Projects undertaken in current role. Governance Lead/CISO for international Geospatial Solution

Transcription

1 Dr Carol Buttle 27 Middleleaze Drive Swindon, Wilts SN5 5GL Summary Highly technical defence and security specialist providing Information Security Strategies (ISS) to national and international government departments, defence, military, security services, law enforcement agencies, airlines and commercial organisations. CESG Certified Professional Lead Accreditor and Assessor. Excellent track record delivering highly complex and large scale projects. Advisor to local, national and international government agencies. Expert witness and advisor on security implications, testing and penetration testing strategies and forensic capture. Advises various standards committees on security and cyber security issues. Developsestimation, metric and governance frameworks for regulatory bodies. Current Role CTO/CISO Responsibility for design, development and delivery of mission critical defence, military and safety critical commercial projects. Security strategy design, risk management and governance. In-depth project estimation and metrication. Projects undertaken in current role CTO/CISO for air-sea anti-warfare destroyers developed for the Commonwealth Chief responsibility for Information Assurance and ISS including all vulnerability assessment, risk assessment, threat assessment to HMG SPF standards. BCP and BCM authority. Chief responsibility for designing and implementing diverse penetration testing schemes in light of emerging threats. Advised and managed the GCHQ CREST TIGER and CHECK teams. Provided the policy guidance for STAR and intrusion analyst teams. Led the TEMPEST activities. Achieved regulatory and military accreditation with 30% time and budget savings. Design Director/Authority and CISO for multi-national cross border antiterrorist system Overall responsibility for cryptographic design, governance, IA and IS to global security services. Developed in-depth Identity Management Systems, threat analytics and forensic capture methods. Authored the RMADs and BCPs. The ISS, threat analytics and penetration strategy identified previously unexpected risks and have subsequently become standardized as a result. Governance Lead/CISO for international Geospatial Solution Chief responsibility for developing cross party risk management policies, designing IA methodology and ISS, governance, penetration testing, threat management and vulnerability metrics. Advised the CBEST/STAR and CREST and CHECK teams. The strategies employed led to successful re-negotiation of contract with multimillion $ savings. The IA methodology and testing strategies identified critical security flaws on the existing system that were successfully mitigated and ensured the regulatory needs of the evolving system. Design Authority/CISO for Banking Fraud Detection system Design, governance and accreditation responsibility for overall cyber strategy for

2 fraud detection using multiple cards, systems and biometrics. Developed all policies to ensure multi-layered encrypted personal and banking data complied with HMG SPF, Data Protection Act, Freedom of Information Act, PCI-DSS, PA- DSS, Banks Internal Audit and Compliance departments, Sarbanes-Oxley Act and multiple international standards such as FIPS. vulnerability and threat analysis. Developed and assessed Data Analytics and Pattern Analytics to identify new attacks. Advised the Banks boards on risk mitigation strategies. Developed BCM strategy. Led the penetration test effort managing teams of CREST testers national and Security Designer/CISO for Cloud Management in Border Control Design, cryptographic design, governance and accreditation for management of critical and sensitive data system using cloud technology for rapid access in border control. Overall responsibility for developing log management policies, security information and management. Overall responsibility and advising on configuration, risk and vulnerability management. Lead authority for BCP and BCM. Overall responsibility to define, develop and implement robust network activity and visibility schemes and metrics. Assess and develop schemes for network anomalies and forensic capture. Develop real-time profiling and threat prioritization schemes. vulnerability and threat analysis. Developed passive and active (timed and dynamic) scan assessments. Led the penetration test effort managing teams of TIGER and CREST testers. Developed and led the TEMEST activities and mentored teams accordingly. CTO/CISO for Autonomic Adaptive Ubiquitous System Overall design responsibly and security responsibility to develop as system for adaptive secure communications for military and commercial use. Design of security architectures and patterns. Design of frameworks for RF, Wireless and cryptographic security. IA, ISS and governance to ensure robustness and defence in depth. Developed penetration testing and verification systems against existing and emerging threats. Managed the CREST teams and provided analysis to GCHQ and other security bodies on existing, emerging and previously unidentified threats. Developed the TEMPEST effort. Achieved accreditation with multiple international military regulatory authorities. CTO/CISO for Remote Telemedical System Design, governance and accreditation responsibility for mission critical and highly sensitive medical system. Developed all policies to ensure multi-layered encrypted personal and medical data complied with HMG SPF, Data Protection Act, Freedom of Information Act and multiple international standards. vulnerability and threat analysis. Led the penetration test effort managing teams of CREST and CHECK testers. Managed the Incident Management teams and the CBEST/STAR teams. Designed Network Intrusion Detection Systems (NIDS) and Host Intrusion Detection Systems (HIDS) to mitigate a new variant of attacks that this emerging technology could be prone to.

