Home

Hi, I’m Dr. Sarah Lewis Cortes. Some of my interests include Privacy Engineering and Privacy Law (MLATs), Information Security, SecOps, Audit, Risk, Compliance, DR, and Investigations. I’m also a Darknet Researcher. Welcome to my wiki.

Cortes_Sarah_linderpix120815-scortes-0652-high res.jpg

Some of my Other Websites

I am involved with a number of organizations and projects. You can find out more about me at:

For professional services, please go to:

For my academic and research interests, please go to my profiles on:

Also:

Quick links to sections below on this page:

Dr. Sarah Lewis Cortes, CIPP/E (GDPR), CISSP, CISA, CRISC

Some ways to contact me

  • via email: sarah.cortes@post.harvard.edu or scortes@ccs.neu.edu (PGP Key: 226CCE21)
  • via chat: sarah@ipvtech.is (OTR Key Fingerprint: 407E6144 40622F8E 011A6D6C 67D8EB70 51F82E87)
  • via Skype: sarah_cortes
  • via phone: 330-99-CYBER
  • via Twitter: @SarahCortes
  • via LinkedIn: http://www.linkedin.com/in/SarahCortes

Biography

  • cv
  • Short Bio

Dr. Sarah Lewis Cortes CIPP/E (GDPR), CISSP, CIPT, CISA, CRISC has more than 20 years of global-scale technology experience in domains including information security, privacy, and data management. As a Privacy Engineer in Information Security at Netflix, she is responsible for implementing comprehensive privacy programs. She earned her degrees at Harvard University, studied Forensic Sciences at Boston University Medical School, and holds a PhD in Computer Science, Cybersecurity from Northeastern University, specializing in the darknet, anonymous network communications, privacy and privacy law as well as information security, topics on which she has published extensively.

Sarah helped draft the first-ever US data breach law, in Massachusetts in 2008, and testified before the legislature on MGL 93H. She also testified before Office of Consumer Affairs & Business Regulation on privacy regulations, including 201 CMR 17.00

As part of the NIST Privacy/Security Working Group 2009-2016, she co-authored the NIST 7628, Smart Grid Security and Privacy Standards in 2010/2014.

She conducts training and research with the FBI, Interpol, the Alameda County Sheriff’s Office Digital Forensics Crime Lab, and other LEAs. Prior to undertaking her PhD, Sarah was Sr VP, Security, IT Audit/DR at Putnam Investments, a $1 trillion investment management firm. Before that, Sarah was Sr. VP,  Data Center/Security Operations, BNY Mellon/American Express, a $1.6 trillion global investments company.

Sarah has published and lectured extensively on privacy, the darknet, and security, including LISA USENIX and other keynotes. She has implemented numerous computer applications. Together with Department Chair, Boston University School of Medicine, Biomedical Forensic Sciences Dept. and former Cellmark lab director Dr. Robin Cotton et al., Sarah designed and implemented NIST DNA Mixtures Online, with a grant from the US Department of Justice. DNA Mixtures was highlighted in the recent Executive Office of the President, President’s Council of Advisors on Science and Technology (PCAST), Report to the President: Forensic Science in Criminal Courts: Ensuring Scientific Validity of Feature-Comparison Methods.

  • Long Bio

Dr. Sarah Lewis Cortes CIPP/E (GDPR)CISA, CRISC is in Privacy Engineering and Assurance at Netflix, responsible for implementing comprehensive privacy programs, including partner privacy. She earned her undergraduate degree at Harvard University, studied Forensic Sciences at Boston University Medical School, and holds a PhD in Computer Science, Cybersecurity from Northeastern University, specializing in the darknet, anonymity and anonymous network communications, privacy and privacy law as well as information security, topics on which she has published extensively.

Sarah helped draft the first-ever US data breach law, 2008 in Massachusetts, and testified before the legislature on Data Breach Laws, and Massachusetts General Law (MGL) Chapter 93H. She also testified before the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) on its privacy regulations, 201 CMR 17.00

As part of the NIST Privacy and Security Working Group from 2009-2016, she co-authored the NIST 7628, Smart Grid Security, Privacy Standards in 2010, and the 2014 revision.

