Periodic Penetration Testing: leading practices in security testing (Apr 23, 2013)

ISACA Sydney Chapter presents an evening professional development session:
1. AGM
2. Periodic Penetration Testing: leading practices in security testing

Tuesday 23rd April 2013, 5:00pm to 8:30pm (1 CPE)
Venue: Ernst & Young, Level 33, 680 George Street, Sydney
FREE to members; $20 for non-members
Time              Session
5:00pm – 5:40pm   Registration: Ernst & Young, Level 33, 680 George Street, Sydney
5:40pm sharp      Welcome and introductions
5:45pm – 6:15pm   AGM: 2012 highlights, 2013 plans and certification awards - David Roche, Sydney Chapter President; Andrew Bornhorst, Sydney Chapter Treasurer
6:15pm – 7:05pm   Presentation: Periodic Penetration Testing: leading practices in security testing - Paul Kastner, Partner, Ernst & Young; Jarrod Loidl, Senior Manager, Ernst & Young
7:05pm – 8:30pm   Networking

Many thanks to our sponsor: Ernst & Young
To register: Contact Sandra on [email protected]
Presentation: Periodic Penetration Testing: leading practices in security testing

Most organisations and businesses today understand that their information is under attack and consequently conduct some form of security testing of their IT environment. Very few in Australia, however, have established programs of work focused on consistent and ongoing security testing of all their IT systems and applications. Similarly, very few firms in Australia have delivered penetration testing services at this size and scale or been involved in the development of such programs. This presentation draws upon our experience helping to build and establish periodic testing programs for large enterprise clients and demonstrates some of the leading practices in penetration testing services.

We will cover:
- the business case for ongoing security testing;
- what should be included in a periodic testing program and what to exclude;
- how to leverage risk-based approaches to establish priority-based testing;
- how to secure funding and executive engagement;
- what qualities to look for in service providers in this space;
- how periodic testing supports project-based penetration testing by greatly improving depth of coverage and enabling greater maturity of information security.

About Paul Kastner
Paul is the Sydney Financial Services lead partner for IT risk and security. He has been advising clients on IT and risk management issues for over 25 years. He is a specialist in leading IT change and has a strong focus on information security and IT risk management. He has a strong understanding of security technology, processes and standards, and has helped top-tier organisations across APJ to improve their security. He also has a deep understanding of outsourcing and cloud service providers and has advised both outsourcers and their clients on improving service delivery and managing IT risk and security. Prior to joining EY he led various businesses for a leading security vendor, and as a result is very familiar with security tools and providers. In the broader IT space, he has led the implementation of several core banking and insurance systems and has also led engagements to conduct comprehensive business and IT change programs for banks, insurers, government, oil and gas, utilities and retail clients. He has also served as CIO for a bank.

About Jarrod Loidl
Jarrod is a Senior Manager with Ernst & Young's Melbourne Advisory practice, where he manages the Advanced Security Centre. Jarrod has been involved in IT for 15 years, 9 of them dedicated to IT security. Prior to joining Ernst & Young, he was employed as part of dedicated in-house penetration testing teams and worked for a number of security consultancies delivering security services across Australia. He has been the security lead for projects, including enterprise transformation programs, and has provided penetration testing services for a number of recognised Australian brands. He has also delivered security architecture reviews, governance, risk and compliance (GRC) assessments, audit remediation and security management services. He has delivered a number of presentations for clients and consultancies throughout his career and is active in a number of security forums. He has presented at the Australian Information Security Association (AISA), Open Web Application Security Project (OWASP) and ISACA chapters in Melbourne, as well as the Ruxcon security conference in 2010.

ISACA is an international, not-for-profit, member-based professional association. ISACA develops and maintains frameworks and provides certification and professional development for IT audit, IT governance, IT risk and information security professionals. www.isaca.org/sydney
Frameworks: COBIT 5, RISK-IT, VAL-IT, Business Model for Information Security
Certifications: CISA, CISM, CGEIT and CRISC