GovInfoSecurity.com - Information Security News, Regulations, & Education

Editorial Staff

A veteran journalist with more than 14 years experience, Tracy Kitten most recently covered the ATM and financial self-service industries as the senior editor of ATMmarketplace.com. During her six-year tenure with ATMmarketplace.com, Kitten reported extensively about ATM security and regulatory issues facing the global ATM market. She also played an instrumental role in promoting the site's social media presence and was at the forefront of the development of ATMmarketplace.com's videos, podcasts and webinars. She was a regular presenter at conferences hosted by the global ATM Industry Association and was the keynote speaker at ATMIA's U.S. and Canadian conferences in 2009. She also has spoken at events hosted by Bank of America, Credit Union Conferences and PULSE, and has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Tom Field is an award-winning journalist with over 20 years experience in newspapers, magazines, books, events and electronic media. A veteran community journalist with extensive business/technology and international reporting experience, he has written news, sports, features, fiction and analysis for publications ranging from Editor & Publisher to Yankee Magazine, and he has held editorial management positions at weekly and daily newspapers, as well as a global business/technology magazine. An accomplished public speaker, Field has developed and moderated scores of podcasts, webcasts, roundtables and conferences, and he has appeared on C-SPAN, The History Channel and Travel Channel television programs.

Eric Chabrow is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek. Chabrow was an editor on the team that developed Time Inc.'s teletext information service, a precursor to today's Internet news and information websites. A one-time college journalism teacher, Chabrow worked for daily newspapers, as a business editor in New Jersey and as a government and general assignment reporter in Delaware, Pennsylvania and Ohio. Chabrow anchored, reported and produced news segments for The News Show, a daily webcast that covered business technology.

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Howard J. Anderson has more than 32 years of journalism experience, primarily covering healthcare topics. He was the founding editor of Health Data Management magazine, where he served in several leadership roles, including publisher, for 17 years. Previously, he worked at three other healthcare magazines. He was lead editor at Healthcare Financial Management and a reporter for Modern Healthcare and Hospitals magazine (now H&HN). He also covered healthcare and business issues for three daily newspapers in Illinois. He hold's a bachelor's degree in journalism from the University of Illinois and a master's degree in management from DePaul University.

Upasana Gupta is an HR professional who has successfully represented Fortune 2000 companies, information security services companies and large technology firms in enabling them to locate, attract, hire and retain top-level Information Security and IT talent. In addition to her recruiting background, she also writes and is a contributing editor at Information Security Media Group, specializing in career matters and emerging roles within the information technology and security community. She holds an MBA in Human Resources from Maharishi University of Management.

Karyn Murphy is a seasoned writer with experience spanning 20 years. She's spent most of that time in the high-tech field learning the ins and outs of every "next big thing" - from wireless fraud detection technology to Internet security applications. An evangelizer of safe technology use, Karyn has logged many hours with financial institutions discussing the customer impact of technology. Her background culminates in a unique perspective that brings together a nuts and bolts understanding of technology and how that technology is applied in the real world. Karyn holds a degree in Business Administration with concentrations in journalism and computer science from St. Bonaventure University.

Contributors

Based in Manhattan, Aiello has more than 15 years of financial services and banking experience. Currently the AML/BSA Compliance Officer for Private Banking at Commerce Bank, Mr. Aiello draws on his broad-based experience that has ranged from accounting and operations management and includes the last several years in enterprise risk management and compliance functions.

As a risk manager, he first developed risk assessments that focused on the operations function. With the passing of the Sarbanes-Oxley Act, the focus expanded to include financial reporting and data integrity analysis and assessment. In his most recent position, Aiello has updated his focus to Anti-Money Laundering and Bank Secrecy Act related compliance.

Philip Alexander began his career in computers back in the late 1980s while serving in the U.S. military. Since then he has worked in both the public and private sectors in positions including; engineer, project manager, security architect, and IT director. He currently works for a major financial institution as an Information Security Officer.