She conducts training and research with the FBI, Interpol, the Alameda County Sheriff’s Office Digital Forensics Crime Lab, and other LEAs. She has implemented and overseen major security and privacy programs and operations in regulated industries, achieving compliance in SOC2, SOX, PCI and GDPR, and other laws and regulation and IT control frameworks.

Prior to undertaking her PhD, Sarah was Sr VP, Security, IT Audit/DR at Putnam Investments, an investment management firm with over $400 billion in assets under management. She oversaw Putnam’s recovery on 9/11 when then-parent company Marsh & McLennan’s World Trade Center 99th floor data center was destroyed. She also supervised over and 65 compliance and IT audits per year as well as incident investigations. As a senior executive and later consultant for Putnam and other Fortune 500 firms, Sarah also had responsibility for major applications development, data center and other operations, with over 100+ staff and $50m budgets. Before that, Sarah was a Sr. VP, Data Center/Security Operations/Compliance with BNY Mellon Bank/American Express.

Sarah has published extensively on computer security, privacy, mutual criminal legal assistance treaties (MLATs), and the darknet, including MLAT.is World Treaty Cartel Internet Overlay for Darknet and Digital Traffic Analytics for MLAT.is, featured in the 2017 IEEE International Symposium on Technologies for Homeland Security (HST17). She regularly serves as a referee for Computers & Security Journal.

She has implemented numerous computer applications in use today. Together with Department Chair, Boston University School of Medicine, Department of Biomedical Forensic Sciences and former Cellmark lab director Dr. Robin Cotton et al., Sarah implemented the DNA Mixtures online tool, with a grant from the US Department of Justice. DNA Mixtures was highlighted in the Executive Office of the President, President’s Council of Advisors on Science and Technology (PCAST), Report to the President: Forensic Science in Criminal Courts: Ensuring Scientific Validity of Feature-Comparison Methods in 2016.

A former analyst for the US Department of Energy, she led the National Institute for Science and Technology (NIST) Cybersecurity Working Group sub-team, as co-author of the 2014 NIST: Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid, as well as the 2010 volume, that created the security and privacy laws section of the report. She served on the privacy use cases team for two years and the NIST cybersecurity working group (CSWG) on Smart Grid privacy for seven years. She has co-led Northeastern University Law School Legal Skills in Social Context (LSSC) clinics on surveillance law and online privacy tools and technology, as well as an MIT Co-Design Studio class at MIT Media Lab. She has helped draft data breach laws, and testified before the Massachusetts legislature and regulatory agencies.

In addition to her work on various industry standards bodies, Sarah serves on the IEEE (Institute of Electrical and Electronics Engineers) P1912 Privacy and Security Architecture for Consumer Wireless Devices Working Group. Sarah serves as a postdoctoral researcher in Digital & Multimedia evidence at the Alameda County Sheriff’s Office Crime Lab in Digital and Multimedia Evidence, and trains law enforcement in forensic techniques. In her work to help end cyberstalking and abuse through technology, Sarah serves on the Boards of Emerge, the first Abuser Intervention Program (BIP), and Each One Teach One, dedicated to training for technology employment.

Professional

Work Experience

Netflix– Privacy Engineering and Assurance

Salesforce– Sr Program Manager for M&A Security, responsible for implementing comprehensive Security & Privacy programs across large acquired companies such as Mulesoft and Heroku.

