Brett K Osborne - CISSP CISM - SecurityPro

Brett Osborne
1 of 6
Brett K Osborne
14135 Conifer Dr
Orlando, FL 32832-6545
Home Phone: 407-282-9542
Contact Phone: 321-217-7785
E-Mail: SecurityPro@sprint.blackberry.net
Employee Information:
Information System Security Certifications: CISSP (ISC2), CISM (ISACA)
Security Clearance: TOP SECRET
• Senior C&A staff for both MA and GSS in Federal Agencies
• Extensive ST&E experience with a range of tools, providing findings and reports
• Interpret, consult, and analyze compliance to NIST SP 800 Series, OMB, FISMA and customer standards
• C&A experience in Federal agencies including VA, NASA, FAA; also DoD
• Strong knowledge of Government security documents, such as NIST SP 800 series and FIPS series, OMB A-130, The Privacy Act of 1974, as well as Standards, Best Practices, and/or Agencies' Regulations/handbooks
• Complete PIA and other compliance documents
Objective:
Consideration for a position involving information security management, certification and governance activities.
Certification and Accreditation
Federal civilian (800-53/FISMA), DoD (DITSCAP)
Full evaluations – technical, reviews, compliance, ST&E, findings, POA&Ms
Emphasis on risk management, including analysis, vulnerability and threat management, with a balance of technical and business-driven governance and policy.
Experience:
Network Defense Watch Engineer
Apptis Inc. and DISA
July 2008 – June 2009
Computer Network Defense support to US CENTCOM/DISA
Manage Computer Network Defense (CND) for units/components/Joint Task Forces (JTFs) involved in USCENTCOM Operations (OIF/OEF). Communicate with units/components/JTFs regarding Network Defense, Threats, Vulnerabilities, and hostile Computer Network Operations (CNO).
• Manage vulnerabilities. Provide compliance statistics.
• Provide notifications of potential or suspected infections (trojan, worm, virus, etc.).
• Provide notifications of potential or suspected infiltration (intrusion actors, CNO) and exfiltration (data theft).
• Analyze developing threats, CNO, intrusion actors, and exploits.
• Developed and refined Policies and Procedures (TTP, SOP).
• Developed Threat and Vulnerabilities notification procedures.
• Direct units/components/JTFs to perform various CND procedures (firewall block, IDS signatures, DNS poisoning, etc.) to maintain and/or improve overall CND.
• Maintained statistics or metrics for Vulnerabilities, Directives, etc.
• Collaborated with various outside agencies (FBI, JTF-GNO, NCIS, Military Services).
• Interacted with all levels of management including executives.
Information Systems Certification Engineer
Consultant to STG Inc. and DSA Inc.
October 2007 – July 2008
Certification and Accreditation of VA
Certification Assessments per NIST 800-53/FISMA of Veterans Administration medical centers and business offices. Consultant to one of the project contract teams. Site visits two to three weeks per month. Continuously re-forming teams (new coworkers, new team lead possible each week). No patient care or privacy review. Collected data during site visits; completed assessment and reporting during off-site work weeks and uploaded to the contractor home office for data validation and reporting to the Agency.
• Policy compliance assessment: all policy areas assessed through interviews of VA staff (e.g. CIO, ISO, IT, safety, emergency management, Police Chief, and/or facility management/engineering) and document reviews (e.g. SSP, Incident and Contingency Plans, policies and/or procedures, etc.). Assessments based on SP 800-53, but also referenced related NIST documents (e.g. other 800 series documents).
• Technical compliance assessment (semi-automated): Windows XP workstations, Windows 2003 servers. Includes general and application servers (e.g. voicemail).
• Technical compliance assessment (interview): IOS 12.x routers and switches, wifi (AirFortress and APs).
Systems Security Engineer
Consultant to Harris Corp.
January 2007 – October 2007
NGA NGDS Program: Support Information Assurance, Systems Engineering, and manage Certification and Accreditation for the program.
Managed Certification and Accreditation, including SSAA activities. Analyzed use of COTS, Specialized Classification-Dissemination Controls, Discretionary Access Controls in a DCID 6/3 Environment, Integrity Control of Program Versions (Change Management) and SOA. Provided reports for monthly Program Management Review. Managed Information Security Engineering.
Provided design guidance across the program, and specifically Information System Security Engineering (ISSE). Interacted and collaborated with customer Program Management offices.
