SARAH CORTES, PMP, CISA
sarah.cortes@post.harvard.edu
sarahcortes.is
Twitter: @sarahcortes
PGP Key: 226CCE21
Phone: 330-99-CYBER

SUMMARY

In addition to an academic career, a senior technology executive with extensive experience in all aspects of delivering systems and services through the full software development life cycle to Fortune 500 firms in the financial services industry, including information security, disaster recovery, data center management and complex application development.

On September 11, 2001, as SVP of Disaster Recovery for Putnam Investments, a subsidiary of Marsh & McLennan in the World Trade Center, successfully managed trading, pricing and other critical system failovers. Ran the technical command center coordinating senior management communications and technical recovery staff.

As SVP and manager of Applications Development for Trading and Analytics systems, implemented dozens of major, complex applications, including a fixed income and equity data warehouse and reporting system; a global performance analytics package with custom reports; market data systems; a Unix-based compliance system; version control, turnover systems and procedures, security, and backups for global, domestic and cash trading systems; and system performance measurement.

As SVP and head of Information Security, directly managed up to 100 staff and a budget of $30 million, and delivered quality products and stable systems while coordinating over 65 audits per year by outside audit firms, regulatory agencies and clients, 14 major DR tests per year, and thousands of security activities. Worked closely with the CIO and CFO to advise on the control environment. Worked with senior staff at audit firms, regulatory agencies and clients' auditors to ensure smooth, effective audits.

PREPARATION

B.A., HARVARD UNIVERSITY. Major in Applied Mathematics and Romance Languages. John Harvard Scholar, Agassiz Scholarship.
M.S., BOSTON UNIVERSITY. Computer Information Systems – Information Security, 2012.
Ph.D., NORTHEASTERN UNIVERSITY. College of Computing and Information Science (CCIS), Information Assurance candidate, 2016.

PUBLICATIONS

ACADEMIC - LEGAL AND TECHNICAL
- "Legalizing Domestic Surveillance: The Role of Mutual Legal Assistance Treaties in Deanonymizing TorBrowser Technology," Richmond Journal of Law and Technology (JOLT), 22 Rich. J.L. & Tech. 1 (2015) (forthcoming).
- "20,000 in League Under the Sea: Anonymous Communication, Trust, MLATs, and Undersea Cables," with Paul Syverson, Aaron Jaggard, Aaron Johnson (US Naval Research Laboratory) and Joan Feigenbaum (Yale University), Proceedings on Privacy Enhancing Technologies (PETS, 9th International Symposium), Volume 1, Issue 1, pp. 4–24, ISSN (Online) 2299-0984, DOI: 10.1515/popets-2015-0002, April 2015. http://wiki.sarahcortes.is/trustrep-popets15.pdf
- "Jurisdictional Arbitrage in Anonymous Network Path Selection," with Andrew Lewman (The Tor Project), Aditya Rao and Christo Wilson (Northeastern University) (submitted).
- "Chapter 3: Legal Frameworks for Smart Grid Privacy," with Rebecca Herold and The Smart Grid Interoperability Panel Cyber Security Working Group, NIST: NISTIR 7628 (2014), Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid, 2014, pp. 8-21 (pp. 304-317).
- "Chapter 3: Legal Frameworks for Smart Grid Privacy," with Rebecca Herold and The Smart Grid Interoperability Panel Cyber Security Working Group, NIST: NISTIR 7628 (2010), Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid, 2010, pp. 7-15 (pp. 323-331).
ACADEMIC & RELATED APPOINTMENTS

Northeastern University Law School, Legal Skills in Social Context Clinic (LSSC)
- Surveillance Law, Privacy Tools, and Tor, 2014-15
- Domestic Surveillance, Privacy and Anonymity Technology, with the ACLU, 2012-13

MIT CoDesign Studio, MIT Media Lab, 2013-14
- Co-Leader: Domestic Surveillance, Privacy and Anonymity Technology, and Tor

Harvard Extension School, 2011-13
- Teaching Assistant (TA), Cloud Computing

The Tor Project, Inc., 2012-15
- Researcher: file and analyze FOIAs/FOIPAs; collaborate with US Navy researchers on MLATs/path selection

Suffolk University, Sawyer School of Business, Strategy and International Business Department, 2009
- Guest Lecturer, MBA class, Project Management and Open Source

Legal Affairs Office, Department of Energy, US Federal Government, Washington, DC
- Programmer Analyst: programmed price fluctuation analysis to detect price gouging for litigation.

Harvard Senior Common Room, Cambridge, MA, 1990-2013
- Tutor. Appointed by Harvard House masters; SCR members are appointed as prominent achievers in their field to advise students. Advised students and helped them with their resumes, computer skills, and job search.

