February 15, 2017 ISACA Detroit Chapter Meeting

Pre-Dinner Topic: Preparing Your Leadership for Cybersecurity Expectations—Effective Approaches to Addressing Cybersecurity Topics Pre-Dinner Speakers: Matt Kipp CISA, TERP10 and Shane O’Donnell, CPA, CISA After-Dinner Topic: Securing Connected Vehicles After-Dinner Speakers: Greg Boehmer, CISA, CIA, CFE, CGEIT, CISSP, CISM, CRISC, CRMA, PMP Robert Carton Allen Hillaker

Date: Wednesday, February 15, 2017 Time: 4:30 - 5:00 Registration & Networking 5:00 - 6:00 Pre-Dinner Presentation 6:00 - 6:45 Dinner 6:45 - 7:45 After-Dinner Presentation Location: Michigan State University Management Education Center 811 W. Square Lake Road Troy, MI 48098-2831

Cost: Advance Online Registration Only Walk-In Fees $20.00 Member $40.00 Member $30.00 Non-Member $50.00 Non-Member

PRESIDENT VICE PRESIDENT TREASURER SECRETARY Keith Cheresko JD, CIPP/US/IT Greg Boehmer CISA, CIA, CFE, CGEIT Ryan Hodges CISA, CISSP Juman Doleh-Alomary MScE, CISA, Privacy Associates Int’l LLC CISSP, CISM, CRISC, CRMA, PMP Deloitte & Touche CISM, CRISC, ISO27001 presidentisacadetroit@gmail.com Deloitte & Touche treasurerisacadetroit@gmail.com Wayne State University vpresidentisacadetroit@gmail.com secretaryisacadetroit@gmail.com

VOLUME 31 # 6 REGION 4 CHAPTER 8

DATABYTE

The Chapter must provide the number of reservations by 12:00 pm on the Friday prior to the Chapter meeting. Advance online registration closes at noon on Friday, February 10, 2017. If you have made a reservation and cannot attend, please contact Geralyn Jarmoluk at Administrator@isaca-det.org, or 248-762-7421 prior to the above noted deadline for refunds. Walk-in registration is available at an increased fee. Reservations not cancelled prior to the above-noted dead-line cannot be refunded as we are committed to the caterer for the meals ordered.

DIRECTORS

Brad Barton, CISA Lear Corporation 248-707-9372 Derrick Buckingham, CISA, CISSP, CISM, CRISC Detroit Medical Center 313-729-8816 Doug Copley, CISM, CISSP, CISA, CIPP, CIPT Forcepoint 517-204-5701 Shannon Desjardins, CPA, CISA, CRISC Blue Cross Blue Shield of Michigan 586-201-1603 Michele M. Dawson, CPA, CISA Beaumont Health Systems 734-637-9270 Michael A. Forrest, CISA, CGEIT Flagstar Bank 248-312-5435 Chris Johnson, CISA Lear Corporation 248-417-7472 Bhaskar Kakulavarapu, CISSP, CISM Comerica 248-925-7001 Linda Kearney, CISA, CISM, CIA, CIPP-US Fiat Chrysler Automobiles 586-219-9041 Charles Murray, CPA, CISA KPMG LLP 313-320-4566 D. Robert Okopny, PhD, CIA, CFE, CMA Eastern Michigan University 734-487-0246 Sajay Rai, CPA, CISSP, CISM Securely Yours LLC 248-723-5224 Malini Sarma, CISA General Motors 313-667-2878 Carrie Schrader, CISA, CBM, CFE, CGEIT, CRISC GM Financial 586-817-8590 Melvin B. Taylor, CISA, CISM General Electric 248-761-5671 Doug Wahr, CFE, CISA, CRMA, CISSP Auto Club Group (AAA) 313-436-7277 Manish Zaveri, CISA, CPA Delphi Corporation 248-888-9090

2

DATABYTE

DETROIT CHAPTER ISACA – YOUR ‘YEAR-ROUND’ PARTNER FOR PROFESSIONAL GROWTH

Dear Detroit Chapter Members,

Ready for the ride? With the change in administration in Washington D.C. and early indications of a different approach,

there is no telling what we will encounter in our professional lives in the next four years. Hang on tight; it could get bumpy. This uncertainty makes it all the more important to stay engaged and up-to-date. Attending our monthly membership meet-

ing provides a double dose of training on current topics of interests. Can’t make the meetings? We understand and are ex-

ploring ways to expand our reach. Not getting to hear what is important to you? Speak up and let us know.

