
ISACA’s mission is to support enterprise objectives through the development, provision and promotion of research, standards, competencies and practices for the effective governance, control and assurance of information, systems and technology.

April 2012 Page 1

Information Systems Audit & Control Association Chapter Website: www.isaca.toronto.on.ca International Website: www.isaca.org

APRIL 2012

MONTHLY BULLETIN

Toronto Chapter Activities

Certification Boot Camps

We are gearing up to offer two-day boot camp courses in CISA, CISM and CGEIT on weekends in May. The CISA course will run from 12-13 May, while the CISM and CGEIT courses will run from 26-27 May. Candidates can also measure their preparedness for the exam by enrolling in the mock exams to be held on 19 May.

The eight week comprehensive CISA exam preparation course will be held on Saturday mornings from 14 April to 02 June at the KPMG offices in the Bay Adelaide Centre, in downtown Toronto.

Further details about the courses and registration can be found on the ISACA Toronto Chapter website:

CISA: https://isaca.toronto.on.ca/cisa.aspx
CISM: https://isaca.toronto.on.ca/cism.aspx
CGEIT: https://isaca.toronto.on.ca/cgeit.aspx

The deadline to register for the June 2012 ISACA exams for CISA, CISM, CGEIT and CRISC is April 20.

If you already have the CISA designation and would like to mentor candidates preparing for the exam, you can earn up to 10 CPEs. Find out more by going to the Toronto Chapter website: https://isaca.toronto.on.ca/cisa.mentor.aspx

CALL FOR NOMINATIONS – 2012-2013 BOARD OF DIRECTORS

Nominations are being accepted for positions on the Board of Directors. A nomination must be signed and supported by two members in good standing of the Chapter. The nominee, who must also be a member in good standing of the Chapter, must sign the nomination form as well. Please submit nominations for the Board of Directors to Patricia Goh at [email protected] by April 30th, 2012.

Detach form here✂

To the Nomination Committee:

We wish to nominate for the position of

of the ISACA Toronto Chapter for the 2012-2013 year.

We confirm that we are members in good standing of the ISACA.

Name (please print): Signature: Date: Telephone:

Each nomination must be signed by two members in good standing of the Chapter. Acceptance:

I accept this nomination. I confirm that I am a member in good standing of the ISACA Toronto Chapter.

Name: Date:

Signature:


Invitation to Participate in an ISACA Sponsored Research Survey

As part of ISACA's mandate to support research initiatives, the Toronto Chapter is pleased to be a sponsor of a very important and forward-looking research project titled "Patient's Privacy in Electronic Health Records (EHR)”, led by Professor Roy Ng, CISA, of the Ryerson University Privacy and Cyber Crime Institute. Ontario is implementing EHR, and the collection, transmission and storage of digital health records carry inherent and control risks for protecting the privacy and confidentiality of patients' data.

WHAT An EHR is a longitudinal collection of the health information records of a patient and is stored in an electronic format that can be easily transmitted and shared among many service providers across a health system.

WHY Ontario is in the middle of implementing EHR. There is value in understanding patient attitudes towards privacy in EHR.

HOW To participate in the survey, please see: https://survey.ryerson.ca:443/s?s=1953

This research studies perceptions of risks and privacy concerns of patients about digitized information in an EHR and the tradeoff between privacy and clinical utility. For more details see http://ryerson.ca/~royng/survey.html

There is an opportunity for a draw for two $100 Gift Cards.

Master of Management and Professional Accounting (MMPA) Award Dinner

The Master of Management and Professional Accounting Program, offered by the University of Toronto at Mississauga, responds to this vision of changing client and employer needs by introducing bright, talented students with diverse interests and leadership potential to the ethical, human and technical foundations of business and the accounting profession. The Toronto Chapter has actively supported this program in its activities.

Your Chapter Secretary, Jeff Bhagar, represented the Chapter at the MMPA Awards and Celebrants Night which took place on 11 April, 2012. Their Director, Len Brooks, stated, “It has been very heartening to experience the strong support we have received from ISACA Toronto Chapter and look forward to sharing a mutually beneficial future.”

The MMPA program is unique in Canada. Since its beginning in 1988, originally as the MBA in Professional Accounting Program, the Program has offered a special blend of academic and professional training in a co-operative format. Their MGT 2224 – ‘Information Systems Auditing’ course covers topics such as “ISACA Standards, Guidelines, and Procedures” and “Using COBIT to perform an audit”.

