
2011 Summer Conference Brochure


Page 1: 2011 Summer Conference Brochure

ISACA Silicon Valley

2011 Summer Conference

Auditing and Securing the Cloud

August 25th, 26th, 2011 — San Jose, California

16 CPEs!

CONTENTS

Our Sponsors - page 3 - 4

Welcome - page 5

Schedule of Events - page 6 - 7

Speaker biographies - page 8 - 17

Venue information - page 18


Page 3: 2011 Summer Conference Brochure

ISACA Silicon Valley 2011 Summer Conference

This conference would not be possible without the generous support of our sponsors — THANK YOU!

Platinum Sponsors:

http://www.infoblox.com

http://www.checkpoint.com

Gold Sponsors:

http://www.soaprojects.com

http://www.pwc.com

http://www.bpmllp.com

http://www.whitehatsec.com

Page 4: 2011 Summer Conference Brochure

Silver Sponsors:

DISCLAIMER

As it is the objective of the Silicon Valley Chapter of the Information Systems Audit and Control Association to provide a forum for the expression of ideas and opinions, statements of opinion appearing herein are not necessarily those of the Chapter or its directors and officers.

Additionally, we would like to thank the following companies for supplying time and support to our Conference Speakers:

http://www.terremark.com

http://www.cloudpassage.com

http://www.hp.com

http://www.emc.com

http://www.ekkoconsulting.com/

http://www.contoural.com

http://www.kpmg.com

http://www.ey.com

Page 5: 2011 Summer Conference Brochure

Welcome!

Register online at http://isaca-sv.org/index.php?option=com_content&view=category&layout=blog&id=35&Itemid=18

ISACA Silicon Valley has been providing IT Audit, Security, and Governance Professionals with the training and networking opportunities they need to not just compete but to thrive since 1982. We are continuing this tradition at our 2011 Summer Conference, at which we are offering full days of seminars that move beyond theory to emphasize practical skills you can utilize at work or to improve your marketability.

The Conference Committee has worked hard to provide you with a cost-effective, value-added, high-quality educational and networking opportunity for ISACA members and other professionals in related fields — we hope we have succeeded. As always, your input is greatly appreciated, and we strongly encourage you to fill out the Evaluation Forms at the end of each day. You are also welcome to seek us out with any comments or suggestions you might have to help us continually improve.

Kind Regards,

The 2011 Summer Conference Committee

ISACA SILICON VALLEY 2011 SUMMER CONFERENCE COMMITTEE MEMBERS

• Sumit Kalra, Conference Director, [email protected]

• Jay Swaminathan, Chapter President, [email protected]

• Greg Edwards, Vice President

• Minel Diaz, Treasurer

• Mike Jordan, Certification Director

• Robert Ikeoka, Program Director

• Navarasu Dhanasekar, Marketing & Communications Director

• John Barchie, Conference Committee Chair

• Robin Basham, Conference Committee Volunteer

• Davor Borcic, Conference Committee Volunteer

Page 6: 2011 Summer Conference Brochure

2011 Summer Conference Schedule

Thursday, August 25th

Agenda | Time | Topic | Speaker

Registration | 8:00 - 8:30 | Continental Breakfast and Registration |

Breakfast & Announcements | 8:30 - 9:00 | Networking |

Session 1.1 (Keynote) | 9:00 - 10:00 | Risks and Controls to Consider in Working with Infrastructure As a Service (IaaS) Cloud Providers | Peter Nicoletti, VP of Security Engineering, terremark, A Verizon Company

Session 1.2 | 10:10 - 11:20 | Controls Automation in the Context of Cloud Architecture: Private Cloud, Community Cloud, Public Cloud, Hybrid Cloud | Brad Ames, Director Internal Audit, HP

Session 1.3 | 11:30 - 12:30 | Virtually Safe: Managing from Threats to Clear Skies | Dameon D. Welch-Abernathy, Strategic Alliance Manager, Check Point Software Technologies Ltd.