Prospect Hill Academy, Cambridge, MA, 2014-Present
- Teaching Assistant. Teach high school youth computer programming and related skills.
SAMPLE LEGISLATIVE TESTIMONY

- Testimony before the Massachusetts Legislature on Data Breach Laws, including Massachusetts General Law (MGL) Chapter 93H and its regulations, 201 CMR 17.00
- Testimony before the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) on Data Breach Laws, including Massachusetts General Law (MGL) Chapter 93H and its regulations, 201 CMR 17.00

SAMPLE INVITED TALKS AND SPEAKING ENGAGEMENTS

2015:
- NACACS15, North America Computer Audit and Control Symposium: invited speaker
- University of Delaware
2014:
- PETS14, Privacy Enhancing Technology Symposium, Amsterdam: MLATs and Path Selection
- ECA14, Eastern Communications Association: invited panel on DV and film with producer Garland Waller
2013:
- USENIX FOCI, Washington, DC: Legal Hostility Factors in Anonymous Network Routing
2012:
- EnergySec Conference, Portland, OR: Legal Aspects and Case Law in Smart Grid Privacy: invited speaker
- B-Sides Las Vegas Security Conference at Defcon/Black Hat: SmartGrid, Surveillance & Subpoenas
2011:
- Northeastern University NIST SmartGrid CyberSecurity Conference: invited speaker
2010:
- Babson College Technology Council, Has IT Killed Privacy?: invited speaker
- Boston University, Craigslist Killer and Location-Based Technology: invited speaker
- Project Management Institute (PMI) National Conference, COBIT and IT Standards: invited speaker
2009:
- Bentley University Usability Forum: invited speaker
- Project Management Institute (PMI) Annual Conference, Waltham, MA: invited speaker

HONORS & AWARDS

2013: First Prize, World Bank Hack-a-Thon Team, Washington, DC. First Prize for team development of an application, fuerza.is, to help fight domestic violence.

SAMPLE PROFESSIONAL ACTIVITIES

National Institute of Standards and Technology (NIST), [SGIP-CSWG: Smart Grid Interoperability Panel, Cyber Security Working Group](http://collaborate.nist.gov/twikisggrid/bin/view/SmartGrid/CyberSecurityCTG)
- Led the sub-team that created, and then updated, the privacy laws section of the report, 2009-2014
- Privacy use cases team, 2009-2012
- Smart Grid Interoperability Panel Cyber Security Working Group (CSWG), 2009-present

PROFESSIONAL SUMMARY - TECHNOLOGY & BUSINESS

INMAN TECHNOLOGY IT, 2004-CURRENT

Launched and run own company providing consulting to Fortune 500 firms. Provide hands-on program/project management services with a preference for broadening industry experience and a focus on improving business leverage of IT investment through fresh, new technologies and skill sets.

Clients include:
- FIDELITY BROKERAGE COMPANY TECHNOLOGY
- HARVARD LAW SCHOOL
- HARVARD UNIVERSITY INFORMATION SYSTEMS
- FIDELITY MANAGEMENT & RESEARCH
- BIOGEN IDEC

Sample engagements:

As project manager for a large global financial services company:
- Led large interdisciplinary teams of up to 80
- Implemented an application release module of a major trading and brokerage system used by dozens of major financial institutions. Aggregated feeds of account information held away from the brokerage firm or asset manager, and displayed all client account information, including those accounts and assets held away from the brokerage or institutional asset manager.
- Implemented a complementary application module which enabled trading of mutual fund subsequent orders
- Transaction volume exceeded millions of records daily for update
- Technical environment included Oracle, XML, mainframe

As project manager for a large University:
- Led a team of developers, business owners, IT infrastructure engineers and analysts, testers, and Quality Analysts to implement a web-based DNA Analysis Learning application. Utilized Agile development methodologies. The application takes as input data from forensic DNA labs as well as lesson content, and enables DNA lab technicians and others to learn analysis techniques for complex samples.
- Managed a project comprising 19 subprojects to optimize performance for Vista, BU's learning management system.
- Managed a project for a significant upgrade of Vista, the LMS application, through the business requirements, project planning and architectural design lifecycle phases.
- Led client focus groups for a web-based retail nutrition optimization application and LMS with faculty.