For more information, see http://www.utoronto.ca/mmpa/Program/Program.html

Information Systems Audit and Control Association Award. Left to right: Amy Mullin, Jeff Bhagar (ISACA), Jeff Zygouras (award recipient) and Len Brooks stand in front of the spectacular display of the recently restored wall of arms in the Great Hall at Hart House, Canada's finest display of heraldry. For more information, see: http://www.heraldry.ca/projects/harthouse.htm


An Introduction to CobiT 5.0 – A Discussion on the Changing Governance Landscape

Full Day Session May 10, 2012 (5:30 PM - 7:30 PM)

Speakers: Gord Kilarski, Daisy Lui, Joseph Braithwaite, Mark Look Yan, and Kimberly Turgeon

Holiday Inn Kitchener
30 Fairway Road South
Kitchener, Ontario N2A 2N2

Effective IT governance ensures that products and services delivered by IT enable business strategy and contribute value to its stakeholders. In order to achieve this, an enterprise-wide governance program for information and related technologies must align with business direction and strategy, and deliver the right products and services at the right time, while managing the many risks associated with data and technology.

The need for good governance has moved to the top of executives’ agendas and includes three key areas:

• Increased value creation
• Improved business user satisfaction with IT engagement and services
• Compliance with relevant laws, regulations, and policies

CobiT 5.0 is the latest governance and management framework for information and related technology. It integrates knowledge from several predecessor frameworks to enable organizations to achieve their governance and management objectives.

This session will explain the features of CobiT 5.0 and include important considerations for adoption. Interactive voting technology will be used during the session to provide insights from the attendees on topics such as the maturity of CobiT use, adoption plans for CobiT 5.0, the challenges and feedback.

This session will cover:

• History of CobiT over the years and how it has evolved
• An overview of the CobiT 5.0 framework and principles
• CobiT 5.0 vs. CobiT 4.1 and the implications for organizations that have adopted previous versions of CobiT
• Adoption strategies
• CobiT training and certification process update

Speaker Profiles:

Gord Kilarski, I.S.P., ITCP, IP3P leads the Information and Technology Risk and Governance practice at Deloitte Canada. He is a member of the Deloitte Global Financial Industry practice and frequently advises boards and executives on governing the improvement of information and technology value. Gord has over twenty years of experience in designing effective and efficient IT organizations; holding roles as CTO, COO, and VP & General Manager in high tech companies. His focus for the past six years has been on delivering information and technology risk and governance solutions to the Canadian marketplace. Gord is an I.S.P. and holds ITCP (IT Certified Professional) and international certifications.

Daisy Lui, CISA, CIA, CISSP is a senior manager with Deloitte’s Information and Technology Risk and Governance practice based in Toronto and has over ten years’ experience in Information Technology, IT auditing and risk management. Her responsibilities have included assisting clients in managing IT risks, leading technology-oriented business risk control reviews for clients, and developing the IT risks/controls management and auditing competency within Deloitte. Daisy’s main focus has been on IT Internal Audit and IT Governance, and in the past four years she has been assisting her clients in meeting CEO/CFO certification requirements. Daisy is an accredited CobiT instructor and has led CobiT foundation classes for clients and for internal Deloitte staff. She is a Certified Information System Auditor (CISA), Certified Internal Auditor (CIA), and a Certified Information System Security Professional (CISSP).

Mark Look Yan, CISA, CRISC leads the Internal Audit and Compliance practice within the Information and Technology Risk and Governance practice at Deloitte. Mark has over 8 years of experience in providing clients with IT Governance, risk management, and assurance solutions across a diversified client base in the financial services, telecommunications, public sector, and manufacturing industries. He is a certified trainer for CobiT Foundations and CobiT Implementation Methodology. He is also a Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC).

Joseph Braithwaite, CGEIT, CRISC, PMP, ITIL is a manager with Deloitte’s Information and Technology Risk and Governance practice in Toronto. Joseph has over 15 years of experience in providing clients with IT Governance, risk management and project management solutions across a diversified client base including financial services, public sector, and energy industries. Joseph holds a joint Major degree in Business and Information Technology as well as a certification in enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC), Project Management (PMP) and Information Technology Infrastructure Library (ITIL).

Kimberly Turgeon, CA, ITIL is a manager with Deloitte’s Information and Technology Risk and Governance practice based in Toronto and has over 6 years of experience in IT governance, IT risk management and IT audit. Primarily working on IT governance and IT internal audit engagements, Kimberly has experience with corporations and government bodies across a range of industries, including financial services, public sector and technology and media organizations. Kimberly is a Chartered Accountant (CA) and has also obtained the Foundation Certificate for COBIT and ITIL (IT Service Delivery) and is currently completing the requirements for her Certified Information Systems Auditor (CISA) designation.

