From: route@monster.com
Sent: Monday, October 24, 2016 11:03 AM
To: hg@apeironinc.com
Subject: Please review this candidate for: Network ADMIN ccna
This resume has been forwarded to you at the request of Monster User xapeix03
Robert Harren
510-586-0291
20200 Redwood Road Suite #15, Castro Valley, CA 94546
bob.harren@beam-itsec.com
Certified Information Systems Security Professional
Strategic Cyber Security: Planning-Policies-Training / Cyber Risk Management / West Point graduate with uncompromising success in securely optimizing technology performance to drive corporations to profitability. Hands-on, cyber security professional and technical operations executive with multi-platform background in diverse industries and organizations including Xerox, Kikkoman International, the U.S. military and federal agencies. Visionary leader with the ability to build cohesive teams, and to exceed corporate goals and objectives. Established Best Practices for secure high tech implementations worldwide. Provided strategic vision and tactical focus for delivering technology to maximize IT security. Applied Operations Research training to champion secure technologies and processes.
· Wrote and updated corporate cyber security policies, procedures, standards and compliance metrics for California State Compensation Insurance Fund. Mentored and provided knowledge transfer to corporate employees.
· Managed GRC programs: DIARMF/DIACAP Certification & Accreditation (C&A) teams, wrote policies and procedures, conducted IA Control Validations, Risk Analyses, wrote Networthiness Applications, recommended cyber security architecture solutions, conducted penetration and assessment scans and evaluated vulnerability results for remediation at USAF Space Command at Vandenberg AFB, and Defense Manpower Data Center (DMDC) operational and development systems (NIST 800-30, 37, 39, 53, 61, 82).
· Cyber-Security / GRC Policy / Program development, Nuclear Plant Cyber Security Plan (CSP) evaluations (IAW 10 CFR 73.54, NEI 08-09) and drafting Security Evaluation Reports on nuclear power plants for the Nuclear Regulatory Commission (NRC).
· Conducted IA Control Validations and Verifications, validated cyber-security architecture, wrote whitepapers, evaluated classification criteria and performed penetration scans and vulnerability analyses using Nessus, Nmap, Wireshark, Retina, SCC, SRR scripts..., for multiple major DOD commands, US CENTCOM and US Army INSCOM.
· Performed a complete HIPAA compliance and Risk assessment for an ISP in Philadelphia; managed remediation efforts to validate HIPAA-HITECH security and privacy requirements; wrote over 50 HIPAA security policies with another 45 associated procedures (NIST 800-30, 800-39).
· Performed ISO 27001 assessments, developed GRC (NERC-CIP) project plans and budgets for a leading Smart-grid (SCADA) manufacturer, Trilliant, Inc.
· Performed Penetration Tests & Vulnerability Assessments of six California State University campuses.
· Managed and performed GRC compliance audits, technical and non-technical assessments, security policy/plan reviews, ST&E’s and provided multiple teams of Subject Matter Experts as part of a FISMA / NIST 800-37 & 800-53, Certification and Accreditation Assessment of NASA systems at multiple installations.
· As FSO, managed Facility Security program, individual certifications, clearances, training briefings on a DoD LMS system IAW the NISPOM and DSS guidance; passed several DSS security program management inspections (for multiple organizations / CAGE Codes).
· Developed a comprehensive Program of Instruction for training CISSP certification candidates.
· Provided Subject Matter Experts as part of a DoD Inspector General DIACAP penetration testing and risk assessment of the Defense Information Systems Agency (DISA).
· Deployed senior professionals to develop and implement DITSCAP & Information Assurance Tactics Techniques and Procedures (TTPs) for the US Military in Iraq.
· Developed Disaster Recovery Plan for critical functions, preventing potential $1.6 million daily loss (MS Project and Visio).
· Organizational leadership specialist in demanding, deadline-driven environments.
· Drove technical marketing effort with speaking engagements and media interviews.
· Updated infrastructure and built internal systems team, saving $3 million in consulting fees.
· Built IS infrastructure for Xerox spin-off within 4 months, saving $300,000 annually.

