IT Audit Conference 2024

Building an API Audit Program

Presenter: Baljeet Malhotra (TeejLab)

APIs benefit organizations immensely through accelerated innovations, newer business models, and competitive differentiation. However, the growing API usage also means increased cybersecurity risks for enterprises. Given the importance of APIs in digital transformation at enterprises, it is imperative for Audit Professionals to understand better various API risks that pose various challenges to their organizations. In this session, we’ll first identify various risks that originate from within the enterprise API ecosystems. This session will then provide an overview of an API Auditing framework to manage API Risks effectively. Dr. Malhotra will also highlight best industry practices and hands-on examples for API Risk Management.

Use of Agile Methodology in IT Audit

Presenter: Jack Doyle (Kearney & Company)

While Agile delivery approaches are normative in software development, auditor and consultant usage is a mixed bag. This presentation is meant to inform assessors considering a change in project management style by describing agile, reviewing key tenets of implementation, and discussing experience using agile for assessments. The presentation should answer questions such as:

• What is the value of changing from the existing approach?
• How is this different from any other corporate project management vocabulary?
• How and why does your team discuss project status?
• What project management activities result in changes to delivery?
• What are the use cases where this approach is best suited and how do you implement them?

Prioritizing Enterprise Risks Using Data Normalization with Ken Squires

Presenter: Ken Squires (Sikich)

Many organizations have competing risk assessment remediation priorities with business objectives and regulatory requirements that are difficult to compare. Normalization techniques can collect and aggregate numerical risk values into comparable data to ensure the organization’s IT resources, legal team, C-Level executives, and key stockholders can jointly prioritize the implementation of controls needed to mitigate risk to a reasonable level.

Attendees will learn:

• Define acceptable risk criteria that can be utilized as a data normalization technique
• View a sample risk register populated with results from different assessments that have gone through the risk data normalization process.

Adaptive Cybersecurity Risk Assessments

Presenter: Gideon Rasmussen (Cybersecurity Management Consultant)

This session provides practical cybersecurity assessment advice. It details the end-to-end process, including scoping, 9 steps to develop work papers, scheduling, on-site assessment, report preparation, and presentation.

The first assessment example leverages the NIST Cybersecurity Framework to ensure coverage across security domains. Sample scoping questions will be provided, along with tips and examples to add controls based on business processes, insider threat, privacy, and fraud.

This session also addresses follow-on assessments. Attendees are encouraged to evaluate lines of business and to take deep dives into critical functions. Tips and examples are provided to leverage best practices, creating specific testing procedures.

Rather than repeating the same assessment year-over-year, the scoping methodology is risk opportunistic. There is a focus on areas that have not been evaluated recently and areas that may require enhanced controls due to the presence of valuable data. Albert Einstein’s quote applies here: “The definition of insanity is doing something over and over again and expecting different results”.

The session will briefly walk through the assessment report framework, providing tips along the way.

The assessment presentation phase includes a slide deck framework covering: the threat landscape, assessment methodology, high and moderate-high findings, a Strengths, Weaknesses, Opportunities and Threats (SWOT) slide and next steps.

Dr. Baljeet Malhotra
Founder & CEO of TeejLab

Dr. Baljeet Malhotra is an award-winning researcher and a global tech leader known for his work in Open Source and API Risk Management. He founded TeejLab in 2019 and steered the team to build API Discovery and Security™, world’s first end-to-end API Risk Management platform. Prior to TeejLab, he established the R&D unit of Black Duck Software in 2016 (acquired by Synopsys). He also served as Research Director at SAP and Senior Software Engineer at MahindraTech. He received a PhD in Computing Science from the University of Alberta and won several awards including NSERC (Canada) scholar and Global Young Scientist (Singapore). He concurrently holds Adjunct Professor positions at the University of British Columbia, University of Victoria and University of Northern BC. He has given numerous talks globally that were organized by ISACA, ISSA, IIA, ISC2, OWASP and other organizations.

Jack Doyle
Principal @ Kearney & Company
CPA, CGFM, CISA, CISSP

Jack Doyle has 12 years of experience across financial statements, IT controls audit, GRC consulting, and GRC software implementation. Jack is a Principal at Kearney & Company, where he currently supports OCIO GRC clients at the National Institute of Health, following experience in the HHS, DHS, DoD, and Intel communities.

Jack is a proud graduate of Virginia Tech, where he majored in accounting and philosophy. Jack grew up in northern Virginia but is loyal to his Massachusetts family roots for all things sports, especially the Boston Celtics. Jack holds the following certifications: CPA, CGFM, CISA, and CISSP.

Ken Squires
Partner of Governance, Risk & Compliance @ Sikich
CDPSE, CISA, CISSP, CRISC, HCISPP, NSA IAM

Ken Squires is a Partner of Governance, Risk, and Compliance (GRC) at Sikich, a leading professional services firm that helps clients achieve their goals in the digital age. With more than 26 years of risk management experience and multiple credentials, such as CISSP, HCISPP, and CRISC, he offers unparalleled strategic guidance to clients as they work to complete organizational cybersecurity objectives and navigate complex compliance requirements.

As a virtual Chief Information Security Officer (vCISO) for several companies, he has managed multiple information security management systems based on ISO 27001, NIST, HITRUST, HIPAA, and PCI standards. He has also led internal and external vendor due diligence assessments, presented findings and remediation projects to C-level sponsors and executive leadership teams, and designed and implemented security policies and incident response plans. He has contributed intellectual capital to Sikich’s Professional Services Framework, including reporting, checklists, templates, testing methods and techniques, and research. Ken’s mission is to help clients protect their data, assets, and reputation from cyber threats and regulatory risks.

Gideon Rasmussen
Cybersecurity Management Consultant
CISSP, CRISC, CISA, CISM, CIPP

Gideon Rasmussen is a Cybersecurity Management Consultant with over 20 years of experience in corporate and military organizations. Gideon has designed and led programs including Information Security (as a CISO), PCI – Payment Card Security, Third Party Risk Management, Application Security and Information Risk Management. Has diverse industry experience within banking, insurance, pharmaceuticals, DoD/USAF, state government, advertising and talent management.

Gideon has authored over 30 information security articles. He is a veteran of the United States Air Force, a graduate of the FBI Citizens Academy and a recipient of the Microsoft Most Valuable Professional award. Gideon has also completed the Bataan Memorial Death March (4 occurrences).