Register for this session: https://isaca.toronto.on.ca/ed.r.aspx?EventID=205&EventT= Waterloo Session - An introduction to CobiT 5.0 – A discussion on the changing governance landscape&EventTime= May 10, 2012 (5:30 PM - 7:30 PM)&EventSp= ISACA Toronto Chapter&EventLoc= Holiday Inn

Special Two Day Conference

The ISACA Toronto Chapter is proud to present two days of training in Mississauga. On Thursday May 17th, the sessions will focus on Security and Privacy. On Friday May 18th, the sessions will be on Governance, Risk and Compliance.

Security and Privacy

Full Day Session May 17, 2012 (8:30 AM - 4:30 PM)

Speakers: See Presentation Topics Below

Living Arts Centre
4141 Living Arts Drive
Mississauga, Ontario L5B 4B8
http://www.livingartscentre.ca/

Registration and Continental Breakfast 8:00 – 8:30

Keynote Speaker – Miyo Yamashita

Organizations in both the public and private sectors that collect or handle personally identifiable information (PII) or personally identifiable health information (PIHA) have obligations to manage sensitive financial, personal and medical information in accordance with a myriad of regional and international standards and regulations, depending on the jurisdictions an organization may operate in. Given the practical challenges of such compliance, organizations have depended on the expertise and knowledge of external help offering multi-disciplinary professionals specializing in privacy regulatory affairs, privacy law, technology controls including security, policy and information governance.

Successful organizations have found it useful to take an enterprise-wide, risk-based approach that addresses privacy mandates under a comprehensive framework. Taking an enterprise-wide approach to privacy protection encourages and facilitates stronger overall management of personal information. This method also allows for privacy-specific solutions to be integrated with broader data protection and information management strategies. This approach moves privacy away from what can be an expensive and time-consuming compliance-driven approach to a streamlined risk-based approach. Leading organizations take the approach of examining commonalities among various business requirements and then develop specific strategies and programs to take advantage of these commonalities through process simplification and consolidation. Further, the concept of Privacy by Design has also been in vogue for some time now. The idea is that organizations need not see privacy compliance as a growth barrier; if they understand the requirements well and are proactive, they can develop solutions by building in privacy compliance right at the design stage of business processes or systems and gain competitive advantage.

Speaker Profile

Miyo Yamashita is a Partner in Enterprise Risk Services at Deloitte and the National privacy solution leader for Canada. Previous to Deloitte, Miyo has close to a decade of experience in senior privacy roles in the Canadian healthcare system, including the role of Chief Privacy Officer for University Health Network, Canada’s largest academic hospital with over 12,000 staff, user traffic of approximately one million patient visits per year and an annual operating budget of $1 billion.

Into the Cloud Out of the Fog - Insights from E&Y 2011 Global Security Survey – Rafael Etges

Rafael will summarize the results of the 2011 Ernst & Young Global Information Security Survey from nearly 1,700 participants in 52 countries and across all industry sectors. The increased level of participation demonstrates that information security is still one of the most important issues facing organizations today.

The environment is one of unprecedented change, with many new business paradigms supported by new technologies. We see more and more traditional and non-traditional businesses moving not only information but also entire business models into the “cloud” — extending the virtual business with increased use of mobile computing, social media and shared computing infrastructures and services.

Although many of the survey participants reported increasing information security budgets, they also revealed a growing gap between their business needs and what information security is doing for their organizations. It is clear that much more can be done to protect information and manage information risk.

Speaker Profile

Rafael Etges is the Information Security lead in Ernst & Young’s Toronto-based Advisory Services. He provides oversight and direction to the practice regarding information assurance, privacy and IT security risk management. He has fourteen years of advisory experience in Latin and North America and spent four additional years working within the private sector in the telecom, retail, defence and technology industries. Additionally, he has seven years of experience directing the security practice in a national telecom company.

Rafael is a research associate in the doctoral degree program at the Henley and Rotman business schools, has published papers in the ISSA, ISACA and ISC2 journals and IT World/CIO Canada. As a subject matter expert, he has been interviewed by the CBC, Canadian Security, Toronto Star, Les Affaires and CTV/W5 on cyber-security issues.

Privacy Assurance – Sylvia Kingsmill & Mark Varma

Organizations that collect personally identifiable information (PII) have to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). When such organizations outsource non-core activities to help reduce costs and meet their business objectives, out of necessity they depend on their service providers to achieve their compliance obligations. While PIPEDA does not prohibit the use of third party service providers to meet their business objectives, it does require the outsourcing organization to ensure that PII is protected when handled by the third party.

