JENNIFER L. BAYUK

www.bayuk.com

jennifer@bayuk.com

973-335-3530

PROFILE

An Information Security industry leader experienced in information security management, information technology risk governance and management, cybersecurity tools and techniques, audit of physical and information systems, telecommunications networks, operating systems, database management systems, network management systems, application development, business continuity, operations process, security awareness education, and metrics. Advanced degrees in Philosophy and Computer Science. Certified in Information Systems Audit, Information Systems Security, Information Security Management, and IT Governance (CISA, CISSP, CISM, CGEIT).

EXPERIENCE

Independent Security Consultant, Jennifer L Bayuk LLC, Towaco, NJ, 6/08 to present.

Engaged in a wide variety of industries with projects ranging from oversight policy and metrics for financial institutions to technical architecture and requirements for security product vendors. Lecturing at conferences. Teaching for local industry associations. Teaching graduate courses in security at Stevens Institute of Technology. Participating in public and private committees. Providing expert witness services.

Senior Managing Director, CISO, Bear Stearns & Co., Inc., Whippany, NJ, 4/98 to 6/08.

Designed and implemented firmwide processes to protect, detect, and recover from harm to information. Established and maintained enterprise-wide security, change control, and business continuity metrics. Chair of the Firmwide Information Protection Committee and member of the Global Outsourcing and Firmwide Emergency Response Committees. Drafted, negotiated, and issued global security policies and processes. Devised tools, techniques, roles, responsibilities, and awareness materials for all security processes including digital identity, application inventory and information systems risk management. Provided technical requirements and test programs for new security products and security features of new applications. Directed the activities of development and infrastructure officers globally with respect to security tools and techniques. Directed information security investigations and remediation activities in coordination with human resources, legal and compliance. Coordinated emergency response teams for information security related events. Reviewed physical security efforts in support of data center protection. Contracted and performed penetration tests. Guided management through information technology (IT) audits. Performed due diligence in support of merger, acquisition, research analyst, and investment banking activity. Testified on due diligence efforts when required by regulators. Prepared materials on security measures for prospective clients. Coordinated industry efforts in support of firm goals for information security improvements. Directly managed department budget (~3M) and security tollgates over all projects in IT budget (~600M). Chief Information Security Officer title achieved in 2002.

Manager, Information Systems Business Controls, AT&T Capital Corporation, Morristown, NJ, 2/97 to 4/98.

Led and executed the company’s global internal audit and control assessments with respect to information systems. Conducted security investigations. Provided direction and guidance on systems control issues for the company’s strategic leaders, including the Technology Leadership Team and corporate legal counsel. Developed COSO & COBIT compliant systems audit approach for AT&T Capital that includes quantitative communication of systems vulnerabilities. Evaluated and developed tools for operating system, database management system, and network security testing as well as data analysis, incident tracking, and reporting.

Information Systems Risk Manager, Price Waterhouse LLP, Morristown, NJ, 1995 - 1997.

Managed a wide variety of security consulting and audit projects for the Price Waterhouse Information Systems Risk Management Practice, including penetration tests and physical infrastructure reviews. Performed systems infrastructure analysis directed at improving technical security architecture, security management processes, and information system operational risk management. Developed methodology for evaluating the effectiveness of security management processes and trained both consultants and senior managers on its use. Wrote and customized programs for security testing. Evaluated various types of commercial security software.

Information Security Technical Staff, AT&T Bell Laboratories, Holmdel, NJ, 1990 - 1995.

Led diverse, cross-organizational teams focused on security and data integrity, including the AT&T Network Security Requirements Team, the Security Analysis of the Network Environment Team, and the Security Assessment Team. Envisioned, designed, specified, developed, demonstrated, tested, and documented software for expert systems, graphical user interfaces, databases, and network monitors. Spent most of the last year at AT&T with the CFO Organization in Short Hills performing computer security audits and corporate security consulting for various systems comprising and supporting the AT&T Worldwide Intelligent Network.

Project Manager, UFA, Inc., Newton, MA (www.atcoach.com), 1988 - 1990.

Developed, documented, and maintained ATCoach Expert System and Networked Air Traffic Simulation program. Prioritized programming efforts. Demonstrated ATCoach to Congressional subcommittee at request of the Federal Aviation Administration (FAA) client.

Technical Support Specialist, Dynamic Applications, Inc., Englewood, NJ (now www.bjmurray.com), 1987 - 1988.

Designed, documented, and implemented employee and client training programs for Property Management Financial Accounting System. Responsibilities included custom programming and user support.

Teaching Assistant, Rutgers University (1986-88) and The Ohio State University (1985-86).

