Our Sponsors - page 3 -4
Welcome - page 5
Schedule of Events - page 6 - 7
Speaker biographies - page 8 - 17
Venue information - page 18
August 25th, 26th, 2011 — San Jose, California
ISACA SiliconValley
2011 Summer Conference
Auditing and Securing the Cloud
CONTENTS
16 CPE’s!
ISACA Silicon Valley 2011 Summer Conference
Page 3
Platinum Sponsors:
This conference would not be possible without the generous support of our
sponsors —THANK YOU!
http://www.infoblox.com
http://www.checkpoint.com
Gold Sponsors:
http://www.soaprojects.com
http://www.pwc.com
http://www.bpmllp.com
http://www.whitehatsec.com
Page 4
Silver Sponsors:
DISCLAIMER
As it is the objective of the Silicon Valley Chapter of the Information Systems Audit and Control Association to provide a
forum for the expression of ideas and opinions, statements of opinion appearing herein are not necessarily those of the
Chapter or its directors and officers.
Additionally, we would like to thank the following companies for supplying time and support to our Conference Speakers:
http://www.terremark.com
http://www.cloudpassage.com
http://www.hp.com
http://www.emc.com
http://www.ekkoconsulting.com/
http://www.contoural.com
http://www.kpmg.com
http://www.ey.com
Welcome!
Register online at http://isaca-sv.org/index.php?option=com_content&view=category&layout=blog&id=35&Itemid=18
ISACA Silicon Valley has been providing IT Audit, Security, and Governance Professionals with the training and networking opportunities they need to not just compete but to thrive since 1982. We are continuing this tradition at our 2011 Summer Conference, at which we are offering full days of seminars that move beyond theory to emphasize practical skills you can utilize at work or to improve your marketability.
The Conference Committee has worked hard to provide you with a cost effective, value added, high quality educational and networking opportunity for ISACA members and other professionals in related fields — we hope we have succeeded. As always, your input is greatly appreciated, and we strongly encourage you to fill out the Evaluation Forms at the end of each day. You are also welcome to seek us out with any comments or suggestions you might have to help us continually improve.
Kind Regards,
The 2011 Summer Conference Committee
• Sumit Kalra, Conference Director, TheConference-Director@isaca-sv.org
• Jay Swaminathan, Chapter President, ThePresident@isaca-sv.org
• Greg Edwards, Vice President
• Minel Diaz, Treasurer
• Mike Jordan, Certification Director
• Robert Ikeoka, Program Director
• Navarasu Dhanasekar, Marketing & Communications Director
• John Barchie, Conference Committee Chair
• Robin Basham, Conference Committee Volunteer
• Davor Borcic, Conference Committee Volunteer
ISACA SILICONVALLEY
2011 SUMMER CONFERENCE COMMITTEE MEMBERS
Page 5
2011 Summer Conference Schedule
Thursday, August 25th
Agenda | Time | Topic | Speaker
Registration | 8:00 - 8:30 | Continental Breakfast and Registration |
Breakfast & Announcements | 8:30 - 9:00 | Networking |
Session 1.1 Keynote | 9:00 - 10:00 | Risks and Controls to Consider in working with Infrastructure As a Service (IaaS) Cloud Providers | Peter Nicoletti, VP of Security Engineering, terremark, A Verizon Company
Session 1.2 | 10:10 - 11:20 | Controls Automation in the Context of Cloud Architecture, Private Cloud, Community Cloud, Public Cloud, Hybrid Cloud | Brad Ames, Director Internal Audit, HP
Session 1.3 | 11:30 - 12:30 | Virtually Safe: Managing from Threats to Clear Skies | Dameon D. Welch-Abernathy, Strategic Alliance Manager, Check Point Software Technologies Ltd.
Lunch | 12:30 - 1:30 | Lunch and Networking | Enjoy time with our Platinum, Gold and Silver Sponsors
Session 1.4 | 1:40 - 2:40 | Risk with outsourcing to the Cloud vs. SaaS | Harshul Joshi, Director, PwC
Session 1.5 | 2:50 - 3:50 | Emerging Security Standards for the Cloud vs. SaaS | Becky Swain, Partner, EKKO
Session 1.8 | 4:00 - 5:30 | Panel Discussion: Business Drivers Vs. Legislation and Standards Driving Cloud Services | Moderator - Robin Basham, Sr. Director, SOAProjects; Carson Sweet, CEO, CloudPassage; Becky Swain, Partner, EKKO; Marlin Pohlman, Chief Governance Officer, EMC; Benny Kirsh, CIO, Infoblox; Peter Nicoletti, VP, terremark, A Verizon Company; Brad Ames, Director Internal Audit, HP
Reception | 5:30 - 6:30 | Networking Event | Enjoy time with our Platinum, Gold and Silver Sponsors
Page 6
2011 Summer Conference Schedule Page 7
Friday, August 26th
Agenda | Time | Topic | Speaker
Registration | 8:00 - 8:30 | Continental Breakfast and Registration; Networking | Enjoy time with our Platinum, Gold and Silver Sponsors
Session 2.1 Keynote | 8:30 - 10:00 | Planning and Scoping the Cloud Audit | Cara M. Beston, Partner, PwC; Eric Tan, Director, PwC
Session 2.2 | 10:10 - 11:20 | Governance and Enterprise Risk Management (ERM) The GRC Stack | Marlin Pohlman, Chief Governance Officer, EMC
Session 2.3 | 11:30 - 12:30 | Privacy in the Cloud | Doron Rotman, IT Advisory, KPMG
Lunch | 12:30 - 1:30 | Lunch and Networking | Enjoy time with our Platinum, Gold and Silver Sponsors
Session 2.4 | 1:40 - 2:40 | Leveraging Data Security to Support eDiscovery and Records Management | Mark Diamond, Contoural, Inc.
Session 2.5 | 2:50 - 3:50 | Operating in the Cloud: Incident Response, Notification and Remediation, Application Security, Data Security and Integrity, Identity and Access Management, Virtualization | David Ho, Ernst & Young
Session 2.8 | 4:00 - 5:00 | PCI and Tokenization Panel Discussion | Jonathan Clark, CEO, ExoIS, Inc.; Walter Conway, (QSA); Abir Thakurta, Director, Liaison Technologies; Harshul Joshi, Director, PwC
Wrap Up / Door Prizes | 5:00 - 5:30 | Sponsor Raffles and Conference Closing Remarks | Sumit Kalra and Jay Swaminathan
Session 1.1 — Risks and Controls to Consider in Working with Infrastructure As A Service (IaaS) Cloud Providers: 9:00 A.M. – 10:00 A.M.
Pete Nicoletti, CCSK, CISSP, CISA, CCNE, FCNSP
VP of Security Engineering, terremark, A Verizon Company
In this presentation we will look at an IaaS provider’s foundation and architecture…and the challenges in auditing and securing a “cloud.” We will review the issues of securing a multi-tenant architecture and what to look for from your provider. We will also examine relevant guidance and audit information from: the CSA, RACI charts, Shared Assessments, SAS 70II, PCI, ISO 27000, NIST 800-53aR3, FedRAMP, State Breach Laws and more. This presentation will provide you with a good review of the risks and controls that you should be aware of if you are looking at IaaS providers.
