Strategic Business Planning
Connected Automobile Cyber Security Testing Program
Developed a white paper entitled "Considerations for a Connected Automobile Cyber Security Program" and delivered a business plan presentation to senior management of a global company. The paper and presentation identified:
- Government and industry initiatives around the globe
- Connected automobile cyber security market overview, including an estimate of the global addressable market available to the company
- Competitors (strengths and weaknesses)
- Threats to the connected automobile and resultant opportunities for the company to provide cyber security test and certification services
- Recommendations and a costed implementation plan to develop and implement a connected automobile cyber security test and certification service
National-level Cyber Security Consulting
National IT Security Policy Template
Developed a National IT Security Policy Template for a national government. The purpose of this template was to "...provide a common set of guidelines to help country entities in the development, implementation, and maintenance of Information Security Management System (ISMS) programs required for the information under their control."
The template was derived from, and traced fully back to, the government's National Information Assurance Standards. It provided implementation guidance for the following baseline policies:
- Strategy and Planning
- Information Security Risk Management Process
- Awareness and Training
- Human Resources Security
- Compliance
- Performance Evaluation and Improvement
- Asset Management
- Physical and Environmental Security
- Clear Desk and Clear Screen
- Operations Management
- Information Security Communications
- Access Control
- Supplier Security
- Information Systems Acquisition, Development, and Maintenance
- Information Security Incident Management
- Information Systems Continuity Management
- Use of Cryptographic Controls
National Human Resource Development Guidelines
Developed a set of guidelines to be used by national organizations and employers to build a capable and ready cyber security work force.
This document:
- assessed the status quo for cyber security professionals in terms of job descriptions and defined growth and career paths
- identified the most likely work roles that will be required by entities in the near term (i.e., within the next 5+ years)
- identified the gaps that exist in the government's national jobs classification scheme with respect to the definition of cyber security professionals
- documented lessons learned from other governments and entities who have applied the US Government's NICE Framework within their organizations and agencies
- provided recommendations and strategies to help the country meet its strategic goal of developing an indigenous cyber security capacity to meet current and future cyber security requirements
National Operational Technology System Security Standard
Developed a national-level Operational Technology (OT) System Security Standard for a national government.
The standard applied the requirements from the country's National Information Assurance Standards (which are based on NIST SP 800-53), and provided implementation guidance and OT-specific augmentation requirements from recognized OT security standards including:
- NIST SP 800-82 (Guide to Industrial Control Systems (ICS) Security)
- IEC 62443-2-1 (Establishing an Industrial Automation and Control System Security Program)
- IEC 62443-3-3 (System Security Requirements and Security Levels)
- US DHS Catalog of Control Systems Security Recommendations
- NIST Cybersecurity Framework
- ISO/IEC 27019 (Information Security Controls for the Energy Utility Sector)
- ISO/IEC 27032 (Guidelines for Cybersecurity)
Establishment of Cyber Security Testing Labs
Establishment of an Accredited Cyber Security Testing Laboratory for an International Client
Led a project team that established a cyber security testing capability for a commercial client in the United Arab Emirates (UAE). The client required an internationally-recognized (i.e., ISO/IEC 17025 accredited) cyber security testing capability (people, processes, and technologies) for the following domains:
- ICT hardware,
- software,
- cryptographic modules and algorithms, and
- mobile applications, devices and telecommunications systems.
Establishment of a Commercial Internet of Things (IoT) Security Testing Lab
Led a project team that established an IoT product security testing capability for a large commercial firm. This laboratory is currently testing network-connected products in the following industries:
- health care and wellness systems, including network-connected medical devices,
- industrial control systems components,
- industrial lighting systems, and
- life-safety and signalling systems (examples include: network-connected locking devices, smoke / gas / CO detection and alarm devices, physical access control equipment and systems, etc.).