EDUCATION

PhD Systems Engineering, Stevens Institute of Technology, 2012, Thesis in Measuring Systems Security.

MS Computer Science, Stevens Institute of Technology, 1992, GPA 3.9.

MA Philosophy, The Ohio State University, 1986, GPA 3.5. Thesis compared logic in expert systems to that of compiler design.

BA Computer Science and Philosophy, Rutgers College, Rutgers, the State University of New Jersey, 1985, GPA 3.59, Henry Rutgers Honors Scholar, Thesis in Philosophy of Expert Systems, Rutgers Academic Life Scholarship.

Certified Information Systems Auditor (CISA), 1996.

Certified Information Security Manager (CISM), 2002.

Certified in the Governance of Enterprise IT (CGEIT), 2008.

Certified Information Systems Security Professional (CISSP), 2008.

AFFILIATIONS

Stevens Institute of Technology, Industry Professor and Director of Cybersecurity Programs for the School of Systems and Engineering and Adjunct Professor for the Howe School of Technology Management.

Delta Risk, affiliated subject matter expert.

Institute for Defense Analysis, Information Technology and Systems Division, affiliated subject matter expert.

Computers and Security, an Elsevier publication, Editorial Board Member.

Information Systems Audit and Control Association (ISACA), instructor on a wide variety of topics, author, and exam question contributor.

Metricon Program Committee Member, and Chair for Metricon 4.0, MiniMetricon 5.5 (www.securitymetrics.org).

International Council on Systems Engineering (INCOSE), co-chair, Security Working Group, 2010+.

Computer Security Institute (CSI), member and speaker.

Association of Computing Machinery (ACM), member.

IEEE Computer Society, member.

Information Systems Security Certification Consortium (ISC2), member.

Research and Development Committee Chair, Financial Services Sector Technology Council (FSSCC), 2006-2008.

Securities Industry and Financial Markets Association (SIFMA) Information Security Committee Chair, 2003-2008.

BOOKS

Planned Spring 2012 Cyber Security Policy Guidebook, lead of five authors with different areas of Cyber Security Policy Expertise, Wiley.

September 2010 CyberForensics, Understanding Information Security Investigations, edited this collection of articles by industry experts and provided an introductory framework, Springer.

January 2010 Enterprise Security for the Executive: Setting the Tone at the Top, Praeger.

March 2009 Enterprise Information Security and Privacy, Artech House, co-edited this collection with Warren Axelrod and Dan Schutzer, and wrote chapter on “Information Classification.”

November 2007 Stepping Through the InfoSec Program, Information Systems Audit and Control Association (ISACA), peer-reviewed book.

January 2005 Stepping Through the IS Audit, A Guide for Information Systems Managers, 2nd Edition. Book published by the Information Systems Audit and Control Association (ISACA).

January 2000 Stepping Through the IS Audit, A Guide for Information Systems Managers. Book published by the Information Systems Audit and Control Association (ISACA).

SELECT OTHER PUBLICATIONS & SPEAKING ENGAGEMENTS

Planned 2012 “Measuring System Security,” Systems Engineering, Volume 15, Issue 4.

November 2011 Measuring Cyber Security in Intelligent Urban Infrastructure Systems, International IEEE Conference & Expo on Emerging Technologies for a Smarter World (CEWIT).

Fall 2011 “An Architectural Systems Engineering Methodology for Addressing Cyber Security,” Systems Engineering, Volume 14, Issue 3.

July 2011 Systems-of-Systems Issues in Security Engineering, INCOSE Insight, Volume 14, No 2.

June 2011 Cloud Security Metrics, IEEE Systems of Systems Engineering Conference (SoSE2011).

March/April 2011 “On the Horizon - System Security Engineering,” IEEE Security & Privacy Magazine, Volume 9 Issue 2.

August 2010 Systems Security Engineering, A Research Roadmap, Final Technical Report, primary author for DoD-sponsored publication for the Systems Engineering Research Center (www.sercuarc.org).

November 2010 “Systems Security Engineering Roadmap,” Rethinking Cyber Security: A Systems-Based Approach, Workshop sponsored by the Center for Risk Management of Engineering Systems and the Institute for Information Infrastructure Protection (I3P), University of Virginia.

October 2010 The Utility of Security Standards, IEEE International Carnahan Conference on Security Technology (ICCST).

June 2010 Pairing Organizational Strategy with Security Solutions, CSO Executive Seminar.

June 2010 “Information Security Metrics,” in Readings and Cases in Information Security Management – Legal and Ethical Issues, Course Technology, edited by Mattord and Whitman.

