Workshops / Seminars
*Program descriptions are for “full
day” workshops. For sessions, the
program will be scaled down . . .
but the objectives will be the same.
Risk Management Program
Full day and 1 hour, 15 min.*
Title: Building your IT Risk Management Program
Audience: Information Security Officers, Compliance
Officers, IT Managers, Small Bank Presidents
Description: Technology permeates the operations of the entire institution and defies departmentalization. Technology enables you to develop, deliver, and manage your products and services. An effective IT risk management process should identify, measure, control, and monitor operations risk.
The standards themselves call for a risk assessment of all electronic banking applications. It also says – The risk assessment process should:
- Identify all transactions and levels of access associated with Internet-based customer products and services;
- Identify and assess the risk mitigation techniques, including authentication methodologies, employed for each transaction type and level of access; and,
- Include the ability to gauge the effectiveness of risk mitigation techniques for current and changing risk factors for each transaction type and level of access.
Agenda:
- The FFIEC Standards and Effective Risk Management Strategy
- Management Awareness Training
- Vulnerability Assessments and other Tests
- The Risk Analysis Procedure
- GLBA / BSA / OFAC / Patriot Act Risks
- Risk Metrics
- Risk ranking
- Executive Summary
- Safeguard implementation
Deliverables:
- Board-level Risk Management Policy
- Procedure-level Risk Analysis Procedure
- Gap Analysis on Your Existing Policy/Procedure
- GLBA / BSA / OFAC / FACTA / Patriot Act Risk Assessment Boilerplates with benchmarks
- Vulnerability Assessment Program/Procedures
Vendor Management Program
Full day and 1 hour, 15 min.*
Title: Building your GLBA Vendor Management Program Audience: Compliance Officers, Information Security Officers, Small Bank Presidents
Description: Today’s financial institutions are relying heavily on vendor partners to perform tasks ranging from the mundane to handling critical processes and information, including nonpublic customer information. With this growing trend comes increasingly stringent regulations governing the security of customer data. And, according to the FFIEC, you are responsible for establishing and approving a risk-based policy to govern the vendor process.
An effective vendor management program should provide the organizational framework for Management to identify, measure, monitor, and control the risks associated with vendor relationships.
Agenda:
- Risk Management Basics
- Vendor Risks
- Governing Threshold
- Policy and Procedure
- Vendor Owners
- The Due Diligence Process: Pre-contract, Contract, Post-contract
- Streamlining the Process
- Checklists
Deliverables (Templates)
- Board-level Vendor Management Policy
- Vendor Management Procedure
- Vendor Contract
- Vendor Nondisclosure Agreement
- Vendor Due Diligence Checklist
- Access to our Workshop Portal and Appropriate Boilerplates
IT Audit Program
Full day and 1 hour, 15 min.*
Title: Building your IT Audit Program
Audience: Information Security Officers, Compliance Officers, IT Managers, Small Bank Presidents
Description: A well-planned, properly structured audit program is essential to evaluate risk management practices, internal control systems, and compliance with corporate policies concerning IT-related risks at institutions of every size and complexity. Effective audit programs are risk-focused, promote sound IT controls, ensure the timely resolution of audit deficiencies, and inform the board of directors of the effectiveness of risk management practices. An effective IT audit function may also reduce the time examiners spend reviewing areas of the institution during examinations. Ideally, the audit program would consist of a full-time, continuous program of internal audit coupled with a well-planned external auditing program. The problem is, how do you design an audit program that doesn't develop a life of its own?
Agenda:
- The FFIEC Standards and Effective Risk Management Strategy
- Management Awareness Training
- Controls reviews, Vulnerability Assessments, and other Tests
- Choosing the External Auditor
- Information Technology Certifications
- Risk Metrics
- Properly reviewing an Audit Report
- Writing the Management Response
- Audit Tracking Programs
Deliverables (Templates):
- Board-level IT Governance Policy
- IT Audit Procedure
- Management Response Template
- Non-disclosure and Audit Engagement Templates
- Audit Tracking Program Template
- Access to our Workshop Portal and Appropriate Boilerplates
User Awareness Program
Full day, 3 hour, and 1 hour 15 min.*
Title: Building your IT Risk Management Program
Audience: Information Security Officers, Compliance Officers, IT Managers, Small Bank Presidents
Agenda:
- The importance of User Awareness.
- What should be allowed or disallowed.
- Making it fun!
- The Acceptable Use Policy.
- Due Diligence Testing
Deliverables:
- Acceptable Use Policy
- Acceptable Use Policy Comprehension Test
- Identify Theft Prevention Brochure
- User Awareness Training PowerPoint
- User Awareness Training Comprehension Test
Board Training
1 hour, 15 min.*
Title: Information Security for the Board of Directors
Description: The information security risks inherent in a Bank’s Information System can be substantially mitigated by the creation, training, enforcement, and updating of Board-level policies that require documentation and enforcement of procedures at the management and user-level. These high-level policies should be written so board members control risk management and IT governance objectives, and management can have the flexibility to implement and enforce them.
Deliverables:
- Information Security Risk Management Policy
- Information Security Program
Biographical Sketch of Speaker
Dan Hadaway, CISA, CISM
Managing Partner of infotex
Dan has worked extensively with banks on policy issues, engaging on projects
ranging from gap analysis to developing a full policy set for denovo banks.
He is the lead auditor for the firm. He can tailor his consulting to any
size bank, working on simple user-level policies with banks as small as one
location to overseeing the entire IT strategy for a publicly held company.
He has provided management-level regulatory compliance training for Fortune
500 companies as well as user-level awareness training for the smallest of
banks. His strength is helping banks decide where in the
"security/compliance spectrum" they should be. He has helped develop risk
management programs and processes for banks as large as 2.5 billion and as
small as 26 million in assets.
He is the Managing Partner of infotex, an Indiana Bankers Association Preferred Service Provider in several areas, including Information Security Training.
Infotex Portal Articles
