Session Descriptions

Financial Information Security Decisions is a customized educational conference designed by the editors of Information Security magazine online, SearchSecurity.com and SearchFinancialSecurity.com. The conference offers you a soup-to-nuts agenda focused on the latest financial security trends, technologies and tools.

General Sessions

Keynote: Justice, Victim Corporations and Cybercriminals

Erez Liebermann, Assistant United States Attorney General, District of New Jersey, Computer Hacking and Intellectual Property Section


What is law enforcement doing to tackle cybercrime, and how can law enforcement work with private industry to prevent, investigate and prosecute cybercrime? In this session, Erez Liebermann, a federal prosecutor focusing on cybercrime, discusses recent cases prosecuted by his office and across the country. The discussion focuses on the state of the law and what law enforcement is doing to fight the growing instances of cybercrime, both domestically and internationally. Attend and gain insight into:

  • Cases the federal government has investigated and prosecuted
  • The current legal tools available for prosecutors and the penalties faced by cybercriminals
  • Why cooperation between private industry and law enforcement is critical and why the myths about cooperating with law enforcement are outdated

Keynote: The State of Security Today

Marcus Ranum, Chief Security Officer, Tenable Network Security


Everyone is talking about compliance testing and data leakage, but what's really going on that's pushing the industry in that direction? And will it work? Marcus Ranum, a world-renowned expert on security system design and implementation and recognized as an early innovator in firewall technology, candidly discusses how today's trends are likely to affect the future of security. Following the presentation, pose your own questions to one of the industry's most well-respected thought leaders.

Track 1: Governance, Risk and Compliance

Financial services organizations are among the most regulated in the information security sector. As new regulations continue to emerge and demand stricter security policies and procedures, organizations need to adjust how they approach compliance and manage risk. This track offers practical advice on how to interpret specific regulations, key strategies to address emerging regulations and the technologies that support an organization’s compliance efforts.

How to Evolve Your Compliance Program As Technologies and Mandates Change

Richard Mackey, Vice President, SystemExperts

As technologies change and audit processes evolve, so does the interpretation of regulatory requirements. For instance, how do you deal with the explosion of virtualized machines when it comes to segregation of function? Further, how do you deal with the responsibilities for administration of the virtual machine versus administration of the underlying environment in meeting compliance requirements? And how do you take existing, standard regulations and apply them to new and ever-changing technologies?

This session describes how to effectively interpret particular requirements from regulations such as HIPAA and PCI, and the implications these interpretations have for compliance activities, administration, and auditors. Mackey discusses:

  • The use of virtualization and how it affects system administration requirements, segregation, and network security
  • How organizations should be making decisions about what to encrypt
  • Ways that encryption decisions affect key management and the archival of sensitive information
  • How to test the security of your applications and environment, as required by PCI, among others

Managing Third-Party Risk

Richard Mackey, Vice President, SystemExperts

While organizations are increasingly turning to service providers to reduce cost, augment their product set, and focus on core services, it's no secret that many of the recent data breaches occurred due to missteps with a third-party vendor. Partnering with other organizations brings with it risk, particularly when the information shared with the service provider is sensitive and is subject to regulatory requirements.

Organizations are under pressure from regulators, customers, and partners to ensure that information they entrust to service providers is kept secure. While regulators have been evaluating third-party relationships, organizations have lacked clear guidance on how to satisfy regulators. That all changed this past June when the Federal Deposit Insurance Corporation (FDIC) released guidance for managing third-party risk. As a result, organizations from all verticals must take a closer look at what they expect from their partners. These days it is far more common for organizations to ask their service providers to meet a standard of security practice that would have been considered extreme just a few years ago.

In this presentation, Mackey discusses the requirements stated in various regulations, from PCI to FFIEC, and delivers best practices designed to help you effectively manage your service providers. Attend and discover:

  • How to minimize risk via information analysis
  • The importance of risk analysis to service provider management
  • Typical regulatory requirements and how they affect service provider management
  • How to monitor relationships and establish triggers for further review
  • The importance of coordinated incident response and business continuity planning with service providers
  • How technology can facilitate managing and monitoring service providers

FFIEC Guidance for Remote Deposit Capture: What is Expected of You

Dan Fisher, President & CEO, The Copper River Group

This past January, the Federal Financial Institutions Examination Council (FFIEC) issued guidance for managing the risks associated with remote deposit capture (RDC). RDC allows banking customers to deposit checks from their home or office by scanning a check and transmitting the image to the bank for posting. Financial institutions have been adopting RDC mostly for their commercial customers, but the FFIEC guidance makes it clear that banks must understand RDC risks and manage them, a responsibility that was in the hands of executive management.

