Professional Profile
[snip]
Security Architect/Risk Consultant
Dave takes individual responsibility and is good at working to deadlines and under pressure. He enjoys teamwork and can co-ordinate, manage and prioritise well. He demonstrates good leadership abilities and will readily take the initiative and accept responsibility for others as well as himself. He has over 10 years' experience in IT and 7 years in Information Security.
Dave's assignment at ISC Networks was to design the architecture and roll out the Security Partner Programme (SPP). This was a rolling 12 month service to implement (or improve) an ISMS (Information Security Management System) for the business. Not only would the service assist the client, but it would train and educate the client in best practice for managing Information Security. The objective of the SPP was to provide peace of mind and demonstrate internally and externally that the organization is committed to achieving compliance to ISO17799 (or best practice).
During this time, Dave was directly responsible for 2
Security Engineers, mentored a trainee Engineer and managed
the consultants on the project. He also supervised the
management of all resources related to the Partner Programme
and provided monthly progress reports to the Group Delivery
Manager.
Prior to this, Dave's responsibilities had consisted of: client facing IT security consultancy, pre-sales consultancy, technical consultancy, on site risk assessment, proposing and implementing security solutions to tight schedules, Gap Analysis for compliance to BS7799 and Disaster Recovery and Business Continuity Planning. All this involved discussing immediate and possible future threats and issues with clients, identifying the possible impact to business operations/assets and helping to quantify the risk. He also initiated investigations due to breach of policy.
During his time as a senior consultant at the Alliance &
Leicester, Dave used Risk Analysis techniques such as
SPRINT/SARA, Business Impact Assessment techniques and
Fundamental Information Risk Management (FIRM) strategies,
while all the time working to BS7799 to provide a consistent
approach for recommending levels of security controls.
As well as project risk assessments, Dave has produced security procedures, policies and standards for a variety of software systems, including organisational security policies, acceptable use policies (special access, email & internet) and policies for mobile computers such as laptops and PDAs. He was also involved with the production of corporate-wide email policies and content and virus checking standards.
Dave is familiar with the use of structured systems analysis
techniques and has a good understanding of Quality
Management and Quality Assurance standards, change control,
Project planning (to PRINCE2) and Resource management
requirements.
At Sphinx he headed the Information Security Strategy Group,
which comprised business heads and directors. All decisions
on security would be initiated and decided by this group for
the business. Business Impact assessments were completed
for priority systems and the risk level measured and
quantified. This enabled the appropriate security controls
to be defined and assisted in the cost justification.
Dave has also been involved in the deployment of Biometrics to remove the overhead of managing users' passwords and to improve user authentication; this was a major problem for the help desk and administrators of Merseyside Constabulary.

General Information
I take individual responsibility and am good at working to deadlines and under pressure. I enjoy teamwork and can co-ordinate, manage and prioritise well. I demonstrate good leadership abilities and will readily take the initiative and accept responsibility for others as well as myself. I have over 10 years' experience in IT and 7 years in Information Security.
Technical Information
Key skills are: Security Architecture Design, including network topology/infrastructure, with analysis carried out to best practice as defined by security organisations and forums such as ISF, SANS and ISC2.
Other skill areas:
· Project planning (conforming to PRINCE2) and Resource Management
· ITIL Service Management – service delivery and support processes
· Risk Management and Analysis using SPRINT/SARA, Business Impact Assessment techniques and Fundamental Information Risk Management (FIRM – designed and produced by the Information Security Forum, ISF), also e-business risk assessment
· Business Continuity – including Disaster Recovery
· Gap Analysis for BS7799 compliance (using Proteus: BSi approved software)
· Security Policy, Procedure and Standards – writing, review and assessment
· Security Investigations – evidence gathering
· Identity Management – Biometric, SSO and Wireless authentication methods/products, design and deployment
· WLAN auditing, hardening/pen testing, providing granular access control and access monitoring
· Designing Vulnerability/Penetration testing solutions for servers and firewalls, utilising commercial tools such as RETINA, SecureScoutNX and ISS Internet Security Scanner
· Securing/Hardening of operating systems, providing a more granular level of control and access through policies and ACLs
Software Products & Operating Systems
· SecureScoutNX (NetVigilance), RETINA & IRIS (eEye), Internet Security Scanner (ISS)
· BioLink Authenteon (BioLink USA, biometric authentication & data encryption)
· PROTEUS – BS7799 Gap Analysis/Assessment (SMHPLC), BSi approved tool
· ActiveNet Steward (distributed firewall) – Security Information Management (Security Designers Ltd)
· Microsoft Office suite, Windows NT/2000/XP
· Entrust PKI
Employment areas
Information Security Risk Consultant
XXXX
Dec 03 to June 05
Reason for leaving: Redundancy (whole of department made
redundant)
In my current role, I was recruited to design and roll out the Security Partner Programme (SPP) for ISC Networks. This is a 12 month rolling service to implement, or improve, an Information Security Management System (ISMS). Not only would the service assist the client in complying with BS7799 but also train and educate them in best practices for managing Information Security. The objective of the SPP is to provide peace of mind and demonstrate internally and externally that the organization is committed to achieving best practice or compliance with BS7799.
