ISACA Greater Washington, D.C. Chapter
Serving ISACA GWDC Members since 1974
Upcoming Chapter Events
Below are upcoming chapter conferences, seminars, review courses, and other events. Prior chapter events can also be viewed.
For information on our event policies, see https://isaca-gwdc.org/event-policies/.
The ISACA Greater Washington DC (GWDC) is proud to host our annual IT Audit conference. This conference is part of our monthly conference series.
IT professionals, IT advisory or audit professionals, business executives, students or professionals interested in learning more about IT Audit should attend this event.
Registration closes on January 17, 2024 @ 8pm.
Agenda
08:30 AM – 09:30 AM
Building an API Audit Program
Presenter: Baljeet Malhotra (TeejLab)
APIs benefit organizations immensely through accelerated innovation, newer business models, and competitive differentiation. However, growing API usage also means increased cybersecurity risk for enterprises. Given the importance of APIs in enterprise digital transformation, it is imperative for audit professionals to better understand the API risks that challenge their organizations. In this session, we’ll first identify the risks that originate from within enterprise API ecosystems. The session will then provide an overview of an API auditing framework for managing API risk effectively. Dr. Malhotra will also highlight industry best practices and hands-on examples for API risk management.
09:30 AM – 10:30 AM
Use of Agile Methodology in IT Audit
Presenter: Jack Doyle (Kearney & Company)
While Agile delivery approaches are normative in software development, auditor and consultant usage is a mixed bag. This presentation is meant to inform assessors considering a change in project management style by describing agile, reviewing key tenets of implementation, and discussing experience using agile for assessments. The presentation should answer questions such as:
10:30 AM – 11:30 AM
Prioritizing Enterprise Risks Using Data Normalization with Ken Squires
Presenter: Ken Squires (Sikich)
Many organizations have risk assessment remediation priorities that compete with business objectives and regulatory requirements and are difficult to compare. Normalization techniques can collect and aggregate numerical risk values into comparable data so that the organization’s IT resources, legal team, C-level executives, and key stakeholders can jointly prioritize the implementation of the controls needed to mitigate risk to a reasonable level.
Attendees will learn:
11:30 AM – 12:30 PM
Adaptive Cybersecurity Risk Assessments
Presenter: Gideon Rasmussen (Cybersecurity Management Consultant)
This session provides practical cybersecurity assessment advice. It details the end-to-end process, including scoping, 9 steps to develop work papers, scheduling, on-site assessment, report preparation, and presentation.
The first assessment example leverages the NIST Cybersecurity Framework to ensure coverage across security domains. Sample scoping questions will be provided, along with tips and examples to add controls based on business processes, insider threat, privacy, and fraud.
This session also addresses follow-on assessments. Attendees are encouraged to evaluate lines of business and to take deep dives into critical functions. Tips and examples are provided to leverage best practices, creating specific testing procedures.
Rather than repeating the same assessment year-over-year, the scoping methodology is risk opportunistic. There is a focus on areas that have not been evaluated recently and areas that may require enhanced controls due to the presence of valuable data. Albert Einstein’s quote applies here: “The definition of insanity is doing something over and over again and expecting different results”.
The session will briefly walk through the assessment report framework, providing tips along the way.
The assessment presentation phase includes a slide deck framework covering the threat landscape, assessment methodology, high and moderate-high findings, a Strengths, Weaknesses, Opportunities and Threats (SWOT) slide, and next steps.
Presenters
Dr. Baljeet Malhotra
Founder & CEO of TeejLab
Dr. Baljeet Malhotra is an award-winning researcher and a global tech leader known for his work in Open Source and API Risk Management. He founded TeejLab in 2019 and steered the team to build API Discovery and Security™, the world’s first end-to-end API Risk Management platform. Prior to TeejLab, he established the R&D unit of Black Duck Software in 2016 (acquired by Synopsys). He also served as Research Director at SAP and Senior Software Engineer at MahindraTech. He received a PhD in Computing Science from the University of Alberta and won several awards, including NSERC (Canada) scholar and Global Young Scientist (Singapore). He concurrently holds Adjunct Professor positions at the University of British Columbia, the University of Victoria and the University of Northern BC. He has given numerous talks globally organized by ISACA, ISSA, IIA, ISC2, OWASP and other organizations.