Academic Qualifications, Certifications and Memberships
· MS, Operations Research, Florida Institute of Technology, Melbourne, FL
· BS, Engineering, U.S. Military Academy, West Point, NY
· Certified Information Systems Security Professional (CISSP); (Active) #38452
· Federal IT Security Professional (FITSP-M); (Active) #00136
· Information Assurance Security Officer (IASO); (Active)
· Facility Security Officer (FSO); (Active)
· Certified Cisco Network Associate (CCNA); 2008-2010; #CSCO11170071
· Certified Cisco Design Associate (CCDA); 2008-2010; #CSCO11170071
· Security Clearances – DoD-Top Secret/SCI – SSBI; DOE-‘L’ (Active)
· Information Systems Security Association (ISSA); SF Chapter – President, 2010-11, (Active), Awarded Senior Member status-2012
· Member, INFRAGARD; (Active)

Technical Skills & Tools:

Career Summary

BEAM IT Security, Inc.
President -- 2002-Present
Managed Information Assurance/Cyber Security Programs and all information technology supporting immediate and strategic business growth objectives for security systems integration company. Applied expert knowledge of NRC, NIST, Department of Defense, and DHS Cyber Security requirements to develop business relationships and manage Information Security projects. Managed Internet–enabled information technology supporting all immediate and strategic business growth objectives. Applied expert knowledge of secure network operations, operations management, business development, and production support.
· Wrote Cyber Security Policies, Procedures, and standards based on PCI-DSS, NIST, ISO 27K and HIPAA-HITECH controls. Remediation of Network Penetration test and Vulnerability Assessment audits providing recommendations based on best practices and the risk ranking. Created and managed remediation project test plans, wrote technical reports, performed technical risk analyses. Mentored and provided knowledge transfer to California State Compensation Insurance Fund employees. (2015-2016)
· Prepared GRC Certification & Accreditation (C&A) packages IAW DIARMF/DIACAP (NIST 800-30, 37, 39, 53, 61, 82), FedRAMP, and ICD 503 guidance, wrote cyber-security policies and procedures, performed Risk Analyses, conducted IA Technical Analysis, evaluated classification criteria and performed penetration scans and vulnerability analyses (servers, switches, routers, firewall, workstations…) using MS Project, Retina, Nessus, Wireshark, Nmap, Visio, SCC, Gold Disk, SRR scripts, MS Office tools, ...; presented analysis results to government clients at:
  o USAF Space Command at Vandenberg AFB – 2011, 2013-2015
  o Defense Manpower Data Center (DMDC) – 2013-2015
  o US Army Intelligence & Security Command (INSCOM) – 2012
  o US Central Command (CENTCOM) – 2012
  o US Coast Guard – 2013
  o NASA – 2009, 2010
· Performed a complete HIPAA compliance and Risk assessment for an ISP in Philadelphia. Wrote over 40 corporate policies along with associated procedures and validated implementation.
· Managed Vulnerability Risk Assessments / penetration testing of the California State University campuses.
· Developed GRC project plans, performed ISO 27001 assessments, and prepared budget for a Top 3 Smart-grid technology (SCADA) manufacturer.
· Evaluated GRC compliance with established information assurance policies and regulations according to DOD, NSA, DISA, NIST, FedRAMP and other IA-related military/Federal requirements.
· After consideration of risk mitigation countermeasures, wrote reports to System Owner and Designated Accrediting Authority (DAA) recommending issuance of authority to operate levels.
· Developed an all-inclusive IT Systems Security Program covering all applicable Information Systems Security operational areas.
· Assisted in Cyber Policy / GRC Program development at the Nuclear Regulatory Commission evaluating NEI and NERC-CIP draft regulations/policy updates.
· Evaluated / assessed Cyber Security Plans (CSP) for US nuclear power plants IAW 10 CFR 73.54 & NEI 09-09 (evaluated CSPs included plans from: AmerenUE, Arizona Public Service, Indiana Michigan Power, PSEG Nuclear, PG&E, Southern Nuclear Operating Co., Southern California Edison and TVA).
· Analyzed GRC compliance and compiled NRC Cyber Security Plans deficiencies from all US Nuclear Power Operating plants as a reference document for the NRC Cyber Security Inspection Team.
· As FSO, managed Facility Security program, individual certifications, clearances, training briefings on an LMS system IAW the NISPOM and DSS guidance; passed several DSS security program management inspections.
· Managed and performed IV&V compliance audits, technical and non-technical assessments, security policy/plan reviews, ST&E’s and provided multiple teams of Subject Matter Experts as part of a NIST 800-37 & 800-53, Certification and Accreditation Assessment of NASA systems at multiple installations.
· Taught advanced Encryption, Security Assessments & Testing, Network Security, Business Continuity/Disaster Recovery planning, Operations Security, Physical Security and Access Control methodologies, GRC controls (ISO27001/2, NIST 800-53, HIPAA, SOX, PCI, SAS70…) concepts for Information Systems Security Association, San Francisco Chapter membership.
· Performed Certification and Accreditation assessments of system security plans, associated documentation and systems equipment at multiple installations.
· Taught DITSCAP to DIACAP transition strategy to ISACA, DC Chapter.
· Developed a 5-day Program of Instruction covering all 10 subject area domains for CISSP Certification.
· Migrated IT infrastructure to more intentional, scalable systems, achieving high availability in an enterprise-wide solution.