As project manager for a large biopharmaceuticals company:
- Led a team of 20 developers, business owners, business analysts, IT infrastructure analysts, DBAs, testers, and Quality Analysts to implement a web-based Global Biopharmaceutical Clinical Trials application. The application takes as input data from thousands of patients worldwide daily at 40 locations that are part of clinical trials, updates the database, and creates views and reports that track workflow and status of protocols as part of determining if new drugs have market potential.
- Utilized Agile development methodologies
- Supervised the significant upgrade of the application through full lifecycle phases
- Drafted and reviewed all documents and ensured compliance with FDA 201 CFR Part 11 Federal regulations

As project manager for a variety of small and medium-sized clients:
- Utilized Agile development methodologies
- Developed Disaster Recovery plans: met with staff and senior management; identified critical systems; identified resources and documented plans for high availability or disaster recovery of systems
- Implemented Disaster Recovery plans: negotiated third-party recovery contracts with hosting vendors; conducted plan tests with staff

As project manager for a major University:
- Coordinated a team of 30 developers, business owners, business analysts, desktop support analysts, IT infrastructure analysts, DBAs, testers, desktop support QA and management to implement a web-based University portal and applications, including:
  - a CMS/web portal calendar package
  - a Faculty Information System (FIS) application supporting faculty, interfacing with over 40 existing University systems and the existing SIS, including functionality for workforce planning and candidate and employee management
- Led systems implementation through full lifecycle phases

As project manager for a large global financial services company:
- Led large interdisciplinary teams of up to 50
- Implemented a variety of risk and security projects, including application and database authentication and authorization (custom-developed and package) and transmission encryption
- Delivered a compliance assessment against 41 security and control policies, including platform configuration, network security, change control, cryptography, firewalls, information architecture, and application and database security development
- Implemented database logging across thousands of high-risk databases
- Implemented tools/programs to ensure closure of hundreds of outstanding audit issues

As project manager at a large global biotech company:
- Implemented new Disaster Recovery infrastructure across four worldwide sites. Reported directly to the CIO.
- Analyzed technical and network architecture, business, and applications
- Developed technical alternatives for high availability or redundant architecture
- Presented capital expenditure to the Capital Investment Committee
- Worked with vendors to implement recoverable application configurations

As project manager at a major University:
- Negotiated major equipment and service increases for Disaster Recovery and Business Continuity on vendor contracts at the same price the university was currently paying
- Implemented automated Disaster Recovery, cutting recovery time and reducing staff time per test
- Worked with business units to involve them in the BC/DR process and document business requirements and acceptance criteria
- Implemented controls to ensure compliance with audit requirements

PUTNAM INVESTMENTS, Boston, MA, 1993-2004

Senior Vice President, Enterprise Computing and Communications: Security Operations, Disaster Recovery/High Availability, Audits and Client Transmissions (2000-2004)
- Implemented redundant systems for critical applications, including Transfer Agent, Defined Contributions, Trading, Pricing, Accounting, and web-based portal and applications.
- Supervised implementation of Sarbanes-Oxley and Gramm-Leach-Bliley IS audit controls.
- Developed and implemented multi-platform disaster recovery and site-to-site recovery capability. Supervised multiple recovery tests across all platforms and business areas simultaneously.
- To protect the company from escalating core systems management software costs from current vendors, utilized in-house resources with IBM consulting, resulting in $4M cost avoidance over seven years. Completed conversions in record time (six months), on budget.
- Migrated 4,000 client transmissions for 500+ clients onto secure encryption technology.

Vice President, Putnam-wide Year 2000 Project (1998-2000)
- Responsible for research, analysis, remediation and/or testing of over 1,000 client/server applications, hardware, system software, and all networks, with rollouts across 7,000 desktops. Coordinated multidisciplinary teams.
- Developed proprietary tools and methods for locating potential code problems in multiple technologies.
- Successfully organized and participated in industry-wide Y2K testing, requiring coordination between 29 custodian, asset manager and broker dealer "buddies" and DTC, SIA, Coopers, and major stock exchanges.
- Implemented 24-hour rotating test environments and standardized testing for date warp testing.
Vice President, Investment Trading and Analytics Systems (1993-1997)
New system development, enhancement and support for equity and fixed income applications; strategic planning.
- Implemented: an Oracle-based fixed income data warehouse and reporting system; a global performance analytics package with custom reports; market data systems; a Unix-based compliance system; version control, turnover systems and procedures, security, and backups for global, domestic and cash fixed income trading systems; system performance measurement, tracking and reporting for 12 equity and fixed income systems; a Notes turnover application incorporating signoff by multiple departments.
- Delivered: a PowerBuilder/Oracle/Lotus Notes municipal credit tracking system (CASS); a High Yield fixed income security analytics system; a domestic fixed income trade allocation subsystem; a currency forward preprocessor subsystem.

