Front Page

# Welcome to my wiki. Some ways to contact me:

  • via email: scortes@ccs.neu.edu or sarah.cortes@post.harvard.edu (Optional: PGP Key: 226CCE21)
  • via chat: sarah@ipvtech.is (Optional: OTR Key Fingerprint: 407E6144 40622F8E 011A6D6C 67D8EB70 51F82E87)
  • via Skype: sarah_cortes
  • via phone: 330-99-CYBER
  • via Twitter: @SarahCortes
  • via LinkedIn: www.linkedin.com/in/SarahCortes

Leader and cybersecurity expert with a proven track record over 20 years of delivering excellence in security solutions while managing globally dispersed teams of 100+ staff. Financial services, biotech, biopharma, higher education, and defense industries. Extensive Middle East and Europe business experience in Stockholm, Reykjavik, Berlin, Paris, London, Cairo. Technology expertise in a variety of domains, including information security, security operations, privacy and security engineering, audit and compliance, and security incident management and response. Public speaking and technical presentations at conferences, invited speeches, and extensive peer-reviewed publications.

My other websites

Photos and videos

Biography

Sarah Cortes, MS, CISA, AAFS, is President of Inman Technology. She earned her undergraduate degree at Harvard University, and holds an M.S. from Boston University, in Computer Science, Information Security. She is ABD PhD in Computer Science, Information Assurance at Northeastern University’s College of Computing and Information Science, and also studies Forensic Science at Boston University Medical School.

Prior to undertaking her Ph.D., Sarah was a Senior Vice President for Security, IT Audit and Disaster Recovery at Putnam Investments, an investment management firm with over $400 billion in assets under management, 79 mutual funds, 96 institutional clients, and over seven million shareholders and retirement plan participants. She oversaw Putnam’s recovery on 9/11 when then-parent company Marsh & McLennan’s World Trade Center 99th floor data center was destroyed. She also supervised over 65 IT audits per year in that capacity. As a senior executive and later consultant for Putnam and other Fortune 500 firms, Sarah also had responsibility for major applications development, data center and other operations, with 100+ staff and $50m budgets. Before that, Sarah was a Sr. VP for Data Center and Security Operations with BNY Mellon Bank, a global investments company with $1.6 trillion in assets under management, previously a part of Shearson/Lehman/American Express, the giant financial services conglomerate.

Sarah has published extensively on computer security, privacy, and the darknet, including MLAT.is World Treaty Cartel Internet Overlay for Digital Traffic Analytics, featured in the 2017 IEEE International Symposium on Technologies for Homeland Security (HST17). She regularly serves as a referee for Computers & Security Journal.

She has implemented numerous computer applications in use today. Together with Department Chair, Boston University School of Medicine, Department of Biomedical Forensic Sciences and former Cellmark lab director Dr. Robin Cotton et al., Sarah implemented the DNA Mixtures online tool, with a grant from the US Department of Justice. DNA Mixtures was highlighted in the Executive Office of the President, President’s Council of Advisors on Science and Technology (PCAST), Report to the President: Forensic Science in Criminal Courts: Ensuring Scientific Validity of Feature-Comparison Methods in 2016.

A former analyst for the US Department of Energy, she led the National Institute for Science and Technology (NIST) Cybersecurity Working Group sub-team that created the security and privacy laws section of the report, as co-author of the 2014 NIST: Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid, as well as the 2010 volume. She served on the privacy use cases team for two years and the NIST cybersecurity working group (CSWG) on Smart Grid privacy for seven years. She has co-led Northeastern University Law School Legal Skills in Social Context (LSSC) clinics on surveillance law and online privacy tools and technology, as well as an MIT Co-Design Studio class at MIT Media Lab. She has helped draft data breach laws, and testified before the Massachusetts legislature and regulatory agencies.

In addition to her work on various industry standards bodies, Sarah serves on the IEEE (Institute of Electrical and Electronics Engineers) P1912 Privacy and Security Architecture for Consumer Wireless Devices Working Group. While completing her PhD, Sarah interns at the Alameda County Sheriff’s Office Crime Lab in Digital and Multimedia Evidence. In her work to help end cyberstalking and abuse through technology, Sarah serves on the Boards of Emerge, the first Abuser Intervention Program (BIP), and Each One Teach One, dedicated to training for technology employment.