Pete Nicoletti, CCSK, CISSP, CISA, CCNE, FCNSP, has 27 years of experience in the Marketing, Sales, Development, Implementation and Management of all types of Information Technologies. He is internationally regarded as a wireless pioneer having built the world’s first commercially viable Wireless ISP with over 500 antenna locations. Formerly he was the CSO/CTO of one of the most successful SMB Focused Managed Security Service Companies and managed the security for hundreds of clients. Steve Ballmer presented him the “Microsoft Industry Solutions” Award at Comdex 2000 for the most innovative and advanced implementation of Microsoft applications for a large VoIP/CRM travel agent system. Pete has owned several Computer Networking Consulting Companies and was Citrix Reseller of the Year two times. He is currently the Vice President of the South Florida Information Systems Security Administrators after three years as President, VP on the Board of Directors of the FBI Infragard, a member of ISACA, Internet Coast, Honeynet Alliance, Computer Security Institute, IEEE, Secret Service Miami Electronic Crimes Task Force, EFF, Union of Concerned Scientists, Anti-phishing Working Group and the Cloud Security Alliance. Pete recently completed a chapter on Content Filtering for the college textbook: “Computer and Information Security.” Pete is currently the VP of Security Engineering for Terremark Worldwide with responsibility for all Federal and Commercial Managed Security Consulting and Design. Terremark, now owned by Verizon, is a leading Cloud Provider for the Federal Government, F1000 and Global companies concerned with security in their cloud.
Session 1.2 — Controls Automation in the Context of Cloud Architecture; Private Cloud, Community Cloud, Public Cloud and Hybrid Cloud: 10:10 A.M. – 11:10 A.M.
Brad Ames, CPA, CISA, Internal Audit Director of Professional Practices at Hewlett-Packard Company (HP)
Ames is an Internal Audit Director of Professional Practices at Hewlett-Packard Company in Palo Alto, California. Brad’s team is responsible for innovating and deploying non-traditional audit solutions for measuring risk to the business and shortening the time to management action. His role involves close collaboration with HP’s governance groups, customers and external auditors in order to gain an ongoing view of emerging risk enterprise-wide. His team has established continuous monitoring for the purpose of simplifying SOX 404 attestation and reducing the cost of compliance. Brad is a member of the Institute of Internal Auditors’ Professional Issues Committee. He is a CPA and Certified Information System Auditor with 10 years of experience in Public Accounting.
Page 8
2011 Summer Conference Speakers — Thursday, August 25th, 2011
Day One—Security Track
Page 9
Session 1.3 — Virtually Safe: 11:20 A.M. – 12:20 P.M.
Dameon D. Welch-Abernathy, CISSP,
Strategic Alliance Manager, Check Point Software Technologies Ltd.
This session is designed to engage thought processes around the decision to move toward virtual technologies.
Is your organization moving towards virtualization? The push for greener solutions that do more with less has made people take a hard look at a virtualization strategy for managing infrastructure. Multi-core architectures have brought a new level of power to the end users, but without the software being specifically designed to take full advantage of it, there is no perceivable benefit coming from these systems. This presentation seeks to demonstrate unique ways to not just ensure threat management for a virtual infrastructure, but to also leverage it as part of the infrastructure change. When you take away the buzz, and the clouds abate, will you be left with clear skies?
Dameon D. Welch-Abernathy, CISSP, a.k.a. “PhoneBoy,” has provided aid and assistance to countless IT professionals since 1996. Best known as the author of two books on Check Point VPN-1/FireWall-1 as well as creator of a well-visited FAQ site on the Check Point products, Welch-Abernathy currently works as a Strategic Alliance Manager for Check Point Software Technologies. Prior to that, Welch-Abernathy spent 10 years in Nokia’s Security Appliance Business, which was acquired by Check Point Software Technologies in April 2009.
Welch-Abernathy writes on the subjects of VoIP, Telecom, Network Security, Gadgets and Technology, as well as the occasional Nokia or Check Point-related item.
Session Description
Virtualization, in and of itself, is an IT infrastructure strategy, not a security strategy, and as such, this presentation seeks to define security models that not only secure, but take advantage of ‘Cloud’ computing designs. The definition of ‘Cloud’ computing models can be complex and will mean different things to different organizations, but defining the model is a requirement to being able to map to strategies that protect those assets. Building a security model for virtualization needs to happen as part of the planning process to be most effective, but on closer review, the audience should discover much of the planning work done for them, when they are able to conceptualize the strategy. Much of what we do today to protect data can be reused, but you will find that virtualization presents both a unique challenge, and a unique opportunity to create a safe environment to grow your services oriented computing models. Whether it is in the ‘Cloud’, or in the components of hardware that make it up, security is adapting to fit the needs. This session will define various ‘Cloud’ models, and the options for creating a secure infrastructure around them. When defining a strategy to abstract hardware and the dissemination of resources, let’s make sure security is considered to protect the design, as well as benefit from it.
Page 10
Session 1.4 — Risks in Outsourcing to the Cloud vs. SaaS; Cloud security Architecture: 1:40 P.M. - 2:40 P.M.
Harshul Joshi, CISSP, CISA, CISM, Director PwC
Harshul Joshi is a Director in the security practice for PwC, with primary areas of focus in IT security and compliance based risk assessments, Threat and Vulnerability modeling and security architecture. He has worked with various compliance standards including PCI (Payment Card Industry), Sarbanes Oxley 404, GLBA (Gramm Leach Bliley Act), PCI (Payment Card Industry) and SAS 70. Harshul has worked in Fortune 100 companies assisting with IT compliance, audit and security initiatives and is an internationally known speaker. Some of the sample topics he speaks on include PCI, Wireless Security, Auditing Firewalls and Intrusion Detection, Risks of IT Outsourcing and Off shoring and Performing IT Risk assessment from a Business stand-point. He has spoken at various conferences in Singapore, India and in the United States. He is a regular speaker at ISACA North American Conference as well as Network Security Conference.
Harshul is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM).
Harshul has an MBA in International Business and an MS in Information Systems. Prior to joining PwC, Harshul was a Director of Technology consulting for CBIZ MHM LLC, where he headed the security practice creating and delivering risk assessment services. He also spearheaded IT security and compliance at Sony Corporate audit group performing compliance and audit assessments for Sony Electronics, Sony Music and Sony Pictures. Prior to joining Sony, Harshul was a Security Architect with Verizon / GTE.
Session 1.5 — Emerging Security Standards for the Cloud vs. SaaS: 2:50 P.M. - 3:50 P.M.
Rebecca Swain, CIPP/IT, CIPP, CISSP, CISA
Becky Swain is a Partner with EKKO Consulting and has over 12 years of information security and privacy experience, designing, implementing, improving and measuring the effectiveness of policies, processes, and internal controls as a senior auditor, consultant and risk management practitioner involving complex and critical business operations and technical architectures with Fortune 500 companies based in Silicon Valley. As Co-Founder/Chair & Chief Architect, Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), Mrs. Swain is actively engaged in development and adoption of cloud security and privacy standards participating with CSA and ISO/IEC as both contributor and project co-editor for ISO/IEC 27036 – Information technology – Security techniques: Information Security for Supplier Relationships – Part 1. Mrs. Swain holds numerous information security related certifications, including CISSP, CISA, CIPP and CIPP/IT, is an active member in professional affiliations (e.g., CSA, IAPP, and ISACA), serves on the Board of the CSA Silicon Valley Chapter, has recently been appointed as Security Lead for the CloudNOW (Network of Women) Special Interest Group (SIG), and is an ‘Information Security Practitioner’ category finalist in the (ISC)² 2011 Americas Information Security Leadership Awards (Americas ISLA).
