Summary - SarahCortes

SARAH CORTES, PMP, CISA
SARAH.CORTES@POST.HARVARD.EDU
SARAHCORTES.IS
TWITTER: @SARAHCORTES
PGP Key: 226CCE21
Phone: 330-99-CYBER
SUMMARY
In addition to an academic career, a senior technology executive with extensive experience in all aspects of delivering systems and services through the full software development life cycle to Fortune 500 firms in the financial services industry, including information security, disaster recovery, data center management and complex application development.
- On September 11, 2001, as SVP of Disaster Recovery for Putnam Investments, a subsidiary of Marsh & McLennan in the World Trade Center, successfully managed trading, pricing and other critical system failovers. Ran the technical command center coordinating senior management communications and technical recovery staff.
- As SVP and manager of Applications Development for Trading and Analytics systems, implemented dozens of major, complex applications, including a fixed income and equity data warehouse and reporting system; a global performance analytics package with custom reports; market data systems; a Unix-based compliance system; version control, turnover systems and procedures, security, and backups for global, domestic and cash trading systems; and system performance measurement.
- As SVP and head of Information Security, directly managed up to 100 staff and a budget of $30 million, and delivered quality products and stable systems while coordinating over 65 audits per year by outside audit firms, regulatory agencies and clients, 14 major DR tests per year, and thousands of security activities. Worked closely with the CIO and CFO to advise on the control environment. Worked with senior staff at audit firms, regulatory agencies and clients' auditors to ensure smooth, effective audits.
PREPARATION
B.A. HARVARD UNIVERSITY
Major in Applied Mathematics and Romance Languages. John Harvard Scholar, Agassiz Scholarship.
M.S. BOSTON UNIVERSITY
Computer Information Systems – Information Security
2012
Ph.D. NORTHEASTERN UNIVERSITY
College of Computing and Information Science (CCIS), Information Assurance candidate,
2016
PUBLICATIONS
ACADEMIC- LEGAL AND TECHNICAL
“Legalizing Domestic Surveillance: The Role of Mutual Legal Assistance Treaties in Deanonymizing
TorBrowser Technology,” Richmond Journal of Law and Technology (JOLT), 22 Rich. J.L. & Tech. 1
(2015) (forthcoming).
"20,000 In League Under the Sea: Anonymous Communication, Trust, MLATs, and Undersea Cables" (with Paul Syverson, Aaron Jaggard, Aaron Johnson (US Naval Research Laboratory) and Joan Feigenbaum (Yale University)), Proceedings on Privacy Enhancing Technologies (PETS, 9th International Symposium), Volume 1, Issue 1, Pages 4–24, ISSN (Online) 2299-0984, DOI: 10.1515/popets-2015-0002, April 2015. http://wiki.sarahcortes.is/trustrep-popets15.pdf
With Andrew Lewman (The Tor Project), Aditya Rao and Christo Wilson (Northeastern University),
“Jurisdictional Arbitrage in Anonymous Network Path Selection” (submitted).
“Chapter 3: Legal Frameworks for Smart Grid Privacy,” (with Rebecca Herold and The Smart Grid
Interoperability Panel Cyber Security Working Group) NIST: NISTIR 7628 2014 Guidelines for Smart
Grid Cyber Security: Vol. 2, Privacy and the Smart Grid, 2014, pp. 8-21 (pp. 304-317).
“Chapter 3: Legal Frameworks for Smart Grid Privacy,” (with Rebecca Herold and The Smart Grid
Interoperability Panel Cyber Security Working Group) NIST: NISTIR 7628 2010 Guidelines for Smart
Grid Cyber Security: Vol. 2, Privacy and the Smart Grid, 2010, pp. 7-15 (pp. 323-331).
