ISACA Silicon Valley — Serving IT Governance Professionals for 26 years.
The Chip
ISACA Silicon Valley Chapter
April 2008
Silicon Valley Chapter #62
President’s Message — by Ken Baylor, President
Learn. Grow. Network.

In this issue:
A Message from the President ......... 1
April Monthly Meeting ................ 2
COBIT Training Session ............... 3
CISA / CISM Review Course ............ 4
Bookstore Update ..................... 5
• News from International ............ 6
• International Calendar of Events
March Monthly Meeting ................ 8
• Welcome New Members ................ 9
• Chapter Board Contact Information

[The] “vote on adopting the new Chapter by-laws...represents a major step forward for the Chapter.”

April is a busy month for our Chapter members. The IRS has made our personal lives revolve around the 15th, but this is just the tip of the iceberg.

Our Chapter meeting this month covers SAS 70. Once the domain of CPAs, SAS 70 is reaching deep into the enterprise. Since the start of this year, a number of startled service organizations who do business with public companies have been asked to present them, as SOX auditors want to ensure their clients are being billed fairly. All of a sudden, there is a rush to find out what a SAS 70 Type II report is, and how to get one. This month’s meeting will get you started, and more importantly, show you SAS 70’s limitations.

This month also sees the culmination of the $40k giveback for member certification. The voting is going on right now, and will end on April 15th. If you have not voted yet, please go here and do so: https://www.surveymonkey.com/s.aspx?sm=Wuc_2bv_2ffQm56O798qL6KGOw_3d_3d . The results will be announced at the April 17th meeting.

Also at the membership meeting we will vote on adopting the new Chapter by-laws. This represents a major step forward for the Chapter. The current by-laws have proven to be our Achilles heel, and have caused many problems in the past. If you have not read them yet, they are here: http://www.isaca-sv.org/ProposedByLaws.html

The annual Chapter elections are fast approaching. We need 3 volunteers to oversee the elections and make sure they are conducted fairly, openly and reflect the standards the Chapter deserves. If you can help out the Chapter for these few critical hours, please email me.

If that were not enough, Himanshu Gupta, our very capable Conference Director, is putting together CobiT Foundation training on April 23rd. CobiT and ISO 27001 are two of the best respected Information Security and Privacy frameworks out there. CobiT is ISACA’s own and very popular in the US. Earlier this month I gave a webinar on Frameworks: http://www.metricstream.com/webinars/webinar_4april08.htm . The session was exceptionally well attended. I noticed a trend beginning mid-2007. CISOs finally decided to leave the vendor-led realities behind them and started searching for how to do their job more efficiently. Tired of turf-battles and lacking direction, they turned to frameworks for guidance. The frameworks exceeded expectations. This year the trend is gaining momentum. There is likely to be a major demand for CobiT trained professionals in 2009. Those who are familiar with CobiT and/or obtain the upcoming CGEIT certification will have a powerful advantage. I will be at the training. I hope you will too.

Ken Baylor, President ISACA-SV
president@isaca-sv.org
Page 1


April 2008 Monthly Meeting
- Jayaprakash Vinayagamurthy, Program Director

The upcoming Monthly Meeting will be held on April 17, 2008.

Biographies of our distinguished moderator and panelists (below) can be found at:
http://www.isaca-sv.org/200804.html

This month’s panel discussion topic is:
SAS 70 - Auditing Service / Outsource Organizations

Outsourcing business and information technology services is becoming increasingly common in today’s global marketplace. How do user organizations and their auditors gain assurance that adequate controls are in place at their service providers? How can service organizations best position themselves to meet the audit requirements of current and future customers? How do organizations monitor and evaluate the internal controls of third-party outsourcers as part of their SOX 404 project?

This session is intended for those individuals working for an organization that has a SAS 70 performed or receives a SAS 70 report from one of their outsourcing partners. We will discuss the requirements of SOX 404, the considerations that organizations should make for outsourcers, and the SAS 70 report’s relevance to the organization’s internal control structure.

