In 2010, the AICPA issued SSAE No. 16, Reporting on Controls at a Service Organization, which replaced SAS 70. Most organizations outsource certain tasks and functions to at least one service organization. Therefore, many risks of the service organization become risks of the user entity. SSAE 16 reports are intended to provide an objective evaluation of the effectiveness of controls at the service organization. Join us to discuss:
* Why the change to SSAE16
* Similarities & Differences between SAS70 & SSAE16
* Impacts of the change to Internal Audit Organizations
* Common pitfalls / value adds / best practices
* Broad Standards (SSAE 16, SOC, AT101) and how they relate
Recorded Nov 10 2011, 59 mins
Rajiv Das, Principal Plante Moran Management Consulting
Cloud migration is at the top of the “To-do List” for CIOs and CISOs for the current year, especially with the COVID-19 pandemic, which has created a new norm of remote work for the majority of the workforce. Organizational compute, storage and network needs are transitioning from on-premises to cloud.
CISOs and cybersecurity leaders have an important role to play in advising business leaders and CIOs on the selection of an appropriate cloud provider and in ensuring that the provider meets the cybersecurity needs of the organization. Cloud provider business agreements are time consuming to finalize, carry multi-year obligations and hence require appropriate due diligence.
In this webinar, Rajiv will discuss the following aspects of auditing a cloud provider:
• Preparation for a cloud provider audit
• Organizational readiness for transition
• Framework and key artifacts for auditing
• What happens after the audit?
David Soubly, Principal, IT Security and Risk, ICEX (Intellectual Capital Exchange)
Year at a Glance
Charlie Murray, Vice President
Nominations & Awards
Keith Cheresko, Chairperson
Webinar Topic and Speaker
Simplifying Policy: Information Security on One Page
David Soubly, Principal, IT Security and Risk, ICEX (Intellectual Capital Exchange)
Why is information security policy so complex? What can we do about it? How many of you struggle to understand your company’s information security policy? How many are concerned that a policy manual meant to be read and understood by everyone is just too much to handle? How can we work to simplify information security policy, when the security industry itself introduces layers of complexity?
We will explore these issues, discussing the journey toward simplicity and how challenging it is to be “just simple enough.” We will learn about the various forms of “debt” that can create drag in an organization. We will uncover the foundations of data, information, and knowledge, and what they have to do with understanding information security.
All of this will lead to a one-page information security policy, part of an ongoing quest to represent all of information security on one page, so that everyone gets it. You may not agree with the result, but the journey itself will be compelling.
Dr. Joe Adams joins us to address an important topic on hiring practices in light of the cybersecurity workforce gap. As the founder of the Michigan Cyber Range, Dr. Adams has significant experience in workforce development and training.
The webinar discusses the huge gap between the supply and demand of qualified talent in the cyber security industry. This gap is estimated to be almost 3 million unfilled jobs around the world, with almost half a million of these in the US alone. The gap’s impact is most apparent as organizations struggle to keep up with increasing government regulations, system complexity, and expanding attack surface. Dr. Joe Adams will look at some of the causes of the gap and how companies can change their recruiting and retention policies to fill positions with the right people.
This webinar is designed not only for the CAEs but all members of the Board of Directors for both private and public companies.
Cloud misconfigurations are a leading cause of data breaches and security risks within AWS. With an ever-expanding number of new services, the complexity of securing and configuring your AWS environment is always increasing. Security practices are often ignored or overlooked. In this session we will look at common configuration mistakes, the risks that they pose and ways to identify and mitigate these risks.
This session will look at the operational responsibility for services such as EC2, EKS, S3 and Lambda, and at how a Cloud Security Posture Management (CSPM) system can be used to monitor and automate security around these services. It will also cover deploying in line with the AWS Well-Architected Framework and compliance with governance frameworks such as CIS, HIPAA, NIST, PCI, and GDPR.
Tim Sackett, SHRM-SCP, SPHR, President of HRU Technical Resources
A month ago, we were all begging for talent. We were ready to talk to any warm body that could come close to doing the job. Now, a few weeks later, the entire industry might have been flipped upside down. The reality is, for Internal Auditors, the demographics are still not on our side! We will still need a robust recruiting and talent attraction strategy to fill the jobs and skill shortages we have currently, and which are increasing as more and more talent retires.
