This document is a resume for David A. Santoro listing his experience and qualifications. It summarizes his career working in information security and assurance roles for both government agencies and private contractors. His experience includes managing security programs, performing risk assessments and certification and accreditation activities, implementing security tools like HBSS, and providing security consulting services. He has held roles such as Information Systems Security Officer, Information Assurance Manager, and Information Assurance Engineer.
People are a critical factor in any cyber security imitative. In this session we will cover the roles and responsibilities defined by NIST for the Risk Management Framework (RMF). This is third in a series on NIST’s Risk Management Framework (RMF). This session covers topics in (ISC)2 CAP certification, FISMA, Certification and Accreditation, DIACAP, and DIARMF.
Achieving Continuous Monitoring with Security AutomationTripwire
This presentation provides:
An overview of continuous monitoring
Discusses federal requirements for continuing monitoring
Explains why it is critical for risk mitigation
Describes an effective continuous monitoring strategy that brings together data from different security controls in one place
Watch the webcast here: http://www.tripwire.com/register/achieving-continuous-monitoring-easily-with-security-automation/
Tripwire has released results from an extensive study focused on the state of risk-based security management with the Ponemon Institute.
The study examined the disconnect between an organizations commitments to risk-based security management and its ability to develop the collaboration, communication styles and culture necessary for effective security programs across the organization.
The study respondents included 749 U.S. and 571 U.K. professionals in the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.
“Risk-based security is an extremely complex problem where predictability and outcomes are constantly changing,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
“This means that even the most secure and sophisticated organizations experience risk because there are too many variables in play. Effective communication and collaboration across the organization are crucial in mitigating this risk.”
The full report can be found here: http://www.tripwire.com/register/the-state-of-risk-based-security-2013-full-report/
Continuous Monitoring: Getting Past Complexity & Reducing RiskTripwire
This presentation on Continuous Monitoring was created by Bryce Schroeder, who leads Tripwire's global presales engineering team at Tripwire.
He has over 29 years of IT architectural and security expertise solving Enterprise challenges. Bryce joined Tripwire from NetApp where he led a team of Architects and Systems Engineering in enterprise Cloud infrastructure solutions.
Numerous articles on Continuous Monitoring can be found here:
http://www.tripwire.com/state-of-security/tag/continuous-diagnostics-and-mitigation/
A firewall risk assessment is a detailed assessment approach of a firewall topology and configuration that has been implemented to protect your information, systems, applications, and overall business operations.
People are a critical factor in any cyber security imitative. In this session we will cover the roles and responsibilities defined by NIST for the Risk Management Framework (RMF). This is third in a series on NIST’s Risk Management Framework (RMF). This session covers topics in (ISC)2 CAP certification, FISMA, Certification and Accreditation, DIACAP, and DIARMF.
Achieving Continuous Monitoring with Security AutomationTripwire
This presentation provides:
An overview of continuous monitoring
Discusses federal requirements for continuing monitoring
Explains why it is critical for risk mitigation
Describes an effective continuous monitoring strategy that brings together data from different security controls in one place
Watch the webcast here: http://www.tripwire.com/register/achieving-continuous-monitoring-easily-with-security-automation/
Tripwire has released results from an extensive study focused on the state of risk-based security management with the Ponemon Institute.
The study examined the disconnect between an organizations commitments to risk-based security management and its ability to develop the collaboration, communication styles and culture necessary for effective security programs across the organization.
The study respondents included 749 U.S. and 571 U.K. professionals in the following areas: IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.
“Risk-based security is an extremely complex problem where predictability and outcomes are constantly changing,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
“This means that even the most secure and sophisticated organizations experience risk because there are too many variables in play. Effective communication and collaboration across the organization are crucial in mitigating this risk.”
The full report can be found here: http://www.tripwire.com/register/the-state-of-risk-based-security-2013-full-report/
Continuous Monitoring: Getting Past Complexity & Reducing RiskTripwire
This presentation on Continuous Monitoring was created by Bryce Schroeder, who leads Tripwire's global presales engineering team at Tripwire.
He has over 29 years of IT architectural and security expertise solving Enterprise challenges. Bryce joined Tripwire from NetApp where he led a team of Architects and Systems Engineering in enterprise Cloud infrastructure solutions.
Numerous articles on Continuous Monitoring can be found here:
http://www.tripwire.com/state-of-security/tag/continuous-diagnostics-and-mitigation/
A firewall risk assessment is a detailed assessment approach of a firewall topology and configuration that has been implemented to protect your information, systems, applications, and overall business operations.
