Eight Hour Workshops
The following workshops are designed to be customized to your financial institution and delivered directly to your management team. We also provide these workshops at the Indiana Bankers Association from time to time.
Governance Principles for Non-Technical Management
While your technical team is busy fighting the fight against cybersecurity threats, how can Management ensure they have the appropriate support? What roles does Management play in the battle against cyber threats? How do we ensure we are properly managing the risk of these threats? This workshop will cover the following topics:
- IT Governance Definition
- IT Governance Goals
- Assurance: Gaining confidence in cyber risk management practices
- Transferring Information Technology Risk through Insurance
- Vendor Management Principles
- Incident Response Principles
- Disaster Recovery Principles
- What documentation should management understand?
- The role of the board, and its importance.
Known for his ability to simplify technical concepts for nontechnical personnel, Dan Hadaway will not disappoint your executive suite, especially if they want to come up to speed about cybersecurity!
Data Flow Who?
So we have the board on board . . . it was a bit awkward when they reflected on the fact that our risk was “least” or “minimal” . . . but they’re ready to “manage the assessment process” and we’ve already gone through an iteration or two. The Cybersecurity Assessment Tool has realigned our plans for 2016, and by the end of the first quarter we should be well off on the five-step process prescribed at ffiec.gov/cyberassessmenttool.htm
But what are we to do about those strange gray areas where we find ourselves “not at baseline.” Can we accept the risk? Are we out of compliance? Which deficiencies represent true security risk and which ones merely increase compliance risk, assuming we can’t justify why we never saw this as guidance? What is the easiest way to knock these off?
This workshop will walk through the most common deficiencies we are seeing from the initial Cybersecurity Assessments, discuss the pros and cons of mitigation, and even provide starting point boilerplates where possible to help with policy-related mitigation.
As always, access to the infotex boilerplate portal will be offered to all attendees for deliverables including the following:
- Presentation Templates
- Mitigation Strategy Template
- Risk Assessment Templates
- Encryption Standards (to establish exactly what data-at-rest we WILL be encrypting, among other things.)
- Data Flow Risk Assessment
- Typical Data Flow Diagrams
- Password Management Procedure
- Server, Browser Hardening Procedures
- Threat Management Strategy
- Data Classification Schemas
- Incident Response Team Training Templates
Incident Response Management:
The entire fifth domain of the Cybersecurity Assessment Tool covers incident response. When we choose “accept” as a risk response decision, we rely on our ability to respond if a threat truly does exploit a vulnerability. Even when we select “mitigate,” controls can sometimes break. Technology never works the way it’s supposed to. Disasters happen. Thus we have all developed . . . whether formally or informally . . . our Incident Response Processes. This workshop will help streamline your processes that mitigate cybersecurity risk.
Incident Response as a Control
- Baseline and Evolving CAT Statements
- Domain 2 and 3 statements that prepare an excellent Domain 5 posture!
- The Mitigation of Impact (Turning Lemons into Lemonade)
Incident Response as a Process
- Fitting Incident Response into your existing IT Governance program.
- Creating an Incident Response Policy that your Board understands.
Building the Incident Response Team
- Incident Response Team responsibilities and maximizing the meeting effectiveness.
- Incident response planning.
- Creating and using a decision tree.
- CAT #
- Integrating incident response into your existing Risk Management Program.
- Identifying Potential Incidents, Incident Detection
- Managed Security Service Providers and how to put them on your team.
- Monitoring techniques, reporting methodologies, and how to maximize their value. (SIEMs, IRT Agendas, Decision Trees)
- Broadcast Awareness and Incident Escalation
- When do we have to inform our customers?
- Ongoing Incident Communication Concerns
- Dealing with the Media, your Customers, and your Employees during an incident.
- When to bring law enforcement in, and how to actually get something done.
- Forensics do’s and don’ts.
Forensics: Why, What, When, and
Vendor Management Program
Does it seem like you are trapped in your Vendor Management program? Are the spreadsheets starting to show up in your dreams? Spend a day learning ways to simplify your vendor management program. Take home some free tools that can be used to make your job easier, while simultaneously doing a better job of managing vendor risk!