Phil is also an avid public speaker, and regularly presents at security conferences around the country and abroad. He has published a number of information security articles as well. Phil is also the author of Data Breach Disclosure Laws – a State by State Perspective. His second book, Information Security: A Manager’s Guide to Thwarting Data Thieves and Hackers is due out early in 2008.

Paul Angiolillo is a writer and editor with 20-plus years of experience at newspapers, magazines and newsletters, private companies, and academic organizations. He has held positions at M.I.T.’s TechnologyReview.com, Global Insight (formerly DRI, Inc.), BusinessWeek magazine, The Boston Globe, and Data General Computer Corp. Paul is a graduate of Yale University, with a BA in English.

A Master Certified Novell Engineer and a Cisco Certified Network Associate, Pete Boergermann currently holds the position of MIS Technical Support Manager and IT Security Officer at a mid-sized Community Bank in Pennsylvania. He actively serves on the Pennsylvania Bankers Association's Member Services Policy Committee. Pete has served on the Pennsylvania Bankers Association's Technology and Operations Committee for several years, chaired the committee, along with writing several articles for the PBA magazine. He has over ten years of experience in network development and implementation.

Betsy Broder is an Assistant Director in the Federal Trade Commission’s Division of Privacy and Identity Protection. In this capacity she helps coordinate the agency’s law enforcement and outreach efforts on privacy issues, including data security, identity theft, and pretexting. She also oversees the FTC’s other identity theft initiatives such as coordination with criminal law enforcement agencies and consumer education. She has testified before Congress and has been interviewed in television, newspapers and radio for reports focusing on identity theft and consumer fraud. Broder formerly served as Assistant Director of the FTC’s Division of Planning and Information, where she helped develop the agency’s identity theft program, and also coordinated the collection and analysis of consumer complaint data and other intelligence functions.

Ericka Chickowski is an experienced business and technology journalist who focuses on information security. Formerly the West Coast Bureau Chief for SC Magazine, her work has appeared in several dozen publications, including the Seattle Post Intelligencer, San Diego Business Journal, Puget Sound Business Journal and Processor.

Juan Deaton is a graduate from University of Idaho with a BSEE and is currently employed as a Cellular Systems Engineer at the Idaho National Lab's Next Generation Wireless Test Bed. Before working at the INL, Juan worked for Motorola's CDMA Cellular infrastructure group where he developed system requirements and planned and executed beta tests for new infrastructure equipment and VoIP using EVDO for Verizon Wireless. In his current assignment at the INL, Juan is analyzing options for using an airborne wireless node for emergency communications and researching vulnerabilities of VoIP applications for the Department of Homeland Security Directorate of the INL.

Jennie is a teaching assistant for the SANS Institute Rochester in security essentials and system forensics. Her experience in the areas of IT auditing, information security, computer forensic investigations, information privacy, compliance, and training and awareness come from her work in the financial, manufacturing, and academic fields. Her prior experience includes working in the commercial sector as a computer forensic investigator, Security SME, network and system administrator, Sr. IT Auditor, and Regulatory Content Manager. She holds a BS/MS in IT from RIT. In addition, to her SANS teaching, she consults to several companies on information security issues and writes certification exam questions for both SANS and ISACA.

Larry Detar is an IT Security Manager with Clifton Gunderson LLP, Southwest Client Service Center. He plans, implements, and conducts network data security and general Information Systems controls reviews including vulnerability assessments and penetration testing. Larry has worked in the Information Technology industry for over 22 years, 14 of which were with the United States Army Military Intelligence Corps. He instructs Ethical Hacking and Countermeasures courses for the EC Council and is a Licensed Penetration Tester, Microsoft Certified Systems Engineer and former Microsoft Certified Trainer. He has spoken before the National Association of Federal Credit Unions (NAFCU), the Credit Union Internal Auditors Association (CUIAA) and numerous Credit Union leagues. A member of the International Council of E-Commerce Consultants, he was a guest speaker at H@cker Halted International Security Conferences in Mexico City, Singapore and Dubai, U.A.E. on the subjects of data security, network defense and social engineering.