Lunch | 12:30 - 1:30 | Lunch and Networking | Enjoy time with our Platinum, Gold and Silver Sponsors

Session 1.4 | 1:40 - 2:40 | Risk with Outsourcing to the Cloud vs. SaaS | Harshul Joshi, Director, PwC

Session 1.5 | 2:50 - 3:50 | Emerging Security Standards for the Cloud vs. SaaS | Becky Swain, Partner, EKKO

Session 1.8 | 4:00 - 5:30 | Panel Discussion: Business Drivers Vs. Legislation and Standards Driving Cloud Services | Moderator - Robin Basham, Sr. Director, SOAProjects; Carson Sweet, CEO, CloudPassage; Becky Swain, Partner, EKKO; Marlin Pohlman, Chief Governance Officer, EMC; Benny Kirsh, CIO, Infoblox; Peter Nicoletti, VP, terremark, A Verizon Company; Brad Ames, Director Internal Audit, HP

Reception | 5:30 - 6:30 | Networking Event | Enjoy time with our Platinum, Gold and Silver Sponsors

Page 7: 2011 Summer Conference Brochure

Friday, August 26th

Agenda | Time | Topic | Speaker

Registration | 8:00 - 8:30 | Continental Breakfast and Registration; Networking | Enjoy time with our Platinum, Gold and Silver Sponsors

Session 2.1 (Keynote) | 8:30 - 10:00 | Planning and Scoping the Cloud Audit | Cara M. Beston, Partner, PwC; Eric Tan, Director, PwC

Session 2.2 | 10:10 - 11:20 | Governance and Enterprise Risk Management (ERM): The GRC Stack | Marlin Pohlman, Chief Governance Officer, EMC

Session 2.3 | 11:30 - 12:30 | Privacy in the Cloud | Doron Rotman, IT Advisory, KPMG

Lunch | 12:30 - 1:30 | Lunch and Networking | Enjoy time with our Platinum, Gold and Silver Sponsors

Session 2.4 | 1:40 - 2:40 | Leveraging Data Security to Support eDiscovery and Records Management | Mark Diamond, Contoural, Inc.

Session 2.5 | 2:50 - 3:50 | Operating in the Cloud: Incident Response, Notification and Remediation, Application Security, Data Security and Integrity, Identity and Access Management, Virtualization | David Ho, Ernst & Young

Session 2.8 | 4:00 - 5:00 | PCI and Tokenization Panel Discussion | Jonathan Clark, CEO, ExoIS, Inc.; Walter Conway (QSA); Abir Thakurta, Director, Liaison Technologies; Harshul Joshi, Director, PwC

Wrap Up / Door Prizes | 5:00 - 5:30 | Sponsor Raffles and Conference Closing Remarks | Sumit Kalra and Jay Swaminathan

Page 8: 2011 Summer Conference Brochure

2011 Summer Conference Speakers — Thursday, August 25th, 2011

Day One—Security Track

Session 1.1 — Risks and Controls to Consider in Working with Infrastructure As A Service (IaaS) Cloud Providers: 9:00 A.M. – 10:00 A.M.

Pete Nicoletti, CCSK, CISSP, CISA, CCNE, FCNSP, VP of Security Engineering, terremark, A Verizon Company

In this presentation we will look at an IaaS provider’s foundation and architecture…and the challenges in auditing and securing a “cloud.” We will review the issues of securing a multi-tenant architecture and what to look for from your provider. We will also examine relevant guidance and audit information from the CSA, RACI charts, Shared Assessments, SAS 70 II, PCI, ISO 27000, NIST 800-53A R3, FedRAMP, State Breach Laws and more. This presentation will provide you with a good review of the risks and controls that you should be aware of if you are looking at IaaS providers.

Pete Nicoletti, CCSK, CISSP, CISA, CCNE, FCNSP, has 27 years of experience in the marketing, sales, development, implementation and management of all types of information technologies. He is internationally regarded as a wireless pioneer, having built the world’s first commercially viable Wireless ISP with over 500 antenna locations. Formerly he was the CSO/CTO of one of the most successful SMB-focused Managed Security Service Companies and managed the security for hundreds of clients. Steve Ballmer presented him the “Microsoft Industry Solutions” Award at Comdex 2000 for the most innovative and advanced implementation of Microsoft applications for a large VoIP/CRM travel agent system. Pete has owned several Computer Networking Consulting Companies and was Citrix Reseller of the Year two times. He is currently the Vice President of the South Florida Information Systems Security Administrators after three years as President, VP on the Board of Directors of the FBI InfraGard, a member of ISACA, Internet Coast, Honeynet Alliance, Computer Security Institute, IEEE, Secret Service Miami Electronic Crimes Task Force, EFF, Union of Concerned Scientists, Anti-Phishing Working Group and the Cloud Security Alliance. Pete recently completed a chapter on Content Filtering for the college textbook “Computer and Information Security.” Pete is currently the VP of Security Engineering for Terremark Worldwide with responsibility for all Federal and Commercial Managed Security Consulting and Design. Terremark, now owned by Verizon, is a leading Cloud Provider for the Federal Government, F1000 and Global companies concerned with security in their cloud.

