
Information Security Consultant


Page 1: Information Security Consultant

Dear Sir/Madam:

In response to your current requirement for an Information Security Analyst / Consultant, I would like to offer my experience and expertise. My advanced knowledge of information systems and the security thereof, coupled with a wealth of experience as a security consultant, project manager and security awareness instructor will be invaluable to the analysis and implementation of your corporate security.

In general, the overall methodology that I employ in ensuring that information is secured necessarily includes reviewing not only the security of the information itself, but also the existing physical and personal security systems within which that information resides. This is carried out in tandem with a review and upgrade of existing information security policies, standards, guidelines, and procedures as well as all existing security processes and documentation. Applying this methodology, I can ensure the highest level of information security--confidentiality, integrity and availability--within the information structures, thereby assuring the enrichment of the corporate information system(s).

The attached information below summarizes my background and experience. Included are the following: (1) General Statement of Qualifications and Responsibilities, (2) Experience & Methodology, (3) Resume, and (4) Skills Matrices (A), (B), (C) and (D)--the added Experience & Methodology and Skills Matrix files are offered in order to present a somewhat more detailed look into the knowledge and experience I bring to the table--knowledge and experience that ensures the complete application of the tenets of Information Security to the position. For your convenience, this single information file is easily separable into individual files.

The commitment and dedication I bring to a project and to the people involved is a source of technical and professional pride. I take my work seriously and approach all projects with diligence, precision, and in a manner that ensures not only the successful completion of projects but so too ensures the increased security awareness of corporate management and staff. I am confident that I can bring to this position a measure of Information Security that is second to none.

In the event that I am the successful candidate, I can be on site within two weeks. Should you require additional information, please feel free to contact me. I can be reached at any time by phone at (604) 614-0108 or by email at [email protected]

Thank you for your time and consideration. I look forward to your reply.

Sincerely,

CISSP, CISM, Security+, Network+
Enhanced Reliability Clearance: File number 95358497


Page 2: Information Security Consultant

Brian Milligan
Information Security Critical

[email protected] Ph: 604-614-0108

General Statement of Qualifications and Responsibilities

PROFILE

As an IT security professional with over twenty years of experience in the design, development and management of security information systems for both the private and public sector, my knowledge and expertise in all areas of information security is very well developed and significant. This experience includes policy analysis and design, program design and instruction, site surveys, firewall analysis, risk assessment, intrusion detection/prevention and extends throughout the realm of Information Systems.

QUALIFICATIONS

CISM Certification – 2007 (Upgrading September 2015)
CISSP Certification - 2005
CompTIA Security+ - 2004
CompTIA Network+ - 2004
Government of Canada Security Clearance – Enhanced Reliability—2004

GENERAL RESPONSIBILITIES

I have thorough knowledge in the use of NSA & NIST Guidelines, COBIT, SOX, ISO-17799 / 27001, et al, Payment Card Industry (PCI DSS), HIPAA, Gramm-Leach-Bliley Act (GLBA), ISECOM, CSA Privacy Principles, as well as Carnegie Mellon and other security publications. My written and oral communication skills are excellent, as are my interpersonal and negotiating skills. In addition to setting and managing priorities judiciously, I maintain an excellent ability to present ideas in a business / user friendly language. Including the above, I have:

Participated as a member of senior management teams in governance processes of the organization’s security strategies, including an in depth study of Disaster Recovery and Business Continuity during and following a pandemic.

Led strategic security planning to achieve business goals by prioritizing defense initiatives and coordinating the evaluation, deployment, and management of current and future security technologies.

Formulated and communicated security strategies and plans to executive team, staff, partners, customers, and stakeholders.

Carried out the design and implementation of disaster recovery and business continuity plans, procedures, audits and enhancements.

Developed, implemented, maintained and monitored enforcement of policies, procedures, and associated plans for system security administration and user system access based on industry standard best practices.

Defined and communicated corporate plans, procedures, policies, and standards within the organization for acquiring, implementing and operating new security systems with respect to equipment, software, and other technologies.

Acted as advocate and primary liaison for the company’s security vision via regular written and in-person communications with the company’s executives, department heads and end users.


Page 3: Information Security Consultant

Worked closely with management and IT departments to ensure the security of information systems: computers, network (including 802.11 access) and both processing and physical components.

Managed the administration of all computer security systems and their corresponding or associated software--firewalls, intrusion detection systems, cryptography systems, and anti-virus software, including various Malware components and methodology.