Tim Sackett is an expert in talent acquisition technology and recruiting execution, and author of the best-selling book The Talent Fix. In this session he will show us what world-class organizations are doing to attract talent to the hardest-to-fill jobs across the world, and how some simple changes in how we communicate with potential talent can have a huge impact on getting them to want to come to work for you.
Right now is when we prepare for hiring what’s next. Great organizations increase their talent during difficult times, so that they can take advantage of the upswing like no one else. Having the right tech stack and strategy in place will make all the difference.
As a continuation to last month’s webinar where Jeff Sisolak discussed how to leverage the National Institute of Standards and Technology (NIST) library to assist in planning and development of audit strategy, this month’s topic will cover select NIST publications which provide details on how to assess cyber security controls.
Whether you are an IT Auditor, Audit department leader, business manager or just personally interested in understanding IT and Security best practices, this webinar will touch on specific actions to help assess related policies, practices and procedures. Armed with this information, risk and control assessments can be developed or enhanced to help organizations align with regulatory, professional and/or industry expectations for proper and secure information technology controls.
The National Institute of Standards and Technology (NIST) has issued a comprehensive library of special publications related to cyber security, risk, and its own risk management framework. The framework is compulsory for Federal systems but is also gaining popularity in commercial enterprises because the publications are free, ubiquitous, and often necessary for doing business with government entities anyway. However, the sheer volume of this body of work can be daunting. While thoroughness and precision can be an asset, they can also make it difficult to see the forest for the trees.
This presentation will define the foundational elements of any meaningful cyber security risk management program using the NIST Special Publications (SP) as a guide, with an emphasis on what it means for the internal auditor. It will cover the more common documents such as 800-37, and 800-53. It will cover more obscure documents such as SP 800-18, SP 800-60 vol. I & II, and other related documents not published by NIST. It will conclude with tips and techniques for any cyber security risk management audit program, regardless of the actual framework in use.
Erik Wille, Director, Information Security – Penske Automotive Group
Join Erik in talking about building a thriving vulnerability management program that focuses on reducing business risk by refocusing efforts on the vulnerabilities that matter most.
Vulnerability Management is one of the most important, but least sexy, components of an Information Security program, coming in at number 3 on the CIS Top 20. Despite its criticality, many organizations fail to get a program off the ground, leaving low-hanging fruit for attackers. Overwhelming volumes of vulnerabilities, lack of asset visibility and missing foundational components to support a vulnerability program are just a few of the reasons programs fail.
Erik will take this time to offer ideas on how to build a sound foundation for and stand up a program, along with where to focus your time to avoid boiling the ocean.
Every day we are faced with ethical dilemmas. They are not all big, earth-shattering decisions between right and wrong… but every ethical decision we face carries a consequence. From behavioral ethics to technical ethics to codes of professional conduct, this session will explore ethical behavior in the workforce, and the critical role that accountability professionals play in upholding the public trust.
There are several ways to get the risk assessment wrong. If the risk is considered a “thing”, and not a “quantity”, we probably got it wrong. Werner Enterprises adopted the FAIR (Factor Analysis of Information Risk) framework to perform quantitative risk assessment of information security and operational risk.
Dave will walk the audience through their process of adopting FAIR, what worked, what didn’t and the lessons learned as they go through their risk management journey.
With the widespread adoption of social media sites and phone-based apps, users are leaving data trails everywhere. Often the companies behind these tools do not charge fees to the end users to use their software. Instead the payment method is the collection and reuse of the end user data gathered by the software applications. This data is in turn sold to data aggregators or directly to other companies that sell other products and services. As the data migrates further away from the end user, it is more widely available and less likely to remain in the ownership and control of the originator of the data. More and more often an investigation starts with internet-based searches to identify and analyze this data. The trend will continue to move in this direction.
Internal Auditors can benefit greatly from understanding how to best integrate this new wealth of information in their audits and investigations. The future of both audits and investigations will need to rely more on technology but cannot neglect the impact and role of the “human element”. Points of particular interest include:
• Personal assistants (Siri, Google Home, Alexa),
• Analytics applied to social media sites,
• Check-in features showing real-time locations,
• The trend towards this data going directly to the public cloud, and
• Data enablement on more everyday devices.
Digital Transformation is a mandate and companies are adopting methodologies like Agile, XP, and Lean to push the envelope on faster delivery and at the same time continuously improve the product capabilities. This rapid uptrend has given rise to Business and IT embracing DevOps practices such as Continuous Integration, Continuous Delivery, and Site Reliability Engineering. Let's explore the challenges Internal Audit is facing and ways to enable the organization to achieve its objectives.