In addition to our regular membership meetings there are outstanding training sessions being planned. It is our goal to pro-

vide information on topics you can use in your daily work activities. We strive to bring you meaningful information, networking opportu-

nities and, on occasion, fun activities. As you will frequently hear, we are always looking for members willing to help by volunteering their skills, talents and time for the betterment of us all. Don’t be shy; tell us how we are doing.

Keith Cheresko JD, CIPP/US/IT

ISACA Detroit Chapter President

ISACA Communications Chair, Brad Barton, with January Speaker Doug Copley

ISACA Programs Chair. Malini Sarma, with Speakers Mike Muha and Mary Rowley

Before Dinner Topic - Preparing Your Leadership for Cybersecuri-ty Expectations: Effective Approaches to Addressing Cybersecuri-ty Topics. The agenda for the presentation is as follows:

· The cyber shift · Steps to effectively communicate with leadership · Cyber concerns across leadership · Questions the board should ask · Attributes of cyber confidence · Instilling confidence in leadership

Before Dinner Speakers Shane O’Donnell, CPA, CISA is the Chief Audit Executive located

out of our Detroit office. Shane has over 12 years of experience in audit and IT security. Shane has worked extensively with Sarbanes-Oxley (SOX) testing and program development for Fortune 500 Companies. Shane has assisted organizations with streamlining internal audit processes while reducing redundant activities and identifying defi-ciencies in the process. Shane joined The Mako

Group in 2012 and has overseen engagements for large healthcare entities, manufacturers, financial institutions and large global companies. Shane has taken part in the following initiatives:

SOX Control Testing ISO 27001 and NIST Security Framework Control Mapping SOC 2 Reports Enterprise Wide Risk Assessments Operational and Financial Audits

Shane received his formal education from Western Michigan Uni-versity where he received his Bachelor of Business Administration in Finance. Shane went on to obtain his Master of Science in Ac-counting from Walsh College. Shane is also an active member of the American Institute of Certified Public Accountants, Habitat for Humanity and serves on several committees for The Guidance Cen-ter, a nonprofit in metro Detroit.

3

DATABYTE

DETROIT CHAPTER ISACA – YOUR ‘YEAR-ROUND’ PARTNER FOR PROFESSIONAL GROWTH

Before Dinner Speakers Continued

Matt Kipp CISA, TERP10 is an Audit and Risk Manager out of the Detroit office. Matt has over ten years of experience in both SAP admin-istration and security as well as IT and internal audit. Before joining The Mako Group in 2015, Matt served as SAP GRC Analyst for a Fortune 500 Company. Matt has worked closely with

large manufacturers, financial institutions and other large public and private entities.

Matt has taken part in the following initiatives: IS0 27001 Risk Assessments NIST and ISO 27001 Framework Control Mappings Enterprise Wide Risk Assessments SOX Controls Testing General Computer Control Audits IT Audit Readiness Assessments

Matt received his formal education from Central Michigan Univer-sity where he received his Bachelor of Science in Business Admin-istration and Management Information Systems. Matt went on to obtain his MBA in Management Information Systems with an em-phasis in SAP as well as a Graduate Certificate in SAP from Central Michigan University. Matt is a Certified Solution Architect ERP and is a member of the Detroit ISACA Chapter. After Dinner Topic - Securing Connected Vehicles The security risks and attack surfaces in vehicles are increasing exponentially as they become even more connected. There is a growing need to create a hardened vehicle platform that will be in service for 10 or more years, but developing this is extremely challenging and po-tentially costly. The need to be able to detect and respond to these threats across the entire ecosystem in real time becomes an even larger challenge when you are dealing with multiple vehicle platforms, multiple vendors and third parties. When an incident happens, does it impact vehicle safety and privacy? How resilient is the platform? In this presentation, we will discuss how connected vehicles differ

from their less connected brethren, as well as the safety and secu-

rity implications of their increased connectivity. Based on our ex-

pertise developed during the analysis of vehicles and systems de-

signed by both domestic and foreign companies, we will examine

connected vehicles, how to they can be secured and monitored,

and what can be done to minimize the impact when an attack

does happen.