In addition, I provide the following:

Solid understanding of computer information systems including DOS, Windows, OS/2, Unix and Linux platforms

Thorough knowledge and understanding of OSI and DoD protocol stacks, Ethernet, wireless, TCP/IP, SSL, HTTP, DNS, SMTP, IPSec and Cisco routers and switches

Thorough knowledge and understanding of Information Theory and Information Security Systems, including Database Theory and Design (dBase, SQL, PowerBuilder, …), UNIX/Linux security

Experience with programming languages including GWBASIC, C variants, Perl, Python, Fortran, COBOL, Assembly

Advisory and deployment services for client organizations

Development, recommendations and delivery of IT security strategies, regulatory compliance and risk assessments, security architecture, policies and procedures

Research and application of Intrusion Detection Systems / Intrusion Prevention Systems (IDS/IPS)

Analysis of security requirements for client organizations including specific security recommendations for implementation

Research and assessment of relevant security technologies and methodologies leading to recommendations to implement changes to enhance enterprise security of client organizations

Education and communication of security requirements and procedures to client organizations


Page 4: Information Security Consultant

Experience and Methodology

My experience to date has been one of ever increasing knowledge and development both within the expanse of Information Security and the overall nature of the information systems to which this security is applied. It is through this scope that I ensure, to the best of my knowledge and ability, that the security & privacy of information must play an essential role in the overall success of my client’s operational structure. Thus if information is to be successfully secured, the nature of the system(s) controlling that information must be thoroughly analyzed.

The security of information within a system is dependent on a number of influences, the associations to which must be accurately determined. In ensuring the privacy of information, one must first comprehend the nature of the information, the policies and procedures involved, and the existing methodology that is in place with respect to information security and privacy. This is a daunting but absolutely necessary task, and one which includes at least the following:

(a) A thorough review of existing security policies, standards, guidelines and procedures--this necessarily must include a review and analysis of existing external connections to all Web based connections and applications!!

(b) In concert with (a), an update (or creation) of the following is necessary: Vulnerability Analysis (VA), Threat Risk Assessment (TRA), Business Impact Analysis (BIA), Incident Response Plan (IRP), Disaster Recovery Plan (DRP), Business Continuity Plan (BCP),…in an ideal security world, various specialized teams should be created to address these matters.

(c) Physical security of the system(s)—entrance/exit methods, locks, server access, building codes, computer and system access, personnel pass codes, etc.—must be considered equally with the above.

(d) Knowledge of overall security must be imparted to all personnel via workshops, handouts, posters, training sessions…

(e) Access and control of information is absolutely necessary; this is best achieved by creating a hierarchical system of information classification, in which information is stored within the security boundaries defined by (i) High, (ii) Medium, (iii) Low and (iv) Unclassified (or, if necessary, by Top Secret, Secret, Confidential, Unclassified)

Information privacy is (at least) part and parcel of (a) through (e) above. As an Information Security Consultant I ensure, to the best of my knowledge, experience and ability, that these requirements are met.


Page 5: Information Security Consultant

Description of knowledge and experience in performing Threat and Risk Assessments and Privacy Impact Assessments…

Privacy Impact Assessments are carried out under each of (a) through (e) above. My experience with such assessments—and these can often be quite difficult and time consuming—has been to interview department heads, managers and employees in order to first get a sense of corporate security knowledge, the type of information handled, and the relative “weight” of that information (TRA). This allows me to gain insight into policies and procedures and thereby deal positively and efficiently with (b) above.

Included--and absolutely necessary--in the overall Vulnerability Assessment of the system(s) is the Penetration Testing thereof. This difficult and certainly time-consuming work takes place both from within the system and “outside” the system. It must be noted here that the “system(s)” include not just the electronic component, but the human-factor component as well—it is this human factor that is difficult to deal with and must necessarily be handled cautiously and respectfully!

Description of experience implementing Information Security and Privacy Management programs, developing policies and procedures…

In each of my contracts I have either determined or aided in the determination and creation of policies and related programs—this is a necessary element of the position.

Description of experience of conducting privacy training/awareness programs/sessions…

In each of the positions to which I have been contracted, Security Awareness is an integral part of the overall security of the system. Without this, the contract cannot be considered a success--refer to (d) above.

Description of experience in dealing with end user...

Each of the security positions I held necessarily dealt with the end user “within” the corporation. Training and guidance with respect to security was provided onsite. Those who were not directly involved with the corporate structure were often granted external access to the system(s)--this was allowed on the provision that security information was in place and readily accessible to all clients.

Tools

An information system is complex. If the security of any one element of the system is breached, the entire system is compromised. Securing the system, and thus protecting the information it contains, is as complex as the system itself.

There exists a vast array of tools/programs/papers to address the security of information systems—in my capacity as an Information Security professional, one of the vital and absolutely essential security practices involves the “exploration” of the system at hand, both from within and without. Two of the most important tools are (1) Social Engineering and (2) Hard-hitting Penetration.


Page 6: Information Security Consultant

Social Engineering involves observation, conversation and deception…in order to gather information from employees (colleagues). I will not go into detail here, suffice to say that this method relies on everything from simple conversations (the “Water Cooler” syndrome comes to mind), to dumpster diving, fake emails and/or phone calls soliciting information. This method’s effectiveness relies on the good will of people and, as such, has proven to be a most effective method of penetrating information systems. For obvious reasons, this method is always difficult for security personnel to endure.

