Information Security Risk Management
Value: At Ernst & Young (EY) I joined the newly formed information security consulting practice that spanned the US. This practice contracted with Global 1000 companies to test their security perimeters and develop comprehensive risk management approaches. Of the 21 engagements I participated in or led, I was successful 100% of the time in demonstrating we could take full control of the clients' computer systems. These engagements started outside the firewall with no security privileges and progressed until we gained access. I later went on to develop an information security risk assessment service at Experian under the Business Information Security Office (BISO) for Credit Services.
People: For both EY and Experian the client for this service was primarily IT management.
Impact: When I started with the company, Experian had an informal risk assessment process that was largely undocumented. I added policy and procedure to support the service and an online system for documenting the flow of risk assessments using Microsoft's just-launched SharePoint technology. With this we maintained a flow of 80-120 assessments at any given time through our department, and tied this into a comprehensive risk monitoring framework to give management a more comprehensive picture of risk and level of investment in security.
My Role: At Ernst & Young I came in as entry-level staff and primarily executed the ethical hacking service and other customized engagements for large clients. As I matured in the practice, I started helping develop the lab and teaching classes to clients and other staff. At Experian, I built a risk assessment service from the ground up and helped grow this to include a team of 4 information security analysts. While there was no designated manager for the service, I ran the metrics and recommended to the BISO how assessments were divided among the team.
Article: (2003, Feb.) Detecting Rogue [Wireless] Access Points. Mobile Business Advisor.
Employer: Ernst & Young, LLP (US) & Experian, Inc. (Subsidiary of Experian PLC)