After Dinner Speakers

Greg Boehmer, CISA, CIA, CFE, CGEIT, CISSP, CISM, CRISC, CRMA,

PMP is a Deloitte Advisory senior manager in the Cyber Risk prac-

tice of Deloitte & Touche LLP. He has more than twelve years of

risk management consulting and auditing experience, which in-

cludes working internationally on three different continents. A

majority of this time has been focused in the automotive industry

with point-of-view that he co-authored in the Automotive News Con-

tent Studio titled “Automotive cybersecurity: Growing technology

needs a broader safety net”. He specializes in SAP GRC, Risk Assess-

ments, Internal Controls, and IT Governance.

Robert Carton has been with Deloitte for a year and a half, where he is a Specialist Master in Deloitte's cyber risk practice. His experi-ence includes penetration testing, medical device testing and auto-motive security analysis.

Prior to joining Deloitte, Robert completed 21 years of active duty

military service with the US Navy. Much of his time was spent as-

signed to the National Security Agency where he part of the NSA Red

Team, and other NSA cyber units. The final 8 years of Robert’s mili-

tary career were spent at Naval Special Warfare Development

Group, where he served as the Computer Network Operations Lead

and performed Research and Development activities in support of

elite special warfare units.

Allen Hillaker has been with Deloitte & Touche LLP for a year and a half, where he is an Advisory consultant in Deloitte's cyber risk prac-tice. His experience includes infrastructure and automotive security analysis, including the security analysis of traffic signal networks, as well as security analysis and penetration testing of vehicles pro-duced by multiple domestic and international OEMs.

Prior to joining Deloitte, Allen performed automotive security re-

search as part of the University of Michigan Transportation Re-

search Institute's Cybersecurity team, where he developed penetra-

tion testing and CAN analysis tools. He also worked as a software

developer for Delphi, where he developed prototype automotive

systems.

Welcome New ISACA Detroit Chapter Members Tracy Cleeton Craig Church Patrice Cheesman David Janda Rohan Dsouza Rick Getchell Syed Ayaz Steven Balagna Michael Vanderlinden Christopher Udoh Wajid Khan Bryant Bullen Rani Vaidyanathan Laruie Saims Joe Gasiorowski Alexandra Marien Akash Verma Nicholas Rogers Sahibjeet Dhindsa Claudia Mitchell Jim Staelgraeve II Chandrashekar Kasibhatta

The ISACA Detroit Chapter Certification Committee Wishes to Congratulate the following Newly Certified

Daniel A. Norberg, CISM

David M. Kure, CISA Jason D. Philp, CISM

Melissa Westphal, CRISC

4

DATABYTE

DETROIT CHAPTER ISACA – YOUR ‘YEAR-ROUND’ PARTNER FOR PROFESSIONAL GROWTH

Senior IT Auditor (NERC Audit) (08934) If this position interests you please apply online at:

https://www.newlook.dteenergy.com/wps/wcm/connect/dte-web/dte-pages/careers/join-the-team

The future is bright at DTE Energy! We are the largest electric and gas utility in Michigan with an aspiration to be the best operated energy company in North America. We are a Fortune 500 company headquartered in Detroit, Michigan with businesses in 26 differ-

ent states. DTE Energy’s utility and non-utility businesses are poised for significant growth. We look forward to working with highly motivated and team-oriented individuals to energize our efforts of growing economically and environmentally.

We care for our employees and prioritize their health and safety first. Recently, DTE Energy has been recognized as an outstanding place to work and has received the following accolades:

Gallup Great Workplace Award for 3 consecutive Years! (2013, 2014 and 2015)

Metropolitan Detroit’s 101 Best and Brightest Companies to work for

J.D. Power Customer Satisfaction Award

Professional Women’s Magazine/Black EOE Journal “Best of the Best”

Computerworld’s 100 Best Places to Work in IT

Best Employers for a Healthy Lifestyle Gold Award

Detroit Free Press Green Leaders Award

DTE Energy is an equal opportunity employer and considers all qualified applicants without regard to race, color, sex, sexual orientation, gender identity, age, religion, disability, national origin, citizenship, height, weight, genetic information, marital status, pregnancy, protected veteran status or any other status pro-tected by law.