Frontier Systems Integrators, Fairfax, VA -- 2004-Feb2009
Chief Information Officer / Chief Information Security Operations / FSO
Reporting to CEO and COO, maintained P&L. Managed Information Assurance Programs and all
information technology supporting immediate and strategic business growth
objectives for global security systems integration company. Brought in $2.8 million of new
business in first 18 months. Applied expert knowledge of Department of
Defense Information Assurance requirements to develop business relationships
and manage global Information Assurance projects. Managed Internet–enabled
information technology supporting all immediate and strategic business growth
objectives. Applied expert knowledge of secure network operations,
operations management, business development, and production support.
· Provided Subject Matter Experts and Attack & Penetration team manager as part of a DoD Inspector General DIACAP Risk Assessment of the Defense Information Systems Agency (DISA).
· Successfully deployed and managed nine senior IT Security and Information Assurance professionals to assist the US Military in tightening down IT Security infrastructure in Iraq using MS Project and Office tools.
· Managed Facility Security program IAW the NISPOM and DSS guidance, processed clearances, conducted security briefings and required refresher training.
· Managed development of the Continuity of Operations Program (COOP) and counter-terrorism programs at the Defense Advanced Research Projects Agency (DARPA).
· Implemented architecture and procedures to improve company's business process collaboration, security awareness and productivity.
· Migrated IT infrastructure to more intentional, scalable systems, achieving high availability in an enterprise-wide solution.

Conference Planners, LLC, Burlingame, CA -- 1999-2003
Information Systems Security Consultant -- 2002-2003
After reorganization, and elimination of my position, I was retained as a
contractor to reorganize the department, manage the TruSecure certification
program and prepare a draft Business Continuity Plan.
· Wrote and implemented, using MS Project, a complete IT Security program with over 35 new Security operations policies.
· Successfully managed and obtained TruSecure/CyberTrust Certification.
· Developed comprehensive user security awareness training program to complement IT Security Policies.
· Coordinated Disaster Recovery Plan development and implementation.

Chief Information Officer -- 1999-2002
Reporting to CEO, managed Internet–enabled information technology supporting all immediate and
strategic business growth objectives for global integrated event planning and
marketing company. Applied thorough knowledge of secure network
operations, E-commerce rapid application development, production support and
Customer Relationship Management (CRM). Managed 3-tier Internet
heterogeneous environments (PCs-UNIX-MACs) for over 400 client websites,
web-database integration projects, contact-center support, and customer issue
resolution. Managed $3.5 million budget, P&L, and 55 employees.

Implemented architecture and procedures to improve company's IS security posture.
· Installed firewalls and implemented VPNs for remote access and inter-office connectivity.
· Established IT security program for companywide implementation.
· Coordinated Disaster Recovery Plan implementation.
· Established secure ad hoc networks of up to 500 PC internet stations with internet access, firewalls and online audio/video delivery as part of many major events.

Built Network Operations group to support internal technical and onsite event network operations.
· Hired staff, organized department and wrote standard operating procedures.
· Implemented an Extranet so that external partners could have secure real-time access to our helpdesk, submit help requests and see status on all their trouble tickets.
· Managed technical teams that supported over 200 high technology conference/events each year (MS Project).
· Event support teams/packages all had to be planned, developed, pre-tested and delivered on time.

