Brett Osborne 1 of 6

Brett K Osborne
14135 Conifer Dr
Orlando, FL 32832-6545
Home Phone: 407-282-9542
Contact Phone: 321-217-7785
E-Mail: SecurityPro@sprint.blackberry.net

Employee Information:
Information System Security Certifications: CISSP (ISC2), CISM (ISACA)
Security Clearance: TOP SECRET
• Senior C&A staff for both MA and GSS in Federal Agencies
• Extensive ST&E experience with a range of tools, providing findings and reports
• Interpret, consult, and analyze compliance to NIST SP 800 Series, OMB, FISMA and customer standards
• C&A experience in Federal agencies including VA, NASA, FAA; also DoD
• Strong knowledge of Government security documents, such as NIST SP 800 series and FIPS series, OMB A-130, The Privacy Act of 1974, as well as Standards, Best Practices, and/or Agencies' Regulations/handbooks
• Complete PIA and other compliance documents

Objective: Consideration for position involved in information security management, certification and governance activities.

Certification and Accreditation
Federal civilian (800-53/FISMA), DoD (DITSCAP)
Full evaluations – technical, reviews, compliance, ST&E, findings, POA&Ms
Emphasis on risk management, including analysis, vulnerability and threat management, including a balance of technical and business-driven governance and policy.

Experience:

Network Defense Watch Engineer
Apptis Inc. and DISA
July 2008 – June 2009
Computer Network Defense support to US CENTCOM/DISA
Manage Computer Network Defense (CND) for units/components/Joint Task Forces (JTFs) involved in USCENTCOM Operations (OIF/OEF). Communicate with units/components/JTFs regarding Network Defense, Threats, Vulnerabilities, and hostile Computer Network Operations (CNO).
Manage vulnerabilities. Provide compliance statistics. Provide notifications of potential or suspected infections (trojan, worm, virus, etc.). Provide notifications of potential or suspected infiltration (intrusion actors, CNO) and exfiltration (data theft).
Analyze developing threats, CNO, intrusion actors, and exploits. Developed and refined Policies and Procedures (TTP, SOP). Developed Threat and Vulnerabilities notification procedures. Direct units/components/JTFs to perform various CND procedures (firewall block, IDS signatures, DNS poisoning, etc.) to maintain and/or improve overall CND. Maintained statistics or metrics for Vulnerabilities, Directives, etc. Collaborated with various outside agencies (FBI, JTF-GNO, NCIS, Military Services). Interacted with all levels of management including executives.

Information Systems Certification Engineer
Consultant to STG Inc. and DSA Inc.
October 2007 – July 2008
Certification and Accreditation of VA (Certification Assessments per NIST 800-53/FISMA of Veterans Administration medical centers and business offices). Consultant to one of the Project Contract Teams. Site visits two to three weeks per month. Continuously reforming teams (new coworkers, new team lead possible each week). No patient care or privacy review. Collected data during site visit; completed assessment and reporting during off-site work weeks and uploaded to contractor home office for data validation and reporting to Agency.
Policy compliance assessment: all policy areas assessed through interviews of VA staff (e.g. CIO, ISO, IT, safety, emergency management, Police Chief, and/or facility management/engineering) and document reviews (e.g. SSP, Incident and Contingency Plans, policies and/or procedures, etc.). Assessments based on SP 800-53, but also referenced related NIST documents (e.g. other 800 series documents).
Technical compliance assessment (semi-automated): Windows XP workstations, Windows 2003 servers. Includes general and application servers (e.g. voicemail).
Technical compliance assessment (interview): IOS 12.x routers & switches, wifi (AirFortress & APs).

