CISSE Speakers Added

Larry Wilson of UMASS and David Moskowitz join Charlie Tupitza and Joan Coolidge as CISSE panelists for the session about the Global Forum to Advance Cyber Resilience at the CISSE Consortium Meeting of Centers of Academic Excellence.

CISSE Panelists Larry Wilson and David Moskowitz added

15 June 2016 in Philadelphia, PA

Larry Wilson, UMASS

Larry is the Chief Information Security Officer at the University of Massachusetts President’s Office. He is responsible for developing, implementing and managing the University of Massachusetts Information Security Policy and Written Information Security Program (WISP). The University program is based on industry best practices (ISO 27001 / SANS 20 Critical Controls) and is implemented consistently across all University campuses (Amherst, Boston, Dartmouth, Lowell, Medical School and the President’s Office).

David Moskowitz

David is an IT Service Management Consultant & Professional, PRINCE2 Practitioner, ITIL Expert & Accredited Instructor, and Agile mentor. David is an IT professional with more than 30 years of experience and the proven ability to merge technology with business goals to improve technology ROI and to deliver timely solutions designed to grow with the business.

Larry Wilson

Chief Information Security Officer
University of Massachusetts President’s Office

Prior to joining UMASS, Larry was the Vice President, Network Security Manager at State Street. In this role he was responsible for researching, selecting, implementing and overseeing an engineering staff who managed network security technologies / tools including vulnerability scanning, network firewall policy management, intrusion detection, remote access, DNS security, global and local load balancing, etc.
Larry’s industry experience includes IT audit manager for Deloitte Enterprise Risk Services (ERS) consulting practice. In this role he managed a staff responsible for developing and completing a Sarbanes Oxley compliance audit for MasterCard International. Larry’s team focused on the application level controls and general computer controls for information technology services implemented and managed from the MasterCard data center in St. Louis.
Mr. Wilson holds a Master of Science degree in Civil / Structural Engineering from the University of New Hampshire. His industry certifications include CISSP, CISA and ISA (PCI Internal Security Assessor). He serves on the Advisory Board for Middlesex Community College and CISO Advisory Board for Oracle. He co-chairs the Massachusetts State University and Community College Information Security Council, and serves as Certification Director for ISACA New England. His major 2013 accomplishments include Finalist for Information Security Executive® (ISE®) of the Year for both the Northeast Region and North America; and a SANS People who made a difference in Cybersecurity in 2013 award recipient.
Larry has been teaching CISA certification training for ISACA for 5 years.

David Moskowitz

David’s primary focus is on IT service management and organizational agility. He is an established mentor, manager, architect, designer, and problem solver with the depth and wide-ranging knowledge and experience to ask the right questions of the right people, and get results.
Founded in 1984, Productivity Solutions is a company focused on the merger of technology with business goals, helping clients to develop business strategies, improve ROI, and ensure efficient software architecture and development processes. PSI is especially well qualified in helping clients align IT efforts with business goals in today’s evolving customer-Web-centric world. The firm also provides ITIL instruction and has worked with various clients to help plan and implement IT Service Management using ITIL.

Common Lexicon

The Forum has an active focus group creating a reference for use of common lexicon terms and definitions for the purpose of sharing a common language between Service Management, Cybersecurity, and Project Management to assist in the operationalization of mission driven cyber resilient services.

Please contact us by e-mail if you are interested in participating in these focus groups.

Common Lexicon and Language

A lexicon is the vocabulary of a person, language, or branch of knowledge.  The word “lexicon” derives from the Greek λεξικόν (lexicon), neuter of λεξικός (lexikos) meaning “of or for words”.

A common lexicon among all stakeholders is not enough; we need to provide example uses within the context of operationalizing cyber resilient services.
We are in the process of developing a reference document that pulls terms from commonly available sources to make them easily available to you for use.  Attribution will be given for the source.  The Forum will provide terms we feel are missing and would add value to operationalizing mission driven cyber resilient services.

Need for common lexicon.

NIST Special Publication 800-160

The second public draft of NIST Special Publication 800-160 has been released.
Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.
Public comment period: May 4 through July 1, 2016.

