Presentations: EuroCACS

23.03.2010 / Risk Management (English) / Peter R. Bitterli
Scenario Based (IT) Risk Assessment / Management
European Conference on Audit, Control and Security (EuroCACS 2010);
Budapest; PDF-File (5.7 MB)

Scenario-based risk assessment – if designed and implemented correctly – enables a team of (IT) professionals to consistently identify, assess and treat risks by combining the experience of internal resources, collected in structured but creative risk identification workshops, with a demonstrably mature risk management process. To balance the necessary creativity of the risk identification workshops, the resulting IT risk landscape is subjected to a quality review based on information from the «IT Grundschutz Handbuch» of the German BSI (available in English), which ensures the completeness of the risk scenarios.


22.03.2010 / Auditing (English) / Peter R. Bitterli
Risk based Audit Planning for SMEs based on IT Process Maturity Assessment
European Conference on Audit, Control and Security (EuroCACS 2010);
Budapest; PDF-File (5.0 MB)

This session will explain a highly efficient approach to identifying IT risks by assessing the maturity of the relevant IT processes. The approach was developed by the IT Standards Board of the Swiss Institute of Certified Accountants and Tax Consultants and is generally valid for all types of auditing in most countries. The risk assessment approach is consistent with recently published standards and related information, such as «IT Controls for Sarbanes Oxley», but aims to be easily understandable by less experienced auditors as well.


16.03.2009 / Auditing (English) / Peter R. Bitterli
Integrated Auditing of (IT) Applications
European Conference on Audit, Control and Security (EuroCACS 2009);
Frankfurt; PDF-File (1.6 MB)

This session shows a step-by-step approach to auditing (financial) applications that was developed by the IT Standards Board of the Swiss Institute of Certified Accountants and Tax Consultants. The «new» approach has been published in German and in French but is generally valid for all types of application auditing in most countries. The audit approach is consistent with recently published standards and related information, such as «IT Controls for Sarbanes Oxley», but aims to be easily understandable by less experienced auditors as well.


17.03.2009 / IT Governance (English) / Peter R. Bitterli
Impossible IT Governance – Hard Facts on Soft Factors
European Conference on Audit, Control and Security (EuroCACS 2009);
Frankfurt; PDF-File (2.1 MB)

Many books have been published that claim to know the one and only truth about IT (or security) governance. They clearly describe the different aspects of governance, explaining how strategic alignment, value delivery, risk management, resource management and performance measurement need to be combined to achieve the overall goal of IT governance. Reality, however, shows that all of this does not seem to work. The known but neglected soft factors, such as leadership and communication skills at every level of management, have a much bigger influence on target achievement than envisaged. Based on more than 25 years of practical experience in IT audit and IT security reviews, the speaker will help you recognize the soft factors that really influence the success of IT governance and use them to your advantage.


20.03.2007 / Security Management (English) / Luc Pelfini
Assessing the Success of Awareness Campaigns
European Conference on Audit, Control and Security (EuroCACS 2007);
Wien; PDF-File (1.2 MB)

The benefits of any expenditure on information security awareness campaigns must be substantiated. This presentation will provide you with guidance on how to identify key performance indicators (i.e. metrics) for information security awareness and how to translate these indicators into a form suitable for recurring assessments.


20.03.2007 / Risk Management (English) / Götz Hoffmann
Integrating IT Risk Analysis into Operational Risk Analysis according to Basel II
European Conference on Audit, Control and Security (EuroCACS 2007);
Wien; PDF-File (344 KB)

IT risk management is one of the foundations of IT security management according to ISO 27001. At the same time, IT risks are usually a relevant part of company-wide operational risk. In the context of Basel II, the totality of operational risks (including IT risks) has to be considered in a company's risk analysis. This session shows a simple method of IT risk analysis that addresses the requirements of both ISO 27001 and Basel II. The method uses a standard threat catalogue that ensures the complete identification of the relevant IT risks without inflating the number of risks that must be handled.


19.03.2007 / Security Management (English) / Peter R. Bitterli
Building an ISMS based on ISO/IEC 27001
European Conference on Audit, Control and Security (EuroCACS 2007);
Wien; PDF-File (838 KB)

ISO 27001 clearly defines what an Information Security Management System (ISMS) should look like, in effect describing the major security management processes any company should have in place. This presentation explains the differences between the «twin standards» ISO 27001 and ISO 17799, concentrating mostly on the ISMS. It clearly shows how existing security organizations and security management processes fit into such an ISMS and what steps your company should take if you want to professionalize your information security management up to the point where you could get certified.


21.03.2006 / Awareness Training (English) / Luc Pelfini
Developing Effective Interactive Security Awareness Trainings
European Conference on Audit, Control and Security (EuroCACS 2006);
London; PDF-File (636 KB)

Interactive training sessions (class based or computer based) offer high potential in terms of effectiveness and user acceptance – provided that some mission critical pitfalls are avoided. This presentation will provide you with critical success factors, prerequisites and step-by-step development tasks for creating a successful interactive awareness training.


