
Bank Compliance Association of Connecticut: Information Technology Compliance Seminar

Date

March 21, 2023

Presenters

Jason T. Clinton, CISA

Senior Manager

Meredith F. Piotti, CPA, CIA

Principal

Sean D. Goodwin, CISA, QSA, PCIP, CISSP, CCSP, GSEC, GCIH, GCIA, GCWN, GCCC, GCUX, GCPM, GDAT, GSE

Senior Manager

Description

Location: DoubleTree by Hilton Hotel, Bristol, Connecticut

Jason will be speaking on the following topics:

Updates surrounding FFIEC Authentication and Risk Assessment guidance

The FFIEC released guidance in August 2021 entitled “Authentication and Access to Financial Services and Systems”. The guidance sets requirements for how financial institutions should risk-assess the authentication controls of their technologies based on various factors. This session will cover the risk assessment requirements established by the guidance, the types of authentication methods that can be utilized, and insights into what constitutes true multifactor authentication (MFA).

Best practices for defining and testing GLBA key controls

In the last year, regulatory agencies have placed a greater focus on key GLBA controls. This session will discuss how your institution should be identifying controls that are key to mitigating information security risks along with proper methods for testing the design and operating effectiveness of these controls. It also covers how key control testing should be integrated into periodic updates given to Board members and other risk governance committees.

Merry will be speaking on the topic of Model validation for security systems.

Institutions routinely use models for a broad range of activities to inform and improve business decisions, save money, and reduce the risks that they may face. Relying on models that are not working appropriately can impose costs, including the potential for unintended and adverse consequences from decisions based on inaccurate model output, particularly when it comes to security models.

Sean will be speaking on the topic of Whatever Happened Last Time, It Wasn’t a Penetration Test – demystifying what a penetration test really SHOULD entail.

One of the most awkward situations is when we complete our testing and have a laundry list of low-hanging fruit that needs to be fixed that previous vendors never brought up. This leads to fear, uncertainty, and doubt. Offensive security practitioners need to do a better job of partnering with clients to enable them to make security a part of the business that helps it function better, not a cost center that is seen as a burden. Our job is not to play “Gotcha!”; it is to help security teams build trust within their organizations that will holistically create a secure environment for all.

This program has been approved for 5 CRCM CE credits by the American Bankers Association.