Systems Security Engineering

This publication addresses the engineering-driven actions necessary to develop more defensible and survivable systems—including the components that compose and the services that depend on those systems. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering techniques, methods, and practices into those systems and software engineering processes. The ultimate objective is to address security issues from a stakeholder requirements and protection needs perspective and to use established engineering processes to ensure that such requirements and needs are addressed with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of the system.

NIST Special Publication 800-160 (second draft)

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology (IT). ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information systems security and its collaborative activities with industry, government, and academic organizations.
“This publication addresses the engineering-driven actions necessary to develop more defensible and survivable systems—including the components that compose and the services that depend on those systems. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE), and infuses systems security engineering techniques, methods, and practices into those systems and software engineering processes. The ultimate objective is to address security issues from a stakeholder requirements and protection needs perspective and to use established engineering processes to ensure that such requirements and needs are addressed with the appropriate fidelity and rigor across the entire life cycle of the system.
Increasing the trustworthiness of systems is a significant undertaking that requires a substantial investment in the requirements, architecture, design, and development of systems, components, applications, and networks—and a fundamental cultural change to the current “business as usual” approach. Introducing a disciplined, structured, and standards-based set of systems security engineering activities and tasks provides an important starting point and forcing function to initiate needed change. The ultimate objective is to obtain trustworthy secure systems that are fully capable of supporting critical missions and business operations while protecting stakeholder assets, and to do so with a level of assurance that is consistent with the risk tolerance of those stakeholders.”
Ron Ross
National Institute of Standards and Technology
NIST Special Publication 800-160
example table of taxonomy of security design principles

PSCU Engaged in Forum

The nation’s leading credit union service organization, PSCU, announced today that Gene Fredriksen, the company’s CISO, has been selected to help represent the nation’s credit unions in the Global Forum to Advance Cyber Resilience. The Forum is the first of its kind dedicated to operationalizing cyber resilience.

PSCU’s Gene Fredriksen appointed to the Global Forum to Advance Cyber Resilience

Gene Fredriksen, CISO, PSCU

The Global Forum to Advance Cyber Resilience establishes a public/private collaborative partnership bringing together industry, business, government and critical infrastructure leaders to operationalize cyber resilience. Cyber resilience and security are no longer afterthoughts in the process of developing and implementing services. Boardrooms are now proactively integrating resilience and security tools throughout the organization to deliver services to clients, both internally and externally.

“The holistic concept of resilience encompasses more than traditional security measures. It speaks to the optimization of people, processes and technology to yield systems that are not only secure but will also inherently survive and recover from a wide array of threats and caustic environments,” said Fredriksen. “The Global Forum to Advance Cyber Resilience is the first of its kind targeting operationalizing standards and practices focused on the critical issue of cyber resilience.”

The Forum leverages standards such as the NIST and FFIEC frameworks for improving critical infrastructure cybersecurity and the Department of Defense enterprise service management framework, along with best practices and lessons learned to operationalize cyber resilience and deliver a cyber resilience service management action plan. PSCU, through Fredriksen’s participation in the Forum, will offer credit unions representation in this critical area and ultimately benefit the credit union industry by bringing back tools and techniques to more effectively fight cybercrime.

The first Forum meeting was held in February 2016, bringing together public- and private-sector representatives. According to Charlie Tupitza, the Forum’s CEO, it was difficult to determine whether individuals were from a particular sector or from a private sector or government organization without reading their name tags.

“This reinforced that the Forum is striking the right note, helping organizations look at cyber resilience via a common approach utilizing a common lexicon, thereby bringing people to a common foundation that generates enormous benefits to advance cyber resilience,” noted Tupitza. “We are fortunate to have Gene as a participant in the Forum, representing PSCU and the nation’s credit unions. His leadership and cybersecurity experience and expertise will greatly benefit both the Forum and the credit union industry.”

Deborah Kobza, President/CEO of the Global Institute for Cybersecurity + Research (GICSR) and Co-Founder of the Forum, added: “This is a historic opportunity to break down long-standing silos and barriers by bringing together increasingly connected and globally trusted public and private sector leaders to operationalize cyber resilience.”

