Susan Orr Consulting, Ltd.
3108 St. Rt. 59, Ste 124-223
Naperville, IL 60564

Biographical Information

Susan Orr is president of Susan Orr Consulting, Ltd., an IT regulatory compliance consulting and IT audit firm for the financial services industry. Susan is a former FDIC bank examiner, with over 18 years of examination, auditing, and risk management experience. In addition to her bank examiner credentials, Susan is a Certified Information Systems Auditor, Certified Information Security Manager, and a Certified Risk Professional. Susan is also a frequent speaker at financial institution conferences and has presented hundreds of seminars and webinars besides performing IT audit and data security reviews across the U.S.


Speaking Topics


Sample of Topics

Below is a sample listing of the topics available; please contact Susan if there are other topics you are interested in.

1. Title:

Preparing for Your Next IT Examination

This presentation will provide practical information for preparing for your next IT examination regardless of whether you are examined by the FDIC, FRB, OCC, OTS, or NCUA. It is very well suited for a full-day seminar and can be adjusted to fit any timeframe of one hour or more.

Description:

It is critical that banks have effective information security control systems in place, with detailed policies and procedures for monitoring and oversight, especially at a time when technology is changing rapidly and regulations and legal requirements are increasing. Regulatory examinations are now risk focused and generally concentrate on information management and security. In this seminar we will cover at a high level the areas typically addressed in an IT examination, focus on "examination hot spots", and review regulatory requirements.

Agenda:


Audience:

Senior management, operations, audit, compliance officers, IT staff, and anyone else responsible for preparing for and overseeing the examination program.




2. Title:

Network and Internet Security Best Practices

In this presentation we will provide information on the current threat landscape, regulatory hot spots, and take a look at some of the challenges and solutions available.

Very well suited for a full-day seminar; it can be adjusted to fit any timeframe of one hour or more.

Description:

Security breaches, identity theft, and data leakage dominate the headlines. All the while, regulatory requirements increase, and those responsible for security try to keep pace. Along with protecting your customers from unauthorized access to their information and from identity theft, you also need to be protecting the institution's intellectual and proprietary information and ensuring your reputation stays above reproach. With so many solutions and vendors available, how do you choose? What should you be concentrating on? What are the real threats? Is there a way to spend our dollars and direct our resources effectively and efficiently?

In this presentation we will cover some of the threats facing institutions today and explore some of the methods for securing your network and protecting your valuable information assets.

Agenda:


Audience:

Senior Management, IT and operations personnel, information security officers, auditors, compliance officers, network administrators, and anyone else interested in or responsible for implementing and overseeing network security.




3. Title:

What's Up With Identity Theft and What Can We Do

Description:

Identity theft is reaching epidemic proportions. Millions of Americans have become victims, and the count continues to rise. The threat landscape is changing so rapidly that security experts say this is just the tip of the iceberg. The types of attacks are becoming less sophisticated and more blended; however, the payload from the attacks is becoming more profitable. Once upon a time the goal was purely recognition or the challenge; now it is financial gain. And now there are the new requirements for implementing a written ID Theft Prevention Program complete with identified "Red Flags".

This program is a great supplement to the "Identity Theft Red Flags Prevention Program - What Does This Have to Do with IT?" presentation, as we will delve deeper into some of the ways ID theft is being committed and the controls you should consider.

Well suited for a full day when combined with "Identity Theft Red Flags Prevention Program - What Does This Have to Do with IT?". On its own, it can be adjusted to fit a one to three hour venue.

Agenda:

Audience:

Senior management, compliance officers, IT, risk managers, audit, anyone charged with developing the ID Theft Prevention Program and responsible for data security.




4. Title:

Identity Theft Red Flags Prevention Program - What Does This Have to Do with IT?

Description:

On November 9, 2007, the FFIEC agencies and the FTC issued the Final Rule on Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003. Many discussions have revolved around this being a consumer compliance issue, but is it? While FACTA is primarily directed at consumer compliance, there are many aspects of the new Identity Theft Prevention Program that weave into the world of information technology. In fact, you may already have many aspects of the requirements in place or at least have the framework.

