Contact Information
Name: Michael Tonick
Email: mike23898 (at) yahoo (dot) com
Location: Rockwall, Texas, United States
Resume
Position/Title: CISO
Resume: Michael D. Tonick Resume

MICHAEL D. TONICK, CISSP, CHSP, IAM, IEM, ACC, ISO 27001 Lead Auditor

Security Solutions Leader-South, BearingPoint, Inc.

Mr. Tonick is currently the leader of the Security Solutions practice in the Southern region of the USA for BearingPoint, Inc. He has over 30 years of experience in security, currently focused on enterprise risk and compliance management. He has deep experience in risk analysis and security assessment methodologies and solutions. Mr. Tonick is cross-trained in both IT and physical security and is a member of ASIS. He is also experienced in performing security assessments against a variety of security standards and regulatory requirements including ISO/IEC 17799:2005, ISO/IEC 27001:2005, ISO 19011, PCI, HIPAA, SOX, 21 CFR Part 11, Safe Harbor, NIST and ITIL standards. Mr. Tonick is licensed by Sandia National Labs to conduct threat-based physical and cyber-security risk assessments for Homeland Security in the areas of water (RAM-W), power transmission (RAM-T) and dams (RAM-D). Mr. Tonick is trained and certified by the NSA in its INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM). In March 2007, he was certified as an ISO/IEC 27001:2005 Lead Auditor. Mr. Tonick currently serves on the North American Technical Advisory Group for the new risk management standard, ISO 31000.

Relevant Experience

Mr. Tonick’s accomplishments include:

• Team Leader - Developed disaster recovery and security documentation framework for Cricket Communications including policies, procedures, guidelines and standards - Apr 2008-Jun 2008

• Team Leader - Performed a security assessment on portions of the SprintLink network, covering core and edge routers, firewalls, change management, infrastructure management, network access and back-office systems, together with a vulnerability assessment, for Sprint Nextel - Mar 2008-Apr 2008

• Developed corporate information security architecture framework for Discover Financial Services' Information Security Program Office (ISPO) and socialized the new architecture framework to other corporate business units. The framework included an Information Security Policy; Acceptable Use Policy (AUP); Third Party Standards; Information Security Governing Principles; Access Control Policy; Cryptography Policy; Back-Up Policy; Data Protection and Privacy Policy; Clear Desk Policy; Information Asset Classification Policy; Information Exchange Policy; Intellectual Property Rights Policy; Mobile and Remote Computing Policy; Policy on Risk Acceptance; Security of Customer Information Policy and a Third Party Policy - Aug 2007-Feb 2008

• Team Leader - Performed security assessment of Sprint Nextel's OSSN (CDMA), Customer Data Records (CDR) voice CDMA data protection, Outsourcing Process Controls, Text Messaging/SMS and Change Control Processes - Sep 2007-Nov 2007

• Developed Certification & Accreditation (C&A) security documentation for the US Census Bureau handheld census units - Mar 2007-Apr 2007

• Team Leader – for a network, physical and vulnerability security assessment project for Sprint Nextel – Oct 2006-Dec 2006

• Performed a security program assessment based on ISO/IEC 17799:2005 for ViaSat - Jun 2006-Jul 2006

• Team Leader – for the development of an application security framework, program compliance, policies and procedure assessment remediation project for Pfizer – Jan 2006-Mar 2006.

• Team Leader – for a security compliance software development project for Pfizer – Oct 2005-Dec 2005.

• Team Leader - identity management rollout project for Southern Company - Sep 2005-Nov 2005

• Team Leader - security organization program architecture, policy, procedure and guideline development and planning project for FEMSA in Monterrey, Mexico - Apr 2005-Jul 2005

• Team Leader - enterprise security compliance and risk management vendor trial for Pfizer – Dec 2004-Feb 2005.

• Team Leader – a security risk assessment tool selection engagement for Pfizer – Oct 2004-Nov 2004.

• Team Leader - a HIPAA privacy and security assessment tool selection project for the State of Illinois – Jun 2004-Sep 2004.

• Team Leader - an e-portal security architecture design project for an internal department of the Irish Government in Dublin, Ireland – Feb 2004-May 2004.

• Team Leader - the HIPAA Privacy and Security assessment team for the State of New Jersey Department of Human Services (DHS) and Department of Health and Senior Services (DHSS) including development of privacy and security policies – Sep 2003-Jan 2004.

• Participated in the Pfizer third party data mapping and data sharing assessment, relative to electronic protected health information (ePHI) - Aug 2003-Sep 2003

• Team Leader - a large security assessment project for the DC Gov in Washington, DC, based on the NIST Security Standards – Jun 2003-Aug 2003.

• Team Leader - HIPAA Privacy and Security implementation project for Safeway Pharmacies in Livermore, California, including development of policies and procedures - Feb 2003-Apr 2003

• Team Leader - HIPAA Privacy and Security implementation project including development of policies and procedures for Cooper Green Hospital in Birmingham, Alabama – Feb 2003-Apr 2003.

• Team Leader - HIPAA Privacy and Security implementation project including development of policies and procedures for Carolina Care Health Plan in Columbia, South Carolina – Feb 2003-Apr 2003.

• Performed the HIPAA Privacy and Security assessment for Carolina Care Health Plan in Columbia, South Carolina – Dec 2002-Feb 2003.

• Performed the HIPAA Privacy and Security assessment for Safeway Pharmacies and Salt Lake City Data Center out of Livermore, California – Dec 2002-Feb 2003.