Page 11
Session 1.8 — Panel Discussion - Business Drivers Vs. Standards and Legislation Impacting Cloud Services:
Moderator: Robin Basham, Senior Director of Enterprise GRC, SOAProjects, is recognized across several industries as an ICT and GRC expert, assisting clients to architect and implement GRC Platforms, and with Green Tech initiatives. Past Banking Operations Officer, and Master Educator, Ms. Basham's Certifications include ITIL, CobiT, Networking, Java Enterprise, Information Audit and Security, CGEIT, ACGTA and most recently the CRISC. Technical Advisory, Executive leadership and Steering Committees include ISACA, OASIS, OMG, and AWC. Ms. Basham holds two graduate degrees in IT and Education, and is a founding member for Control Objectives for Sustainable Business, COSB. She is the creator of Facilitated Compliance Management software and founded Phoenix Business and Systems Process.
Panelist: Benny Kirsh, CIO of Infoblox, a leading company in network automation and control, is an accomplished, results-oriented information technology professional with more than 20 years of experience in various industries. He has held several CIO positions. He joined The Cooper Companies to lead an ERP implementation and drive a cultural change necessary for a global rollout. He also led a highly professional IT team in implementing several systems such as financials, distribution, supply chain and others. He established a Change Management process to create transparency and build a strong working relationship within the business. Prior to The Cooper Companies, Benny was the first CIO at Kyphon, a company experiencing significant growth. His most important objective was to lay the technology foundation for growth while sustaining the flexibility required for Kyphon to function in a competitive market. He was responsible for implementing critical systems such as ERP, Quality Assurance, Workflow, Clinical Trial Systems and others. Benny relocated to the US from Israel with an International Enterprise, Terayon Communication Systems, bringing with him a wealth of global experience.
Panelist: Carson Sweet is co-founder and CEO of CloudPassage. His information security career has spanned nearly two decades and includes a broad range of entrepreneurial, management and hands-on technology experience. As a senior information security strategy and technology consultant, Carson has created and implemented groundbreaking security solutions across a range of industries and public sectors. Prior to co-founding CloudPassage he served as RSA's principal solutions architect for the financial services sector, where he specifically focused on virtualization & cloud security, Internet application controls, data protection and anti-fraud. Carson formerly served as founding CSO for GlobalNetXchange (now Agentrics) and CTO for the Investor Responsibility Research Center (now the RiskMetrics Group). He also founded security consulting and managed services lines of business for RPM Consulting (acquired by Computer Horizons Corporation), TimeBridge Technologies (acquired by Dimension Data) and Security Methods. Prior to his technology career Carson served in the U.S. military as a heavy anti-armor weapons specialist and later as a career firefighter-paramedic. He studied emergency health sciences at the Jefferson College for Health Sciences, pre-medical neuropsychology at Virginia Commonwealth University/Medical College of Virginia and information technology at the University of Massachusetts.
Page 12
Panelist: Marlin Pohlman is Chief Governance Officer at EMC. In this role he coordinates the activities of standards based IT governance with EMC, its Security Division RSA and its holdings in VMWare and Acadia. Within the Cloud Security Alliance he is Global Strategy Board Chair & Director, coordinating the activity of technical work groups within the alliance and acting as liaison with external cloud standards bodies. Within the CSA Dr. Pohlman is also the active Co-Chair of the Controls Matrix and Consensus Assessments work groups as well as Co-chair of the Cloud Audit/A6 Standards Work Group. He holds a Ph.D. in Computer Science, an MBA in technology management, and a bachelor's in Engineering Physics. Dr. Pohlman is a licensed engineer and holds the CSA CCSK certification, the ISC2 CISSP certification, as well as the ISACA CISM, CISA, CGEIT, CRISC certifications. He is also a trained paralegal.
Returning to our stage from presentations throughout the day, please also welcome,
Panelist: Brad Ames, Director Internal Audit, Hewlett Packard Company
(See page 7)
Panelist: Becky Swain, Cloud Security Alliance,
Partner, EKKO Consulting Group
(See page 8)
Panelist: Pete Nicoletti, VP Security Engineering, terremark, A Verizon Company
(See page 7)
Page 13
Session 2.1 — Planning and Scoping the Cloud Audit: 8:30 A.M. – 10:00 A.M.
Cara M. Beston, Partner, PwC
In this presentation, compliance leaders from PwC will look at recommended best practice for planning and scoping audits in environments that either partially or entirely leverage Cloud technologies. Leading the discussion is Cara Beston, Partner and head of Risk Assurance Cloud Computing services, as well as published author of such articles as “Look Before You Leap Into the Cloud, The Promise of Lower Capital and Operational Costs Isn’t the Only Benefit of Cloud Computing”, (Copyright © 2010 SYS-CON Media, Inc.).
This session will cover redefining audit objectives, boundaries of review, documenting risks, and deliverables in the context of cloud enabled platforms, resources and services.
Cara Beston is a partner based in San Jose, CA and leads the Risk Assurance Cloud Computing services. She specializes in IT and process risk and control assurance services to IT, Internal Audit and business leaders in the Technology sector. In her 22 years with PwC, Cara has served over 80 technology clients, including key Cloud enabling enterprises, Cisco Systems, VMware, 3Par, SaaS providers Taleo, Webex and Proofpoint, and a number of on-line businesses including Shutterfly, CBS Interactive, Zappos.com and others. Cara graduated summa cum laude from Bridgewater College, MA and is a member of the AICPA. She lives in Pleasanton, CA with her husband and 3 children.
Eric Tan, CISA, CGEIT, CPA, Director, PwC
Joining Cara is Eric Tan, CISA, CGEIT and CPA. Eric is a Director at PwC with over twelve years of experience delivering IT governance and risk management solutions. Eric currently leads PwC's cloud and internet assurance practice based in Silicon Valley. He serves as an internal audit and compliance advisor to various leading SaaS providers in the bay area. His experience includes leading large scale system assessments, performing risk and security reviews; business continuity & disaster recovery diagnostics, and helping his clients implement various compliance and control solutions. Eric focuses on clients in the technology sector. Clients he has served include Google, eBay, LinkedIn, Novell, Tibco, Shutterfly, and Proofpoint.
2011 Summer Conference Speakers — Friday, August 26th, 2011
Audit Track - Keynote
Page 14
Session 2.2 — Governance and Enterprise Risk Management (ERM) The GRC Stack: 10:10 A.M. – 11:10 A.M.
Dr. Marlin Pohlman, Chief Governance Officer at EMC
In this role he coordinates the activities of standards based IT governance with EMC, its Security Division RSA and its holdings in VMWare and Acadia. Within the Cloud Security Alliance he is Global Strategy Board Chair & Director, coordinating the activity of technical work groups within the alliance and acting as liaison with external cloud standards bodies. Within the CSA Dr. Pohlman is also the active Co-Chair of the Controls Matrix and Consensus Assessments work groups as well as Co-chair of the Cloud Audit/A6 Standards Work Group. He holds a Ph.D. in Computer Science, an MBA in technology management, and a bachelor's in Engineering Physics. Dr. Pohlman is a licensed engineer and holds the CSA CCSK certification, the ISC2 CISSP certification, as well as the ISACA CISM, CISA, CGEIT, CRISC certifications. He is also a trained paralegal.
In this session, Chief Governance Officer and highly regarded GRC expert, Dr. Marlin Pohlman, will cover Governance Models, Enterprise Risk Management, Information Risk Management, Third-party Management, Legal and Electronic Discovery, Compliance and Audit and Portability and Interoperability.
Outsourcing critical business functions into the Cloud can result in challenges of maintaining assurance and control over legal and regulatory obligations for data management and protection. In this session, we will guide you through the process for establishing an effective cloud security program leveraging the Cloud Security Alliance (CSA) Governance Risk & Compliance (GRC) Stack, providing you with real world examples of industry adoption.