Work Experience

Inman Technology IT 2004-Present
Launched and run IT company providing consulting to Fortune 500 firms. Provide hands-on services in the following areas:
∙ Security Incident Management and Response
∙ Security Operations
∙ Security Engineering
∙ Information Security and Privacy
∙ IT Audit, Compliance
∙ Complex Application Development and Implementation
∙ Disaster Recovery/High Availability
∙ Data Center Operations Management
∙ Program/Project Management
∙ Darknet
∙ Threat Intelligence
∙ Data Breach
∙ Litigation support

Clients include:
∙ Fidelity Management & Research
∙ Fidelity Brokerage Company
∙ Draper Laboratory
∙ Sanofi Genzyme
∙ Biogen Idec
∙ Harvard Law School
∙ Harvard University Information Systems
∙ Boston University
∙ Venable LLC

Putnam Investments, Boston, MA 1993-2004
A subsidiary of Great-West Lifeco, which is controlled by Power Corporation of Canada. Previously a subsidiary of Marsh & McLennan
Investment management firm, with over $400 billion in assets under management, 79 individual mutual fund offerings, 96 institutional clients, and over seven million shareholders and retirement plan participants.
∙ Sr Vice President, IT Security Operations, SOC, Security Engineering, Security Incident Management and Response, Disaster Recovery/High Availability, Audits & Client Transmissions
∙ Vice President, Investment Trading and Analytics Systems

The Boston Company/Shearson/Lehman/American Express, Boston, MA
A subsidiary of BNY Mellon Bank, a global investments company with $1.6 trillion in assets under management. Previously a subsidiary of Shearson/Lehman/American Express, a financial services conglomerate with brokerage, asset management and investment banking services.
∙ Sr Vice President, Data Center Operations (1992-1993)
∙ Vice President, Disaster Recovery Planning
∙ AVP, Manager of Mutual Fund System Development and Support
∙ AVP, Manager, Portfolio Accounting Operations and Services
∙ Manager of Mutual Fund Performance and Analysis Services
∙ Management Training Program, Executive Assistant to CEO of The Boston Company, and Vice Chairman of Shearson Lehman

US Department of Energy, Office of Hearings and Appeals, US Federal Government Washington, DC
∙ Programmer Analyst- wrote programs to analyze price fluctuations to detect price gouging.
∙ Law clerk and legal analyst for cases heard regarding charges of violations of US Energy Department Regulations and US laws

Sample Consulting Engagements
As IT Security Senior strategic consultant to the Board for a major defense research and development organization:
∙ Reported directly to Board and Audit Committee
∙ Evaluated all aspects of Information Security operations and engineering
∙ Provided opinion on audit readiness
∙ Made strategic recommendations to Board

As project manager for a very large global financial services company:
∙ Led large interdisciplinary teams of up to 50
∙ Implemented a variety of risk and security projects, including:
∙ Application and database authentication and authorization, custom-developed and package, and transmission encryption
∙ Delivered Compliance assessment with 41 security and control policies, including platform configuration, network security, change control, cryptography, firewalls, information architecture, application and database security development
∙ Implemented Database logging across thousands of high-risk databases
∙ Implemented tools/programs to ensure closure for hundreds of outstanding audit issues

As project manager at a large global biotech company:
∙ Implemented new Disaster Recovery infrastructure across four worldwide sites
∙ Reported directly to CIO
∙ Analyzed technical and network architecture and business, applications
∙ Developed technical alternatives for high availability or redundant architecture.
∙ Presented capital expenditure to Capital Investment Committee.
∙ Worked with vendors to implement recoverable application configurations.

As project manager at a major University:
∙ Negotiated major equipment and service increases for Disaster Recovery and Business Continuity on vendor contracts at the same price as university was currently paying.
∙ Implemented automated Disaster Recovery, cutting recovery time and reducing staff time per test
∙ Worked with business units to involve them in the BC/DR process and document business requirements and acceptance criteria
∙ Implemented controls to ensure compliance with audit requirements

Publications

Sarah Cortes, MLAT World Treaty Cartel Internet Overlay for Digital Traffic Analytics, MLAT.is, Proceedings of the 2017 IEEE International Symposium on Technologies for Homeland Security (HST17), 2017, in press.

Aaron Jaggard, Aaron Johnson, Sarah Cortes, Paul Syverson, and Joan Feigenbaum, 20,000 in League Under the Sea, Anonymous Communication, Trust, MLATs, and Undersea Cables, Proceedings on Privacy Enhancing Technologies (PETS-15th International Symposium). 1(1), pp 4–24, (2015). ISSN (Online) 2299-0984, DOI: 10.1515/popets-2015-0002.