Service provider controls assurance where the controls are relevant to an audit of financial statements has been very popular (through CICA 5970 reports, which have recently been replaced by CSAE 3416 reports, also called SOC1 reports). Assurance on controls not relevant to an audit of financial statements (“non-financial” or “operational” controls) was provided under CICA Section 5025. Recent developments in assurance standards have made provision for non-financial reports to be modelled to look similar to CSAE 3416 reports, but under CICA Section 5025, covering one or more of the Trust Services Principles and criteria with their underlying controls; these are also called SOC2 or SOC3 reports depending on the target users.

The session will consist of two parts. Firstly, the session will discuss PIPEDA obligations in outsourcing arrangements, and the Generally Accepted Privacy Principles as a tool to measure privacy controls and related compliance activities by both organizations and their service providers. Secondly, the session will provide a primer on non-financial control assurance reports and how privacy assurance reports allow service providers to demonstrate the effectiveness of controls to help fulfil customers’ compliance obligations.

Participants will benefit from the insights and real-life cases to be shared by the experienced speakers and take away implementable practical solutions back to their work place.

After attending this session, participants will be able to understand:

• The reasons why organizations outsource and various outsourcing models;
• The profile of risk and compliance challenges associated with each outsourcing model and the mutual responsibilities between the service provider and user organizations under PIPEDA;
• Generally Accepted Privacy Principles; and
• Assurance reporting mechanisms under Canadian and US standards, including new changes.

Speaker Profiles

Sylvia Kingsmill is a Senior Manager in Deloitte’s Enterprise Risk Services practice with over 8 years of experience in privacy and compliance risk management. She assists major clients in various sectors to navigate their regulatory environments, prepare regulatory reports and appear before regulatory bodies, including Privacy Commissioners involving high profile privacy breaches. She also assists clients to align their use of new technologies with critical business processes from a data privacy and operational risk perspective.

As the former Chief Privacy Officer of a national registry and a licensed lawyer, her expertise lies in developing enterprise-wide compliance programs, breach management, data sharing agreements, third party contract risk and compliance monitoring, IT outsourcing/cloud computing, cross-border data transfers, privacy compliance, including privacy communications plans, privacy training programs and liaison with privacy regulators.

Mark Varma, CA, CISA is a Manager with Deloitte & Touche in Toronto, with Deloitte’s Technology & Information Risk Services practice. His work involves assisting with management of information technology and business risk for clients in a range of industries including financial services, government, retail and real estate, with a focus on IT Compliance and Outsourcing risks.

Mark has extensive experience leading training for Deloitte’s clients and staff. Mark is a Chartered Accountant (CA), and a Certified Information Systems Auditor (CISA). He holds a Bachelor of Commerce degree from Queen’s University.

Next Generation Security Operations Centre – John Heaton

Enterprises and government agencies are confronted with very real cyber security threats. There is a broad spectrum of novel exploits causing headaches that seem to be increasing on an almost daily basis. Determined “bad guys” are using sophisticated methods to target weak links that are left vulnerable by ineffective network and application defences. As well, the rise in system breaches exposes the disparity between offence and defence: an attacker only has to penetrate one target successfully, while the defender must guard against all possible attacks.

This presentation will outline Accenture’s vision for high performance security operations. We see a recasting of security operations from the focus of a small group of individuals on a set of tactical objectives, to a virtual organization that provides strategic value and directly improves outcomes for the organization, its customers and employees. We see three primary characteristics that will influence this transformation:

1. Making internal and external data sources actionable
2. Extracting more value out of existing investments
3. Using smarter resource utilization models

Speaker Profiles

John Heaton, CA, CISA, CISSP is a partner with Accenture where he leads their security practice for Canada. He has over 20 years of business experience in North America, South America and Europe. John has over 14 years of experience with ERP Applications, including implementing and assessing system security. John is a Chartered Accountant, Certified Information Systems Auditor and Certified Information Systems Security Professional.

Attendees are invited to register for the full day of May 17 and either the full day or half day sessions on May 18 at the normal rate.