The audience will particularly benefit by Marlin’s insights as the Chair CSA Strategy, Board, Co-Chair Cloud Control Matrix, Founder/Co-Chair CSA Consensus Assessment, Co-Chair Cloud Audit. With over 18 years IT governance and audit experience Marlin Pohlman is the editor elect of the ISO and ITU-T cloud information security management standards. As the Chief Governance Officer at EMC Marlin Pohlman oversees the product strategy and standards compliance of the EMC Cloud GRC Portfolio.
Session 2.3 — Privacy in the Cloud: 11:30 A.M. - 12:30 P.M.
Doron Rotman, IT Advisory, KPMG
Doron is a member of the IT Advisory practice specializing in information governance, privacy, and security and is the National Privacy Service Leader. Doron is a Managing Director in KPMG’s Advisory Services practice with over 20 years of experience. Mr. Rotman is focused on providing Privacy and Information Governance Service. He is the national privacy service leader, a member of KPMG’s national Privacy Leadership Council and a member of KPMG International Privacy Leadership team. He has extensive high tech, financial services, manufacturing and government industry knowledge, both in the information technology and the accounting and finance aspects. Doron delivered multiple around the world on the topic of Privacy and the Cloud, recently at the NACACS 2011.
Page 15
Session 2.4 — Leveraging Data Security to Support eDiscovery and Records Management: 1:40 P.M. - 2:40 P.M.
Mark Diamond, President and CEO, Contoural, Inc.
Mark Diamond is one of the industry thought leaders in proactive litigation readiness, compliance, and records information management strategies. His company, Contoural, has helped 20% of the Fortune 500 plus many mid-sized and smaller organizations as well as public sector entities. Mark is a frequent industry speaker, presenting at numerous Legal and IT industry conferences as well as online venues. Additionally, Mark addresses more than one hundred internal corporate audiences each year.
Mark is founder, President & CEO of Contoural, Inc. Under his leadership, Contoural has grown to be a leading independent provider of litigation readiness and records and information management services. He is recognized as a thought leader in litigation readiness and records information management. Mark is an online columnist for InsideCounsel Magazine, as well as an author of numerous white papers for both the legal and IT communities. He is also co-author of the Litigation Readiness Chapter of the West eDiscovery for Corporate Counsel, 2010 ed. Previously Mark was chair of the Storage Networking Industry Association Security Customer Advisory Board.
Session 2.5 — Operating in the Cloud, Incident Response, Notification and Remediation, Application Security, Data Security and Integrity, Identity and Access Management Virtualization: 2:50 P.M. - 3:50 P.M.
David Ho, Ernst & Young
David Ho is a multi-disciplinary professional with over 13 years of experience in IT, information security, and internal audit. He brings a unique blend of strong technical skills with business acumen and drive for operational excellence. He specializes in transforming information security organizations to enable business innovation, while managing the company's risk. He has led and executed on technical information security implementation projects, audited complex IT systems for information security and data privacy controls, and program managed multiple multi-million dollar security projects. David's specialties include Information security strategy and governance, Data security and privacy, Internal audit and compliance, and Portfolio and program management. David is an Information Security Senior Manager at Ernst & Young.
Page 16
Session 2.8 — PCI and Tokenization Panel Discussion: 4:00 P.M. - 5:00 P.M
Jonathan Clark, CEO and founder of ExoIS, Inc. is a PCI QSA and security and com-
pliance expert. Jonathan is the Chief Architect of the SaaS product
PeepSafe, a portal based offering that allows organizations to relo-
cate processes and systems from their internal networks allowing
them to de-scope portions of , or in some cases their entire PCI
footprint. Prior to Exois, Jonathan started and sold a Web Company,
headed up IT for Morphics and developed an Enterprise Configuration Technology program at Applied
Materials, subsequently leading the rollout and deployment of the program in multiple Applied product
divisions globally. Jonathan has a BSc Honors in Mathematics from Bristol University, England. He also scored a great hatrick
against Watsonville in the Peninsula Premier League.
Walter Conway, Payment Card Industry Qualified Security Assessor (QSA) and ecommerce consultant, applies his 30 years of electronic payments and technology management experience to helping clients plan, implement, and manage their credit card and e-commerce programs, including achieving PCI compliance. Walt spent over 10 years with Visa, and two years as president of an Internet-based payment processor. His focus is helping organizations of all sizes plan, implement, and manage their credit card and ecommerce systems, including achieving PCI DSS compliance. In addition to his QSA duties, Walt is PCI columnist for StorefrontBacktalk.com, focusing on issues facing retailers, and conducts PCI training workshops. He also writes a popular PCI blog focused on Higher Education compliance issues. He is a frequent speaker on PCI DSS, security, and ecommerce topics at professional conferences and webinars. He co-authored Why Banks View Campuses as High Risk Merchants, an examination of computer security breaches, and 5 Strategies to Achieve PCI Compliance (both published by the Association of Financial Professionals). Other publications include Five Myths About the PCI DSS (Government Finance Officers Association), Straight Talk about Data Security (in the NACUBO Business Officer), and Back to School: What Colleges and Universities Can Teach About PCI Compliance (SPSP Payments News).
Abir Thakurta, CISSP, Director of Pre-Sales and Professional Services for Liaison Technologies, has been instrumental in shaping the data security industry since its infancy and helping it to mature as enterprise security concerns have shifted to protecting sensitive and confidential business and customer information. Thakurta works closely with customers to help them develop and implement innovative, practical, all-encompassing security strategies to solve organizational data protection problems. Thakurta often becomes the "go to" guy for customers seeking advice on use of security solutions to reduce organizational risk and comply with data security mandates and privacy laws. He actively works to educate the market through published articles in respected data security journals and by speaking at industry conferences around the world. Thakurta holds a B.S. in Engineering from Manipal Institute of Technology in Manipal, India, and an M.S. in Supply Chain Technology from the New Jersey Institute of Technology in Newark, New Jersey, and he completed the Georgia Tech Management Program in Atlanta. He is a member of the Payment Card Industry’s Security Standards Council, ISC2 and the Technology Association of Georgia - Information Security Group.
Returning to the stage, Harshul Joshi, Director, PwC (Please see page 10)
Page 17
Final Comments and Conference Wrap Up:
Sumit Kalra, Director, BPM and Conference Director
Sumit Kalra, CISA, CISSP, is a Director at Burr Pilger Mayer, where he manages the Assurance Services practice specializing in information technology, SAS70 Audits, and assessments. His 12 years of industry experience include 6 years at international CPA firms, and 6 years at companies in the technology, consumer products and financial services industries. His knowledge base spans a variety of ERP solutions and complex infrastructure implementations. Sumit has a BS in Accounting and Computer Information Systems from San Francisco State University. In his spare time, Sumit enjoys cooking international cuisine.
We hope you enjoyed the presentations and have gained valuable insights into, and learned new techniques for, Cloud Security and Cloud Audit.
Before you leave, please fill out the Speaker Assessment Form for today’s session. We will use your input to learn about our performance, and to improve future conferences. Please leave the forms at the Registration Desk on your way out.
Page 18
To register, or to gain additional information, including driving directions, please visit:
http://isaca-sv.org/index.php?option=com_content&view=category&layout=blog&id=4&Itemid=4
Venue Information
The 2011 Summer Conference will be held at:
Biltmore Hotel & Suites
2151 Laurelwood Road
Santa Clara, CA 95054
(408) 988-8411
(Free Parking)
2011 Summer Conference Brochure

  • 1. Our Sponsors - page 3 -4 Welcome - page 5 Schedule of Events - page 6 - 7 Speaker biographies - page 8 - 17 Venue information - page 18 August 25th, 26th, 2011 — San Jose, California ISACA SiliconValley 2011 Summer Conference 2011 Summer Conference Auditing and Securing the Cloud CONTENTS 16 CPE’s!