THE BOSTON COMPANY, Boston, MA, 1983-1993
A subsidiary of Mellon Bank

Vice President, Data Center Operations (1992-1993)
- In addition to existing responsibilities, managed Stratus, DEC, DG and Wang platforms, 2,500 nodes on 40 Novell/Pathworks LANs, a 5-site Wide Area Network (WAN) of token ring, Ethernet, FDDI and ARCNET, and dial access security.
- Chair, Technology Standards and Policies Committee. Wrote and implemented the LAN Security Policy.
- Implemented platform consolidation. Interconnected 17 LANs. Centralized LAN management with intelligent hubs and routers.
- Reduced PC service calls from 375/month to 80/month.
- Standardized data communications components, saving over $400,000 in wiring costs.
- Completed Novell CNE data communications and OS professional certifications.

Vice President, Disaster Recovery Planning (1992-1993)
Manager of Mutual Fund System Development and Support (1989-1992)
Manager, Portfolio Accounting Operations and Services (1989-1990)
- Progressively moved into roles with expanding responsibilities. Developed and implemented 8 major and 35 medium-sized systems and applications.
- Managed a $10 million budget.
- Managed the development, installation, and marketing of a system and service providing portfolio accounting services to 3,500 privately managed accounts at seven American Express subsidiaries.
- Supervised the first 100% successful DR test. The DR program became a model for all American Express companies.
- Implemented the first state-of-the-art global fund accounting system, GMFA, enabling expansion to over $1 billion in assets.
- Reduced losses due to processing errors to less than $50,000 per year.

Manager of Mutual Fund Performance and Analysis Services (1987-1991)
- Started up, marketed and managed a new service venture selling portfolio manager investment performance evaluations.

Management Training Program; Executive Assistant to the CEO of The Boston Company and the Vice Chairman of Shearson Lehman (1983-1987)

DEPARTMENT OF ENERGY, U.S. FEDERAL GOVERNMENT, Washington, DC, 1981-1982
Programmer Analyst: wrote programs to analyze price fluctuations to detect price gouging.

TECHNICAL SKILLS

Managed projects implementing technology applications in the following business areas:
Fixed Income and Equity Trading * Domestic and Global Currency * Investment Performance Measurement * Custody * HR Systems * Derivatives * Cash Management * Accounting and Fund Accounting * Asset/Liability Management * Inventory Management * Middle Office, Back Office * Investment Analytics * Pricing * Finance * Academic Workflow

Regulatory domain expertise (IT-related): Sarbanes-Oxley, COBIT, Securities Act of 1933, Securities Act of 1940, SEC, FDIC, ISEE, Mass Division of Banks, Massachusetts General Privacy Laws, Massachusetts Data Breach Law, PCI Data Security Standards, ISO 27001 and 27002, HIPAA, GLBA, NIST 800-53, CSF, FedRAMP, Cloud Security Alliance, FISMA, PIPEDA, EU Data Privacy

Implementations in the following environments or technologies:
- Operating Systems: Solaris, Windows, Unix, Linux, OS/400, VMS, MVS
- Databases: Oracle, Sybase, MS SQL, DB2, Access
- Messaging: MQ, CICS, Outlook/Exchange Server, Lotus Notes/Domino
- Application-related: Flex, NetBeans IDE, Flash, XML, HTML, JavaScript, Ruby, PHP, C++, SQL, MySQL, Scala, Rhino, Java, J2EE, CSS, SQL Server, ASP.NET, Perl, WebLogic/WebSphere, RSS, JSP, SharePoint, Documentum, PeopleSoft, SAP, Siebel CRM, Charles River Trading, EzeCastle, Thomson Financial, Reuters, WebEvents, Trumba, Bloomberg, OaSys
- Web-related: REST, SOAP, CORBA, Apache Tomcat, Apache HTTP web server, CMS (Rhythmyx/Percussion), CMS (iNet), Dreamweaver, Adobe CS3
- Security: Fortify, Sun Identity Management Suite, ACF2, RACF, custom ACLs, PGP
- Disaster Recovery: SunGard, Comdisco, IBM, Iron Mountain, EMC SRDF
- System Development Lifecycle Methodologies: Agile, RUP, Scrum, Summit-D, MS Project
- Video Production: Final Cut 7, Final Cut X, YouTube, Kodak Zi8

