Conference Sessions

Financial Information Security Decisions is a customized educational conference designed by the editors of Information Security magazine, SearchSecurity.com and SearchFinancialSecurity.com. The conference offers you a soup-to-nuts agenda focused on the latest financial security trends, technologies and tools. Delivered over two days, the conference features daily keynotes, emerging technology showcases and breakout sessions (each accompanied by live "how-to" tutorials) that span the following:


General Sessions

Managing an Information Security Program in Difficult Market Conditions
Anish Bhimani, Chief Information Security Officer, JP Morgan Chase

Security and efficiency are often viewed as being mutually exclusive. However, during the current economic climate, it's more important than ever to be able to reduce the overall cost of security without compromising the effectiveness of security.

As information security continues to mature as a discipline, it will increasingly be measured in the same way as other technologies are, and security managers will be asked to apply additional financial rigor to their programs. Therefore, striking the right balance between efficiency and controls becomes a necessary part of every organization's security program. In this keynote, JPMorgan Chase's Anish Bhimani discusses how to:

  • Strike the right balance between productivity, quality, and controls
  • Prioritize investments, and self-fund investments through production efficiency
  • Leverage security investments that can yield additional non-security efficiencies

Owning the Enterprise
Dino Dai Zovi, Security Researcher

It is not a surprise or a new discovery that the level of security on internal enterprise networks is significantly lower than on the same organization's external-facing networks. Even with draconian patching policies and operating system security settings, the vast scale and heterogeneity of internal networks force significant security compromises. While an exploit may open the door, especially via a client-side web browser or application vulnerability, compromising enterprise networks rarely requires exploits. This session evaluates the current and future state of client-side application security and describes attacks that defeat or bypass current enterprise security defenses, such as 802.1x/NAC, Active Directory authentication, and Vista's Protected-Mode Internet Explorer.

Your Strategic Security Metrics Program
Pete Lindstrom, Senior Analyst, Burton Group

At the operational level, there are many metrics to pick from with varying levels of return to the enterprise. At the strategic level, we remain very much in red-yellow-green, thumbs-up, thumbs-down land when the CIO asks "are we secure?"

In this session, Pete Lindstrom will explain how to bridge the gap to provide evidence-based, objective metrics at a strategic level. This session aims to set the bar high for security programs - to drive away the ad hoc, management-by-exception environment that exists today and replace it with a program that is measurable and defensible, even in the face of varied levels of risk tolerance. Along the way, we will define a set of alternative paths that can be followed to achieve these objectives.

The State of Cybercrime: How effective is your Network Neighborhood Watch?
Jerry Dixon, Director of Analysis for Team Cymru

The Internet is a rough neighborhood; how well are you policing your part of it? Online fraud is pervasive, and hackers continue to use sophisticated techniques to target financial and personal information. This talk provides an overview of the current trends affecting organizations, including what enables online fraud, what the main barriers are, and what you should be doing to combat the problem.

  • New threats and emerging trends in online fraud affecting many organizations
  • How to establish an effective Network Neighborhood Watch Program at your company
  • Policy and globalization issues around combating online fraud and steps you can take to protect your organization

Identity and Access Management WorkShop

Issues related to access control are one of the key stumbling blocks for security pros. Excessive access rights, lack of audit trails/logging and access for outside contractors are all driving investment in authentication and authorization, making it a top operational initiative. This workshop explores effective approaches to tackling a large-scale identity and access management project.

Best Practices in Managing Privileged Access
Andras Cser, Senior Analyst, Forrester Research

Privileged user and password management (PUPM), also known as password vaulting, has recently become a topic of great interest for financial services organizations due to inefficiencies in privileged user and password management processes today. With an increased number of audit findings and internal security threats, security pros are finding holes and need to more effectively automate the process. Andras Cser, senior analyst, Forrester Research, will provide an overview of the problems, processes, and products for meeting regulatory and security requirements in the area of PUPM. Attendees will learn:

  • What kinds of audit findings can PUPM remediate?
  • What are the business benefits of PUPM?
  • How do PUPM solutions work?
  • What are the best practices to implement PUPM?
  • Who are the main vendors for PUPM?

The Evolving Value Proposition and Impact of Identity Management
David Sherry, VP of Enterprise Identity and Access Management, Citizen's Financial Group

For years now, businesses have understood the value of adopting an identity management approach to securing data access. But for a variety of reasons they have chosen not to adopt it. In 2008, that seems to be changing. Driven by advances in the technology, and in response to regulatory requirements, many organizations are redefining their business cases to adopt an identity management solution. Building on a multi-year case study, this session will explore how you make and sell the business case for identity management, the regulatory and business impacts, and some suggestions of important areas to consider in an overall solution.