This presentation is well suited for a one to two hour venue.

Topics to be covered:


Audience:

Senior management, compliance officers, audit, IT, risk managers, anyone charged with developing the program.




5. Title:

Emerging Threats and Data Leakage - Where Do You Stand?

Description:

The last 5-7 years have brought more changes in the banking world than any comparable period since the advent of banking. As financial institutions around the world strive to provide additional services in the "online" world, the threat landscape continues to evolve.

The financial services industry on the whole has taken significant steps to minimize fraud in its online business activities; nevertheless, the tactics being used are increasing and becoming more difficult to detect as the simple phishing attack morphs and blends with other forms of malicious attack. Insider threats also still exist. In fact, over the last several years we have concentrated so much on the perimeter that we have actually become lax on our internal controls; it's the old saying, "Crunchy on the outside, soft and chewy on the inside."

This presentation will explore a variety of threats and risks facing the financial services industry today, discuss at a high level the techniques used, and provide some insight into best practices for implementing controls to detect and mitigate them. We will also cover some of the newer technologies and services institutions are deploying, like remote merchant capture.

This presentation is well suited for a full day or can be adjusted to fit into any timeframe.

Audience:

Senior Management, IT and operations personnel, information security officers, auditors, compliance officers, network administrators, and anyone else interested in or responsible for implementing and overseeing security.




6. Title:

How to Prepare for a Remote Deposit Capture Examination

Description:

The FFIEC issued guidance for the Risk Management of Remote Deposit Capture in January 2009. While the guidance provides a broad overview of remote deposit capture and regulatory expectations regarding implementation, there are specific requirements you will be expected to implement.

You may not have thought of it this way, but if you are offering remote merchant capture to your customers, you are actually extending your teller and backroom operations to them as well. This is exactly how your examiners are going to view this service. In addition to remote merchant capture, the regulators extend the guidance to cover branch capture and mobile banking operations. As with any new technology and product or service, we all face a learning curve; however, when it comes to data security we need to get up to speed very quickly. Do you need to do anything different for remote deposit capture? What are the risks? What are the examiners going to expect you to have in place?

This presentation will answer those questions and more and help you get your policies, procedures, and risk mitigation strategies in compliance with the guidance and with industry best practices.

Audience:

Senior management, IT auditors, risk managers, operations and IT, cash managers, compliance officers, and/or anyone responsible for remote deposit capture.




7. Title:

IT Challenges from NCUA and Other Regulatory Agencies

Description:

The risks and threats to corporate and consumer non-public personal information continue to increase at an alarming rate. Therefore, it is imperative that credit unions and the financial services industry implement a security program to protect these information assets. In fact, regulations, agency requirements, and best practices now mandate the deployment of safeguards to protect these assets. IT examinations are becoming more risk focused and generally concentrate on risk management and information security. What does the NCUA expect you to have in place? What are the examiners going to be looking for? How do you prepare for your next IT examination?

This presentation will focus on:


Audience:

Senior Management, audit, compliance, risk managers, operations and IT.




8. Title:

Not On My Watch - Implementing an Information Security Program to Protect Critical Information Assets

Description:

Regulation mandates that financial institutions ensure the security, confidentiality, and integrity of information assets. To accomplish this, regulators require financial institutions to develop a security program and implement specific controls. What is a security program, and where do you start? What controls do you need? What are the risks of not having an appropriate security program or of noncompliance with the regulation?

This workshop will help you understand the requirements and implement a program that will assist you in meeting regulatory compliance. Bring your program with you and review it as we walk through the steps.

Agenda:

This full-day seminar/workshop focuses on the following:

Practical Aspects of the Information Security Program

  1. Introduction to Information Security
  2. Overview of security threats and trends
  3. ABC's of a risk assessment
  4. ABC's of an information security program
  5. Roles and Responsibilities

Assessing the network security environment

  1. Architecture
  2. Security assessment

Implementing an information security program

  1. Security controls and best practices
  2. Evaluating your information security program - bring your program with you to assess

A shorter timeframe is possible but will be at a higher level and not as detailed.