  • 3. ISACA Silicon Valley 2011 Summer Conference Page 3 ; Platinum Sponsors: This conference would not be possible without the generous support of our sponsors —THANK YOU! http://www.infoblox.com http://www.checkpoint.com Gold Sponsors: http://www.soaprojects.com http://www.pwc.com http://www.bpmllp.com http://www.whitehatsec.com
  • 4. Page 4 Silver Sponsors: This conference would not be possible without the generous support of our sponsors —THANK YOU! DISCLAIMER As it is the objective of the Silicon Valley Chapter of the Information Systems Audit and Control Association to provide a forum for the expression of ideas and opinions, statements of opinion appearing herein are not necessarily those of the Chapter or its directors and officers. Additionally, We would like to thank the following companies for supplying time and support to our Conference Speakers: http://www.terremark.com http://www.cloudpassage.com http://www.hp.com http://www.emc.com http://www.ekkoconsulting.com/ http://www.contoural.com http://www.kpmg.com http://www.ey.com http://www.hp.com http://www.hp.com
  • 5. Welcome! Register online at http://isaca-sv.org/index.php?option=com_content&view=category&layout=blog&id=35&Itemid=18 ISACA Silicon Valley has been providing IT Audit, Security, and Governance Professionals with the training and networking opportunities they need to not just compete but to thrive since 1982. We are continuing this tradition at our 2011 Summer Con- ference, at which we are offering full day of semi- nars that move beyond theory to emphasize practi- cal skills you can utilize at work or to improve your marketability. The Conference Committee has worked hard to provide you with a cost effective, value added, high quality educational and networking opportunity for ISACA members and other professionals in related fields — we hope we have succeeded. As always, you input is greatly appreciated, and we strongly en- courage you to fill-out the Evaluation Forms at the end of each day. You are also welcome to seek us out with any comments or suggestions you might have to help us continually improve. Kind Regards, The 2011 Summer Conference Committee • Sumit Kalra, Conference Director, TheConference-Director@isaca-sv.org • Jay Swaminathan, Chapter President, ThePresident@isaca-sv.org • Greg Edwards, Vice President • Minel Diaz, Treasurer • Mike Jordan, Certification Director • Robert Ikeoka, Program Director • Navarasu Dhanasekar, Marketing & Communications Director • John Barchie, Conference Committee Chair • Robin Basham, Conference Committee Volunteer • Davor Borcic, Conference Committee Volunteer ISACA SILICONVALLEY 2011 SUMMER CONFERENCE COMMITTEE MEMBERS Page 5
  • 6. ISACA Silicon Valley 2011 Summer Conference 2011 Summer Conference Schedule Thursday, August 25th Agenda Time Topic Speaker Registration 8:00 - 8:30 Continental Breakfast and Registration Breakfast & Announcements 8:30 - 9:00 Networking Session 1.1 Keynote 9:00 - 10:00 Risks and Controls to Consider in working with Infrastructure As a Service (IaaS) Cloud Providers Peter Nicoletti, VP of Security Engineering, terremark, A Verizon Company Session 1.2 10:10 - 11:20 Controls Automation in the Context Cloud Architecture, Private Cloud, Community Cloud, Public Cloud, Hybrid Cloud Brad Ames, Director Internal Audit, HP Session 1.3 11:30 - 12:30 Virtually Safe: Managing from Threats to Clear Skies Dameon D. Welch-Abernathy, Strategic Alliance Manager, Check Point Software Technologies Ltd. Lunch 12:30 - 1:30 Lunch and Networking Enjoy time with our Platinum, Gold and Silver Sponsors Session 1.4 1:40-2:40 Risk with outsourcing to the Cloud vs. SaaS Harshul Joshi, Director, PwC Session 1.5 2:50-3:50 Emerging Security Standards for the Cloud vs. SaaS Becky Swain, Partner, EKKO Session 1.8 4:00-5:30 Panel Discussion: Business Drivers Vs. Legislation and Standards Driving Cloud Services Moderator - Robin Basham, Sr. Director, SOAProjects Carson Sweet, CEO, CloudPassage Becky Swain, Partner, EKKO Marlin Pohlman, Chief Governance Officer, EMC Benny Kirsh, CIO, Infoblox Peter Nicoletti, VP, terremark, A Verizon Company Brad Ames, Director Internal Audit, HP Reception 5:30 - 6:30 Networking Event Enjoy time with our Platinum, Gold and Silver Sponsors Enjoy time with our Platinum, Gold and Silver Sponsors Page 6
  • 7. ISACA Silicon Valley 2011 Summer Conference Schedule: Friday, August 26th
    Agenda | Time | Topic | Speaker
    Registration | 8:00 - 8:30 | Continental Breakfast and Registration. Networking. Enjoy time with our Platinum, Gold and Silver Sponsors |
    Session 2.1 Keynote | 8:30 - 10:00 | Planning and Scoping the Cloud Audit | Cara M. Beston, Partner, PwC; Eric Tan, Director, PwC
    Session 2.2 | 10:10 - 11:20 | Governance and Enterprise Risk Management (ERM) The GRC Stack | Marlin Pohlman, Chief Governance Officer, EMC
    Session 2.3 | 11:30 - 12:30 | Privacy in the Cloud | Doron Rotman, IT Advisory, KPMG
    Lunch | 12:30 - 1:30 | Lunch and Networking. Enjoy time with our Platinum, Gold and Silver Sponsors |
    Session 2.4 | 1:40-2:40 | Leveraging Data Security to Support eDiscovery and Records Management | Mark Diamond, Contoural, Inc.
    Session 2.5 | 2:50-3:50 | Operating in the Cloud: Incident Response, Notification and Remediation, Application Security, Data Security and Integrity, Identity and Access Management Virtualization | David Ho, Ernst & Young
    Session 2.8 | 4:00-5:00 | PCI and Tokenization Panel Discussion | Jonathan Clark, CEO, ExoIS, Inc.; Walter Conway, (QSA); Abir Thakurta, Director, Liaison Technologies; Harshul Joshi, Director, PwC
    Wrap Up / Door Prizes | 5:00 - 5:30 | Sponsor Raffles and Conference Closing Remarks | Sumit Kalra and Jay Swaminathan
  • 8. Session 1.1 — Risks and Controls to Consider in Working with Infrastructure As A Service (IaaS) Cloud Providers: 9:00 A.M. – 10:00 A.M.
    Pete Nicoletti, CCSK, CISSP, CISA, CCNE, FCNSP, VP of Security Engineering, terremark, A Verizon Company
    In this presentation we will look at an IaaS provider’s foundation and architecture…and the challenges in auditing and securing a “cloud.” We will review the issues of securing a multi-tenant architecture and what to look for from your provider. We will also examine relevant guidance and audit information from: the CSA, RACI charts, Shared Assessments, SAS 70II, PCI, ISO 27000, NIST 800-53aR3, FedRAMP, State Breach Laws and more. This presentation will provide you with a good review of the risks and controls that you should be aware of if you are looking at IaaS providers.