Compliance WorkShop

Financial services organizations are among the most regulated in the information security sector. It's no secret that many of the recent data breaches occurred due to missteps with a third-party vendor; this workshop offers strategies and tactics on how to hold service providers accountable and create SLAs that meet your compliance mandates. We also outline technology solutions and perspectives from those who have worked with customers on meeting a myriad of existing and emerging regulations.

Compliance and Outsourcing
Richard Mackey, VP, SystemExperts

Financial organizations are increasingly turning to service providers to reduce cost, augment their product set, and focus on core services. Partnering with other organizations brings with it risk, particularly when the information shared with the service provider is sensitive and is subject to regulatory requirements.

Most regulations, from those specified by the FFIEC to GLBA to PCI, require organizations to ensure that their service providers protect sensitive data according to the requirements of the regulation or contract. This requires a service provider management program and SLAs that clearly state the responsibilities of both parties.

In this presentation, Mackey discusses the requirements stated in various regulations and practices designed to help you effectively manage your service providers. Attend and discover:

  • How to minimize risk via information analysis
  • The importance of risk analysis to service provider management
  • How to review service provider practices
  • Typical regulatory requirements and how they affect service provider management
  • How to monitor relationships and establish triggers for further review
  • The importance of coordinated incident response and business continuity planning with service providers
  • The use of technology to facilitate managing and monitoring service providers

How I Learned to Stop Worrying and Love My Compliance Department
Matthew Todd, CSO & Vice President, Risk and Technical Operations, Financial Engines

Financial institutions are unique in that they are driven by countless regulations and other factors that make it essential to create a framework on which to base corporate and business-unit risk management. In this session, Matthew Todd will explain how he attacks this problem. You will learn how to:

  • Start from basic principles of due care
  • Establish a culture of compliance
  • Use compliance and laws to give your program critical direction
  • Establish effective process and record keeping
  • Investigate existing agreements and contracts
  • Test, test, test

Common Missteps When Trying to Meet PCI Compliance
Ed Moyle, Partner, SecurityCurve

Interpreting and applying technology and controls to PCI can be confusing. In this session, Moyle outlines the six common mistakes organizations make and how to avoid them when you are trying to pass a PCI audit. He also outlines the key areas companies need to focus on when dealing with an assessment, including:

  • Authentication data, and requirements if you encrypt the PAN
  • Issues related to application lifecycle management
  • Areas where documentation is often insufficient
  • And much more

Meeting the New PCI Application Security Requirements and Creating Secure Code
Diana Kelley, Partner, SecurityCurve

Next week, the new PCI 6.6 requirements for application security go into effect. PCI 6.6 has been the subject of some confusion for merchants trying to interpret the requirements and how to secure Web-facing applications. This is a problem that financial organizations have been grappling with for some time: how to protect access to data stores that are increasingly integrated with web-enabled front-ends for all levels of access, including customers, private clients, and financial partners. Financial institutions also have a high rate of custom-created code running these web applications, where a few errors in the code could expose millions of dollars of assets to attack.

In this session, Diana Kelley will explain web-application security, PCI requirements 6 and 6.6, and the PA-DSS, and why creating secure code is essential to protecting assets. She will provide an explanation of how security, more generally, can be woven throughout the software development lifecycle and explain some of the most common web application security vulnerabilities, including the OWASP Top Ten. Finally, she will present an overview of web application penetration testing tools specifically created to help organizations test and monitor web applications, and how entities can get the most value from the tools and meet the latest PCI requirement.


Network Security Workshop

Many organizations take a "reactive" approach to threats and vulnerabilities, an outdated approach that leaves high-value data and intellectual property exposed. This workshop explores how to build and maintain a more agile, proactive defense model that reduces the risk of malware, application attacks and emerging Web 2.0 threats.

Five Myths of Threat Management
Joel Snyder, Senior Partner, Opus One

There are many common misconceptions thrown at you every day about how to protect your organization. In this dynamic session, Snyder helps to demystify these defenses and gives you the straight answers. He reviews:

  • Intrusion Defense
  • Malware protection
  • Application layer threats
  • How to deal with upcoming threats
  • Budget issues
  • And more

Bringing Operational Discipline to Network Security
Christofer Hoff, Chief Security Strategist, Unisys

Christofer Hoff, chief security strategist for Unisys and former CISO for a $25 billion financial services company, will explain how to apply operational discipline to network security. He explores real-world examples of transforming the operational discipline of information security and building the foundation for service improvements. This practical case study introduces innovations in network and risk analytics that get to the root of change and risk management - transforming today's labor-intensive efforts of guesswork into predictable, automated, risk-driven business processes.


