Harvey Newstrom, CISSP CISA CISM CIFI IAM GSEC ISSAP ISSMP ISSPCS IBMCP
West Melbourne, FL or Washington, DC
Last Updated: 3/31/2008
mail@HarveyNewstrom.com
http://HarveyNewstrom.com
321.574.1212 or 301.681.8704

Profile

Harvey Newstrom is a principal security consultant with a history of helping Fortune-500 corporations and Federal Agencies leverage IT technology to increase organizational efficiency. He combines executive business savvy with technical know-how to produce solutions that are both realistic and effective. He has extensive experience with Fortune-500 companies, Internet e-commerce, dot-com startups, government agencies, and military black-ops projects. This diverse background gives him special insight into security operations beyond that of most security experts.

Mr. Newstrom has authored 3 textbooks, 1 reference book, over 50 technical manuals, and over 100 white papers, and has helped develop over 50 security products. He has been a guest speaker at various events for Fortune-500 companies, professional organizations, and throughout the business world. He has peer-reviewed security books, published documents on security websites, and consulted for the World Olympics. He has developed security for the CIA, DoD, DoJ, FBI, NARA, NASA, NRO, NSA, Pentagon, USDA and other agencies.

Mr. Newstrom established security practices for Harris, AT&T, IBM, Fiderus, Newstaff and various government agencies. He has led security teams from IBM, Ernst & Young, Deloitte & Touche, AT&T, Harris and Newstaff. He restructured security organizations at JPMorgan, Chase Manhattan, Reliant Energy, Bank of America, FirstUSA Bank, IBM, Ryder, Advantis, Fleming, Harris, and AT&T. He launched enterprise-wide security initiatives at Fleming, Pitney Bowes, Ryder, Staples, ADP, Bank of America, Credit Suisse First Boston, EBS, First USA, JP Morgan, Chase Manhattan, Anthem, AT&T, Apple Computer, Cisco, Harris, IBM, Lanier, Lotus, Philips Electronics, Tivoli, Florida Power & Light, and Reliant Energy.

Objective

Mr. Newstrom knows that security controls at all levels must derive from corporate goals and business drivers, not from technology. There must be a business rationale for security, rather than a mere desire to keep up with the latest technological advances. Mr. Newstrom strives to analyze the fundamental connection between business efficiency and technical operations to achieve more precise assessments, more accurate predictions, and more effective results.

Mr. Newstrom does not view security as merely a compliance program. Instead, he sees security as an aspect of organizational efficiency. The emergent security attributes of confidentiality, integrity and availability define the efficiency levels to which information assets are leveraged. Confidentiality increases the competitiveness of information assets. Integrity increases the usability of information assets. Availability increases the utilization of information assets.

Credentials

B.P.S. 3.692 GPA - Bachelor's Degree in Professional Studies from Barry University (9/16/89)
A.S. 4.0 GPA - Associate's Degree in Computer Science from Morris Junior College (6/29/84)
CISSP #26730 - (ISC)2 Certified Information Systems Security Professional (11/01) (11/04)
CISA #0332168 - IS Audit and Control Association Certified Information Systems Auditor (9/16/03)
CISM #0300730 - IS Audit and Control Association Certified Information Security Manager (5/29/03)
CIFI #115 - IISFA Certified Information Forensics Investigator (4/12/05)
GSEC #2137 - SANS GIAC Security Essentials Certification (9/18/02) (10/17/04)
IAM - National Security Agency Infosec Assessment Methodology (10/16/02)
ISSAP #26730 - (ISC)2 Information Systems Security Architecture Professional (8/31/04)
ISSMP #26730 - (ISC)2 Information Systems Security Management Professional (9/7/04)
ISSPCS #8 - International Systems Security Professional Certification Scheme (6/1/05)
IBMCP - IBM Certified Professional in Security and Privacy Services (10/1/99)
IBMPM - IBM Project Manager Training (2/00)
CMMI Level 3 - Capability Maturity Model Integration training and team lead experience (5/12/06)
Executive Training - Harris Executive Leadership Training (714/89)
DNI DCID 6/3 - DNI Special Security Center DCID 6/3 Training (4/5/06)
Active Clearances - NACI (multiple), SSBI (3/7/07), Secret (8/5/05), Top Secret (8/15/07), SCI (3/21/08)

Skills

Skills: Confidentiality, Integrity, Availability, Access Control, Awareness and Training, Audit and Accountability, Certification and Accreditation, Testing, Penetration Testing, Beta Testing, Compliance Testing, Vulnerability Scans, Ethical Hacking, Appraisal, Risk Assessment, Forensics, Investigations, Configuration Management, Security Maintenance, Contingency Planning, Strategy, Development, Design, Identification and Authentication, Architecture, Standards, Policies and Procedures, Implementation, Remediation, Firewalls, Intrusion Detection Systems, Incident Response, Media Protection, Physical Security, Environmental Security, Network Security, System Security, Personnel Security, Consulting, Public Speaking, Research and Development.