ACADEMIC & RELATED APPOINTMENTS
Northeastern University Law School, Legal Skills in Social Context Clinic (LSSC)
Surveillance Law, Privacy Tools, and Tor
2014-15
Domestic Surveillance, Privacy and Anonymity Technology w/ACLU
2012-13
MIT CoDesign Studio, MIT Media Lab
2013-14
co-Leader: Domestic Surveillance, Privacy and Anonymity Technology, and Tor
Harvard Extension School
2011-13
Teaching Assistant (TA), Cloud computing
The Tor Project, Inc.
2012-15
Researcher – File/Analyze FOIAs/FOIPAs
Collaborate with US Navy researchers on MLATs/path selection
Suffolk University: Sawyer School of Business, Strategy and International Business Department
2009
Guest Lecturer, MBA class, Project Management and OpenSource
Legal Affairs Office, Department of Energy, US Federal Government
Washington, DC
Programmer Analyst- programmed price fluctuation analysis to detect price gouging for litigation.
Harvard Senior Common Room
Cambridge, MA
1990-20013
Tutor- Appointed by Harvard House masters, SCR members are appointed as prominent achievers
in their field to advise students. Advised students, helped them with their resumes, computer skills,
and job search.
Prospect Hill Academy
Cambridge, MA
2014-Present
Teaching Assistant. Teach high school youth computer programming and related skills.
SAMPLE LEGISLATIVE TESTIMONY
Testimony before the Massachusetts Legislature on Data Breach Laws, including Massachusetts General
Law (MGL) Chapter 93H and its regulations, 201 CMR 17.00
Testimony before the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) on
Data Breach Laws, including Massachusetts General Law (MGL) Chapter 93H and its regulations, 201
CMR 17.00
SAMPLE INVITED TALKS AND SPEAKING ENGAGEMENTS
2015: NACACS15- North America Computer Audit and Control Symposium: invited speaker
University of Delaware
2014: PETS14: Privacy Enhancing Technology Symposium, Amsterdam: MLATs and Path Selection
ECA14 Eastern Communications Association Invited panel on DV and film w/producer Garland Waller
2013: USENIX, FOCI, Washington DC: Legal Hostility factors in Anonymous Network Routing
2012: EnergySec Conference, Portland OR: Legal Aspects and Case Law in Smart Grid Privacy: invited speaker
2012: B-Sides Las Vegas Security Conference at Defcon/Black Hat: SmartGrid, Surveillance & Subpoenas
2011: Northeastern University NIST SmartGrid CyberSecurity Conference: invited speaker
2010: Babson College Technology Council, Has IT Killed Privacy?: invited speaker
Boston University, Craigslist Killer and Location-Based Technology: invited speaker
Project Management Institute (PMI) National Conf., COBIT and IT Standards: invited speaker
2009: Bentley University Usability Forum: invited speaker
Project Management Institute (PMI) Annual Conference, Waltham, MA: invited speaker
HONORS & AWARDS
2013: First Prize, World Bank Hack-a-Thon Team, Washington DC
First Prize for team development of an application, fuerza.is, to help fight domestic violence
SAMPLE PROFESSIONAL ACTIVITIES
National Institute of Standards and Technology (NIST) [SGIP-CSWG: Smart Grid Interoperability Panel, Cyber Security Working Group](http://collaborate.nist.gov/twikisggrid/bin/view/SmartGrid/CyberSecurityCTG)
- Led the sub-team that created, and then updated, the privacy laws section of the report, 2009-2014
- Privacy use cases team, 2009-2012
- Smart Grid Interoperability Panel Cyber Security Working Group (CSWG), 2009-present
PROFESSIONAL SUMMARY - TECHNOLOGY & BUSINESS
INMAN TECHNOLOGY IT
2004-CURRENT
Launched and run own company providing consulting to Fortune 500 firms. Provide hands-on program/project
management services with a preference for broadening industry experience and focus on improving business leverage of
IT investment through fresh, new technologies and skill sets. Clients include:
FIDELITY BROKERAGE COMPANY TECHNOLOGY
HARVARD LAW SCHOOL
HARVARD UNIVERSITY INFORMATION SYSTEMS
FIDELITY MANAGEMENT & RESEARCH
BIOGEN IDEC
Sample engagements:
As project manager for a large global financial services company:
- Led large interdisciplinary teams of up to 80
- Implemented an application release module of a major trading and brokerage system used by dozens of major financial institutions. Aggregated feeds of account information held away from the brokerage firm or asset manager, and displayed all client account information, including those accounts and assets held away from the brokerage or institutional asset manager.