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault
- Overview of the AlienVault USM Platform
- Differentiation through Delivery "Threat Detection That Works"
- Ways to Engage via Managed Services, Security Device Management and Professional Services
- AlienVault MSSP Program Details
Stop Chasing the Version: Compliance with CIPv5 through CIPv99 Tripwire
For many energy companies, readying for compliance with the latest version of NERC Critical Infrastructure Protection (CIP) standards, whether they be v5, v6, v7 or beyond is not the first priority – delivering reliable energy to the BES is. So, how does a company deal not only with the impending changes of CIP v5, but do so in a manner that best positions them for compliance with future versions and secures their cyber environment?
Join our live webcast on Thursday February 5 to hear from ICF, Tripwire, and AssurX industry experts who are helping organizations already grappling with the new and upcoming CIP requirements, implementing a risk based approach, the steps they are taking to get ahead of the curve, and addressing the uncertainty.
Key Takeaways - Regarding Readiness for NERC CIPv5 (and beyond):
•Best approaches for achieving compliance in a changing environment. (i.e. v5, v6, v7).
•How to save time, resources, and achieve automation with practical guidance on compliance efforts for current and future CIP requirements.
•Practical highlights and key controls from those already working on the most pressing issues.
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and there experience in using it with real world clients.
What can local government use to help manage IT security threats and IT losses? NIST has developed standards that are recommended for local governments.
To help organizations charged with providing the nation's financial, energy, health care and other critical systems better protect their information and physical assets from cyber attack, the Commerce Department's National Institute of Standards and Technology (NIST) today released a Framework for Improving Critical Infrastructure Cybersecurity. The framework provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault
- Overview of the AlienVault USM Platform
- Differentiation through Delivery "Threat Detection That Works"
- Ways to Engage via Managed Services, Security Device Management and Professional Services
- AlienVault MSSP Program Details
Stop Chasing the Version: Compliance with CIPv5 through CIPv99 Tripwire
For many energy companies, readying for compliance with the latest version of NERC Critical Infrastructure Protection (CIP) standards, whether they be v5, v6, v7 or beyond is not the first priority – delivering reliable energy to the BES is. So, how does a company deal not only with the impending changes of CIP v5, but do so in a manner that best positions them for compliance with future versions and secures their cyber environment?
Join our live webcast on Thursday February 5 to hear from ICF, Tripwire, and AssurX industry experts who are helping organizations already grappling with the new and upcoming CIP requirements, implementing a risk based approach, the steps they are taking to get ahead of the curve, and addressing the uncertainty.
Key Takeaways - Regarding Readiness for NERC CIPv5 (and beyond):
•Best approaches for achieving compliance in a changing environment. (i.e. v5, v6, v7).
•How to save time, resources, and achieve automation with practical guidance on compliance efforts for current and future CIP requirements.
•Practical highlights and key controls from those already working on the most pressing issues.
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and there experience in using it with real world clients.
What can local government use to help manage IT security threats and IT losses? NIST has developed standards that are recommended for local governments.
To help organizations charged with providing the nation's financial, energy, health care and other critical systems better protect their information and physical assets from cyber attack, the Commerce Department's National Institute of Standards and Technology (NIST) today released a Framework for Improving Critical Infrastructure Cybersecurity. The framework provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.