Data Protection WorkShop

The financial sector is largely data-driven, and transactions and customer data touch many hands within an organization. This only underscores the need for a strong data protection, data classification and data leakage strategy for financial firms. The data protection workshop helps you unravel the complexities of creating a data protection program from cradle to grave.

Understanding and Selecting a Data Loss Prevention Solution
Rich Mogull, Principal of Securosis

As networks become more porous and traditional network perimeters crumble, financial institutions are looking for ways to protect customer information from insider threats, accidents, and external attack. In this session, Rich Mogull will look at Data Loss Prevention (DLP), one of the hottest technologies for limiting information loss. We'll explore the top five features to look for, how to run a selection process, and how to optimize your solution for the needs of financial services organizations. Attend and learn:

  • How DLP tools protect data in motion, data in use, and data at rest
  • Limitations of host-based or network-based approaches
  • How to integrate DLP with enterprise infrastructure such as email or document management systems
  • How DLP tools can help identify bad business practices that place sensitive data at risk
  • How the tools can help with compliance demands

Case Study: Allstate Insurance Company's Local Data Protection (LDP) Project
Eric Leighninger, Chief Security Architect, Allstate Insurance Company

Financial services companies have been under siege in terms of trying to meet the protection requirements for sensitive corporate and personal data imposed by statutes such as CA 1386, Sarbanes-Oxley and GLB, state and federal banking and insurance regulations, industry standards such as PCI, and competitive market pressures. Protecting data-at-rest, data-in-transit and data-in-use in large, information-intensive enterprises is a daunting challenge from technological as well as financial perspectives.

In this session you will hear from Eric Leighninger, chief security architect for Allstate Insurance Company on how his company is attacking this problem in general and in particular with regard to data-at-rest on mobile devices and removable media. In this role he is responsible for creating and articulating the information security architectural vision, communicating that vision to the enterprise, creating security architecture models and roadmaps, recommending security technology options and validating information security architectures against enterprise requirements.

Attacking the data-at-rest protection problem requires a combination of encryption and compensating control mechanisms such as data obfuscation, filtering and masking. Allstate, like many comparable companies, has developed a data encryption strategy that takes into account the sensitivity and value of the data itself, the context in which it is used and the associated risk of compromise. In the context of mobile devices such as laptop computers and USB storage media, local data encryption is an effective tool for protecting corporate data on mobile media that is inadvertently lost, intentionally stolen or maliciously attacked. Leighninger will discuss Allstate's Local Data Protection (LDP) Project, which dealt with laptop and media encryption, with an emphasis on:

  • A description of the problem to be solved and its relationship to the larger set of enterprise data protection considerations
  • Technical and procedural challenges and issues that arose
  • An overview of the project, implementation and support issues that arose during test and deployment of the encryption solution
  • Lessons learned

Risk/Governance Workshop

Many today argue that managing and prioritizing spending and security programs based on risk is the only way that makes sense. This workshop explains how to build a risk-based approach in your organization where you engage the proper business areas to ensure appropriate governance.

Creating Successful Information Security Governance
Eric Holmquist, Vice President, Director of Operational Risk for Advanta Bank

More than ever, information security in financial services requires a thorough combination of governance elements, including policies, procedures, technology and, most importantly, training and awareness. In this session, Eric Holmquist will explore the key elements of sound information security governance and how to successfully manage and coordinate all of these complex and important elements. Topics include:

  • Designing an effective governance structure
  • Managing to more than just regulatory compliance
  • Creating effective control and monitoring elements

Lessons Learned from Societe Generale
Keith White, Vice President of Information Technology Risk, Credit Suisse

The events at Societe Generale that led to an unprecedented $7 billion loss have been labeled as a failure of IT, process controls, management oversight and even management's crippling of the control program. In this session, Keith White will examine and analyze the published facts, taking into consideration principles of effective governance structures, compliance expectations, and control and monitoring strategies, all of which are critical to an effective information security program. Some of the questions that will be considered include the following:

  • What contextual elements may have contributed to the events leading up to the Societe Generale losses?
  • What is authorization "creep" and how does it occur?
  • How does collusion, or its absence, increase or decrease the IS aspects of a risk scenario?