Amy Friend is Assistant Chief Counsel at the Office of the Comptroller of the Currency. She has been with the OCC since 1998. She is a co-chair of the OCC's Privacy Working Group and chair of the Legislative Advisory Group. Previously she spent 10 years working for the House of Representatives as Minority general counsel, Committee on Banking & Financial Services; Counsel to the Subcommittee on Crime; Legislative director to Congresswoman Rosa DeLauro; and Legislative assistant to Congressman Charles Schumer. Prior to her time on Capital Hill, she was an associate at Jenner and Block, and also at Brownstein, Zeidman & Schomer.

Officer Michael R. Grigsby of the Somerset Police Department has spent the last 14 years in the field of criminal justice. In addition to being a police officer, he has previously served as the Community Service Coordinator for the Commonwealth Attorney's Officer of the 28th Judicial Circuit. Officer Grigsby is a published author in a variety of academic, trade and professional publications regarding Internet and cyber crime. He has also provided lectures on a variety of topics including Risk Assessments, Cyber Crime Prevention, and Environmental Safety and Awareness both at a state and national level. Officer Grigsby is a graduate of Eastern Kentucky University with Degrees in Corrections and Police Administration, and graduate work in the area of Asset Protection.

William Henley has spent his entire professional career as a financial institution regulator. Henley is the Director of IT Risk Management for the Office of Thrift Supervision. In his role as the Director, Henley serves as the principal advisor regarding the development, implementation and maintenance of policies, procedures and guidelines pertaining to the examination and supervision of saving associations in the area of Information Technology (IT) and Technology Risk Management, including electronic banking activities; and is the OTS representative to the FFIEC IT Subcommittee. Prior to joining the OTS, he spent more than 17 years with the FDIC, including 9 as a Bank Examiner; and 8 years in various positions including Examination Specialist in both the Planning and Program Development Section and in the Technology Supervision Branch, and the acting Section Chief of the Capital Markets Policy Branch.

Rebecca Herold is an information, security, privacy and compliance analyst, author and instructor with her own company. Herold is also an adjunct professor for the Norwich University Master of Science in Information Assurance program. She has provided information security, privacy and regulatory services to organizations from a wide range of industries throughout the world. Herold has more than 15 years of information privacy, security and compliance experience. She was instrumental in building the information security and privacy program while at Principal Financial Group.

Omar Herrera is an information security officer working for the central bank of Mexico. He has previously worked as information security consultant for Deloitte and is member of the OISSG. He is experienced in technical information security assessments, risk analyses, incident response team management, technical security training and malicious software analyses.

Dr. Markus Jakobsson is Associate Professor at Indiana University’s School of Informatics Dr. Jakobsson is also Associate Director of the Center of Applied Cybersecurity Research, and founder of RavenWhite, Inc. He is the inventor or co-inventor of more than fifty patents, has served as the Vice President of the International Financial Cryptography Association, and is a Research Fellow of the Anti-Phishing Working Group. Prior to his current position, he was Principal Research Scientist at RSA Laboratories, a member of technical staff at Bell Laboratories, and Adjunct Professor at New York University. His latest book, Phishing and Countermeasures was released last year. Professor Jakobsson researches fraud, social engineering and phishing, and the prevention of these attacks. He has laid the foundations to the discipline of how to perform experiments to assess risk arising from sociotechnical vulnerabilities in the context of current and potential future user interfaces. He consults to the financial industry and heads the efforts at www.stop-phishing.com.

As Director Information Security of Synovus Financial, Steven Jones holds responsibility for the company's organizational policy, risk management, security awareness, identity management, disaster recovery, and other areas of risk management. As a member of senior management, he aids in technology planning, regulatory compliance, business solution delivery, policy, and strategy. Mr. Jones joined Synovus Financial in 1995 before becoming Vice President, Director of Network Research & Development in 1999 and ultimately, Vice President Director Information Security in June 2001.

Mr. Jones has more than 10 years of IT & IS management experience in the financial services industry. Jones established a best of class security program to meet increasing industry regulations (such as SOX, GLBA, FFIEC, and SEC) and align with business needs through a risk based approach. Through innovative implementations of access and identity management technologies, Jones has enabled the business to bring low cost, secure, and compliant solutions to market quickly. He is active in organizations such as BITS, Information Risk Executive Council, ACH Data Security Rules Work Group, and serves on several advisory boards including SecureWorks and Blue Coat.