Register for this session: https://isaca.toronto.on.ca/ed.r.aspx?EventID=218&EventT= Special Two Day Training Event - The ISACA Toronto Chapter is proud to present two days of training in Mississauga. On May 17th the sessions will focus on Security and Privacy - &EventTime= May 17,

Governance, Risk and Compliance

Morning Session May 18, 2012 (8:30 AM - 12:00 PM)

Speakers: Tabish Gill, Reza Kopaee and Baskaran Rajamani

Living Arts Centre
4141 Living Arts Drive
Mississauga, Ontario L5B 4B8
http://www.livingartscentre.ca/

Corporate Governance is not a new topic. It has been at the forefront of corporate thought since the 1990s, when the Cadbury and Turnbull Reports were released and risk management was appearing more frequently on the agendas of corporate boardrooms around the world. The legacy of major failures such as the U.S. sub-prime and ABCP markets, Enron, Tyco and WorldCom is still with us. This session will explore the major trends in the business, technology and regulatory environments and their effects on shaping how Governance is implemented to manage Risk and ensure ongoing Compliance. The session will cover:

• Corporate Governance - what the term really means from the Board, management and shareholder views, and where and how IT Governance fits within enterprise governance
• Models and Frameworks (including ISO 38500 and COBIT)
• How companies have implemented GRC (the "evolutionary path", how GRC is evolving and what's coming in the future)
• What's working and what's not
• Corporate environmental conditions for success

Tabish Gill, CA, CISA is a Senior Manager with Deloitte & Touche in their Toronto Information & Technology Risk Solutions practice. His client focus is primarily in the Financial Services, Public Sector and Consumer Business organizations. He provides a broad range of professional experience that allows his clients to better measure and manage risk, uncertainty and control and to enhance the reliability of systems and processes throughout the enterprise. Tabish has a wide background including internal and financial statement audit, external outsourced IT risk advisory, SOX 404 and MI 52–109 certifications, individual projects resulting from major organizational changes, implementation of new technologies and reliance on third-party service providers. Tabish is a Chartered Accountant (CA), a Certified Information Systems Auditor (CISA) and holds an Honours Bachelor of Accounting degree from Brock University.

Reza Kopaee, MSc, CISSP, CISA, CSSLP is an associate partner at Deloitte & Touche Enterprise Risk Management Services with over fourteen years of solid experience in Risk Management, IT transformation, and Information Security and Privacy consulting. Reza is responsible for Enterprise Data Protection (EDP) and Governance Risk Compliance (GRC) Management solution services at Deloitte Canada. He leads a team of consultants nationally assisting large corporations with their EDP or GRC related projects. With practical experience gained through direct involvement in more than 100 transformational projects in the financial, public, technology, and airline industry, Reza has gained practical knowledge in the area of IT Transformation, IT Governance, Security and Privacy risk management.

Baskaran Rajamani, CISA, PMP, CISSP, ITIL is an Associate Partner with Deloitte & Touche in Toronto. He is part of the leadership team at Deloitte’s Technology & Information Risk Services and also its professional practice director responsible for service quality and risk management. Baskaran specializes in helping Financial Services clients successfully manage IT Audit, Compliance, Outsourcing and IT Governance risks. Baskaran’s recent focus includes Green IT and Cloud computing and the related opportunities for IS Audit professionals. Baskaran has almost 30 years of experience, of which the last 17 years have been in professional services, preceded by his career in engineering automation.

Baskaran is a popular speaker and has authored several technical papers on IT risk management and IT audit and presented at conferences and seminars in different parts of the world. He has a Master’s degree in Engineering and an MBA. He is the Vice-President of ISACA Toronto Chapter.

Attendees are invited to register for the full day of May 17 and either the full day or half day sessions on May 18 at the normal rate.

Register for this session: https://isaca.toronto.on.ca/ed.r.aspx?EventID=222&EventT= Special Two Day Training Event -The ISACA Toronto Chapter is proud to present two days of training in Mississauga. On Friday May 18th the sessions will be on Governance, Risk and Compliance&EventTim

Moving to CobiT 5.0 – A discussion on the changing governance landscape

Afternoon Session May 18, 2012 (1:00 PM – 4:30 PM)

Speakers: Mark Look Yan, Daisy Lui, Baskaran Rajamani

Living Arts Centre
4141 Living Arts Drive
Mississauga, Ontario L5B 4B8
http://www.livingartscentre.ca/

Effective IT governance ensures that products and services delivered by IT enable business strategy and contribute value to its stakeholders. In order to achieve this, an enterprise-wide governance program for information and related technologies must align with business direction and strategy, and deliver the right products and services at the right time, while managing the many risks associated with data and technology.

The need for good governance has moved to the top of executives’ agendas and includes three key areas:

• Increased value creation;
• Improved business user satisfaction with IT engagement and services; and
• Compliance with relevant laws, regulations, and policies.

CobiT 5.0 is the latest governance and management framework for information and related technology. It integrates knowledge from several predecessor frameworks to enable organizations to achieve their governance and management objectives.

This session will explain the features of CobiT 5.0 and include important considerations for adoption.