Addressed ISSE and C&A issues; published technical papers to internal and customer audiences. Wrote Program Testing documentation (e.g. Site Acceptance Requirements Test). Wrote various other compliance and certification documents – Disaster plan, backup, audit, etc. Managed a wide range of ISSE/C&A issues, including:
• System Readiness Review – coordinate use of security test tools, such as SRR, and analyze
• Other C&A documentation – transferred C&A information to (DoN) Application Security Plan document for USMC
• COTS Management – submit COTS for acceptance; review internally (forecast approval); manage COTS-mitigation plan and schedule. Other concerns – freeware, vulnerability, licenses.
• Report Activities to Management – update PMR monthly
• Site Acceptance Test (SAT) for DCID 6/3 (Compliance) – Established new approach. Wrote original document to conduct inspection of compliance with DCID 6/3. Highly critical for success due to extremely accelerated schedule (due to discovery of interdependence with another project)
  o Accomplished on schedule and with no defects
• Schedules: IA and C&A schedules; incorporate into Program Master schedules. Program master schedule accelerated in August 07 (see note on SAT above).
• IDR Security Presentation: no prior material. Wrote original presentation for IDR, and added significant content to other presentations as well. Addressed activities, processes, concerns, risk and issues.
• Concerns, Risks and Issues: Use of COTS, foreign developer, classification/dissemination, Marking (DCID 6/3 compliance), classification of program documents (interpreted customer guide). Several technical memos published for customer review.
• Monitor vulnerabilities: monitored accepted sources (BEA, ISS, CERT, WASC, Security Tracker, Security Focus (BugTraq), Secunia, MS, Mal-Aware, SANS).
FAA FTI Program: Updated consolidated Continuity-Contingency-Disaster Plans document. Redesigned document to comply with federal directives (e.g. NIST SP 800-34, 800-53, etc.). Corrected and clarified wording to follow industry standard terminology and practice. Redesigned document to separate subject areas (Continuity, Contingency Response, Disaster Response). Updated document to reflect current program design status. Added significant Contingency/Disaster scenarios to content (e.g. tornadoes). Added proposals for additional recovery resources.
Reviewed System Security Plan and provided recommendations for modifications needed to bring the document into compliance with relevant federal guidance (e.g. SP 800-18, 800-53, etc.). Federal Public Trust position.
Systems Engineer
Consultant to CSR Corp
Cape Canaveral Air Force Station, FL
November 2006 – December 2006
Managed system update package:
Coordinated with internal and external organizations.
Developed engineering package. Researched drawings. Corrected and updated drawings
(drawings vs as-built). Provided engineering recommendations. Created drawings for
physical and logical elements. Top Secret.
Systems Engineer Sr
Lockheed Martin Simulation, Training & Support
September 27, 2003 – October 2006
Performs technical planning, system integration, verification and validation, cost and risk,
and supportability and effectiveness analyses for total systems.
Analyses are performed at all levels of total system product to include: concept, design,
fabrication, test, installation, operation, maintenance and disposal. Ensures the logical and
systematic conversion of customer or product requirements into total systems solutions that
acknowledge technical, schedule, and cost constraints. Performs functional analysis,
timeline analysis, detail trade studies, requirements allocation and interface definition
studies to translate customer requirements into hardware and software specifications.
Network Security Strategic Design:
Provide DITSCAP C&A documentation to ISSE team.
Provide support and consultation to Program Management on C&A and ISSE issues.
Apply current technologies to the design, development, evaluation, and integration of
System Security.
Interact with senior internal and external personnel on significant matters requiring coordination between internal groups and other organizations.
Apply regulations and standards based on a full and competent knowledge of
governmental, industry and best practices and principles
Author Security Policies, analyses and other technical documentation at multiple levels.
Demonstrated participation and leadership within several Information Security focused
organizations and publications
System Engineering in support of developing the System Security Architecture. Assessed Security Requirements. Used various methodologies. Knowledge of various standards (such as NIST and DoD publications, directives and instructions) was utilized to analyze information risks and gaps and to develop requirements. Information System Risk (Threat and Vulnerability management) Analysis. Define and design safeguards and countermeasures appropriate to the accepted level of risk and budget.
Infrastructure Defense, Design Integration and System Analysis
• Worked with interdisciplinary Teams to develop Security Architectures.
• Contributing author to Security Architecture and other Architecture Development.
• Provide direction on Threat Management, Identification Management.
