Day 2 of NACACS is wrapping up and sessions were energized, topics were relevant, and it’s clear that ISACA gets industry leaders to share their knowledge.  The morning started with all conference attendees at a panel discussion focusing on generic IT Risk, Governance and Control issues. In general, I find panel discussion to be a great time to check the social media feeds, email, and news.  But this one was quite good.  It included a cross-section of industries including IT leaders in healthcare, energy, financial institutions, and consulting.  Consensus among the members are that security is a big deal, and it’s the responsibility of the IT and risk management folks to inform and educate management and decision makers.  We are the knowledge owners and Governance makers need to know what we know.

If these conferences do nothing else, they instill a healthy paranoia about the security of data and information.  Retired Colonel Jeffery Schilling gave great insight about Advanced Persistent Threats (APTs) and handling security incidents.  APTs, if you haven’t heard, are one of the threats-de-jour and involve a super-dedicated attacker (like a nation or organized crime) targeting specific people and information, using ADVANCED techniques, PERSISTENTLY, and apparently in a very THREATENING manner– as opposed to hacking in a nonthreatening manner. Maybe APTs hack with a scowl on their face? The most important takeaway here, Schilling says (I paraphrase because I’m a terrible note taker), the least important part of Incident Response is what you do in a response. The most important part is how you plan for it ahead of time.  That’s smart and I love it.

I was pumped about Top Threats Facing Banks by Russ Horn of CoNetrix.  I’ve seen him in the past and he is consistently on par with the RAS client base.  Surprisingly, the threat landscape for FI’s hasn’t changed a whole lot in the past year. Corporate Account Takeover, wire and ACH threats, and mobile devices are all hot topics.  All of these have been front-of-mind in RAS clients for quite a while now. Although no new fix-it-all controls are available, it’s necessary to stay vigilant and deploy multi-factor authentication and always always always follow your institutions’ wire transfer policy procedures. All Horn’s examples of wire fraud by way of corporate account takeover could have been avoided if the FI’s wire employees explicitly followed the procedures that were in place at the bank.

An in-depth session on iOS security was technical but good.  The major takeaway was that, yes, mobile operating systems can be dangerous and you need to control them.  There are three options; out-of-the-box (BYOD, aka bring your own disaster), Apple products (Configurator, iPhone Configuration Utility), or Mobile Device Management (MDM). I can’t tell you what’s best for your company, but I bet the Google will provide a lot of good insight.

The last session of the day was an update on the use of Service Organization Control Reports. If you deal in Vendor Management, you’re more than familiar with these reports. They are the “new” SAS 70 reports, and there are three SOC reports to choose from (SOC 1, 2, and 3).  These sessions always have the potential to develop into sticky situations– SOC reports are developed and governed by the AIPCA. We are at an ISACA conference, which doesn’t directly compete with the AICPA, but IT folks don’t always like that CPAs are the only ones able sign-off on SOC reports. In one particularly exciting session several years ago at NACACS Chicago, where the AICPA unveiled the new SOC standards, Curtis and I almost came to fisticuffs defending the honor of the CPA profession over internal controls reporting. At least that’s how I remember it. And I thought we’d at least get a plaque for our efforts.

But I digress. My takeaway from the SOC session was that confusion remains in all industries about the differences in the SOC reports, their uses, and especially what happens using the carve-out method of reporting. Do user organizations and user auditors need to review the SOC reports for the carved-out sections? Few attendees had seen or issued a SOC 3 report. We, the CPAs, have a big job of educating the user organizations, service organizations, and even the user auditors about the depth, usage, and function of these reports.

Finally, if you’re looking for a BBQ Revue, just stop. We had Buffalo Filet Mignon. Not the tabasco/butter sauce buffalo, but real live (actually, medium) buffalo from Y.O. Ranch Steakhouse. Please, stop reading this and go eat their food.  In an artistic and ironic turn of events, today’s belt buckle had a buffalo on it, which our waiter noticed.  Which I tweeted, which was retweeted by ISACA International.  Coincidence? Or fate? Only NACACS lore will tell.