What I term as Hard-hitting Penetration involves attacking the system both from within and without, using various “hacking” tools. As effective as this method is, combined with the above, it is prudent to acknowledge that, as security “experts”, we feel we are always one or more steps behind the knowledge and perseverance of hackers, crackers and spies! Below is a partial list of tools I employ when testing system security:

1. Aircrack
2. BruteForcer
3. Brutus
4. CesarFTP
5. Cain
6. EmailSpiderEasy
7. eMailTrackerPro 2007
8. EMCO Network Software Scanner
9. HconSTF_v0.4_portable
10. inSSIDer
11. ipscan
12. IronWASP
13. Legion
14. Medusa
15. Metasploit
16. Neon Software
17. NeoTracePro
18. Nessus
19. Netscan
20. NetworkMiner
21. Network Stumbler
22. Nmap
23. NScan
24. OmniPeek
25. Ophcrack
26. outSSIDer
27. PuTTY
28. PuTTYtel
29. RainbowCrack
30. Sam Spade
31. SmartWhois
32. SpamChoke
33. SuperScan
34. SuperScan+
35. Tor Browser
36. w3af
37. Web The Ripper 2
38. Wikto
39. WinDump
40. Wireshark

Brian Milligan

April 19, 2015

RESUME

Manitoba Public Insurance Sep 2014 – Oct 2014

Information Security Consultant

Reviewed existing Information Security system and Physical Security system.

Prepared drafts of Policies, Standards, Guidelines and Procedures.

Created Business Continuity Checklist (Phase I).

Created first draft of Risk Management document.


Page 7: Information Security Consultant

DELL (Canada) Aug 2013 – Oct 2013

Information Security Consultant

Reviewed existing Information Security system and Physical Security system.

Prepared drafts of Policies, Standards, Guidelines and Procedures.

Created initial drafts of required security policies.

Prepared initial disaster recovery model, including: Threat Risk Assessment (TRA), Vulnerability Assessment (VA), Disaster Recovery Plan (DRP), Business Impact Analysis (BIA), Business Continuity Plan (BCP), Incident Response Plan (IRP)…

PRIVATE CONTRACTS Oct 2009 - Dec 2012

Information Security Consultation

Revisited / updated security initiatives undertaken with clients in 2006-2008 (see EXCEPTIONAL SECURITY CONTRACTS below)

SKILLSOFT Mar 2011 - Apr 2011

Information Security Consultation

In late March of 2011 I was contracted by SkillSoft, an educational software company (Canadian headquarters in Fredericton, NB), to review the information security component of their online material. This work was carried out remotely. Following the review, suggestions and recommendations were submitted.

GOVERNMENT OF NEWFOUNDLAND Aug 2008 - May 2009

IT Information Security Consultant

Reviewed existing Information Security system and Physical Security system.

Prepared drafts of Policies, Standards, Guidelines and Procedures.

Created initial drafts of twenty-eight required security Policies for GNL.

Prepared initial disaster recovery model, including: Threat Risk Assessment (TRA), Vulnerability Assessment (VA), Disaster Recovery Plan (DRP), Business Impact Analysis (BIA), Business Continuity Plan (BCP), Incident Response Plan (IRP) and Incident Response Team (IRT)…

Prepared paper on creation of Crisis Management Team.

Prepared paper on necessary Risk Assessment Procedures within GNL.


Page 8: Information Security Consultant

Investigated Risk Avoidance versus Risk Management within GNL

Investigated cost-benefit analysis, including that related to PCI DSS, re GNL security decisions.

Created information security presentation for GNL employees.

Created introduction to information security for GNL executive management.

Created first phase of Business Continuity checklist.

Suggested remodeling of GNL information sensitivity system from High, Medium, Low and Public to Top Secret, Secret, Confidential, and Unclassified.

Gathered information on security related Network Behavior Analysis (NBA).

Discussed problems with GNL re Physical Security.

Attended regular meetings with GNL Senior Management to discuss issues and options for current/future consideration and/or resolution.

EXCEPTIONAL SECURITY CONTRACTS Jan 2006 - Jun 2008

IT security contracts (4) carried out with signed specific non-disclosure agreements

Review and apply Security Requirements for information systems.

Information system Risk Assessment.

Establish Computer Security Incident Response Capability guidelines.

Review and apply Common Criteria for IT security evaluation, including CSA Privacy Principles.

Preparation of Risk Management Guide for IT systems.

Prepare paper on Corporate Security guidelines and deliver Security Awareness program(s).

Prepare paper on Government Security guidelines.

Develop guidelines for Information Security plans.

Review and enhance general security principles and practices for IT systems.

Initial review and evaluation of Service Oriented Architecture (SOA) structure.

Identify and document Physical Security problems/defects.

GOVERNMENT OF ALBERTA Dec 2005 - Apr 2006

As the IT Security Manager for the Department of Energy, I was responsible for

Developing, maintaining, coordinating and monitoring departmental security program.

