December 2002 Email Newsletter

AUDIT LOG
THE ISACA PUGET SOUND CHAPTER eNEWSLETTER
December 2002

Visit the ISACA-PSC website @ http://www.isaca-psc.org

INSIDE
-President's Message
-Upcoming Meetings, Events and Announcements
-New Job Postings
-Feedback

PRESIDENT'S MESSAGE
Our November meeting was a rousing success. Peter Rosenzwieg, D&T, did an excellent one-hour presentation on CRM followed by a detailed workshop on Siebel security and control. Presentation files for both sessions are available from our website. The chapter thanks Peter for the time and effort he put into developing these presentations.

Our next meeting on December 17th should be on the same level as November with Josh Schmidt from Jefferson Wells (and your chapter VP) speaking on PBXs. Telecommunications and associated equipment are sometimes overlooked in the IT audit world. I am sure we will all learn a lot about what we should be doing to help our companies and organizations deal with the risks and problems associated with this area. Our Joint Meeting with the IIA, which usually takes place in December, will be in May this year.

Big news for our chapter is that we will now be accepting credit cards when you register for monthly meetings and seminars. Through Acteva, we can accept credit cards without having to set up our own processing. Since everyone must pre-register for our monthly meetings and seminars, using your credit card to book that registration will speed the check-in process and save our chapter treasurer the time and responsibility of depositing all those checks and cash. Let us know what you think.

Lastly - make sure you pencil in the March seminar. Detailed information is below and as always on the chapter website.

See you on December 17th - Doug.

- Doug Taylor, President

UPCOMING MEETINGS / EVENTS / ANNOUNCEMENTS
I. Upcoming Meeting Topic: PBX Security Auditing
II. Upcoming ISACA PSC March 2003 Seminar
III. Puget Sound ISACA and IIA Chapter Members Speak to Seattle Pacific University Students

I. Upcoming Meeting Topic: PBX Security Auditing
The Puget Sound Chapter of ISACA will meet Tuesday 12/17/02 at the 75th floor of the Columbia Tower Club. The Columbia Tower Club is on top of the Bank of America Tower located between 5th and 6th between Cherry and Columbia. Registration begins at 11:15 A.M., lunch begins 11:30 A.M., and the presentation begins at 12:00 noon (1 and 1/2 hours). Sign up by completing the registration form at http://www.isaca-psc.org/register.htm (preferred method) or call 206-215-8920 by 2:00 PM the Friday preceding the meeting. Please specify in the comments if you prefer a vegetarian lunch selection. CPE=1 credit hour. No jeans allowed. Please register in advance! The Columbia Tower Club has had difficulties in accommodating walk-in guests during the past meetings.

*Please be advised that no-shows will be billed for the full cost of meals. See the website for details (http://www.isaca-psc.org/events.htm).

The topic will be on the Private Branch Exchange (PBX), which is an often overlooked critical element of information technology. A PBX is a sophisticated computer-based switch that can be thought of as essentially a small, in-house phone company for an organization. Failure to secure a PBX can result in exposing the organization to toll fraud, disruption of services, or theft of proprietary or confidential information, which could lead to a loss of revenue or legal entanglements.

Joshua Schmidt will provide an overview of auditing PBX security within the framework of the following control categories:

-Administration and Vendor Maintenance
-Phone System Features and Access Restrictions
-Administrative Console Security
-Monitoring and Utilization Tracking
-Cost Management
-Telecommunications Organization and Staffing
-Awareness and Problem Management
-Facilities Security
-Business Continuity
-Third Party Contracts

Joshua is the lead manager in the Northwest for Jefferson Wells International's information security services consulting practice. Besides managing and performing other types of information systems security projects, Joshua has performed PBX security audits for government and financial institutions.

Heavily involved with local security industry groups, he is the Vice President and Webmaster for the Puget Sound Chapter of the Information Systems Audit and Control Association (ISACA), on the Board and Webmaster for the Puget Sound Chapter of the Information Systems Security Association (ISSA), and an active member of the Agora. He is a Certified Information Systems Security Professional, and a Certified Information Systems Auditor.

II. Upcoming ISACA PSC March 2003 Seminar
The ISACA PSC is pleased to announce its March 2003 conference on Network and Cisco Router Security. This two-day program will be held on March 27th and 28th, 2003, at the Bell Harbor International Conference Center in downtown Seattle. The event will feature two of our industry's premier security experts, Dr. Eugene Schultz and Mr. George Jones. The seminar sessions will address:

Network Security by: Dr. Eugene Schultz
This one-day course provides a comprehensive view of networking--its mechanisms and protocols--but with a security slant. It begins with a broad overview of networking, then proceeds to cover security-related threats and control mechanisms. The course also delves into specific network-related issues that users and organizations typically face and how to address them. Topics include networking basics, major types of network security exposures and control measures, securing network services, securing web servers, firewalls, encryption, and secure email.