Session 1.2 — Controls Automation in the Context of Cloud Architecture; Private Cloud, Community Cloud, Public Cloud and Hybrid Cloud: 10:10 A.M. – 11:10 A.M.

Brad Ames, CPA, CISA, Internal Audit Director of Professional Practices at Hewlett-Packard Company (HP)

Brad Ames is an Internal Audit Director of Professional Practices at Hewlett-Packard Company in Palo Alto, California. Brad’s team is responsible for innovating and deploying non-traditional audit solutions for measuring risk to the business and shortening the time to management action. His role involves close collaboration with HP’s governance groups, customers and external auditors in order to gain an ongoing view of emerging risk enterprise-wide. His team has established continuous monitoring for the purpose of simplifying SOX 404 attestation and reducing the cost of compliance. Brad is a member of the Institute of Internal Auditors’ Professional Issues Committee. He is a CPA and Certified Information Systems Auditor with 10 years of experience in Public Accounting.

Page 9: 2011 Summer Conference Brochure

Session 1.3 — Virtually Safe: 11:20 A.M. – 12:20 P.M.

Dameon D. Welch-Abernathy, CISSP, Strategic Alliance Manager, Check Point Software Technologies Ltd.

This session is designed to engage thought processes around the decision to move toward virtual technologies.

Is your organization moving towards virtualization? The push for greener solutions that do more with less has made people take a hard look at a virtualization strategy for managing infrastructure. Multi-core architectures have brought a new level of power to the end users, but without the software being specifically designed to take full advantage of it, there is no perceivable benefit coming from these systems. This presentation seeks to demonstrate unique ways to not just ensure threat management for a virtual infrastructure, but to also leverage it as part of the infrastructure change. When you take away the buzz, and the clouds abate, will you be left with clear skies?

Dameon D. Welch-Abernathy, CISSP, a.k.a. “PhoneBoy,” has provided aid and assistance to countless IT professionals since 1996. Best known as the author of two books on Check Point VPN-1/FireWall-1 as well as creator of a well-visited FAQ site on the Check Point products, Welch-Abernathy currently works as a Strategic Alliance Manager for Check Point Software Technologies. Prior to that, Welch-Abernathy spent 10 years in Nokia’s Security Appliance Business, which was acquired by Check Point Software Technologies in April 2009.

Welch-Abernathy writes on the subjects of VoIP, Telecom, Network Security, Gadgets and Technology, as well as the occasional Nokia or Check Point-related item.

Session Description

Virtualization, in and of itself, is an IT infrastructure strategy, not a security strategy, and as such this presentation seeks to define security models that not only secure, but take advantage of, ‘Cloud’ computing designs. The definition of ‘Cloud’ computing models can be complex and will mean different things to different organizations, but defining the model is a requirement to being able to map to strategies that protect those assets. Building a security model for virtualization needs to happen as part of the planning process to be most effective, but on closer review, the audience should discover much of the planning work done for them when they are able to conceptualize the strategy. Much of what we do today to protect data can be reused, but you will find that virtualization presents both a unique challenge and a unique opportunity to create a safe environment to grow your services-oriented computing models. Whether it is in the ‘Cloud’ or in the components of hardware that make it up, security is adapting to fit the needs. This session will define various ‘Cloud’ models, and the options for creating a secure infrastructure around them. When defining a strategy to abstract hardware and the dissemination of resources, let’s make sure security is considered to protect the design, as well as benefit from it.

Page 10: 2011 Summer Conference Brochure

Session 1.4 — Risks in Outsourcing to the Cloud vs. SaaS; Cloud Security Architecture: 1:40 P.M. - 2:40 P.M.