Bringing the vision to fruition involved discussing business
objectives and deciding whether they were achievable in light of
available resources, skill-sets and budgets. I produced an
outline of a high level process. Each process was broken down
into sub-processes of a manageable size where the resources and
timescales could be calculated.
I produced flow and cross-functional diagrams to identify process flow, ownership and responsibility. I designed and documented the processes and procedures for: Agreeing Scope, Business Impact Assessment, Asset Inventory, Gap Analysis, Network Architecture Review and Risk Assessment.
As the Partner Programme evolved, I negotiated with the helpdesk department to agree the support requirements, response times, KPIs and SLAs for the project and integrated their procedures into the overall design.
The SPP included a requirement for a security lab. This would be used for customer support, research and development, product evaluation, training and user acceptance testing. I designed the infrastructure for the lab, specified and procured equipment, and implemented change control procedures for access and use of the lab.
Under the programme I was directly responsible for two security engineers and mentored a trainee; the engineers were employed to support the programme's clients.
Contracting:
Security Management & Consultancy
Oct 02 to Dec 03
Providing consultancy services to system and network integrators, education and the public sector. I undertook a security breach investigation for a pharmaceuticals firm to clear or incriminate a suspected employee for breach of security policy. I worked on a project to improve security at a System Integrator in response to a malicious security breach. I provided vulnerability assessment and penetration testing of their internal and external facing servers and amended the existing security configuration, adding Biometric authentication to priority servers. Clients included: M3 Networks, Merseyside Constabulary, and The Droitwich Knee Clinic.
Information Risk Security Consultant
XXXX
Professional Services
Division
Aug 01 – Oct 02
Reason for leaving: Redundancy
due to company structure change
I was taken on to head
up the consultancy services team. I was responsible for the
high level design of services such as: information risk
analysis, network analysis, penetration/vulnerability testing,
and improving authentication systems through the use of
biometrics, policy design, production and maintenance and gap
analysis.
The role consisted of client facing consultancy, pre-sales consultancy and Gap Analysis for compliance to BS7799. I carried out various levels of penetration and vulnerability testing of firewalls and servers, using passive and stringent methods.
I was responsible for assessing the business' internal security procedures and processes and implementing, where necessary, new security measures. I designed the company security policy, internet and email policy and respective acceptable use policies. I organised and headed the Information Security group, which comprised business heads and directors, where all decisions on security would be initiated and decided. Business Impact assessments were completed for priority systems and the risk level measured and quantified; this enabled the appropriate security controls to be defined.
Clients included: Hill House Hammond in Bristol, where I produced their security policy and carried out Gap Analysis for BS7799; The Co-operative Society in Manchester, where I carried out penetration testing of their firewall and provided recommendations for improvements; and the NHS, where I conducted gap analysis to BS7799 to assist in their objective to achieve BS7799 certification.
Also, I co-hosted and
spoke at seminars on Network Security awareness including
BS7799, Biometrics, Wireless and Distributed Firewalls to select
groups (typical attendees: from IT managers to Directors).
Contracting:
Security Management & Consultancy
Sept 00 – Aug 01
The main aspect of my position was client-facing consultancy. I had to discuss clients' requirements, complete scoping studies, carry out business impact assessments and, where necessary, risk assessments. Following that, I produced recommendations to reduce perceived risks to an acceptable level. I produced IT Security Policies, Procedures and Standards to provide methods to help manage risk. To help enforce these, I produced contingency plans for system outages, e.g. backup procedures and test plans for backup and recovery, and I validated the plans once implemented.
Through the use of BS7799/ISO 17799-1 I provided a consistent approach to the risk assessment of information security. I'm trained in the SPRINT and SARA methodologies from the Information Security Forum (ISF) for Information Security Risk Assessment.
