Last Updated 05/14/2007
Professional Resources:
- Resume: [ HTML ] [ PDF ] [ Word ]
- Presentation to now-defunct RootFest, Minneapolis, MN, 2000 -- “Holistic Security: A Discussion of Risk Analysis & Strategic Initiatives”
- An extremely dated, brief paper on Internet Content Management
- My college Senior Paper, written at the end of my term at Luther College. It is based on a presentation that I gave at CERT/SEI in December 1997. An overview is available, as is the full text in Word format.
- An overview of my experience at Argonne National Laboratory in Chicago. I participated in a co-op there in January – May 1997.
Submitted Papers and Articles:
- Based on the research thesis below, I have submitted a paper to IEEE S&P with the proposed title A Unified Assurance Management Model.
Authors: Benjamin L. Tomhave, M.S., and Julie J.C.H. Ryan, Ph.D.
Keywords:
- D.4.6.d Information flow controls < D.4.6 Security and Privacy Protection < D.4 Operating Systems < D Software/Software Engineering
- H.0.a Infrastructure Protection < H.0 General < H Information Technology and Systems
- H.1.0 General < H.1 Models and Principles < H Information Technology and Systems
- K.4.4.f Security < K.4.4 Electronic Commerce < K.4 Computers and Society < K Computing Milieux
- K.4.4.g Internet security policies < K.4.4 Electronic Commerce < K.4 Computers and Society < K Computing Milieux
- K.4.4.i Economic and other policies < K.4.4 Electronic Commerce < K.4 Computers and Society < K Computing Milieux
- K.6.4.b Management audit < K.6.4 System Management < K.6 Management of Computing and Information Systems < K Computing Milieux
- K.6.m.b Security < K.6.m Miscellaneous < K.6 Management of Computing and Information Systems < K Computing Milieux
Abstract: Assurance organizations are increasingly challenged by the number of methods competing for attention; methods that can be classified as models, frameworks, and methodologies. The purpose of this research was first to classify these methods according to a defined taxonomy, then to evaluate whether any such method could be used comprehensively and holistically across the enterprise. Failing that, this research then sought to combine key abstracted elements into a single unified approach. The result of this research was the development of the Total Enterprise Assurance Management (TEAM) model. Experts from the information security assurance field were asked to review and critique the model. Their feedback was integrated into the final draft of the model. This feedback from subject-matter experts was also used as an initial theoretical validation of the model. Future research efforts may include development of metrics and validation of the model in a real-world scenario.
White Papers:
- Research thesis in partial completion of the requirements for the Master of Science in Engineering Management with a concentration in Information Security Management. Titled The Total Enterprise Assurance Management (TEAM) Model: A Unified Approach to Information Assurance Management.
Abstract: This research thesis addresses the problem of identifying or creating a unified information assurance management model that harmonizes the key competency areas of enterprise risk management, operational security management, and audit management. The research was conducted by performing a literature review of existing information assurance related models, frameworks, and methodologies; creating a new model to unify the three competencies (given the absence of such a model); and, validating the research results with subject-matter experts (SMEs). The research concluded with the development of the Total Enterprise Assurance Management (TEAM) model, which was well validated by the SMEs. Survey results include that the work was overwhelmingly viewed as favorable and logical, and that a majority of respondents agreed that all four hypotheses of the research had been achieved.
- Alphabet Soup: Making Sense of Models, Frameworks, and Methodologies was originally prepared for GWU EMSE 316, but has since been released as a white paper under the Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License. *NOTE: Public Draft of v2.0 is available here for comments.
Abstract: This paper provides a US-centric overview and analysis of commercially-oriented information security models, frameworks, and methodologies. As a necessary component of the analysis, a cursory look is taken at a sampling of applicable laws within the US, such as the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act of 1999 (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). Additionally, industry standards are weighed, such as the Payment Card Industry Data Security Standard, as adopted by Visa and MasterCard. The paper attempts to thoroughly describe the goals of these models, frameworks, and methodologies, contextualizing them within the current business, regulatory, and legislative environment, to help identify the usefulness of each. The analysis demonstrates the value of each model, framework, and methodology and where application of each would benefit an organization.
Grad School Papers:
Disclaimer: The following papers are original works of research and analysis. Attribution is given whenever appropriate. These works are independent of my current employer. Any similarities that may exist between language or structures within a work and language or structures used by my employer are purely coincidental.
- The GWU Code of Academic Integrity and U.S. Copyright Law, prepared for EMSE 315 (Professor Dan Ryan) on September 27, 2004. This is the first paper I wrote for my graduate program at GWU. It represented a "best effort" at the time but is not one of my better works.
- Use of Licensed Software: Policy and Policy Analysis, prepared for EMSE 315 (Professor Dan Ryan) on October 11, 2004. This is the second paper I wrote for my graduate program at GWU. It represents a significantly better effort than my previous paper.
- Acceptable Use of Computing Resources: Policy and Policy Analysis, prepared for EMSE 315 (Professor Dan Ryan) on November 1, 2004. This is the third paper I wrote for my graduate program at GWU.
- Research Paper: Information Security Technologies, prepared for EMSE 218 (Professor Dave Carothers) on November 10, 2004. This is the only paper required for the course. The paper provides basic overview and analysis on thirteen (13) different security technologies.