Interactive voting technology will be used during the session to provide insights from the attendees on topics such as the maturity of CobiT use, adoption plans for CobiT 5.0, the challenges and feedback. Specifically, it will cover:

• A brief history of CobiT over the years and how it has evolved;
• An overview of the CobiT 5.0 framework and principles;
• CobiT 5.0 vs. CobiT 4.1 and the implications for organizations that have adopted previous versions of CobiT;
• Adoption strategies to move to CobiT 5.0;
• CobiT training and certification process update.

This will be an interactive session and will feature speakers from Deloitte’s national Information and Technology Risk and Governance practice: Daisy Lui, Mark Look Yan with opening and closing by Baskaran Rajamani.

Speaker Profiles

Mark Look Yan, CISA, CRISC is a manager within the Information and Technology Risk and Governance practice at Deloitte Canada. Mark has over eight years of experience in Information Technology (IT), IT internal audit and external audit services across a diversified client base in the financial services, media, telecommunications, public sector, and manufacturing industries. Over the past four years, Mark’s main focus has been on assisting clients with IT Governance and risk/control management solutions. Mark is a certified trainer for CobiT Foundations and CobiT Implementation Methodology. He is also a Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC).

Daisy Lui, CISA, CIA, CISSP is a senior manager with Deloitte’s Enterprise Risk practice based in Toronto and has over 12 years’ experience in Information Technology, IT auditing and risk management. Responsibilities as a member of this team include assisting her clients in managing IT risks, leading technology oriented business risk control reviews for clients, and developing IT risks/controls management and auditing competency within Deloitte. Daisy’s main focus has been on IT Internal Audit, IT Governance, and in the past four years she has been assisting her clients in meeting CEO/CFO certification requirements. Daisy is an accredited CobiT instructor and had led CobiT foundation classes for clients and for internal Deloitte staff. She has an Honours Bachelor of Applied Science (Electrical Engineering) from University of Waterloo, and an MBA from York University. She is a Certified Information System Auditor (CISA), Certified Internal Auditor (CIA), and a Certified Information System Security Professional (CISSP).

Baskaran Rajamani CISA, PMP, CISSP, ITIL – See profile in morning session

Attendees are invited to register for the full day of May 17 and either the full day or half day sessions on May 18 at the normal rate.

Register for this session: https://isaca.toronto.on.ca/ed.r.aspx?EventID=223 (Special Two Day Training Event – The ISACA Toronto Chapter is proud to present two days of training in Mississauga. Moving to CobiT 5.0 – A discussion on the changing governance landscape)

ISACA’s Academic Relations Research Committee (IARRC) – Research Topic

Role of IT Executives/CIOs and Ability to Achieve Competitive Advantage through IT Capability

Research Source / Author: Dr. Jee Hae Lim, Theophanis C. Stratopoulos, Tony S. Wirjanto, University of Waterloo

The objective of this study is twofold. A two-stage approach is used to examine the contribution of senior IT executives / CIO to their firm’s ability to achieve superior IT capability, and the impact of the co-presence of powerful senior IT executives in firms with superior IT capability on their firm’s competitive position.

The Toronto Chapter extends a research grant to the University of Waterloo Centre for Information Assurance (UWCISA). In this section we present a synopsis of one of the research reports UWCISA has published: its recent research on the Role of IT Executives / CIO on the Firm’s ability to achieve competitive advantage through IT capability.

Research Abstract: Contrary to prior studies that have tried to examine the role of IT capabilities (a firm’s ability to innovate with IT) on firm performance in isolation from the role of senior IT executives / CIO, we propose that there is a positive relationship between the power of senior IT executives and the likelihood that the firm will develop superior IT capability. Furthermore, the contribution of IT capability to a firm’s competitive advantage is much stronger in firms with powerful senior IT executives as they are the driving force that may ensure the continuous renewal of IT capability. We develop a two-stage econometric model designed to test the contribution of senior IT executives on their firm’s ability to achieve superior IT capability, and the impact of co-presence of powerful senior IT executives in firms with superior IT capability on their firm’s competitive position. Empirical evidence based on a sample of large US firms strongly supports our hypotheses.

This study makes several contributions to IT business value literature. First, it suggests the need to extend the prior literature on IT capability and firm performance with a search for factors that have a multiplicative effect on the payoffs from IT capabilities. Second, existing literature is leveraged to theorize and empirically validate the proposition that the power of senior IT executives works multiplicatively with IT capability. Third, a relatively new area of research is illuminated, such as the value adding contribution of incumbent senior IT executives. Fourth, the study demonstrates that senior IT executives who leverage their power to develop a superior and enduring IT capability are making a much stronger contribution to their company than IT executives who develop a superior but non-enduring IT capability. Finally, identifying antecedents of IT capability (i.e., factors that lead a firm to achieve and sustain superior IT capability) as well as recognizing the role that these factors play on the rent yielding capacity of IT capability helps to illuminate the proverbial black box of IT business value research.


