Lively topics for new and seasoned internal auditors, students and others are presented montlhly between September and May.

Cloud migration is on the top of the “To-do List” for CIOs and CISOs for the current year, especially with the COVID-19 pandemic which has created a new norm of remote work for majority of the work force. Transition and reliability on the organizational compute, storage and network needs are shifting from on-premise to cloud.
CISOs and Cybersecurity leaders have an important role to play in advising the business leaders/CIOs for the selection of an appropriate cloud provider and ensuring that they meet the cybersecurity needs for the organization. Cloud provider business agreements are time consuming to finalize, have multi-year obligations and hence they require appropriate due diligence.
In this webinar, Rajiv will discuss the following aspects of auditing cloud provider:
•Preparation for Cloud Provider audit 
•Organizational readiness for transition
•Framework and key artifacts for auditing
•What happens after audit?

Auditing Cloud Provider

Year at a Glance
Charlie Murray, Vice President

Nominations & Awards
Keith Cheresko, Chairperson


Webinar Topic and Speaker

Simplifying Policy: Information Security on One Page
David Soubly, Principal, IT Security and Risk, ICEX (Intellectual Capital Exchange)

Why is information security policy so complex? What can we do about it? How many of you struggle to understand your company’s information security policy? How many are concerned that a policy manual meant to be read and understood by everyone is just too much to handle? How can we work to simplify information security policy, when the security industry itself introduces layers of complexity?

We will explore these issues, discussing the journey toward simplicity and how challenging it is be “just simple enough.” We will learn about the various forms of “debt” that can create drag in an organization. We will uncover the foundations of data, information, and knowledge, and what this has to do with understanding information security.

All of this will lead to a one-page information security policy, part of an ongoing quest to represent all of information security on one page, so that everyone gets it. You may not agree with the result, but the journey itself will be compelling.

ISACA Chapter Meeting  Simplifying Policy: Information Security on One Page

JOINT MEETING WITH THE INSTITUTE OF MANAGEMENT ACCOUNTANTS ALSO, 2020-2021 IIA DETROIT CHAPTER BOARD ELECTIONS WILL BE HELD

Topics:
THE STATE OF MICHIGAN’S ECONOMY
Scott Darragh, Economist, State of Michigan Department of Treasury

FEDERAL ECONOMIC OUTLOOK ~ THE IMPACT OF COVID – 19
Paul Traub, Senior Business Economist, Federal Reserve Bank of Chicago

VIRTUAL MAY CHAPTER MEETING

Dr. Joe Adams joins us to address an important topic on hiring practices in light of the cybersecurity workforce gap.  As the founder of the Michigan Cyber Range, Dr. Adams has significant experience in workforce development and training. 

The webinar discusses the huge gap between the supply and demand of qualified talent in the cyber security industry. This gap is estimated to be almost 3 million unfilled jobs around the world, with almost half a million of these in the US alone. The gap’s impact is most apparent as organizations struggle to keep up with increasing government regulations, system complexity, and expanding attack surface. Dr. Joe Adams will look at some of the causes of the gap and how companies can change their recruiting and retention policies to fill positions with the right people.

This webinar is designed not only for the CAEs but all members of the Board of Directors for both private and public companies.

HOW YOUR HIRING PRACTICES MAKE THE TALENT GAP WORSE

Cloud misconfigurations are a leading cause of data breaches and security risks within AWS. With an ever-expanding number of new services, the complexity of securing and configuring your AWS environment is always increasing.  Security practices are often ignored or overlooked.  In this session we will look at common configuration mistakes, the risks that they pose and ways to identify and mitigate these risks.
 This session will include looking at operational responsibility of services such as EC2, EKS, S3, Lambda and how a Cloud Security Posture Management System (CSPM) can be used to monitor and automate security around these services.  Deploying to an AWS well architecture framework and compliance to governance such as CIS, HIPPA, NIST, PCI, and GDPR.

Avoiding data breaches and risk from misconfigurations before it is too late

A month ago, we were all begging for talent. Any warm body that could come close to doing the job we were ready to talk to. Now, a few weeks later the entire industry might have been flipped upside down. The reality is, for Internal Auditors, the demographics are still not on our side! We will still need a robust recruiting and talent attraction strategy to fill the jobs and skill shortages we have currently, and that are increasing as more and more talent retire.
Tim Sackett, is an expert in talent acquisition technology, recruiting execution, and author of the best-selling book the Talent Fix. In this session he will show us what world class organizations are doing to attract talent to the most hard to fill jobs across the world, and how some simple changes can have a huge impact in how we communicate to potential talent in getting them to want to come to work for you.
Right now is when we prepare for hiring what’s next. Great organizations increase their talent during difficult times, so that they can take advantage of the upswing like no one else. Having the right tech stack and strategy in place will make all the difference.