Jack Doyle
Principal @ Kearney & Company
CPA, CGFM, CISA, CISSP
Jack Doyle has 12 years of experience across financial statement audit, IT controls audit, GRC consulting, and GRC software implementation. Jack is a Principal at Kearney & Company, where he currently supports OCIO GRC clients at the National Institutes of Health, following experience in the HHS, DHS, DoD, and Intel communities.
Jack is a proud graduate of Virginia Tech, where he majored in accounting and philosophy. Jack grew up in northern Virginia but is loyal to his Massachusetts family roots for all things sports, especially the Boston Celtics. Jack holds the following certifications: CPA, CGFM, CISA, and CISSP.
Ken Squires
Partner of Governance, Risk & Compliance @ Sikich
CDPSE, CISA, CISSP, CRISC, HCISPP, NSA IAM
Ken Squires is a Partner of Governance, Risk, and Compliance (GRC) at Sikich, a leading professional services firm that helps clients achieve their goals in the digital age. With more than 26 years of risk management experience and multiple credentials, such as CISSP, HCISPP, and CRISC, he offers unparalleled strategic guidance to clients as they work to complete organizational cybersecurity objectives and navigate complex compliance requirements.
As a virtual Chief Information Security Officer (vCISO) for several companies, he has managed multiple information security management systems based on ISO 27001, NIST, HITRUST, HIPAA, and PCI standards. He has also led internal and external vendor due diligence assessments, presented findings and remediation projects to C-level sponsors and executive leadership teams, and designed and implemented security policies and incident response plans. He has contributed intellectual capital to Sikich’s Professional Services Framework, including reporting, checklists, templates, testing methods and techniques, and research. Ken’s mission is to help clients protect their data, assets, and reputation from cyber threats and regulatory risks.
Gideon Rasmussen
Cybersecurity Management Consultant
CISSP, CRISC, CISA, CISM, CIPP
Gideon Rasmussen is a Cybersecurity Management Consultant with over 20 years of experience in corporate and military organizations. Gideon has designed and led programs including Information Security (as a CISO), PCI – Payment Card Security, Third Party Risk Management, Application Security and Information Risk Management. He has diverse industry experience within banking, insurance, pharmaceuticals, DoD/USAF, state government, advertising and talent management.
Gideon has authored over 30 information security articles. He is a veteran of the United States Air Force, a graduate of the FBI Citizens Academy and a recipient of the Microsoft Most Valuable Professional award. Gideon has also completed the Bataan Memorial Death March 4 times.
Event Questions and Policies
Registration Questions
If you have any registration questions about this event, please contact the chapter using the Registration Contact Form.
If you have CPE questions after the event has concluded, please contact the chapter using the CPE Contact Form.
Cancellation and Refund Policy
Cancellations and refunds for advance registrations are allowed if the cancellation is submitted through the registration system. Refunds vary depending on the date of cancellation. See ISACA GWDC Event Policies for details.
If ISACA GWDC cancels the event, all registrants will be notified as soon as possible through email at the email address provided during registration. Full refunds will be provided.
Complaint Policy
The GWDC welcomes your comments, complaints, suggestions, questions, and other feedback concerning our website information and services. All complaints should be submitted through the Registration Contact Form.
CPE Information
Earn up to 4 Continuing Professional Education (CPE) credits in the area of Information Technology. The ISACA® Greater Washington, D.C. Chapter is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.NASBARegistry.org.
CPE Distribution and Evaluation Survey
CPEs will be distributed via e-mail along with the event evaluation survey after the completion of the event. Attendees must be present for the full event to receive full CPE credit.
Learning Objective
After attending this event, attendees will learn about recent topics in the IT Audit space.
ISACA® Greater Washington, D.C. Chapter
P.O. Box 13993
Arlington, VA 22219