SOCIAL SERVICES, PROFESSIONAL ACTIVITIES AND ORGANIZATIONS

- Employers Against Domestic Violence (EADV): Director, 2010-present
- Emerge Abuser Education: Director, Vice President, Clerk, 2009-present. Emerge is the first Batterer Intervention Program in the US: court-mandated and voluntary domestic violence (DV), intimate partner abuse (IPA) and intimate partner violence (IPV) counseling and education, victim services, research, and publications.
- Transition House: Director, Clerk, Volunteer. Work with survivors providing computer training, resume and job search advice. One of the first domestic violence (DV) shelters and service providers in the US.
- IPV Tech: Founder. Technologists collaborating to end domestic violence (DV), intimate partner abuse (IPA) and intimate partner violence (IPV).
- Northeastern Law School LSSC: collaborated on leading a Legal Skills in Social Context (LSSC) program on cyberstalking law
- Cambridge Family and Children's Service (CFCS): Director, 1996-2002

Advocacy
- Work with survivor and advocate referrals on cyberstalking and technology abuse cases
- Work with forensic scientists on evidence collection issues

Legislative Testimony
- Testimony before the Massachusetts Legislature on bills regarding DV victim work leave to attend court hearings

Lobbying
- Working with members of the MA Legislature regarding bills affecting DV victims and DCF

FUNDRAISING

Educational Organizations
- Harvard University: Annual Giving Co-Chair, Reunion Giving Co-Chair
- National Cathedral School for Girls: Capital Campaign Special Gifts Committee
- Milton Academy: Annual Giving Committee, 2003-2014
- Shady Hill School: Capital Campaign Major Gifts Committee
- Cambridge Ellis Nursery School: Board of Directors; Capital Campaign Steering Committee

Social Services Organizations
- Emerge, Inc.: various fundraising campaigns
- Transition House: Board Development campaigns

JOURNALISM APPOINTMENTS AND REGULAR CORRESPONDENCE

- CCTV NeighborMedia, correspondent
- Security Watch blog, TechTarget National News Media (IT Knowledge Exchange, IT Compliance Advisor), regular columnist
- Squashsite.co.uk, correspondent
- Harvard Crimson, editor, consultant
- Video: The Boston Globe, stringer

JOURNALISM - TECHNOLOGY

Samples:
- State moving to rework data security law (Boston Business Journal)
- The Future of Healthcare IT
- HIPAA becoming a standard for data protection regulations
- What's in the White House Cyberspace Policy Review you need to know?
- Understanding the risk of penalties for violating data privacy laws
- Prepare for compliance auditors: Tighten access control
- Database logging and privileged access control
- Prepare for compliance auditors: Review policies and standards
- How do you align an IT risk assessment with COBIT controls?
- Harvard Business School Series: Branding and Search Engine Optimizers (SEOs)
- Can unfiltered e-discovery result in violations of data breach laws?

JOURNALISM - SPORTS

- Squashsite.co.uk, correspondent
- World Jr Women's Squash Championships, CCTV, correspondent
- New England Squash Open 2010
- US Amateur Racquets Tournament, YouTube, 2010-present

VIDEO PRODUCTION/APPEARANCES

2012:
- Digital Surveillance and Geo-location, Defcon 20, CCTV
- Data Vulnerability Research: How To Hack, CCTV
2011:
- Abuser Education Program, CCTV

BOARDS AND PROFESSIONAL AFFILIATIONS

- Harvard Senior Common Room: appointed by Harvard House masters; SCR members are appointed as prominent achievers in their field to advise students
- HBSAB, Harvard Business School Association of Boston: Board of Directors, Program Committee
- HAA, Harvard Alumni Association: Executive Committee
- ISACA, Information Systems Audit and Control Association: ISACANE Board of Directors
- US National Institute of Standards and Technology (NIST) SmartGrid Cyber Security Working Group (CSWG)

COMMUNITY SERVICE

SPORTS
- Squashsite.co.uk, squash writer/reporter
- Tennis & Racquet Club, Membership Committee, 2006-2012
- University Club, Squash Tournament Liaison Committee, 2001-2004
- US Squash Open at Murr Center, Host Committee, 2001-2004
- Tournament of Champions, pro squash tournament, Host Committee, 2002-2009
- Players Cup Committee, Boston professional tennis tournament, Boston, 2009

OTHER TRAINING
- Boston Police Department 16-hour Domestic Violence training
- Mandatory State of MA 40-hour training for working with victims of Domestic Violence
- Transition House, Dating Violence Intervention Project (DVIP) training
- State of MA, Department of Children and Families (DCF), Community Advisory Board training: Constructive Communication
- Emerge 3-day introductory Domestic Violence training: Counseling Abusers
- Emerge 2-day advanced Domestic Violence training
- Emerge observations: over 40 hours of supervised observation of court-mandated 2-hour abuser intervention sessions and parenting classes
- Met qualifications for MA State Certified Batterer Intervention Program Counselor
- Lundy Bancroft Retreat Assistant