- Implemented a complementary application module which enabled subsequent trading orders for mutual funds
- Transaction volume exceeded millions of records daily for update
- Technical environment included Oracle, XML, mainframe
As project manager for a large University:
- Led a team of developers, business owners, IT infrastructure engineers and analysts, testers, and Quality Analysts to implement a web-based DNA Analysis Learning application.
- Utilized Agile development methodologies
- The application takes as input data from forensic DNA labs as well as lesson content, and enables DNA lab technicians and others to learn analysis techniques for complex samples.
- Managed a project comprised of 19 subprojects to optimize performance for Vista, BU's learning management system (LMS).
- Managed a project for a significant upgrade of Vista, the LMS application, through the business requirements, project planning and architectural design lifecycle phases
- Led client focus groups with faculty for a web-based retail nutrition optimization application and the LMS.
As project manager for a large biopharmaceuticals company:
- Led a team of 20 developers, business owners, business analysts, IT infrastructure analysts, DBAs, testers, and Quality Analysts to implement a web-based Global Biopharmaceutical Clinical Trials application.
- The application takes as input data from thousands of patients worldwide daily at 40 locations that are part of clinical trials, updates the database and creates views and reports that track the workflow and status of protocols as part of determining whether new drugs have market potential.
- Utilized Agile development methodologies
- Supervised the significant upgrade of the application through full lifecycle phases
- Drafted and reviewed all documents and ensured compliance with FDA 201 CFR part 11 Federal regulations
As project manager for a variety of small and medium-sized clients:
- Utilized Agile development methodologies
- Developed Disaster Recovery plans
- Met with staff and senior management
- Identified critical systems
- Identified resources and documented plans for high availability or disaster recovery of systems
- Implemented Disaster Recovery plans
- Negotiated third party recovery contracts with hosting vendors
- Conducted plan tests with staff
As project manager for a major University:
- Coordinated a team of 30 developers, business owners, business analysts, desktop support analysts, IT infrastructure analysts, DBAs, testers, desktop support QA and management to implement a web-based University portal and applications, including:
- Implemented a CMS/Web portal calendar package
- Implemented a Faculty Information System (FIS) application supporting faculty, interfacing with over 40 existing University systems and the existing SIS, including functionality for workforce planning and candidate and employee management
- Led systems implementation through full lifecycle phases
As project manager for a large global financial services company:
- Led large interdisciplinary teams of up to 50
- Implemented a variety of risk and security projects, including:
- Application and database authentication and authorization, custom-developed and packaged, and transmission encryption
- Delivered a compliance assessment against 41 security and control policies, including platform configuration, network security, change control, cryptography, firewalls, information architecture, and application and database security development
- Implemented database logging across thousands of high-risk databases
- Implemented tools/programs to ensure closure for hundreds of outstanding audit issues
As project manager at a large global biotech company:
- Implemented new Disaster Recovery infrastructure across four worldwide sites
- Reported directly to the CIO
- Analyzed technical and network architecture, business, and applications
- Developed technical alternatives for high availability or redundant architecture
- Presented capital expenditure to the Capital Investment Committee
- Worked with vendors to implement recoverable application configurations
As project manager at a major University:
- Negotiated major equipment and service increases for Disaster Recovery and Business Continuity on vendor contracts at the same price the university was currently paying
- Implemented automated Disaster Recovery, cutting recovery time and reducing staff time per test
- Worked with business units to involve them in the BC/DR process and document business requirements and acceptance criteria
- Implemented controls to ensure compliance with audit requirements
PUTNAM INVESTMENTS, Boston, MA
1993-2004
Senior Vice President, Enterprise Computing and Communications
Security Operations, Disaster Recovery/High Availability, Audits and Client Transmissions (2000-2004)
Implemented redundant systems for critical applications, including Transfer Agent, Defined Contributions, Trading, Pricing, Accounting, and web-based portal and applications.