JOB SUMMARY Responsible for applying advanced Information Systems internal auditing standards, procedures, and techniques to evaluate and provide assurance regarding the adequacy of controls related to the accomplishment of business objectives, compliance with laws and regulations and reliability of financial reporting. Fre-quently leads audit teams, provides technology consulting to business clients and may take action on certain matters with minimal reference to superiors for advice and guidance. KEY ACCOUNTABILITIES

Plan, develop, conduct and frequently lead new or previously reviewed IT related audits of complex Company systems, operations, processes, functions and activities. These include information systems audits and special investigations requiring the application of specialized auditing principles and practic-es.

Partner with clients to help provide guidance on internal control structures, information security, information privacy, process efficiencies, policy and procedure development and re-engineering initiatives as well as other complex business subjects.

Assist NERC Compliance Organization staff and consults with client organizations with respect to the design and implementation of controls and/or auto-mated testing of controls.

Ensure work-papers fully support conclusions and conform to departmental and professional standards.

As a QA team member, is responsible for planning and directing assessments, reviewing teams' work-papers and draft audit reports and managing client relationships.

Accumulate pertinent data, organize material, use sampling techniques and software analysis tools, make detailed analysis of existing conditions.

Write and present comprehensive compliance reports or develop presentations that clearly describe objectives, scope, conclusions, and findings and pro-vide value added recommendations to both internal and external stakeholders.

Perform, and may lead IT controls testing.

Partner with clients to assess their business risks on new and/or complex subjects. -Research and prepare position statements on proposed and existing professional audit standards, management concerns, and regulatory decisions.

Use knowledge of the client's business/industry to identify technology and industry developments and evaluate the impacts. Protect confidential client information.

Ability to read, evaluate and analyze various programming languages including SQL. Design, develop, and implement CAATs. Provide CAAT and soft-ware analysis tool assistance to other auditors and clients.

Work effectively with personnel at all levels internally and externally such as outside entities, MPSC, NERC, FERC, IRS, management consultant firms, etc.

Provide management support for the NERC Compliance organization as needed, particularly with respect to its needs and systems.

QUALIFICATIONS

Bachelor's Degree in, Computer Science, Business Administration, Engineering or other related discipline from an accredited college or university.

CISA, CISSP, CIA, CPA or CA certification required within two years; currently certified applicants IS a plus.

Must have at least five years relevant IT audit. IT security experience preferred.

Possess strong analytical and problem solving skills to improve processes, minimize risk and add value to a wide variety of complex operations. Duties require high degree of judgment and ingenuity.

Compliance experience is preferred.

Demonstrated consulting expertise to business segments and in the analysis of audit subjects and evaluation of controls.

Demonstrated ability to communicate well with others. Proficient verbal non-verbal, written, and presentation skills.

Negotiates and settles conflicts with clients and others.

Advanced working knowledge of the company's regulated and unregulated operational processes.

Proficiency with MS Office products. Advanced Excel abilities required. Understands and utilizes data analysis tools such as ACL.

Possesses a valid driver's license, meet company driving standards and provide own transportation within the service area.

5

DATABYTE

DETROIT CHAPTER ISACA – YOUR ‘YEAR-ROUND’ PARTNER FOR PROFESSIONAL GROWTH

February 15, 2017 Menu Caprese Salad; Caesar Salad; Antipasto Salad Lasagna Tuscan Chicken

Penne Pasta with Alfredo Sauce Italian Green Beans Fresh Baked Bread Dessert

The meal includes a meat and vegetarian entrees with a salad, starch, seasonal vegetable and an assortment of desserts..

