
Cyber Security and Risk Management

NCTC formed a Risk Committee in 2020 with the goal of formalizing oversight of the organization's risk profile. The primary focus of this committee is Information Technology and Business Operations. I have led this committee since its inception. This committee has multiple KPIs that roll up to the Board of Directors, which include a "Risk Profile" for all technology resources, reports on findings from security audits, and operational risks.
  • +9.0 - Common Vulnerability Scoring System
  • +3 - Years of Cyber Insurance Acquired
  • 94 - Corvus Score External Scan (Max 100)
  • +4 - Years Leading Executive Level Risk Committee

Risk Committee Members

Activities

  • Cyber Insurance
    • Worked directly with NCTC's in-house counsel (Jeff Nourse)
    • Led on all technical aspects including insurance application, implementation of policies + tools, owner of all security-related Organization-Level Commitments
    • 94/100 Corvus Security Score (External Scan)
    • Cyber Insurance Acquired 2023 - Lockton
    • Cyber Insurance Acquired 2022 - Lockton
    • Cyber Insurance Acquired 2021 - Lockton
  • Cyber Security Improvements
    • Record Retention Policy using M365
    • Multi-Factor Authentication - Okta + Azure AD
    • Single Sign-On - Okta + Azure AD
    • Endpoint Protection, Detection, Response
    • Protective DNS
    • Web Application Firewall
    • KnowBe4 - Email Fraud Training Service
    • Password Policies (staff, change schedule, global admins, domain admins, etc.)
    • Cloud Hosted VPN Solution
    • Service Accounts configured using "least privilege"
    • Backup Strategy (cloud, physical, immutable, annual integrity testing)
    • Formalized Server Patch Policy + Schedule
    • Personally Identifiable Information (PII) - GDPR / CCPA Compliant
  • Staff Training and Education
    • Recurring organization-wide security training
    • Led organization-wide in-person training
    • Personally engaged with training and support for high-risk staff
    • Automated staff testing based on performance
  • Penetration Tests + Security Audit
    • 2021 - Conducted by Red Siege
    • 2016 - Conducted by Cino
  • Business Continuity + Disaster Recovery
    • Tested yearly
    • Addresses each unique line of business, related technical platforms, and alternative business operations during an outage
    • Led Executive-level staff, assigning roles, responsibilities, and preparation
    • Commitments on restoration times from IT, tested annually
  • Mock Cyber Security Event (Hack / Ransomware)
    • In-house mock event with NCTC's Executive Level - Ransomware event where critical platforms are encrypted and the decryption key is ransomed
    • Author of Cyber Playbook
      [1] Defined Severity Levels
      [2] Financial Thresholds
      [3] Law Enforcement + 3rd Party Support (Cyber Security Partner)
      [4] Executive-Level Responsibilities and Task Assignments
      [5] Formalized Communication (in-house, public, Board of Directors, social media)
  • Education and Training
    • "Breached" Mock Ransomware - Virtual Wargame (12/9/2021)
    • Security Round Table (2/1/2023) - Hosted by CBIZ, BMO, Polsinelli