Experience

RSH Consulting, Inc.

• United States
• Information Technology & Services
• 1 - 100 Employee

• President and Lead RACF Specialist

  • Jul 1992 - Present

  Mr. Hansel has helped over 150 organizations strengthen their RACF and z/OS cybersecurity. His clients include insurance companies, Payment Card Industry (PCI) firms, financial services firms, utilities, universities, retailers, healthcare providers, and manufacturers. He has worked with RACF databases ranging in size from less than 100 users to well over 750,000. He has completed nearly every conceivable RACF-related task, including: _Conducted extensive RACF security reviews and audits _Reduced privileges and access authority of Started Tasks _Enhanced z/OS UNIX security controls _Protected operator commands, JES, SDSF, and EJES resources _Implemented protection for tape datasets, RMM, and CA-1 _Replaced OPERATIONS with storage administration authorities _Improved RACF backup and recovery procedures _Implemented password rules, exits, KDFAES, and mixed-case _Developed customized REXX and DFSORT/ICETOOLS control status and monitoring reports _Implemented dataset PROTECTALL _Enhanced RACF controls for CICS, IMS, DB2, and MQ _Protected z/OS Communication Server TCP/IP resources _Implemented RACF interfaces with system software products such as TMON and ZEKE _Compared, synchronized, merged, resized, and reorganized RACF databases _Automated administration using HR data _Eliminated obsolete and invalid profiles and permissions _Activated SETROPTS and other options to improve user activity monitoring and logging _Implemented RACF performance enhancements _Redesigned RACF group naming conventions and architectures using RBAC principles _Enhanced delegation of administration authorities _Brought controls into compliance with SOX, HIPAA, GLB, DISA-STIG, PCI, and SOC2 requirements _Drafted RACF security policies and standards, and instituted data ownership Mr. Hansel has delivered hundreds of presentations on RACF at training seminars, conferences, and RACF user group meetings. He is the author of several magazine articles on RACF and RSH's quarterly RACF Tips newsletter. Show less



Coopers & Lybrand (now Pricewaterhousecoopers)

• Manager, Northeast Region IT Security Services Practice Leader and IT Auditor

  • Aug 1990 - Jun 1992

  Conducted security audits and reviews of over 40 implementations of RACF, CA-ACF2, and CA-Top Secret for international banks, insurance firms, telecommunication companies, financial services firms, state government agencies, and universities. Assisted a major financial services firm with developing their data ownership and classification program. For same client, developed technical guidelines for implementing security standards in CA-Top Secret, Novell LANs, and DEC minicomputers. Assisted with the design of security functionality for a DB2-based application. Participated in the enhancement of RACF and DB2 security standards for a telecommunications company. Prepared and presented MVS, RACF, and application audit training to in-house staff. Show less



Fairfax County Government

• United States
• Government Administration
• 700 & Above Employee

• Computer Security Manager

  • Dec 1986 - Jun 1990

  Hired as the first computer security manager for Fairfax County, Virginia and established the County's initial information security management program. Working directly with senior management, defined program goals and plans, published their first security policy, established data ownership, and won approval for project budgets totaling over $500,000. Developed job descriptions for new positions and recruited, hired, and trained security administration staff. For the County's MVS/ESA system with 4,500 users, implemented RACF from initial installation to full control over batch, TSO, ROSCOE, DB2, CICS, and IDMS users and resources. Trained over 160 decentralized security administrators and IT staff in the design, implementation, and administration of RACF controls. Prepared RFPs and managed RACF consulting projects. Evaluated, implemented, and administered access controls within ROSCOE, CICS, VTAM, and several other MVS system software products and within VM. Participated in the design, implementation, and administration of internal security controls in CICS financial applications. Completed many other security-related projects for the County. Designed physical security controls for an existing and new data center. Led efforts to develop dataset naming conventions and institute the County's first software change management process. Reorganized and modernized production batch management processes to facilitate the implementation of more effective RACF controls. Revised disaster recovery plans and initiated acquisition of hot-site backup services. Created a county-wide security awareness program which included briefings, monthly newsletters, and posters. Educated and advised end-users in the selection and implementation of PC and LAN security measures. Show less



Advanced Information Management

• Senior Computer Security Consultant

  • Jul 1985 - Dec 1986

  Provided computer security advice and assistance to commercial and Federal government clients. Assisted the U.S. EPA in establishing their computer security program and preparing their initial overall IT security policy as well as policies and standards specific to PC security. Assisted in the preparation of IT disaster recovery plans for a major university, a stock exchange, and a Federal agency. Evaluated the implementation of Top Secret for a university. Developed the computer security module for the World Bank's quality assurance program which included system access control standards for their Burroughs mainframe. Assisted a large mid-west savings and loan in developing their computer security program, policy, and plans. Show less



The George Washington University

• United States
• Higher Education
• 700 & Above Employee

• Cybersecurity Instructor, Adult Continuing Education Program

  • Feb 1984 - Aug 1985

  Taught a course in IT security and auditing. Course provided an overview of the managerial and technical issues associated with IT security. Designed the structure and content of the course, developed all lecture and audiovisual materials, and conducted all lectures including using live TV. Taught a course in IT security and auditing. Course provided an overview of the managerial and technical issues associated with IT security. Designed the structure and content of the course, developed all lecture and audiovisual materials, and conducted all lectures including using live TV.



Advanced Technology, Inc. of Reston, VA

• Computer Security Consultant

  • Jul 1984 - Jul 1985

  Provided computer security advice and assistance to the U.S. Department of Education. Developed a comprehensive application security review guide and conducted detailed security reviews of financial, payroll, personnel, and program management applications. Participated in an in-depth security review of a major MVS data center with ACF2. Revised department-wide security policies. Prepared an extensive handbook on designing and programming application security technical controls which was still in use 15 years later. Developed and presented training IT security program objectives and classes. Show less



Marine Corps Recruiting

• Armed Forces
• 700 & Above Employee

• Lieutenant Colonel (retired), Data Systems Officer (MOS 4002)

  • Jun 1976 - Jul 1984

  While on active duty (1976-1984), held various data center management positions including computer operations manager, source data automation minicomputer manager, programming manager, and deputy director. Designed and developed on-line data entry applications and a property management COBOL application. Developed a base-wide policy on IT services and supervised revision of disaster recovery plans. Awarded the Commanding General's Certificate of Commendation for accomplishments at MCRD, Parris Island. For last three years on active duty, served as a computer security instructor for the Department of Defense Computer Institute (since incorporated into the National Defense University (NDU)). Taught classes covering all facets of computer security management as well as physical, technical, administrative, and personnel controls. Developed and enhanced lectures covering security regulations, risk analysis, operating systems security, database security, and security implementation. Made significant contributions toward revising the overall content and structure of the 5-day computer security course. Awarded the Defense Meritorious Service Medal. As a Reservist (1984-1997), assisted in the development of Marine Corps IT security policies, standards, and procedures. Conducted technical security reviews of CA-Top Secret implementations and updated MVS mainframe security standards. Revised guidelines for preparing system security plans and evaluated plans developed using these guidelines. Drafted security standards for Banyan VINES and performed a security assessment of a large VINES network. Developed and taught IT security courses covering general security topics as well as the implementation of security controls with CA-Top Secret, VINES, and Windows NT. Drafted major changes to the U.S. Department of the Navy Physical and Personnel Security manual. Awarded the Marine Corps Meritorious Service Medal for accomplishments at Marine Corps Computer Sciences School. Show less