Harshul Joshi, CISSP, CISA, CISM, Director, PwC

Harshul Joshi is a Director in the security practice for PwC, with primary areas of focus in IT security and compliance-based risk assessments, threat and vulnerability modeling and security architecture. He has worked with various compliance standards including PCI (Payment Card Industry), Sarbanes-Oxley 404, GLBA (Gramm-Leach-Bliley Act) and SAS 70. Harshul has worked in Fortune 100 companies assisting with IT compliance, audit and security initiatives and is an internationally known speaker. Some of the sample topics he speaks on include PCI, Wireless Security, Auditing Firewalls and Intrusion Detection, Risks of IT Outsourcing and Offshoring, and Performing IT Risk Assessment from a Business Standpoint. He has spoken at various conferences in Singapore, India and the United States. He is a regular speaker at the ISACA North American Conference as well as the Network Security Conference.

Harshul is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM).

Harshul has an MBA in International Business and an MS in Information Systems. Prior to joining PwC, Harshul was a Director of Technology Consulting for CBIZ MHM LLC, where he headed the security practice creating and delivering risk assessment services. He also spearheaded IT security and compliance at the Sony Corporate audit group, performing compliance and audit assessments for Sony Electronics, Sony Music and Sony Pictures. Prior to joining Sony, Harshul was a Security Architect with Verizon / GTE.

Session 1.5 — Emerging Security Standards for the Cloud vs. SaaS: 2:50 P.M. - 3:50 P.M.

Rebecca Swain, CIPP/IT, CIPP, CISSP, CISA

Becky Swain is a Partner with EKKO Consulting and has over 12 years of information security and privacy experience, designing, implementing, improving and measuring the effectiveness of policies, processes, and internal controls as a senior auditor, consultant and risk management practitioner involving complex and critical business operations and technical architectures with Fortune 500 companies based in Silicon Valley. As Co-Founder/Chair & Chief Architect of the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), Mrs. Swain is actively engaged in the development and adoption of cloud security and privacy standards, participating with CSA and ISO/IEC as both contributor and project co-editor for ISO/IEC 27036 – Information technology – Security techniques: Information Security for Supplier Relationships – Part 1. Mrs. Swain holds numerous information security related certifications, including CISSP, CISA, CIPP and CIPP/IT, is an active member in professional affiliations (e.g., CSA, IAPP, and ISACA), serves on the Board of the CSA Silicon Valley Chapter, has recently been appointed as Security Lead for the CloudNOW (Network of Women) Special Interest Group (SIG), and is an ‘Information Security Practitioner’ category finalist in the (ISC)2 2011 Americas Information Security Leadership Awards (Americas ISLA).

Page 11: 2011 Summer Conference Brochure

Session 1.8 — Panel Discussion - Business Drivers Vs. Standards and Legislation Impacting Cloud Services:

Moderator: Robin Basham, Senior Director of Enterprise GRC, SOAProjects, is recognized across several industries as an ICT and GRC expert, assisting clients to architect and implement GRC Platforms, and with Green Tech initiatives. A past Banking Operations Officer and Master Educator, Ms. Basham's certifications include ITIL, CobiT, Networking, Java Enterprise, Information Audit and Security, CGEIT, ACGTA and most recently the CRISC. Her Technical Advisory, Executive Leadership and Steering Committee roles include ISACA, OASIS, OMG, and AWC. Ms. Basham holds two graduate degrees in IT and Education, and is a founding member of Control Objectives for Sustainable Business (COSB). She is the creator of Facilitated Compliance Management software and founded Phoenix Business and Systems Process.

Panelist: Benny Kirsh, CIO of Infoblox, a leading company in network automation and control, is an accomplished, results-oriented information technology professional with more than 20 years of experience in various industries. He has held several CIO positions. He joined The Cooper Companies to lead an ERP implementation and drive a cultural change necessary for a global rollout. He also led a highly professional IT team in implementing several systems such as financials, distribution, supply chain and others. He established a Change Management process to create transparency and build a strong working relationship within the business. Prior to The Cooper Companies, Benny was the first CIO at Kyphon, a company experiencing significant growth. His most important objective was to lay the technology foundation for growth while sustaining the flexibility required for Kyphon to function in a competitive market. He was responsible for implementing critical systems such as ERP, Quality Assurance, Workflow, Clinical Trial Systems and others. Benny relocated to the US from Israel with an international enterprise, Terayon Communication Systems, bringing with him a wealth of global experience.