Cloudflare- Principal Information Security Compliance Researcher

Inman Technology IT See Professional Services: Litigation Support/Expert Witness Launched and run IT company providing consulting to Fortune 500 firms. Provide hands-on services in the following areas:

  • Compliance including GDPR, SOC2, SOX, GLB, SSAE, GRX, ISO27000, NIST, COBIT &tc
  • Security Incident Management and Response
  • Security Operations
  • Security Engineering
  • Information Security and Privacy
  • IT Audit, Compliance
  • Complex Application Development and Implementation
  • Disaster Recovery/High Availability
  • Data Center Operations Management
  • Program/Project Management
  • Darknet
  • Threat Intelligence
  • Data Breach
  • Litigation support

Clients include:

  • Fidelity Management & Research
  • Fidelity Brokerage Company
  • Draper Laboratory
  • Sanofi Genzyme
  • Biogen Idec
  • Harvard Law School
  • Harvard University Information Systems
  • Boston University
  • Venable LLC

Alameda County Sheriff’s Office Digital and Multimedia Evidence Crime Lab, Oakland, CA 2017-Present

  • Digital and Multimedia Evidence Crime Lab
  • Sample tools: Cellebrite, EnCase, FTK, JTAG, chip-off, Keepass
  • Postdoctoral internship
  • Evidence identification, preservation, extraction, and analysis, report preparation
  • Hands-on crime scene processing: evidence and onsite extractions, including CCTV
  • Software validation testing, Cellebrite Physical Analyzer, UFED Digital Forensics tools
  • Criminal cases include financial crimes, fraud, skimmers, homicide, sexual assault, child abuse/CP, robbery, identity theft
  • Examine warrants and ensure legal compliance

Putnam Investments, Boston, MA
A subsidiary of Great-West Lifeco (Power Corporation of Canada); previously, Marsh & McLennan
Investment management firm, with over $400 billion in assets under management, 79 individual mutual fund offerings, 96 institutional clients, and over seven million shareholders and retirement plan participants.

  • Sr Vice President, IT Security Operations, Compliance, SOC, Security Engineering, Security Incident Management and Response, Disaster Recovery/High Availability, Audits & Client Transmissions
  • Vice President, Investment Trading and Analytics Systems

The Boston Company/American Express, Boston, MA
A subsidiary of BNY Mellon Bank, a global investments company with $1.6 trillion in assets under management. Previously a subsidiary of American Express, a financial services conglomerate with brokerage, asset management and investment banking services.

  • Sr Vice President, Data Center Operations and Compliance
  • Vice President, Disaster Recovery Planning
  • AVP, Manager of Mutual Fund System Development and Support
  • AVP, Manager, Portfolio Accounting Operations and Services
  • Manager of Mutual Fund Performance and Analysis Services
  • Management Training Program, Executive Assistant to CEO of The Boston Company, and Vice Chairman of Shearson Lehman

US Department of Energy, at the  Office of Hearings and AppealsUS Federal Government Washington, DC

  • Programmer Analyst- wrote programs to analyze price fluctuations to detect price gouging.
  • Law clerk and legal analyst for cases heard regarding charges of violations of US Energy Department Regulations and US laws

Professional Services: Litigation Support/Expert Witness

Certifications

  • CRISC, Certified in Risk and Information Systems Control, ISACA, the International Information Systems Audit and Control Association, 2019
  • CIPP/E (GDPR)IAPP, the International Association of Privacy Professionals, 2019
    • comprehensive GDPR knowledge, perspective and understanding to ensure compliance and data protection success in Europe
    • qualified to fulfill the DPO requirements
  • CISSP, Certified Information Systems Security Professional, 2019
  • CISA, Certified Information Security Auditor, ISACA, the International Information Systems Audit and Control Association, 2008
    • Information systems audit, control and security auditing practices and techniques
    • Gathering and preserving evidence in forensic investigations
    • Control objectives and reporting techniques
    • Applicable laws and regulations affecting investigation scope, evidence collection and preservation
    • Evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis
    • Forensic investigation techniques, computer-assisted audit techniques (CAATs) to gather, protect/preserve evidence
  • PMP, Project Management Professional, Project Management Institute (PMI), 2007
  • Boston University, Certificate in Private Investigation– 2010
    • Met educational requirement for Board Certified Criminal Defense Investigator (CCDI) from Criminal Defense Investigation Training Council
    • Investigative research, Investigative Interviewing, Investigative Surveillance
    • Instructor: Former Chief of Police, Town of Winthrop & Town of Spencer, Massachusetts

Academic

Publications

Owenson, Gareth; Cortes, Sarah; Lewman, Andrew. The darknet’s smaller than we thought: the life cycle of Tor Hidden Services. In Digital Investigation, International Journal of Digital Forensics & Incident Response, 2018

Sarah Lewis Cortes, Darknet Investigation and Forensic Techniques. In Proceedings of the American Academy of Forensic Sciences (AAFS), Seattle. v. 24, 2018.