By attending this session you will learn:
• History and understanding of SAS 70 requirements and reports
• Procedures relating to performing a SAS 70 project from the service organization and the service auditor perspective, and
• Procedures relating to the evaluation of the SAS 70 report from the receiving user organization, including the user organization’s internal audit function and the external auditor.

Moderator:
Ken Baylor, President, ISACA — Silicon Valley

Panelist:
Jerry Meyers, Associate Director, Technology Risk Practice, Protiviti

Panelist:
Alan Miller, Senior Manager, Technology Audit Liaison, Paypal

Panelist:
Todd Bishop, Senior Manager, Systems and Process Assurance, PricewaterhouseCoopers

Panelist:
Nicolas Lidzborski, Senior Security Engineer, Operations Security, Qualys

For meeting information and registration, go to:
http://www.isaca-sv.org/meetings.html
Page 2


Page 3


2008 CISA / CISM Review Course
— Chris Nara, Certification Director

CISA Training Course Location:
Ernst & Young Office
303 Almaden Boulevard
San Jose, CA 95110

Please note that registration for the exams themselves has already closed.

The CISA Review Training Course will be offered on seven Saturdays between April 19 and June 7, 2008, from 8 a.m. to 1 p.m. The examination will be held on June 14, 2008. The last day to register for the Training Course is April 19, 2008. Attendees are responsible for ensuring they meet the requirements for CISA certification, including the necessary work experience and continuing professional education.

| | ISACA Member | Non ISACA Member |
| Training Fee | $285.00 | $320.00 |
| CISA Examination Review Manual (2008) | See Link Below | See Link Below |
| CISA Review Questions (550 Questions with answers and explanations) | See Link Below | See Link Below |

For more information on the preparation material click here. The course includes a review of the following subjects as required by the CISA Examination:

| Date | Subject | Instructor |
| Apr 19 | IS audit process | Jay Swaminathan |
| Apr 26 | IT Governance | Tom Ross |
| May 3 | Systems and Infrastructure Life Cycle | Sreeni Kancharla |
| May 10 | IT Services Delivery and Support | Ram Shenoy |
| May 17 | Protection of Information Assets | Kris Khan |
| May 31 | Business Continuity and Disaster Recovery | Jeff Fenton |
| Jun 7 | Mock CISA Review Test | |

The Training Course will also have a mock examination to help candidates prepare for the examination. All candidates should be registered for the actual examination before attending the Training Course, but please note that registration for the June 2008 exam has already closed. To register for the course, however, please go to: http://www.isaca-sv.org/CISAOnLineRegistration.html. All instructors have passed their CISA examinations, and all training is being coordinated and managed by Christopher Nara.

CISM Training Course Location: TBD

The CISM Review Training Course will be offered on three Saturdays from May 17, 2008 to June 7, 2008, between 8 a.m. and 4 p.m. The examination will be held on June 14, 2008. The last day to register for the training course is May 17, 2008 (please register at http://www.isaca-sv.org/CISMOnLineRegistration.html). Attendees are responsible for ensuring they meet the requirements for CISM certification, including the necessary work experience and continuing professional education. Note: registration for the June 2008 exam has already closed.
Continued on page 4
Page 4


2008 CISA / CISM Review Course
(Continued from page 3)

CISM Fees
| | ISACA Member | Non ISACA Member(*) |
| Training Fee | $285.00 | $320.00 |
| CISM Examination Review Manual (2008) | See Link Below | See Link Below |
| CISM Review Questions | See Link Below | See Link Below |
(*) Does not include ISACA International Membership Dues. The amount includes only local chapter dues. The CISM Review Book and the Practice Question Database can be obtained at the following link: CISM Preparation.

The course includes a review of the following subjects as required by the CISM Examination:

| Date | Subject |
| May 17 | Information Security Governance |
| May 17 | Risk Management |
| May 31 | Information Security Program Management |
| May 31 | Information Security Management |
| Jun 7 | Response Management |

The Training Course will also have a mock examination to help candidates prepare for the examination. All candidates should register for the actual examination before attending the Training Course; but please note that registration for the June 2008 exam has already closed. To register for the course, however, please go to: http://www.isaca-sv.org/CISMOnLineRegistration.html. All instructors have passed their CISM examinations, and all training is being coordinated and managed by Christopher Nara.

