Specialties: Risk Management, Security Engineering, Consulting

SUMMARY
Experienced information assurance and risk management consultant. Couples INFOSEC analysis, engineering, and program management to provide Defence in Depth. Fluent in NIST SP 800 Series publications, from requirements definition and strategy to post-implementation audit and documentation. Technical experience includes protocol analysis, host hardening, vulnerability remediation, and wireless security countermeasures. Accomplished penetration tester with several published whitepapers and books.

CERTIFICATIONS AND TRAINING
• CISSP
• MCSE+I
• Master Internet Security Specialist
• DARPA Analyst III Instructor
• NNSA Executive Leadership Training

PROFESSIONAL EDUCATION
• Johns Hopkins School of Business and Management
• Baylor University
• NSA Assessment Methodology

NOTABLE EXPERIENCE

U.S. Government (Dept. of Energy)
Implemented full-scope Security Program Management meeting all OPM, DISA, NIST, GAO, and OMB requirements to assure continued funding of IT investments.
• Performed Certification and Accreditation (C&A) of all IT investments >$1M. C&A included development of System Security Plans, Continuity of Operations Plans, Threat Basis Documents, Security Test Plans, and Risk Management Plans, and documenting the existing and planned security controls. An actual security test and evaluation accompanied each C&A package.
• Utilized Windows 2003 Servers on Compaq hardware platforms to track C&A development and the risk management process. Leveraged EMC Storage Array Networks over IPv4 and IPv6 communications for data warehousing. Utilized NMAP, Queso, Core Impact, Canvas, NAI Sniffer, PhoneSweep, AppScan, WebInspect, and a full range of GNU/Open Source tools to validate security controls.

U.S. Government (U.S. Army)
Reduced overall exposure of sensitive systems by 75%.
• Planned, coordinated, and implemented the full IT system life cycle to support security baseline standardization.
• Created security baseline scripts for Windows NT, 2000, and AIX. Documented all security settings along with residual risk statements and server build directions. Wrote security baseline standards for Cisco routers, VPN concentrators, and other underlying network infrastructure components.

U.S. Government (NIST)
• Assisted with the specification for NIST SP 800-53, 800-37, and other relevant security standards.
• Built and hardened Windows NT 4.0 and 2000 servers using Level 1 and Level 2 security baselines. Provided full-scope security testing and residual risk analysis, assuring my findings and recommendations were included in the definition of NIST SP publications.

NOTABLE ACCOMPLISHMENTS
• Recognized contributor to the Center for Internet Security Level 1 and Level 2 NT 4.0 and 2000 baselines
• Repeat guest speaker at the FedWorld eGOV conferences in Washington, D.C.
• Contributing author to 4 popular IT Security books

ADDITIONAL EXPERIENCE

Fortune 100 Financial Services Company
Reduced exposure of critical systems by providing host hardening services.
• Defined, deployed, and managed the host hardening of 2,000+ production servers.
• Developed and implemented security scripts for Windows NT 4.0 Server, 2000 Server, and AIX on a plethora of platforms including Dell, Compaq, HP, and IBM.

U.S. Government (Dept. of Energy)
Reduced costs associated with IT Security Program Management by >$3M annually.
• Streamlined IT Security Program Management by designing, developing, and implementing an electronic risk assessment management system and an instrumented situational awareness reporting metric.
• Windows 2003 server farm on HP hardware. MS SQL Server used on an EMC SAN for centralization and storage of 4TB of security data. Client systems included NT4 Workstations, 2000 Professional, 2000 Server, 2003 Server, Solaris 7, Solaris 8, and Linux-based systems.

Fortune 500 Financial Services Company
Drafted Payment Card Industry Framework.
• Involved in the definition and draft of early phases of the PCI Framework. Performe