Panelist: Carson Sweet is co-founder and CEO of CloudPassage. His information security career has spanned nearly two decades and includes a broad range of entrepreneurial, management and hands-on technology experience. As a senior information security strategy and technology consultant, Carson has created and implemented groundbreaking security solutions across a range of industries and public sectors. Prior to co-founding CloudPassage he served as RSA's principal solutions architect for the financial services sector, where he specifically focused on virtualization & cloud security, Internet application controls, data protection and anti-fraud. Carson formerly served as founding CSO for GlobalNetXchange (now Agentrics) and CTO for the Investor Responsibility Research Center (now the RiskMetrics Group). He also founded security consulting and managed services lines of business for RPM Consulting (acquired by Computer Horizons Corporation), TimeBridge Technologies (acquired by Dimension Data) and Security Methods. Prior to his technology career Carson served in the U.S. military as a heavy anti-armor weapons specialist and later as a career firefighter-paramedic. He studied emergency health sciences at the Jefferson College for Health Sciences, pre-medical neuropsychology at Virginia Commonwealth University/Medical College of Virginia and information technology at the University of Massachusetts.

Page 12: 2011 Summer Conference Brochure

Panelist: Marlin Pohlman is Chief Governance Officer at EMC. In this role he coordinates the activities of standards-based IT governance with EMC, its Security Division RSA and its holdings in VMware and Acadia. Within the Cloud Security Alliance he is Global Strategy Board Chair & Director, coordinating the activity of technical work groups within the alliance and acting as liaison with external cloud standards bodies. Within the CSA Dr. Pohlman is also the active Co-Chair of the Controls Matrix and Consensus Assessments work groups as well as Co-chair of the Cloud Audit/A6 Standards Work Group. He holds a Ph.D. in Computer Science, an MBA in Technology Management, and a bachelor’s in Engineering Physics. Dr. Pohlman is a licensed engineer and holds the CSA CCSK certification and the (ISC)2 CISSP certification, as well as the ISACA CISM, CISA, CGEIT and CRISC certifications. He is also a trained paralegal.

Returning to our stage from presentations throughout the day, please also welcome,

Panelist: Brad Ames, Director Internal Audit, Hewlett Packard Company (See page 7)

Panelist: Becky Swain, Cloud Security Alliance, Partner, EKKO Consulting Group (See page 8)

Panelist: Pete Nicoletti, VP Security Engineering, terremark, A Verizon Company (See page 7)

Page 13: 2011 Summer Conference Brochure

2011 Summer Conference Speakers — Friday, August 26th, 2011

Audit Track - Keynote

Session 2.1 — Planning and Scoping the Cloud Audit: 8:30 A.M. – 10:00 A.M.

Cara M. Beston, Partner, PwC

In this presentation, compliance leaders from PwC will look at recommended best practice for planning and scoping audits in environments that either partially or entirely leverage Cloud technologies. Leading the discussion is Cara Beston, Partner and head of Risk Assurance Cloud Computing services, as well as published author of such articles as “Look Before You Leap Into the Cloud: The Promise of Lower Capital and Operational Costs Isn’t the Only Benefit of Cloud Computing” (Copyright © 2010 SYS-CON Media, Inc.).

This session will cover redefining audit objectives, boundaries of review, documenting risks, and deliverables in the context of cloud-enabled platforms, resources and services.

Cara Beston is a partner based in San Jose, CA, leading the Risk Assurance Cloud Computing services. She specializes in IT and process risk and control assurance services to IT, Internal Audit and business leaders in the Technology sector. In her 22 years with PwC, Cara has served over 80 technology clients, including key Cloud-enabling enterprises Cisco Systems, VMware and 3Par, SaaS providers Taleo, Webex and Proofpoint, and a number of on-line businesses including Shutterfly, CBS Interactive, Zappos.com and others. Cara graduated summa cum laude from Bridgewater College, MA and is a member of the AICPA. She lives in Pleasanton, CA with her husband and 3 children.

Eric Tan, CISA, CGEIT, CPA, Director, PwC

Joining Cara is Eric Tan, CISA, CGEIT and CPA. Eric is a Director at PwC with over twelve years of experience delivering IT governance and risk management solutions. Eric currently leads PwC's cloud and internet assurance practice based in Silicon Valley. He serves as an internal audit and compliance advisor to various leading SaaS providers in the Bay Area. His experience includes leading large-scale system assessments, performing risk and security reviews, business continuity & disaster recovery diagnostics, and helping his clients implement various compliance and control solutions. Eric focuses on clients in the technology sector. Clients he has served include Google, eBay, LinkedIn, Novell, Tibco, Shutterfly, and Proofpoint.