• Team Leader - the HIPAA Privacy and Security assessment team for the Commonwealth of Pennsylvania covering seven different facility types, including a mental retardation center and the Department of Corrections (DOC) facility at Graterford, PA - Dec 2002-Feb 2003

• Team Leader - an ISO/IEC 17799 security assessment for JDS Uniphase in San Jose, California – Oct 2002-Nov 2002

• Team Leader - the HIPAA Privacy and Security implementation project for Ochsner Health Plan of Louisiana including a SSO vendor selection and implementation project, along with the development of appropriate policies and procedures - Oct 2001-Sep 2002.

• Team Leader - the HIPAA Privacy and Security assessment and implementation team at the Georgia Department of Human Resources in Atlanta, Georgia - Jun 2002-Aug 2002

• Performed the HIPAA Privacy and Security assessment, including development of policies and procedures, at county-operated Cooper Green Hospital in Birmingham, Alabama - May 2002-Jun 2002

• Performed the HIPAA Privacy and Security assessment at Jefferson County Rehab Center in Birmingham, Alabama - Jun 2002-Jul 2002

• Team Leader - the Lazard penetration testing (pen-test) engagement in New York, New York - Jun 2002-Jul 2002

• Performed an assessment of software compliance features for KANA Software in San Jose, California - May 2002

• Served as a subject matter advisor on the HIPAA Security assessment for the AHCA State of Florida engagement - Feb 2002-May 2002

• Performed HIPAA security assessment for Ochsner Health Plan of Louisiana - Feb 2001-Apr 2001

• Team Leader - the eight-member security assessment team that completed 39 ISO/IEC 17799 security assessments of ING business units in Canada, the US and Latin America, including providing the client with security budget estimates for 2002 - Mar 2001-Aug 2001

• Performed a HIPAA security assessment for Jeannette District Memorial Hospital in Pittsburgh, Pennsylvania - Mar 2001-Apr 2001

• Developed the HIPAA security methodology and solutions for BearingPoint and Perot Systems HIPAA practices

The industries in which Mr. Tonick has specific experience include financial services, manufacturing, retail, consumer products, information and communications, and health care. His client list includes the following:

Cooper Green, ViaSat, US Census, Irish Gov, Sprint Nextel, ING, Ochsner, Jefferson County, AL, JDS Uniphase, Lazard, KANA, Commonwealth of PA, GA DHR, FL AHCA, Safeway, Carolina Care, DC GOV, Pfizer, State of NJ, FEMSA

Professional Background

Prior to joining BearingPoint, Mr. Tonick served briefly as Chief Security Officer of the HIPAA Practice at Perot Systems. Mr. Tonick led many security consulting and product engagements for Perot Systems' clients. He has personally been involved in incident response, intrusion detection, network and system vulnerability assessments, computer forensics, policy development, and implementation of security solutions for a large telecommunications company, health care providers, and transportation firms.

While with Perot Systems, Mr. Tonick also served in the highest security role in the company as Manager of Information Security, and managed the development of a corporate-wide security awareness program. In addition, he led physical penetration testing of client offices and data centers, managed firewall installation projects, developed enterprise policies, procedures and guidelines, and chaired an internal network security design/review committee for approval and authorization of client network interconnections into the Perot Systems corporate network.

Mr. Tonick spent 25 years with Southwestern Bell Telephone Company in Dallas, Texas. Mr. Tonick began his security career in corporate security in the mid-1970s and added IT security in the early 1980s. He managed large teams of employees (100 or more) during his long career with the telephone company. In 1989, while with Southwestern Bell Telephone, Mr. Tonick was requested by the U.S. Secret Service and the Dallas FBI office to lead a team performing computer forensics analysis on well-known hacker Justin Petersen's seized personal computer. In 1995, while assisting the US Secret Service and the Houston District Attorney's office, Mr. Tonick personally tracked down a Houston-based hacker and participated in the raid, arrest and seizure of evidence at the residence. The hacker was convicted and provided information to investigators that eventually brought convictions against four other hackers involved in the ring. The case became known in law enforcement circles as "Operation Cybersnare".

During his career, Mr. Tonick was awarded two NOVA achievement awards and a Ryder service award from Southwestern Bell Telephone Company.

Mr. Tonick is a charter member of the Center for Internet Security (CIS). He is also a member of the High Tech Crime Investigators Association (HTCIA), the Society of Competitive Intelligence Professionals (SCIP), NIPC's InfraGard, ASIS International (ASIS) and the Information Systems Security Association (ISSA).

Certifications

Mr. Tonick holds the following security certifications:

• Certified Information Systems Security Professional (CISSP #4011) as certified by the International Information Systems Security Certification Consortium (ISC2).

• Licensed to perform threat based risk assessments using the Sandia Lab’s Risk Assessment Methodology for Water (RAM-W), Transmission (RAM-T) and Dams (RAM-D).

• Certified HIPAA Security Professional (CHSP) as certified by the International Information Systems Security Certification Consortium (ISC2).

• Certified by the NSA in both the INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM).

• Archer Certified Consultant (ACC) for Archer's Enterprise Security Management product.

• Department of Homeland Security Community Emergency Response Team (CERT) certification.

• Certified by BSI Management Systems as an ISO/IEC 27001:2005 Information Security Management Systems Auditor/Lead Auditor.

Certification Dates

• Cisco CCIE Written Exam – October 1996

• CCSA Certification – June 1998

• CCSE Certification – June 1998

• CISSP Certification – August 1998

• CHSP Certification – March 2004

• IAM Certification – December 2004

• IEM Certification – December 2004

• ACC Certification – March 2005

• CERT Certification – December 2005

• ISO/IEC 27001:2005 ISMS Auditor/Lead Auditor – March 2007

Copyright 2006, SecurityFocus