INTERNATIONAL NEWS

Certification Update

In February 2012, 420 Certified Information Systems Auditor (CISA), 352 Certified Information Security Manager (CISM), 34 Certified in the Governance of Enterprise IT (CGEIT), and 136 Certified in Risk and Information Systems Control (CRISC) candidates were awarded certification.

Certified in Risk and Information Systems Control (CRISC) milestone

ISACA is proud to announce that more than 16,000 CRISC certifications have been earned since the credential’s inception in April 2010.

Discounts Available – North America CACS & World Congress: INSIGHTS 2012

Did you know discounts are available for you and your chapter members? ISACA is pleased to offer discounts for the North America Computer Audit, Control and Security℠ (North America CACS) conference, which will be held 7-10 May in Orlando, Florida, USA, and World Congress: INSIGHTS 2012, which will be held 25-27 June in San Francisco, California, USA.

If you are a platinum or gold member, you can receive US $150 off the current registration fee for North America CACS and INSIGHTS 2012. This is a great way to recognize loyal ISACA members. Ensure that your long-standing members are aware of this opportunity.

New ISACA Resources Available

ISACA members can receive the following new deliverables prior to their release in early April by reserving them now:

• COBIT® 5 (the framework)
• COBIT® 5: Implementation
• COBIT® 5: Enabling Processes

ISACA has issued the Incident Response white paper, and chapter leaders are invited to use it as a topic for future chapter meetings. Information on current research projects is posted on the Current Projects page of the ISACA web site.

Calendar of Events and Deadlines

Dates of conferences/events are indicated in RED; other dates and deadlines are indicated in BLACK.

April

26 April Webinar

24-27 April ISACA Training, Denver, Colorado, USA

30 April Last day for 2012 online renewal

May

5-6 May North America Leadership Conference, Orlando, Florida, USA

7-10 May North America CACS 2012, Orlando, Florida, USA

14-17 May Network Security Auditing, ISACA and Deloitte Course, Chicago, Illinois, USA

21 May Article submission deadline, ISACA Journal

June

1 June Article submission deadline, COBIT Focus

4-7 June Taking the Next Step—Advancing Your IT Auditing Skills, ISACA and Deloitte Course, San Diego, California, USA

9 June CISA, CISM, CGEIT and CRISC Certification Exams

12-15 June ISACA Training, Dallas, Texas, USA

25-27 June World Congress: INSIGHTS 2012, San Francisco, California, USA

Information About ISACA

With 95,000 constituents in 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

The views and opinions contained in this publication are solely those of its author, and do not necessarily represent or reflect the views or opinions of the Toronto Chapter of the Information Systems Audit and Control Association. In the event of questions concerning articles in this publication, please contact the author of the articles directly.


MEMBERSHIP APPLICATION – Join online and save US $20.00: www.isaca.org/join

□ MR. □ MS. □ MRS. □ MISS □ OTHER _______________ Date __________________ (MONTH/DAY/YEAR)

Name___________________________________________________________________________________________________ FIRST MIDDLE LAST/FAMILY ____________________________________________________________________________________________________________________________ PRINT NAME AS YOU WANT IT TO APPEAR ON MEMBERSHIP CERTIFICATE

Residence address ________________________________________________________________________________________________________ STREET

_________________________________________________________________________________________________________ CITY STATE/PROVINCE/COUNTRY POSTAL CODE/ZIP

Residence phone _____________________________________ Residence facsimile _________________________________ AREA/COUNTRY CODE AND NUMBER AREA/COUNTRY CODE AND NUMBER

Company name __________________________________________________________________________________________

Title ___________________________________________________________________________________________________

Business address __________________________________________________________________________________________________________ STREET

__________________________________________________________________________________________________________

CITY STATE/PROVINCE/COUNTRY POSTAL CODE/ZIP

Business phone _____________________________________ Business facsimile _________________________________ AREA/COUNTRY CODE AND NUMBER AREA/COUNTRY CODE AND NUMBER

E-mail ________________________________________________________

Send mail to: □ Home □ Business

Form of Membership requested: □ Chapter Number (see reverse) ________________ □ Member at large (no chapter within 50 miles/80 km) □ Student (must be verified as full-time)

□ I do not want to be included on a mailing list, other than that for association mailings.