The main risk with implementing RDC is the exposure of the check writer, user, vendor and financial institution to increased security risk. Add to this the Internet transmission of files or images, and additional security layers may be required. You need to determine whether your organization can effectively manage the overall increased risk. Find out where to start with Dan Fisher, as he discusses:

  • What the FFIEC expects in the form of changes and additional measures that need to be taken
  • How the guidance pertains to the role of the IT security professional and RDC technology
  • The changes in BCP and DRP that need to be implemented

Red Flag Rules and Preparing For New Regulations

Richard Mackey, Vice President, SystemExperts

The Federal Trade Commission's Red Flag Rules represent yet one more regulation that financial organizations need to address. Plus, states like Massachusetts are raising the bar in similar ways in an attempt to rein in identity theft. While there is no doubt that these new regulations increase the compliance burden on financial institutions, the commonality of requirements between the new and existing regulations offers a possible solution. In this presentation, Mackey discusses:

  • Various aspects of regulations including the Red Flag Rules, the Massachusetts Identity Theft Law, PCI, HIPAA, and GLBA
  • How to structure a compliance program that addresses common and unique areas of particular regulations and contracts

Track 2: Practical Technology Solutions

As new security technologies continue to emerge, it’s easy to become overwhelmed and lose focus on where to prioritize your limited security budget and resources. This track focuses on new threats, countermeasures and how to lock down emerging technologies. Our experts also take a deep dive into access control and data security.

Pragmatic Data Security

Rich Mogull, Founder, Securosis

While data breaches run rampant and every vendor under the sun claims to offer a data protection solution, there is very little information available on how to build a practical, effective data security program. This session busts through hype, hyperbole, and complexity and details a pragmatic approach to information-centric security you can implement in nearly any organization. From tools, to techniques, to process, and even to satisfying those pesky auditors, we'll present a straightforward, step-by-step process to reduce risks, stay out of the headlines and keep your organization's most valuable information safe. This session examines:

  • The top 5 actions you can take today for data protection
  • Why traditional data classification doesn't work, and how to fix it
  • A step-by-step process for building a successful data security program
  • All the major data security tools: find out which ones really work

Reality Check: Emerging Internet Security Threats in 2009

Lenny Zeltser, Security Consulting Manager, Savvis

Financial institutions understand the value of the data they process on behalf of their clients and partners. So do the attackers, who have strong incentives to invest significant funds in powerful techniques for breaching financial firms' defenses and targeting the organizations' customers. Now that fortune, rather than fame, drives Internet attacks, it is critical to keep abreast of the latest attacks.

In this presentation, Zeltser explores today's emerging Internet security threats to help financial institutions fine-tune their defenses. Examine attack patterns that have included the use of careful social engineering, elaborate malware, the web ecosystem, and the increased precision of modern attacks. You'll get real-world examples of cyber attacks and the incentives behind malicious Internet activities. Come to this timely talk to learn:

  • The key drivers pushing modern-day attackers toward large-scale and targeted attacks
  • Which recent breaches exemplify threat categories that organizations need to track
  • The approaches Internet criminals employ to trick victims and bypass defenses
  • How to adjust your security architecture to match today's threat landscape

Identity Management Solutions and Today's Environment

Kelly Manthey, Business Process Partner, Solstice Consulting LLC
Brian Schlueter, Lead Security Specialist, "Major Insurance Company"

The downturn in the economy is driving downsizing and forcing companies to do more with less. Achieving compliance with auditor requirements and maintaining a secure environment are still top priorities. Identity management solutions help companies implement sustainable processes that drive efficiency, accuracy, and compliance. This presentation explores the business challenges that have been exacerbated by today's financial crisis and looks at how identity management solutions can help address these challenges. Learn where your organization fits on the capability maturity continuum and receive practical tips for moving further along the continuum. Attend and explore:

  • Common business challenges: downsizing and doing more with less
  • Responding to regulatory requirements
  • Capability maturity model
  • IdM technology landscape
  • Enterprise IdM roadmap best practices
  • Implementation best practices

Cloud Computing: Security Risks and Compliance Implications

David Sherry, CISO, Brown University

There has been a great deal of buzz around cloud computing, and like all emerging technologies, it has many definitions and solutions, as well as many points to consider from a security perspective. This discussion explains the cloud's many uses, its current advantages and disadvantages, and most importantly, the security questions that must be considered. In this presentation, David Sherry covers:

  • Cost considerations when utilizing the cloud
  • Practical uses for piloting and testing the cloud
  • Regulatory implications when moving to cloud computing
  • How cloud computing can be used securely within an organization

Register for Complimentary Admission Today!

Free Admission

New York Marriott Marquis

Earn CPE Credits for Attending

All CISSPs/SSCPs receive 1 Continuing Professional Education (CPE) credit for every session attended from (ISC)2.

Giveaways

All attendees are entered into four prize raffles for a chance to win a digital video recorder, a GPS, a 42-inch flat screen TV or an iPod!