
Control Guidelines for Secure
Application Design and Testing
Event 76

Monday & Tuesday

April 10 & 11, 2006

Royal Crown Conference Centre, 83 Garry Street (Winnipeg, Manitoba)

8:00 AM to 4:30 PM

Presented By:

For further information contact

Scott MacLennan, Event Director - (204) 957-2203

Visit the ISACA Winnipeg Chapter web site at isaca-wpg.org

SCHEDULE (both days)
Registration............08:00 AM to 08:15 AM (Continental Breakfast Provided)
Presentation............08:15 AM to 10:15 AM
Coffee Break............10:15 AM to 10:30 AM
Presentation............10:30 AM to 12:00 PM
Lunch Break.............12:00 PM to 01:00 PM (Lunch Provided)
Presentation............01:00 PM to 02:45 PM
Coffee Break............02:45 PM to 03:00 PM
Presentation............03:00 PM to 04:30 PM

SPEAKER INFORMATION


David S. Read, Chief Technologist
As Blue Slate's Chief Technology Officer, David leads the technology group, working as an advisor for each project to help evaluate and determine functional requirements, platforms, products, integration approaches, architectures, QA procedures and implementation processes. He also works with the IT team to find and evaluate new products, tools and techniques that will strengthen Blue Slate's technology capability.

A major component of his success is his participation in client projects. This on-going field experience allows him to maintain his skills, understand industry trends and have real-world application requirements to apply as he evaluates new tools and techniques.

His most recent field experiences include work at one of the world's largest hotel and leisure companies and a large mutual funds organization. His assignments have included designing a high-performing web service-based application, incorporating a rules and workflow engine with diverse backend systems, integrating an open-source database pooling solution into a closed source application, and developing and utilizing a proprietary query analysis tool to assist in improving the performance of a Sybase-based backend.

Dave has broad expertise across IT technologies. He has leveraged commercial and open source solutions to build a variety of integrated solutions. As an architect, Dave likes the flexibility to choose from various approaches, using the project's timetable, available infrastructure, the customer's acceptance of risk, and the project budget to design optimal solutions. Key to this is Dave's understanding of new technologies and his grasp of their strengths in the context of other platforms and architectures.

Prior to joining Blue Slate in June of 2000, Dave had 15 years of IT experience. Most recently, Dave was Senior Applications Architect for Integrated Partners Incorporated (IPI). Here he worked with each customer and delivery team to design, construct, and implement robust technology solutions. Engagements included work for a large state retirement group, guiding their requirements gathering process, working to design a solution building on their existing infrastructure, and coordinating development and implementation teams.

Degrees / Certifications:
BS, Computer Information Systems, College of Saint Rose
GIAC Security Essentials Certification (GSEC)
Red Hat Certified Engineer (RHCE)
Sun Certified Programmer for the Java 2 Platform
Certified Engineer on Pega's PegaRULES Platform
Trained ILOG JRules/Java Developer

SESSION DESCRIPTION (16 CPE Credits)
Overview
This seminar introduces the key concepts and considerations behind the need for sound management practices and controls in IT project engagements. The training material is designed to give participants a solid understanding of the types of standards, issues, and controls that must be considered throughout the project's lifecycle. We will cover general controls as well as application controls and tie them in to the concepts discussed throughout the seminar. Where applicable, examples will be used to emphasize the best practices, tools, and methodologies commonly exercised in business.
Defining the issues
  • Scanning the global landscape: a capture of the control issues surrounding the IT environment
      - General IT Controls
      - Application IT Controls
  • Application vulnerabilities
  • Flaws in software
  • Suppliers & consumers of vulnerabilities

Examining weaknesses and mitigations
  • Examples of real applications affected by security-related issues
      - Cost reduction system
      - Reporting tool
      - File transfer utility

SOX Compliance
  • Sections 302 & 404
  • Impact on Canadian companies
      - Instruments 52-109 & 52-111
  • Key control frameworks
      - COSO: framework for regulatory & risk management
      - COBIT: specifically developed for IT security & control practices
  • Impact on IT: best practices
      - Redefining your IT
      - Leveraging SOX for strategic advantage
      - Case studies

Culture of security
  • Major aspects of a security culture
      - Training & focus
      - Standards
      - Multi-level security
      - Reviews
      - Third party audits
      - Testing

Securing the database
  • Risks inherent in flaws in database defenses
  • Risks associated with RDBMS usage
  • Risk mitigation methods

Logging
  • Logging do's and don'ts
  • Value proposition: why logging is a core part of an application's operation

Design for security
  • Identifying secure and insecure designs
  • Looking for ambiguous requirements and transforming them into solid definitions

Expressing security in requirements
  • Defining information requirements appropriate for the design, build and test of an application
  • Requirements gathering methodology

Securing various application architectures
  • Identification of security risk exposures in different application architectures
  • Risk mitigation suggestions

Effective Encryption
  • Encryption: choices and tradeoffs in information encryption
  • Encryption scenarios and methods for proper implementation

Security Standards
  • Defining standards to apply throughout the application development lifecycle

Authentication, authorization and configuration
  • Best practices used in user authentication and access authorization
  • Security implications of application configuration decisions
  • Products overview & best practice techniques

Users, the ultimate firewall
  • Risks exposed: users circumventing all security precautions
  • Mitigation approaches and tips for users to be diligent when handling critical data

Testing for security
  • Testing techniques that help to expose security risks before application deployment
  • Common pitfalls encountered in testing new and existing applications
  • Considerations for ongoing testing, review, and reliance on existing applications

What have we learned
  • Recap of all training material, providing a checklist of hot issues, mitigations, tools and methodologies
  • Quick reference guide to help participants apply the theory and perform self-assessments in their respective environments

    WHO SHOULD ATTEND:
    IT professionals, including auditors, managers, those in security and compliance roles, software architects, and application development team leads. Those in Corporate Governance roles would also benefit from a better understanding of the issues when in discussions with IT groups. Those who register for this event before April 3, 2006 will receive a free IT promotional gift (min. value $40).

    Learning Level: Intermediate

    Event Costs (all prices include GST & are in Canadian Funds)

    • Member.......................$   995.00 (ISACA or CGA Members only)
    • Group rate for 5 or more.....$ 1,045.00 per person
    • Non-Member...................$ 1,095.00
    A $100.00 Early Registration Discount is available if you register on or before March 3, 2006 and payment is received by March 15, 2006.

    Those registering for this event are invited to attend the "IT controls for financial reporting: Internal/external perspective" half day event on April 12, 2006 for FREE. When registering for the follow-on half-day Event 77 select the 'Guest' option from the 'Rate' drop down list.

    Cancellation Deadline: March 22, 2006. Refer to Policies below.

    Express Registration requires Member ID & PW.


    Event Policies

    Please refer to our Chapter Cancellation & Substitution Policy and Privacy Policy.
  • Advance Registration and Payment is greatly appreciated and Substitutions are allowed. If we cancel a course for any reason, our liability is limited to the registration fee only.

    The speakers, topics and events are correct at the time of publishing; if unforeseen circumstances occur, ISACA reserves the right to alter or delete items from the program.

    The presenters have prepared this material for the professional development of ISACA members and others. Although they trust that it will be useful for this purpose, neither the presenters nor ISACA can warrant that the use of this material would be adequate to discharge the legal or professional liability of members in the conduct of their practices.

    For ISACA information contact the President; for membership information, the Membership Director.