January Chapter Meeting Raffle Winners

Robert Yanik Lynne Mangan Anthony Toins James Dye Brian Kaetz John Kruze Aaron Buck Doug Wahr Unsal Yetkin Christopher Mishler

2016-2017 ISACA Committees

Academic Relations

Sajay Rai (Chair)

Michele Dawson

Ryan Hodges

Bhaskar Kakulavarapu

Robert Okopny

Manish Zaveri

Bylaws, Policies & Proce-dures

Greg Boehmer (Chair)

Keith Cheresko

Linda Kearney

Charles Murray (Chair)

Certification Michele Dawson

Michael Forrest

Steve Rogers (Non Board Volunteer)

Brad Barton (Chair)

Keith Cheresko

Doug Copley

Communications Juman Doleh-Alomary

Ryan Hodges

Chris Johnson

Bhaskar Kakulavarapu (Webmaster)

Facilities

Carrie Schrader (Chair)

Ryan Hodges

Linda Kearney

Membership Michael Forrest (Chair)

Doug Wahr

Nominating & Audit Brad Barton (Chair)

Linda Kearney

Program

Malini Sarma (Chair)

Greg Boehmer

Keith Cheresko

Doug Copely

Juman Doleh-Alomary

Seminars

Manish Zaveri (Chair)

Brad Barton

Carrie Schrader

Doug Wahr

Melvin Taylor (Chair)

Social Committee Ryan Hodges

Malini Sarma

Juman Doleh-Alomary (Chair)

Spring Training Shannon Desjardins

Mike Forrest

Annual Detroit Chapter of ISACA Scholarship Competition

ISACA Detroit is excited to announce our 4th Annual Scholarship Com-petition. This competition is designed to enrich the experience of stu-dents by providing them with a “real world” experience. The competi-tion consists of contestants working on a case study and presenting their conclusions to a panel of industry professionals who will play the role of potential future employers. The contestants not only have an excellent chance to win some cash, but the 1st place university also earns the right to display the ISACA Detroit trophy (just like a Stanley Cup) for the next year. So, let the competition begin. This year the competition will start on March 31, 2017 at 6 pm and end on April 2, 2017 at around 4 pm. The format of the competition is as follows: You are free to form a team. It is recommended that the team consist

of two students, one with a background of IT auditing or assurance, and the second with a background of IT Security.

A university may send multiple teams to the competition.

Teams will be competing for three scholarships: 1st place is $4,000, 2nd place is $2,500 and 3rd place is $1,500. The winners will get a certificate and the 1st place team university will get the “ISACA Detroit Cup”. And, of course, all participants will get honorable mention on ISACA’s website and monthly newsletter.

Like last year, it is also possible that the judges give out more than one 1st place, 2nd place and 3rd place awards. Last year, we had two teams who received 1st place awards of $4,000 each and two teams received 3rd place awards of $1,500 each.

Teams will be issued a case study at 6 pm on March 31, 2017. Teams will be expected to work on the case study till Noon of April 2, 2017. At that time, the teams will present their report to the judges. The presentation will be held at Eastern Michigan University, Owen Building at 300 West Michigan Ave, Ypsilanti, MI 48197. The winners will be announced after all the teams have presented (around 3 pm on April 2, 2017).

The case study will be made available on March 31, 2017 at 6 pm via email.

Register today at the following link: http://www.cvent.com/d/8vq50b/1Q.

6

Attend up to 4 Chapter Meetings FREE

In these difficult times, the ISACA Detroit Chapter Board wants to help. If you are unemployed, laid-off, or are not currently receiving a paycheck, we have some good news. It’s during times such as these that maintaining a network of peers and maintaining your level of training is so very important. We are, therefore, offering to allow you to attend up to four (4) meetings FREE. You must regis-ter for each meeting through the Membership Chairman by sending an e-mail stating that you are currently out of work and wish to attend the meeting. The e-mail must be received prior to the meeting registration close for that meeting. Please send your email to Mike Forrest at: m_forrest@wowway.com.

ADVERTISE IN THE DATABYTE NEWSLETTER

¼ Page $50.00 ½ Page $100.00 Full Page $200.00

Contact Geralyn Jarmoluk at administrator@isaca-det.org

or Mike Forrest at m_forrest@wowway.com

Photo Disclaimer: ISACA Detroit Chapter may capture images from meetings and events on film or digital media for publication and marketing purposes.