Audience:

Risk managers, auditors, compliance officers, and anyone delegated the responsibility for the information security program.




9. Title:

How to prepare for or conduct an IT Audit

Description:

A well-planned and structured audit program that evaluates the risk management program and processes, internal controls, and policies and procedures is required to meet regulatory compliance. This workshop will assist you in meeting the mandate, whether you are preparing for your next exam or audit.

This is designed as a full-day workshop/seminar. It can be adjusted and presented at a higher level, with limited detail, in a shorter timeframe.

Agenda:

The audit program

  1. Why audit
  2. Management's role
  3. Internal vs external

Performing the IT audit

  1. Understanding the IT environment
  2. Audit focus
  3. Steps

Documentation

  1. Work papers
  2. Reporting

Examiner expectations

Audience:

Anyone responsible for conducting the IT Audit or managing the outsourced program.




10. Title:

Business Continuity Planning 101

Description:

Remember when you only needed to have a plan in place for evacuating your employees in the event of a disaster, making sure you could gracefully shut down your computers, and having backups so you could restore your systems? Since 9/11 there has been a renewed focus on disaster recovery, now framed as one of business continuity. Disruptions can occur at any time, for a variety of reasons and with a variety of outcomes, encompassing natural disasters, technical failures, and human error. Being able to keep your doors open, or at least still being able to service your customers, is imperative to your survival.

From a regulatory perspective, many of the regulations today, starting with GLBA, mandate that financial institutions have a comprehensive, enterprise-wide business continuity plan that encompasses the recovery of operations and computer systems. The regulators are serious about you having a comprehensive plan and have updated the FFIEC Business Continuity Plan Handbook (March 2008) to address the requirements. The new handbook places emphasis on performing a business impact analysis, performing a risk assessment, and developing a testing policy.

Very well suited for a full-day seminar; it can be adjusted to fit any timeframe of one hour or more.

This presentation will cover:

Audience:

Directors, senior management, risk managers, IT auditors, compliance officers, operations staff and IT staff, or anyone interested in or having the responsibility for continuity planning.




11. Title:

Pandemic Preparedness - Is It Really Necessary

Description:

The FFIEC agencies jointly issued guidance addressing the need to be prepared for a pandemic influenza outbreak, the potential impact on the delivery of critical services, and the need for a written plan. The most frequently asked question concerning pandemic preparedness is probably: "What do institutions really need to do to comply with the guidelines, and are the examiners really serious about this?"

Is a pandemic a serious threat? We all have our own opinion, but the real question is whether your institution will be prepared for the challenges a pandemic outbreak may present.

Agenda:


Audience:

Board of Directors, senior management, audit, operations, compliance, risk managers, IT staff.




12. Title:

Vendor Management Program - An Enterprise-wide Focus

Description:

Vendor management is a key element of your overall information security program, and now, with the new identity theft program, once again you need to be effectively overseeing your outsourced relationships. When you outsource, you are placing your confidential customer information in someone else's hands, along with the control over the security of that information, but you still retain the responsibility for ensuring the integrity, confidentiality, and security of that information. While you need to trust your third parties, the trust can't be blind. Prior to entering into a relationship, you need to establish rules and guidelines for a successful relationship and establish performance measurement criteria. You need to ensure the prospective product or service is going to align with your stated business objectives and adequately provide the service you require. You run your business with best practices in mind, and you should expect your outsourced partners to do the same. How do you develop an effective measurement program and criteria? Where do you start? What are the risks of not having appropriate measurement tools?

Vendor management is a hot topic for examinations today. In fact, the FDIC, OCC, and NCUA issued updated guidance in 2008 on managing vendor relationships and the related risks.

Join Susan for a discussion on how to develop your vendor management program and be prepared for your next examination.