- Supervised implementation of Sarbanes-Oxley and Gramm-Leach-Bliley IS audit controls
- Developed and implemented multi-platform disaster recovery and site-to-site recovery capability. Supervised multiple recovery tests across all platforms and business areas simultaneously.
- In order to protect the company from escalating core systems management software costs by current vendors, utilized in-house resources with IBM consulting, resulting in $4M cost avoidance over seven years. Completed conversions in record time (six months), on budget.
- Migrated 4,000 client transmissions for 500+ clients onto secure encryption technology.
Vice President, Putnam-wide Year 2000 project (1998-2000)
Responsible for research, analysis, remediation and/or testing of over 1,000 client/server applications, hardware, system SW, and all networks, with rollouts across 7,000 desktops. Coordinated multidisciplinary teams. Developed proprietary tools and methods for locating potential code problems in multiple technologies.
- Successfully organized and participated in industry-wide Y2K testing, requiring coordination between 29 custodian, asset manager and broker dealer "buddies" and DTC, SIA, Coopers, and major stock exchanges.
- Implemented 24-hour rotating test environments and standardized testing for date warp testing.
Vice President, Investment Trading and Analytics Systems (1993-1997)
New system development, enhancement and support for equity and fixed income applications; strategic planning.
Implemented: Oracle-based fixed income data warehouse and reporting system; global performance analytics
package with custom reports; market data systems, Unix-based compliance system; version control, turnover
systems and procedures, security, and backups for global, domestic and cash fixed income trading systems; system
performance measurement, tracking and reporting for 12 equity and fixed income systems; Notes turnover
application, incorporating signoff to multiple departments.
Delivered: Powerbuilder/Oracle/Lotus Notes municipal credit tracking system-CASS; High Yield fixed income
security analytics system; domestic fixed income trade allocation subsystem; currency forward preprocessor
subsystem.
THE BOSTON COMPANY, Boston, MA
1983-1993
A subsidiary of Mellon Bank
Vice President, Data Center Operations (1992-1993)
In addition to existing responsibilities, managed Stratus, DEC, DG, Wang platforms, 2,500 nodes on 40 Novell/Pathworks LANs, a 5-site Wide Area Network (WAN) of token ring, Ethernet, FDDI, and ARCnet, and dial access security. Chair, Technology Standards and Policies Committee. Wrote/implemented LAN Security Policy. Implemented platform consolidation. Interconnected 17 LANs. Centralized LAN management with intelligent hubs and routers.
- Reduced PC service calls from 375/month to 80/month.
- Standardized data communications components, saving over $400,000 in wiring costs.
- Completed Novell CNE data communications and OS professional certifications.
Vice President, Disaster Recovery Planning (1992-1993)
Manager of Mutual Fund System Development and Support (1989-1992)
Manager, Portfolio Accounting Operations and Services (1989-1990)
Progressively moved into roles with expanding responsibilities. Developed and implemented 8 major and 35 medium-sized systems and applications. Managed a $10 million budget. Managed the development, installation, and marketing of a system and service providing portfolio accounting services to 3,500 privately managed accounts at seven American Express subsidiaries.
- Supervised the first 100% successful DR test. The DR program became a model for all American Express companies.
- Implemented the first state-of-the-art global fund accounting system, GMFA, enabling expansion to over $1 billion in assets. Reduced losses due to processing errors to less than $50,000 per year.
