
Workshops and Seminars

2014 Featured Talks

Average Length: 50 – 90 min
For more information on the following talks, feel free to contact us!

03/26/14: Indiana Bankers Association Training Center

Where Compliance Meets Information Security: The Social Media Guidance and Third Party Management

On December 10, 2013, the Federal Financial Institutions Examination Council (FFIEC) issued a new guidance entitled: Social Media: Consumer Compliance Risk Management Guidance.  While the Guidance states that it imposes no new requirements on financial institutions, it applies to conduct previously unregulated by these agencies.  While it does a great job of identifying all laws and regulations that impact social media, it focuses solely on external risk and misses internal risks.  Meanwhile, it takes the meaning of “vendor management” to a new level, suggesting that we expand our cloud provider management definition to include third party arrangements in social media.

Meanwhile, examiners are also questioning our compliance with all aspects of the various guidance related to Vendor Management and Due Diligence, especially in relation to Cloud Providers. Complicating matters, the Social Media Guidance brings to our attention the risk of third party relationships in social networking. Add to that the ease of signing up for cloud services: the entire contract review is often accomplished by the push of one button ("Agree"). How do we leverage our existing due diligence processes to address the fact that our management team could enter into agreements with third parties without realizing they are doing so?

Dan Hadaway CRISC, CISA, CISM will help us understand the compliance, security, and reputational risks of cloud computing, especially in the social media environment, and how we can adjust our existing compliance and due diligence processes to create a unified, balanced, risk-based approach to addressing these ever-changing, complex issues.

Deliverables Include:

  • Social Media Risk Assessment (to conform with the Social Media Guidance)
  • Social Media Development Standards
  • Social Media Management Training PowerPoint
  • Third Party Relationship Analysis Checklist
  • Cloud Computing Policy Statements (for insertion into existing vendor management policies)
  • Management Guidelines for Social Media Conduct


04/04/14:  Infotex Jam (Infotex Clients Only)

  • Using ELM to enhance your network monitoring experience. (Michael Hartke)
  • Using TRAC to reduce your risk management process to thought.  (Sean Waugh)
  • The Myths of Information Security (Dan Hadaway)


04/11/14:  OBL Technology Conference

Top Three Issues and Three Questions in Network Monitoring

Dan Hadaway, Managing Partner, and Sean Waugh, Lead Technical Auditor, Infotex, open the hood of the managed security service provider as Dan defines monitoring strategy. Meanwhile, what should we be asking ourselves as we enhance our processes? What should we be doing to monitor our network, beyond the MSSP? What open source tools are worth the time, and what applications are worth the money? Sean will help us create a tactical plan.


06/12/14: Indiana Bankers Association Training Center

Simplifying your IT Risk Management Program

Examiners have made it clear:  if your management team understands the risk exposure of information and technology to your bank, you are definitely heading in the right direction.  If risk is considered in all technology decision making, an effective IT risk management process has been implemented.

The standards themselves call for a risk assessment of all information assets.  Beyond creating an inventory of assets, identifying threats and vulnerabilities, and assessing risk mitigation techniques, an effective risk management program puts the organization on guard in real time, in a manner that avoids threats and vulnerabilities as much as it mitigates the unavoidable risks or unpredictable problems.

  • The FFIEC Standards and Effective Risk Management Strategy
  • The Importance of Permeation and the Meaning of Multi-Disciplinary
  • How IT plugs into Enterprise Risk Management
  • Formal Risk Measurement Requirements (Vendor, Project, Infrastructure, Physical, GLBA, MFA)
  • Risk Metrics
  • Risk Measurement Process and Tools
  • Breakout Sessions
    • Asset Inventory
    • Vendor Risk Threshold Analysis
    • Drill Down Risk Assessments (using Mobile Banking, Mobile Devices, Smart ATMs, and Social Media as examples)


08/21/14: Indiana Bankers Association Training Center

Building Your Vendor Management Program

Because financial institutions rely heavily on vendors to perform tasks involving confidential information, the FFIEC makes us responsible for governing the vendor process. An effective vendor management program will identify, measure, monitor, control, and escalate the risks associated with vendor relationships. Meanwhile, the tools we use to measure vendor risk are improving. The SAS 70 is being replaced with the SSAE 16. Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization. SOC reports provide valuable information users need to assess and address the risks associated with an outsourced service. In addition, examiners are clarifying what is meant by a Critical Vendor, and the tools we use to manage the vendor due diligence process have improved.

  • Risk Management Basics
  • Vendor Risks
  • Governing Threshold
  • Policy and Procedure
  • Enlisting Vendor Owner Support
  • The SSAE-16 Review Process
  • The Due Diligence Process
    • New Vendors
    • Annual Review
  • Streamlining the Process

Deliverables (Templates)

  • Board-level Vendor Management Policy
  • Vendor Management Procedure
  • Vendor Contract and Non-Disclosure Agreement
  • SSAE-16 Review Checklist
  • Vendor Due Diligence Checklists
  • Access to Our Workshop Portal and Appropriate Boilerplates


Top Five Trends in IT Auditing

Length: 1 hour

  • IT Audit Planning work program
  • Annual IT Security Report Template
  • IT Audit Request for Proposal

The audit landscape for banks is changing due to a stipulation in a regulation which has nothing to do with the banking industry. Because of this, banks need to consider including audit rotation in their policy. In this crash course on the meta-language of IT Auditing, we will analyze these two trends.