Developing, maintaining, enhancing and implementing security policies, practices and processes.

Ensuring that departmental security policies, practices and processes were compliant with Government of Alberta security policies and standards where appropriate.

Developing action plans, schedules, presentations, status reports and other management communications to ensure informed decision making and optimization of the effectiveness of information security in the Department.

Liaising with the Government of Alberta Chief Information Security Officer to consider common security issues within the Government, thus ensuring that security issues and concerns were sufficiently addressed in the Disaster Recovery Plan and Business Continuity Plan.

Maintaining a current knowledge of existing and emerging security best practices, trends and technologies. Assisting in the development and implementation of security awareness programs and initiatives

Representing the Department through the participation in cross-government initiatives involving information security to ensure knowledge transfer.


Page 9: Information Security Consultant

Analyzing Department of Energy business needs in terms of IT security in order to identify opportunities for improved efficiency and effectiveness, and ensuring that security policies, standards and procedures are communicated to IT management and stakeholders.

MISCELLANEOUS CONTRACTS Feb 2000 - Sep 2005

This was, essentially, a period of self-study for me in an effort to vastly improve my knowledge of information systems and the security thereof. As such, my actual work in Information Security involved very private contracts with real estate, legal and other firms (two nine month contracts; one six month contract) and, as per Confidentiality Agreements, this work must remain confidential. Outlined below is the work carried out during this period.

I was contracted by the clients to review, enhance and upgrade their security profile. Initially met with the management team to discuss existing security and overall security expectations. Regular meetings continued throughout the project. Discussed security configuration options with system technicians. Observed overall general onsite security and knowledge thereof. Included here was in-depth attention given to physical security. Reviewed existing security policies, standards, guidelines and procedures; made necessary changes and recommendations. Instructed management and staff on information security concepts and procedures. Delivered training programs and seminars.

AURORA COLLEGE Sep 1997 - Jun 1999

As an independent consultant I worked on developing workshops that focused on computers, mathematics and sciences in support of the Mine Trade Access Program, which provided students with the skills necessary to work in the mining industry. The Mine Trade Access Program was a joint venture with Aurora College, the Government of the Northwest Territories, and BHP Diamonds.

Reviewed all system related information security plans and made recommendations accordingly. Conducted a full security analysis of internet capabilities in preparation for online training. Conducted penetration tests of the campus intranet and external connections. Designed and facilitated training programs focused on computer based training, the sciences and mathematics for students enrolled in the Mine Trade Access Program. Provided ongoing coaching and support to the students in the program. Designed and implemented prototype HTML based online training and instruction.

DIAVIK DIAMOND MINES Oct 1996 - May 1997

Independent Consultant contracted to develop and implement a system that secured all of the network’s information

Developed, implemented and managed a security system that would protect Diavik's network, confidential data and its various systems. Contracted and supervised two consultants who provided ongoing support to the project. Performed security risk assessments and served as an internal auditor on all security issues and concerns. Provided direct training to all employees, contractors or other third parties ensuring proper information security clearance in accordance with organizational goals and objectives. Managed the conversion to Unix OS. Created disaster recovery and business contingency plans. Developed security policies and procedures. Conducted penetration testing. Made recommendations on applications for intrusion testing.


Page 10: Information Security Consultant

GOVERNMENT OF THE NORTHWEST TERRITORIES May 1993 - Mar 1997

Independent Consultant contracted to provide training to management and staff on the use of the Internet

Designed and delivered training programs on a variety of topics including Introduction to DOS, Unix and Introduction to email.

Provided consultation to the Territorial Government on developing systems that would protect all confidential information currently stored on their network.

Developed and implemented policies and procedure standards that would minimize the risk in the event of any security breaches.

Skills Matrices below (Pages 11 - 24)


Page 11: Information Security Consultant

SKILLS MATRIX (A) - IT SECURITY SPECIALIST

Candidate Name: Brian Milligan
Relevant Skills / Experience:

Skills | Experience (yrs) | Experience Detail

Experience in Information Security | 15+ | General Statement of Qualifications and Responsibilities —

Employed in all aspects of Information Security:

Participated as a member of senior management teams in governance processes of the organization’s security strategies.

Led strategic security planning to achieve business goals by prioritizing defense initiatives and coordinating the evaluation, deployment, and management of current and future security technologies.

Developed and communicated security strategies and plans to executive team, staff, partners, customers, and stakeholders.

Assisted with the design and implementation of disaster recovery and business continuity plans, procedures, audits and enhancements.

Developed, implemented, maintained and monitored enforcement of policies, procedures, and associated plans for system security administration and user system access based on industry standard best practices.

Defined and communicated corporate plans, procedures, policies, and standards within the organization for acquiring, implementing and operating new security systems with respect to equipment, software, and other technologies.

Acted as advocate and primary liaison for the company’s security vision via regular written and in-person communications with the company’s executives, department heads and end users.

Worked closely with management and IT departments to ensure the security of information systems: computers, network (including 802.11 access) and both processing and physical components.