About PSCU

Established in 1977, PSCU (St. Petersburg, Fla.) is the nation’s leading credit union service organization (CUSO). The company is owned by over 800 Member-Owner credit unions representing 18.9 million credit, debit, prepaid, online bill payment, mobile and electronic banking accounts. 24/7/365 member support is delivered through contact centers located throughout the United States that handle more than 18 million inquiries a year.


Merry Pateuk
VP of Corporate Communications
(404) 906-0758

GSA Technology Transformation Service

The GSA Administrator, Denise Roth, announced the creation of the GSA Technology Transformation Service on 3 May 2016.

“… the GSA Technology Transformation Service will help agencies navigate how to build, buy, and share user-centered and emerging technology solutions. This new service will provide both the foundation for our government’s digital transformation and also partner with other agencies to assist them in their own attempts to transform,” said Denise Turner Roth.

GSA Creates New Service GSA Technology Transformation Service

WASHINGTON — May 3, 2013: Administrator Denise Turner Roth of the U.S. General Services Administration announced the creation of the Technology Transformation Service. The new service builds on the success of technology initiatives such as 18F, the Presidential Innovation Fellows program, and the Office of Citizen Services and Innovative Technologies, establishing a permanent home for innovation and technology modernization inside GSA.

Denise Turner Roth, GSA Administrator

“Improving technology services is one of the federal government’s biggest shared challenges,” said Administrator Roth. “By creating the Technology Transformation Service, we are demonstrating our long-term commitment to help agencies create accessible, efficient, user-centered and secure technology.”

“We are in an unparalleled period of innovation that is producing a smarter, savvier, and more effective government. By harnessing the collective power of 18F, the team at the Office of Citizen Services and Innovative Technologies, and the Presidential Innovation Fellows, the Technology Transformation Service will strengthen the way federal agencies develop, buy, and share cutting-edge solutions, and continue the significant progress we’ve seen over recent years in enhancing the way government uses technology to serve the American public.” – U.S. Chief Information Officer Tony Scott

Federal agencies are increasingly looking for technologists’ assistance in identifying the best solution, best tools, or the best path to successful implementation of transformative technology and innovative solutions. Creating a dedicated service to meet this need will enable GSA to help partner agencies better build, buy, and share technology, and thereby improve the public’s experience with government. It will also provide GSA with a platform for future emerging technology efforts.

The GSA Technology Transformation Service is GSA’s third service line. Like GSA’s Public Buildings Service, focused on real estate, and the Federal Acquisition Service, focused on acquisitions, the Technology Transformation Service will be led by a Commissioner and Deputy Commissioner. Phaedra Chrousos, former Associate Administrator of the Office of Citizen Services, Innovative Technologies and 18F, is the new service’s first Commissioner, and Aaron Snow, Executive Director of 18F, will serve as Deputy Commissioner. The Service will house the Office of Citizen Services and Innovative Technologies, 18F, and the Presidential Innovation Fellows program and will be the home of new, emerging technology initiatives at GSA. This new service complements GSA’s current technology efforts, bolstering the strong support the agency already provides to partner agencies and allowing us to deliver transformative technology solutions. The Federal Acquisition Service will still lead when it comes to the acquisition of IT products and services outside of emerging technologies. The Office of Government-wide Policy will continue to coordinate interagency IT policy and benchmarking to drive better outcomes, and GSA IT will continue to lead GSA’s internal IT strategy and operations as well as be a test bed for many emerging technologies.

GSA’s mission places it at the forefront of solving government’s common challenges, from improving the way the government buys products and services to adopting the latest and most efficient concepts on workplace design. In technology, GSA has been a leader and an early adopter. GSA was the first civilian agency to provide access to the internet from every desktop and the first agency to transition to the cloud.

“By moving these programs into a new service, we are demonstrating a commitment to make agile, user-centered delivery of technology the way we do business moving forward. This new service complements GSA’s current technology efforts, bolstering the strong support we already provide to partner agencies and allowing us to deliver transformative technology solutions,” Denise Roth said in her blog about the topic.