New guidance continues to add to the ever-growing list of what examiners and auditors currently call “vendor due diligence.” In this workshop, we will attempt to simplify the process!
- Simplifying the Due Diligence Review
- Shortcuts allowed, and not allowed
- Appendix J, BCP Review, and Domain Four Implications
- The Impact of Recent Guidance
- Guidance Consolidation – OCC 2013-29
- The SSAE-16 Review Process
- How to Review a SOC-1 or 2
- Data Flow Diagramming
- Outsourcing: Why, Who, What, When
- Enlisting Vendor Owner Support
- The Due Diligence Process
- New Vendors
- Annual Review
Customer Awareness Training
The June 2011 Supplement to the 2005 Authentication Guidance finally put some teeth into the “good idea” of teaching our customers good information security practices. Now we are required to create a strategy and implement a plan for increasing the awareness of our customers. This workshop shows us how to create a customer awareness training strategy and illustrates ten tactics that work.
Everything Mobile Banking
Finally, under one workshop, we present all mobile banking issues – everything from risk management to vendor management to marketing to customer awareness to incident response to helpdesk training.
Incident Response Planning
We’ve finally brought our management team members into the reality that there is no such thing as 100% security. Now what? The best way to address the inevitable is to ensure that we have a good process in place for responding to the information security incident.
Monitoring IT Risk
Event Log Management, Security Event Information Management, Intrusion Prevention and Detection, Ongoing Technical and Non-technical Controls Testing, Risk Monitoring, and Policy Enforcement.
Risk Management Program
Examiners have made it clear: if your management team understands the risk exposure of information and technology to your bank, you are definitely heading in the right direction. If risk is considered in all technology decision making, an effective IT risk management process has been implemented. The standards themselves call for a risk assessment of all information assets. Beyond creating an inventory of assets, identifying threats and vulnerabilities, and assessing risk mitigation techniques, an effective risk management program puts the organization on guard in real time, in a manner that avoids threats and vulnerabilities as much as it mitigates the unavoidable risks or unpredictable problems.
Technical Security Standards – Tweak the Geek Speak
Management wants documentation, but they don’t understand what we are saying. Meanwhile, we need documentation so we can remember what we did! Add on top of that the fact that the FFIEC requires the establishment of a security baseline. Specifically: “Financial institutions should develop security control requirements for new systems, system revisions, or new system acquisitions. Management will define the security control requirements based on their risk assessment process evaluating the value of the information at risk and the potential impact of unauthorized access or damage.” This workshop will help you with standard language starting points for documenting your network configuration standards, server and network device build-config standards, password management procedures, change control procedures, patch management procedures, remote access security procedures, server hardening procedures, and wireless security procedures.
Technology Compliance Training
Because Information Security is a team effort, awareness is the most important control. Financial Institutions must maintain an appropriate Acceptable Use Policy and teach the concepts inherent in that policy. The training should stress the threats and vulnerabilities financial institutions face, and help users understand their role in mitigating information security risk. According to the FFIEC, authorized internal users should receive a copy of the [Acceptable Use] policy and appropriate training, and signify their understanding and agreement with the policy before management grants access to the system.
The Branchless Banking Program
In 2000, seventy percent of transactions were initiated inside the financial institution. Now, we’re headed to less than a third of transactions inside the branch. The new paradigm creates a need for a new governance strategy. One way to address this need is to create a whole new program outside of the existing IT governance programs. This workshop will show you how to create a new program that addresses everything from authentication risk to wireless banking to mobile devices to ATM management.
The Information Technology Strategy
Incorporating governance, risk management, and new technologies into one strategy writing process that identifies tactics to withstand the test of time, audits, and user satisfaction.
Vendor Management
Today’s financial institutions are relying heavily on vendor partners to perform tasks ranging from the mundane to handling critical processes and information, including nonpublic customer information. With this growing trend comes increasingly stringent regulations governing the security of customer data. And, according to the FFIEC, you are responsible for establishing and approving a risk-based policy to govern the vendor process. An effective vendor management program should provide the organizational framework for Management to identify, measure, monitor, and control the risks associated with vendor relationships.