Managed the administration of all computer security systems and their associated software, including firewalls, intrusion detection, cryptography, anti-virus software and Malware.


Page 12: Information Security Consultant

Manitoba Public Insurance

Sep 2014 – Oct 2014

Information Security Consultant
Resume Reference – Page 7

DELL (Canada)

Aug 2013 – Oct 2013

Information Security Consultant
Resume Reference – Page 7

PRIVATE CONTRACTS

Oct 2009 - Dec 2012

Information Security Consultation
Resume Reference – Page 7

SKILLSOFT

Mar 2011 - Apr 2011

Information Security Consultation
Resume Reference – Page 7

GOVERNMENT OF NEWFOUNDLAND

Aug 2008 - May 2009

IT Information Security Consultant
Resume Reference – Page 7/8

EXCEPTIONAL SECURITY CONTRACTS

Jan 2006 - Jun 2008

IT security contracts (4) carried out with signed specific non-disclosure agreements
Resume Reference – Page 8

GOVERNMENT OF ALBERTA

Dec 2005 - Apr 2006
IT Security Manager for the Department of Energy
Resume Reference – Page 8

MISCELLANEOUS CONTRACTS
Feb 2000 - Sep 2005
Resume Reference – Page 9

ADDITIONAL EXPERIENCE
May 1993 - June 1999
Resume Reference – Page 9-10

Direct experience with IT GCC SOX compliance | 7 | From mid-2003 to the present, I have ensured that clients are aware of SOX and its affiliated controls, including General Computer Controls (GCC), Business Cycle Controls (BCC), and General Information Controls (GIC).

In addition I have aided in the establishment of a Security Management Framework as outlined below:

Created SOX and related documentation to support and enhance security policies


Page 13: Information Security Consultant

Reviewed existing security policies and created/enhanced where necessary

Ensured that associated IT security was aligned with Business Strategy and was maintained as a core part thereof

Developed corporate Access Control Models to enhance information security and control—High, Medium, Low and Unclassified (similar to Top Secret, Secret, Confidential and Unclassified)

Ensured configuration of and/or client awareness of Threat Risk Assessment (TRA), Vulnerability Assessment (VA), Business Continuity Plan (BCP), Business Impact Analysis (BIA) and Disaster Recovery Plan (DRP)

Ensured Incident Response Plan created and/or updated

Advised that Information Security be viewed as a Management issue as opposed to a Technical issue

Initiated security awareness information sessions and workshops for Management and employees; updated staff on general SOX compliance and possible security threats

Certified Information Systems Security Professional (CISSP) and/or SANS GIAC Audit designations | 8+ | CISM Certification - 2007; CISSP Certification - 2005; CompTIA Security+ - 2004; CompTIA Network+ - 2004; Government of Canada Security Clearance – Enhanced Reliability—2004

Knowledge of regulatory and legislative influences on Information Security (e.g. PIPEDA, DHS, NEB) | 15+ | I have thorough knowledge in the use of NSA & NIST Guidelines, COBIT, SOX, ISO-17799 et al, Payment Card Industry (PCI DSS), HIPAA, Gramm-Leach-Bliley Act (GLBA), ISECOM, CSA Privacy Principles, as well as Carnegie Mellon and other security publications.

The above publications and security directions, including those of the Department of Homeland Security (DHS), the National Energy Board (NEB), the Information Security Forum (ISF), ISO 17799 / 27002, PIPEDA and others are all necessary to effectively complete a proper and well-stated Information Security system.

Knowledge of Information Security best practices (e.g. ISO 17799, NIST, ISF) | 15+ | Used for constant and continued reference, both computer and hard copies of the following publications travel with me to all employment locations:

(A)

Personal Information Protection and Electronic Documents Act (PIPEDA)--Oct 20, 2010

Harmonized Threat and Risk Assessment Methodology (TRA)— (Government of Canada) Oct 23, 2007

Control Objectives for Information and related Technologies (COBIT 4.1)—IT Governance Institute

Introduction to General Computer Controls—ISACA 2005


Page 14: Information Security Consultant

Sarbanes-Oxley Act of 2002—107th Congress USA

The Standard of Good Practice for Information Security—2007 Information Security Forum

Incident Response Plan—Government of Western Australia Jul 2004

A Security Management Framework for Online Services-- Government of Western Australia Apr 2004

(B)

National Institute of Standards and Technology (NIST):

(1) Establishing a Computer Security Incident Response Capability (CSIRC)—NIST 800-3 Nov 1991

(2) Guide for Developing Security Plans for Federal Information Systems—NIST 800-18 Feb 2006

(3) Risk Management Guide for IT Systems—NIST 800-30 July 2002

(4) Generally Accepted Principles and Practices for Securing IT Systems—NIST Special Publication Sep 1996

(5) Engineering Principles for IT Security—NIST 800-27 (Rev A) Jun 2004

(6) Information System Security Reference Data Model (DRAFT)—NIST 800-110 Sep 2007

