At Financial Information Security Decisions, many of the industry's leading information security experts gathered to share vendor-neutral expertise and proven security strategies. If you couldn't make it to New York City for this year's event, you can catch up here. Below you can download speaker presentations from a selection of this year's sessions. Feedback on Financial Information Security Decisions presentations can be submitted via SearchFinancialSecurity.com.
-- Justice, Victim Corporations and Cybercriminals
-- The State of Security Today
-- How to Evolve Your Compliance Program As Technologies and Mandates Change
-- Managing Third-Party Risk
-- FFIEC Guidance for Remote Deposit Capture: What is Expected of You
-- Red Flag Rules and Preparing For New Regulations
-- Pragmatic Data Security
-- Reality Check: Emerging Internet Security Threats in 2009
-- Identity Management Solutions and Today's Environment
-- Cloud Computing: Security Risks and Compliance Implications
Justice, Victim Corporations and Cybercriminals
What is law enforcement doing to tackle cybercrime, and how can law enforcement work with private industries to prevent, investigate and prosecute cybercrime? In this session, Erez Liebermann, a federal prosecutor focusing on cybercrime, discusses recent cases prosecuted by his office and across the country. The discussion focuses on the state of the law and what law enforcement is doing to fight the growing instances of cybercrime, both domestically and internationally. Liebermann explains why cooperation between private industry and law enforcement is critical and why the myths about cooperating with law enforcement are outdated.
The State of Security Today
Everyone is talking about compliance testing and data leakage, but what's really going on that's pushing the industry in that direction? And will it work? Marcus Ranum, a world-renowned expert on security system design and implementation and recognized as an early innovator in firewall technology, candidly discusses how today's trends are likely to affect the future of security.
How to Evolve Your Compliance Program As Technologies and Mandates Change
As technologies change and audit processes evolve, so do the interpretations of regulatory requirements. For instance, how do you deal with the explosion of virtualized machines when it comes to segregation of function? Further, how do you deal with the responsibilities for administration of the virtual machine versus the administration of the underlying environment in meeting compliance requirements? And how do you take existing, standard regulations and apply them to new and ever-changing technologies? In this presentation, compliance expert Richard Mackey, vice president, SystemExperts, describes how to effectively interpret particular requirements from regulations such as HIPAA and PCI and discusses the implications these interpretations have on compliance activities, administration, and auditors.
Managing Third-Party Risk
While organizations are increasingly turning to service providers to reduce cost, augment their product set, and focus on core services, it's no secret that many of the recent data breaches occurred due to missteps with a third-party vendor. Partnering with other organizations brings with it risk, particularly when the information shared with the service provider is sensitive and is subject to regulatory requirements. Organizations are under pressure from regulators, customers, and partners to ensure that information they entrust to service providers is kept secure. In this presentation, Mackey discusses the requirements stated in various regulations, from PCI to FFIEC, and delivers best practices designed to help you effectively manage your service providers. He addresses the importance of risk analysis to service provider management, and the importance of coordinated incident response and business continuity planning with service providers.
FFIEC Guidance for Remote Deposit Capture: What is Expected of You
This past January, the Federal Financial Institutions Examination Council (FFIEC) issued guidance for managing the risks associated with remote deposit capture (RDC). Financial institutions have been adopting RDC mostly for their commercial customers, but the FFIEC guidance makes it clear that banks must understand RDC risks and manage them, a responsibility that rests in the hands of executive management. The main risk with implementing RDC is the exposure of the check writer, user, vendor and financial institution to increased security risk. Add to this the Internet transmission of files or images, and additional security layers may be required. You need to determine if your organization can effectively manage the overall increased risk. Find out where to start with Dan Fisher, president & CEO, The Copper River Group, as he discusses what the FFIEC expects in the form of changes and additional measures that need to be taken, how the guidance pertains to the role of the IT security professional and RDC technology, and the changes in BCP and DRP that are required.
Red Flag Rules and Preparing For New Regulations
The Federal Trade Commission's Red Flag Rules represent yet one more regulation that financial organizations need to address. Plus, states like Massachusetts are raising the bar in similar ways in attempting to rein in identity theft. While there is no doubt that these new regulations increase the compliance burden on financial institutions, the commonality of requirements between the new and existing regulations offers a possible solution. In this presentation, Mackey discusses various aspects of regulations, including the Red Flag Rules, the Massachusetts Identity Theft Law, PCI, HIPAA, and GLBA, and how to structure a compliance program that addresses common and unique areas of particular regulations and contracts.
Pragmatic Data Security
While data breaches run rampant and every vendor under the sun claims to offer a data protection solution, there is very little information available to build a practical, effective, data security program. This session busts through hype, hyperbole, and complexity and details a pragmatic approach to information-centric security you can implement in nearly any organization. From tools and techniques to process and even to satisfying those pesky auditors - we'll present a straightforward, step-by-step process to reduce risks, stay out of the headlines and keep your organization's most valuable information safe. Rich Mogull, founder of Securosis, examines the top five steps you can take today for data protection, why traditional data classification doesn't work, and which data security tools really work.
Reality Check: Emerging Internet Security Threats in 2009
Financial institutions understand the value of the data they process on behalf of their clients and partners. So do the attackers, who have strong incentives for investing significant funds in powerful techniques for breaching financial firms' defenses and targeting the organizations' customers. Now that fortune rather than fame drives Internet attacks, it is critical to keep abreast of the latest attacks. In this presentation, Lenny Zeltser, security consulting manager, Savvis, explores today's emerging Internet security threats to help financial institutions fine-tune their defenses. Examine attack patterns that have included the use of careful social engineering, elaborate malware, the web ecosystem, and the increased precision of modern attacks. You'll get real-world examples of cyber attacks and the incentives behind malicious Internet activities.
Identity Management Solutions and Today's Environment
The downturn in the economy is driving downsizing and forcing companies to do more with less. Achieving compliance with auditor requirements and maintaining a secure environment are still top priorities. Identity management solutions help companies implement sustainable processes that drive efficiency, accuracy, and compliance. This presentation explores the business challenges that have been exacerbated by today's financial crisis and looks at how identity management solutions can help address these challenges. Learn where your organization fits on the capability maturity continuum and receive practical tips for moving further along the continuum. Kelly Manthey, business process partner, Solstice Consulting LLC, and Brian Schlueter, lead security specialist at a major insurance company, discuss the IdM technology landscape, common business challenges, and implementation best practices.
Cloud Computing: Security Risks and Compliance Implications
There has been a great deal of buzz around cloud computing and, like all emerging technologies, it has many definitions and solutions as well as many points to consider from a security perspective. This discussion explains cloud's many uses, its current advantages and disadvantages, and most importantly, the security questions that must be considered. In this presentation, David Sherry, CISO, Brown University, discusses cost considerations when utilizing the cloud, practical uses for piloting and testing the cloud, regulatory implications when moving to cloud computing, and how cloud computing can be used securely within an organization.