John kingsley OT ICS SCADA Cyber security consultantJohn Kingsley
John kingsley OT ICS SCADA Cyber security consultant
SCADA ICS Security Courses
Lack of SCADA ICS security professionals that lead to big gaps between compliance against the respected guidelines with the real situation at site. Critical needs for proper security professional in SCADA ICS
SCADA ICS Security Assurance
Ensuring the SCADA ICS environment to comply with the security requirements in order to maintain the production operations and sustain the business performance
SCADA ICS (OT) Security Services
SCADA ICS Security Services Summary
SCADA ICS Security Asset Management
SCADA ICS Security Risk Management
SCADA ICS Security Assessment
SCADA ICS Standard, Policy & Procedure Management
SCADA ICS Security Implementation
Cyber Security Services
Vulnerability Assessment
Penetration Testing
ISO 27001 Certified Management System Audit
1. David A. Santoro – CISSP
dasantoro@outlook.com
Information Systems Security Officer - RF-ITV -Radio Frequency In-Transit Visibility
LEIDOS -Manassas, VA - February 2015 to Present
Provide for the application and enforcement of IA policies, procedures, and workforce structure
to develop, implement, and maintain a secure operational environment
Prepare and review the documentation for of IA Assessment and Authorization (A&A) for the Risk
Management Framework (RMF) process, manage IA performance standards, participate in an IS
risk assessment during the A&A process. Received 2 ATOs for RF-ITV under Risk Management
Framework
Manage the test results for A&A activities using eMass - Enterprise Mission Assurance Support
Service, developing security plans and other supporting documents
Evaluate and approve development efforts to ensure that baseline security safeguards are
appropriately installed, and to monitor and evaluate the effectiveness of the RF-ITV
environment’s IA security procedures and safeguards to ensure they provide the intended level
of protection to include management of the IAV process, security training, Host Based Security
System (HBSS) and security scanning (ACAS) and remediation including conducting and analyzing
vulnerability security scans of both systems and networks
Information Assurance Manager - Defense Treat Reduction Agency (DTRA)
Lockheed Martin -Fort Belvoir, VA - March 2014 to February 2015
Coordinated and managed program's security activities ensuring the information system is
operated, used, maintained, and disposed of in accordance with DoD security policies and
practices. Performed as Government Information Assurance Manager for the Defense Integration
and Management of Nuclear Data Services (DIAMONDS) program
Completed documentation for Certification and Accreditation activities for a MAC I program per
DIACAP and RMF
Provided Security, Test and Evaluation (ST&E) activities for the agency. Ensured all agencies'
assets are compliant to the current security requirements
Used various tools, processes and applications such as VMS, ACAS, eMass, STIG Viewer and others
to analyze and evaluate systems for compliance
Information Assurance Engineer – DISA Defense Messaging System
Lockheed Martin -Manassas, VA -September 2006 to March 2014
Lead for Host Based Security System (HBSS) implementation for Defense Message System (DMS).
Providing extensive guidance, implementation and integration of HBSS/ePO server - Installed and
managed multiple HBSS servers providing support for Windows and UNIX OS. Troubleshooting
agent issues and developed custom queries and reports
Product Lead for operating systems and security applications, Windows and UNIX (HP UX, SUN)
operating systems, Tripwire security auditing program, VMware virtualization software
Evaluated technical content of artifacts required for Certification and Accreditation. Works with
systems engineering to integrate/embed/assess security design throughout the lifecycle Performs
security analysis using risk assessment tools (DISA Gold Disk, Retina, McAfee ePolicy Auditor and
others) and risk management methodologies for the Defense Messaging System
Analyzed and briefed DoD personnel on recommendations regarding current and future
hardware/software and security requirements for the DMS program
2. David A. Santoro – CISSP
dasantoro@outlook.com
Information Assurance Engineer - Protection of Vital Data Program (POVD)
Lockheed Martin -Manassas, VA -September 1999 to September 2006
Security Engineer for in support of The Protection of Vital Data Program, a National Security
Agency (NSA)-sponsored implementation and development program focused on commercial-off-
the-shelf (COTS) technologies to improve the security of computer networks in the US
Government and in our country's industrial base
Provided support for IA technologies, such as IDS, IPS and HIDS, for the establishment of a national
Attack Sensing, Warning and Response (ASW&R) technology evaluation laboratory
Supported the beta testing program that was designed to establish a technical relationship with
market leaders of ASW&R technologies through participation in vendor Beta test programs - The
relationships that developed with vendors provided a path enabling the POVD Program to
recommend future enhancements according to the needs of the Defensive Information
Operations (DIO) Warfighter
Key member in the development of the IDCCL - Intrusion Detection Comprehensive Capabilities
List - The IDCCL is a comprehensive list of capabilities for Intrusion Detection Systems (IDS) –a
precursor to the DISA STIGS
Security Consultant
AXENT Technologies -Reston, VA -February 1999 to September 1999
Provided Security Consulting and Integration services to various clients concerning AXENT
Products - (Merged with Symantec)
Developed security policies and applied these policies to firewall configuration
Provided testing support for AXENT security products to include Y2K testing for DoD
Systems Engineer – Pentagon Renovation
Global Management Systems Inc. -Reston, VA -July 1997 to February 1999
Installed, evaluated and configured Raptor Firewall for UNIX and NT environments
Analyzed network traffic and services for creating and applying appropriate firewall rules
Installed, managed and administered all facets of HPUX 10.20 on various HP devices
Administration/Personnel/Infantry - Sergeant First Class
United States Army -July 1975 to July 1995
EDUCATION
Bachelor of Science – Strayer University - 1999
Master's in Information Technology/Information Security
Cappella University - Minneapolis, MN - 2005
CERTIFICATIONS
CISSP since 2001
Top Secret Clearance