Sarah Cortes, Legalizing Domestic Surveillance: The Role of Mutual Legal Assistance Treaties in Deanonymizing TorBrowser Technology, Richmond Journal of Law and Technology, Vol. 22 #2 (December 2015), pp. 1-99, http://jolt.richmond.edu/2015/12/05/v22i1article2.

Sarah Cortes, Cyberterrorism. In The SAGE Encyclopedia of War: Social Science Perspectives, Ed. Paul Joseph (2016) DOI: http://dx.doi.org/10.4135/9781483359878.n174.

Robin W. Cotton, Catherine Grgicak, Sarah Cortes, Margaret Terrill, Charlotte J. Word, DNA Mixtures, www.DNAmixtures.com. Boston University School of Medicine, Biomedical Forensic Sciences. This project was supported by Award No. 2008-DN-BX-K158 awarded by the National Institute of Justice, Office of Justice Programs, U. S. Department of Justice. Note: This application was highlighted in Executive Office of the President, President’s Council of Advisors on Science and Technology (PCAST), Report to the President: Forensic Science in Criminal Courts: Ensuring Scientific Validity of Feature-Comparison Methods, September 20, 2016, p. 83. https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_forensic_science_report_final.pdf.

Sarah Cortes, CircuitBlasTor: Practical Privacy Optimizing for Real-life Proprietary Information Protection, (submitted).

“Jurisdictional Arbitrage in Anonymous Network Path Selection” (with Andrew Lewman (The Tor Project, Norse, Farsight Security), Aditya Rao and Christo Wilson (Northeastern University)) (under publication review).

Sarah Cortes, Rebecca Herold, Gal Shpantzer, Chris Veltsos, “Chapter 3: Legal Frameworks for Smart Grid Privacy,” (with the Smart Grid Interoperability Panel Cyber Security Working Group (CSWG)) NIST: NISTIR 7628 2014 Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid, 2014, pp. 8-21 (pp. 304-317).

Sarah Cortes, Rebecca Herold, Gal Shpantzer, Chris Veltsos, “Chapter 3: Legal Frameworks for Smart Grid Privacy,” (with the Smart Grid Interoperability Panel Cyber Security Working Group (CSWG)) NIST: NISTIR 7628 2010 Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid, 2010, pp. 7-15 (pp. 323-331).

Software Applications

Some sample applications I have implemented for Fortune 500 clients or major educational institutions

  • DNA Mixtures- Boston University Biomedical Forensic Sciences Department, BU Medical School- supported by Award No. 2008-DN-BX-K158 awarded by the National Institute of Justice, Office of Justice Programs, U. S. Department of Justice
  • Biopharmaceutical Clinical Trial System - major global Biopharmaceutical Company located in Cambridge, MA
  • Global Equity, Fixed Income, Cash and Derivative Instruments MultiCurrency Accounting Systems - major Financial Services Company located in Boston, MA, New Hampshire and Rhode Island
  • Faculty Information System, Harvard Law School
  • Held-Away Assets, for a major asset management company in the Boston area: major complex application to incorporate all client assets from all financial institutions
  • Global Multi-Currency Investment Company Fund Accounting system, for a major asset management company headquartered in the Boston area
  • Cash Investment Company Fund Accounting system, for a major asset management company

Education

  • ABD PhD, Northeastern University, (Ph.D. expected Dec. 2017) College of Computing and Information Science: Computer Science: Information Assurance

  • Northeastern CCIS profile
  • dissertation

    PhD Committee:
    • László Barabási (Northeastern University, College of Computing & Information Science)
    • Engin Kirda (Northeastern University, College of Computing & Information Science)
    • Thomas Koenig (Northeastern University)
    • Paul Syverson (Center for High Assurance Computer Systems (CHACS) of the Naval Research Laboratory (NRL))

    • Software Vulnerabilities, Computer Networking, Network Security
    • Operating Systems, Social Computing
    • Physics 5116: Dynamical Processes on Complex Networks
    • Physics 7331: Network Science Data
    • Cyberlaw

  • Boston University Medical School, Department of Biomedical Forensic Sciences 2015-16
    Dr. Robin Cotton, Department Chair, Advisor
    • M. S. - level classes in the M. S. Biomedical Forensic Sciences Program
    • Forensic Sciences: Crime Scene Analysis
    • Forensic Sciences: Criminal Ethics and Law- Evidence
    • Forensic Sciences: Criminal Law II-Expert Witness
  • MS Boston University, Computer Science - Information Security, 2011

