By Bruce H. Nearon

An increasing number of clients are requesting penetration study proposals from CPAs. The demand for these services could be attributed to regulatory requirements such as in the banking, insurance and government sectors, or greater awareness of security threats and exposures on the part of business managers.

The problem is there is no common generally accepted definition or best practices for penetration studies. Perhaps the client really wants a vulnerability assessment. Likewise, there is no common definition for vulnerability assessments or benchmarks to determine due professional care for practitioners.

Learn about the objectives of a penetration study—to breach a computer system from outside, and obtain the administrator’s password to critical servers and/or confidential information that reside on the system—by attending the Sept. 10 continuing professional education (CPE) presentation organized by the New York State Society of CPAs Emerging Technologies (ET) Committee. Designed for auditors, consultants, CEOs, CFOs and CIOs who want to learn more about penetration studies and vulnerability assessments, this one-hour CPE session also will address the elements of a properly planned and conducted penetration study. These include: enumeration and footprinting, automated scanning, obtaining physical information on the target, social engineering and breaching security. The differences and similarities between penetration studies and vulnerability assessments will be discussed as well.

Through attending this session, you will be able to explain these services to your clients, and will learn where to get training and resources should you desire to bid on this type of work. The market for penetration studies and vulnerability assessments is growing rapidly and offers great opportunities to expand your service offerings and reduce information technology security risks for clients.

Date: Tuesday, Sept. 10, 2002
Time: 8:30 a.m. to 9:00 a.m.: registration, networking, free continental breakfast 9:00 a.m. to 10:00 a.m.: CPE session
Presenter: Joel Lanz, CPA, CISA, CISSP
Location: NYSSCPA headquarters, 530 Fifth Avenue (between 44th and 45th streets), fifth floor, New York City

About the Presenter

Mr. Lanz is a former Big Five technology risk consulting partner and vice president of a large financial services organization’s auditing department. He heads a CPA practice that focuses on providing technology risk management services. Mr. Lanz is a member of the NYSSCPA Emerging Technologies Committee and is an adjunct faculty member of the School of Computer Science and Information Systems at Pace University. He can be reached at jlanz@itriskmgt.com.

Additional Information

This NYSSCPA/Foundation for Accounting Education (FAE) morning CPE presentation is free to NYSSCPA members and $15 for nonmembers to qualify for one hour of CPE credit. At the session you will get the chance to network with the profession’s and the industry’s IT leaders.

Advance registration is recommended because seating is limited.

For additional information, contact Gary Carpenter at (315) 487-4567 or gcarpenter-cit@worldnet.att.net or Bruce H. Nearon at (973) 403-6955 or bnearon@jhcohn.com.

To register: contact FAE at (212) 719-8383 or (800) 537-3635 or visit the Society’s website at www.nysscpa.org. Select the Find Committees link at the left of the screen, scroll down to the Emerging Technologies Committee, select it, and then select “9/10/02 – CPA Perspective on Penetration Studies and Vulnerability Assessments” located under the FREE IT CPE banner.

Acknowledgments

J.H. Cohn LLP helped provide the funding and resources for the continental breakfast, marketing and publicity, and administration of this event.

Gary Carpenter, of Carpenter Information Technologies, helped administer this event.