THE FUTURE OF TALENT ACQUISITION FOR INTERNAL AUDITORS

As a continuation to last month’s webinar where Jeff Sisolak discussed how to leverage the National Institute of Standards and Technology (NIST) library to assist in planning and development of audit strategy, this month’s topic will cover select NIST publications which provide details on how to assess cyber security controls. 
Whether you are an IT Auditor, Audit department leader, business manager or just personally interested in understanding IT and Security best practices, this webinar will touch on specific actions to help assess related policies, practices and procedures. Armed with this information, risk and control assessments can be developed or enhanced to help organizations align with regulatory, professional and/or industry expectations for proper and secure information technology controls.

Leveraging NIST’s Publications to Build Cybersecurity Audit Programs

The National Institute of Standards and Technology or NIST has issued a comprehensive library of special publications related to cyber security, risk, and their own risk management framework. The framework is compulsory for Federal systems but also gaining popularity in commercial enterprises because they are free, ubiquitous, and often necessary for doing business with government entities anyway.  However, the sheer volume of this body of work can be daunting.  While thoroughness and precision can be an asset, it can also make it difficult to see the forest for the trees.
This presentation will define the foundational elements of any meaningful cyber security risk management program using the NIST Special Publications (SP) as a guide, with an emphasis on what it means for the internal auditor.  It will cover the more common documents such as 800-37, and 800-53.  It will cover more obscure documents such as SP 800-18, SP 800-60 vol. I & II, and other related documents not published by NIST.  It will conclude with tips and techniques for any cyber security risk management audit program, regardless of the actual framework in use.

Seeing the Risk Management Forest for the Trees

Join Erik in talking about building a thriving vulnerability management program that focuses on improving business risk through refocusing efforts on the vulnerabilities that matter most.
Vulnerability Management is one of the most important, but least sexy, components of an Information Security program coming in at number 3 on the CIS Top 20.  Despite its criticality, many organizations fail to get a program off the ground leading to low hanging fruit for attackers.  Overwhelming volumes of vulnerabilities, lack of asset visibility and missing foundational components to support a vulnerability program are just a couple of reasons programs fail.
Erik will take this time to offer ideas on how to build a sound foundation for and standup a program along with where to focus your time to avoid boiling the ocean.

Building a Vulnerability Management Program

Every day we are faced with ethical dilemmas. They are not all big, earth-shattering decisions between right and wrong… but every ethical decision we face carries a consequence. From behavioral ethics to technical ethics to codes of professional conduct, this session will explore ethical behavior in the workforce, and the critical role that accountability professional play in upholding the public trust.

IIA Detroit Chapter Ethics Webinar

There are several ways to get the risk assessment wrong.  If the risk is considered a “thing”, and not a “quantity”, we probably got it wrong.  Werner Enterprises adopted the FAIR (Factor Analysis of Information Risk) framework to perform quantitative risk assessment of information security and operational risk.
Dave will walk the audience through their process of adopting FAIR, what worked, what didn’t and the lessons learned as they go through their risk management journey.

To FAIR or not? A Risk Assessment Discussion

With the widespread adoption of social media sites and phone-based apps, users are leaving data trails everywhere.   Often the companies behind these tools do not charge fees to the end users to use their software.   Instead the payment method is the collection and reuse of the end user data gathered by the software applications.  This data is in turn sold to data aggregators or directly to other companies that sell other products and services.  As the data migrates further away from the end user, it is more widely available and less likely to remain in the ownership and control of the originator of the data.   More and more often an investigation starts with internet-based searches to identify and analyze this data.   The trend will continue to move in this direction.

Internal Auditors can benefit greatly from understanding how to best integrate this new wealth of information in their audits and investigations.    The future of both audits and investigations will need to rely more on technology but cannot neglect the impact and role of the “human element”. Points of particular interest include:  

•Personal assistants (Siri, google home, Alexa),
•Analytics applied to social media sites,
•Check in features showing real time locations,
•The trend towards this data going directly to the public cloud, and 
•Data enablement on more everyday devices.