    • Software Security, Database Security, Network Security, Information Security, IT Security Policies
    • Data and Telecommunications
    • Database Management, Data Mining
    • Java Programming, Data Structures, Analysis of Algorithms
    • Digital Forensics, Biometrics
  • AB Harvard University
    • Languages. Coursework in:
    • Applied Mathematics
    • Computer Engineering
    • Circuit Board Engineering
    • Assembly Language
    • Managerial Finance
    • John Harvard Scholar
    • Agassiz Scholar
    • Harvard Crimson Daily newspaper, editorial editor

Certifications

  • Boston University, Certificate in Private Investigation- 2010
    • Met educational requirement for Board Certified Criminal Defense Investigator (CCDI) from Criminal Defense Investigation Training Council
    • Investigative research, Investigative Interviewing, Investigative Surveillance
    • Instructor: Former Chief of Police, Town of Winthrop & Town of Spencer, Massachusetts
  • CISA, Certified Information Security Auditor, ISACA, the International Information Systems Audit and Control Association, 2008
    • Information systems audit, control and security auditing practices and techniques
    • Gathering and preserving evidence in forensic investigations
    • Control objectives and reporting techniques
    • Applicable laws and regulations affecting investigation scope, evidence collection and preservation
    • Evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence
  • PMP, Project Management Professional, Project Management Institute (PMI), 2007

Research Interests

Skills/Expertise

Implementations in the following industries: Financial Services, Academic, Biopharmaceutical, Biotech, Defense, Legal. Fixed Income and Equity Trading, Derivatives, Middle Office, Back Office, Domestic and Global Currency, Cash Management, Investment Analytics, Investment Performance Measurement, Brokerage, Accounting and Fund Accounting, Pricing, Custody, Asset/Liability Management, Finance, HR systems, Inventory management

Regulatory Domain Expertise: Sarbanes-Oxley, COBIT, Securities Act of 1933, Securities Act of 1940, SEC, FDIC, ISEE, Mass Division of Banks, General Privacy Laws, Data Breach Laws, FDA 201 CFR part 11 Federal regulations

Control Framework/Audit Expertise: COBIT - ISACA, SSAE- AICPA, NIST 800, ISO/IEC 27000, ITIL, PMBOK, TOGAF, Prince2, US DoD -CMMI SEI

Implementations in the following environments or technologies:
  • Operating Systems: OSX, Solaris, Windows, Unix, Linux, OS/400, VMS, MVS, Ubuntu, FreeBSD
  • Databases: Oracle, Sybase, MS-Sql, DB/2, Access
  • Messaging: MQ, CICS, Outlook-Exchange Server, Notes-Lotus Domino
  • Application-related: Flex, Netbeans IDE, Flash, xml, html, javascript, Ruby, PHP, C++, SQL, MySQL, Scala, Rhino, java, j2ee, CSS, Sql Server, asp.net, perl, Weblogic/Websphere, RSS, JSP, SharePoint, Documentum, Peoplesoft, SAP, Siebel CRM, Charles River Trading, EzeCastle, Thomson Financial, Reuters, WebEvents, Trumba, Bloomberg, OaSys, SAP
  • Web-related: REST, SOAP, CORBA, Apache Tomcat, Apache http web server, CMS-Rhythmyx-Percussion, CMS-iNet, Dreamweaver, Adobe CS3
  • Other Security: Fortify, Sun Identity Management Suite, ACF2, RACF, Custom ACL, pgp
  • Digital Forensics: Cellebrite, FTK, Encase
  • Disaster Recovery: Sungard, Comdisco, IBM, Iron Mountain, EMC SRDF
  • System Development Lifecycle Methodologies: Agile, RUP, SCRUM, Summit-D, MS Project, SDLC

Selected Invited Talks, Speaking Engagements and Paper Presentations

2017:

2016:

  • NACACS, ISACA’s North America Computer Audit, Control and Security Symposium, Orlando, FL. Invited speaker jointly with Rebecca Herold, the Privacy Professor, a renowned privacy expert. ISACA is the International Information Systems Audit and Control Association.

2015:

2014:

2013:

2012:

2011:

2010:

2009:

  • Bentley University Usability Forum, Waltham, MA: invited speaker
  • Suffolk University: Project Management and OpenSource: MBA class, Sawyer School of Business, Boston, MA: invited speaker
  • Project Management Institute (PMI) Annual Conference, Waltham, MA: COBIT and IT Standards: invited speaker

Legislative Testimony

In the Press (sample)

6/26/15- SWIFT Institute and University of Delaware collaborate on cyber security challenges, SWIFT Institute blog
3/18/15- Experts: Consumer Privacy Bill of Rights may ease privacy compliance, TechTarget Media
Mass. legislator: Revisit data security law, Boston Business Journal
State moving to rework data security law, Boston Business Journal