Systems Security Engineer
Consultant to Harris Corp.
January 2007 – October 2007
NGA NGDS Program: Support Information Assurance, Systems Engineering, and manage Certification and Accreditation for program.
Managed Certification and Accreditation, including SSAA activities. Analyzed use of COTS, Specialized Classification-Dissemination Controls, Discretionary Access Controls in DCID 6/3 Environment, Integrity Control of Program Versions (Change Management) and SOA. Provided reports for monthly Program Management Review.
Managed Information Security Engineering. Provided Design guidance across program, and specifically Information System Security Engineering (ISSE). Interacted and collaborated with customer Program Management offices. Addressed ISSE and C&A issues; published Technical papers to internal and customer audiences.
Managed a wide range of ISSE/C&A issues including:
• Wrote Program Testing (e.g. Site Acceptance Requirements Test). Wrote various other compliance and certification documents - Disaster plan, backup, audit, etc.
• System Readiness Review – coordinate use of security test tools, such as SRR, and analyze
• Other C&A documentation – transferred C&A information to (DoN) Application Security Plan document for USMC
• COTS Management - submit COTS for acceptance; review internally (forecast approval); manage COTS-mitigation plan and schedule. Other concerns - freeware, vulnerability, licenses.
• Report Activities to Management – update PMR monthly
• Site Acceptance Test (SAT) for DCID 6/3 (Compliance): Established new approach. Wrote original document to conduct inspection of compliance with DCID 6/3. Highly critical for success due to extremely accelerated schedule (due to discovery of interdependence with another project).
  o Accomplished on schedule and with no defects
• Schedules: IA and C&A schedules; incorporate into Program Master schedules. Program master schedule accelerated in August 07 (see note on SAT above).
• IDR Security Presentation: no prior material. Wrote original presentation for IDR, as well as added significant content to other presentations. Addressed activities, processes, concerns, risk and issues.
• Concerns, Risks and Issues: Use of COTS, Foreign developer, classification/dissemination, Marking (DCID 6/3 compliance), classification of program documents (interpreted customer guide). Several technical memos published for customer review.
• Monitor vulnerabilities: monitored accepted sources (BEA, ISS, CERT, WASC, Security Tracker, Security Focus (BugTraq), Secunia, MS, Mal-Aware, SANS).

FAA FTI Program: Updated consolidated Continuity-Contingency-Disaster Plans document. Redesigned document to comply with federal directives (e.g. NIST SP 800-34, 800-53, etc.). Corrected and clarified wording to follow industry standard terminology and practice. Redesigned document to separate subject areas (Continuity, Contingency Response, Disaster Response). Updated document to reflect current program design status. Added significant Contingency/Disaster scenarios to content (e.g. tornadoes). Added proposals for additional recovery resources. Reviewed System Security Plan and provided recommendations for modification needed to bring document into compliance with relevant federal guidance (e.g. SP 800-18, 800-53, etc.). Federal Public Trust position.

Systems Engineer
Consultant to CSR Corp
Cape Canaveral Air Force Station, FL
November 2006 – December 2006
Managed system update package: Coordinated with internal and external organizations. Developed engineering package. Researched drawings. Corrected and updated drawings (drawings vs as-built). Provided engineering recommendations. Created drawings for physical and logical elements. Top Secret.

Systems Engineer Sr
Lockheed Martin Simulation, Training & Support
09/27/2003 – October 2006
Performs technical planning, system integration, verification and validation, cost and risk, and supportability and effectiveness analyses for total systems. Analyses are performed at all levels of total system product to include: concept, design, fabrication, test, installation, operation, maintenance and disposal. Ensures the logical and systematic conversion of customer or product requirements into total systems solutions that acknowledge technical, schedule, and cost constraints. Performs functional analysis, timeline analysis, detail trade studies, requirements allocation and interface definition studies to translate customer requirements into hardware and software specifications.
Network Security Strategic Design: Provide DITSCAP C&A documentation to ISSE team. Provide support and consultation to Program Management on C&A and ISSE issues. Apply current technologies to the design, development, evaluation, and integration of System Security. Interact with senior internal and external personnel on significant matters requiring coordination between internal groups and other organizations. Apply regulations and standards based on a full and competent knowledge of governmental, industry and best practices and principles. Author Security Policies, analyses and other technical documentation at multiple levels. Demonstrated participation and leadership within several Information Security focused organizations and publications.
System Engineering in support of developing the System Security Architecture. Assessed Security Requirements. Used various methodologies. Knowledge of various standards (such as NIST and DoD publications, directives & instructions) was utilized to analyze information risks and gaps and to develop requirements. Information System Risk (Threat & Vulnerability management) Analysis. Define and design safeguards and countermeasures appropriate to accepted level of risk and budget.
Infrastructure Defense, Design Integration and System Analysis: Worked with interdisciplinary Teams to develop Security Architectures. Contributing author to Security Architecture and other Architecture Development. Provide direction on Threat Management, Identification Management. Support for program financial planning ("Estimate At Completion") and sub-project preproposal. Reviewed and revised Program Security Requirements, contract analysis; gap analysis.
Program Internationalization Sub-Project
  o Analysis of international and multi-national requirements and standards.
  o Utilized NATO C3 Technical Architecture to create architecture and innovative solutions.
  o Designed preliminary estimate for technical elements.
Engineering costing estimation (Basis of Estimation) for multiple year Security tasks