Cisco Router Security by: Mr. George Jones
This one-day course focuses on current best practices for securing Cisco routers, which make up the core of many of today's networks. Topics include boot time configuration, configuring remote access, login and user administration, IOS modifications, routing protocol security, traffic filtering, and use of the Router Audit Tool.

In addition to the speakers' presentation information, each participant will receive a free copy of the book "Internet Security for Business", which was co-authored by Dr. Schultz, meals (breakfast, lunch, and never-ending snacks), and 14 CPEs.

Detailed information for each of the seminars, speakers' bios, and registration information is available on our website at: www.isaca-psc.org/education.htm. Space is limited to only 60 participants so sign up ASAP!!!

III. Puget Sound ISACA and IIA Chapter Members Speak to Seattle Pacific University Students
On Monday, November 18, 2002, three members of the Puget Sound ISACA and IIA Chapters were guest presenters at a graduate information systems class at Seattle Pacific University. The volunteer professionals were Rebecca Dols of Frank Russell Company, Claude Dennis of PEMCO, and Jack Champlain of BECU. The presentation began with an overview of ISACA and IIA. We provided screen shots of selected pages from the international and chapter websites and highlights of recent job opportunities. Next, each volunteer briefly described their career backgrounds and their current auditing challenges. We then fielded several questions from the students. Jack concluded with a brief overview of a conceptual model of physical and logical security controls in computing system environments. There were a total of 15 students in attendance. We are grateful to Professor Gerhard Steinke for inviting us to share information about careers in auditing with his students.

We are planning at least two more student information events - one at Seattle U and one at UW. The exact dates have not been determined, but they will likely take place in the spring. If you are interested in attending, please call or email me.

-Jack Champlain, Academic Relations Chair, ISACA and IIA (jchamplain@becu.org or 206-439-5966)

For other events, check the online calendar at http://www.isaca-psc.org/events.htm.

JOB POSTINGS
Senior IT Auditors/Consultants
Company headquartered in California is currently seeking to add 8-10 IT auditors/consultants to their local Seattle office. This company was started by ex-big-4 partners and directly competes with the big-4. My client is owned by an established parent company but operates as a separate entity. Currently my client has 27 offices nationally and internationally with around 600 employees (and growing!). They provide risk consulting, IT consulting, and internal audit services. Business is expected to grow substantially in the next year because of the effects of the Sarbanes-Oxley Act.

Job duties include anything from IT internal audits, IT operations risk management, information systems testing, IT asset management, security and privacy issues, business systems control and effectiveness, reliability and performance management, business continuity management, change management and IT optimization.

Ideal candidate will have a minimum of 2 years solid IT experience (preferably big-4 or similar type consulting/auditing firms but will also look at strong IT internal auditors). Company pays better than the big-4 and has more of an entrepreneurial feel. Must be able to travel (~ 25%-45% travel). Currently looking for senior and manager level candidates! Will look at staff level if about to be promoted to senior.

If interested, please email resume as a Word attachment to baarrestad@kforce.com.

Ernst & Young - Technology and Security Risk Services Senior (Seattle)
Within E&Y's Technology & Security Risk Services (TSRS) practice, we are currently seeking a Senior to participate in and supervise multiple client engagement teams and other related activities. This professional will serve as a fieldwork leader to assist clients in employing proper information systems, resources, and controls to maximize efficiencies and minimize risk. The successful candidate will work with client personnel to analyze, evaluate, and enhance information systems facilitating the business internal control process, and will assist clients and other TSRS professionals in performing information technology control and security engagements.

Responsibilities include collaborating with other members of the engagement team to plan the engagement and develop work programs, timelines, risk assessments, and other planning documents; working with the audit team to document the business processes dependent on information technology; and ensuring high quality in client service.

To qualify for this position offering excellent opportunities for career advancement to the right professional, candidates must have:

- A Bachelor's or Master's degree in Business, Accounting, Finance, Computer Science, Information Systems, Engineering and/or other appropriate academic major.

- A minimum of 3 years of experience working as an auditor for a public accounting firm or particular systems/technology experience to meet special needs.

- Candidates must also be actively pursuing a related professional certification and/or CPA certification.

Apply online at http://www.ey.com/us/careers. Please use Reference Code U072-5EHRQT

If you would like to post a job opening, please contact Mike Santos (see Feedback section below). For other job postings, check the ISACA PSC website at http://www.isaca-psc.org/jobs.htm.

FEEDBACK
ISACA PSC values your input. Send Mike Santos, 2002-03 Publications Chairperson, an email to jmsantos@becu.org for all questions/comments regarding the ISACA PSC Audit Log eNewsletter.


Copyright © 2002, 2003.
Information Systems Audit & Control Association®.