Top Five Issues in Network Monitoring

Length: 1 hour

  • Boilerplates for a Network Monitoring Procedure
  • Event Log Management Standards
  • Technical Security Standards
  • Incident Response Plan
  • Incident Response Policy

Auditors now know why we can't monitor all of the stinking event logs, but guess what: they don't care! The managed service provider becomes even more important as we find ways to be more productive. These are two of the issues we'll discuss as we open the hood of the managed security service provider, in an attempt to help bankers realize what happens when they outsource the act of watching their network.


Top Five Opportunities in IT Risk Assessing

Length: 1 hour

  • Drill-down risk assessment spreadsheets for the top five assets
  • Risk Management Policy
  • Risk Management Process PowerPoints

Drilling down is no longer a skill we have left unexercised. The need to "plug into" an enterprise risk management process is inevitable. The days of spreadsheets are numbered. These are just three of the opportunities we will be exploring as we discover the many ways that risk assessing can deliver value to our decision-making processes!


Top Eight BYOD Controls

Length: 1 hour

  • Portable Device Risk Assessment Spreadsheets
  • BYOD Policy
  • Portable Device Security Configuration Standards

It is NOT possible to reduce all portable device risk management practices (measurement, response, monitoring) to eight simple steps. But if we need to get started, here are the first eight controls we should start with!


A Brief History of Change

Length: 1 hour

  • Change Management Policy
  • Change Tracking Spreadsheet

The only constant is change. And change is changing. The pace of change has been getting faster and faster as we evolve as human beings. And the only thing we can count on is that we can't really count on anything except change. Change is the pattern that connects. And yet, why is change so darn difficult?
Dan Hadaway preaches that change management is an attitude, that resistance to change is the problem, and that the recognition of these facts is the first step in a challenging, yet achievable, program of recovery. Yes, technology is always changing. But if we can learn to manage that change, we will be happier!


The Four Promises (Managing Vendor Risk)

Length: 1 hour

  • Vendor Contract Templates

While we're all still trying to find the best way to manage vendor risk, we're far beyond where we ever thought we'd be just five years ago, when examiners first started bringing the issue to the forefront. Most of us have inventoried our vendors, classified them according to risk, and reviewed them all at least once, maybe twice or three times for the critical vendors. Some of us have involved the vendor owners organically, and some of us have gone so far as to create a calendar of contract expirations.
But do we know what to go for when we update that contract? Dan Hadaway will go over the four fundamental security agreements that, if secured, will make your vendor contracts bullet-proof from both a compliance and a legal risk perspective.


CATO:  The New State Guidance

Length: 1 hour

  • Link to the CATO Guidance

Even if you are not examined by the DFI, you should take a close look at this guidance. Based on the work of the Texas Bankers Association, the Indiana and Ohio Departments of Financial Institutions were two of many to adopt this guidance. Complying with it should be easy, and safe! Dan Hadaway will go over the important benchmarks and milestones inherent in the guidance.


Shotgun!  Marrying the BYOD Policy with the MDM Configuration!

Length: 1 hour

  • Mobile Security Kit

Okay, if you are thinking a shotgun wedding between the technical and non-technical sides of portable device management won't work, we agree. But something needs to happen, and Dan Hadaway has a short three-step plan to help get you started on the process of aligning (if you'd prefer that term) your policies with your technical enforcement standards.


Bring Your Own What?  Managing Portable Devices Risk!

Length: 1 hour

  • Mobile Security Kit

Now that our board members want their board packets to share space with Angry Birds, our loan officers demand the cost savings of a paperless loan review, and our executives have discovered that they could get even more work done if only they had e-mail on their Galaxy 3, how do we keep our bank out of trouble? In this talk, we take a three-pronged approach to managing portable device risk: the risk assessment, the non-technical controls, and the technical controls.


Incident Response Testing

Length: 1 hour

  • Incident Response Policy
  • Incident Response Plan
  • DDoS Scenario Test plan
  • DDoS Scenario Test Documents
  • CATO Scenario Test Plan
  • CATO Scenario Test Documents

Examiners and auditors alike are realizing that the more likely disaster is an incident, on the network or to the information you're trying to protect. So why are we focusing all our resources on tornadoes and earthquakes? Dan Hadaway will help us develop a strategy to quickly bring our incident response plans up to speed, focusing on the most likely incidents as well as the standards that examiners will want to see.


Taking your Customer Awareness Training to the Next Level!

Length: 50 – 90 minutes

You can work for the FFIEC, or you can work for the bank. It's your choice! Whether or not you're already in compliance with the FFIEC Supplement to the Guidance on Authentication in the Internet Banking Environment, there's still work to be done. In this talk, Dan will reveal three primary strategy components that, when implemented, will turn this compliance to-do into an effective process that not only enhances customer service but also mitigates security and reputational risk.


Corporate Takeovers and the FFIEC’s Response

Length: 50 – 90 minutes

In just the last two years the FFIEC has released several guidance documents addressing one of the highest security and transactional risks currently facing banks: the corporate account takeover. In this attack, organized criminals target small businesses and other high-payoff customers through orchestrated campaigns using malware, keyloggers, and similar tools. This talk will walk us through the typical attack vectors related to corporate account takeovers, then delineate the FFIEC's current posture on risk mitigation strategies.