• Support for program financial planning (“Estimate At Completion”) and sub-project pre-proposal.
• Reviewed and revised Program Security Requirements, contract analysis; gap analysis.
• Program Internationalization Sub-Project
  o Analysis of international and multi-national requirements and standards.
  o Utilized NATO C3 Technical Architecture to create architecture and innovative solutions.
  o Designed preliminary estimate for technical elements.
• Engineering costing estimation (Basis of Estimate) for multiple-year Security tasks.
Personal:
Certifications
• Certified Information Systems Security Professional (CISSP) from International Information Systems Security Certification Consortium (ISC2), # 71972 (03/01/2005)
• Certified Information Security Manager (CISM) from Information Systems Audit and Control Association (ISACA), License # 273135 (07/26/2005)
Affiliations
• Information Systems Security Association, Chapter President (2006-08)
• INCOSE (International Council on Systems Engineering), Chapter President 2008, Vice President 2007, Secretary 2006
• CISSP Test Supervisor for ISC2 CISSP examinations
• Member, Computer Security Institute (07/01/2005)
• Member, ISACA (01/31/2005), Board service 2005
Publications: Have been quoted in various information security and professional certification publications, including:
• Information Security Magazine
• Certification Magazine
• SearchSecurity.com (and related TechTarget sites)
Technologies and Methodologies Used
• Engineering/Architecture, including:
  o DoD Architecture Framework (DoDAF)
  o NATO C3 Technical Architecture (NC3TA)
• Capability Maturity Models (CMM), including SSE-CMM.
• Constructive Systems Engineering Cost Model (CoSysMo).
• Perimeter Security and Firewalls, including Check Point, Cisco.
• Intrusion Detection, multi-vendor.
• Vulnerability Assessment, multi-vendor, including ISS Scanner products and various shareware, including Nmap, Nessus, Cheops, SATAN/SAINT.
• Virus Analysis/control, multi-vendor, including Symantec Norton Antivirus and McAfee.
• Securing Operating systems, including Windows NT, Solaris and others.
Regulations, Standards, and Guidelines Used
• DCID 6/3
• US DoD Instructions, Directives and Regulations
  o 8500 Series
  o DITSCAP Certification and Accreditation
• NISPOM
• US NIST FIPS and Security Special Publications
• ISO 17799, 13335
• JAFAN 6/3
• System engineering costing estimation (CoSysMo)
Prior work
Network and Information Security Engineer
NASA Kennedy Space Center – Shuttle Launch System upgrade
LM Space Operation (Tech Svs)
November 1, 1997 – November 28, 2002
Senior Network Security Engineer:
• Worked with interdisciplinary and interdepartmental Teams to develop end-to-end security solutions.
• Project management and scheduling
• Evaluated various products and recommended vendors
• Evaluated technologies and standards for applicability
• Wrote Policies, Requirements and Specifications:
  o Security Goals/Concept of Operations
  o Security Technical Requirements Policy
  o Firewall; intrusion detection; Virtual Private Networks, Public Key Infrastructure, and cryptography; router and network control lists; auditing; Operating system security configurations and constraints (Unix and Windows NT); email and content controls; malicious code and virus controls; web server security configuration; remote access controls
• Perimeter Security and Vulnerability Assessment:
  o Used tools such as ISS Internet Scanner, Nmap, Cheops and Nessus.
• Used technical standards from various sources:
  o IETF, IEEE, ISO and other relevant standards
  o NASA standards, policies, handbooks and guidelines
  o Federal Information Processing Standards (FIPS), NIST, OMB, White House and GAO Standards and Practices
  o Public Law (P.L.) 100-235, "Computer Security Act of 1987"
  o Office of Management and Budget Circular No. A-130, "Management of Federal Information Resources"
  o P.L. 106-398, Government Information Security Reform Act (The Security Act of 2000)
  o DITSCAP by inference of the above citations
• Utilized numerous Computer Security industry organizations and resources.
• Installed, maintained and administered security devices (firewalls, intrusion sensors).
• Network Security Design and Deployment:
  o Imported Software Controls (contributing author): Shareware and COTS control
• Network Security Installation and Administration:
  o Deploy security systems and devices (firewalls, intrusion sensors).
• System Engineering: Install and configure network infrastructure – switches, concentrators, structured cabling plant.
• Network Design and Management, including use of network analyzers/sniffers.
Education:
Tampa College
Bachelor of Science, Computer Info Systems 1994
GPA: 3.8