Session Descriptions
Compliance Decisions is a customized educational summit designed by the editors of SearchCompliance.com, SearchCIO.com, Information Security Magazine Online and SearchSecurity.com. Our one-day seminar attacks compliance from all angles to help you create an effective compliance strategy, understand the latest regulations and their implications, and leverage the best tactics for managing compliance technologies.
Future-Proof Your Compliance Program
Eric Holmquist, Vice President, Director of Operations Risk Management, Advanta Bank Corp
The holy grail of compliance is building a streamlined program that can easily accommodate the changing regulatory environment. Case in point: Massachusetts and Nevada are in the process of enacting strict data privacy laws that need to be integrated into your existing compliance program.
CIOs and CISOs routinely list compliance as one of their top areas of concern because confusion surrounds how to create a streamlined and comprehensive compliance program. In this keynote presentation, Eric Holmquist, vice president at Advanta Bank, discusses how he successfully implemented such a program at his financial services company. He offers best practices and lessons learned, including some painful do's and don'ts, that you can take back to your organization. With over 20 years' experience and multiple books on risk management to his name, Eric Holmquist explains:
- The compliance landscape relative to areas such as technology governance, information security and data privacy
- The current environment and how to plan for the “next wave” of compliance demands
- How to address the various compliance requirements in one comprehensive program
- How to develop GRC best practices that meet or exceed regulatory requirements
- And so much more
Protecting Personal Data: Nevada, California and Massachusetts Data Privacy Laws - Where Do We Go From Here?
Andrew Baer, Founder, Baer Business Law
Nevada is getting serious about protecting personal information. A new law signed in late May strengthens an earlier data protection law by mandating that data collectors use industry-standard cryptographic key technology and, if they accept credit or debit cards, comply with the Payment Card Industry Data Security Standard (PCI DSS). This new style of state information security regulation is more aggressive than the risk-assessment-based strategy favored up to now by federal regulators. Businesses will have to start looking to state information security law, and not just federal guidelines, in crafting the architecture and features of their security programs. During this session, Andrew Baer discusses:
- How data security regulation is changing and how Nevada is helping to lead the way
- Analysis of the Nevada data security law, who needs to comply and how to comply
- Open questions and legal and compliance risks
- California data security regulation update
- Massachusetts data security regulation update
How to Evolve Your Compliance Program As Technologies and Mandates Change
Richard Mackey, Vice President, SystemExperts
As technologies change and audit processes evolve, so does the interpretation of regulatory requirements. For instance, how do you deal with the explosion of virtual machines when it comes to segregation of function? Further, how do you separate the responsibilities for administration of the virtual machine from administration of the underlying environment in meeting compliance requirements? And how do you take existing, standard regulations and apply them to new and ever-changing technologies?
This session describes how organizations can effectively interpret requirements from regulations such as HIPAA and PCI, and the implications these interpretations have for compliance activities, administration, and auditors. In this session, Dick Mackey, vice president at SystemExperts and veteran auditor and consultant for large enterprises, discusses:
- How the use of virtualization affects system administration requirements, segregation, and network security
- How organizations make (and should make) decisions about what to encrypt, and how those decisions affect key management and the archival of information
- How to test the security of your applications and environment, as required by PCI, among others
- PCI's testing requirements: Comparing the requirements and effectively testing the security of your applications and environment
Managing Third-Party Risk
Richard Mackey, Vice President, SystemExperts
While organizations are increasingly turning to service providers to reduce cost, augment their product set, and focus on core services, it's no secret that many of the recent data breaches occurred due to missteps with a third-party vendor. Partnering with other organizations brings with it risk, particularly when the information shared with the service provider is sensitive and is subject to regulatory requirements.
Increasingly, organizations are under pressure from regulators, customers, and partners to ensure that information they entrust to service providers is kept secure; but until recently, organizations lacked clear guidance on how to satisfy regulators. That changed this past June when the Federal Deposit Insurance Corporation (FDIC) released guidance for managing third-party risk. As a result, organizations from all verticals are taking a closer look at what they expect from their partners. These days it is far more common for organizations to ask their service providers to meet a standard of security practice that would have been considered extreme just a few years ago.
In this presentation, Mackey discusses the requirements stated in various regulations, from PCI to FFIEC, and practices designed to help you effectively manage your service providers. Attend and discover:
- How to minimize risk via information analysis
- The importance of risk analysis to service provider management
- Typical regulatory requirements and how they affect service provider management
- How to monitor relationships and establish triggers for further review
- The importance of coordinated incident response and business continuity planning with service providers
- How technology can facilitate managing and monitoring service providers
Earn CPE Credits for Attending
All CISSPs/SSCPs receive 1 Continuing Professional Education (CPE) credit for every session attended from (ISC)2.
Giveaways
All attendees are entered into three raffles for a chance to win an Amazon Kindle 2 or one of two Amazon.com gift cards!