Manager of Mutual Fund Performance and Analysis Services (1987-1991)
Started up, marketed, managed new service venture selling portfolio manager investment performance evaluations
Management Training Program, Executive Assistant to CEO of The Boston Company, and Vice Chairman
of Shearson Lehman (1983-1987)
DEPARTMENT OF ENERGY, U.S. FEDERAL GOVERNMENT,
Washington, DC
Programmer Analyst- wrote programs to analyze price fluctuations to detect price gouging.
1981-1982
TECHNICAL/SKILLS
Managed projects implementing technology applications in the following business areas:
* Fixed Income and Equity Trading
* Domestic and Global Currency
* Investment Performance Measurement
* Custody
* HR systems
* Derivatives
* Cash Management
* Accounting and Fund Accounting
* Asset/Liability Management
* Inventory management
* Middle Office, Back Office
* Investment Analytics
* Pricing
* Finance
* Academic workflow
Regulatory Domain Expertise (IT-related): Sarbanes-Oxley, COBIT, Securities Act of 1933, Securities Act of 1940, SEC,
FDIC, ISEE, Mass Division of Banks, Massachusetts General Privacy Laws, Massachusetts Data Breach Law, PCI
Data Security Standards, ISO 27001 and 27002, HIPAA, GLBA, NIST 800-53, CSF, FedRAMP, Cloud Security
Alliance, FISMA, PIPEDA, EU Data Privacy
Implementations in the following environments or technologies:
Operating Systems: Solaris, Windows, Unix, Linux, OS/400, VMS, MVS
Databases: Oracle, Sybase, MS-Sql, DB/2, Access
Messaging: MQ, CICS, Outlook-Exchange Server, Notes-Lotus Domino
Application-related: Flex, Netbeans IDE, Flash, xml, html, javascript, Ruby, PHP, C++, SQL, MySQL, Scala, Rhino, java,
j2ee, CSS, Sql Server, asp.net, perl, Weblogic/Websphere, RSS, JSP, SharePoint, Documentum, Peoplesoft, SAP, Siebel CRM,
Charles River Trading, EzeCastle, Thomson Financial, Reuters, WebEvents, Trumba, Bloomberg, OaSys, SAP
Web-related: REST, SOAP, CORBA, Apache Tomcat, Apache http web server. CMS-Rhythmyx-Percussion, CMS-iNet,
Dreamweaver, Adobe CS3
Security: Fortify, Sun Identity Management Suite, ACF2, RACF, Custom ACL, pgp
Disaster Recovery: Sungard, Comdisco, IBM, Iron Mountain, EMC SRDF
System Development Lifecycle Methodologies: Agile, RUP, SCRUM, Summit-D, MS Project
Video Production: Finalcut 7, X, YouTube, Kodak zi8
SOCIAL SERVICES, PROFESSIONAL ACTIVITIES AND ORGANIZATIONS
Employers Against Domestic Violence (EADV), Director, 2010-present
Emerge Abuser Education, Director, Vice President, Clerk, 2009-present. Emerge is the first Batterer Intervention
Program in the US, Court-Mandated and Voluntary, Domestic Violence (DV), Intimate Partner Abuse(IPA), Intimate
Partner Violence (IPV), counseling and education, victim services, research, publications
Transition House, Director, Clerk, Volunteer. Work with survivors providing computer training, resume and job search
advice. One of the first Domestic Violence(DV) Shelters and service providers in the US
IPV Tech, Founder. Technologists collaborating to end Domestic Violence(DV), Intimate Partner Abuse(IPA), Intimate
Partner Violence (IPV)
Northeastern Law School LSSC - Collaborated on leading a Legal Skills in Social Context (LSSC) Program on Cyber
stalking Law
Cambridge Family and Children's Service (CFCS), Director, 1996-2002
Advocacy
- Work with survivor and advocate referrals on cyber stalking and technology abuse cases
- Work with forensic scientists on evidence collection issues
Legislative Testimony
- Testimony before the Massachusetts Legislature on bills regarding DV victim work leave to attend court hearings
Lobbying
- Working with members of the MA Legislature regarding bills affecting DV victims and DCF

FUNDRAISING
- Educational Organizations
  - Harvard University - Annual Giving Co-Chair, Reunion Giving Co-Chair
  - National Cathedral School for Girls - Capital Campaign Special Gifts Committee
  - Milton Academy - Annual Giving Committee, 2003-2014
  - Shady Hill School - Capital Campaign Major Gifts Committee
  - Cambridge Ellis Nursery School - Board of Directors. Capital Campaign Steering Committee.