Charlie and Joan Speaking at itSMF USA FUSION16 Conference at the MGM Hotel, Las Vegas, NV, November 1 – 4, 2016

Charlie and Joan Speaking at itSMF USA FUSION16

Advancing Cyber-Resilience Through Collaborative Innovation

Date and Time:  Wednesday, November 2, 3:00pm – 4:00pm
Track:   Security, Risk, and Vulnerability
Track Chair:   Jeanette McGuillicuddy

Centers of Academic Excellence Annual Meeting

13-15 June: Our Forum will sponsor and participate in the annual meeting of the National Centers of Academic Excellence in Philadelphia.

We are pleased to announce the Forum will be responsible for bringing the business perspective of cyber resilience to the annual meeting. We are providing a panel with subject matter experts in the field of service management and cyber resilience. We will also be holding a Collaborative Forum event at the end of the conference at the same location. Information about the event is available from the Colloquium for Information Security Education (CISSE). This is the 20th year for this event. More details about our participation and forum event will be available May 1.

Think Differently

Cyber Resilience in Support of Mission Driven Service Management

Value of taking advantage of investments:

Topics: Value of investments

1) Public and private investments in a foundation of standards, best practices, and frameworks.
2) A “common lexicon” of terms and definitions derived from the above investments.
3) Taking advantage of these investments by looking at whole systems.

Rationale: Meet a large constituency where they are

Many private sector leaders direct their organizations to conform with standards, frameworks and best practices adopted by the Forum, especially NIST Cybersecurity Framework, ITIL and many more (Executive Suite, Management and Operations). In the public sector, the CIO of the Department of Defense, Mr. Terry Halvorsen, directs the DoD to conform to the Department of Defense Enterprise Service Management Framework (DESMF) in a directive he signed 24 Dec 2015. ITIL is at the foundation of the DESMF as a best practice framework and basic lexicon. Many private and public service management contracts globally call for the use of ITIL.

Context: Forum Events utilize Cyber Resilient Service Management Action Plans (CRSMAP)

The Forum facilitates collaborative events for leaders to share lessons learned and to continually improve their strategies, utilizing a CRSMAP designed to help leaders apply cyber resilient service management investments for organizational efficiency and effectiveness amidst cyber events.

Foundation of Standards, Best Practices and Frameworks:

CRSMAP starts with the foundation of the DESMF recognizing ITIL, COBIT, Lean Six Sigma, CMM, eTOM, ISO/IEC 20000 and is adding other elements such as the NIST Cyber Security Framework, RESILIA, DevOps and Agile.

A Common Lexicon

The CRSMAP is a common lexicon of terms and definitions for sustaining cyber resilience. In scope are terms with value across an organization, one definition for each term, duplicates maintained in Forum archive, with attribution, and continual improvement. Terms with limited value across an organization are left out intentionally for ease of use.

Whole System in relation to its Parts

Cyber Resilience requires a whole systems approach to strike the right balance between

Software and Supply Chain Assurance Forum

8 March 2016: The Software and Supply Chain Assurance Forum, sponsored by the DHS, DoD, GSA, and NIST, met to discuss concerns about the security and resilience of the nation’s supply chain. We had several guest speakers, including one from the White House who spoke about supply chain assurance and how the Cybersecurity National Action Plan, which was released by the Office of Management and Budget (OMB) of the White House, will support supply chain efforts. This forum meets each quarter and is a combination of public and private sector organizations. The format is mostly lectures by subject matter experts.

RSA Conference Great Success

8 March 2016: Over seventy companies committed financially to sponsor our forum during the recent RSA Conference in San Francisco. We are very pleased by the interest. It is just as exciting to find more than that number interested in participating as subject matter experts shaping the direction of the forum. We also identified several stakeholder organizations who will participate to share lessons learned.

All recognized that private and public collaboration is the key to this success, and each recognizes the value of focusing on mission driven services enabled by cyber resilience. The opportunities for improvement are enormous.

Charlie Tupitza
Acting CEO

DESMF Cyber Resilience Focus Group Starts

17 March 2016: The DESMF Cyber Resilience Focus Group held its initial meeting on 2 March, beginning regular meetings via conference call facilitated by our Joan Coolidge. Members of the private and public sectors, including the DoD, participated and will be working on the draft charter of the group this week. It was the consensus to keep a focused purpose which is easy to understand and accomplish. Stay tuned. If you want to participate in the forum, please let us know via e-mail.

Charlie Tupitza
Forum Acting CEO