(7) Guide for Security Authorization of Federal Information Security Systems (INITIAL PUBLIC DRAFT)—NIST 800-37 Aug 2008

(8) Managing Risk from Information Systems (SECOND PUBLIC DRAFT)—NIST 800-39 Apr 2008

(9) Technical Guide to Information Security Testing (DRAFT)—NIST 800-115 Nov 2007

(10) Computer Security Incident Handling Guide—NIST 800-61 Jan 2004

(11) Guide to Malware Incident Prevention and Handling—NIST 800-83 Nov 2005

(12) Guide to Computer Security Log Management—NIST 800-92 Sep 2006

(13) Security Configuration Checklists Program for IT Products-Guidance for Checklists Users and Developers—NIST 800-70 May 2005

(14) An Introduction to Computer Security: The NIST Handbook—NIST 800-12(C)

(C)

Carnegie Mellon Software Engineering Institute:

(1) Defining Incident Management Processes for Computer Security Incident Response Teams (CSIRTs)—Oct 2004

(2) Handbook for Computer Security Incident Response Teams (CSIRTs)—Apr 2003

(3) First Responders Guide to Computer Forensics—Mar 2005

(4) First Responders Guide to Computer Forensics: Advanced Topics—Sep 2005

(D)

Common Criteria for Information Technology Security Evaluation:

(1) Part 1: Introduction and General Model—Version 3.1; Revision 1 Sep 2006

(2) Part 2: Security Functional Components—Version 3.1; Revision 2

(E)

Federal Information Processing Standards Publications (FIPS)

(1) Standards for Security Categorization of Federal Information and Information Systems—Feb 2004

(2) Minimum Security Requirements for Federal Information and Information Systems—Mar 2006

In addition to the above, I maintain a travel “library” of over a dozen textbooks which I consult regularly for information and ideas; I am constantly searching for new ideas and material.

Ability to manage and deliver a Security Awareness Program for the corporation

15 My written and oral communication skills are excellent, as are my interpersonal and negotiating skills. In addition to setting and managing priorities judiciously, I maintain an excellent ability to present ideas in both business-friendly and user-friendly language.

To this end I have successfully developed and delivered a number of Security Awareness Programs, including workshops, seminars, presentations... all of which are geared to the specific audience, whether front-end staff, computer gurus or Management.

Ability to articulate regulatory requirements to technical audience

15+ I am easily able to articulate all areas of information security requirements and methods to virtually any audience—the level to which I strive is, in part, audience dependent. However, should I come across difficulties with concepts, questions or material, whether in writing or directly, I am not afraid to seek help.

Ability to articulate technical controls to non-technical audience

15+ Presenting technical material of any kind to a non-technical audience is often quite difficult. However, with proper thought and preparation, most difficulties in this area can be successfully mitigated. Admittedly, this area does present occasional problems… I am fortunate that some years ago I taught Mathematics and Physics at both high school and university levels, an experience that most definitely aids in the successful conveyance of the ideas and methods of Information Security.

Skills Matrix (B) follows…


SKILLS MATRIX (B) - IT SECURITY SPECIALIST

Candidate Name: Brian Milligan

Relevant Skills / Experience:

Skills / Experience (yrs) / Experience Detail

Knowledge of OWASP and ISO 17799/27002

6 Have used OWASP essentially as a reference since 2003; ISO 17799/27002 referenced frequently since 2006.

Knowledge of LAN / WAN and internetworking design & management

15 Worked with Diavik Diamond Mines LAN/WAN structure during 1996/97 contract—primary focus was on system change from Novell to UNIX and/or Windows. This type of design/change consultation continues with respect to most recent contracts.

Experience designing & managing security architecture for a large company

10 Designed security policies, procedures, standards and guidelines for Government of Newfoundland, Government of Alberta, Private Consultations, Diavik Diamonds and Aurora College. Managed requirements and implementation of overall security structure, including physical security.

Experience developing Authentication & Authorization Frameworks

10 In all contracts, I researched and incorporated Authorization and Authentication products and studies--login, password, Smart Cards… tools required to adhere to CIA triad. Also ensured that system users maintained accessibility unique only to job function.

Knowledge of security architecture methodologies, Industry best practices & generally accepted information security principles

15 This is an ongoing study and capability that I practice in order to ensure that clients are aware of and adhere to the security guidelines and principles that best fit their business needs. It is part and parcel of my involvement with all clients.

Proven ability to collaboratively plan, document, and present security strategies, achieve buy-in from IT leadership, and manage the strategy implementation process

15 The points below are indicative of my approach with clients:

Participate as a member of the senior management team in governance processes of the organization’s security strategies

Lead strategic security planning to achieve business goals by prioritizing defence initiatives and coordinating the evaluation, deployment, and management of current and future security technologies, including those associated with PCI DSS, Cloud Computing and Smart Grid.

