At Financial Information Security Decisions, many of the industry's leading information security experts gathered to share vendor-neutral expertise and proven security strategies. If you couldn't make it to New York City for this year's event, you can catch up here. Below you can download speaker presentations from a selection of this year's sessions. Feedback on Financial Information Security Decisions presentations can be submitted via SearchFinancialSecurity.com.
Social Networking and Security: The Business Risks of Employee Information Sharing
Employees are sharing large amounts of data about their personal and professional lives through social networking sites. Some of this information may appear to have no value - someone's favorite color, their address, the name of their boss, or the name of their childhood pet. However, attackers have become increasingly sophisticated at mining and correlating this personal information in creative ways, often putting the business at risk. Dr. Hugh Thompson exposes the new risks to businesses that have resulted from employee information sharing.
Internet Nails: Downstream Consequences of Bad Software Design
For want of a nail, the shoe was lost. For want of a shoe, the horse was lost. For want of a horse, the knight was lost. We're used to dealing with the problems that are in front of us right now, but never seem to have the time to stop and ask ourselves 'how did we get here?' Security luminary Marcus Ranum discusses the downstream consequences of apparently simple decisions, and the long-term costs that accrue from failing to re-assess them before it's too late.
Practical Risk Management Approaches
Providing a foundation for risk governance within financial services organizations should be treated as a key business initiative, and successfully managing risk eases the compliance burden. In this session, Eric Holmquist, with more than 27 years in the financial services industry, explores practical approaches to key program elements that provide your organization with an enterprise-wide approach to risk management.
Intersecting State and Federal Data Protection Acts
The legal landscape for data protection has changed markedly in 2010. Massachusetts and Nevada have passed new regulations requiring organizations that store, process or communicate personal identifying information (PII) to notify victims in the event of a breach and to implement administrative and technical controls to prevent breaches. At the federal level, H.R. 2221, the Data Accountability and Trust Act (DATA), cleared the House with a voice vote and, in its current form, requires similar controls. In this presentation, Richard E. Mackey Jr., vice president of consultancy SystemExperts, discusses key requirements associated with the Massachusetts and Nevada regulations and how these state-level laws affect NYC-based organizations, an introduction to the federal DATA bill and what you can do now to prepare, and how organizations should construct a security program to meet these requirements.
FFIEC Guidance for Remote Deposit Capture: What is Expected of You
One of the most profound areas of operational risk for financial institutions is that of third party risk. Organizations depend on these critical resources to support day-to-day operations, and yet have virtually no control over how they are managed. Maintaining world-class vendor management is critical to a sound risk management program. In this session, Holmquist covers essential elements of vendor management, ensuring accountability and the importance of risk analysis of service providers, among other topics.
The Abridged Application Security Program
While much progress has been made during the past decade in the field, starting a new application security program today can still feel like an attempt at boiling the ocean. Open discussion about popular practices and maturity models has now become commonplace, but mid-sized firms have to be extra smart about how they deploy their limited resources to avoid being spread thin over a large developer organization and a multitude of applications. In this presentation, Max Caceres, vice president of D.E. Shaw & Co., discusses using a focused approach to start an application security program that is integrated with the development organization from day 1, and that can grow organically over time as the security organization matures.
Putting 'Information' Back Into Information Security
Although we call it "Information Security," for the past 20 years our profession has really been about protecting the infrastructure, not the data. The notion of information-centric security is crucial for financials: not just encryption, but content filtering, data classification and DLP, because of regulations. After all, auditors don't care whether it was a malicious attack or a common mistake. In this session, Securosis CEO Rich Mogull explores how to reorient your security program to protect the information itself, not merely the places where it's stored and used.
Cybercrime and the Financial Sector: The Growing Link
As cybercrime routinely targets the financial sector, Erez Liebermann and Seth Kosto, federal prosecutors focusing on cybercrime and white collar fraud, discuss law enforcement's response to the growing threat and what corporations can do to assist and protect their systems. They also examine recent cases prosecuted by their offices and across the country.
Protecting Data and Transactions with Encryption and Tokenization
Driven in large part by PCI requirements and massive theft, organizations are rapidly adopting a combination of new and old encryption technologies to protect data in transactions and in storage. In this session, Mogull describes the latest data protection technologies, such as transparent data encryption, tokenization, and format-preserving encryption.
Managing Actionable Threat Information for Financial Services Security Professionals
More than any other industry, information security professionals in financial services firms need to be on the front lines of information about emerging threats. The only way to stay even with hackers and their exploits, according to Nick Selby of Trident Risk Management, is through actionable intelligence from reputable sources. What does threat intelligence mean? What does it comprise? The past five years have seen the rise of new classes of commercial intelligence bringing rich, contextual information that can help you see threats across stovepipes. From malware to botnets, scams to physical threats, intelligence about competitors, to who is saying what about your company, your product and your people, the problem is no longer "Where can I get threat intelligence?" but "How can I manage it?"
This was first published in June 2010.