21.06.2005 / Risk Management (English) / Peter R. Bitterli
Using Control Self-assessment for Risk Management
European Conference on Audit, Control and Security (EuroCACS 2005);
Oslo; PDF-File (864 KB)

Control self-assessment (CSA) has become one of the magic words in risk management and compliance reviews. But experience shows that the results of CSA are often random and not repeatable, based on superficial evidence, and not used effectively for later improvements. This session will present the critical success factors for performing effective CSAs that produce value for the investment. Though all examples are based on CSA used for BS 7799 compliance, the presented methodology can be used for any type of standard (e.g. COBIT, BS 15000, ITIL).


20.06.2005 / Awareness (English) / Peter R. Bitterli
Keeping Information Security Awareness Training Fresh
European Conference on Audit, Control and Security (EuroCACS 2005);
Oslo; PDF-File (361 KB)

This presentation will provide insight into the tricks of running a successful information security awareness campaign. It will explain both scientific and pragmatic means of analyzing the need for improvement and will help the information security manager recognize the importance of structuring the campaign for different target audiences (e.g., managers, employees, IT staff) and their specific cultural and professional backgrounds. The session will show typical unwanted behaviour of the target audiences and some of their special characteristics that can help in convincing them of something they may not initially be keen to implement.


21.03.2004 / IT Security in Applications (English) / Peter R. Bitterli
Designing Security Controls into (Web-) Applications
European Conference on Audit, Control and Security (EuroCACS 2004);
Zürich; PDF-File (796 KB)

The proper integration of IT security controls when developing new information systems (i.e. business applications) is difficult, poorly understood and therefore often neglected – especially for Web applications. Two fundamentally different approaches to «solving this problem» exist: either looking at risks individually for every application and then implementing appropriate measures, or enforcing a rather strict development methodology that requires specific deliverables at certain points in the project life cycle. This session will look at some existing solutions and then propose a pragmatic but well proven set of tools that help to collect existing risks, plan and implement appropriate mitigating security measures, and ensure that major security deficiencies are recognised before the new application goes live.


29.03.2000 / Auditing IT Security (English) / Peter R. Bitterli
Auditing the Information Security Management System
European Conference on Audit, Control and Security (EuroCACS 2000);
Oslo; PDF-File (1.4 MB)

Reviewing or auditing the Information Security Management System can be a complex and time-consuming task. This session will show you how to efficiently assess the adequacy of your ISMS by combining Control Self-Assessment (CSA) with a more traditional IT audit approach. The CSA is guided by the IT auditor and based on BS 7799, but can easily be adapted to COBIT or other internationally accepted standards. In small to medium companies this proven approach takes just 5 to 10 days for the complete review, providing the auditee with a clear statement on the situation and a list of prioritised recommendations.


28.03.2000 / Information Security Management (English) / Peter R. Bitterli
Creating the Information Security Management System
European Conference on Audit, Control and Security (EuroCACS 2000);
Oslo; PDF-File (1.3 MB)

Organising the Information Security Management System in medium to large enterprises can be quite a difficult task. This session will demonstrate how to set up an information security organisation that defines, regulates, coordinates and reviews corporate information security issues. Based on ideas of the INFOSEC Business Advisory Group of the EU framework, the session will provide workable directions on how to get the job done.


28.03.2000 / Management with COBIT (English) / Peter R. Bitterli
The Value of Control Objectives for Senior Management
European Conference on Audit, Control and Security (EuroCACS 2000);
Oslo; PDF-File (877 KB)

In order to attain business objectives, optimise information value and capitalise on technologies, successful enterprises integrate information technology (IT) and business strategies, culture and ethics. This session will show how you can use the internationally recognised COBIT framework for governance, control and audit of information and related technology to ensure that your IT is governed by generally accepted good (or best) practices, that the enterprise's information and technology support its business objectives, that its resources are used responsibly, and that its risks are managed appropriately.


29.03.1999 / COBIT Introduction (English) / Peter R. Bitterli
COBIT: An Overview of the Framework
European Conference on Audit, Control and Security (EuroCACS 1999);
Zurich; PDF-File (566 KB)

At the time of this European Conference on Audit, Control and Security, COBIT was still not widely known. This presentation explains the COBIT Framework (2nd edition), its elements and the source standards and regulations COBIT is based on. The session will explain how to put COBIT to effective use, how COBIT compares with other methods and what use COBIT will be to the many audiences it has been designed for.


7.10.1997 / COBIT Introduction (English) / Peter R. Bitterli
Using COBIT for Internet Audits
European Conference on Audit, Control and Security (EuroCACS 1997);
Frankfurt; PDF-File (193 KB)

At the time of this European Conference on Audit, Control and Security, COBIT had only just emerged. This presentation explores how the first version of the COBIT Framework could – or rather could not – be used as guidance for auditing the use of the Internet.