Sarah Lewis Cortes and Gareth Owenson, A Freedom Hosting Darknet Case Study: Anatomy of a Takedown. In Proceedings of the American Academy of Forensic Sciences (AAFS), Seattle. v. 24, 2018.

Sarah Lewis Cortes, MLAT World Treaty Cartel Internet Overlay for Digital Traffic Analytics, PhD Dissertation, 2018.

Sarah Lewis Cortes, MLAT World Treaty Cartel Internet Overlay for Digital Traffic Analytics for MLAT.is, Proceedings of the 2017 IEEE International Symposium on Technologies for Homeland Security (HST17), April 2017.

Aaron JaggardAaron JohnsonSarah Lewis CortesPaul Syverson, and Joan Feigenbaum20,000 in League Under the Sea, Anonymous Communication, Trust, MLATs, and Undersea Cables, [pdf]Proceedings on Privacy Enhancing Technologies (PETS-15th International Symposium). 1(1), pp 4–24, (2015). ISSN (Online) 2299-0984, DOI: 10.1515/popets-2015-0002.

Sarah Lewis Cortes, Legalizing Domestic Surveillance: The Role of Mutual Legal Assistance Treaties in Deanonymizing TorBrowser Technology, Richmond Journal of Law and Technology, Vol. 22 #2 (December 2015), pp. 1-99, http://jolt.richmond.edu/2015/12/05/v22i1article2.pdf

Sarah Lewis Cortes, Cyberterrorism. In The SAGE Encyclopedia of War: Social Science Perspectives, Ed. Paul Joseph (2016) DOI: http://dx.doi.org/10.4135/9781483359878.n174 .

Robin W. Cotton, Catherine Grgicak, Sarah Lewis Cortes, Margaret Terrill, Charlotte J. Word, DNA Mixtures, www.DNAmixtures.com. Boston University School of Medicine, Biomedical Forensic Sciences. This project was supported by Award No. 2008-DN-BX-K158 awarded by the National Institute of Justice, Office of Justice Programs, U. S. Department of Justice. Note: This application was highlighted in Executive Office of the President, President’s Council of Advisors on Science and Technology (PCAST), Report to the President: Forensic Science in Criminal Courts: Ensuring Scientific Validity of Feature-Comparison Methods, September 20, 2016, p.83.

https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_forensic_science_report_final.pdf.

Sarah Lewis Cortes, CircuitBlasTor: Practical Privacy Optimizing for Real-life Proprietary Information Protection, (submitted).

“Jurisdictional Arbitrage in Anonymous Network Path Selection” Sarah Lewis Cortes, Andrew Lewman (The Tor Project, OWL Cybersecurity), Aditya Rao and Christo Wilson (Northeastern University)) (under publication review).

Sarah Lewis Cortes, Rebecca Herold, Gal Shpantzer, Chris Veltsos, “Chapter 3: Legal Frameworks for Smart Grid Privacy,” (with the Smart Grid Interoperability Panel Cyber Security Working Group (CSWG)) NIST: NISTIR 7628 2014 Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid, 2014, pp. 8-21 (pp. 304-317).

Sarah Lewis Cortes, Rebecca Herold, Gal Shpantzer, Chris Veltsos, “Chapter 3: Legal Frameworks for Smart Grid Privacy,” (with the Smart Grid Interoperability Panel Cyber Security Working Group (CSWG)) NIST: NISTIR 7628 2010 Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid, 2010, pp. 7-15 (pp. 323-331).