STEPHEN HEAD - Experis Finance: Director of IT Risk Advisory Services
Managing cyber risk in today’s digital environment is extremely challenging, whether your organization is public, private or governmental. In response to the growing frequency and severity of cyber-attacks, many organizations have decided it’s time to focus more of their efforts on cyber risk, starting with a cyber risk assessment. This approach to proactively dealing with the risk of cyber-attacks increases the organization’s awareness of the potential impacts and costs, and enables them to take actions that reduce the overall risk to the organization, minimize the impact of cyber-attacks, and more predictably ensure the continuity of essential services.
This webinar will provide participants with a high-level overview of assessing cyber risk and explore the following:
• Threats and root causes of breaches
• The changing regulatory landscape
• Security frameworks and tools
• Practical ways to assess your risk and organizational exposure
• Key elements of a successful cyber risk management program
Technology is omnipresent. Technology is helping businesses work faster, smarter and become more innovative. But the same technology is introducing more security risks. Organizations are deploying security technologies to mitigate the security risks and implement continuous monitoring of these risks. Audit departments within organizations are planning to conduct more technology audits than ever before. They are looking to automate their audits. They are looking for newer, smarter audit tools. But before we go any further to identify any new tools, let’s look at the same continuous monitoring tools already deployed within the organizations, which could help the auditors as well.
The session will discuss the following areas:
• Security Information and Event Management
• Identity and Access Management
• Mobile Device Management
The Foreign Corrupt Practices Act (FCPA) was enacted in 1977, making it illegal to make payments to foreign government officials for the purpose of obtaining or keeping business. The anti-bribery provisions of the FCPA require maintenance of accurate books and records as well as an adequate system of internal controls. Please join this webinar to gain an overview of the FCPA, discuss enforcement trends throughout the years, and understand how the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) consider a company’s existing compliance program when assessing penalties. The webinar will cover common methodologies and frameworks for identifying possible gaps in existing compliance programs, common pitfalls and considerations when assessing and remediating anti-bribery and anti-corruption compliance gaps, and will highlight areas where internal audit practitioners can contribute to a company's anti-corruption monitoring efforts.
Business transformation in the 21st century has organizations extending their value chain into customer decision making, as they design and deliver “digital services” using advanced information technology. Such transformations need organizations to run at a faster speed to explore new value-creating opportunities and still keep running their daily operations at regular speed. So, organizations may need two different organizational structures and governance models to manage both faster and regular speeds to isolate risks, including strategic (e.g. brand reputation), compliance (e.g. data security and integrity), operational and technical risks that surface when working with many unproven technologies, external partners, and evolving customer expectations. This presentation will look at strategies to address these risks.
Dr. Raj Aggarwal is back to address an important topic on the alignment of internal audit and the board. As a board member, Dr. Aggarwal gets to see both sides, internal audit interaction with the board, and the board expectations of the internal audit function.
Dr. Aggarwal will expand on the recent Board Matters article in IIA’s Internal Auditor magazine and share his experiences related to the exchanges between the board and internal audit.
This webinar is designed not only for the CAEs but all members of the internal audit function and the Board of Directors for both private and public companies.
12:00 Noon (Eastern) to 1:00 pm (Eastern)
One CPE Credit
Presenter: Taras Shalay
In this webinar, Taras will introduce the different coverages available under cyber insurance and de-mystify the various coverages and terms. In addition, Taras will discuss how cyber insurance can play a key role in managing the overall cyber risk within an organization.
By the end of this webinar, participants should be able to:
• Explain the various terms associated with cyber insurance
• Understand whether a given policy addresses their cyber risks
• Examine their own cyber risk policy
Bio: Taras Shalay
With 10 years of underwriting and brokerage experience in Professional Liability, Executive Lines and Cyber Liability, Taras has a unique specialization in the insurance industry.
Taras’ extensive Cyber Liability experience allows him to easily explain the complexities of a Cyber Liability policy, as well as the various coverages available to his clients that may or may not fit their insurance needs. Taras’ main focus is to identify the key exposures for his clients and provide the best available solutions in this quickly changing market environment.
Taras also has a decade of experience with Directors’ & Officers’ Liability, Employment Practices Liability, Fiduciary Liability, Crime, and Errors and Omissions.
Taras Shalay is a 2006 graduate of Western Michigan University with a Master’s degree in Economics, where he was also awarded graduate student of the year in his department.