4 Century Drive
Bristol, CT 06010
Thomas Pinkowish 203-246-6057
David Larocque - 617-226-0831
Bank Compliance Association of CT
info_bcac@bcac-ct.org
“Whatever Happened Last Time, It Wasn’t a Penetration Test” – demystifying what a penetration test really SHOULD entail
One of the most awkward situations is when we complete our testing and have a laundry list of low-hanging fruit that needs to be fixed that previous vendors never brought up. This leads to fear, uncertainty, and doubt. Offensive security practitioners need to do a better job at partnering with clients to enable them to make security a part of the business that helps it function better, not a cost center that is seen as a burden. Our job is not to play, "Gotcha!"; it is to help security teams build trust within their organizations that will holistically create a secure environment for all.
Updates surrounding FFIEC Authentication and Risk Assessment guidance
The FFIEC released guidance in August 2021 entitled "Authentication and Access to Financial Services and Systems". The guidance set requirements for how financial institutions should risk assess the authentication controls of technologies based on various factors. This session will cover the risk assessment requirements established by the guidance, types of authentication methods that can be utilized, and insights to what constitutes true multifactor authentication (MFA).
Model validation for security systems
Institutions routinely use models for a broad range of activities to inform and improve business decisions, save money, and reduce the risks that they may face. Relying on models that are not working appropriately can impose costs, including the potential for unintended and adverse consequences from decisions based on inaccurate model output, particularly when it comes to security models.
Best practices for defining and testing GLBA key controls
In the last year, regulatory agencies have placed a greater focus on key GLBA controls. This session will discuss how your institution should be identifying controls that are key to mitigating information security risks along with proper methods for testing the design and operating effectiveness of these controls. It also covers how key control testing should be integrated into periodic updates given to Board members and other risk governance committees.
Member Price: $95.00 Non-Member Price: $145.00
FEATURED SPEAKERS
We're pleased to have as our presenters from Wolf & Company, P.C.: Jason Clinton, Senior Manager, IT Advisory Services Group; Sean Goodwin, Senior Manager, DenSecure Group; Meredith Piotti, Principal, Advisory Group.
Jason is a Senior Manager in Wolf's IT Advisory Services Group where he is responsible for coordinating and executing IT audit services for financial institutions, healthcare SaaS organizations, and fintech organizations. He has 11 years of experience providing IT audit services and specializes in facilitating and performing System and Organizations Control (SOC) readiness assessments and reports. Jason also provides IT services that focus on information security practices, risk assessments, vendor management, application management, and internal control testing (FDICIA/SOX).
Sean is a senior manager in Wolf's DenSecure Group. His role entails developing security reviews and managing projects including security reviews (e.g., Active Directory, firewall configurations, etc.), vulnerability assessments, and penetration tests. Sean is also Wolf's Lead QSA, where he is responsible for carrying out PCI DSS audits and mentoring Associate QSAs.
Meredith is a principal in Wolf's Advisory Group and serves on the Firm's Internal Audit Team, where she provides internal audit, consulting, and risk management services to clients. She also oversees the Firm's data analytics team - combining operational and technological knowledge to perform model validation reviews, conversion testing, and incorporate analytics into audits. With over 13 years of experience in the field, Merry works with clients to provide full internal audit services, supplement internal audit capabilities, assist with specialized reviews, and develop risk-based audit plans with outsourced and co-sourced internal audit departments.
WHO SHOULD ATTEND
Operations Officers, Compliance Officers, Risk Officers, Information Security and Technology Professionals, IT Professionals, and Vendor Management Professionals.
AGENDA
8:30 - 9:00 Registration
9:00 - 10:00 "Whatever Happened Last Time, It Wasn't A Penetration Test"
10:00 - 11:00 Updates surrounding FFIEC Authentication and Risk Assessment Guidance
11:00 - 12:00 Model validation for security systems
12:00 - 1:00 Best practices for defining and testing GLBA key controls
1:00 - 2:00 Lunch
Please submit your questions in advance to info_bcac@bcac-ct.org.
POLICIES
Membership: Membership is on an individual basis. Program registration substitutions (one person attending in lieu of another) are not permitted. To become a BCAC member, please use this link: JOIN BCAC
Payment Policy: The BCAC will not be able to accommodate individuals/organizations who have not paid in full for prior registrations.
Refund Policy: A refund will be issued if you contact the program chairperson at least 72 hours prior to the scheduled program. The refund will be in the form of a credit toward a future meeting.
Cancellation Policy: If the program is canceled, it will be canceled one day prior to the program and registered attendees will be notified by email when possible. Notification will be sent to all members announcing the rescheduled program. At the discretion of the BCAC, a refund will be made, or credit will be given for a future program.
Any reference to any person, or organization, or activities, products, or services related to such person or organization, or any linkages from any presentations to the web site of another party, do not constitute or imply the endorsement or recommendation by BCAC or any of the Board of Governors.