How did you hear about ISACA? 1 □ Friend/Coworker 2 □ Employer 3 □ Internet Search 4 □ IS Control Journal 5 □ Other Publication 6 □ Local Chapter 7 □ Certification Programs 8 □ Direct Mail 9 □ Educational Event

Please note: Membership in the association requires you to belong to a local chapter when you live or work within 50 miles/80 km of its territory. The name of the chapter is indicative of its territory. If you live further than 50 miles from the chapter territory, select member at large. This selection is subject to verification by ISACA International. Cities listed in parentheses are a reference to where the majority of chapter meetings are held. Please contact your local chapter at www.isaca.org/chapters for other meeting locations.

Current field of employment (check one) 1 □ Financial/Banking 2 □ Insurance 3 □ Public Accounting 4 □ Transportation 5 □ Aerospace 6 □ Retail/Wholesale/Distribution 7 □ Government/Military—National/State/Local 8 □ Technology Services/Consulting 9 □ Manufacturing/Engineering 10 □ Telecommunications/Communications 11 □ Mining/Construction/Petroleum/Agriculture 12 □ Utilities 13 □ Legal/Law/Real Estate 14 □ Health Care/Medical 15 □ Pharmaceutical 16 □ Advertising/Marketing/Media 17 □ Education/Student 99 □ Other ____________________

Level of education achieved (indicate degree achieved, or number of years of university education if degree not obtained)

1 □ One year or less 2 □ Two years 3 □ Three years 4 □ Four years 5 □ Five years 6 □ Six years or more
7 □ AS 8 □ BS/BA 9 □ MS/MBA/Masters 10 □ Ph.D. 99 □ Other ______________

Current Professional Activity (If not your title, please select the BEST match) 1 □ CEO, President, Owner, General/Executive Manager 2 □ CAE, General Auditor, Partner, Audit Head/VP/EVP 3 □ CISO/CSO, Security Executive/VP/EVP 4 □ CIO/CTO, Info Systems/Technology Executive/VP/EVP 5 □ CFO, Controller, Treasurer, Finance Executive/VP/EVP 6 □ Chief Compliance/Risk/Privacy Officer, VP/EVP 7 □ IS/IT Audit Director/Manager/Consultant 8 □ Security Director/Manager/Consultant 9 □ IS/IT Director/Manager/Consultant 10 □ Compliance/Risk/Privacy Director/Manager/Consultant 11 □ IS/IT Senior Auditor (External/Internal) 12 □ IS/IT Auditor (External/Internal Staff) 13 □ Non-IS/IT Auditor (External/Internal) 14 □ Security Staff 15 □ IS/IT Staff 16 □ Professor/Teacher 17 □ Student 99 □ Other _________________________________

Date of Birth ___________________________________________ (MONTH/DAY/YEAR)

Certifications obtained (other than CISA/CISM)

1 □ CPA 2 □ CA 3 □ CIA 4 □ CISSP 5 □ CPP 6 □ GTAC 7 □ CFE 99 □ Other ________

Work Experience

1 □ No experience 2 □ 1-3 years 3 □ 4-7 years 4 □ 8-9 years 5 □ 10-13 years 6 □ 14 years or more

Payment due • Association dues † $ 65.00 (US) • Chapter dues (Toronto) $ 25.00 (US) • New member processing fee $ 30.00 (US) * PLEASE PAY THIS TOTAL $ 120.00 (US)

† For student membership information please visit www.isaca.org/student

* Membership dues consist of association dues, chapter dues and new member processing fee. Join online and save US $20.00.

Method of payment □ Check payable in US dollars, drawn on US bank □ Send invoice (Applications cannot be processed until dues payment is received.) □ MasterCard □ VISA □ American Express □ Diners Club

All payments by credit card will be processed in US dollars ACCT # _______________________________________________ Print name of cardholder __________________________________ Expiration date__________________________________________ MONTH/YEAR Signature ______________________________________

By applying for membership in ISACA, members agree to hold the association and its chapters, and the IT Governance Institute, and their respective officers, directors, members, trustees, employees and agents, harmless for all acts or failures to act while carrying out the purposes of the association and the institute as set forth in their respective bylaws, and they certify that they will abide by the association's Code of Professional Ethics (www.isaca.org/ethics).

Initial payment entitles new members to membership from the date payment is processed by International Headquarters through the end of that year. No rebate of dues is available upon early resignation of membership.

Contributions, dues or gifts to ISACA are not tax deductible as charitable contributions in the United States. However, they may be tax deductible as ordinary and necessary business expenses.

Make checks payable to: ISACA

Mail your application and check to: ISACA, 1055 Paysphere Circle, Chicago, IL 60674 USA. Phone: +1.847.253.1545 Fax: +1.847.253.1443

The dues amounts on this application are valid through 31 December 2012.