Education

  • PhD, Northeastern University, College of Computing and Information Science: Computer Science: Cybersecurity 2018
  • Northeastern CCIS profile
  • Dissertation PhD Committee:
  •   Coursework Included:
    • Software Vulnerabilities, Computer Networking, Network Security
    • Operating Systems, Social Computing
    • Physics 5116: Dynamical Processes on Complex Networks
    • Physics 7331: Network Science Data
    • Cyberlaw
  • Boston University Medical School, Department of Biomedical Forensic Sciences 2015-16
    Dr. Robin Cotton, Department Chair, Advisor – M.S.-level classes in the M.S. Biomedical Forensic Sciences Program – Forensic Sciences: Crime Scene Analysis
    – Forensic Sciences: Criminal Ethics and Law- Evidence
    – Forensic Sciences: Criminal Law II-Expert Witness
  • MS Boston University, Computer Science – Information Security, 2011
    • Software Security, Database Security, Network Security, Information Security, IT Security Policies
    • Data and Telecommunications
    • Database Management, Data Mining
    • Java Programming, Data Structures, Analysis of Algorithms
    • Digital Forensics, Biometrics
  • AB Harvard University
    • Languages. Coursework in:
    • Applied Mathematics
    • Computer Engineering
    • Circuit Board Engineering
    • Assembly Language
    • Managerial Finance
    • John Harvard Scholar
    • Agassiz Scholar
    • Harvard Crimson Daily newspaper, editorial editor

Academic & Related Appointments

Northeastern University Law School, Legal Skills in Social Context Clinic (LSSC)

MIT CoDesign Studio, MIT Media Lab

The Tor Project, Inc.

  • Researcher – File/Analyze FOIAs/FOIPAs
  • Collaborate with US Naval Research Laboratory (NRL) researchers on network path selection

Harvard Extension School

Suffolk University, Sawyer Business School, Strategy and International Business Department

  • Guest lecturer, MBA class. Project Management and OpenSource

Harvard Senior Common Room, Cabot House

  • Technology and Business Tutor. Appointed by Harvard House masters, SCR members are appointed as prominent achievers in their field to advise students.
  • Advised students, helped them with their resumes, computer skills, and job search.

Prospect Hill Academy, Cambridge, MA

  • Teaching Assistant, teaching high school youth computer programming and related skills.

Cambridge Rindge and Latin School, Cambridge, MA

  • Teaching Assistant, teaching high school youth computer programming and related skills.

Research Interests

  • Privacy
  • Security, including cybersecurity
  • The Darknet
  • Anonymous Networks, Routing algorithms, Path Selection and Internet Communications
  • Cybercrime
  • Mutual Legal Assistance Treaties in Criminal Matters and Investigations (MLATs)
  • Smart Grid, Smart Meters, Technology, Legal Frameworks and Case Law
  • Data Breaches – Technical Analysis, Legal Frameworks and Case Law
  • Cyberstalking – Technical Analysis, Legal Frameworks and Case Law
  • E-discovery
  • Forensics
  • Technology Education

Software Applications

Some sample applications I have implemented for Fortune 500 clients or major educational institutions

  • DNA Mixtures– Boston University Biomedical Forensic Sciences Department, BU Medical School- supported by Award No. 2008-DN-BX-K158 awarded by the National Institute of Justice, Office of Justice Programs, U. S. Department of Justice. DNA Mixtures was highlighted in the Executive Office of the President, President’s Council of Advisors on Science and Technology (PCAST), Report to the President: Forensic Science in Criminal Courts: Ensuring Scientific Validity of Feature-Comparison Methods in 2016.
  • Biopharmaceutical Clinical Trial System – major global Biopharmaceutical Company located in Cambridge, MA
  • Global Equity, Fixed Income, Cash and Derivative Instruments MultiCurrency Accounting Systems – major Financial Services Company located in Boston, MA, New Hampshire and and Rhode Island
  • Faculty Information System, Harvard Law School
  • Held-Away Assets, for a major asset management company in the Boston area, Major complex application to incorporate all client assets from all financial institutions
  • Global Multi-Currency Investment Company Fund Accounting system, for a major asset management company headquartered in the Boston area
  • Cash Investment Company Fund Accounting system, for a major asset management company
  • Darknet Investigator- Darknet Forensic Analysis

Selected Invited Talks, Speaking Engagements and Paper Presentations

2019:

2018:

2017:

2016:

  • NACACS, ISACA’s North America Computer Audit, Control and Security Symposium, Orlando, FL. Invited speaker jointly with Rebecca Herold, the Privacy Professor, a renowned privacy expert. ISACA is the International Information Systems Audit and Control Association.

