WHAT YOU WILL LEARN:
- U.S. Information Security Laws and Regulations
- Information Security Program Components
- Security Awareness Programs
- IT Audit
- Social Engineering
- Preparing for your IT Examinations
- Running Effective IT and Audit Committees
If session dates do not work for you, please contact the institute:
Email: firstname.lastname@example.org, Phone: (605)269-0909
If you are interested in being invoiced rather than paying online please use coupon: InvoiceMe
By purchasing this certification, you are hereby agreeing to the policies and procedures of the SBS Institute. Click HERE to read and review.
Module 1 – Building an Information Security Program
Lecture 1 – Regulatory Overview and ISP
We begin our discussion with an analysis of GLBA and the requirements established by the safeguards rule. Then we evaluate the information provided by the FDIC, OCC, and Federal Reserve designed to address GLBA and help institutions document a comprehensive information security program. Additional resources from NIST, SANS, ISO, and other entities that have built frameworks for information security are evaluated. The objective of this section is to equip students with tools to help them construct a risk-based information security program that is right for their size and complexity.
Assignment 1: Policy Writing Exercise
Module 2 – Risk Management
Lecture 1 – Risk Assessments
The risk assessment discussion begins with an analysis of the regulatory requirements to conduct a risk assessment. We will supplement NIST 800-30 guidance to help construct a repeatable risk assessment methodology for financial institutions. We will look at asset-based risk assessment methodologies that help identity critical it assets, their importance, and known impact and probability of threats, to identify inherent risk. We then identify current controls in place to calculate residual risk, measuring this against board approved risk appetite. Students will exercise the discussed methodology in scenario based exercise.
Lecture 2 – FFIEC Cybersecurity Assessment
This module will also review the guidance and process established by the FFIEC for completion of the Cybersecurity Assessment Tool. It is also critical to build a governance program to ensure a consistent methodology is followed, reports are taken to appropriate channels, gaps are identified an a managed, and improvements are made to the overall information security program. Policies will be discussed to manage the cybersecurity assessment process and students will step through the inherent risk and cyber maturity questions for baseline controls.
Assignment 1: Risk Assessment Exercise
Module 3 – Third Party Management and BCP
Lecture 1 – Third Party Management and BCP
Third Party Risk Management processes are discussed from guidance provided by regulatory agencies, to build a program for selecting new relationships and managing existing ones. Ideas for each step of the process will be discussed and focus is given to building a model that provides the same level of assurances around security as if the product/service was conducted in-house. This includes leveraging the already discussed risk assessment process on the third party, examination reports, SSAE16 (soon SSAE18) reports, internal or external IT Audit reports, and so forth. Attendees will learn to identify issues and manage those risks within their risk appetite levels.
Business Continuity and Disaster Recovery are discussed in this next section. The FFIEC BCP Appendix J (Third Party Management) guidance is evaluated to ensure we connect and integrate cybersecurity risk and the need to understand dependencies on third parties in our business continuity planning. The FFIEC guidance is explored to build a process around Business Impact Analysis, Risk Assessment, Risk Management, and Testing.
Assignment 1: Third Party Management Exercise
Module 4 – Incident Response and Network Security
Lecture 1 – IRP and Network Security
This section will discuss building an incident response policy and detailed procedure for a financial institution. We will examine threats against the institutions network, third party breach notification procedures, CATO incident, and physical losses. Banking regulations are augmented with NIST 800-61 to build a robust IRP.
Customer and Employee Security Training and Awareness models are also discussed in this section. These programs must mature beyond the annual training sessions to become a continual learning program reminding people about the current and evolving threats we face and re-enforce the policies and procedures created by the institution to manage those risks. We explore ideas to build a continuous learning approach.
Last major topic in this section is Network Security. We explore the FFIEC guidance and supplemental regulatory guidance over the years. We put additional focus on other resources that management can use to guide its network security efforts. Resources such as NIST 7621 small business security standard, SANS (CIS) Top 20 Controls, and emerging advanced control ideas.
Module 5 – Security and Technology Trends
Lecture 1 – Security and Technology Trends
This section reviews hot topics in cybersecurity areas and goes over these threats in details. ATM Fraud, CATO, Ransomware, ATP Threats like Carbanak, Malware Attacks, Phishing Campaigns, Wire fraud and many other issues discusses and their associated guidance reviewed.
Assignment 1: Ransomware Guidance GAP Exercise
Assignment 2: FBI Wire Guidance GAP Exercise
Module 6 – Audit
The Audit section is one of the 3 pillars of this course. A strong program is driven by a risk assessment, which creates documented policies and procures, and audit comes in to validate those controls are implemented and adequate to protect to institution. We will discuss the auditing of people, process, and technology. First is the process with the IT Audit on policies and procedures. Then technology with Network Assessments like vulnerability assessment and Penetration Testing, and lastly people are tested with social engineering. We will also talk about specific audit items from FFIEC CAT, such as firewall reviews and access control audits.
Lecture 1 – Auditing Components
Assignment 1: Audit Exercise
Module 7 – Governance Structure and Enterprise Risk Management
Lecture 1 – IT Governance and ERM
Assignment 1: Audit Exercise
Module 8 – Board Involvement in Information Security Programs
Lecture 1 – Board Involvement
We will dive deeper into the governance challenges faced by financial intuitions today to give practical examples of information that should be communicated to the board and how to drive more “creditable challenge” and involvement by the board into the institution. We will apply the previous sections of this course in a review type process that has a board and executive level perspective, to ensure we involve them at the proper level and communicate responsible amounts of information.
Module 9 – InTREx Examination Process
The FDIC has released a new examination process which includes a risk-based approach to scoping the examination. This program consists of multiple parts with an inherent risk assessment process and control evaluation. We will examine these questions and control, walking through the process together. Students will be given a scenario and asked to facilitate an examination.
Assignment 2: InTREx Exam Exercise
Comprehensive 100 Multiple Choice Exam
Your cart is empty