- Social Services Organizations
  - Emerge, Inc. - various fundraising campaigns
  - Transition House - Board Development campaigns
JOURNALISM
APPOINTMENTS AND REGULAR CORRESPONDENCE
CCTV NeighborMedia, correspondent
Security Watch blog
TechTarget National News Media- IT Knowledge Exchange, IT Compliance Advisor, regular columnist
Squashsite.co.uk, correspondent
Harvard Crimson, editor, consultant
Video
The Boston Globe, stringer
JOURNALISM-
TECHNOLOGY
Samples:
State moving to rework data security law - Boston Business Journal
The Future of Healthcare IT
HIPAA becoming a standard for data protection regulations
What's in the White House Cyberspace Policy Review you need to know?
Understanding the risk of penalties for violating data privacy laws
Prepare for compliance auditors: Tighten access control
Database logging and privileged access control
Prepare for compliance auditors: Review policies and standards
How do you align an IT risk assessment with COBIT controls?
Harvard Business School Series: Branding and Search Engine Optimizers (SEOs)
Can unfiltered e-discovery result in violations of data breach laws?
JOURNALISM - SPORTS
Squashsite.co.uk, correspondent
World Jr Women’s Squash Championships, CCTV, correspondent
New England Squash Open 2010
US Amateur Racquets Tournament, YouTube
2010 - present
VIDEO PRODUCTION/APPEARANCES
2012: Digital Surveillance and Geo-location, Defcon 20, CCTV
Data Vulnerability Research: How To Hack, CCTV
2011: Abuser Education Program, CCTV
BOARDS AND PROFESSIONAL AFFILIATIONS
Harvard Senior Common Room – Appointed by Harvard House masters, SCR members are appointed
as prominent achievers in their field to advise students
HBSAB – Harvard Business School Association of Boston – Board of Directors Program Committee
HAA – Harvard Alumni Association Executive Committee
ISACA – Information Systems Audit and Control Association – ISACANE Board of Directors
US National Institute of Standards and Technology (NIST) SmartGrid Cyber Security Working Group (CSWG)
COMMUNITY SERVICE
SPORTS
Squashsite.co.uk squash writer/reporter
Tennis & Racquet Club, Membership Committee 2006-2012
University Club, Squash Tournament Liaison Committee 2001-2004
US Squash Open at Murr Center, Host Committee, 2001- 2004
Tournament of Champions, pro Squash Tournament Host Committee 2002-2009
Players Cup Committee, Boston professional tennis tournament, Boston, 2009
OTHER TRAINING
Boston Police Department 16 hour Domestic Violence training
Mandatory State of MA 40-hour training for working with victims of Domestic Violence
Transition House, Dating Violence Intervention Project (DVIP) training
State of MA, Department of Children and Families (DCF), Community Advisory Board training,
Constructive Communication
Emerge 3-day introductory Domestic Violence training: Counseling Abusers
Emerge 2-day advanced Domestic Violence training
Emerge Observations: over 40 hours of observations with supervision of court-mandated 2-hour
abuser intervention sessions and parenting classes
Met qualifications for MA State Certified Batterer Intervention Program Counselor
Lundy Bancroft Retreat Assistant