Facilitator: Mr. Igor Martinez
IT Auditor Specialist, Internal Audit
Blue Cross Blue Shields of Florida
Introduction: Fraud
1. What is fraud? How do we identify fraudulent activities?
2. What are companies doing to prevent fraudulent activities?
3. Preventing fraud - the role of IT Auditing within the organization.
4. How can IT Auditors maximize their audit to identify fraudulent activities?
5. Federal Government - the False Claims Act.
6. Ways to protect yourself from being a victim of fraud.
7. Questions?
Identifying Fraudulent Activities
As long as companies and people continue to exchange sensitive information, content, data and transactions over the internet, the chance of identity theft and other forms of online fraud will proceed to flourish.
The Motive
According to the Privacy Rights Clearinghouse, more than 100 million notifications have been sent to individuals in the United States under state disclosure notification laws, informing them that their personal information has been lost or stolen. That equates to 100 million people who are now targets for identity theft and online fraud.
Wow! 100 Million
In criminal law, fraud is the crime or offense of deliberately deceiving another in order to damage them, usually to obtain property or services unjustly. Computer crime and fraud are regarded as synonymous by many. But it's important to remember that it's not the computers that commit crimes; it's the people that use them, and the cost of their crimes to business is immense.
Computer Crime is Fraud
• False Caller ID gives the impression that the person calling you is from a legitimate company. An individual will call you from their number, but when the information comes through your caller ID box it indicates, for example, that 'FirstBank' is calling you (although the caller's true number is displayed).
• Check Fraud occurs in a variety of forms. Typically, a completed check is stolen from your mailbox, home, or office. Checks contain your signature, account number, and routing number. This information can be used by thieves to print new checks from their computer. In addition, stolen checks can be altered using a variety of techniques, which can result in a changed payee or amount.
• Credit and Debit Card Fraud occurs when someone receives your card information from a non-bank source. Typically, a counterfeit card is produced with your card number and their name.
Examples . . .
The Internet Crime Complaint Center, or IC3, a partnership of the FBI and the National White Collar Crime Center, in 2007 released its latest annual report on victims' complaints received and referred to law enforcement.
Among the results:
"Internet auction fraud was by far the most reported offense, comprising 44.9% of referred complaints. Non-delivered merchandise and/or payment accounted for 19.0% of complaints. Check fraud made up 4.9% of complaints. Credit/debit card fraud, computer fraud, confidence fraud, and financial institutions fraud round out the top seven categories of complaints referred to law enforcement during the year."
Internet Fraud
IT Auditors need to understand that there has been a change in the paradigm of how business is being conducted and how information is being stored, and they need to be aware of the cyber-threat.
If you don't recognize that the threat is out there, you can't protect yourself against it.
Although many attacks come from outside the organizations, some are ‘insider jobs’ - carried out by employees who have access to systems within the company’s defenses.
The Insiders
Something the Sumitomo Mitsui Bank in the City of London found out in 2006. Fraudsters attempted to steal approximately $420 million from the bank by entering the building as cleaning staff and connecting hardware bugs to the keyboard sockets of the bank's computers. The bugs captured keystrokes to reveal account details and other information.
Sumitomo Mitsui Bank Keystrokes
• Phishing refers to authentic looking emails that typically ask for your immediate attention and instruct you to follow a link to a website to update your personal information.
Most major internet sites and financial institutions have been targeted, including Citibank, PayPal, eBay, Bank of America, Wells Fargo, the Internal Revenue Service (IRS), and America Online (AOL). These scams usually show up in your email inbox as a message from the "System Administrator" telling you to perform some urgent maintenance on your account. If you ever get a message like this, be very, very careful.
• Creating false websites is referred to as spoofing. These websites can often be identified by their incorrect web addresses, which may simply appear as a string of numbers.
Phishing and Spoofing are two of the most commonly used methods of fraudulently obtaining personal information.
In the Information Technology (IT) and internet arena...
Phishing Spoofing
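As an added example (not part of the presentation), the following Python script applies the slide's own two indicators, a web address that is just a string of numbers and a web address that does not belong to the institution the email claims to come from, to every link found in a message. The sample message text, the `expected_domain` parameter and the indicator names are constructed for this illustration.

```python
"""Added example: flag links in an email that show the spoofing indicators the
slide describes. The message text and expected-domain values are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_under_domain(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_link_indicators(url, expected_domain):
    """Return the spoofing indicators a link shows; an empty list means none found.

    expected_domain is the registered domain of the institution the message
    claims to be from (an assumption supplied by the caller, e.g. the bank's
    real domain as printed on your statement).
    """
    host = (urlsplit(url).hostname or "").lower()
    flags = []
    # A web address that is just a string of numbers (an IP literal) instead of a name.
    try:
        ipaddress.ip_address(host)
        flags.append("numeric-ip-host")
    except ValueError:
        pass
    # The link does not lead to the institution the message claims to be from.
    if not host_under_domain(host, expected_domain):
        flags.append("host-not-under-expected-domain")
        # The brand name is embedded in some other site's name to look legitimate.
        brand = expected_domain.split(".")[0]
        if brand in host:
            flags.append("brand-name-in-foreign-host")
    return flags


def scan_message(text, expected_domain):
    """Map every link in the message body to its list of indicators."""
    return {url: suspicious_link_indicators(url, expected_domain)
            for url in URL_RE.findall(text)}


# Constructed sample message for demonstration only (192.0.2.0/24 and .test are
# reserved documentation values, not real hosts).
SAMPLE_MESSAGE = """From: System Administrator
Your account requires urgent maintenance. Please confirm your details at
http://192.0.2.10/account/update or https://examplebank.com.login-verify.test/
Contact us any time at https://www.examplebank.com/support
"""

if __name__ == "__main__":
    for url, flags in scan_message(SAMPLE_MESSAGE, "examplebank.com").items():
        print("SUSPICIOUS" if flags else "ok", url, flags)
```

The check is deliberately conservative: a link is only reported when its host is numeric or falls outside the expected domain, so ordinary links to the institution's own subdomains pass. The brand-in-host flag is a second signal layered on a mismatch, not a test on its own.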
We are used to the idea that technology should be deployed to beat IT-enabled crime. World class firewalls, for example, can help fortify an organization - rather like thick castle walls that prevent the bad guys from getting in. Inside those walls, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can monitor applications and services and raise the alarm when access is attempted by an unauthorized stranger, or when unusual behavior is discovered.
But if we use technology to counter IT problems, we also need to use people to counter human crimes. If employees are vigilant, and if they understand what is expected of them, then security will be enhanced.
Firewalls, IDS, and IPS
IT Components that must be audited . . .
The Open Systems Interconnection Basic Reference Model (OSI Reference Model or OSI Model for short) is a layered, abstract description for communications and computer network protocol design, developed as part of the Open Systems Interconnection (OSI) initiative. It is also called the OSI seven layer model.
The OSI Model
Layers 7 through 4 comprise the upper layers of the OSI protocol stack. They are more geared to the type of application than the lower layers, which are designed to move packets, no matter what they contain, from one place to another.
Layers 3 through 1 are responsible for moving packets from the sending station to the receiving station.
The OSI model provides a conceptual framework for communication between computers, but the model itself is not a method of communication. Actual communication is made possible by using communication protocols. In the context of data networking, a protocol is a formal set of rules and conventions that governs how computers exchange information over a network medium. A protocol implements the functions of one or more of the OSI layers.
OSI - Pictorial
• Changes in our personal profiles (e.g. address, SSN, phone numbers, etc).
• Changes in our access capabilities (e.g. accounts, sites, transactions, etc).
• Changes in our computer configurations (e.g. IP address, passwords, drive location, etc).
• Changes in transactions, not authorized (e.g. money transfers, debit/credit to accounts, etc).
As victims, how do we identify fraudulent activities?
Some symptoms of fraud:
• Accounting anomalies
• Internal control weaknesses
Internal control weaknesses include:
• Lack of separation of duties
• Lack of physical safeguards
• Lack of independent checks
• Lack of proper authorization
• Overriding of existing controls
• Inadequate accounting system
• Lack of proper documents and records
What are companies doing to avoid fraud?
• Companies have increased their ethics and fraud-prevention policies and procedures significantly since 2001 and 2002, the years in which fraud came to the forefront.
• Corporate awareness programs.
• Enhanced corporate compliance policies.
• Open communication between business and IT.
• There are also a number of formal bodies that organizations can work with to minimize the amount and the impact of fraud, including accredited Computer Emergency Response Teams who can help trace anyone illegally trying to access systems.
• Organizations need to establish a culture in which their people are all jointly responsible for defending the company against attack. That requires everyone to know how to behave responsibly, be alert to potential problems, and understand the best course of action when confronted by a malicious attack.
• Since 80% of all e-crime is caused by people making a mistake, organizations need to develop programs aimed at prevention, education and raising awareness. This might involve obligatory Computer-Based Training (CBT) packages to be taken at regular intervals, company-wide security clinics, or even global road-shows to ensure awareness is maintained. Organizations may also wish to consider a 24/7 helpdesk to provide support and advice, and to capture details of any incidents that occur.
Culture, Training, and Help Desk
• Knowing and understanding your IT processes, specifically the one under review.
• Considering IT interdependencies associated with the IT process under review.
• Designing and developing good audit programs and testing steps, with emphasis on "high risk" areas.
• Analyzing audit results with IT areas.
• Following up and participating in the remediation efforts, if any.
• Improving the use of technology to detect fraud.
How can Information Technology Auditors help to minimize fraud within the organizations?
• Corporate awareness programs
• Strengthen ethics policies and procedures
• Strengthen background checks on key employees
• Address weaknesses in the processes and computer systems
• Improve the use of technology to detect fraud
How can we minimize the risk of Fraud?
The False Claims Act is a unique federal law that allows citizens with evidence of fraud against the federal government to sue, on behalf of the government, to recover triple the amount that has been defrauded from the government. As compensation for their efforts, the citizen, known as the “relator,” can receive an award, typically between 15% and 30% of the total amounts recovered.
What is the False Claims Act?
Ask Yourself:
• What are the weakest links in the IT department’s internal controls?
• What deviations from acceptable business practices are possible?
• How can I get access to unauthorized transactions (e.g. checks, payroll)?
• What accounting accounts are easiest to access and forge?
Conclusion
Be Aware of Your Environment
Take Steps to Minimize Fraud
Be Aware of Red Flags to Detect Fraud
Balance Risk and Controls
ERM – Enterprise Risk Management Programs
Fraud Opportunity Checklist
Facilitator: Mr. Igor Martinez
• IT Auditor Specialist, Internal Audit
Blue Cross Blue Shields of Florida
• Vice-President – ISACA Jacksonville Chapter
QA and Thanks
Information Security
Presented by:
Bob Gardner, CISA
November 7, 2007
Presentation Topics
General computer controls – four pillars
Definition of information security risk
Examples of recent data breaches and hacking
Recent legislation that is mandating strong internal controls over information security
What types of data need to be secured
Identity Theft - How does this impact you?
IT Auditors Role Concerning Information Security
Common internal company challenges to secure data
Reliance on Third Party Service Providers
Components of a strong information security control environment
Four pillars of IT General Computer Controls
1. System Development Methodology – project sponsor, user requirements, testing
2. Program Change Control – three environments: Test, Quality Assurance, Production
3. Computer Operations – system backups, automated scheduling, virus protection
4. Information Security – organization, policies, standards and procedures, firewall, authorization, authentication, principle of least privilege
Information Security Risk
• The risk that confidential or otherwise sensitive information may be divulged or made available to those without appropriate authority. An aspect of this risk is privacy, the protection of personal data and information, which in many countries and regions is required by law to be addressed.
Source: ITGI (IT Governance Institute)
Hacking and data breach examples
• TJX – millions of credit card numbers were compromised (latest loss estimates – $$$ millions placed in loss reserves)
• Big Banks – backup tapes lost
• Medium, Small companies – some have gone out of business because of loss of business and consumer confidence after data breach
• Universities systems hacked
• Laptops stolen – public accounting firm, internal theft
Recent Legislation –Stronger Controls
• Recent Legislation that is mandating stronger internal controls over data – which includes data transmissions, financial reporting, sensitive non-public information.
• Heightened regulatory scrutiny is resulting in penalties and fines for non-compliance.
Recent Regulations Passed to Require Stronger Controls over Sensitive Information
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley – privacy law designed to protect sensitive financial information
• Sarbanes-Oxley – requires controls over the financial reporting process for publicly traded companies (not only accounting controls but also access controls over financial reporting data)
• Payment Card Industry – sponsored by VISA (i.e. credit card number)
• California SB 1386 – anti identity theft law - requires public disclosure
NOTE: Most of the above require Board of Director oversight and responsibility for sound Information Security management processes
ISO 17799
ISO 17799 (a comprehensive set of controls comprising best practices in information security):
– Security Policy
– System Access Control
– Computer & Operations Management
– System Development and Maintenance
– Physical and Environmental Security
– Compliance
– Personnel Security
– Security Organization
– Asset Classification and Control
– Business Continuity Management (BCM)
Where is the information that needs to be secured?
Hardcopy – management reports, customer/member sensitive information (account number, account status, current balance)
Electronic
• Databases – Oracle, Microsoft SQL Server, Mainframe, Microsoft Access
• Excel files – in all of the companies I have worked for, Excel is used extensively in Accounting and Finance departments to perform complex data analysis and data manipulations
• Online reporting systems – typically READ-only central report repositories
• Ad hoc report writers that can READ the data – i.e. Crystal Reports, Brio Query
• Application systems access through transaction security
• Emails – from upper management may be very sensitive
• Data file transmissions to business partners
• Sensitive data on company laptops – if a laptop is stolen without tools such as encryption that protect others from accessing the laptop hard drive
• Flash drives – does your company allow the use of these?
Identity Theft
• According to the Federal Trade Commission – they estimate that about 9 million individuals are victims of ID theft annually
• The U.S. Department of Justice puts the figure around 3.5 million
What Should You Do to Protect Your Information?
• Do not assume that your information is protected – BE PROACTIVE, be a little skeptical, and monitor your banking/financial information as best you can
• Ask questions about information security with companies you do business with
• Emails – do not click links in emails (instead, type the URL into a browser that you KNOW to be correct if you need to go to the site advertised)
• Fight identity theft by monitoring your banking activity for accuracy and mistakes
• Shred financial documents before discarding them
• Protect your social security number
• Don't give out personal information unless you know who you are dealing with
• Don't use obvious passwords
• Inspect your credit report – you can get a free one once a year
• Consider products that report to you changes to your credit report
IT Auditor's Role Related to Information Security
• To evaluate and test existing controls around Business/Legal/Information Technology risks – (i.e. Information Security Policies, Standards and Related Procedures)
• Test security access rights over network, operating system, database rights, and application system security, data transmissions, third party service providers, external web sites of business partners
• Report to management exposures and risks related to information security
• To educate business and IT management on the importance of controls that reduce risks – during the audit process, and by consulting through participation in a new system development project.
• To maintain proficiency with technological advances – (i.e. new operating systems) by reading/research internet, targeted training classes
Sample Audit Findings Concerning Information Security
• Accounts Payable employees have Accounts Payable system access that allows them to create a new vendor and process invoices. (Segregation of duties exception)
• An excessive number of Accounting Department employees have the ability to post a prior period transaction to the General Ledger system. (Principle of least privilege)
• Employees who transferred to another department still had access to systems that their former job required. (Lack of periodic system security access review by management)
• Password control requirements for the Payroll system do not meet the minimum length and complexity requirements of the Company password policy.
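The four sample findings above can be tested mechanically from system extracts rather than by reading access listings by hand, which also illustrates the "lack of separation of duties" and "lack of independent checks" weaknesses listed earlier under symptoms of fraud. The following Python script is an added example, not the presenter's material: it runs a segregation-of-duties rule, a least-privilege head-count, a transfer-versus-access comparison and a password-setting comparison over constructed entitlement, HR and configuration extracts. The department-to-privilege mapping, the toxic-combination rule, the holder threshold and the policy values are assumptions made for the illustration.

```python
"""Added example: scripted access-review checks for the four sample findings.
All extracts, rules and thresholds below are constructed for illustration."""
from collections import defaultdict

# Constructed entitlement extract: (user, current department, system, privilege).
ENTITLEMENTS = [
    ("alice", "Accounts Payable", "AP", "create_vendor"),
    ("alice", "Accounts Payable", "AP", "process_invoice"),
    ("bob", "Accounts Payable", "AP", "process_invoice"),
    ("carol", "Accounting", "GL", "post_prior_period"),
    ("dave", "Accounting", "GL", "post_prior_period"),
    ("erin", "Accounting", "GL", "post_prior_period"),
    ("frank", "Marketing", "AP", "process_invoice"),  # moved out of AP, access never removed
]

# Constructed HR extract of transfers: user -> (former department, new department).
TRANSFERS = {"frank": ("Accounts Payable", "Marketing")}

# Assumed mapping of which department legitimately holds each privilege.
PRIVILEGE_OWNERS = {
    ("AP", "create_vendor"): {"Accounts Payable"},
    ("AP", "process_invoice"): {"Accounts Payable"},
    ("GL", "post_prior_period"): {"Accounting"},
}

# Assumed toxic combination: one identity may not both create vendors and pay invoices.
SOD_RULES = [(("AP", "create_vendor"), ("AP", "process_invoice"))]

# Constructed password settings exported from each system, and the company policy.
PASSWORD_SETTINGS = {
    "AP": {"min_length": 10, "complexity": True},
    "Payroll": {"min_length": 6, "complexity": False},
}
COMPANY_PASSWORD_POLICY = {"min_length": 8, "complexity": True}


def privileges_by_user(entitlements):
    """Collapse the extract into user -> set of (system, privilege)."""
    held = defaultdict(set)
    for user, _dept, system, priv in entitlements:
        held[user].add((system, priv))
    return held


def sod_exceptions(entitlements, rules=SOD_RULES):
    """Finding 1: identities holding both halves of a toxic combination."""
    held = privileges_by_user(entitlements)
    return sorted({user for user, privs in held.items()
                   for a, b in rules if a in privs and b in privs})


def least_privilege_exceptions(entitlements, system, priv, max_holders):
    """Finding 2: a sensitive privilege held by more identities than management approved.
    Returns the full holder list when the threshold is exceeded, else an empty list."""
    holders = sorted({u for u, _d, s, p in entitlements if (s, p) == (system, priv)})
    return holders if len(holders) > max_holders else []


def stale_access_after_transfer(entitlements, transfers, owners=PRIVILEGE_OWNERS):
    """Finding 3: transferred staff still holding privileges owned by a department
    other than their current one."""
    stale = []
    for user, dept, system, priv in entitlements:
        if user in transfers and dept not in owners.get((system, priv), set()):
            stale.append((user, system, priv))
    return sorted(stale)


def password_policy_gaps(settings, policy=COMPANY_PASSWORD_POLICY):
    """Finding 4: systems whose configured password rules fall below company policy."""
    gaps = {}
    for system, cfg in settings.items():
        issues = []
        if cfg["min_length"] < policy["min_length"]:
            issues.append(f"min_length {cfg['min_length']} < {policy['min_length']}")
        if policy["complexity"] and not cfg["complexity"]:
            issues.append("complexity not enforced")
        if issues:
            gaps[system] = issues
    return gaps


if __name__ == "__main__":
    print("SoD exceptions:", sod_exceptions(ENTITLEMENTS))
    print("Prior-period posters over limit:",
          least_privilege_exceptions(ENTITLEMENTS, "GL", "post_prior_period", 2))
    print("Stale access after transfer:", stale_access_after_transfer(ENTITLEMENTS, TRANSFERS))
    print("Password policy gaps:", password_policy_gaps(PASSWORD_SETTINGS))
```

Each function returns the evidence for one finding, so the same script can feed a periodic access review: the threshold in the least-privilege check is the number of approved holders management has documented, and the owner mapping is what a periodic security access review by management is supposed to maintain.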
Common internal company challenges to secure information
Lack of management support – tone at the top (CEO or Board of Directors may not be properly educated to view information security as one of their greatest risks)
Employee hiring – good hiring practices and decisions
Lack of a strong Information Security policy (without it, there is less accountability and understanding of what the company expects from its employees)
Lack of resources in the Information Security Department – people and dollars to support initiatives such as information security awareness
Limit access on a need to know only – takes time ($) to set up application security correctly (use the principle of Least Privilege)
Lack of training of managers responsible for information security – business users and IT Managers
Reliance on Third Party Service Providers
• Third party service providers (i.e., ADP or Ceridian for payroll processing, Fidelity for mortgage loan processing)
• A third party service provider is an extension of the company's control environment.
• Must rely on their control environment (management – tone at the top, policies, etc.)
• Contract – right to audit
• One of the tools we rely on is the SAS 70 report
• Vendor management practices:
- service level agreements (i.e. system up time, daily transactions are processed by 6:00 p.m.)
- scheduled weekly meetings to discuss operational issues and follow-up of previously identified issues
- review financial reports annually to ensure they are going to be in business in the future
Components of a Strong Information Security Control Environment
• Top management support – CEO and Board support (CRITICAL) - if this condition does not exist, uphill battle
• Organizational position (Manager of IT organization or placed as a Director in Risk Management Division)
• Head of Information Security - Need to be a visionary - to lead company with plans to keep up with forever changing landscape of new risks, threats and technology
• Policies, standards and detailed procedures
• CIO or Information Security Officer periodically report to Board on risks and threats (many Board of Directors need the education of Information Security issues)
• Risk Assessments Performed – (at least annually)
• Security Monitoring by Network Information Technology team
SUMMARY
Information Security (limited view) – A Very Important/Broad area of responsibility
Data Breaches
Recent Legislation related to Information Security
Information – Where is it?
Identity Theft and how to be proactive to protect your own sensitive information
IT Auditors role related to Information Security Control Objectives
Common internal company challenges to secure data
Reliance on Third Party Service Providers
Components of a strong information security control environment
Thanks and Q/A
Questions ??? & Thank You!!!
Technology Audit Issues
Presented By:
Wendy Fuerstenberger, CISA, CIA
November 7, 2007
Discussion Points
1. What is IT Audit?
• Definition
• Importance To The Organization
• The Audit Process
2. IT Infrastructure Components
3. IT Audit Issues and How They Affect The Business
What is IT Audit?
• IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations.
IT Audit
Importance To The Organization
• Availability: Will systems be available when required?
• Confidentiality: Will information only be disclosed to authorized users?
• Integrity: Will information provided by the system be accurate, reliable and timely?
Importance
The Audit Process
• Planning & Preliminary Assessment
• Conduct Fieldwork
• Report
• Follow-up
Audit Process
Risk Assessment
• Third Party Management
• Business Continuity
• Change Control
• Security
• Application Development
• Database Management
• Network Infrastructure
• Planning and Strategy
IT Infrastructure Components
Planning & Strategy
Potential Audit Issues:
Issue: Lack of formal strategic planning process
Impact: IT not aligned with corporate strategy
Issue: Lack of formal policies and procedures
Impact: Management's expectations relating to IT are not communicated and/or consistent across the organization
Network Infrastructure
Potential Audit Issues:
Issue: Lack of perimeter protection – firewalls
Impact: Hacker attack that could result in the loss of corporate data
Issue: Lack of capacity planning – network/server performance
Impact: Slow network/server performance may impede productivity
Database Management
Potential Audit Issues:
Issue: Table access not adequately secured
Impact: Integrity of data compromised
Issue: Inadequate database indexing and tuning procedures
Impact: Slow database performance which can impede daily business processing
Application Development
Potential Audit Issues:
Issue: Lack of formal development process
Impact: Applications may not meet business requirements
Issue: Lack of testing
Impact: System outages
Security
Potential Audit Issues:
Issue: Lack of intrusion detection procedures
Impact: Hacker attack may not be detected in a timely manner – increased damage
Issue: Inadequate user access management
Impact: Unauthorized access to sensitive corporate data
Change Control
Potential Audit Issues:
Issue: Changes not properly reviewed / authorized by all stakeholders
Impact: Changes may indirectly have negative impact on operations
Issue: No formal "back-out" plans for changes
Impact: System outages
Business Continuity
Potential Audit Issues:
Issue: Lack of formal business continuity plans
Impact: Business will not be able to function in a disaster situation
Issue: Lack of disaster recovery testing
Impact: Delay in recovery of systems may negatively impact business operations
Third-Party Management
Potential Audit Issues:
Issue: Lack of formal third-party management process
Impact: Third-party performance may not meet business requirements
Issue: Lack of formal contract review by legal counsel for critical outsourced processes
Impact: Company may not be adequately protected in the event of litigation
Thank You!
QA and Thanks
Introduction
• Founded in 1969 as the EDP Auditors Association (EDPAA): from the efforts of a handful of interested auditors in Southern California, the Electronic Data Processing Auditors Association (EDPAA) was organized in 1969.
• Its first conference was held in January 1973, just before the exposure of the Equity Funding scandal, and its first regular publication, The EDP Auditor, began in May of the same year.
• In 1977, the EDPAA's Foundation (EDPAF) published its first edition of Control Objectives, a compilation of guidelines, procedures, best practices, and standards for conducting EDP audits.
• In June 1978, the EDP Auditors Foundation (EDPAF) introduced its certification program, the Certified Information Systems Auditor (CISA). Because of information technology, some internal and external auditors wanted a separate certification for auditors of Information Technology; the CISA provided the vehicle. The first CISA exam was given in 1981 and offered in two languages.
Historical Highlights
• Between 1992 and 1996, Control Objectives underwent a major revision. Since 1996, the document goes by the title CobiT (Control Objectives for Information and Related Technology).
• CobiT was revised in 1998 and 2000 (third edition), and is available on CD-ROM and online.
• CobiT has become an authoritative, up-to-date, international set of generally accepted IT control objectives for day-to-day use by business managers, users of IT, and IS auditors.
• In June 1994, the EDPAA formally changed its name to Information Systems Audit and Control Association (ISACA). Over the years, EDPAA/ISACA has held training seminars, sponsored technical journals, and assumed sponsorship of the Computer Audit, Control and Security conferences (CACS) begun by Harold Weiss in the 1960s.
• More than 70,000 members in over 140 countries
• More than 170 chapters worldwide
Historical Highlights
ISACA Growth
It became even stronger in 2006, as unprecedented growth brought the total number of members to more than 70,000 worldwide by year-end, increasing the 2005 year-end figure by 13 percent. This growth was supported by increases in each of ISACA's five geographic areas: Asia, Europe/Africa, Latin America, North America and Oceania. ISACA was also especially pleased to note a 124 percent increase in the number of student members during the
• Information Systems Control Journal
• JournalOnline articles
• Discounts on ISACA conferences
• Global Communiqué online
• Standards, Guidelines & Procedures
• Career Centre – enhanced capabilities
• K-NET (more than 6,000 links)
www.isaca.org/benefits
ISACA Benefits
• Discounts on CISA and CISM exams & materials
• Research publication downloads
• Discounts on IT Governance Institute (ITGI) research publications
• Audit programs & Internal Control Questionnaires
• Peer-reviewed bookstore
More Benefits
Local Chapter Benefits
• Access to affordable local continuing education
• Information exchange opportunities through chapter meetings
• Networking with your professional peers
• Leadership experience on local boards and committees
• Opportunity to make a positive impact on the local business community and the profession
CISA Statistics
• 13,937 registered for the June 2007 exam
• 3,926 have already registered for the December 2007 exam*
• More than 50,000 people have earned the designation since inception
• More than 40,000 are currently certified
[Chart: CISA exam statistics by year, June Exam vs. December Exam, 2004-2006]
CISM Statistics
• 1,946 registered for the June 2007 exam
• 476 already registered for the December exam
• 6,500 certified since inception
• 5,000 currently CISM certified
[Chart: CISM exam statistics by year, June Exam vs. December Exam, 2004-2006]
Certification Requirements
• Passing score on CISA/CISM Exam
• At least five years of experience (substitutions available)
• Adherence to Code of Professional Ethics
• Minimum 120 hours of continuing education every 3 years
Comprehensive Student Program
• Reduction of student dues: $25
• New member fee waived
• All benefits delivered electronically
• Many chapters reduce or waive chapter dues for students
• Student area of the web site
– Student membership application
– Benefits of membership
– IT Audit Basics articles
• Eligibility and dues
– Students MUST provide proof of full-time enrollment
– Reviewed by staff, therefore no online join functionality
www.isaca.org/student
ISACA Events-Conferences
Certification
• Passing the bar
• Fit for use
• Verified to have met a standard
Doesn't necessarily equate to competency
Why Certification?
• Satisfaction/personal accomplishment
• Practical assessment of skills
• Useful metric of base competency
• Rite of passage
• Typical requirement for consulting
• Help in career progression/compensation
• Recognition of special knowledge
• Resume distinction in a tight job market
Average Salary by Certification
Certification Selection
What makes a certification authority viable?
• Industry Recognition or Accreditation
• Body of Knowledge culled from industry
• Integrity
• Longevity
• Prestigious membership
• Recertification
What is added to the certificate: You!
• Experience & performance
• Professionalism & Integrity
• Proven track record
• Recertification activities
• Education & Training
• Intellectual study
Formula = You + Experience + Certification
Top Certifications
Security Certifications: CISSP, CISA, CFE, GIAC, CPP, MBCP
Audit Certifications
GIAC certifications cover four IT/IT Security job disciplines:
• Security Administration
• Management
• Audit
• Software Security
CPP - Certified Protection Professional
Nearly 10,000 professionals have earned the designation of CPP™. This group of professionals has demonstrated its competency in the areas of security solutions and best business practices through an intensive qualification and testing program. http://www.issa.org/Resources/Industry-Certifications.html#CCSA
Information Security Certifications
• CEH – Certified Ethical Hacker
• CISM – Certified Information Security Manager
• CISSP – Certified Information Systems Security Professional
• CSP – RSA Certified Security Professional
• ECSA – EC-Council Certified Security Analyst
• GIAC – Global Information Assurance Certification
• ISSPCS – International Systems Security Professional Certification Scheme
• LPT – Licensed Penetration Tester
• PCIP – Professional in Critical Infrastructure Protection
• Security+ – Computing Technology Industry Association (CompTIA)
• SSCP – Systems Security Certified Practitioner
• Symantec: SPS – Symantec Product Specialist; STA – Symantec Technology Architect; SCSE – Symantec Certified Security Engineer; SCSP – Symantec Certified Security Practitioner
Audit Certifications
• CCSA – Certification in Control Self-Assessment
• CIA – Certified Internal Auditor
• CISA – Certified Information Systems Auditor
• CISM – Certified Information Security Manager
• CSA – Control Self-Assessment
CISA – Certified Information Systems Auditor
• Gold standard for IS auditors
• Founded 1978 by ISACA
• Code of Professional Conduct
• 5 years experience required & verified
• Certification exam based on Practice Analysis of IS audit professional's skills
• Three-year 120 CEU recertification cycle
Curious about Membership
Like many professional organizations, we assist the members by supporting their chosen profession.
Formula for Development = Experience, Certification (becoming familiar with the CBOK), and You.
ISACA Jax Chapter would add membership and participation in one or more professional associations related to your current job or your aspirations as part of the developmental path.
You too can join 70,000 professionals from 170 countries who have joined ISACA.
Start small: come to our next seminar or lunch meeting, where we do IT in many forms: controls, audits, vulnerabilities, familiarization with new technologies.
You do not get a Vegimatic with your membership, but you do get the ISACA Journal.