Industries: Fortune-500, Military, Government, International, High Volume e-Commerce, Consulting, Business, Education, Entertainment, Financial, Healthcare, Internet, Manufacturing, Non-Profit, Publishing, Technology, Utilities.

Standards: ACM, BS-7799, CBK, CC, CISA, CIA, CISM, CISSP, Clinger-Cohen, CMM, CMMI, COBIT, DCID 6/3, DITSCAP, DoD, DoD 5015.2-STD, DoJ, E-Government Act, EFF, FEA, FBI, FIPS, FISCAM, FISMA, GAO, GIAC, GLBA, HIPAA, IAM, IBM, IEEE, INFOSEC, ISACA, (ISC)2, ISSAP, ISSMP, SSA, ISO-15489, ISO-9126, ISO-9000, ISO-17799, ISOO, ITRMA, ITSEC, NARA, NCIC, NIACAP, NISPOM, NIST, NISTIR-5153, Orange Book, OMB, Privacy Act, RFCs, SANS, Sarbanes-Oxley, SAS-70, SSE-CMM, TCSEC, USDA, US Law, and many others.

Career

Principal Security Architect, Science Applications International Corporation, Lanham, MD (4/04 - present)
Led a team of eight security engineers to design the Security Architecture component of the Enterprise Architecture for the National Archives and Records Administration (NARA). Integrated Federal Enterprise Architecture business-level guidance with NIST system-level guidance into a cohesive security architecture. Merged NIST, DCID, DoD, ISOO, OMB and FISCAM security controls into a consistent system that meets all requirements in each area. Complied with all federal mandates for government agencies while delivering a service assessed at CMMI Level 3.

Principal Security Consultant, Newstaff, Inc., West Melbourne, FL (1/01 - 03/04)
Returned to Newstaff, Inc. to develop automated security tools and security consulting methodology, and to perform independent research in security. Wrote proposals, generated sales, and acted as project manager on all security projects. Provided the expertise, training, methodology, and direction for all security consultants. Acted as project manager for security consulting projects. Complied with all federal mandates for government agencies.

Director of Security Testing, Fiderus Strategic Security and Privacy Services, Cary, NC (9/00 - 12/00)
Created the Security Consulting Practice of "ethical hackers" for this $75 million startup. Developed methodology for security testing. Conducted training classes for consultants. Earned the company's first revenue, and later the company's first account. Led the division to become the company's first operational division. Achieved more revenue than all other divisions combined by the end of the first quarter.

Senior Security Consultant, IBM Security and Privacy Services, Orlando, FL (7/98 - 8/00)
Based on success in Boca Raton, was hired directly into IBM's consulting practice. Developed methodologies used by consultants. Project Manager for security audits of Fortune-500 customers, and for internal IBM product development. Developed patentable security methodology for the practice in 1998. Developed most of the practice's intellectual capital in 1999. Achieved the highest utilization rate in the practice in 2000.

Lead Security Consultant, Newstaff, Inc., West Melbourne, FL (1/95 - 6/98)
Cofounded Newstaff, Inc. in 1995 to provide security consulting services to Fortune-500 companies. Wrote proposals, generated sales, and acted as project manager on all security projects. Provided the expertise, training, methodology, and direction for all security consultants. Landed the company's first account, a six-month contract with IBM. Followed up with a total of 6 IBM contracts. Traced unexplained campus-wide computer shutdowns at IBM's famous Boca Raton site to a design flaw in the NetBIOS protocol. Reorganized the South Florida campus from one big site into five distributed sites. Helped establish the proof-of-concept for IBM's new Security and Privacy Services practice. Automated network monitoring, intrusion detection, and security alerts.

Lead Network Security Engineer, Harris Electronic Systems, Palm Bay, FL (1/85 - 12/94)
Divisional Security Auditor. Manager for security R&D. Team lead on security engagements for military projects. Project Manager for internal security projects and external customer security projects. Certified software and servers for production use. Wrote in-house security standards, policies and procedures. Led the change-control committee, design-review teams, and organizational steering committees. Led in-house R&D in network security. Developed system software and tools for security testing, monitoring, reporting, analysis, and secure communications to support military contracts. Led R&D efforts on several military security applications including stealth packets, multi-layer disk data recovery, covert timing channels, and a method for obscuring clear-text passwords in clear-text transmissions.

Lead Software Engineer, Castronova Enterprises, Melbourne, FL (6/82 - 12/84)
Managed a small team of developers to produce secure turnkey systems for industry. Performed design review, monitored development, performed acceptance testing, and audited client implementations.

Manager of Information Systems, Florida Department of Education, Brevard County, FL (5/81 - 5/82)
Managed a team of students and staff in operations of the school computer lab. Developed policies and procedures. Audited compliance. Taught education courses on computer security. Monitored activities and systems.