James Kist, CISSP, is a Senior Information Security Consultant with Icons, Inc. He has more than 15 years experience in Information Technology, with more than 10 years specializing in Information Security. He has authored courseware on several topics including network security, system security, web application security, and wireless network security. He regularly conducts penetration tests and vulnerability assessments on wired networks, wireless networks, and web applications for financial institutions. He is a Certified Information Systems Security Professional (CISSP) and is a SANS GIAC-GWAS (GIAC Web Application Security) Certified Professional. He holds a Bachelor's degree in Computer Science from University at Buffalo.

Jeffrey M. Kopchik is a Senior Policy Analyst in the Federal Deposit Insurance Corporation’s (FDIC) Technology Supervision Branch, Division of Supervision and Consumer Protection (DSC). Kopchik was the Team Leader of the FDIC’s 2004 study “Putting an End to Account-Hijacking Identity Theft.” He was the FDIC’s primary representative on the FFIEC staff working group that drafted the 2005 guidance on Authentication in an Internet Banking Environment. Kopchik was also involved in interagency rulemaking efforts to comply with the Fair and Accurate Credit Transactions (FACT) Act, and was involved in the creation and implementation of the Gramm-Leach-Bliley Act (GLBA) interagency information security guidelines, supervisory guidance on customer notice, FFIEC Business Continuity Planning Booklet, and FDIC guidance on wireless networks.

Warren has extensive experience in computer forensic cases involving some of the largest law firms and corporations in the world and has conducted forensic analyses globally in support of numerous cases, from civil disputes to criminal prosecutions at the federal level. He is the coauthor of “Computer Forensics: Incident Response Essentials,” an Addison Wesley textbook, and is a frequent lecturer on the subjects of computer forensics, incident response and cybercrime.

Adam Losner is the President and Founder of Finance Technology and Controls (FTC) Consulting, a firm specializing in Risk Management, Internal/IT Audit and IT Compliance to the Financial Services industry. Adam previously held roles as Chief Financial Officer and Chief Audit Executive at the Securities Industry Automation Corporation (SIAC) where he was responsible for all of the Corporation’s auditing activities. In these roles, he led the Corporation’s Sarbanes-Oxley 404 compliance efforts, and introduced COSO ERM and COBIT risk management frameworks to the Corporation.Prior to SIAC, Adam held various IT Audit and Systems Management positions in the United States and the United Kingdom at Long Island Savings Bank, Lex Service and Marathon Oil. Adam works closely with the Institute of Internal Auditors (IIA) on its International Advanced Technology Committee; and with the IIA, the Computer Security Institute and Symantec as a member of the Security Compliance Council. Adam holds the designation of CIA, CISA and CISSP and graduated MBA from Columbia Business School.

AVP, Regional Security Officer
TD Banknorth N.A, Springfield, Massachusetts

Kirk has been in his current position at TD Banknorth for 7 years, prior to that he was employed as Security Manager for the former SIS Bank in Springfield, Ma. Kirk is a retired U.S. Air Force Security Police Officer; during his 24 years of service he was involved in numerous security operations including Space Shuttle Security, Nuclear Weapons Security, and Personal Security for many distinguished visitors including Ronald Reagan, Bill Clinton, Dick Cheney, John McCain, Margaret Thatcher, and the Queen of England. In Nov 2001 after the 9/11 terrorist attacks, he was recalled to active duty with the Air Force and deployed to the Afghanistan Area of Operations in support of Operation Enduring Freedom. Kirk has been Board Certified as a Certified Protection Professional by ASIS International, and has been a guest speaker at ASIS International chapter meetings, US Postal Service Identity Theft seminars, The Southeast Cyber Crime Summit, The International Association of Financial Crime Investigators, The Northeast TRIAD Law Enforcement and Elder Affairs Organization, and other community affairs functions.

