Papers & Publications
Publications
- Author: "Scaling Risk Management" (The ISSA Journal, November 2011, [PDF]).
- Author: "How to Manage Cloud Risk" (CRN byline, October 2011)
- Interview: "Risk Chat: Is Your GRC in the Cloud?" (Big Fat Finance Blog, October 2011)
- Contributing Author, Contributing Editor: Information Security and Privacy: A Practical Guide for Global Executives, Lawyers and Technologists (2011, ABA Press, ISBN: 978-1-61632-807-8)
- Contributing Author: Data Breach and Encryption Handbook (2011, ABA Press, ISBN: 978-1-60442-989-3)
- Author: "Maddening Methods: Fundamentals of Risk Assessment and Analysis" (The ISSA Journal, July 2010, [PDF])
- Author: "De-Operationalizing InfoSec: Living in an Imperfect World" (The ISSA Journal, June 2010, [PDF])
- Author: "Architecting Adequacy: When Good Enough Really Is" (The ISSA Journal, March 2010, [PDF])
- Author: "Dysfunction Junction: Do Standards Function?" (The ISSA Journal, October 2009, [PDF], and cover of February 2010 "Best of 2009" issue)
- Author: "Elasticity: Will your organization bend or break?" (cover story for The ISSA Journal, September 2009, [PDF])
- Co-Author: "The Biometric Devil's in the Details" (Security Management, December 2008, with Ben Rothke)
- Author: "Key Management: The Key to Encryption" (The EDP Audit, Control, and Security (EDPACS) Newsletter, Volume 38 Issue 4, October 2008, [PDF])
- Co-Author: "Information Security and the Importance of Context" (CSO Online, August 2008, with Ben Rothke)
- Author: "Evolving Risk Resilience" (BT Initiatives Newsletter, May 2008)
White Papers
- "PCI: Requirements to Action" (May 2009 for Truth to Power Association, sponsored).
- GWU Masters Thesis: "The Total Enterprise Assurance Management (TEAM) Model: A Unified Approach to Information Assurance Management" ABSTRACT: This research thesis addresses the problem of identifying or creating a unified information assurance management model that harmonizes the key competency areas of enterprise risk management, operational security management, and audit management. The research was conducted by performing a literature review of existing information assurance related models, frameworks, and methodologies; creating a new model to unify the three competencies (given the absence of such a model); and, validating the research results with subject-matter experts (SMEs). The research concluded with the development of the Total Enterprise Assurance Management (TEAM) model, which was well validated by the SMEs. Survey results include that the work was overwhelmingly viewed as favorable and logical, and that a majority of respondents agreed that all four hypotheses of the research had been achieved.
- "Alphabet Soup: Making Sense of Models, Frameworks, and Methodologies" ABSTRACT: This paper will provide a US-centric overview and analysis of commercially-oriented information security models, frameworks, and methodologies. As a necessary component of the analysis, a cursory look is taken at a sampling of applicable laws within the US, such as the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leech-Bliley Act of 1999 (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). Additionally, industry standards will be weighed, such as the Payment Card Industry Data Security Standard, as adopted by Visa and MasterCard. The paper will attempt to thoroughly describe the goals of these models, frameworks, and methodologies, contextualizing them within the current business, regulatory, and legislative environment, helping to identify the usefulness of each model, framework, and methodology. The analysis will demonstrate the value of each model, framework, and methodology and where application of each would benefit an organization.
- DRAFT v2.0: "Alphabet Soup: Making Sense of Models, Frameworks, and Methodologies" (abandoned)
Grad School Papers
Disclaimer: The following papers are original works of research and analysis. Attribution is given whenever appropriate. These works are independent of my current employer. Any similarities that may exist between language or structures represented within a work and language or structures represented within my employer are purely coincidental.
- "The GWU Code of Academic Integrity and U.S. Copyright Law," prepared for EMSE 315 (Professor Dan Ryan) on September 27, 2004. This is the first paper I wrote for my graduate program at GWU. It represented a "best effort" at the time but is not one of my better works.
- "Use of Licensed Software: Policy and Policy Analysis," prepared for EMSE 315 (Professor Dan Ryan) on October 11, 2004. This is the second paper I wrote for my graduate program at GWU. It represents a significantly better effort than my previous paper.
- "Acceptable Use of Computing Resources: Policy and Policy Analysis," prepared for EMSE 315 (Professor Dan Ryan) on November 1, 2004. This is the third paper I wrote for my graduate program at GWU.
- "Research Paper: Information Security Technologies," prepared for EMSE 218 (Professor Dave Carothers) on November 10, 2004. This is the only paper required for the course. The paper provides basic overview and analysis on thirteen (13) different security technologies.
Other / Miscellaneous
- College senior paper, "Making the Horse Drink," circa May 1998, written at the end of my time at Luther College. It's based on a presentation that I gave at CERT/SEI in December 1997. An overview is available, as is the full text in Word format.
My Other Pages
[ Bio & Resume ]
[ Papers & Publications ]
[ Public Speaking ]
[ TEAM Model ]
[ Old Pages ]
Subscribe
My Google Reader Feed
Lijit Search
[ Papers & Publications ]
[ Public Speaking ]
[ TEAM Model ]
[ Old Pages ]
Subscribe My Google Reader Feed
Lijit Search
Support Me
Support EFF
