David L. Phipps, CISSP, IAM, CISM
Iowa City, IA 52245
Hm: 319-***-****
Cell: 512-***-****
abhzxl@r.postjobfree.com
Professional Profile
I am seeking an Information Security / Risk Management senior leadership
position. I bring a broad range of experience to my position in your
organization and a dedication to detail.
Throughout my career I have worked with various standards covering all
aspects of enterprise security, including: COBIT, PCI DSS, FISMA/NIST SP
800-53, ISO/IEC 17799/2700x security standards, DoD TCSEC C2 and Common
Criteria and the ISO 7498-2 Security Architecture.
Security Industry Certifications: ISC2/CISSP, NSA/IAM, ISACA/CISM
2006 - Present Director of IT Security ACT, Inc.
I am currently employed by ACT, Inc. as the Director of Information
Security, building and formalizing their information security program.
My responsibilities include writing corporate information security
policy and standards, leading initiatives for PCI compliance,
Certification & Accreditation for FISMA compliance on government
contracts and leading the Computer Security Incident Response Team
(CSIRT). I have written Information Security Awareness training
materials, delivered training sessions and authored guides on the use
of various encryption technologies. I coordinate work with internal
areas such as: internal audit on COBIT controls, corporate attorneys
on privacy policy, contracts and data retention issues, communications
on corporate messaging, IT operations on ITIL security processes, PKI
and access controls, application solution architectures, integration
of new technology and encryption / key management requirements,
business leaders and development staff on application security
requirements, vendor management to review SAS 70 reports, and the CEO
and senior leadership team on corporate policy. I manage/track
remediation projects to completion as necessary. I developed the risk
assessment framework used across the corporation. I manage the IT
internal audit team for compliance with corporate and external
policies and regulations. I work with external entities on
information security such as our ISP on spam issues, security tool
vendors, vendors for PCI compliance services, and consultants on
various security projects.
2004 - 2006 Development Manager Citrix Systems, Inc.
I worked with the leadership team to shape the content and direction
of the product release, address security and other technical issues
and oversee the execution of the product release with up to 14
software engineers reporting to me. I managed staffing plans,
development plans and evaluations. I pioneered a skills inventory and
planning process with the HR department. I also led a CISSP study
group for those interested in pursuing this certification.
The Citrix Password Manager product is part of an Enterprise Single
Sign-On solution, which controls and protects a user's application
passwords. A user's credentials are protected in storage and transit
with FIPS 140-2 validated cryptography.
1996 - 2004 Sr. Security Consultant IBM Global Services
I performed both technical and engagement management roles on
engagements lasting from one week to several months. Assessments
resulted in a concise report discussing the threats and
vulnerabilities that were found, the resulting risks, and actionable
technical and business process control recommendations necessary to
mitigate the risks. My operations projects were focused on delivering
systems and custom software. I worked on engagements involving
banking on the Internet, insurance applications, web hosting, firewall
administration, encryption, intrusion detection, application code
reviews and industry best practices for setup and operations. I also
worked on several government accounts, one of which required a
government security clearance.
Other Professional Experience:
1983 - 1996 Staff Programmer (on several projects) IBM
I worked in the AIX operating system development group as the project
lead for the IBM 7318 Communications Server, coordinating customer
service, product test and development, and on the Network Terminal
Accelerator Adapter for the RS/6000. This responsibility included
interfacing with vendors for support services and follow-on
development features.
I worked in systems development and had worldwide Product Engineering
responsibility for the 9370 disk & tape subsystem. I authored and
taught classes worldwide on the 9370 integrated disk and tape
subsystem. The microcode implemented the S/370 channel functions and
Fixed Block Architecture (FBA) disk control unit functions on a single
card.
Education:
- Bachelor of Science in Applied Mathematics, Engineering and Physics
from the University of Wisconsin at Madison.
- Master of Science in Computer Science from the University of Wisconsin
at Madison. While in graduate school I conducted research on the
DIRECT project, a back-end parallel database machine.
Professional Training
- PKI Consulting and Services Delivery Methodology
- Wireless Technology
- Digital Forensics
- Oracle Security
Conferences Attended recently:
- RSA Security Conference
- Black Hat briefings
- DefCon conference
- University of Iowa Security Day (speaker)
- ISACA Information Security Governance, Risk & Compliance
- IAPP Privacy Academy
Professional Organizations:
- IEEE, ISC2, ISACA, IAPP
Publications / speaking engagements:
- Zero Latency Service Time Measurements for 370 Adapter Microcode, IBM
Technical Reports, 1991. Also presented at IBM Performance ITC, 1990.
- The 7318 Communications Server, AIXpert, 1995.
- The Network Terminal Accelerator Adapter, AIXpert, 1995.
- PCI Compliance, University of Iowa, 2007.
References provided upon request.