DATABYTE

DETROIT CHAPTER ISACA – YOUR ‘YEAR-ROUND’ PARTNER FOR PROFESSIONAL GROWTH

Detroit IIA and ISACA Spring Training Social Event March 28, 2017

Tuesday March 28, 2017 – 5:00 to 7:00 pm Start time is directly after Tuesday’s Spring

Training Sessions

Cost: IIA and ISACA Detroit Chapters will provide select subsidized drinks and appetizers at:

Lucky Strike 44325 Twelve Mile Road

Novi, Michigan (p) (248) 374-3420

(less than 3 miles from the Suburban Collection Showplace)

Our 2017 Sponsors

Platinum Vendor

Gold Vendor

Announcing ISACA Detroit Smart Device App

The ISACA Detroit Chapter Communications Committee is happy to announce the availability of a smart device App designed to pro-vide current and important information on several membership bene-fits and activities. This App is now available for both Apple and Android devices and can be installed by following the steps below. Making this App available to our membership is just one in a series of improvements being researched and planned by the Communica-tions Committee. We are anxious to meet our membership’s expec-tations for effective communications and any and all ideas are wel-comed. If you have a suggestion, please send an email message to: Brad Barton, Chair of the Communications Committee, (bbarton424@gmail.com) or reach out to any of our Board members to submit your suggestion. The ISACA Detroit Communications Committee

7

DATABYTE

DETROIT CHAPTER ISACA – YOUR ‘YEAR-ROUND’ PARTNER FOR PROFESSIONAL GROWTH

Spring Training Chapter News The Detroit Chapters of IIA and ISACA are proud to co-sponsor the 18th Annual Spring Training. Once again, the Spring Training Committee has obtained some of the top trainers in auditing from around the country to provide their personal ex-pertise to our members. As you all know, this is our 18th year for the seminar and it has gained out-of-state recognition. Do not miss your opportunity to get the training you need. A number of classes sell out each year! Don't miss out on the oppor-tunity to network with your peers, enhance your skills, and learn about new products and services in the marketplace. Please click the following link to view more information on this event, register, and/or download the Spring Training brochure. IIA & ISACA 18th Annual Spring Training The Spring Training Committee

TRACK MON MARCH 27 TUES MARCH 28 WED MARCH 29

A Accounting Fraud; Deterrence,

Detection & Remediation (Paul Zikmund)

Auditing Ethics & Compliance Pro-grams & Controls (Paul Zikmund)

Fraud Deterrence, Keys to Successful Mitigation of Fraud Risk

(Paul Zikmund)

B Facilitation Skills (Keith Levick)

Collaborative Negotiations (Keith Levick)

Performance Coaching (Keith Levick)

C The 21 Irrefutable Laws of

Leadership (Don Levonius)

Sometimes You Win, Sometimes You Learn

(Don Levonius)

The 15 Invaluable Laws of Growth (Don Levonius)

D

Risk-Based Approach to IT Infrastructure Security &

Control Assessments (John Tannahill)

Cloud Computing Security & Audit

(John Tannahill)

Cyber Security & Emerging Risk Areas

(John Tannahill)

E Auditing Strategic Risks (Greg Duckart)

F Successful Audit Data Analytics (Hands-On) (Jim Tarantino)

G Internal Audit School (Hernan Murdock)

H Project Management for Auditors (Kathleen Crawford)

I

Implementing COSO 2013: Real-World Applications & Best Practices

(Jim Roth)

Risk Management Assurance: Developing Your

Internal Audit Strategy (Jim Roth)

J Auditing IT Outsource

Environment (Norm Kelson)

Auditing CyberSecurity Governance and Controls (Norm Kelson)

K

Understanding & Auditing Cryptography for

CyberSecurity Applications (Ken Cutler)

CyberSecurity of Microsoft Windows Server & Active Directory (Ken Cutler)

L Auditor’s Guide to CyberSecurity Vulnerability and Penetration Testing (Robert Herst)

8

The February 15, 2017 ISACA Chapter Meeting

will be held at:

Michigan State University Management Education Center

811 W. Square Lake Road Troy, MI 48098-2831 Phone: (248) 879-2456

DATABYTE Geralyn Jarmoluk, Editor

P.O. Box 43 Romeo, MI 48065

administrator@isaca-det.org 248-762-7421

DATABYTE

DETROIT CHAPTER ISACA – YOUR ‘YEAR-ROUND’ PARTNER FOR PROFESSIONAL GROWTH