2015:

2014:

2013:

2012:

2011:

2010:

2009:

  • Bentley University Usability Forum, Waltham, MA: invited speaker
  • Suffolk University: Project Management and OpenSource: MBA class, Sawyer School of Business, Boston, MA: invited speaker
  • Project Management Institute (PMI) Annual Conference, Waltham, MA: COBIT and IT Standards: invited speaker

Legislative Testimony

In the Press

(Sample)
5/15/17- ‘Dangerous’ ransomware campaign roils global computer networks, EENews
6/26/15- SWIFT Institute and University of Delaware collaborate on cyber security challenges, SWIFT Institute
3/18/15-Experts: Consumer Privacy Bill of Rights may ease privacy compliance, TechTarget Media
Mass. legislator: Revisit data security law, Boston Business Journal
State moving to rework data security law, Boston Business Journal

Honors and Awards

2013 World Bank Hack-a-Thon Team, First Prize, Washington DC

  • First Prize for team development of an application, fuerza.is, to help fight domestic violence

#Sample Professional Organizations, Activities and Affiliations

Alameda County Sheriff’s Office Digital and Multimedia Evidence Crime Lab 2017-Present
American Academy of Forensic Sciences (AAFS)– Member 2017
High Technology Crime Investigation Association (HTCIA)– Member 2017-Present
IEEE P1912 – Institute of Electrical and Electronics Engineers, Privacy and Security Architecture for Consumer Wireless Devices Working Group 2015-present
National Institute for Science and Technology (NIST) SGIP-CSWG: Smart Grid Interoperability Panel, Cyber Security Working Group

  • Led the Legal sub-team that created, and then updated, the privacy section of NISTR report 2009-2014
  • Privacy Use Cases sub-team 2009-2012
  • Smart Grid Interoperability Panel Cyber Security Working Group (CSWG) 2009-present

Journalism

Service

Fundraising

  • Educational Organizations – Harvard University – Annual Giving Co-Chair, Reunion Giving Co-Chair – National Cathedral School for Girls – Capital Campaign Special Gifts Committee – Milton Academy – Annual Giving Committee, 2003-2014 – Shady Hill School – Capital Campaign Major Gifts Committee, 2000-2004 – Cambridge Ellis School – Director. Capital Campaign Steering Committee
  • Social Services Organizations
    – Emerge, Inc. – various fundraising campaigns – Transition House – Board Development campaigns

Community Service

Some of my nonprofit organizations, fundraising and Boards of Directors:

Lobbying

  • Work with members of the MA Legislature on bills affecting employers and cyberstalking

Languages

Advanced: French. Some: Italian, Russian, Latin, Greek, Arabic, Swedish

Skills/Expertise

Other Training

Photography and Videography

Sports

  • Cycling
  • Hiking
  • Girls and Women In Sports
  • Squash coverage
  • Squash videos

Community Service- Sports

– Tennis & Racquet Club, Membership Committee 2006-2012
– University Club, Squash Tournament Liaison Committee 2001-2004
– US Squash Open at Harvard University, Host Committee 2001- 2004
– Tournament of Champions, pro Squash Tournament Host Committee 2002-2009
– Players’ Cup Professional Tennis Tournament, Agganis Arena, Boston University, organizing volunteer 2007-2013

Contact

 

RSS
Follow by Email
Twitter
YouTube
YouTube
LinkedIn
search previous next tag category expand menu location phone mail time cart zoom edit close