Develop and communicate security strategies and plans to executive team, staff, partners, customers, and stakeholders.

Assist with the design and implementation of disaster recovery and business continuity plans, procedures, audits, and enhancements.

Develop, implement, maintain, and oversee enforcement of policies, procedures, and associated plans for system security administration and user system access based on industry standards and best practices.


Define and communicate corporate plans, procedures, policies, and standards for acquiring, implementing, and operating new security systems, equipment, software, and other technologies.

Act as advocate and primary liaison for the company’s security vision via regular written and in-person communications with the company’s executives, department heads, and end users.

Work closely with IT department on corporate technology development to fully secure information, computer, network, and processing systems.

Manage the administration of all computer security systems and their associated software, including firewalls, intrusion detection systems, cryptography, anti-virus software and various Malware components and methodology.

Exceptional knowledge and experience in IT infrastructure security (networks, databases, system services and server)

15 After a general overview of my client’s security posture, I meet with those system administrators and/or consultants who are close to the system infrastructure to discuss problems, both real and perceived, relating to the system—network, servers, database structure, etc. I tend to keep this process ongoing throughout the lifecycle of the system(s), with training to ensure that this process is actually maintained. This process has been followed throughout all of my contracts.

Writing security policies/procedures

15 In each of my contracts I have, after an initial overview, either refurbished and/or rewritten security policies/procedures to ensure that they are aligned with (1) the most recent information security updates and, (2) the overall structure of the business involved.

Project planning

15 In those cases where Project Planning was undertaken, I was usually consulted to ensure that adherence to security principles was followed. This is part and parcel of my security involvement with all clients.

Coordinating & conducting client interviews

15 As above, this is part and parcel of my involvement—this ensures that client interests in the associated security concerns are kept on track (and on budget!)

Producing business cases

10 My involvement here has been essentially to provide strong security guidelines that will ensure that the demands of the overall project and/or business mandate are met and adhered to.

Producing Requirements definitions

10 As above, security requirements are studied with respect to the business structure—here I establish the necessary importance of security requirements by preparing initial disaster recovery models, including Threat Risk Assessment, Vulnerability Assessment, Disaster Recovery Plan, Business Impact Analysis, Business Continuity Plan, Incident Response Plan and Incident Response Team…


Producing cost & impact analysis

N/A Although I have participated in this area, it is simply to show that security requirements that I have recognized are necessary to ensure that the information system is secure and the cost-benefit is favourably balanced with respect to my impact analysis. This is carried out with the cooperation of those working within the realm of cost benefit analysis.

IT Security Implementation Planning

10+ This is something that begins the minute I enter the business area…it includes overall analysis, business meetings, software/hardware study, etc.

Developing an IT Security Program

10+ Through all of the above, the Security Program results. This will, as an ongoing process, include workshops and training for all employees.

Skills Matrix (C) follows…


SKILLS MATRIX (C) - IT SECURITY SPECIALIST

Candidate Name: Brian Milligan

Relevant Skills / Experience:

Skills / Minimum Experience Required / Summary of Experience / Cross-reference to resume

Formal degree or diploma in a related field (i.e. computer science, computer engineering, information system security etc.)

Degree or diploma

CISM Certification - 2007

CISSP Certification - 2005

CompTIA Security+ - 2004

CompTIA Network+ - 2004

Government of Canada Security Clearance – Enhanced Reliability—2004

Page 2

Certified Information System Security Professional (CISSP) certification.(current)

Current

CISSP Certification – Current

Page 2

Experience conducting following types of assessments:

- Web application vulnerability assessment

- Infrastructure (server) vulnerability assessment

Multiple projects (for each type of assessment)

In each of my projects I have ensured that Web applications are secure—I note here that, as I am not a Web “expert”, I rely on Web personnel for information and guidance.

Similarly, the overall VA that I perform must necessarily rely on those closest to the particular area(s) in question, as hardware demands specialists on point.

As such, all of my recent projects have followed this method.

Web tasks are not listed in my resume as these were carried out, with certain security expertise and guidance on my part, by those with considerably more Web expertise.

Experience documenting professional reports and interacting with senior level management.

Multiple reports, meetings, consultations etc.

Prepared initial disaster recovery model, including: Threat Risk Assessment (TRA), Vulnerability Assessment (VA), Disaster Recovery Plan (DRP), Business Impact Analysis (BIA), Business Continuity Plan (BCP), Incident Response Plan (IRP) and Incident Response Team (IRT)…

Prepared paper on creation of Crisis Management Team. Overall, I prepared papers on all necessary Security Concepts and Procedures relating to the system(s) in question (see Resume)

Resume pages 7 through 10 and attached Skills Matrices (A) to (D)


Skills / Minimum Experience Desired / Summary of Experience / Cross-reference to resume

Formal training from a recognized and reputable source (e.g. SANS, ISC2) on ethical hacking and secure software lifecycle development processes

Experience and Training

Most of my training I have undertaken as self-study, although I did take a five day course in Ethical Hacking in Calgary and a five day CISM course in Winnipeg a few years ago—I found the courses helpful but, for the most part, I do equally well or better with self-study.