This presentation is very well suited for a 2 to 3 hour session, or can be condensed into a high level overview and presented in an hour.

Audience:

Directors, senior management, risk managers, IT auditors, compliance officers, operations staff, IT staff, and anyone responsible for developing and implementing the program.




13. Title:

IT Security 101 for the Board of Directors

Description:

Protecting an institution's information assets is mandated by regulation and requires an ongoing security program to ensure customer confidence and trust, compliance with the law, and protection of the institution's reputation. This security process should be designed to identify, measure, manage, and control risks to data and systems. The responsibility for ensuring an appropriate risk management system is in place lies ultimately with the board. Therefore, it is imperative that the board understand the risks and the corresponding safeguards in order to properly govern and maintain a secure environment.

This presentation will provide an overview of IT security based on the FFIEC guidance and best practices and will focus on:


Audience:

Board and Senior Management




14. Title:

Phishing, Pharming, and More Oh, My

Description:

While phishing and pharming continue to plague the financial services industry, new threats, and even some old as well as reinvented malicious attacks, continue to emerge. No one is safe, whether a financial institution, merchant, or consumer. Regardless of the type of attack or breach, your valuable reputation can be negatively impacted, your current customers may lose confidence in your ability to secure their assets, and new business will shy away, not to mention the financial fallout of rectifying the situation.

In this presentation we will address some of these threat vectors and provide some insight into how to detect them and protect your institution.

This presentation can be adapted for one to two hour venues.

Audience:

Senior management, audit, compliance, operations, IT, and anyone else interested in today's threats and security.




15. Title:

Enterprise-wide Risk Assessments 101

Description:

Risk assessments are a key focus of examinations today and are mandated by regulation. They are essential to an effective and appropriate risk management program and provide the basis for your security program, audit program, and business continuity plan, not to mention your vendor management program and identity theft red flag program. Once thought to be an IT risk assessment only, today the focus is on the institution as a whole. A focus strictly on IT and electronic data is not sufficient. Needless to say, many organizations are still a little unclear about what is meant by an enterprise-wide risk assessment. This presentation will provide an approach for developing an enterprise-wide risk assessment and a framework that can be adapted to the numerous other risk assessments now required.

If you have asked these questions, then this presentation is for you:

What is meant by enterprise-wide? Where do I start? Can I outsource the risk assessment? Is there an approved format or template?

Objectives:

  1. Understanding the difference between IT and enterprise-wide risk assessments
  2. Simplifying the approach
  3. Developing a matrix

This presentation is well suited for a full day seminar, or adapted to provide an overview and basics in a one to three hour venue.

Audience:

Anyone responsible for developing a risk assessment or leading a risk assessment team




16. Title:

Most Common IT Examination Deficiencies

Description:

Examiners are focusing more on information technology and security, so what are they finding during IT examinations? While findings vary from institution to institution, there are some specific, commonly cited deficiencies that seem to appear repeatedly regardless of institution size, charter, or location. Will the examiners find these deficiencies at your institution? This presentation will focus on the most common IT examination and audit findings and what you can do to prepare for your next exam or audit.

This presentation can be adapted for one to two hour venues.

Audience:

Senior management, auditors, compliance officers, risk managers, IT and operations.




17. Title:

Data Leaks Happen: Are You Prepared?

Description:

Electronic communication has become an essential and effective means for organizations to conduct business. However, along with the ease of transacting business and the global reach it provides comes the risk of data leakage. In addition, we still have paper documents that require protection. The protection of PII and corporate information is a critical issue and is mandated by not one, but numerous complex and sometimes confusing regulations. What is required, which laws apply to which entities, and what is necessary to be compliant? Not instituting proactive tools for monitoring, reporting, and controlling the risk of unauthorized access or disclosure can result in substantial fines, prison sentences, and/or increased regulatory scrutiny. What information is at risk? How is the information "leaking out" of our institutions?

This presentation can be adapted for a one to three hour venue.

Agenda:

Audience:

Board, management, tellers, customer service, personal bankers, loan officers, marketing, HR - everyone.