Bookstore Update
Members preparing for the CISA and CISM examinations can find all new, completely revised CISA and CISM study aids available at the ISACA Bookstore:
• CISA® Review Manual 2008 (English, Italian, Japanese and Spanish editions)
• CISA® Review Questions, Answers & Explanations Manual 2008 (English, Italian, Japanese and Spanish editions)
• CISA® Review Questions, Answers & Explanations Manual 2008 Supplement (English, French, Italian, Japanese and Spanish)
• CISA® Practice Question Database v8, CD-ROM or web site download (English and Spanish editions)
• CISM® Review Manual 2008 (English, Japanese and Spanish editions)
• CISM® Review Questions, Answers & Explanations Manual 2008 (English, Japanese and Spanish editions)
• CISM® Review Questions, Answers & Explanations Manual 2008 Supplement (English, Japanese and Spanish editions)
• CISM® Practice Question Database v8, CD-ROM or web site download (English only)

See www.isaca.org/cisabooks and www.isaca.org/cismbooks, respectively, for complete descriptions and to place an order. Contact the Bookstore at bookstore@isaca.org or +1.847.660.5650 with any questions.

Did You Know…
ISACA has developed several chapter officer orientation presentations—for chapter presidents and vice presidents, membership directors, newsletter editors and webmasters, and new officers. The officer orientations can be viewed from the chapter leader area of the ISACA web site, www.isaca.org/chapadmin.

Page 5



Certification Update

CISA CPE Policy Update
The CISA Certification Board has approved an update to the Certified Information Systems Auditor™ (CISA®) continuing professional education (CPE) policy. Performing peer reviews can now be counted as “contributions to the IS audit and control profession.” To view this addition and the full policy, please visit www.isaca.org/cisacpepolicy.

CGEIT Certification Updates:
• Applications for Certified in the Governance of Enterprise IT™ (CGEIT™) are being accepted under the grandfathering provision until 31 October 2008. More information on this and the certification in general is available at www.isaca.org/cgeit.
• To date, more than 300 CGEIT grandfathering applications have been received.
• Registration for the first CGEIT exam, offered on 14 December 2008, will begin in mid-July.
• To construct a quality exam, ISACA has elicited the support of IT governance professionals around the world. Exam items currently are being reviewed for the CGEIT exam. Those interested in supporting this effort may find additional information at www.isaca.org/cgeititemwriter.

Exam Registration/Renewal Updates:
• More than 10,000 CISA and approximately 1,500 Certified Information Security Manager® (CISM®) candidates have registered for the June exam administrations.
• Registered candidates unable to take the exam this June can request a deferral of their registration fees to the December 2008 administration. Information on charges and deadlines for such requests is available at www.isaca.org/examdefer. Deferral requests will not be accepted after 28 May 2008.

Certification holders who have not already done so must pay their annual maintenance fee and report their CPE hours by 30 April, or they will be subject to revocation. The renewal process can be completed online by logging on to www.isaca.org and going to My Renewals.

Distance Learning Update
ISACA is pleased to announce the launch of a new online events site. The site, which offers a number of user-friendly features and improvements, will hold its inaugural e-Symposium on 23 April 2008, focusing on PCI compliance. To register for the e-Symposium and take the first step toward earning three free CPE credits, please visit http://isaca.brighttalk.com. E-symposia are recorded and archived for viewing on demand. Registration is required to view an archived or live event and earn free CPE credits. For more information, please visit www.isaca.org/webcasts

Calendar of Events
Dates of conferences/events are indicated in RED; other dates and deadlines are indicated in BLACK.