    Pete Nicoletti, CCSK, CISSP, CISA, CCNE, FCNSP, has 27 years of experience in the Marketing, Sales, Development, Implementation and Management of all types of Information Technologies. He is internationally regarded as a wireless pioneer, having built the world’s first commercially viable Wireless ISP with over 500 antenna locations. Formerly he was the CSO/CTO of one of the most successful SMB Focused Managed Security Service Companies and managed the security for hundreds of clients. Steve Ballmer presented him the “Microsoft Industry Solutions” Award at Comdex 2000 for the most innovative and advanced implementation of Microsoft applications for a large VoIP/CRM travel agent system. Pete has owned several Computer Networking Consulting Companies and was Citrix Reseller of the Year two times.
    He is currently the Vice President of the South Florida Information Systems Security Administrators after three years as President, VP on the Board of Directors of the FBI Infragard, a member of ISACA, Internet Coast, Honeynet Alliance, Computer Security Institute, IEEE, Secret Service Miami Electronic Crimes Task Force, EFF, Union of Concerned Scientists, Anti-phishing Working Group and the Cloud Security Alliance. Pete recently completed a chapter on Content Filtering for the college textbook: “Computer and Information Security.” Pete is currently the VP of Security Engineering for Terremark Worldwide with responsibility for all Federal and Commercial Managed Security Consulting and Design. Terremark, now owned by Verizon, is a leading Cloud Provider for the Federal Government, F1000 and Global companies concerned with security in their cloud.
    Session 1.2 — Controls Automation in the Context of Cloud Architecture; Private Cloud, Community Cloud, Public Cloud and Hybrid Cloud: 10:10 A.M. – 11:10 A.M.
    Brad Ames, CPA, CISA, Internal Audit Director of Professional Practices at Hewlett-Packard Company (HP)
    Ames is an Internal Audit Director of Professional Practices at Hewlett-Packard Company in Palo Alto, California. Brad’s team is responsible for innovating and deploying non-traditional audit solutions for measuring risk to the business and shortening the time to management action. His role involves close collaboration with HP’s governance groups, customers and external auditors in order to gain an ongoing view of emerging risk enterprise-wide. His team has established continuous monitoring for the purpose of simplifying SOX 404 attestation and reducing the cost of compliance. Brad is a member of the Institute of Internal Auditors’ Professional Issues Committee. He is a CPA and Certified Information System Auditor with 10 years of experience in Public Accounting.
    2011 Summer Conference Speakers — Thursday, August 25th, 2011 Day One—Security Track
  • 9. Session 1.3 — Virtually Safe: 11:20 A.M. — 12:20 P.M.
    Dameon D. Welch-Abernathy, CISSP, Strategic Alliance Manager, Check Point Software Technologies Ltd.
    This session is designed to engage thought processes around the decision to move toward virtual technologies. Is your organization moving towards virtualization? The push for greener solutions that do more with less has made people take a hard look at a virtualization strategy for managing infrastructure. Multi-core architectures have brought a new level of power to the end users, but without the software being specifically designed to take full advantage of it, there is no perceivable benefit coming from these systems. This presentation seeks to demonstrate unique ways to not just ensure threat management for a virtual infrastructure, but to also leverage it as part of the infrastructure change. When you take away the buzz, and the clouds abate, will you be left with clear skies?
    Dameon D. Welch-Abernathy, CISSP, a.k.a. “PhoneBoy,” has provided aid and assistance to countless IT professionals since 1996. Best known as the author of two books on Check Point VPN-1/FireWall-1 as well as creator of a well-visited FAQ site on the Check Point products, Welch-Abernathy currently works as a Strategic Alliance Manager for Check Point Software Technologies. Prior to that, Welch-Abernathy spent 10 years in Nokia’s Security Appliance Business, which was acquired by Check Point Software Technologies in April 2009. Welch-Abernathy writes on the subjects of VoIP, Telecom, Network Security, Gadgets and Technology, as well as the occasional Nokia or Check Point-related item.
    Session Description: Virtualization, in and of itself, is an IT infrastructure strategy, not a security strategy, and as such, this presentation seeks to define security models that not only secure, but take advantage of ‘Cloud’ computing designs.
    The definition of ‘Cloud’ computing models can be complex and will mean different things to different organizations, but defining the model is a requirement to being able to map to strategies that protect those assets. Building a security model for virtualization needs to happen as part of the planning process to be most effective, but on closer review, the audience should discover much of the planning work done for them, when they are able to conceptualize the strategy. Much of what we do today to protect data can be reused, but you will find that virtualization presents both a unique challenge and a unique opportunity to create a safe environment to grow your services oriented computing models. Whether it is in the ‘Cloud’, or in the components of hardware that make it up, security is adapting to fit the needs. This session will define various ‘Cloud’ models, and the options for creating a secure infrastructure around them. When defining a strategy to abstract hardware and the dissemination of resources, let’s make sure security is considered to protect the design, as well as benefit from it.
  • 10. Session 1.4 — Risks in Outsourcing to the Cloud vs. SaaS; Cloud security Architecture: 1:40 P.M. - 2:40 P.M.
    Harshul Joshi, CISSP, CISA, CISM, Director, PwC
    Harshul Joshi is a Director in the security practice for PwC, with primary areas of focus in IT security and compliance based risk assessments, Threat and Vulnerability modeling and security architecture. He has worked with various compliance standards including PCI (Payment Card Industry), Sarbanes Oxley 404, GLBA (Gramm Leach Bliley Act) and SAS 70. Harshul has worked in Fortune 100 companies assisting with IT compliance, audit and security initiatives and is an internationally known speaker. Some of the sample topics he speaks on include PCI, Wireless Security, Auditing Firewalls and Intrusion Detection, Risks of IT Outsourcing and Off shoring and Performing IT Risk assessment from a Business stand-point. He has spoken at various conferences in Singapore, India and the United States. He is a regular speaker at ISACA North American Conference as well as Network Security Conference. Harshul is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM). Harshul has an MBA in International Business and an MS in Information Systems. Prior to joining PwC, Harshul was a Director of Technology consulting for CBIZ MHM LLC, where he headed the security practice creating and delivering risk assessment services. He also spearheaded IT security and compliance at Sony Corporate audit group, performing compliance and audit assessments for Sony Electronics, Sony Music and Sony Pictures. Prior to joining Sony, Harshul was a Security Architect with Verizon / GTE.
    Session 1.5 — Emerging Security Standards for the Cloud vs.
SaaS: 2:50 P.M. - 3:50 P.M.
    Rebecca Swain, CIPP/IT, CIPP, CISSP, CISA
    Becky Swain is a Partner with EKKO Consulting and has over 12 years of information security and privacy experience, designing, implementing, improving and measuring the effectiveness of policies, processes, and internal controls as a senior auditor, consultant and risk management practitioner involving complex and critical business operations and technical architectures with Fortune 500 companies based in Silicon Valley. As Co-Founder/Chair & Chief Architect, Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), Mrs. Swain is actively engaged in development and adoption of cloud security and privacy standards, participating with CSA and ISO/IEC as both contributor and project co-editor for ISO/IEC 27036 – Information technology – Security techniques: Information Security for Supplier Relationships – Part 1. Mrs. Swain holds numerous information security related certifications, including CISSP, CISA, CIPP and CIPP/IT, is an active member in professional affiliations (e.g., CSA, IAPP, and ISACA), serves on the Board of the CSA Silicon Valley Chapter, has recently been appointed as Security Lead for the CloudNOW (Network of Women) Special Interest Group (SIG), and is an ‘Information Security Practitioner’ category finalist in the (ISC)2 2011 Americas Information Security Leadership Awards (Americas ISLA).