3 CTO/CISO for UK/French Government Secure Communications System Design, governance and accreditation responsibility BIL 5-6 system. Led all aspects of risk management, vulnerability and threat assessment and strategies. Developed IA methodologies and penetration testing strategies for multiple scenarios. Developed the methodology for EmSEC. Developed the BCM. Identified key threat metrics that have become standardized. CTO/CISO for Biometric Systems Design, governance and accreditation responsibility for multiple biometric systems used in defence, healthcare, banking and other commercial arenas. vulnerability and threat analysis. Developed NIDS and HIDS. Led web analytics, penetration testing, registration, profiling, threat prioritization, network anomaly and visibility strategies. CTO/CISO Strike Force Design, governance and accreditation responsibility for battle and mission critical aircraft and on-board anti-warfare systems. Development of all Risk policies and procedures. Development of all Physical Tamper Resistance strategies, Class 1-3 attack frameworks, BIL frameworks, threat metrics, vulnerability assessments, real-time threat prioritization schemes, air-ground and ground-air incident management. Developed penetration testing strategy. Led MoD, GCHQ, DoD, CREST penetration test teams. Led and advised multi-vendor Intrusion Analytics teams. the Pentagon. Provides governance and accreditation for: Compliance: HMG IS and HMG IA Standards and ISO27005 ISO 31000, ISO 31010, CCTA CRAM and the Orange Book. PCI-DSS, FSA, ISF SOGP, APRA, ISO, COBIT, OSA, TOGAF (ADM), MODAF Security Policy Architectures and Security Standards: ISO27001/ISO , ,FIPS body of standards , NIST SP PL1. Architectural frameworks and standards: Zachman, TOGAF, ISO 27001/27002, NIST SP , SOX or PCI, SSE-CMM, NIST Information assurance methodologies: ISO27001, HMG IA. US FIPS, IAS2, IAS1, ISO Testing and Penetration Testing: TEMPEST, EMC and Comsec testing. Forensic Readiness Planning, CCTM and CHECK for security services. Regularly advises various agencies and organisations on security implications of common encrypted protocols such as SSH, SSL, IPSEC and PGP; demonstration of the functions along with possible vulnerabilities and threats to WEP, WPA, WPA2, TKIP, EAP, LEAP, PEAP. Provides threat, vulnerability assessments and mitigation for areas dependent on algorithms such asdes, 3DES, RSA and AES. Develops schemes and tools to recognise ARP spoofing and black hacking.

4 Regularly develops penetration testing strategies and provides advice on penetration testing to government agencies, law enforcement, military, security agencies, banking and healthcare. Regulates cyber security teams and penetration testing teams against CHECK and OWASP. Advises on correct use of the CVE, BID, and CVSS methodologies to ensure gap closure in record reporting. Advises on known and emerging threats and vulnerabilities with IPv4 and IPv6 and their associated security attributes. Undertakes risk, threat and vulnerability assessment and research for IP/Ethernet protocols and their associated security attributes, including: TCP, UDP, ICMP, ARP, DHCP, DNS, CDP, HSRP, VRRP, VTP, STP and TACACS+. Regularly contributes to the security forces threat metrics from research analytics. Audits: undertakes audits against HMG IA Maturity Model, HMG SPF, ISO27001, Internal Audit Standards Information and ISA. Business Continuity Plans and Business Continuity Management: HMG IA Maturity Model, BCI Good Practice Guidelines, ISO 22301, ISO 27001, BS 25999, BS and COBIT 4.1. or their predecessors. Work History Feb 2008 Present, CTO/CISO, BBS IT Ltd, UK Oct 2006-Feb 2008, Principal Consultant, Software Practice Lead, Security and Governance, Praxis High Integrity Systems, Bath, UK Dec 2005 Oct 2006, Engineering Manager, Motorola, Ireland, Cork, Ireland Mar 2005 Oct 2006, R&D Security, Defence, Various International Jan 2001 Mar 2005, Engineering Manager, Motorola, Swindon, UK Sept 1998 Jan 2001, Head of Computing, New College, Swindon/Oxford, UK Mar 1983 Sept 1998, Security Consultant and R&D, Defence, Various international Covered by Official Secrets Act Mar 1983, Cryptographer and Security, Strike Force Defence Codification, Various international. Covered by Official Secrets Act. Education PhD OxfordBrrokes Post Graduate Research Methodologies Analytics Oxford Brookes Advanced Software Engineering OxfordUniverity: Distinction BA (Hons) Combined Studies First Class DipHE - Distinction Affiliations: Industrial Professor SEC. Responsible for research into security and vulnerability assessments. Biometrics and border control. CCP CESG Lead Accreditor and Assessor (GCHQ) Distinguished Fellow and Senior Advisor on cryptography and security to SEC Distinguished Fellow and Senior Advisor on threat metrics to ASEP Assessor for GCHQ for CESG Professional Scheme Vice-Chair UKSMA SIG Threat metrics and benchmarks; software measurement and estimation. COSMIC SIG Threat Metrics and benchmarks

5 Fellow of Institution of Analysts and Programmers Member of NIITE (Government proposals for software) Advisor to governments for security Member of the Security and Defence Councils