Publications and Speaking

White Papers
- Pending: Release of version 2 of The TEAM Model. Expected: September 2009
- Pending: Release of "Practical Risk Management." Expected: September 2009
- Published in May 2009 for Truth to Power Association, a sponsored white paper titled "PCI: Requirements to Action" that provides a practical look at the Payment Card Industry Data Security Standard (PCI DSS) v1.2, including translating the requirements into an action item format. My announcement of the paper is available here. Positive feedback was provided by Dr. Anton Chuvakin, which you can read here.
- Research thesis in partial completion of the requirements for Master of Science in Engineering Management with a concentration in Information Security Management. Titled The Total Enterprise Assurance Management (TEAM) Model: A Unified Approach to Information Assurance Management.
  Abstract: This research thesis addresses the problem of identifying or creating a unified information assurance management model that harmonizes the key competency areas of enterprise risk management, operational security management, and audit management. The research was conducted by performing a literature review of existing information assurance related models, frameworks, and methodologies; creating a new model to unify the three competencies (given the absence of such a model); and validating the research results with subject-matter experts (SMEs). The research concluded with the development of the Total Enterprise Assurance Management (TEAM) model, which was well validated by the SMEs. Survey results include that the work was overwhelmingly viewed as favorable and logical, and that a majority of respondents agreed that all four hypotheses of the research had been achieved.
- Alphabet Soup: Making Sense of Models, Frameworks, and Methodologies was originally prepared for GWU EMSE 316, but has since been released as a white paper under the Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License. NOTE: Public Draft of v2.0 is available here for comments.
  Abstract: This paper will provide a US-centric overview and analysis of commercially-oriented information security models, frameworks, and methodologies. As a necessary component of the analysis, a cursory look is taken at a sampling of applicable laws within the US, such as the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act of 1999 (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). Additionally, industry standards will be weighed, such as the Payment Card Industry Data Security Standard, as adopted by Visa and MasterCard. The paper will attempt to thoroughly describe the goals of these models, frameworks, and methodologies, contextualizing them within the current business, regulatory, and legislative environment, helping to identify the usefulness of each model, framework, and methodology. The analysis will demonstrate the value of each model, framework, and methodology and where application of each would benefit an organization.
Grad School Papers:

Disclaimer: The following papers are original works of research and analysis. Attribution is given whenever appropriate. These works are independent of my current employer. Any similarities that may exist between language or structures represented within a work and language or structures represented within my employer are purely coincidental.
- The GWU Code of Academic Integrity and U.S. Copyright Law, prepared for EMSE 315 (Professor Dan Ryan) on September 27, 2004. This is the first paper I wrote for my graduate program at GWU. It represented a "best effort" at the time but is not one of my better works.
- Use of Licensed Software: Policy and Policy Analysis, prepared for EMSE 315 (Professor Dan Ryan) on October 11, 2004. This is the second paper I wrote for my graduate program at GWU. It represents a significantly better effort than my previous paper.
- Acceptable Use of Computing Resources: Policy and Policy Analysis, prepared for EMSE 315 (Professor Dan Ryan) on November 1, 2004. This is the third paper I wrote for my graduate program at GWU.
- Research Paper: Information Security Technologies, prepared for EMSE 218 (Professor Dave Carothers) on November 10, 2004. This is the only paper required for the course. The paper provides a basic overview and analysis of thirteen (13) different security technologies.