Following the Digital Investigative Trail.   How Digital "Currency" is Exposing

We live in contentious times in which divisiveness not only drives people to engage in antisocial and unethical behavior, but creates tremendous risk for organizational cultures and reputations. 

In this free webinar, Don Levonius shares some unique insights on promoting civility in the workplace with a focus on ethics.

PROMOTING CIVILITY IN THE WORKPLACE

Digital Transformation is a mandate and companies are adopting methodologies like Agile, XP, and Lean to push the envelope on faster delivery and at the same time continuously improve the product capabilities. This rapid uptrend has given rise to Business and IT embracing DevOps practices such as Continuous Integration, Continuous Delivery, and Site Reliability Engineering. Let's explore the challenges Internal Audit is facing and ways to enable the organization to achieve its objectives.

Digital Transformation and Internal Audit

Managing cyber risk in today’s digital environment is extremely challenging, whether your organization is public, private or governmental.  In response to the growing frequency and severity of cyber-attacks, many organizations have decided it’s time to focus more of their efforts on cyber risk, starting with a cyber risk assessment. This approach to proactively dealing with the risk of cyber-attacks increases the organization’s awareness of the potential impacts and costs, and enables them to take actions that reduce the overall risk to the organization, minimize the impact of cyber-attacks, and more predictably ensure the continuity of essential services.

This webinar will provide participants with a high-level overview of assessing cyber risk and explore the following:
•Threats and root causes of breaches 
•The changing regulatory landscape 
•Security frameworks and tools 
•Practical ways to assess your risk and organizational exposure 
•Key elements of a successful cyber risk management program

Assessing Cyber Risk - Challenges and Solutions

Technology is omnipresent.  Technology is helping businesses work faster, smarter and become more innovative.  But the same technology is introducing more security risks.  Organizations are deploying security technologies to mitigate the security risks and implement continuous monitoring of these risks.  Audit departments within organizations are planning to conduct more technology audits than ever before.  They are looking to automate their audits. They are looking for newer, smarter audit tools.  But before we go any further to identify any new tools, let’s look at the same continuous monitoring tools already deployed within the organizations, which could help the auditors as well.  
The session will discuss the following areas:
•Asset Inventory
•Security Information Event Management
•Identity and Access Management
•Network Security
•Mobile Device Management

Auditing Smarter – Not Harder

The Foreign Corrupt Practices Act (FCPA) was enacted in 1977 making it illegal to make payments to foreign government officials for the purpose of obtaining or keeping business. The anti-bribery provisions of the FCPA require maintenance of accurate books and records as well as an adequate system of internal controls. Please join this webinar to gain an overview of the FCPA, discuss recent enforcement trends throughout the years, and understand how the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) considers a company’s existing compliance program when assessing penalties. The webinar will cover common methodologies and frameworks for identifying possible gaps in existing compliance programs, common pitfalls and considerations when assessing and remediating anti-bribery and anti-corruption compliance gaps, highlighting areas where internal audit practitioners can contribute to a company's anti-corruption monitoring efforts.

Understanding the FCPA: Recent Trends and Considerations

Business transformation in the 21 st century has organizations extending their value chain into
customer decision making, as they design and deliver “digital services” using advanced
information technology. Such transformations need organizations to run at a faster speed to
explore new value creating opportunities and still keep running their daily operations at regular
speed. So, organizations may need two different organizational structures and governance models
to manage both faster and regular speeds to isolate risks, including strategic (e.g. brand reputation),
compliance (e.g. data security and integrity), operational and technical risks that surface when
working with many unproven technologies, external partners, and evolving customer expectations.
This presentation will look at strategies to address these risks.

Enterprise Risk Management in the Age of Business Transformation

In 2010, the AICPA issued SSAE No. 16, Reporting on Controls at a Service Organization, which replaced SAS 70.  Most organizations outsource certain tasks and functions to at least one service organization.  Therefore, many risks of the service organization become risks of the user entity.  SSAE 16 reports are intended to provide an objective evaluation of the effectiveness of controls at the service organization.  Join us to discuss:
* Why the change to SSAE16
* Similarities & Differences between SAS70 & SSAE16
* Impacts of the change to Internal Audit Organizations
* Common pitfalls / value adds / best practices
* Broad Standards (SSAE 16, SOC, AT101) and how they relate

Transition from SAS-70 to the New SSAE-16

SAS70

SSAE16

Service

Organizations

Controls

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Transition from SAS-70 to the New SSAE-16

Presented by

About this talk

More from this channel