April
2 April ............... Early-bird registration deadline for the Training Week in Vancouver, British Columbia, Canada
7-11 April ............ ISACA® Training Week, Dallas, Texas, USA
9 April ............... Final registration date for the June 2008 CISA and CISM exams
15 April .............. Last day to use the Member-Get-A-Member web site to recruit new full-dues-paying members and gain a chance to win valuable prizes
16 April .............. Early-bird registration deadline for the Training Week in Minneapolis, Minnesota, USA
23 April .............. ISACA e-Symposium on compliance
27 April-1 May ........ North America CACS, Las Vegas, Nevada, USA
29 April .............. Deadline for receipt of dues payment for Member-Get-A-Member contest

May
14 May ................ Early-bird registration deadline for 2008 International Conference
28 May ................ Deadline to defer exam date from the June to December administrations

June
5 June ................ Early-bird registration deadline for Latin America CACS
9-13 June ............. ISACA Training Week, Vancouver, British Columbia, Canada
14 June ............... CISA and CISM exam administration
19-20 June ............ Sarbanes-Oxley Symposium, Rosemont, Illinois, USA
23-27 June ............ ISACA Training Week, Minneapolis, Minnesota, USA
25 June ............... Early-bird registration deadline for Information Security Management Conference and Network Security Conference in Las Vegas, Nevada, USA

Member-Get-A-Member Contest Extended
Due to high demand, ISACA has extended its 2008 Member-Get-A-Member contest for two weeks! The contest will end 15 April. All new member payments must be received and posted at ISACA by 5:00 p.m. (17.00) (Central Standard Time) on 29 April 2008.
The easiest way to participate in the contest is by using the special Member-Get-A-Member e-mail sent from ISACA in February. That e-mail contains a unique membership link to the specially designed web site where members can initiate e-mail invitations. Using this e-mail and the web site ensures that the participating member will receive full credit for recruiting each new full-dues-paying member. Members may also access the Member-Get-A-Member contest by logging in at www.isaca.org.
Page 6


Research Update
Information Security Governance: Guidance for Information Security Managers
This companion to Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, is available on the ISACA web site, www.isaca.org. Once senior management and the board of directors have an understanding of the imperatives and benefits for undertaking the integration of information security into the organization’s governance structure, they can look to this document to provide an approach and methodology for achieving that objective. The guide covers such fundamental issues as:
• What is information security governance?
• What are the security roles and responsibilities of executive management?
• What is an effective business-oriented approach to providing security governance?
• How is a security strategy aligned with business objectives developed?
• How is a security strategy implemented?
• How is the effectiveness of the security program measured and monitored?

Recent/Upcoming ISACA/ITGI Releases
• ITAF™: A Professional Practices Framework for IT Assurance
• COBIT® Mapping: Mapping ITIL v3 With COBIT® 4.1
• COBIT® Mapping: Mapping COSO ERM With COBIT® 4.1
• COBIT® Mapping: Mapping FFIEC Framework With COBIT® 4.1
More information on these books and, in some cases, member downloads are available at www.isaca.org/deliverables. Those books available for purchase can be found in the ISACA Bookstore at www.isaca.org/bookstore.


Standards Update
A new IS Auditing Guideline, G39 IT Organization, was approved for issue by the Standards Board. It is effective 1 May 2008. All IT organizations serve similar purposes and have similar accountabilities, but their profiles, management systems, processes, constraints, strengths and weaknesses make each IT organization unique. However, there are certain attributes for verifying an optimized IT organizational structure. This guideline provides guidance in applying IS Auditing Standard S10 IT Governance.
For more information on ISACA IS Auditing Standards, Guidelines and Procedures, please visit www.isaca.org/standards


Conference Spotlight
International Conference
27-30 July 2008
Toronto, Canada
ISACA is pleased to present its 36th International Conference and Annual Meeting of the Membership, in Toronto, Ontario, Canada. Conference streams include IT Governance, IT Audit Practices, Information Security Management, and IT Risk Management and Compliance. Postconference and preconference workshops will also be presented, including a special postconference event: IT Control Objectives for Basel II.
All registered CISAs and CISMs are invited to an exclusive networking reception to celebrate the certifications’ shared history of excellence. The 30th anniversary of the CISA designation will also be recognized. For more information and to register, please visit www.isaca.org/international.