May 2010 “Systems Security Engineering,” Tenth Annual High Confidence Software and Systems Conference, sponsored by the National Security Agency.

March 2010 “The Utility of Security Standards,” Systems Engineering Security Workshop, Stevens Institute of Technology.

December 2009 “Critical Infrastructure Protection Issues in the Financial Industry,” Global Conference on Systems and Enterprises, Stevens Institute of Technology.

September 2009 Prevention Is Better Than Cure, Business Trends Quarterly.

May 2009 Third Party Data Handling, ISACA Control Journal.

March 2009 Data-Centric Security, Computer Fraud and Security.

November 2008 Security Through a Time of Crisis, Computer Security Institute Annual Conference.

October 2008 Key Data Points for IT Governance Metrics, ISACA IT GRC Conference.

July 2008 Metrics for Risk Management versus Security Attribution, Metricon Conference.

June 2008 Third Party Due Diligence, Securities Industry and Financial Markets Association (SIFMA) Technology Management Conference.

October 2007 “Utilising information security to improve resiliency,” Journal of Business Continuity & Emergency Planning.

October 2007 Data Classification, Security and Privacy, Securities Industry and Financial Markets Association, Internal Audit Division, Annual Conference.

Sept/Oct 2007 “IT Attestation Services: What You Need to Know,” Journal of Corporate Accounting and Finance.

June 2007 CISM Review Manual, Chapter 5: Information Security Program Management, Information Systems Audit and Control Association.

October 2006 The Homeland Security Front, Securities Industry Association, Internal Audit Division, Annual Conference.

November 2005 Security Review Alternatives, The Computer Security Journal, Fall 2005, a Computer Security Institute publication.

October 2005 Best Practices for Securing and Controlling Offshore Vendors, Securities Industry Association, Internal Audit Division, Annual Conference.

September 2005 Internal Security Reviews, Fourth Annual FDIC Technology Seminar.

June 2004 Sarbanes-Oxley for the IS Professional, Securities Industry Association, Technology Management Conference.

October 2003 Metrics for Due Diligence, Best In Class Security and Operations Roundtable Conference, Carnegie Mellon Software Engineering Institute.

May 2003 Security Forum 2003, The Secure Enterprise, Wireless LAN Panel, Technology Managers Forum.

April 2003 Introducing Security at the Cradle, SANS (System Admin, Audit, Network, Security Institute) Security and Audit Controls that Work Conference.

Summer/Fall 2002 Productive Intrusion Detection, The Computer Security Journal Vol XVIII, No 3-4, a Computer Security Institute publication.

May 2001 Security Forum 2001, Information Risk Management, Risk Management and Security Metrics Panel, Technology Managers Forum.

May 2001 Measuring Security, Information Security System Rating and Ranking, an Applied Computer Security Associates (ACSA) Workshop.

January 2001 Security Metrics, The Computer Security Journal, Vol XVII, No 1, a CSI publication.

August 2000 Assurance and Monitoring of E-business: Technical Control Points, Seminar sponsored by Information Systems Audit and Control Association (ISACA) and the Association of Government Accountants (AGA).

June 2000 Security Metrics: An Audit-based Approach, Computer Systems Security and Privacy Advisory Board (CSSPAB) Security Metrics Workshop (Sponsored by NIST, the National Institute of Standards and Technology).

April 2000 CISA Exam Certification Course, Domain 4: Information Systems Integrity, Confidentiality, and Availability, ISACA North Jersey Chapter (Also taught in April 1998 and April 1999).

October 1999 Infrastructure Monitoring Challenges, 22nd Annual National Information Systems Security Conference.

May 1999 Successful Audits in New Situations, ISACA Control Journal, (v.III).

November 1998 How to Survive an IS Audit, Computer Security Institute Conference, Chicago, IL.

June 1997 Oracle Database Control Issues, Vanguard Information Security Expo, Orlando, FL.

January 1997 Audit & Control of Sybase and Oracle, ISACA NY Metropolitan Chapter.

January 1996 Security Controls for a Client-Server Environment, ISACA North Jersey Chapter.

July 1996 Security Hot Topics, Price Waterhouse Information Systems Risk Management Internal Advanced Training, Tampa, FL.

October 1996 Security Through Process Management, 19th Annual National Information Systems Security Conference, Baltimore, MD.

June 1996 Security Controls for a Client-Server Environment, The EDP Audit, Control, and Security Newsletter (EDPACS).

1990-1995 Several proprietary restricted AT&T Bell Laboratories publications.

Oct-Dec 1989 Network Simulation System for Air Traffic Control Training, Journal of Air Traffic Control.