Page 14: 2011 Summer Conference Brochure

Session 2.2 — Governance and Enterprise Risk Management (ERM): The GRC Stack: 10:10 A.M. – 11:10 A.M.

Dr. Marlin Pohlman, Chief Governance Officer at EMC (See page 12)

In this session, Chief Governance Officer and highly regarded GRC expert Dr. Marlin Pohlman will cover Governance Models, Enterprise Risk Management, Information Risk Management, Third-party Management, Legal and Electronic Discovery, Compliance and Audit, and Portability and Interoperability.

Outsourcing critical business functions into the Cloud can result in challenges in maintaining assurance and control over legal and regulatory obligations for data management and protection. In this session, we will guide you through the process for establishing an effective cloud security program leveraging the Cloud Security Alliance (CSA) Governance, Risk & Compliance (GRC) Stack, providing you with real-world examples of industry adoption.

The audience will particularly benefit from Marlin’s insights as Chair of the CSA Strategy Board, Co-Chair of the Cloud Controls Matrix, Founder/Co-Chair of the CSA Consensus Assessments, and Co-Chair of Cloud Audit. With over 18 years of IT governance and audit experience, Marlin Pohlman is the editor-elect of the ISO and ITU-T cloud information security management standards. As the Chief Governance Officer at EMC, Marlin Pohlman oversees the product strategy and standards compliance of the EMC Cloud GRC Portfolio.

Session 2.3 — Privacy in the Cloud: 11:30 A.M. - 12:30 P.M.

Doron Rotman, IT Advisory, KPMG

Doron is a member of the IT Advisory practice specializing in information governance, privacy, and security and is the National Privacy Service Leader. Doron is a Managing Director in KPMG’s Advisory Services practice with over 20 years of experience. Mr. Rotman is focused on providing Privacy and Information Governance Services. He is the national privacy service leader, a member of KPMG’s national Privacy Leadership Council and a member of the KPMG International Privacy Leadership team. He has extensive high tech, financial services, manufacturing and government industry knowledge, both in the information technology and the accounting and finance aspects. Doron has delivered multiple presentations around the world on the topic of Privacy and the Cloud, recently at NACACS 2011.

Page 15: 2011 Summer Conference Brochure

Session 2.4 — Leveraging Data Security to Support eDiscovery and Records Management: 1:40 P.M. - 2:40 P.M.

Mark Diamond, President and CEO, Contoural, Inc.

Mark Diamond is one of the industry thought leaders in proactive litigation readiness, compliance, and records information management strategies. His company, Contoural, has helped 20% of the Fortune 500 plus many mid-sized and smaller organizations as well as public sector entities. Mark is a frequent industry speaker, presenting at numerous Legal and IT industry conferences as well as online venues. Additionally, Mark addresses more than one hundred internal corporate audiences each year.

Mark is founder, President & CEO of Contoural, Inc. Under his leadership, Contoural has grown to be a leading independent provider of litigation readiness and records and information management services. He is recognized as a thought leader in litigation readiness and records information management. Mark is an online columnist for InsideCounsel Magazine, as well as an author of numerous white papers for both the legal and IT communities. He is also co-author of the Litigation Readiness chapter of the West eDiscovery for Corporate Counsel, 2010 ed. Previously Mark was chair of the Storage Networking Industry Association Security Customer Advisory Board.

Session 2.5 — Operating in the Cloud: Incident Response, Notification and Remediation, Application Security, Data Security and Integrity, Identity and Access Management, Virtualization: 2:50 P.M. - 3:50 P.M.

David Ho, Ernst & Young

David Ho is a multi-disciplinary professional with over 13 years of experience in IT, information security, and internal audit. He brings a unique blend of strong technical skills with business acumen and a drive for operational excellence. He specializes in transforming information security organizations to enable business innovation, while managing the company's risk. He has led and executed on technical information security implementation projects, audited complex IT systems for information security and data privacy controls, and program-managed multiple multi-million dollar security projects. David's specialties include information security strategy and governance, data security and privacy, internal audit and compliance, and portfolio and program management. David is an Information Security Senior Manager at Ernst & Young.

Page 16: 2011 Summer Conference Brochure

Page 16

2011 Summer Conference Speakers — Friday, August 26th, 2011

Audit Track

Session 2.8 — PCI and Tokenization Panel Discussion: 4:00 P.M. - 5:00 P.M.