18. Title:

Regulatory Landscape: Past vs. Future

Description:

Over the last several years we have seen an influx of new regulations directed at security and safeguarding information assets. Just what are those regulations? What is required? Looking back, how did we do? What were the most common IT examination and audit findings? Where are we headed in 2009? What will be the "hot topics" for examinations and audits? Are there technologies available that should be considered to improve security and help meet compliance with the mandates?

This seminar will focus on regulation past and present as well as the most common IT audit and examination deficiencies of 2007 - 2008. We will also look at some of the present and future threats to information assets, what the experts are saying, and what the regulators' concerns are for 2009.

This seminar can be adapted for 2 to 4 hours, or a condensed 1 hour high level presentation.

Audience:

Senior management, audit, risk managers, compliance, IT and operations.





19. Title:

Technological Advances to Improve Security: What's Available

Description:

The technology age has brought a plethora of products and services that have changed how we live, work, and play. We can do just about everything without ever leaving our homes. We can buy groceries, do our banking, and buy just about any product you can imagine. We can even do these things no matter where we are in the world, as long as we have "connectivity". Technology advances have also combined the multiple devices we have grown to love and just can't be without, like smart phones, BlackBerrys, and MP3 players. We can communicate instantaneously via email and instant messaging; in fact, when it comes to electronic data, over 90% of a company's assets are created, stored, processed, and transmitted electronically. Just look at your institution, and look at the technology and processes you have implemented: Internet connectivity, websites, email, online banking, bill payment, laptops, instant messaging, VoIP, imaging, merchant capture, and mobile banking. Unfortunately, all these advances have come with a price: risks are increasing, and the need for security and monitoring is imperative. Fortunately, there are also technology advances that help us do just that, but unfortunately, many financial institutions aren't taking advantage of them.

This presentation will provide an overview of some of the products and services available to help financial institutions improve security, reduce risks, and increase productivity.

Well suited for one to two hour venues.

Audience:

Senior management, audit, risk managers, compliance, operations and IT.




20. Title:

Today's Technology in the Workplace: What Every HR Manager Must Know & Are You Getting the Most out of your Intranet?

Description:

The technology age has brought many products and services that have changed how we live, work, and play. We communicate instantaneously, we telecommute, and we have access to information from virtually anywhere, anytime. This is easy, thanks to technology and the fact that 90% of a company's assets are created, stored, processed, and transmitted electronically. Just look at what has been implemented in your institution: a website, Internet connectivity, email, online bill payment, laptops, VoIP, remote deposit capture, mobile banking, and an Intranet. Unfortunately, all these advances have come with a price. Risks are increasing, and the need for security and monitoring is imperative. Fortunately, there are technological advances that help us do that. From an HR perspective, are you getting the most out of technology, and do you know the risks and controls so you can ensure all the right policies are in place and training is sufficient? What about effectively using the Intranet? This presentation will provide best practices for securing and monitoring electronic communications from an HR perspective and provide some hints for maximizing the Intranet.

This presentation is well suited for a one to three hour venue.




21. Title:

Preparing for an IT and Data Security Examination - Electronic Payments Focus

Description:

This session will focus on the areas typically covered in an IT examination relating to electronic payments, as well as best practices for securing confidential information. Attendees will gain an understanding of examination procedures and of identifying and controlling information technology related risks.

Agenda:


Audience:

Senior management, audit, compliance, operations staff, IT, and anyone responsible for electronic payment operations.




22. Title:

Security Officer Refresher Training

Description:

This in-depth "refresher course" is for the experienced Security Director. Too often Security Officers get bogged down in a "business as usual" mode that sometimes doesn't take into consideration the changes in regulations, technology, and trends, or the expansion of their own duties over the years. In order to stay up to date, this class will focus on such responsibilities as disaster recovery, business continuity, security threat trends and fraud, security best practices, and regulatory matters as they pertain to financial institution security and information technology. Also important in this session is the networking and time for exchanging ideas, problems, and solutions with your fellow security officers and directors.