Implemented architecture for revolutionary, profitable E-commerce business process solution.
· Migrated to more strategic, scalable systems, achieving high availability in an enterprise-wide solution.
· Built world class technical services group to generate new revenue for engineering services and support.
· Implemented external data center and Network Operations Center to monitor production SLAs.
· Adopted Oracle 9iAS development tools, allowing company to reuse 50-75% of its application code from event to event. Ultimately resulted in acquisition of Oracle and Gartner as new clients with multi-year, multi-million dollar global contracts.

Established vendor relationships to support company system growth needs.
· Negotiated and established agreements with technology partners (IBM, Cisco, Sun, Oracle, Remedy…) when my staff did not have the initial expertise to implement new technologies.
· Asked to present success story at Oracle Technology Days for Oracle Corporation, August, 2002.

dpiX Inc., a Xerox company, Palo Alto, CA -- 1996-1999
Information Systems Manager
Reporting to CEO and CFO, directed network design, planning, systems integration, information
systems delivery, Internet security, Y2K software upgrades and software
licensing. Hired and managed teams, developed web presence, wrote and
established IT policies, and managed budget for new high tech manufacturer of
super-resolution flat–panels.

Built secure information systems infrastructure for high-tech startup within four months, saving $300,000 annually.
· Hired staff and migrated existing research data into new 400-node (PC-UNIX-MAC), multi-segment LAN/WAN (MS Project).
· Met aggressive implementation schedule on time and within budget.
· Eliminated external technical support service fees.
· Helped dpiX establish itself and prepare for sale to consortium of clients.
· Established Technical Support group to support internal customer and technical manufacturing operations.
· Implemented an Intranet so that employees could have real-time access to our helpdesk, submit help requests and see status on all their trouble tickets.
· Installed new phone system with over 400 lines.
· Established and implemented procedures for Y2K mitigation to PCs, Application Servers and Network appliances.

Kikkoman Management Systems, South San Francisco, CA -- 1990-1996
Information Systems Manager
Implemented and supported an integrated software package for all financial applications,
inventory control, purchasing, requirements planning and manufacturing
control. Developed comprehensive policy governing processing, handling
and storage of sensitive information. Designed, tested and validated
Disaster Recovery plans from alternate sites. Directed design and
implementation of enhancements to over 800 programs and development of over
250 new programs.

Developed Disaster Recovery Plan for mission-critical functions, preventing potential $1.6 million daily loss.
· Designed all policy governing processing, backup, handling and storage of sensitive information.
· Personally monitored compliance with risk management procedures.
· Coordinated contracts with third-party providers for off-site data storage and backup data processing centers.
· Developed incremental test plans over next 12 months.
· Tests validated ability to restore operations to standard within 24 hours of declared emergency.

Updated antiquated computer system and built internal systems team, saving $3 million in outsourcing fees to Andersen Consulting.
· Reduced planned system downtime from several hours per week to less than 30 minutes per month.
· Cut average system response time from 8-10 seconds to sub-second screen changes.
· Installed new IBM AS/400 systems and new ERP software application.
· Installed Novell LANs at HQs and all branch offices and tied all branches together in a totally meshed WAN across all North America.

U.S. Army -- 1975-1990 (MAJOR – Retired)
Inspector/Systems Auditor
Planned and conducted over 80 organizational Information Systems Security audits for the Sixth U.S. Army Headquarters commanding all U.S. Army Reserve and National Guard forces in 12 western states.

Assigned as subject matter expert for all Information Systems Security issues.
· Developed security inspection program as basis for over 250 IT systems audits.
· Developed inspection: researched, wrote and published inspection criteria and methodology.
· Prepared guidance and trained 24 systems auditors to conduct IT security compliance evaluations.
· Personally led over 80 inspections, identified systemic trends, briefed results, recommended remediation actions and conducted follow-up inspections when required.

Developed model adopted as standard tool for logistics-transportation emergency contingency planning for Department of Defense (DOD).
· Using medical items for prototype model, prepared data, wrote over 80 programs and tied them together to simulate time-phased logistics replenishment for global contingency plans.
· Expanded model and simulation to include remaining classes of supply for DOD.
· Presented model to DLA and then Pentagon and other major US Military Commands.
· Presented logistics-transportation recovery model at ORSA conference.

US Army Airborne-Ranger Infantry Officer with numerous high-pressure, command and operations positions.

Languages:
Languages | Proficiency Level
French | Intermediate
Spanish | Beginner
Swedish | Beginner