Not included in Resume

Experience with java programming language

Although I do have considerable programming experience-- GWBASIC, C variants, Perl, Python, Fortran, COBOL, Assembler--JAVA is not a part of this experience. However, I do not see any great difficulty here if I find that I must use it…

Page 3

Experience with Windows servers

I have worked with Windows, Unix, Linux, OS2 and DOS on both servers and desktops.

Page 3

Skills Matrix (D) follows…


SKILLS MATRIX (D) - IT SECURITY SPECIALIST

Candidate Name: Brian Milligan

Relevant Skills / Experience:

Required Skills / Years of Experience / Details

Extensive experience developing privacy programs

15+ Privacy issues and programs are maintained at all phases of information security development and implementation and are absolutely essential in maintaining the highest degree of Information Security. The developments described below are part and parcel of each of my forays into advancing and maintaining security:

(a) Developed and communicated security and privacy strategies and plans to executive team, staff, partners, customers, and stakeholders.

(b) Developed, implemented, maintained and monitored enforcement of policies, procedures, and associated plans for system security administration and user system access based on industry standard best practices.

Facilitation with stakeholders towards presenting/delivery of privacy management artefacts and training, conducting privacy impact assessments and threat risk assessments

15+ The following represent and ensure the management of threat, risk and privacy:

(a) Prepared initial disaster recovery model, including: Threat Risk Assessment (TRA), Vulnerability Assessment (VA), Disaster Recovery Plan (DRP), Business Impact Analysis (BIA), Business Continuity Plan (BCP), Incident Response Plan (IRP) and Incident Response Team (IRT)…

(b) Prepared paper on creation of Crisis Management Team

(c) Prepared paper on necessary Risk Assessment Procedures

(d) Addressed Risk Avoidance versus Risk Management

Extensive knowledge of developing information security, privacy and risk management policies and procedures

15+ The following represent my work with the development of threat, risk and privacy procedures:

(a) Developed and communicated security and privacy strategies and plans to executive team, staff, partners, customers, and stakeholders

(b) Assisted with the design and implementation of disaster recovery and business continuity plans, procedures, audits and enhancements

(c) Developed, implemented, maintained and monitored enforcement of policies, procedures, and associated plans for system security administration and user system access based on industry standard best practices

(d) Defined and communicated corporate plans, procedures, policies, and standards within the organization for acquiring, implementing and operating new security systems with respect to equipment, software, and other technologies

(e) Acted as advocate and primary liaison for the company’s security vision via regular written and in-person communications with the company’s executives, department heads and end users

(f) Worked closely with management and IT departments to ensure the security of information systems: computers, network (including 802.11 access) and both processing and physical components

(g) Managed the administration of all computer security systems and their corresponding or associated software--firewalls, intrusion detection systems, cryptography systems--and anti-virus software, including various Malware components and methodology.

In-depth experience with privacy legislation including PHIPA, FIPPA, PIPEDA and Security Standards and Best Practices

15+ Refer to Resume and attached Skills Matrix (A). I have thorough knowledge in the use of NSA & NIST Guidelines, COBIT, SOX, ISO-17799 et al, Payment Card Industry (PCI DSS), HIPAA, Gramm-Leach-Bliley Act (GLBA), ISECOM, CSA Privacy Principles, as well as Carnegie Mellon and other security publications. In addition, I rely heavily on the following (and other) publications. The above publications and security directions, including those of the Department of Homeland Security (DHS), the National Energy Board (NEB), the Information Security Forum (ISF), ISO 17799 / 27002, PIPEDA and others (listed below) are all necessary to effectively complete a proper and well-stated Information Security system.

(a) Personal Information Protection and Electronic Documents Act (PIPEDA)--Oct 20, 2010

(b) Harmonized Threat and Risk Assessment Methodology (TRA)— (Government of Canada) Oct 23, 2007

(c) Control Objectives for Information and related Technologies (COBIT 4.1)—IT Governance Institute

(d) Introduction to General Computer Controls—ISACA 2005

(e) Sarbanes-Oxley Act of 2002—107th Congress USA

(f) The Standard of Good Practice for Information Security—2007 Information Security Forum

(g) Incident Response Plan—Government of Western Australia Jul 2004

(h) A Security Management Framework for Online Services-- Government of Western Australia Apr 2004

Working knowledge of privacy and security regulations, trends, issues, including an understanding of their impact on business and IT operations, as well as skill with interpretation and communication of regulations and compliance requirements.

15+ My working knowledge of information systems and the security thereof is extensive and well documented in the attachments provided. Part and parcel of this knowledge and experience is to ensure that clients maintain an awareness and comprehension of the nature and overall impact of positive Information Security—the skill with which I interpret and deliver to clients those areas of security regulation, trends and compliance is a source of professional pride to which I strongly adhere.