Other responsibilities included resource planning and monitoring across multiple projects through the use of a resource availability and forecasting tool I designed and developed.
For one system integrator I completed a security review of the business functions and data flow. Because the business consultants were distributed and working remotely across the UK, the confidentiality and integrity of client information was paramount. After a risk assessment of internal systems, RAS and Internet access, I made recommendations to improve the security and processes surrounding the day-to-day actions of the consultants. This was done to improve client confidence in the company and the services offered.
One of the largest clients was Radianz (Equant/Reuters partnership), where I was taken on to carry out risk analysis of the OSS/BSS system, which comprised 10 sub-systems. I made recommendations for improving the existing security measures and identified risks that had been overlooked.
Senior Security Consultant
XXXX
Finance
June 99 – Sept 00
Reason for leaving: Freelance work so I could work closer to
home
The Information Security Management team was involved to varying degrees in every IT project raised within the XXXX. The team's function was to review and approve or reject the security aspect of each project following analysis and business impact assessment. My role within ISM was to apply myself to any project assigned to the team for assessment, irrespective of my personal skill set. For me this involved using the SPRINT risk analysis method and working to BS7799. As well as project risk assessments, I produced security procedures, policies and standards for potentially any software system. I also produced business cases for the implementation of new products, ideas or technologies, depending on the project. I took responsibility for evaluating new products from a security aspect prior to purchase and deployment.
I was responsible for the security assessment of all the databases after an audit had identified many problems. I managed a small team to identify which servers had priority, what levels of security controls would be required and how the amendments would be rolled out. I selected ISS DB Scanner as the most appropriate tool.
Another aspect of my position within ISM was project planning and task/time management for myself and those who reported to me on various projects. In order to facilitate this resource and time management I designed and developed a resource management tool implemented in Excel, which has become a departmental standard for resource planning and forecasting.
Project Analyst/Security
XXXX Ltd. (formerly CCN)
Aug 98 – June 99
Risk, Trend and Market Analysis and Credit Analysis Services
One of eight people working within the Network Development Design Group, an in-house consultancy dealing with multiple projects. The core project I was involved in was concerned with the design and implementation of a physical network over which a Public Key Infrastructure would be run. I was closely involved in the implementation and analysis of Solaris 2.6 for the Certificate Authority and Directory Services server, and of NT4 Server on which a bespoke application, EThiCS, would run. My main role within this project was to specify and implement the security requirements for both systems. This involved detailed analysis and reporting, and the recommendation of ways to augment existing security procedures as well as incorporating new ones. I wrote the server policies for the NT servers, from removing non-required services to hardening the ACLs to reduce the possibility of exploitation of any known vulnerabilities.
Alongside the Public Key Infrastructure project, I worked on rationalising a network belonging to a subsidiary. This involved an analysis of their current systems and business processes and replacing the whole or part thereof with a new topology to conform to the Experian company standard. Following my analysis I made recommendations for the improvement of the system in terms of network efficiency, resilience and security.
Prior History:
1993-1998: Sheffield Hallam University.
1992-1993: Birtley Engineering – Engineer, Database design and
network maintenance
1991-1992: Boots PLC – Civil engineering and Assistant IT
Manager
Qualifications
· ITIL Service Management (ISEB certification)
· ISEB Certificate in Information Security Management Principles (BCS/ISEB Certificate)
· Microsoft Certified Professional (MCP), NT4 Server
· B.Sc. (Hons) Networks & Communications (F/T mature student), 1993-1998, Sheffield Hallam University
· B.Sc. (Hons) Business Information Systems (F/T mature student)
· HND (Higher National Diploma) in Engineering Information Technology (F/T mature student)
Training Courses Attended
· ISEB – ITIL Service Management
· ISEB – Information Security Management Principles (BCS/ISEB Certificate)
· Project management in line with the PRINCE2 method
· Pentasafe Security Suite (Security Manager/VigilEnt Security Policy Centre)
· NetVigilance's SecureScoutNX (distributed vulnerability/pen testing tool)
· Security Designers Active Net Steward (distributed firewall/auditing security solution) – sales and technical/administration training
· SPRINT/SARA and FRAP training – Information Risk Analysis and Management
· Microsoft Course 832 – Systems Admin for MS SQL Server 7
· Veritas Volume Manager
· Entrust PKI Direct/Administrators course
· Novadigm EDM (Enterprise Desktop Management) Administration training
· Microsoft Windows NT4 Server Administration course