Work History

1997 – present

Millions Consulting Limited

Senior Consultant: Information Security, System Architecture, Network and Infrastructure Architecture, Software development.

1989 – 1997

Ernst & Young

• Senior Consultant (July 1994 – September 1997)
• Network Manager (Jan. 1991 – July 1994)
• Communications Consultant (Jan. 1991 – July 1994)
• Unix Kernel Programmer (Oct. 1989 – Jan. 1991)
• Unix System Programmer (Oct. 1989 – Jan. 1991)
• Unix System Administrator (Oct. 1989 – Jan. 1991)

1985 – 1989

Millions Computing Ltd.

Owner/Manager

Experience

2003/08 – 2008/03 Security Consultant

Responsible for defining many aspects of the security practise.

Created a Controls Catalogue based on NIST SP800-53 and ISO19977.

Created technical—architectural—standards and guidelines to aide in the implementation of required security controls. Technical Standards were intended as a bridge between the policy security goals and infrastructure implementations. Technical Guidelines provided implementation specific guidance on how to meet the requirements of a technical standard, if such guidance was required. For example, the Encryption Standard defined the acceptable cyphers and required key lengths; then there was a Technical Guideline for how to configure Microsoft IIS SSL to conform to the standard, there was another guideline that explained how to use PGP—or GPG—in conformance with the standard.

Other standards and guidelines included:

• OS, middle-ware and application standard configurations—or builds
• Wireless Network Security Standard, included configuration guidelines for several wireless network radios that were deployed.
• Authentication Standard. UNIX/MS Active Directory Kerberos interoperability
• Standards and Guidelines for controls from the Controls Catalogue where developed on an as needed basis.

Developed risk assessment processes based on the existing information classifications and probability and impact definitions.

Preformed security assessments base on the NSA Information Assurance Methodology. Assessments were done on internally developed systems, purchased systems and service provider's systems.

Provided risk analysis for the monthly Patch Tuesday meetings. Meetings were held to determine which patches would be deployed and the time line that they would be deployed to. As well, short and long term mitigation strategies were decided upon for issues that warranted them.

Participated in incident investigations as well as incident response and look backs.

Consulted on many projects; extrapolated security goals/requirements from project business requirements, assessed designs to evaluate applicability and strength of proposed controls proposed additional controls and assisted in the implementation of the controls.

Responsible for vulnerability assessments; responsibilities included:

• designing and building the assessment environment
• defining assessment procedures
• performing quarterly assessments
• analyse results
• prioritise remediation efforts

Developed and presented informational Lunch & Learn sessions.

Developed and presented informational technical security information sharing sessions, based on SANS materials.

2003/01 – 2003/02 Programmer (Perl) UNIX Consultant

Developed network performance monitoring solution that allowed clients of a network service provider to verify that Service Level Agreements were being met.

2001/10 – 2001/10 Network Security Consultant

Firewall and VPN install and configuration. Installed and configured Checkpoint Firewall-1/VPN-1 based appliances for a network service provider to provide to their customers.

2000/06 – 2003/01 Lead Java developer

Contracted to small firm to re-factor their desktop product into an enterprise product. Consulted on all aspects of technology including designing implementing and maintaining a network—three sites in three cities connected by VPN—and inter-site VoIP. Involved in all aspects of the software design and development. Wrote a SWING component to display a JTree as an org. chart. Designed an implemented the application security framework. This framework was a dynamic rule based access control system that allowed access control to reflect changes in a company's organisational structure.

1999/09 – 2000/06 Network Security Consultant

Installed and configured IBM firewall. Responsible for day to day operations of the firewall. Monitored logs and investigated incidents.

1998/01 – 1998/05 Network–UNIX Consulting

Provided network and UNIX consulting services to a small ISP. Services included:

• Configuring RADIUS server
• Configuring dialup network server
• Disaster recovery—without backups—of a Solaris server
• Installation and configuration of Red Hat Linux servers

1997/10 – 1998/06 IT Consulting

Executive office support. Responsible for day to day operations and support of desktop systems, back office systems and network and telecomm systems. Systems include MS Exchange, Cisco PIX firewall and MS Remote Access Server.

1997/10 – 1998/06 SAP Basis Consultant

Upgrade and support of SAP system

1997/10 – 1997/11 SAP Consultant Support

Provided on-site technical support for SAP consultants working on customer premises.

1997/10 – 1997/10 UNIX Consultant

Worked with receiver to prepare assets for sale. Work included ensuring that all intellectual property was safely backed up and that it was securely removed from workstations prior to the workstations being re-imaged.

1997/10 – 1998/04 Network Security Consultant

Assessed existing firewall. Recommended improvements in implementation and processes.

Education

1999

IBM Learning Services – IBM Firewall for AIX (S0625)

1998

SAP Partner Academy – Certified SAP R/3 Application Consultant ABAP/4 Development Workbench

1981 – 1984

University of Regina – Computer Science