23. Title:

Incident Response Plan - Your Framework for Responding to an Information Security Breach

Description:

It isn't a matter of "if" but "when" when it comes to a breach that exposes confidential customer or corporate information. Any breach, regardless of type or size, can be potentially devastating. Financial losses are not the only concern; what about your reputation? Financial institutions are particularly vulnerable by the very nature of the business. You have information that thieves want, information they can parlay into cold hard cash, if not the cash itself. In addition to the fact that rapid response is key to successfully responding to a data breach and minimizing the negative effects, the financial services industry is mandated to implement security controls that include identifying potential risks, monitoring for and detecting unauthorized access, mitigating the outcome, and notifying customers, law enforcement, and regulators when a breach does happen. Be sure that examiners will be looking for your plan.

We will cover the key regulatory requirements including state level data breach notification laws and focus on the key elements of an Incident Response Plan.

Audience:

Senior management, audit, compliance, risk management, security officers, operations, IT or anyone responsible for developing and executing the incident response plan.




24. Title:

Managing and Reporting Fraud

Description:

Fraud isn't something new; in fact, you could say it has been around almost since the beginning of time. While the old tried and true methods to commit fraud still exist, new angles continue to emerge. Fraud comes in all shapes and sizes - unsophisticated to very sophisticated, nontechnical to technical. It is safe to say that fraud isn't going to go away and will continue to plague financial institutions; therefore, it is imperative that we develop appropriate risk management strategies. This presentation will address key strategies, which include developing a risk management committee and developing a fraud prevention program, including controls for preventing and detecting fraud as well as how to report to senior management and the board.

Audience:

Anyone responsible for managing a fraud program, auditors, compliance officers, risk managers, IT and operations, and management.




25. Title:

Securing Information Assets - What's Your Weakest Link

Description:

Over the last several years we have focused our "security" attention on the network perimeter and cybersecurity, and with good reason. However, in doing so we have let some basic tenets of internal controls fall by the wayside. Data leakage - a new buzzword in the security industry - is all about privileged information, whether confidential corporate information or customer information, making its way out of the confines of our inner sanctum into the wild. And believe it or not, it is leaking out via our trusted (or once trusted) insiders, our employees.

These uncertain economic times are unfortunately forcing organizations to reorganize and, in many cases, implement staffing reductions. So it seems to be a good time to take a close look at shoring up our internal controls and getting back to old-fashioned physical and computer security - it may not be just the employee who is walking out the door.

Topics to be covered:


Objectives:


Audience:

Senior management, IT and operations management, audit, risk managers, HR.




26. Title:

WiFi - Is Your Institution Secure?

Description:

The use of wireless technology has been readily accepted by all of us, consumers and businesses alike. No longer do our computers have to be tethered by a cord to have network and Internet access. In fact, consumers don't even have to have a computer to do their banking. While the use of this technology creates cost-effective business opportunities and provides mobility, it can affect a credit union's profile in a variety of ways and create security risks and challenges.

In this presentation, risk management and information technology expert Susan Orr will discuss the risks and benefits of wireless technology at your credit union. She will answer these questions and more:


Audience:




27. Title:

Deploying Remote Access Securely

Description:

Remote access is generally defined as communication from a remote location or facility through a data connection or link into the internal network. The ability to access files and information on your computer over the Internet may be useful for specific tasks and employees; however, there are also risks involved. If you haven't deployed remote access, you may have employees who are requesting access. Or, based on your pandemic plan, you may be looking at "telecommuting" as an option for specific employees. Remote access outside of the typical "vendor access" is becoming popular in the financial services industry.

So should you allow remote access? Under what circumstances? Is there a secure way to deploy it? What will your examiners and auditors say?

Regardless of whether you are considering allowing remote access or have already opened your internal network for access from beyond your perimeter, join us for this presentation as we explore remote access applications, deployment strategies, and risk identification and mitigation strategies.

Audience:

Risk managers, IT/operations, compliance officers, senior management, auditors.