  • 11. Session 1.8 — Panel Discussion - Business Drivers Vs. Standards and Legislation Impacting Cloud Services:
    Moderator: Robin Basham, Senior Director of Enterprise GRC, SOAProjects, is recognized across several industries as an ICT and GRC expert, assisting clients to architect and implement GRC Platforms, and with Green Tech initiatives. Past Banking Operations Officer, and Master Educator, Ms. Basham's Certifications include ITIL, CobiT, Networking, Java Enterprise, Information Audit and Security, CGEIT, ACGTA and most recently the CRISC. Technical Advisory, Executive leadership and Steering Committees include ISACA, OASIS, OMG, and AWC. Ms. Basham holds two graduate degrees in IT and Education, and is a founding member for Control Objectives for Sustainable Business, COSB. She is the creator of Facilitated Compliance Management software and founded Phoenix Business and Systems Process.
    Panelist: Benny Kirsh, CIO of Infoblox, a leading company in network automation and control, is an accomplished, results-oriented information technology professional with more than 20 years of experience in various industries. He has held several CIO positions. He joined The Cooper Companies to lead an ERP implementation and drive a cultural change necessary for a global rollout. He also led a highly professional IT team in implementing several systems such as financials, distribution, supply chain and others. He established a Change Management process to create transparency and build a strong working relationship within the business. Prior to The Cooper Companies, Benny was the first CIO at Kyphon, a company experiencing significant growth. His most important objective was to lay the technology foundation for growth while sustaining the flexibility required for Kyphon to function in a competitive market.
    He was responsible for implementing critical systems such as ERP, Quality Assurance, Workflow, Clinical Trial Systems and others. Benny relocated to the US from Israel with an International Enterprise, Terayon Communication Systems, bringing with him a wealth of global experience.
    Panelist: Carson Sweet is co-founder and CEO of CloudPassage. His information security career has spanned nearly two decades and includes a broad range of entrepreneurial, management and hands-on technology experience. As a senior information security strategy and technology consultant, Carson has created and implemented groundbreaking security solutions across a range of industries and public sectors. Prior to co-founding CloudPassage he served as RSA's principal solutions architect for the financial services sector, where he specifically focused on virtualization & cloud security, Internet application controls, data protection and anti-fraud. Carson formerly served as founding CSO for GlobalNetXchange (now Agentrics) and CTO for the Investor Responsibility Research Center (now the RiskMetrics Group). He also founded security consulting and managed services lines of business for RPM Consulting (acquired by Computer Horizons Corporation), TimeBridge Technologies (acquired by Dimension Data) and Security Methods. Prior to his technology career Carson served in the U.S. military as a heavy anti-armor weapons specialist and later as a career firefighter-paramedic. He studied emergency health sciences at the Jefferson College for Health Sciences, pre-medical neuropsychology at Virginia Commonwealth University/Medical College of Virginia and information technology at the University of Massachusetts.
  • 12. Panelist: Marlin Pohlman is Chief Governance Officer at EMC. In this role he coordinates the activities of standards based IT governance with EMC, its Security Division RSA and its holdings in VMWare and Acadia. Within the Cloud Security Alliance he is Global Strategy Board Chair & Director, coordinating the activity of technical work groups within the alliance and acting as liaison with external cloud standards bodies. Within the CSA Dr. Pohlman is also the active Co-Chair of the Controls Matrix and Consensus Assessments work groups as well as Co-chair of the Cloud Audit/A6 Standards Work Group. He holds a Ph.D. in Computer Science, an MBA in technology management, and a bachelor's in Engineering Physics. Dr. Pohlman is a licensed engineer and holds the CSA CCSK certification, the ISC2 CISSP certification as well as the ISACA CISM, CISA, CGEIT, CRISC certifications. He is also a trained paralegal.
    Returning to our stage from presentations throughout the day, please also welcome:
    Panelist: Brad Ames, Director Internal Audit, Hewlett Packard Company (See page 7)
    Panelist: Becky Swain, Cloud Security Alliance, Partner, EKKO Consulting Group (See page 8)
    Panelist: Pete Nicoletti, VP Security Engineering, terremark, A Verizon Company (See page 7)
  • 13. Session 2.1 — Planning and Scoping the Cloud Audit: 8:30 A.M. – 10:00 A.M.
    Cara M. Beston, Partner, PwC
    In this presentation, compliance leaders from PwC will look at recommended best practice for planning and scoping audit in environments that either partially or entirely leverage Cloud technologies. Leading the discussion is Cara Beston, Partner and head of Risk Assurance Cloud Computing services, as well as published author of such articles as “Look Before You Leap Into the Cloud, The Promise of Lower Capital and Operational Costs Isn’t the Only Benefit of Cloud Computing” (Copyright © 2010 SYS-CON Media, Inc.). This session will cover redefining audit objectives, boundaries of review, documenting risks, and deliverables in the context of cloud enabled platforms, resources and services.
    Cara Beston is a partner based in San Jose, CA and leading the Risk Assurance Cloud Computing services. She specializes in IT and process risk and control assurance services to IT, Internal Audit and business leaders in the Technology sector. In her 22 years with PwC, Cara has served over 80 technology clients, including key Cloud enabling enterprises, Cisco Systems, VMware, 3Par, SaaS providers Taleo, Webex and Proofpoint, and a number of on-line businesses including Shutterfly, CBS Interactive, Zappos.com and others. Cara graduated summa cum laude from Bridgewater College, MA and is a member of the AICPA. She lives in Pleasanton, CA with her husband and 3 children.
    Eric Tan, CISA, CGEIT, CPA, Director, PwC
    Joining Cara is Eric Tan, CISA, CGEIT and CPA. Eric is a Director at PwC with over twelve years of experience delivering IT governance and risk management solutions. Eric currently leads PwC's cloud and internet assurance practice based in Silicon Valley. He serves as an internal audit and compliance advisor to various leading SaaS providers in the bay area.
    His experience includes leading large scale system assessments, performing risk and security reviews, business continuity & disaster recovery diagnostics, and helping his clients implement various compliance and control solutions. Eric focuses on clients in the technology sector. Clients he has served include Google, eBay, LinkedIn, Novell, Tibco, Shutterfly, and Proofpoint.
    2011 Summer Conference Speakers — Friday, August 26th, 2011 Audit Track - Keynote
  • 14. Session 2.2 — Governance and Enterprise Risk Management (ERM) The GRC Stack: 10:10 A.M. – 11:10 A.M.
    Dr. Marlin Pohlman, Chief Governance Officer at EMC
    In this role he coordinates the activities of standards based IT governance with EMC, its Security Division RSA and its holdings in VMWare and Acadia. Within the Cloud Security Alliance he is Global Strategy Board Chair & Director, coordinating the activity of technical work groups within the alliance and acting as liaison with external cloud standards bodies. Within the CSA Dr. Pohlman is also the active Co-Chair of the Controls Matrix and Consensus Assessments work groups as well as Co-chair of the Cloud Audit/A6 Standards Work Group. He holds a Ph.D. in Computer Science, an MBA in technology management, and a bachelor's in Engineering Physics. Dr. Pohlman is a licensed engineer and holds the CSA CCSK certification, the ISC2 CISSP certification as well as the ISACA CISM, CISA, CGEIT, CRISC certifications. He is also a trained paralegal.
    In this session, Chief Governance Officer and highly regarded GRC expert Dr. Marlin Pohlman will cover Governance Models, Enterprise Risk Management, Information Risk Management, Third-party Management, Legal and Electronic Discovery, Compliance and Audit and Portability and Interoperability. Outsourcing critical business functions into the Cloud can result in challenges of maintaining assurance and control over legal and regulatory obligations for data management and protection. In this session, we will guide you through the process for establishing an effective cloud security program leveraging the Cloud Security Alliance (CSA) Governance Risk & Compliance (GRC) Stack, providing you with real world examples of industry adoption.
