Risk and Security Workshops

These workshops are designed to introduce current risk and information security hot topics to Information Security Officers and Network Administrators.

Principles of Information Security

Introductory one day class for Information Security Officers, Network Administrators and anyone else working with technology and security in a financial institution. This class will address governing bodies, their requirements, and expectations. We will look at types of policies , what they include , and other security stances you should consider.

Areas of instruction will include:

Mandates

• Regulatory Guidance
  • GLBA (501b)
  • FFIEC
• Vendor best practices
• Audit/Exam experiences

Physical/System Security

• Security Policies
  • User, email, computer, laptop, cell phone , and remote access policies
• Security Controls - User
  • Password policies
  • Employee training
• Security Controls - Vendor
  • SAS 70
  • Financials
  • Contracts
  • Independent tests
• Security Controls - Physical/Logical
  • Wireless
  • Encryption
  • Other security controls

Information Security in Action

Introductory one day class for Information Security Officers, Network Administrators and anyone else working with technology and security in a financial institution. This class will take the principles of security and discuss ways to enforce, check, and report on them. With information security it is not enough to have a policy or procedure in place, but you must have a way to monitor, test, and/or report on the success of policies and procedures.

Areas of instruction will include:

• Review of information security principles
• Network Hardening - concepts and best practice
  • Perimeter - Firewalls/IDS/IPS
  • Host - Server
  • Host - Workstation
  • Host - Mobile devices
• Checklist of reports to review
• Data - retention and disposal
• Viruses/spam/malware
• Delegate control of admin roles
• Assigning security rights
• Admin accounts
• Active Directory - group policy settings
• Server software
• Backups & backup policy
• Patch management/MBSA
• Technology steering committees

Risk and Security - The Risk Management Process in Theory and Practice

Risk management is a battle all institutions must face. In this one day workshop aimed at Information Security Officers, we will discuss the risk management process as it relates to risk assessments and the requirements set forth in all 12 FFIEC IT Handbooks.

Areas of instruction will include:

• Risk Identification
  • Inherent vs. residual
• Assessment
  • Threats
  • Impact vs. probability
  • Prioritization
• Application of controls
  • Avoid
  • Mitigate
  • Reduce
  • Transfer
  • Accept
• Management of program
• Assessment and adjustment
• Risk management in practice
  • Information security
  • Disaster recovery
  • Remote deposit capture

IT Audits and Examinations - Real World Best Practices for Preparation and Response

The audit and examination process probably causes more anxiety for financial instructions than almost any other activity they perform. Knowing what to do in preparation for an exam, how to respond while the examiners are there, and how to follow up after the exit can ease this anxiety. We will look at auditor standards and questionnaires along with the standard exam questionnaire by various regulatory groups and lessons learned from our customers.

Areas of instruction will include:

• The Audit
  • SAS 94
  • BITS
  • Other standards
  • Defining scope of work
  • Proper responses and documentation
  • Response to findings
  • Board of Directors reporting
• The Examination
  • The examiners questionnaire
    • FDIC
    • OCC
    • OTS
    • NCUA
  • Proper responses and documentation
  • Response to findings
  • Board of Directors reporting
• Case Studies

If you have any questions, please email education@safesystems.com.