Future Conferences and Training Weeks
Upcoming events are noted in the Calendar of Events. Other future 2008 events to keep in mind include:
17-20 August—Latin America CACS℠, Santiago, Chile
8-10 September—Network Security Conference, Las Vegas, Nevada, USA
8-10 September—Information Security Management Conference, Las Vegas, Nevada, USA
8-10 September—Oceania CACS℠, Sydney, New South Wales, Australia
Page 7


Another Successful Monthly Meeting - March 20, 2008
Our chapter held its Seventh Successful Monthly Meeting on March 20, 2007. Our panel discussion on an "Efficient approach to PCI Compliance - Leveraging existing compliance efforts" was moderated by the CEO and co-founder of AppSec Consulting, Brian Bertacini. This panel discussion provided a highly interactive, panel-led forum for the exchange of views and insights on PCI Compliance efforts from the perspective of experienced BIG 4 and industry auditors.

In the picture from left to right:
• Brian Bertacini – CEO and co-founder of AppSec Consulting
• Andy Steingruebl - Information Security, PayPal
• Burak Yenier - Director, IT Operations, CashEdge
• Jim Travato - Director, Information Security, Intuit

In the picture from left to right:
• Andy Steingruebl
• Burak Yenier
• Jim Travato
• Kieran Norton - Senior Manager, Deloitte & Touche
• Andrew Luca - Director, PricewaterhouseCoopers

Contribute to the Chip! Win up to $250!
Would you be interested in benefiting our membership by taking notes at a monthly meeting for later publication in the Chip? If so, please contact: marketing-director@isaca-sv.org or vicepresident@isaca-sv.org. Remember, newsletter article awards are awarded every month — up to $250! For full details, go to:
http://isaca-sv.org/newsletters.html
Page 8


Welcome New Members!
— from Ramachandra Shenoy, Membership Director

The ISACA-SV Chapter welcomes the following new and transferred members for the month of March 2008. Transferred members are denoted with an “*”.

March 2008
Mr. Paul Andrew Volk
Christopher Chit Tun, PMP
Mr. Manohar Bantwal Nayak, CCIE
Samir Vyas, Director
Mr. David B. Cook, MISA, CISSP
Smith Leah
Mr. Jason Hengels
Deborah Tadlock, CPA
Mrs. Uma Anitha Kottali, IT Compliance Mgr
Christine Sublett, CISSP, NSA-IEM
Mr. Jit Singh, President
Alex Garcia, MBA CPA CIA CMA CFM
Mr. David Lars Chamberlain
Mr. Soonseng Seetho
Jasvir Gill
Ms. Kavita Khatwani, Sr IT Compliance Mgr
Mr. Shah Tejas Pankajkumar, CISA, ACA *
Derick Fogt, CISA *
Ms. Suzanne Figueroa
Ms. Mude Manju, CISM *
Miss Yang Kang-I Connie
Ms. Connie J. Sadler, CISM, CISSP, CM, GIAC *
Ms. Monica Lor Khun

ISACA-SV — SERVING BAY AREA GOVERNANCE PROFESSIONALS SINCE 1982.
ISACA Silicon Valley Chapter
P.O. Box 2105
Cupertino, CA 95015-2105

DISCLAIMER
As it is the objective of the Silicon Valley Chapter of the Information Systems Audit and Control Association to provide a forum for the expression of ideas and opinions, statements of opinion appearing herein are not necessarily those of the Chapter or its directors and officers.

ISACA Silicon Valley Chapter Board Contact Information
Find up-to-date chapter activity at: http://www.isaca-sv.org/

President: Ken Baylor, president@isaca-sv.org
Vice President: Navarasu Dhanasekar, vicepresident@isaca-sv.org
Treasurer: Surya Vinjamuri, treasurer@isaca-sv.org
Program Director: Jayaprakash Vinayagamurthy, program-director@isaca-sv.org
Academic Director: Sreenivas Kancharla, academic-director@isaca-sv.org
Conference Director: Himanshu Gupta, conference-director@isaca-sv.org
Marketing Director: Shammyangu Rana, marketing-director@isaca-sv.org
Membership Director: Ramachandra Shenoy, membership-director@isaca-sv.org
Certification Director: Christopher Nara, certification-director@isaca-sv.org

Contribute to the Chip! Win up to $250!
Newsletter article awards are awarded every month. Do you have something to say that will benefit our membership? If so, please rush your articles to marketing-director@isaca-sv.org or vicepresident@isaca-sv.org
Page 9