    The audience will particularly benefit by Marlin’s insights as the Chair CSA Strategy, Board, Co-Chair Cloud Control Matrix, Founder/Co-Chair CSA Consensus Assessment, Co-Chair Cloud Audit. With over 18 years IT governance and audit experience, Marlin Pohlman is the editor elect of the ISO and ITU-T cloud information security management standards. As the Chief Governance Officer at EMC, Marlin Pohlman oversees the product strategy and standards compliance of the EMC Cloud GRC Portfolio.
    Session 2.3 — Privacy in the Cloud: 11:30 A.M. - 12:30 P.M.
    Doron Rotman, IT Advisory, KPMG
    Doron is a member of the IT Advisory practice specializing in information governance, privacy, and security and is the National Privacy Service Leader. Doron is a Managing Director in KPMG’s Advisory Services practice with over 20 years of experience. Mr. Rotman is focused on providing Privacy and Information Governance Service. He is the national privacy service leader, a member of KPMG’s national Privacy Leadership Council and a member of KPMG International Privacy Leadership team. He has extensive high tech, financial services, manufacturing and government industry knowledge, both in the information technology and the accounting and finance aspects. Doron delivered multiple around the world on the topic of Privacy and the Cloud, recently at the NACACS 2011.
  • 15. Session 2.4 — Leveraging Data Security to Support eDiscovery and Records Management: 1:40 P.M. - 2:40 P.M.
    Mark Diamond, President and CEO, Contoural, Inc.
    Mark Diamond is one of the industry thought leaders in proactive litigation readiness, compliance, and records information management strategies. His company, Contoural, has helped 20% of the Fortune 500 plus many mid-sized and smaller organizations as well as public sector entities. Mark is a frequent industry speaker, presenting at numerous Legal and IT industry conferences as well as online venues. Additionally, Mark addresses more than one hundred internal corporate audiences each year. Mark is founder, President & CEO of Contoural, Inc. Under his leadership, Contoural has grown to be a leading independent provider of litigation readiness and records and information management services. He is recognized as a thought leader in litigation readiness and records information management. Mark is an online columnist for InsideCounsel Magazine, as well as an author of numerous white papers for both the legal and IT communities. He is also co-author of the Litigation Readiness Chapter of the West eDiscovery for Corporate Counsel, 2010 ed. Previously Mark was chair of the Storage Networking Industry Association Security Customer Advisory Board.
    Session 2.5 — Operating in the Cloud, Incident Response, Notification and Remediation, Application Security, Data Security and Integrity, Identity and Access Management Virtualization: 2:50 P.M. - 3:50 P.M.
    David Ho, Ernst & Young
    David Ho is a multi-disciplinary professional with over 13 years of experience in IT, information security, and internal audit. He brings a unique blend of strong technical skills with business acumen and drive for operational excellence.
    He specializes in transforming information security organizations to enable business innovation, while managing the company's risk. He has led and executed on technical information security implementation projects, audited complex IT systems for information security and data privacy controls, and program managed multiple multi-million dollar security projects. David's specialties include Information security strategy and governance, Data security and privacy, Internal audit and compliance, and Portfolio and program management. David is an Information Security Senior Manager at Ernst & Young.
  • 16. Session 2.8 — PCI and Tokenization Panel Discussion: 4:00 P.M. - 5:00 P.M.
    Jonathan Clark, CEO and founder of ExoIS, Inc., is a PCI QSA and security and compliance expert. Jonathan is the Chief Architect of the SaaS product PeepSafe, a portal based offering that allows organizations to relocate processes and systems from their internal networks, allowing them to de-scope portions of, or in some cases their entire, PCI footprint. Prior to ExoIS, Jonathan started and sold a Web Company, headed up IT for Morphics and developed an Enterprise Configuration Technology program at Applied Materials, subsequently leading the rollout and deployment of the program in multiple Applied product divisions globally. Jonathan has a BSc Honors in Mathematics from Bristol University, England. He also scored a great hat-trick against Watsonville in the Peninsula Premier League.
    Walter Conway is a Payment Card Industry Qualified Security Assessor (QSA) and ecommerce consultant applying his 30 years of electronic payments and technology management experience to helping clients plan, implement, and manage their credit card and e-commerce programs, including achieving PCI compliance. Walt spent over 10 years with Visa, and two years as president of an Internet-based payment processor. His focus is assisting organizations of all sizes plan, implement, and manage their credit card and ecommerce systems, including achieving PCI DSS compliance. In addition to his QSA duties, Walt is PCI columnist for Storefront Backtalk.com, focusing on issues facing retailers, and conducts PCI training workshops. He also writes a popular PCI blog focused on Higher Education compliance issues. He is a frequent speaker on PCI DSS, security, and ecommerce topics at professional conferences and webinars.
    He co-authored Why Banks View Campuses as High Risk Merchants, an examination of computer security breaches, and 5 Strategies to Achieve PCI Compliance (both published by the Association of Financial Professionals). Other publications include Five Myths About the PCI DSS (Government Finance Officers Association), Straight Talk about Data Security (in the NACUBO Business Officer), and Back to School: What Colleges and Universities Can Teach About PCI Compliance (SPSP Payments News).
    Abir Thakurta, CISSP, Director of Pre-Sales and Professional Services for Liaison Technologies, has been instrumental in shaping the data security industry since its infancy and helping it to mature as enterprise security concerns have shifted to protecting sensitive and confidential business and customer information. Thakurta works closely with customers to help them develop and implement innovative, practical, all-encompassing security strategies to solve organizational data protection problems. Thakurta often becomes the "go to" guy for customers seeking advice on use of security solutions to reduce organizational risk and comply with data security mandates and privacy laws. He actively works to educate the market through published articles in respected data security journals and by speaking at industry conferences around the world. Thakurta holds a B.S. in Engineering from Manipal Institute of Technology in Manipal, India, and an M.S. in Supply Chain Technology from the New Jersey Institute of Technology in Newark, New Jersey, and he completed the Georgia Tech Management Program in Atlanta. He is a member of the Payment Card Industry’s Security Standards Council, ISC2 and the Technology Association of Georgia - Information Security Group.
    Returning to the stage, Harshul Joshi, Director, PwC (Please see page 10)
  • 17. Final Comments and Conference Wrap Up: Sumit Kalra, Director, BPM and Conference Director
    Sumit Kalra, CISA, CISSP, is a Director at Burr Pilger Mayer, where he manages the Assurance Services practice specializing in information technology, SAS70 Audits, and assessments. His 12 years of industry experience include 6 years at international CPA firms, and 6 years at companies in the technology, consumer products and financial services industries. His knowledge base spans a variety of ERP solutions and complex infrastructure implementations. Sumit has a BS in Accounting and Computer Information Systems from San Francisco State University. In his spare time, Sumit enjoys cooking international cuisine.
    We hope you enjoyed the presentations, and have gained valuable insights into and learned new techniques about Cloud Security and Cloud Audit. Before you leave, please fill out the Speaker Assessment Form for today’s session. We will use your input to learn about our performance, and to improve future conferences. Please leave the forms at the Registration Desk on your way out.
  • 18. To register, or to gain additional information, including driving directions, please visit: http://isaca-sv.org/index.php?option=com_content&view=category&layout=blog&id=4&Itemid=4
    Venue Information
    The 2011 Summer Conference will be held at:
    Biltmore Hotel & Suites
    2151 Laurelwood Road
    Santa Clara, CA 95054
    (408) 988-8411
    (Free Parking)