Jonathan Clark, CEO and founder of ExoIS, Inc., is a PCI QSA and security and compliance expert. Jonathan is the Chief Architect of the SaaS product PeepSafe, a portal-based offering that allows organizations to relocate processes and systems from their internal networks, allowing them to de-scope portions of, or in some cases their entire, PCI footprint. Prior to ExoIS, Jonathan started and sold a web company, headed up IT for Morphics, and developed an Enterprise Configuration Technology program at Applied Materials, subsequently leading the rollout and deployment of the program in multiple Applied product divisions globally. Jonathan has a BSc Honors in Mathematics from Bristol University, England. He also scored a great hat-trick against Watsonville in the Peninsula Premier League.

Walter Conway is a Payment Card Industry Qualified Security Assessor (QSA) and ecommerce consultant who applies his 30 years of electronic payments and technology management experience to helping clients of all sizes plan, implement, and manage their credit card and ecommerce programs, including achieving PCI DSS compliance. Walt spent over 10 years with Visa and two years as president of an Internet-based payment processor. In addition to his QSA duties, Walt is the PCI columnist for StorefrontBacktalk.com, focusing on issues facing retailers, and conducts PCI training workshops. He also writes a popular PCI blog focused on higher education compliance issues. He is a frequent speaker on PCI DSS, security, and ecommerce topics at professional conferences and webinars. He co-authored Why Banks View Campuses as High Risk Merchants, an examination of computer security breaches, and 5 Strategies to Achieve PCI Compliance (both published by the Association of Financial Professionals). Other publications include Five Myths About the PCI DSS (Government Finance Officers Association), Straight Talk about Data Security (in the NACUBO Business Officer), and Back to School: What Colleges and Universities Can Teach About PCI Compliance (SPSP Payments News).

Abir Thakurta, CISSP, Director of Pre-Sales and Professional Services for Liaison Technologies, has been instrumental in shaping the data security industry since its infancy and helping it mature as enterprise security concerns have shifted to protecting sensitive and confidential business and customer information. Thakurta works closely with customers to help them develop and implement innovative, practical, all-encompassing security strategies to solve organizational data protection problems. Thakurta often becomes the "go to" guy for customers seeking advice on the use of security solutions to reduce organizational risk and comply with data security mandates and privacy laws. He actively works to educate the market through published articles in respected data security journals and by speaking at industry conferences around the world. Thakurta holds a B.S. in Engineering from Manipal Institute of Technology in Manipal, India, and an M.S. in Supply Chain Technology from the New Jersey Institute of Technology in Newark, New Jersey, and he completed the Georgia Tech Management Program in Atlanta. He is a member of the Payment Card Industry Security Standards Council, ISC2, and the Technology Association of Georgia - Information Security Group.

Returning to the stage, Harshul Joshi, Director, PWC (Please see page 10)


Register online at http://isaca-sv.org/index.php?option=com_content&view=category&layout=blog&id=35&Itemid=18

Page 17


Final Comments and Conference Wrap Up:

Sumit Kalra, Director, BPM, and Conference Director

Sumit Kalra, CISA, CISSP, is a Director at Burr Pilger Mayer, where he manages the Assurance Services practice specializing in information technology, SAS 70 audits, and assessments. His 12 years of industry experience include 6 years at international CPA firms and 6 years at companies in the technology, consumer products, and financial services industries. His knowledge base spans a variety of ERP solutions and complex infrastructure implementations. Sumit has a BS in Accounting and Computer Information Systems from San Francisco State University. In his spare time, Sumit enjoys cooking international cuisine.

We hope you enjoyed the presentations and have gained valuable insights into, and learned new techniques for, cloud security and cloud audit.

Before you leave, please fill out the Speaker Assessment Form for today's sessions. We will use your input to learn about our performance and to improve future conferences. Please leave the forms at the Registration Desk on your way out.


Page 18

To register, or to gain additional information, including driving directions, please visit:

http://isaca-sv.org/index.php?option=com_content&view=category&layout=blog&id=4&Itemid=4

Venue Information

The 2011 Summer Conference will be held at:

Biltmore Hotel & Suites
2151 Laurelwood Road
Santa Clara, CA 95054
(408) 988-8411
(Free Parking)

2011 Summer Conference