Andrew Miller is a freelance writer specializing in financial services and information technology. He holds an MBA from Columbia University and a Master's in computer science from Rensselaer Polytechnic Institute. He has held jobs at CMP Media, MetLife, and Gartner.

David has a total of 21 Years with FDIC, and served 13 Years as Safety and Soundness Examiner, three years as a Compliance Examiner, two years as an IT Examiner, and three years as an Examination Specialist in Washington Headquarters in the Technology Supervision and AML/Terrorist Financing Branches. Nelson is a graduate of Temple University and ABA Stonier Graduate School of Banking at Georgetown University. Prior to joining the FDIC, he served in the US Navy and US Naval Reserve. Nelson holds CISA and CISSP certifications and previously was a Certified Regulatory Compliance Manager.

Susan Orr is a leading financial services expert with vast regulatory, risk management, and security best practice knowledge and expertise. During her 14 year tenure as a bank examiner, Susan held lead positions including Regional IT Examination Specialist, Special Assistant to the Regional Director, Special Assistant to the Director of DSC, and Special Assistant to the Vice Chairman of the FDIC. Susan was also a lead instructor for the FDIC’s technology school and was instrumental in key industry initiatives such as the FDIC E-Risk Strategic Initiatives Risk Monitoring Committee, the Chicago Region Interagency Technology Group, and the Federal Financial Institutions Examination Council (FFIEC) IT Handbook rewrites. Prior to launching her consulting practice, Susan was Vice President of Regulatory Compliance at for an Internet security company. Susan retains close relationships within the FFIEC agencies as well as industry trade groups to stay abreast on new technologies, best practices, and regulatory issues.

Vincent is a senior team member and a security evangelist at Icons, Inc. – an Information Security consulting firm. Vincent routinely advises his clients in the banking sector on issues ranging from regulatory compliance to information security best practices. His area of expertise includes Information Technology Risk Management, Information Security Program Management and the overall Gramm-Leach-Bliley (GLBA) compliance at institutions ranging from the largest organization in the country to de novo banks.

Matthew Speare oversees security for M & T Bank Corporation, the nation's 17th largest bank holding company, based in Buffalo, New York. He is responsible for developing and sustaining an information risk program that effectively protects the personal information of millions of M & T Bank customers. His responsibilities include information security management, IT compliance and risk management, corporate emergency and incident response, and business continuity management.

Matt is also a Major in the Army National Guard, serving as the 42nd Infantry Division Aviation Operations Officer, and is a AH-64 Apache Attack Helicopter pilot.

Kevin Sullivan is an Investigator with the NY State Police and is the state investigations coordinator assigned to the NY HIFCA El Dorado Task Force in Manhattan. He has 20 years of police experience. Inv. Sullivan possesses a Masters in Economic Crime Management and is both a certified anti money laundering specialist and certified anti money laundering professional. He is also the director of AMLtrainer.com.

Anne E. Terwilliger, CISSP is President of Accentuate Security, an information security consulting firm that specializes in the development of information security policies, information security awareness programs, and compliance reviews. Prior to opening Accentuate Security, Anne served as the Vice President for Information Security Policy and Awareness at National City Bank in Cleveland where she developed an information security awareness program for its 33,000 employees. She was also the Information Security Officer for the United States and Europe for the Sumitomo Mitsui Banking Corporation in New York. She spent 12 years as the EDP Security Officer at the New York Clearing House, where she implemented security controls and an awareness program for CHIPS (the largest private international interbank payment systems in the US) and ACH (US domestic funds transfer system.)

Tom Walsh, CISSP, is president of Tom Walsh Consulting, an Overland Park, Kan.-based firm that advises healthcare organizations on risk management strategies. He has conducted numerous courses on HIPAA compliance. Walsh serves as information security officer at San Antonio Community Hospital on an outsourced basis. He is one of the authors of a new book, "Information Security in Healthcare: Managing Risk," published by the Healthcare Information and Management Systems Society.

Marcia J. Wilson is an Information Security Professional and a freelance writer. Her expertise includes network security assessments, information security policy and procedure development, business continuity and disaster recovery planning as well as security awareness training for small and medium sized companies.