Personal:

Certifications
Certified Information System Security Professional from International Information System Security Certification Consortium (ISC2), # 71972 (03/01/2005)
Certified Information System Security Manager from Information System Audit and Control Association (ISACA), License# 273135 (07/26/2005)

Affiliations
Information Systems Security Association, Chapter President (2006-08)
INCOSE (International Council on Systems Engineering), Chapter President 2008, Vice President 2007, Secretary 2006
CISSP Test Supervisor for ISC2 CISSP test examinations
Member, Computer Security Institute (07/01/2005)
Member, ISACA (01/31/2005), Board service 2005

Publication
Have been quoted in various information security and professional certification publications:
Information Security Magazine
Certification Magazine
SearchSecurity.com (and related TechTarget sites)

Technologies and Methodologies
Engineering/Architecture, including:
  o DoD Architecture Framework (DoDAF)
  o NATO C3 Technical Architecture (NC3TA)
Used Capability Maturity Models (CMM) including SSE-CMM.
Constructive Systems Engineering Cost Model (CoSysMo).
Perimeter Security and Firewalls, including Checkpoint, Cisco.
Intrusion Detection, multi-vendor.
Vulnerability Assessment, multi-vendor including ISS Scanner products, various shareware, including Nmap, Nessus, Cheops, SATAN/SAINT
Virus Analysis/control, multi-vendors including Symantec Norton Antivirus and McAfee.
Securing Operating systems, including Windows NT, Solaris and others

Regulations, Standards and Guidelines Used
DCID 6/3
US DoD Instructions, Directives and Regulations
  o 8500 Series
  o DITSCAP Certification and Accreditation
NISPOM
US NIST FIPS and Security Special Publications
ISO 17799, 13335
JFAN 6/3
System engineering costing estimation (CoSysMo)

Prior work

Network and Information Security Engineer
NASA Kennedy Space Center – Shuttle Launch System upgrade
LM Space Operation (Tech Svs)
11/1/1997 – 11/28/2002
Senior Network Security Engineer:
• Worked with interdisciplinary and interdepartmental Teams to develop end-to-end security solutions.
• Project management and scheduling
• Evaluated various products and recommended vendors
• Evaluated technologies and standards for applicability
• Write Policies, Requirements and Specifications:
  • Security Goals/Concept of Operations
  • Security Technical Requirements Policy
  • Firewall; intrusion detection; Virtual Private Networks, Public Key Infrastructure, and cryptography; router and network control lists; auditing; Operating system security configurations and constraints (Unix and Windows NT); email and content controls; malicious code and virus controls; web server security configuration; remote access controls
• Perimeter Security and Vulnerability Assessment:
  • Used tools such as ISS Internet Scanner, Nmap, Cheops and Nessus.
• Used technical standards from various sources:
  • IETF, IEEE, ISO and other relevant standards
  • NASA standards, policies, handbooks and guidelines
  • Federal Information Processing Standards (FIPS), NIST, OMB, White House and GAO Standards and Practices
  • Public Law (P.L.) 100-235, "Computer Security Act of 1987"
  • Office of Management and Budget Circular No. A-130, "Management of Federal Information Resources"
  • P.L. 106-398, Government Information Security Reform Act (The Security Act of 2000)
  • DITSCAP by inference of the above citations
• Utilized numerous Computer Security industry organizations and resources.
• Installed, maintained and administered security devices (firewalls, intrusion sensors).
• Network Security Design and Deployment:
  • Imported Software Controls (contributing author): Shareware and COTS control
• Network Security Installation and Administration:
  • Deploy security systems and devices (firewalls, intrusion sensors).
• System Engineering: Install and configure network infrastructure – switches, concentrators, structured cabling plant.
• Network Design and Management, including use of network analyzers/sniffers.

Education:
Tampa College
Bachelor of Science, Computer Info Systems, 1994, GPA 3.8