Secure Connections
Issue 1 - Volume 2 - Q1 2012
ISACA - Philadelphia

CONTENTS
Message from the President (Alan Sheppard) ... 1
Spring 2011 Scholarship Winners ... 1
The Challenge of Safe Smartphone Use (Kelley Jefferson, Villanova University) ... 2
Mobile Forensics (Richard Castro) ... 4
Data Loss Prevention Perspective (Michele L. Dickinson) ... 5
Certification Exam Passers ... 5
Basic Internal Controls to Look for in SAP (James Yen) ... 6
Upcoming Events ... 8
COBIT 5 News ... 8
MESSAGE FROM THE PRESIDENT
BY: ALAN SHEPPARD, CISA, CRISC, CIA, CFSA, CRP

We began the new calendar year with a milder winter, and a focus on chapter activities for the next few months.

We wrapped up 2011 with a December Holiday Social event held at the Plough and Stars in Philadelphia. We had a good turnout of approximately 50 attendees, a few of whom had never before attended one of our chapter events. The Philadelphia chapter also made a $1,000 donation to the South Jersey food bank. This represented attendee registration fees from the event. Thank you to Kevin O’Sullivan, the program chair, for organizing this event and for arranging the donation to the food bank.

We are making great progress in organizing our upcoming events. This includes two of our remaining key events for our chapter year, the Spring Conference to be held at the Golden Nugget in Atlantic City during the week of April 16th and our annual dinner meeting and networking event to be held at the Simeone Museum in Philadelphia on June 14th.

The Spring event will be co-hosted with the New Jersey ISACA chapter. Our board is excited by the opportunity to co-host this event with the New Jersey chapter, as it brings two of ISACA’s larger chapters together to host this event. We will be offering two conference tracks and additional networking opportunities.

We have moved the timing and the venue for our annual dinner meeting and networking event so that it can be closer to the end of the chapter year and will provide a unique atmosphere for our meeting.

We also have monthly events scheduled at the end of this month and in March.

Each of these events represents some changes that were made to further enhance the training and networking opportunities of our members. We look forward to seeing you at an upcoming event.

Lastly, this edition of our newsletter covers several topics including Privacy Day, Mobile Forensics, Data Loss Prevention, and Basic Internal Controls for SAP System.

Please check our website for more details on upcoming events.

Warm Regards,
Alan
Alan Sheppard
President, Philadelphia ISACA Chapter
SPRING 2011 SCHOLARSHIP WINNERS
Student's Name        School                    Ranking
Kelley Jefferson      Villanova University      1st Place Winner ($2,500)
Daniel Marone         Pierce College            2nd Place Winner ($1,500)
Kimberly Halamicek    University of Delaware    3rd Place Winner ($1,000)
Newsletter Chairperson
Linda M Fonner, CIA, CISA
Senior Director, Internal Audit
West Pharmaceutical Services

Newsletter Committee
Editor: Richard Castro, CISA, CRISC; Manager, IT Risk; ING Direct
Michele Dickinson, CISA; Information Security Officer; Widener University

Newsletter Contributors
Richard Castro, CISA, CRISC; Manager, IT Risk; ING Direct
Michele Dickinson, CISA; Information Security Officer; Widener University
Kelley Jefferson; Student, Villanova University
Alan Sheppard, CISA, CRISC, CIA, CFSA, CRP; Vice President & Senior Manager, TD Bank
James Yen; Manager, SAP Basis and Database; West Pharmaceutical Services

To volunteer, please email [email protected]

SPRING 2011 SCHOLARSHIP WINNER! (photo)

THE CHALLENGE OF SAFE SMARTPHONE USE
BY: KELLEY JEFFERSON, STUDENT, VILLANOVA UNIVERSITY

Smartphones have become indispensable staples in today’s business world. Users love the ability to quickly check email, read online news content, and complete transactions with the tap of a finger. However, with the conveniences of smartphones comes the risk of security breaches on the Wi-Fi networks they use, as well as operating system risks such as malware.

Using unsecured wireless networks to access sensitive information is a commonplace practice. According to research by ProtectMyID, Experian’s identity protection service, 29% of smartphone users take advantage of unsecured Wi-Fi hotspots, and 19% access mobile banking while using unsecured Wi-Fi. Additionally, 65% of smartphone users send and store e-mails on their phones, including emails containing credit card information and receipts from online shopping.

With all of this transmitting of highly personal information via smartphones, oftentimes over unsecured wireless networks, it’s no surprise that smartphone security is a point of concern for many companies. According to a survey conducted by AT&T in June 2010, three out of four executives are concerned about how the use of mobile networks and devices could potentially impact security.

Unfortunately, these concerns are valid. While spying on internet users used to be a feat that only highly skilled hackers were capable of, new software and technologies make it easy for virtually anyone to access information about other users of an unsecured wireless network.

One of these programs is Firesheep, which was launched in October 2010. Firesheep works by capturing the cookie that identifies a person to a website once they have logged into their account. Once Firesheep has that cookie, Firesheep users are able to gain full access to that person’s account on the website, essentially acting as that person. The threat from Firesheep is significant, as it had over one million downloads in the first three months following its release.

While the security risks associated with unsecured wireless networks are numerous, there are many ways smartphone users can protect themselves. The easiest way to minimize Wi-Fi security risk is to avoid unsecured Wi-Fi networks altogether and use only the wireless provider’s network. If it is necessary to use an unsecured wireless network, users should exercise basic common sense. Using a smartphone on an unsecured wireless network should be treated the same as using a laptop on one: users should not enter passwords or access personal and sensitive information, such as banking information.

Another new threat for smartphone users is malware. According to McAfee’s “Threats Report: Fourth Quarter 2010,” the amount of new smartphone malware rose 46% from 2009 to 2010. While hackers have targeted computers for years, as smartphone usage increases, smartphones are quickly becoming a prime target for spyware and malware. There are currently relatively few smartphone security risks, but experts believe new smartphone threats will become widespread, similar to the threats faced by laptops and other computers. Paul Lepkowski, the enterprise information security lead engineer at Rochester Institute of Technology’s Information Security office, believes that the malware-infected apps of the future could operate in a variety of ways, potentially allowing cybercriminals to eavesdrop on cell conversations or use smartphone cameras as spying devices. Malware attached to games and wallpaper applications has been discovered on Google’s Android app store, and Apple products will most likely soon be targeted as well.

As smartphone security threats increase, the creators of the three major operating systems, Google, Apple and Research in Motion (BlackBerry), are finding ways to increase the security of the operating systems themselves. Both Apple’s iOS and Google’s Android use a technique called “sandboxing”. Sandboxing works by isolating each application on the smartphone so that it runs in its own virtual machine, separate from other apps. Through the use of sandboxing, no application can perform operations that would adversely affect any other application.

Like Apple and Google, BlackBerry is also focusing on operating system security. BlackBerry is currently in the process of transitioning away from its BlackBerry OS/BlackBerry Enterprise Server, which gives administrators the ability to define hundreds of configuration settings and has detailed security layers, in favor of an operating system more similar to Android or the iPhone’s.

(Continued on page 3)
2
ISACA - Philadelphia
THE CHALLENGE OF SAFE SMARTPHONE USE (Continued from page 2)

Not only are operating system creators focusing on smartphone security, but major wireless providers Verizon and AT&T are also taking steps to increase smartphone security. Verizon has teamed up with the nonprofit organization StopBadware to help protect users from security threats such as malware, spyware, and viruses on both traditional computers and mobile networks. AT&T has begun to offer McAfee Enterprise Mobility Management software, which allows companies to offer employees the option of several different types of smartphones and smartphone operating systems while also delivering highly secure access to corporate applications.

While smartphone security threats are only expected to increase in number, there are several steps companies can take to minimize the risk of smartphone security breaches. IT professionals can provide smartphone access to work email through an external email server, avoiding the internal network altogether. Additionally, companies should perform risk assessments to determine their need for smartphone security solutions. Several companies now offer malware, antivirus, and security solutions for smartphones.

However, even with advancing technology in smartphone security, ultimate security can never be guaranteed. As Marjorie Hutchings, Vice President of Internet Services for Esurance Insurance Services, Inc., states, there will always be an inherent trade-off between security and convenience. One of the best ways for companies to strengthen their security with regard to mobile devices is to educate their employees and to create policies outlining and restricting the use of these devices. While basic security measures such as requiring a complex password to access work email or setting automatic locks on smartphones are inconvenient, they are important to the overall security and good of the company.

While the smartphone is a great tool which enables users to access information more easily and conveniently than ever before, it does not come without its risks. Although there will always be a trade-off between security and convenience, by utilizing security technology and using common sense, businesses and individuals can feel more comfortable about their smartphone use.
Works Cited
AT&T Inc.: AT&T Extends Smartphone Management Capabilities With Mobile Security Enhancing Platform From McAfee. (2011, February). Technology & Business Journal, 216. Retrieved April 13, 2011, from Career and Technical Education. (Document ID: 2249846941).
Experian Says Smartphone User Security at Risk. (2011, January). Manufacturing Close-Up. Retrieved April 13, 2011, from ABI/INFORM Trade & Industry. (Document ID: 2249356711).
Bill Kenealy. (2011, April). A False Air of Security: As insurers make greater use of mobile computing, they must prepare countermeasures for the constantly evolving tactics of malware creators. Insurance Networking, 14(4), 14. Retrieved April 13, 2011, from ABI/INFORM Trade & Industry. (Document ID: 2308430941).
Sheila Livadas. (2011, March). Mobile security policies gain traction as devices do more. Rochester Business Journal, 26(50), 35. Retrieved April 13, 2011, from ABI/INFORM Dateline. (Document ID: 2298583031).
Kate Murphy. (2011, February 17). New Hacking Tools Pose Bigger Threats to Wi-Fi Users [Business/Personal Tech]. New York Times (Late Edition (East Coast)), p. B8. Retrieved April 13, 2011, from Banking Information Source. (Document ID: 2268416461).
Verizon Teams Up With Nonprofit Organization StopBadware to Strengthen Protection for Internet Users: Three-Year Agreement to Help Small Businesses, Smartphone Users and Others in Internet Ecosystem Defend Against Online Security Threats. (March 4). PR Newswire. Retrieved April 13, 2011, from ProQuest Newsstand. (Document ID: 2282763901).
Philadelphia ISACA FAQs (as of February 24, 2012):
18th Largest ISACA Chapter Worldwide
Total Membership: 1,282
CISA: 749
CISM: 147
CGEIT: 48
CRISC: 219

PRIVACY DAY 2012
BY: MICHELE L. DICKINSON, CISA

January 28, 2012 is a day of awareness and education dedicated to the growing need for privacy. Known as Privacy Day, this annual international event was created to raise awareness and provide education about the need for privacy in a digital world. Privacy Day was recognized by the United States Congress in both 2010 and 2011. The event has recently been spearheaded by the National Cyber Security Alliance (NCSA), www.staysafeonline.org, which is also responsible for October’s Cyber Security Awareness Month, referenced in the October edition of the Secure Connections Newsletter. The NCSA website provides a historical look at Privacy Day, citing the first legally binding international treaty related to the protection of personal information as a right of the individual.

Please check out the website www.staysafeonline.org/dpd for additional information, events and webinars regarding identity protection and privacy. Resources are available for people young and old, from schools to businesses. You can use this website as a central source for resources from Federal, State and International governments as well as resources for consumers and businesses.

The Philadelphia ISACA Chapter would like to introduce you to these resources to encourage your focus and involvement in increasing awareness of Privacy Day in 2012 and in years to come.
MOBILE FORENSICS
BY: RICHARD CASTRO, CISA, CRISC

Mobile devices have been on the market for decades, as has computer forensics; mobile forensics, however, is a relatively new field. It has been around since the late 1990s or early 2000s, and has made significant progress. Mobile forensics exists now out of necessity. There are hundreds of millions of mobile devices in the United States, with ever-expanding device functionality and capabilities. This has resulted in exposure for both people and organizations.

Typical employers looking for skilled mobile forensic examiners include law enforcement, the military, and private industry. Law enforcement and the military are usually in search of data stored on mobile devices such as contacts, schedules, pictures, and voice. Private companies that have a mobile application or a mobile presence are in search of artifacts such as passwords, credit cards, removable storage, litigation support, fake applications, or devices loaded with SMS intercept, spouseware, FlexiSPY, Zitmo, or other malware/spyware.

No matter what industry or type of employer, there are five (5) basic objectives of mobile forensics:
1. Identify the Device;
2. Evaluate File and System Artifacts;
3. Reconstruct Activities;
4. Create Timelines; and
5. Develop Relational Diagrams.

Prior to any evaluation, it is essential to isolate the device and establish legal authority to conduct the examination. Isolating the device will help limit contamination, and legal authority will help in reducing unnecessary privacy challenges. Once authoritative approval is finalized, following a chain of evidence process will aid in completeness and support the validity of the collected information. A basic chain of evidence process includes, but is not limited to, Continuity of Possession and Proof of Integrity. An example of a chain of evidence form may be seen in Appendix A, pg 10.

So the device is isolated, you are granted the legal authority to conduct the examination, and you have established a chain of evidence process. What is next? Identify the type of device. There are hundreds, if not thousands, of different phones. They have different operating systems, capabilities, and various device data exchange interfaces. The first way to identify the device is through the IMEI and Model/Make, usually located by the battery (see right).

Details on a device can be found by using the IMEI number along with websites such as www.phonescoop.com and fcc.gov/oet/ea/fccid. If the label is scratched off, some devices will respond with the IMEI when *#06# is dialed. Once the device is identified, traditional techniques should still be used. A manual review should be considered when the mobile evaluation is time sensitive, the device is not supported by commercial tools, there is volatile data, the work environment is bad (i.e. raining), or the device is damaged. Some basic information to look for (Windows Mobile) when doing a scroll evaluation may include the following:

If time is on your side, and the device is supported, a more detailed and thorough mobile forensics analysis should be incorporated, including a component and functionality evaluation (see below).

In a basic mobile forensic review you would cover:
- The evaluation of both Physical and Logical device storage;
- A search for new installations, deleted text, photos, SSN, PIN, or sensitive company data; and
- Complete keyword and format searches (parse data and interpret): Nibble Reverse, 7-Bit Encoded SMS, Hexadecimal, ASCII, Unicode, etc.

Some good commercial products exist to help in the investigation. Choosing tools may be difficult, as each has strengths and weaknesses. For example, some tools support CDMA, GSM, and SIM, while others do not. Furthermore, some tools support certain devices, while others do not. A variety of tools would aid in ensuring completeness of coverage; however, budgetary constraints are usually another challenge. A sample of mobile forensics tools may be found in the table below, in no particular order:
Cellebrite, iXAM, Wolf, .XRY, ForensicMobile, EnCase Neutrino, BitPim, Oxygen, Secure View, Device Seizure, CellDek, FTK

(Continued on page 5)
Publication Objectives
The objective of this publication is to provide our chapter members with important ISACA International and chapter-related announcements and events, as well as current audit, IT risk, and IT security topics.
Next Publication: Q2 2012

CONGRATULATIONS
2011 Certification Exam Passers
CGEIT: 4 members
CISA: 18 members
CISM: 9 members

DATA LOSS PREVENTION PERSPECTIVE
BY: MICHELE L. DICKINSON, CISA

Data Loss Prevention (DLP) is a topic that is included in security management practices and discussed as a concern in today’s mobile environment. The critical aspect of data loss prevention is identifying what data, if it were compromised by being lost or stolen, would have a large impact on the business. With the pending threat of identity theft, and the regulatory requirements of Red Flags, Identity Theft, Gramm-Leach-Bliley and Payment Card Industry compliance as well as state laws, the need to protect private information has now become a compliance requirement as well as a continued responsibility. The topic of DLP is greater than just data in electronic form, as information is lost through social engineering, shoulder surfing, printed paper, improper trash disposal, and theft. The methods to counter the threat of data loss cover governance, educational awareness, and technical, administrative and procedural safeguards. Visibility by security and audit professionals into the vulnerabilities which exist in their organization’s business is a critical method to mitigate the risk of data loss.

Visibility into the risks of data loss begins with the categorization of data. External compliance requirements require the protection of personally identifiable information (PII), which includes specific data elements as well as combinations of data elements. DLP should also focus on protecting the data critical to the business, trade secrets for example, to ensure that this information is also categorized as confidential. Strong security management practices must be in place for account creation, access rights, database controls, server security, vendor access, data exchange and network security to ensure that the data defined as confidential to the business is properly protected. The categorization of information is a critical first step in all DLP efforts; however, a detailed understanding of the information and the manner in which it must be protected is crucial. The NIST risk management guidance (SP 800-39) describes the process of risk management, threat identification, and mitigation of risks, and can be useful for security professionals who have never had to perform a large-scale analysis of risk within an organization.

(Continued on page 7)
MOBILE FORENSICS (continued from page 4)

If the mobile device has a SIM, use a data extractor. Examples of SIM data extractors may include TULP2G, SIMCon, and Device Seizure. The SIM hierarchical storage structure is set up in this manner:
- Master File (root)
  - Dedicated File (directory)
    - Elementary Files (data)

Don’t forget to review/recover deleted SMS.

Tools will help you cover a lot of ground during the examination, and rapidly. But do not rely solely on tools, as they too have limitations. As evidenced by Trevor Eckhart, manual investigations can result in the identification of platform exposure (in this case Android and Carrier IQ):
http://www.youtube.com/watch?v=T17XQI_AYNo&feature=share
A countermeasure can be found here:
https://market.android.com/details?id=com.lookout.carrieriqdetector

Mobile Forensics: Things to Remember
Isolate the Device; Legal Authority; Continuity of Possession/Chain of Evidence; Integrity of Data; Documentation of Actions Taken; Device Acquisition; Data Acquisition; Identify/Analyze File and System Artifacts; Interpret; Reconstruct; Create Timelines; Develop Relational Diagrams; and Report.
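As an added example (not code from the original article or from any of the tools it names), two of the manual interpretation steps above in Python: checking an IMEI's check digit before looking it up, and decoding a constructed SMS-DELIVER PDU of the kind stored on a SIM or in handset memory, which exercises the nibble-reversed (semi-octet) numbers and timestamp and the 7-bit encoded user data listed under keyword and format searches. The IMEI, phone numbers, timestamp and PDU are constructed sample values, and the parser assumes a message without a user-data header.

```python
"""Decode handset artifacts by hand: IMEI check digit and a GSM SMS-DELIVER PDU."""

# GSM 03.38 default 7-bit alphabet, indexed by septet value 0x00..0x7F.
GSM7_BASIC = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
              "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")

# Constructed sample values (hypothetical device and subscribers, not real data).
SAMPLE_IMEI = "490154203237518"
SAMPLE_PDU = ("07915155896745F3"     # SMSC header: 7 octets, international, +15559876543
              "04"                   # first octet: SMS-DELIVER, no user-data header
              "0B915155214365F7"     # sender: 11 digits, international, +15551234567
              "0000"                 # TP-PID, TP-DCS (default 7-bit alphabet)
              "2120429003000A"       # TP-SCTS: 2012-02-24 09:30:00, UTC-05:00
              "0A"                   # TP-UDL: 10 septets
              "E8329BFD4697D9EC37")  # TP-UD: 7-bit packed text


def imei_check_digit_ok(imei: str) -> bool:
    """Luhn check over all 15 IMEI digits; a transcription error fails here before any lookup."""
    digits = [int(c) for c in imei if c.isdigit()]
    if len(digits) != 15:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):   # every second digit from the right is doubled
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def decode_semi_octets(octets: bytes) -> str:
    """'Nibble reverse': each octet holds two BCD digits, low nibble first; F pads odd lengths."""
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets)
    return digits.rstrip("F")


def format_address(type_of_address: int, octets: bytes) -> str:
    """Prefix '+' when the type-of-number bits (6-4) say 'international'."""
    number = decode_semi_octets(octets)
    return "+" + number if (type_of_address >> 4) & 0x07 == 1 else number


def decode_timestamp(octets: bytes) -> str:
    """TP-SCTS: six semi-octet pairs (YY MM DD hh mm ss) plus a quarter-hour time zone."""
    yy, mo, dd, hh, mi, ss = (decode_semi_octets(octets[i:i + 1]) for i in range(6))
    tz = octets[6]
    sign = "-" if tz & 0x08 else "+"           # bit 3 of the first semi-octet is the sign
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    # Assumes a 20xx year, which is all a two-digit GSM timestamp can tell us.
    return f"20{yy}-{mo}-{dd} {hh}:{mi}:{ss} {sign}{quarters // 4:02d}:{quarters % 4 * 15:02d}"


def unpack_gsm7(data: bytes, septet_count: int) -> str:
    """Unpack 7-bit septets stored LSB-first across octets (TS 23.038 packing)."""
    bits, nbits, septets = 0, 0, []
    for byte in data:
        bits |= byte << nbits
        nbits += 8
        while nbits >= 7 and len(septets) < septet_count:
            septets.append(bits & 0x7F)
            bits >>= 7
            nbits -= 7
    return "".join(GSM7_BASIC[s] for s in septets)


def decode_sms_deliver(pdu_hex: str) -> dict:
    """Walk an SMS-DELIVER PDU (SMSC header + TPDU) and return its fields."""
    data = bytes.fromhex(pdu_hex)
    smsc_len = data[0]                         # octets of SMSC info that follow
    smsc = format_address(data[1], data[2:1 + smsc_len])
    pos = 1 + smsc_len                         # start of the TPDU
    first = data[pos]
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU (message type indicator != 0)")
    if first & 0x40:
        raise ValueError("user-data header present; not handled in this example")
    oa_octets = (data[pos + 1] + 1) // 2      # sender length is given in digits
    sender = format_address(data[pos + 2], data[pos + 3:pos + 3 + oa_octets])
    pos += 3 + oa_octets                       # now at TP-PID
    pid, dcs = data[pos], data[pos + 1]
    timestamp = decode_timestamp(data[pos + 2:pos + 9])
    udl = data[pos + 9]
    user_data = data[pos + 10:]
    # DCS handling below assumes the general coding group (bits 7-6 == 00).
    if dcs & 0x0C == 0x00:                     # default alphabet: UDL counts septets
        text = unpack_gsm7(user_data, udl)
    elif dcs & 0x0C == 0x08:                   # UCS-2: UDL counts octets
        text = user_data[:udl].decode("utf-16-be")
    else:                                      # 8-bit data: leave it as hex
        text = user_data[:udl].hex()
    return {"smsc": smsc, "sender": sender, "pid": pid, "dcs": dcs,
            "timestamp": timestamp, "text": text}


if __name__ == "__main__":
    print("IMEI check digit ok:", imei_check_digit_ok(SAMPLE_IMEI))
    for field, value in decode_sms_deliver(SAMPLE_PDU).items():
        print(f"{field}: {value}")
```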
CHAPTER LEADERS
Alan C. Sheppard, President
Dan W. Hill, 1st VP
Kevin P. O’Sullivan, 2nd VP/Sect’y
Torpey J. White, Treasurer
Atul Malhotra, Continuing Education
Zachary Bolc Leahan, Webmaster & Academic Relations
Paula D’Orazio, Communications
Atul Malhotra, Certification Director
Girard T. Smith, Immediate Past President
Clarence (Chip) J. Rindgen, Membership
Anthony Hernandez, Sponsorship
Linda M. Fonner, Newsletter
Agnes Peraino, Scholarship
Cheryl R. Morris, Certification
Christopher Savino, Website Content Author
Craig Morea, Collegiate Advisor
Donovan George Hawse, Collegiate Advisor

Employment Connections
Search jobs online by geography, certification, experience level and other factors. Members can also post resumes/CVs and receive emails when new jobs are posted. A new career advice section is also available.

BASIC INTERNAL CONTROLS FOR SAP SYSTEM
BY: JAMES YEN, MANAGER OF BASIS AND DATABASE, WEST PHARMACEUTICAL SERVICES

In my 17 years of managing SAP systems, I have found that auditors are not as comfortable with SAP auditing as they are with other, traditional finance systems. They believe that auditing SAP systems requires a certain level of SAP technical knowledge. In fact, SAP internal controls only require some understanding of the controls over System, Access and Process inside SAP. With an overview of the System Environment, People Access and Business Process Controls, auditors should be able to perform their job the same way they deal with traditional accounting auditing: “Trust but Verify”.

There are two major guidelines that an IT auditor needs to focus on in order to obtain a correct evaluation of a complete SAP system:
1. Make sure all procedures are in place and followed.
2. Segregation of duties is not circumvented.

Section 404 of Sarbanes-Oxley requires public companies to adopt and maintain internal controls over financial reporting. Internal controls are the practices and transactions that protect a company’s property and assets. This includes controls that verify that the financial reporting systems have the proper controls, such as ensuring that revenue is recognized correctly. According to this guideline, there are several good reasons for auditors to deal intensively with SAP processing and the data saved in the system.

Based on SAP Best Practice, the following are the top priorities that an auditor should focus on during SAP system auditing:
1. Systems Build Baseline (Installed, Copied and Migrated) in a SAP Environment.
2. Customizing and Table Change Management.
3. In-house Developments - SAP standard versus modification of source code.
4. SAP system setting and security to protect from unauthorized access.
5. Data flow and reconciliation procedure in the SAP FI Accounting Components.
6. Tracking critical master record changes.
7. Verified Process Automation and Systems integration Procedures.

How do you start auditing an SAP system? Like all other IT auditing, it starts with planning. A control document will help you walk through the SAP environment and business process and execute the test cases. Here is one example for auditing the SAP Basis/System area:

Control Document
Key Control Area: IT Operation – SAP Basis System
Control Test Case ID: SAP Basis Test Case 1.1
Control Objective: All SAP production programs needed to process batch and on-line transactions and prepare related reports are executed timely and to normal completion.
Control Risk: Critical jobs that fail and are not followed up could present a risk of inaccurate data transferred from/to SAP.
Point(s) of Control: An overview of financially critical jobs scheduled in the SAP system is reviewed and approved regularly by the Basis Manager. Critical jobs are monitored by Basis teams on a daily basis, and job failures are logged and action items to remediate are taken as needed.
Preventive/Detective: Detective
Manual/Automated: Manual
Control-Frequency: Weekly
Control-Start Date: March, 2008
Application: SAP/FI
Description: This test case requires the SAP Basis team to keep all logs of batch job failures, short dumps and data update errors from the SAP systems weekly, then notify the responsible team to review the root cause and find the solution. All logs and actions need to be documented and reviewed by the management team.

(Continued on page 7)
DATA LOSS PREVENTION PERSPECTIVE (continued from page 5)

Business process analysis should be performed for departments with access to the confidential data as defined in the data classification. Process analysis is a critical step to understand how the data is used as part of the business process, thereby increasing the visibility of the security professional. A walkthrough of the process will highlight any business tasks which are not visible to the security and audit professionals through the access rights of the user. The process analysis will provide key information to ensure that controls can be established to protect the information from disclosure and that this protection aligns with the business use of the data. Proper business process analysis can also uncover potentially unknown or insecure means of handling information, like printing of information, local electronic storage, or improper disposal. Proper controls must also exist for confidential information which has been printed, copied, or stored outside of known areas. The thoroughness of this analysis will highlight potential weaknesses in the control over the confidential data, and enable proper controls to be established or alternate solutions to be developed. This analysis should uncover and document the ways in which data is used within the business, which can include data at rest, data in motion, and data in use. Data at rest refers to information in storage, data in motion refers to information in transit on the network, and data in use refers to the user interacting with the data from their computer. A risk assessment should be performed based on the information uncovered in the business process analysis to determine the threats and vulnerabilities associated with the current business process.

A technical analysis should also be performed to understand all of the technical risks of an organization. Mobility is a great concern to the organization and has been for some time. The aspects of mobility are changing. The initial mobility provided by floppy disks and hard drives has evolved into thumb drives, cloud based drop boxes and mobile phones. With each advent of new technology and its adoption within an enterprise, the risks specifically related to DLP should be evaluated. The existence of personal mobile assets within an enterprise could allow pictures of confidential data to be taken on mobile phones and emailed out of the organization through personal email accounts or posted to online drop boxes. Identifying access to thumb drives, Bluetooth connections, remote access points, third party websites and unauthorized wireless access points is essential to identify points where data could be lost or stolen. Control measures should be established based on your organization’s risk tolerance, vendor products should be analyzed, and all risks and protection measures should be documented.

One additional aspect of DLP is data stored at third party locations. Visibility into the security of the data is a risk when data is stored and processed at a vendor partner. Although an organization can contractually require a vendor or third party to protect data entrusted to its care, the organization retains responsibility for due care and legal liability if the information is lost or stolen. Aside from contractually requiring the vendor to provide protection, the organization should ensure that the vendor is able to maintain control over the data. One standard method to evaluate the control processes in place at a vendor is to review any third party assessments performed at the vendor’s locations. Although SAS 70 Type 2 is a standard upon which organizations rely for assessing the controls in an environment, the term “SAS 70 Type 2” is now used in marketing material and can be misleading to the organization. In today’s world of cloud based vendors, the SAS 70 often covers only the environmental and physical controls in the data center locations where the information is stored. If the vendor maintains control over the logical security controls, then the SAS 70 may not be sufficient. It is prudent to read the SAS 70 and have a discussion with the vendor to determine the scope of the assessment and evaluate whether the controls tested actually meet the organization’s information protection requirements.

Visibility into the risks associated with DLP in the organization allows the security professional to continuously monitor and enhance the control environment. This methodology aligns with the NIST Risk Management strategy (SP 800-53 Rev. 3) and business process innovation principles for the analysis of business process. Although DLP will continue to be a risk to each organization, a thorough understanding of the organization’s confidential data, how the confidential data is used in the business and with vendors, and the ability to maintain visibility will enable an organization to monitor the risks which impact the business and proactively address threats of the loss of confidential information.
BASIC INTERNAL CONTROLS FOR SAP SYSTEM (continued from page 6)

Another common issue in SAP system auditing is work performed without procedures or logs, and one person doing everything from SAP development, testing, approval, and implementation. Sarbanes-Oxley guidance issued by the government stresses the importance of Segregation of Duties: no one person should have control over all aspects of any financial transaction, including outsourced business. For the past 20 years, IT outsourcing has been very common, especially in the SAP Operation and Support area. Many people forget that Sarbanes-Oxley requires any full outsourcing service provider to maintain the same level of internal controls as the “parent” company. Au ditors should invest more time and pay attention in this area.
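As an added example (not from the article or from SAP), the following Python review applies the two guidelines above, procedures in place and segregation of duties not circumvented, to a constructed SAP transport log: each change should carry a logged develop, test, approve and import step, and no one person should hold conflicting duties on a change or accumulate them across changes. The conflict policy, the transport ids and the user names are assumptions made for illustration.

```python
"""Check an SAP transport log for unlogged steps and segregation-of-duties conflicts."""

# The four duties named in the article; every change should pass through each of them.
STEPS = ("develop", "test", "approve", "import")

# Assumed example policy (not from the article or an SAP standard): pairs of duties
# that must not be performed by the same person on the same change.
CONFLICTS = [
    ("develop", "approve"),
    ("develop", "import"),
    ("test", "approve"),
    ("approve", "import"),
]

# Constructed sample log: hypothetical transport ids and user names.
SAMPLE_TRANSPORTS = [
    {"id": "DEVK900101", "steps": {"develop": "alice", "test": "bob", "approve": "carol", "import": "dave"}},
    {"id": "DEVK900102", "steps": {"develop": "erin", "test": "erin", "approve": "erin", "import": "erin"}},
    {"id": "DEVK900103", "steps": {"develop": "alice", "test": "bob", "approve": None, "import": "alice"}},
]


def review_transport(record: dict) -> list:
    """Findings for one transport: steps with no log entry, then SoD conflicts on that change."""
    findings = []
    steps = record["steps"]
    for step in STEPS:
        if not steps.get(step):
            findings.append(f"{record['id']}: no {step} step logged")
    for a, b in CONFLICTS:
        if steps.get(a) and steps.get(a) == steps.get(b):
            findings.append(f"{record['id']}: {steps[a]} performed both {a} and {b}")
    return findings


def duty_concentration(records: list) -> dict:
    """People holding a conflicting pair of duties across all transports, even if never on one change."""
    held = {}
    for record in records:
        for step, person in record["steps"].items():
            if person:
                held.setdefault(person, set()).add(step)
    return {person: sorted(duties) for person, duties in held.items()
            if any(a in duties and b in duties for a, b in CONFLICTS)}


def audit(records: list) -> list:
    """Full report: per-transport findings followed by cross-transport duty concentration."""
    findings = []
    for record in records:
        findings.extend(review_transport(record))
    for person, duties in sorted(duty_concentration(records).items()):
        findings.append(f"{person} holds conflicting duties across transports: {', '.join(duties)}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_TRANSPORTS):
        print(line)
```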
References:
Dan Seider. (2005). Sarbanes-Oxley Information Technology Compliance Audit. SANS Institute.
Gwen Thomas. Sarbanes-Oxley and Mainframe Compliance: What Database Professionals Need to Know. Whitepaper, Data Governance, Inc.
Scholarship Purpose
The purpose of the Philadelphia ISACA Scholarship program is to raise awareness of ISACA and the value of ISACA student membership and to grow the profession by encouraging students to prepare themselves for a satisfying career in information systems assurance and control, risk, security, and/or governance of enterprise IT.
Scholarship Link: http://bit.ly/ISACAscholarship
Notification: 2/29/2012 Notification to Scholarship winners
Awards: March 2012 Awarding of Scholarships
Spring 2012 Scholarship
Submit Entry: April 2, 2012
Notify Winner: May 1, 2012

PHILADELPHIA ISACA CHAPTER—CALENDAR OF UPCOMING EVENTS

Thursday, March 01, 2012
Philadelphia ISACA and Delaware InfraGard Joint Breakfast Meeting
8am - 12pm

April 16 - 22, 2012
Joint Philadelphia ISACA and Central NJ Chapters Spring Training Conference
Location: Golden Nugget, Atlantic City, NJ
Cost is anticipated to be similar to 2011

Tuesday, May 15, 2012
Webinar: 2:00 - 3:00pm plus Q&A
Mobile Device Threats and Security Challenges
Lance Hawk, Air Products

Thursday, June 14, 2012
Annual Membership Dinner Meeting
Topic: TBD
Venue: Simeone Museum

December 2011 Social (photo): Alan Sheppard, Dan Getman and Kevin O’Sullivan. Philadelphia ISACA presented a check to the Food Bank.
CALL FOR VOLUNTEERS/SPEAKERS/SPONSORS
BY: PAULA D’ORAZIO, CISA, CGEIT, CFE

Volunteers: The success of our chapter is directly related to the individual volunteer efforts of members just like you. Chapter members who volunteer their skill and time take pride in knowing they play an important role in helping to continue the long term success of our local chapter and are committed to their own professional growth. You can help with just a few minutes of your time to assist with one or more tasks. We welcome you in joining our group. There are volunteer opportunities that range in commitment from as little as a one-time two-hour role at a conference to support registration to the time necessary to serve as a member of our board of directors. We are currently looking for volunteers to help our chapter. http://www.cvent.com/d/5cqnlc/1Q

Speakers: The Philadelphia ISACA Chapter is continuously seeking qualified instructors knowledgeable in the areas of Internal Auditing, Information Technology Audit, Information Security, and Governance, Risk, and Compliance. If you have related audit and/or information security experience, we want to hear from you. http://www.cvent.com/d/zcqn7q/1Q

Sponsors: Contact Anthony Hernandez: [email protected]
If you would like to sponsor an event or the Chapter website, we want to hear from you.
Follow ISACA:
COBIT 5 NEWS: Go to www.isaca.org/cobit for an overview of COBIT 5 and to learn more.
CHAPTER DIRECTORS
Alex Habre, Director
David G. Menichello, Director
Derek J. Danilson, Director
Jarred B. Berstein, Director
Michael G. Griffith, Director
Ram Vijayanathan, Director
Thu Nguyen, Director
William Vink, Director
Dean Fowler, Alternate Director
Michele L. Dickinson, Alternate Director

MOBILE FORENSICS—Appendix A (continued from page 4)
EXAMPLE OF CHAIN OF EVIDENCE FORM
[Image: example chain of evidence form]