Academic & Related Appointments

Northeastern University Law School, Legal Skills in Social Context Clinic (LSSC)

MIT CoDesign Studio, MIT Media Lab 2013-14

The Tor Project, Inc. 2012-15

  • Researcher – File/Analyze FOIAs/FOIPAs
  • Collaborate with US Naval Research Laboratory (NRL) researchers on network path selection

Harvard Extension School 2011-13

Suffolk University, Sawyer Business School, Strategy and International Business Department 2009

  • Guest lecturer, MBA class. Project Management and OpenSource

Harvard Senior Common Room, Cabot House 1990-2013

  • Technology and Business Tutor. SCR members are appointed by Harvard House masters as prominent achievers in their field to advise students.
  • Advised students, helped them with their resumes, computer skills, and job search.

Prospect Hill Academy, Cambridge, MA 2014-Present

  • Teaching Assistant, teaching high school youth computer programming and related skills.

Cambridge Rindge and Latin School, Cambridge, MA 2015-Present

  • Teaching Assistant, teaching high school youth computer programming and related skills.

Honors and Awards

2013 World Bank Hack-a-Thon Team, First Prize, Washington DC

  • First Prize for team development of an application, fuerza.is, to help fight domestic violence

Sample Professional Organizations, Activities and Affiliations

Alameda County Sheriff’s Office Crime Lab 2017-Present
- Digital and Multimedia Evidence Processing
- Sample tools: Cellebrite, EnCase, FTK
- Internship while completing PhD
- Evidence identification, preservation, extraction, and analysis, report preparation
- Hands-on crime scene processing: evidence and onsite extractions, including CCTV
- Software validation testing, Cellebrite Physical Analyzer, Cellebrite UFED Digital Forensics tools
- Criminal cases include homicide, sexual assault, child porn, robbery
- Examine warrants and ensure legal compliance

American Academy of Forensic Sciences (AAFS)- Member 2017-Present

High Technology Crime Investigation Association (HTCIA)- Member 2017-Present

National Institute for Science and Technology (NIST) SGIP-CSWG: Smart Grid Interoperability Panel, Cyber Security Working Group

  • Led the Legal sub-team that created, and then updated, the privacy laws section of NISTIR report 2009-2014
  • Privacy Use Cases sub-team 2009-2012
  • Smart Grid Interoperability Panel Cyber Security Working Group (CSWG) 2009-present

IEEE P1912 – Institute of Electrical and Electronics Engineers, Privacy and Security Architecture for Consumer Wireless Devices Working Group, subcommittee lead on research and use cases.

Professional Services and Consulting: Technology and Business

  • Professional Services, for Fortune 500 companies and major Universities

    • As Senior Vice President, Putnam Investments, a subsidiary of Marsh & McLennan, and SVP at the Boston Company, a subsidiary of Shearson Lehman and American Express, managed major business units for Fortune 500 asset management companies.
    • As President of Inman Technology Consulting, provide wide range of services to Fortune 500 companies and major universities
    • Executive Management- conducted strategic planning, goal-setting, management and execution for IT operations, IT Application Development and Client Services organizations
    • Human Resources Management- have managed multiple groups with 200+ staff
    • Operations Management- have managed Data Center Operations for mainframe and distributed platforms
    • Information Security, Privacy - managed large IS operations, strategy and incident management teams
    • Litigation Support/Expert Witness
    • Audit- Oversaw over 65 IT audits per year
    • Disaster Recovery - responsible for all DR, including failover on 9/11
    • Project Management- Major Application development
    • Financial oversight- managed budgets of up to $50 million/year

Professional Services: Litigation Support/Expert Witness

Journalism

Photography and Videography

Fundraising

  • Educational Organizations
    • Harvard University - Annual Giving Co-Chair, Reunion Giving Co-Chair
    • National Cathedral School for Girls - Capital Campaign Special Gifts Committee
    • Milton Academy - Annual Giving Committee, 2003-2014
    • Shady Hill School - Capital Campaign Major Gifts Committee, 2000-2004
    • Cambridge Ellis School - Director 1994-1997. Capital Campaign Steering Committee
  • Social Services Organizations
    • Emerge, Inc. - various fundraising campaigns
    • Transition House - Board Development campaigns

Community Service

Some of my nonprofit organizations, fundraising and Boards of Directors:

Lobbying

  • Work with members of the MA Legislature regarding bills affecting Cyberstalking

Languages

Advanced: French. Some: Italian, Russian, Latin, Greek, Arabic, Swedish

Other Training

Sports

Contact