
TORONTO CHAPTER NEWSLETTER

In This Issue

- President’s Message ..................... 1
- International ISACA News ........... 2
- Chapter Activities ......................... 4
- New CISAs & CISMs! .................. 5
- 2005 Training ............................... 8
- Career Opportunity ..................... 13
- Member’s Submission ................ 16
- Board and Committee Members ... 18
- Membership Application Form .. 20

Information Systems Audit and Control Association

Chapter Website: http://www.isaca.toronto.on.ca
International Website: www.isaca.org

Fall 2004 Web Site Award Bronze Level 2003-2004 Volume 11, Issue 1

ISACA’s mission is to support enterprise objectives through the development, provision and promotion of research, standards, competencies and practices for the effective governance, control and assurance of information, systems and technology.

Fall 2004 Page 1

President’s Message
Patricia Goh

Congratulations to our Toronto chapter CISA and CISM exam passers as well as to our chapter’s top scorers! This year, our chapter has a passing rate of over 80% for CISA. In late October of last year, many chapter members also turned out to celebrate with our chapter’s recent exam passers during the new CISA and CISM appreciation night.

ISACA International has begun its audit on the documentation of 2003 continuing education activities. A randomly selected group of CISAs has been sent an audit letter requesting written support documentation for 2003 continuing professional education hours. If you have any questions about the 2003 audit request, please contact the certification department at [email protected] or via telephone at +1.847.253.1545, ext. 471, 403 or 474.

During the year, ISACA has applied to the American National Standards Institute (ANSI) for ANSI accreditation of the Certified Information Systems Auditor™ (CISA®) and Certified Information Security Manager® (CISM®) certification programs. ANSI accreditation is based on the new International Standard ISO/IEC 17024, “General Requirements for Bodies Operating Certification Systems of Persons,” which is expected to play a prominent role in facilitating global standardization of the certification community, increasing mobility among countries, enhancing public safety and protecting consumers.

As we approach the end of the calendar year, it is also time for us to renew our membership with ISACA. The 2005 hard copy invoices have been mailed to all members who have not yet renewed. As always, you may renew by remitting the invoice with payment or by paying online at the ISACA web site.

We shall be ushering in a new year shortly. As chapter members, we can look forward to many exciting upcoming chapter and international activities. In the new year, our chapter will pilot some short sessions in addition to the monthly professional development sessions. We hope you will find these additional sessions useful. Stay tuned for details in the upcoming newsletters, electronic notification and on our chapter website!

Meanwhile, have a happy holiday season!

Patricia

Season’s Greetings!

From Your Chapter Board


INTERNATIONAL NEWS

Events Update - 2005-07 Conferences

ISACA is proud to announce the dates and locations of upcoming conferences/events beyond 2004.

The following are anticipated and known dates and locations for conferences in 2005, 2006 and 2007:

North America CACS

- 24-28 April 2005, Las Vegas, Nevada, USA
- 7-11 May 2006, Orlando, Florida, USA
- April/May 2007, Dallas, Texas, USA

International Conference

- 19-23 June 2005, Oslo, Norway
- 30 July-2 August 2006, Adelaide, South Australia
- July 2007, Singapore

EuroCACS Conference

- March 2006, London, UK

Latin America CACS

- October 2005, Panamá City, Panamá

2005 Oceania CACS

- Perth, Western Australia, Australia

Information Security Conference

- September 2005, Las Vegas, Nevada, USA

Network Security Conference

- September 2005, Las Vegas, Nevada

COBIT User Convention

The next session in the new COBIT User Convention series will take place 21-22 February 2005 in Cape Town, South Africa. The COBIT User Convention, exclusively designed for users of Control Objectives for Information and related Technology (COBIT®), is a two-day event featuring case studies and facilitated discussion groups. These events will allow COBIT users to share success stories, address questions and provide information about future developments.

The first convention was successfully completed in Chicago, Illinois, USA, in November. It included a keynote address from John C. Carrow, vice president and chief information officer, Unisys Corporation, on how Unisys Corporation is transforming its IT organization using COBIT as the fundamental baseline for achieving standard IT processes and Sarbanes-Oxley compliance.

An additional convention is planned for 11-12 April 2005 in Brussels, Belgium. For additional COBIT User Convention locations and dates as they become available, please visit www.isaca.org/Cobituserconvention.

Bookstore Update

The following selected books are now on sale at special reduced prices:

- Achieving the Promise of Information Technology
- How to Turn Computer Problems into Competitive Advantage
- Brink’s Modern Internal Auditing
- The Soul at Work
- E-commerce Security: Weak Links, Best Defenses
- Fighting Computer Crime: A New Framework for Protecting Information
- Netspionage
- E-business 2.0: Roadmap to Success
- The Clickable Corporation
- Strategic Internet Commerce
- Surviving the Digital Jungle
- Activity Based Information Systems


Complete descriptions of these books are available on the ISACA web site at www.isaca.org/salebooks. For more information, or to place an order, please contact [email protected] or telephone +1.847.253.1545, ext. 401.

Please note that books offered in the ISACA Bookstore Inventory Reduction Sale may contain dated material. Sale prices are effective while quantities are available.

Research News

Research Projects in Progress With Target Release Dates

Managing Risk in the Wireless LAN Environment: Security, Audit and Control Issues—fourth quarter 2004

Cybercrime: Incident Response and Digital Forensics Services—fourth quarter 2004

Control Practices

Control Practices extends the capabilities of the COBIT framework with an additional level of detail. The COBIT IT processes, business requirements and control objectives define what needs to be done to implement an effective control structure. The control practices provide the more detailed how and why needed by management, service providers, end users and control professionals to help them justify and design the specific controls needed to address IT project and operational risks and to improve IT performance. The publication provides guidance on the reason for controls and the best practices for meeting specific control objectives.

All of the control practices are individually integrated into COBIT Online™; for subscription details see www.isaca.org/cobitonline. A publication containing the control practices for all of the 34 high-level COBIT control objectives will be available in the ISACA Bookstore, www.isaca.org/bookstore, in the third quarter.

COBIT Security Baseline™

This guide is based on COBIT, which is a comprehensive set of resources that contains the information organizations need to adopt an IT governance and control framework. COBIT covers security in addition to risks that may occur with the use of IT. This guide focuses on the specific risks of IT security, in a way that is easy to follow and implement for all users—small to medium enterprises, executives and board members of larger organizations as well as home users. This document is available for a limited time as a complimentary, member- and CISM-only download at www.isaca.org/cobitsecuritybaseline.

Please visit www.isaca.org/cobit for more information on the entire COBIT body of work.

Research Project Spotlight

COBIT Mapping: Mapping of ISO/IEC 17799:2000 With COBIT

The document demonstrates how these two standards are interrelated, and how the detailed information requirements of ISO/IEC 17799:2000 can be integrated with COBIT. Almost 1,000 information requirements were mapped to 316 COBIT control objectives. The document is a profound source of information for all stakeholders responsible for, and interested in, IT governance, information security management and their respective controls. It is especially useful for IT and information security managers with the responsibility to address these issues, especially when implementing COBIT, ISO/IEC 17799 or both. This paper is a valuable source and useful guideline for implementation of these standards in organizations, independent of their size, geography or industry. It will help to improve completeness and quality and reduce cost of such implementations.

This detailed mapping document, as well as the high-level COBIT Mapping: Overview of International IT Guidance paper, is posted for complimentary download at www.isaca.org/research.


IT Control Objectives for Sarbanes-Oxley

The updated ITGI document is now available in the ISACA Bookstore for US $5 per printed copy. IT Control Objectives for Sarbanes-Oxley is also available as a complimentary download on the ITGI and ISACA web sites (www.itgi.org and www.isaca.org). For convenience, ISACA members also have access to the appendices in Microsoft Word format on the ISACA web site.

ITGI first issued IT Control Objectives for Sarbanes-Oxley as a discussion document in the third quarter of 2003. It covered the importance of IT within the Sarbanes-Oxley compliance process. The positive responses received, as well as the number of new articles, web sites and third-party presentations that have referenced the document and its message, have served to meet the objective of the project—to provide IT-related guidance for Sarbanes-Oxley compliance.

The responses to the discussion document resulted in many enhancements to the new edition. This latest release addresses these suggested revisions, as well as the PCAOB pronouncement in March 2004.

Toronto Chapter Activities

We’re Growing!
By Director of Membership, Margaret Lee-You

We cordially welcome the following new, transferred and returning members into our Chapter:

Afolabi Akinduro Geoffrey Gorender Margaret Morrison Lisa Allen Federic Guimont Ravinder Nehru Guruswamy Alooru Jason Hall Kayode Olafunmiloye Ben Omiyi Muizz Hassan Jan Pachl Michael Beer Dennis Herdman Palanivelu Pasupathy Andrew Bowler Jason Hollingsworth Girish Patel Llewellyn Carby Terry Hung Ann Perry Eric Carvalho Robert Hutchison Sean Pillai Gaunett Coke Sam Kamoutsis Diana Pompilii Erdinc Dalli Ahmed Khalid Francis Romany Shiraz Daresalamwala Bilal Khan Doug Sibley Bing Deng Javed Khan Richard Sizer Robert Dimech Alex Kwok Claude Smith Vladimir Dimitrov Anila Lalani Vincent Tan Ashutosh Dutta Stacey Larizza Cresencio Vasquez Edward Dzikunu Karima Madhany Oscar Vaz Peter Edward Venkitachalam Mahadevan Daniel Wen Helene Edwards Dave Maharaj Roy Wiseman Maher El Loulou Scott McDonald Sammy Wong Brian Fisher Terry McInally Richard Zaluski Paul Formosa Robert McNicoll Jin Zhang Lynn Gaw Ronnie Mohammed


From the Director of CISA/CISM Training

Congratulations to all GTA Professionals who recently passed the 2004 CISA & CISM Exams!

Being recognized as a CISA and CISM brings with it a great number of professional and organizational benefits. Successful achievement demonstrates and attests to an individual's information systems audit, control and security expertise and indicates a desire to serve an organization with distinction. This expertise is extremely valuable given the changing nature of information technology and the need to employ certified professionals who are able to apply the most effective information systems audit, control and security practices, and who have an awareness of the unique requirements particular to information technology environments. Those who become CISAs and CISMs join other recognized professionals worldwide who have earned these highly sought-after professional designations.

Please join me in congratulating the following GTA Professionals in their outstanding achievement!

Manish Agarwal Vivek Gupta Patricia C. Muricy Rajul Aggarwal Jason Hall Sarwat Nafei Sabah-ul Arfeen Omodara Henry Vincent Ohprecio Ijaz Arif Joyce Wei Yun Ho Luis Estanislao Valencia Palacios James Arlen Jason Neale Hollingsworth Paulina Maria Paplinski Manoj Arora Martin Hristov Pacanchique Maria Patricia Eugene Atangan Christopher Hutny Steven Francis Peck Tara Lynn Baker Fazal Adil I. Francia Peralta Darin L. Barton Khan Muhammad Irfan Wallace Chesterfield Pitt Herminia A. Bastos Felixberto Palacios Isada Robert Anthony Plaenk Michael J. Beer Tushar Jaiswal Palakkal Rajagopalan Robert Beggs Sam Kamoutsis Leroy Michael Reynolds Rajiv Bhushan Ahmed Karim John Wallace Rombough Wang Binbing Ahmed M. Khalid Robert Walker Rowe Glenn Blair Javed Khan Irfan Saeed Richard de Borja Nitin Neil Khare Muhammad Umar Saleem Andre M. Carrington Anthony Wing-Kwan Ko Manoj Kumar Satnaliwala Angelo Catenazzo Kristi Koo Brian Senic Brian Chan Chun Yan Kwan Kevin Shannon Anurag Chanda Alex Ka Leung Kwok Shashi Shekhar Gautam Chaudhuri Philippe Lagrange Bridget Simard Gang Chen Noble LaiFang Mily Song/Xiying Gifford Chu Lorri Ellen Larstone Craig Van Spall Gaunett R. Coke Michael Lee John Rajes Sundararaj Erdinc Eric Dalli David Cameron Lewis Wilbert Joseph Tabang Bernard Damhuis Ke Liu Paul Ho Ming Tam Shiraz A. Daresalamwala Grand Lui Vincent Tan Vladimir Dimitrov Richard Mangru Danny Torchia Peter Raphael Edward Maureen Yi Mao Yeung Tsang-Tay Wei Fang Carlo Mariglia Alain Valiquette Jeffery Feldman Lester Cabero Marinas Daniel Hua Wen Francisco Franco Terry McInally Donna L. Wile Andre Pereira Gargaro Divyesh Pravin Mehta Stuart Wright Donald A. van Geete Florin Mirsu Stanislav Yazhemsky


Ann Marie Gillingham Guennadi Momot Benjamin Yip Geoffrey Gorender Kamani Moyez James Allan Young Frederic Louis Guimont Bhupathy Raju Muppala

Note: This list EXCLUDES individuals who requested that their exam results NOT be released and EXCLUDES individuals who have not paid their exam-related fees.

Top Three CISA Scorers

We would like to provide special recognition to the following individuals in their outstanding achievement in being the top three CISA scorers for the Toronto Chapter:

- John Wallace Rombough, Ranking No. 1
- Daniel Hua Wen, Ranking No. 2
- Paul Ho Ming Tam and Jeffery Feldman, Ranking No. 3

Top Three CISM Scorers

We would like to provide special recognition to the following individuals in their outstanding achievement in being the top three CISM scorers for the Toronto Chapter:

- Andre M. Carrington, Ranking No. 1
- Glenn Blair, Ranking No. 2
- Manoj Arora and Noble LaiFang, Ranking No. 3

CISA/CISM 2004 Update

I am pleased to embark on my third term serving as the Director of CISA/CISM Training for the ISACA Toronto Chapter. Over the past month or so, I have been receiving many phone calls and emails requesting information about the CISA and CISM exams and the qualification process in general. It is exciting to see so much continued interest in the CISA and CISM designations. I would like to take this opportunity to invite each of you who are contemplating writing the exam, or who have questions in general about the CISA and CISM designations, to an information session being held on January 13, 2005. The details are as follows:

CISA and CISM Information Session:

The session is aimed at individuals who wish to obtain information about the CISA and CISM designations and the qualification process. The session will include topics such as registering for the CISA and CISM exam, the exam content, CISA exam preparation courses, key dates, etc.

Date: January 13, 2005
Time: 4:30 p.m. – 6:00 p.m.
Location: Deloitte & Touche, 79 Wellington Street West, P.O. Box 29 TD Center, Toronto M5K 1V9, Main Boardroom, 19th Floor, Room 19-010

Registration is not required; however, I would appreciate it if you could RSVP by January 7, 2005 to me, Lisa Allen, at (416) 601-6441 or [email protected].


CISA/CISM Appreciation Night & Member Networking Reception:

We would like to take this opportunity to thank everyone who came out for the CISA/CISM Appreciation Night and the networking reception. We had a great turnout and it was a lot of fun catching up with all of our successful writers and fellow ISACA members.

2005 CISA/CISM Examination

The CISA/CISM Exam this year will be on June 11, 2005 and consists of 200 multiple-choice questions, administered during a four-hour session. The purpose of the examination is to test a candidate’s knowledge, evaluation and application of IS audit principles and practices and technical content areas.

New Comprehensive CISA Preparation Course

The ISACA Toronto Chapter will be offering two CISA preparation courses to assist writers in preparing for the CISA exam.

Saturday morning and Saturday afternoon classes

The ISACA Toronto Chapter will be providing a Comprehensive CISA preparation course to assist writers in preparing for the CISA exam. We will be holding two courses, which will run weekly every Saturday morning and Saturday afternoon, from March 2005 to June 2005 (excluding holiday weekends). Each session will be instructed by experienced IS audit, security & control professionals. This is a comprehensive course, covering each of the technical content areas of the CISA exam. In addition to technical training, attending the preparation course allows writers to network with other writers and to develop support groups for self-study. The course structure is designed for first-time CISA writers and those writers who are inexperienced in IS auditing.

Start Date: March 19, 2005
Cost: Member $350 CAD, Non-Member $450 CAD
Location: 79 Wellington Street West, 20th Floor

Concentrated CISA Preparation Course:

The ISACA Toronto Chapter will also be providing a Concentrated CISA preparation course to assist writers in preparing for the CISA exam. The course will run over 3 full days on May 7th, 8th, and 14th, with the option to attend a ½ day review/question session on June 4, 2005. Each day will be instructed by experienced IS audit, security & control professionals. This is a concentrated course. Although the course will cover each of the technical content areas of the CISA exam, the pace is fast and there is more emphasis on self-study. The course structure is designed for experienced IS audit professionals with a minimum of 4 years’ experience, or for potential repeat CISA writers.

Start Date: May 7, 2005
Cost: Member $450 CAD, Non-Member $550 CAD
Location: 79 Wellington Street West, 19th Floor

For questions regarding the Toronto Chapter CISA Comprehensive/Concentrated Preparation Course, please contact Jennifer Boyce, CISA Training, ISACA Toronto Chapter, (416) 643-8276, [email protected]

Exam Key Dates to Remember

- February 2, 2005 – CISA/CISM Exam Early Registration Deadline
- February 25, 2005 – CISA Comprehensive Preparation Course Registration Deadline
- March 30, 2005 – CISA Exam Final Registration Deadline
- April 15, 2005 – CISA Concentrated Preparation Course Registration Deadline


- June 11, 2005 – CISA/CISM Exam

I look forward to serving as your Director of CISA/CISM Training. Please feel free to contact me directly with any specific questions you may have. I will be more than happy to answer them. Keep an eye on the ISACA Toronto Chapter website as I will be regularly updating the site with information on our CISA Preparation Course and other frequently asked questions. Additional information about the CISA and CISM exam can also be found on the ISACA International website.

Lisa Allen

2005 CONTINUING PROFESSIONAL EDUCATION SERIES SCHEDULE

Date (2005) | CISA CE Hrs | Time | Session | Speaker
Jan 13 | 7.0 | 8:30am – 5:00pm | Key Tools for a Network Security Audit | J. Tannahill
Feb 10 | 3.5 | 8:30am – 12:00pm | Continuity Threat and Risk Assessment | E. Lahnakoski
Feb 10 | 3.5 | 1:00pm – 5:00pm | Project Risk Management | B. Rajamani
March 10 | 7.0 | 8:30am – 5:00pm | Writing Effective IT Audit Reports | T. Nichols
April 4 – 6 | 21 | – | Canadian Conference on I.T. Audit, Governance and Security ** | –
April 14 | 3.5 | 8:30am – 12:00pm | Auditing the IT Security Function | A. Woda
April 14 | 3.5 | 1:00pm – 5:00pm | Patch Management | G. C. Hall
May 12 | 7.0 | 8:30am – 5:00pm | More Wireless With Less Worry | M. Richardson
June 9 | 7.0 | 8:30am – 5:00pm | How To Audit Web-Based Application Security | D. Rhoades
June 23 | 7.0 | 8:30am – 5:00pm | Intrusion Detection and Intrusion Prevention | E. Schultz
June 23 | – | 5:00pm – 6:00pm | Annual General Meeting | –

Course Location: Board of Trade, First Canadian Place, corner of King & Bay, Toronto.

Legend
* Register for the ISACA Training Week Sessions through the ISACA International Web Site – www.isaca.org
CE - Continuing Education Hours for the CISA/CISM Designation.


KEY TOOLS FOR A NETWORK SECURITY AUDIT

Thursday, January 13th, 2005 8:30am - 5:00pm 7.0 CE Hours

This popular workshop has been updated in 2004 with new network security tools as well as updates to existing tools. The workshop will discuss 20 key tools and techniques that can be used to perform a comprehensive network security assessment. It will demonstrate the tools and provide practical tips on using them. The workshop will use a live TCP/IP network with Windows and UNIX operating systems to demonstrate network mapping and discovery, TCP/IP port scanning and network vulnerability assessment from an auditor’s perspective. This will provide the framework for the practical use of tools and techniques. The participants will learn:

- A structured audit approach to network security assessment
- Practical uses and limitations of the tools
- How to perform network discovery and mapping
- Network vulnerability assessment tools and techniques
- How to use packet capture and analysis tools for audit purposes

Prerequisites: The participant should have a basic understanding of TCP/IP.

CONTINUITY THREAT AND RISK ASSESSMENT

Thursday, February 10th, 2005 8:30am – 12:00pm 3.5 CE Hours

Too often, business continuity plans and disaster recovery plans are developed and tested without reference to a rigorous and empirical analysis of threats and risks to the continuity of an organization. This seminar addresses methodologies for:

- organization and governance structure and framework
- assessing and quantifying your organization's exposures to prolonged business and system outages
- identifying time-sensitive processes, their recovery priorities and interdependencies
- determining the maximum tolerable downtime for your organization, through the specification of recovery time objectives and recovery point objectives for these time-sensitive processes and the information systems applications and infrastructures that support them.

The seminar will focus on the following:

- An overview of regulatory and contractual requirements affecting financial institutions and other publicly traded organizations
- Techniques for identifying potential threats to your organization
- Identifying essential business processes within your organization
- Assessing the impact of the above threats on essential business processes and the time-sensitivity of these impacts
- Methods of identifying single points of failure in your organization
- Principles and "good practices" in developing threat reduction/deterrence countermeasures
- Determining the minimum resource requirements for resuming business operations (albeit in a degraded mode)
- Assessing and reporting on the potential impacts of facility-wide and regional incidents

Attendees will obtain an understanding of frameworks for assessing business interruption risks, as well as the principles, methodologies and best practices for quantifying and describing the time-dependent consequences of prolonged and unanticipated business interruption events.


PROJECT RISK MANAGEMENT

Thursday, February 10th, 2005 1:00pm – 5:00pm 3.5 CE Hours

Given the statistics on project failures, successful management of project risks is crucial to project success. However, in several organizations the reality is that there is a gap between the organization’s total risk exposure within its project portfolio and its risk management capabilities. This risk management gap is caused by a number of factors and practical challenges faced by project teams. Firstly, project teams do not share a common language for defining risks; for instance, program, project and product risks are often not distinguished from one another and dealt with separately. Secondly, many organizations lack structured risk management processes and training. Further, organizations are challenged with defining risk tolerances, often letting project managers either under- or over-manage risks, with sub-optimal end results.

The purpose of this session is to share practical insights and discuss:

- Basics of risk management and a project risk management process;
- Factors that complicate project risk management;
- A project risk model and various categories of project risks: project management risks, product life cycle risks, project support risks and project environment risks;
- An approach for identification, assessment and management of project risks that maximizes return on efforts; and
- Relevant best practices.

WRITING EFFECTIVE IT AUDIT REPORTS

Thursday, March 10th, 2005 8:30am – 5:00pm 7.0 CE Hours

Writing an effective audit report is often a significant challenge to an information technology audit specialist. Technical subject matter must be effectively communicated to end-users and constituents who may not be familiar with information technology, and may be more interested in the "big picture".

This course addresses the reporting standards of the auditing profession. Seminar participants will start by learning a comprehensive approach for business writing in general and on audit reports in particular. We will then examine the various components of a typical audit report: conclusion, scope, findings/observations and management action plans.

The emphasis will be on the importance of developing a single, clear message for the key sections of the audit report document. We will cover critical principles such as tone, language, brevity, and grammar. We will also consider the needs of readers and the development of a structure that supports the main message.

AUDITING THE IT SECURITY FUNCTION

Thursday, April 14th, 2005 8:30am – 12:00pm 3.5 CE Hours

Auditing the information security function will allow seminar attendees to gain an understanding of information security frameworks consisting of best practices, and of information security management systems based on the ISO 17799 standard. This session will cover the best practices for information security and provide an audit program for assessing and rating the maturity level of the information systems program. The session begins with an overview of information security organization and policies, as well as risk management methods, and then covers information security awareness, application security, networks, physical security, compliance programs and business continuity. Information security trends and management techniques will also be presented.


PATCH MANAGEMENT

Thursday, April 14th, 2005 1:00pm – 5:00pm 3.5 CE Hours

What is Patch Management: “the systematic notification, identification, deployment, installation, and verification of applicable hot fixes, patches, and service packs to operating systems, and software applications.”

The critical and often missed aspect of patch management is that it is NOT a technology-only problem or solution. People and processes are vital to a sustainable, repeatable, successful enterprise-wide solution. We will discuss 12 separate capabilities that are necessary for an enterprise-wide patch management solution.

These are sub-processes of the following higher-level groupings: Security Management, Asset Management, Change Management, and Emergency Management.

MORE WIRELESS WITH LESS WORRY

Thursday, May 12th, 2005 8:30am – 5:00pm 7.0 CE Hours

Wireless networks offer businesses many advantages over wired networks. Benefits including increased mobility, network architecture flexibility, and lower infrastructure costs have been behind the increasing use of wireless systems in the design of corporate networks. Although wireless networks have significant benefits, the underlying technologies contain many inherent security risks. As with most new technologies, functionality, not security, was the primary design focus for wireless networking.

“More Wireless with Less Worry” will discuss the major wireless technologies, significant security risks, and different methods to identify and secure the technologies. Demonstrations will illustrate the impact of unauthorized (rogue) access points, unsecured wireless networks, and public hotspots on your environment.

Key topics will include:

Benefits and applications of wireless technologies

Prevalent technologies and standards

Standard security features

Security limitations and inherent vulnerabilities

War driving and other specific attacks

Significant risks and impact

Securing wireless technologies with layered controls

Performing wireless security assessments.


HOW TO AUDIT WEB-BASED APPLICATION SECURITY

Thursday, June 9th, 2005 8:30am – 5:00pm 7.0 CE Hours

From sign-on to sign-off, and everything in between, this course goes beyond typical web server configuration tips. This course will show you how to test your web-based application for security flaws ranging from the subtle to the severe.

There are numerous commercial and freeware tools to assist in locating network-level security vulnerabilities. However, these tools are incapable of locating application-level issues for your web-enabled applications, such as online shopping and banking. This course will demonstrate how to identify security weaknesses for web-enabled services that could be exploited by remote users.

The course will:

Define the key threat areas

Demonstrate how to remotely identify vulnerabilities within each area using publicly available software and manual techniques

Describe the steps required to eliminate or mitigate exposures

With numerous real-world examples from the instructor’s years of experience with testing web application and network security, this informative and entertaining course is based on fact, not theory. The course material is presented in a step-by-step approach, and will apply to web portals, e-commerce, online banking, shopping, subscription-based services, or any web-enabled application.

This course would be especially useful for those who:

Audit web application security

Develop web applications

Manage the development of a web application

All techniques and tools are demonstrated using a Windows platform. Course notes will include documentation for performing similar tests on UNIX systems.

INTRUSION DETECTION AND INTRUSION PREVENTION

Thursday, June 23rd, 2005 8:30am – 5:00pm 7.0 CE Hours

Intrusion detection has grown from something that at one time was considered a "black art" to a mainstream activity in organizations throughout the world. Intrusion prevention is new and still mostly unproven. Intrusion detection and intrusion prevention involve considerably more than deploying intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). The particular manner in which IDSs and IPSs are deployed greatly affects their usefulness, but few people genuinely understand the ins and outs of intrusion detection and intrusion prevention sufficiently to use them optimally. Additionally, successful use of intrusion detection and intrusion prevention requires establishing an infrastructure that includes appropriate policy provisions, management oversight, incident response procedures, and many other considerations.

This one-day course "puts it all together" by providing attendees with in-depth information about the most critical aspects of intrusion detection and intrusion prevention. This course teaches attendees what they need to know to set up an intrusion detection program and make sound technical and managerial decisions concerning deployment of the various elements of these programs.

Topics covered will include:

Approaches to Intrusion Detection and Intrusion Prevention

Case Studies: Real-Life IDSs

Limitations in IDSs and IPSs

The Administrative/Procedural/Legal Side of Intrusion Detection

This course is designed for a wide range of attendees, including system and network administrators, IT staff, information security staff, and auditors. It contains a mixture of technical and non-technical information. Some knowledge of networking, Unix, Linux and Windows operating systems is helpful in understanding some of the technical content of this course, but is not required.

CAREER OPPORTUNITY

Positions Available

An Intermediate IT Auditor responsible for carrying out project and operational audits in a major Canadian financial institution.

Qualifications: The skills that will add to your effectiveness may include: B.Sc in Computer Sciences or Math, or equivalent; CISA and enrolled in one of the following: CGA or CMA programs; 2-3 years experience within an audit role or at an IT Analyst level within an IT environment. Experience in at least three of the following areas is required:

- Platforms: desktop, NT servers, HPUX
- Operating systems: Windows 2000/2003, NT, Unix/AIX
- Database Management System: Oracle, Sybase, MS SQL, Paradox, Access 2000, Fox Pro
- Business applications: Pension Systems, Oracle Financials, JD Edwards, Investment applications, Business Continuity Planning
- Technical Services: Internet services, security, Disaster Recovery Planning, Telecommunications and networking, Vendor Management

Experience with project management methodology, systems development life cycle (SDLC), and computer-assisted auditing techniques (CAATs) using ACL.

Strong analytical, organizational and judgment skills. Strong written and oral communication skills with a demonstrated ability to effectively communicate ideas and actions to people at all levels in an organization. Proficiency in Microsoft Office (Word, Excel, Outlook) and MS Project is required. Strong interpersonal skills to facilitate working with staff at all levels to obtain a full understanding of the assigned audit area. The successful candidate would require minimum travel.

Please apply in-confidence directly to Evelyn Santos at [email protected].


COUPON ORDER FORM

Company Name:

Address:

Contact Person:

Telephone:

Fax:

Item                                                           Quantity   Total Cost

Book Type MA @ $750 (Member, 10 Half-day session coupons)

Book Type NA @ $950 (Non-Member, 10 Half-day session coupons)

TOTAL

GST included. GST Registration No. R123951709.

Please make checks payable to The ISACA - Toronto Chapter. Coupons are not accepted for Joint or Multi-day Sessions. Coupon Expiry Date: June 30th, 2006.

Mail completed form and cheque to:

Information Systems Audit and Control Association
Toronto Chapter - Program Committee
c/o Cheryl Kicksee
Metro Toronto Police
4620 Finch Avenue East
Toronto, Ontario M1S 4G2

2004/2005 CONTINUING PROFESSIONAL EDUCATION SERIES

Session                          Members   Non-Members

All Day (8:30am – 5:00 pm)       $160      $200

Morning (8:30 am – 12:00 pm)     $80       $100

Afternoon (1:00 pm – 5:00 pm)    $80       $100

GST included. GST registration number: R123951709


REGISTRATION FORM

SESSION NAME

DATE

Name & Email address

Company Telephone Member(Y/N)

AM/PM/ DAY

CISA/CISM(Y/N)

WAYS TO REGISTER

Email George Davis at [email protected] or use the on-line form at www.isaca.toronto.on.ca

Call: (416) 410 - 2246 or Fax: (705) 487 - 1548

Make cheques payable to ISACA - Toronto Chapter. Charge cards will NOT be accepted.

To avoid disappointment and to assist us with logistics, please register at least 2 days before the session.

NEED UP-TO-DATE INFORMATION?

Check www.isaca.toronto.on.ca or Call (416) 410 - 2246

Remember to check the session location before attending since venues can change due to availability.


Member’s Submission

Wireless SOS

Since the introduction of the Wireless LAN (WLAN) 802.11 specification by the Institute of Electrical and Electronics Engineers (IEEE) in 1997 there has been a host of products available for businesses and consumers to pursue wireless connectivity. Businesses can gain several benefits from deploying wireless technology including ease of deployment, simplified maintenance and upgrades, and removing the need to install cabling and wires. These benefits can yield significant savings in both time and dollars.

Key Exposures

However, in the excitement created by deploying this new technology, an important component was not given a high enough priority – security! The initial 802.11 specification and those that immediately followed provided rudimentary security at best. The authentication mechanism was weak and it was demonstrated that wireless sessions could be hijacked or be subjected to denial-of-service attacks. The encryption scheme (Wired Equivalent Privacy or WEP) used a static 40-bit shared encryption key that was easily compromised and cumbersome to manage. Worse yet, encryption was not enabled by default. Thus, a WLAN could be deployed that enabled connectivity to an organization’s internal network with virtually no protection. “War driving” has become a popular pastime where someone with a laptop and wireless adapter could drive by on a street searching for a wireless access point, connect to an exposed network and enjoy free access. There are even web sites that identify wireless access points in major North American cities.

Recommendations

So what can organizations do to address security requirements while working with this emerging technology? The IEEE Standards Board Review Committee approved the 802.11i specification in June 2004 that provides for better security and addresses the earlier weaknesses. While vendors move to provide 802.11i-compliant products the Wi-Fi Protected Access (WPA) standard is available that provides stronger security by incorporating some features of 802.11i (such as stronger encryption). Organizations can make use of WPA but still need to take a proactive approach to dealing with wireless security risks. Some suggestions include:

Reviewing wireless projects and assessing the security implications. Consider privacy and confidentiality requirements especially if sensitive data (e.g. personal information, intellectual assets) can be accessed.

Treat wireless access points as external access points and secure them accordingly. Consider using a DMZ to channel wireless connections and securing the access points using VPN or RADIUS solutions.

At the very least, turn on WEP (still better than no security at all) and look for products that offer WPA.

Change the default passwords of each wireless access point. These are well known to hackers.

For each access point, change the manufacturer’s default service set ID (SSID) to some value that is not easily identifiable with the organization and disable the broadcast SSID. This will require the remote device to match the SSID of the access point in order to establish a connection.

Consider controlling access of remote devices based on specific MAC addresses. For wireless routers it is also possible to use static IP addresses rather than DHCP. Both these methods are useful for restricting who can connect to the wireless access points, although they could come with some administrative overhead.

Perform a security review of existing wireless infrastructure and assess areas of risk. For example, plan to place wireless access points away from outer walls and windows and closer to the centre of the building. Also, organizations should think about doing their own “war driving” exercises regularly to test their exposure and to identify wireless access points.
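As an added example (not the author’s tool and not any vendor’s configuration format), the following Python checks an access point record against the recommendations above: encryption level, default administrator password, default or organization-identifying SSID, SSID broadcast, and MAC address restriction. The field names, the sample sets of well-known default SSIDs and passwords, and both sample configurations are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Factory-default values treated as "well known" (constructed sample sets, not a vendor list).
DEFAULT_SSIDS = {"default", "linksys", "wireless", "netgear"}
DEFAULT_PASSWORDS = {"", "admin", "password"}


@dataclass
class APConfig:
    """One access point's settings (assumed field names, not a real vendor format)."""
    ssid: str
    admin_password: str
    encryption: str        # assumed values: "none", "wep" or "wpa"
    ssid_broadcast: bool
    mac_filtering: bool
    org_name: str = ""     # used to flag SSIDs that identify the organization


def audit_ap(cfg: APConfig) -> list:
    """Return (level, text) findings for each recommendation this AP does not meet.

    'critical' findings are the exposures the article says leave the network with
    virtually no protection; 'warning' and 'info' are remaining hardening gaps.
    """
    findings = []
    enc = cfg.encryption.lower()
    if enc == "none":
        findings.append(("critical", "encryption disabled: turn on WEP at least, prefer WPA"))
    elif enc == "wep":
        findings.append(("warning", "WEP only: look for products that offer WPA"))
    elif enc != "wpa":
        findings.append(("warning", f"unrecognised encryption setting '{cfg.encryption}'"))

    if cfg.admin_password in DEFAULT_PASSWORDS:
        findings.append(("critical", "manufacturer default administrator password still set"))

    ssid = cfg.ssid.lower()
    if ssid in DEFAULT_SSIDS:
        findings.append(("warning", "manufacturer default SSID still set"))
    elif cfg.org_name and cfg.org_name.lower() in ssid:
        findings.append(("warning", "SSID is easily identifiable with the organization"))

    if cfg.ssid_broadcast:
        findings.append(("warning", "SSID broadcast enabled; clients should have to know the SSID"))
    if not cfg.mac_filtering:
        findings.append(("info", "no MAC address restriction (optional; adds administrative overhead)"))
    return findings


def rate_ap(cfg: APConfig) -> str:
    """Summarise an AP as 'exposed' (any critical), 'weak' (other gaps) or 'hardened'."""
    levels = {level for level, _ in audit_ap(cfg)}
    if "critical" in levels:
        return "exposed"
    return "weak" if levels else "hardened"


# Constructed sample configurations: an out-of-the-box AP and the same AP after remediation.
FACTORY_AP = APConfig("linksys", "admin", "none", True, False, org_name="Acme")
HARDENED_AP = APConfig("xq7-site-b", "Ld9!r2#vPq", "wpa", False, True, org_name="Acme")

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_AP), ("hardened", HARDENED_AP)):
        print(f"{name}: {rate_ap(cfg)}")
        for level, text in audit_ap(cfg):
            print(f"  [{level}] {text}")
```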

Keith D’Sousa, CMA, CISA, CISM is a Senior Manager within KPMG’s Advisory Services practice in Toronto. He has over 15 years of extensive experience in all aspects of information systems processing, risk management, and information systems security review assignments on a variety of computing environments. Keith has developed a particular expertise in the areas of data security and integrity, having held technical and systems audit positions. He has extensive security and controls expertise on a variety of computing platforms.


Features and Benefits

A full conference featuring a keynote address by one of Canada’s leading IT authorities, 20 concurrent sessions in four tracks and our very popular, in-depth, practical workshops.

For additional information and on-line registration, go to the Conference-exclusive web site at: www.conferences.cica.ca/ITAudit

CONFERENCE FEATURES

Keynote address: Doug Cooper, Country Manager, Intel Canada Inc.

CONCURRENT SESSIONS:

Executive track (Day 1 only)

Aligning Investment in IT with Business Strategy

Project Management in Today’s Corporation: Staying Competitive and In Control

Creating & Maintaining Stakeholder Value: Information Systems Governance & Enterprise Resiliency

IT Audit track

An Update on the Sarbanes-Oxley Act – Continuing Implications for the IT Auditor (in-depth, double session)

SOX Roundtable – Real Life Experiences

Business Continuity Planning (in-depth, double session)

Application and Data Retirement

The New S. 5900 – Impact on SOX Compliance

IT Governance track

Building a Bridge to Excellence – Focus on the Custodians of ERP

Responding to Audit Committee Expectations

The Contractual Issues of Outsourcing

Change Management from Management’s Perspective

Managing Multi-Sourced Environments

Current Issues in Privacy

IT Procurement Trends

IT Security track

Application Security in a Web World

Wireless Security

Secure IT Infrastructure for ecommerce

COBIT Security Baseline (in-depth, double session)

Intrusion Detection & Prevention (in-depth, double session)

WORKSHOPS

Fundamentals of IT Audit (3 days)

Wireless Networks (1 day)

Audit and Security of Windows 2003 (1 day)

CONFERENCE BENEFITS

When you register for the 2005 Canadian Conference on IT Audit, Governance and Security, you receive access to our expanding Conference-exclusive Web Community.

Also available is Xtensions, our unique CD-ROM product that will give you valuable in-house training opportunities and serves as an important, permanent electronic conference record.


2004/5 ISACA TORONTO CHAPTER OFFICERS AND COMMITTEES

PRESIDENT

Patricia Goh - President Bank of Nova Scotia 416-866-6507 [email protected]

Soon Shiong Bank of Nova Scotia 416-866-6719 [email protected]

Li Bank of Nova Scotia 416-866-4442 [email protected]

VICE PRESIDENT

Arturo Lopez, Director PricewaterhouseCoopers Inc. 416-941-8219 [email protected]

Davies PricewaterhouseCoopers Inc. 416-941-8383 [email protected]

WEBSITE MANAGEMENT

Tim Cassidy Deloitte & Touche 416-601-5287 [email protected]

Chib Moneris Solutions 416-734-1726 [email protected]

Faroogh Tactical Business Solutions 416-930-3530 [email protected]

Goh Bank of Nova Scotia 416-866-6507 [email protected]

CERTIFIED INFORMATION SYSTEMS AUDITOR / CERTIFIED INFORMATION SECURITY MANAGER

Lisa Allen, Director Deloitte and Touche 416-601-6441 [email protected]

Cram Deloitte and Touche 416-601-6501 [email protected]

Jennifer Boyce Deloitte and Touche 416-643-8276 [email protected]

COMMUNICATIONS

Ian Steingaszner, Director Magna International Inc. 905-726-7408 [email protected]

Devadas KPMG 416-777-8458 [email protected]

CONTINUING EDUCATION COMMITTEE

Bob Darlington, Director Canadian Pacific Railway 416-595-3242 [email protected]

Baker RBC Financial Group 416-955-3621 [email protected]

Bhagar Bank of Nova Scotia 416-933-2554 [email protected]

Davis - Registrar Retired 705-487-3130 [email protected]

Dyer RBC Financial Group 416-955-6732 russell.dyer@rbc.com

Laureen Ellis Mackenzie Financial 416-967-2113 [email protected]

Cheryl Kicksee Toronto Police Services 416-808-4858 [email protected]

King CET-PICK 416-995-7162 [email protected]

Mangalindan Call-Net Enterprises Inc. 416-718-6479 [email protected]

Marshall Sun Life Financial 416-408-6557 [email protected]

Powell AEGON Canada Inc 416-883-5193 [email protected]

Baskaran Rajamani Deloitte & Touche 416-643-8457 @deloitte.ca

Mohammad Sharifullah AVIVA Canada Inc 416-288-5233 [email protected]

MARKETING

Nina Vivera, Director KPMG 416-777-3033 [email protected]

Devadas KPMG 416-777-8458 [email protected]

Barot KPMG 416-777-8615 pbarot@kpmg

Dharmesh Joshi KPMG 416-777-8714 [email protected]


Karen Nemani 2Keys Corporation 416-577-3222 [email protected]

Vekris 2Keys Corporation 1-888-834-4420 [email protected]

Odartei Mobile Computing Corp. Inc. 905-676-8900 [email protected]

Denzil Luna Management Board Secretariat 416-325-1138 [email protected]

MEMBERSHIP

Margaret Lee-You, Director Sun Life Financial 416-204-3756 [email protected]

Pai PricewaterhouseCoopers Inc. 416-941-8383 [email protected]

RESEARCH AND UNIVERSITY RELATIONS

Paul Johns, Director Deloitte & Touche 416-601-5850 [email protected]

Jue Deloitte & Touche 416-601-6500 [email protected]

Jager Bhoohe Vtithi Recovery Services 416-523-4775 [email protected]

Usuff Currim, Treasurer PricewaterhouseCoopers Inc. 416-228-1940 [email protected]

MalaTarun M. Arora PricewaterhouseCoopers Inc. [email protected]

PAST PRESIDENT & COMMITTEE

Bob Darlington, Director Canadian Pacific Railway 416-595-3242 [email protected]

Krishnamoorthy Deloitte & Touche 416-601-6245 [email protected]

Rodricks Deloitte & Touche 416-601-5931 [email protected]

The views and opinions contained in this publication are solely those of its author, and do not necessarily represent or reflect the views or opinions of the Toronto Chapter of the Information Systems Audit and Control Association. In the event of questions concerning articles in this publication, please contact the author of the articles directly.

Information About ISACA

ISACA is committed to providing its members and the IT assurance, information security management and IT governance community with high-quality educational and training opportunities and events.

With more than 35,000 members in over 100 countries representing more than 170 local chapters, ISACA is a recognized global leader in IT governance, control and assurance. ISACA sponsors international conferences, publishes Control Objectives for Information and related Technology (COBIT), and administers the globally respected Certified Information Systems Auditor™ (CISA®) designation and the new Certified Information Security Manager™ (CISM™) designation.

The International Conference is ISACA's flagship conference. It is also the site of the Annual General Meeting of the Membership as well as ISACA Board of Directors' meetings and scheduled Global Leadership Conference for representatives of the local chapters. Held in mid-summer annually, the International Conference attracts over 250 professionals from around the globe. Its educational streams focus on managerial and business issues of IT audit, control, security and assurance.