Senior Security Architect Resume
Fairfax, VA
SUMMARY:
- Senior information security professional with 15+ years of experience and an established track record of increased responsibility leading, managing and overseeing application development, security design and development, enterprise application integration, full life-cycle system development and project management.
- Strong problem-solving skills to analyze complex business problems, identify technology options, and liaise between technical and business groups to facilitate high-quality solutions to organizational challenges.
TECHNICAL SKILLS:
Cloud Security, Platform as a Service (PaaS), Infrastructure as a Service (IaaS), Software as a Service (SaaS), Federal Cloud Practice, Cloud Architecture, Cloud Solutions, Certification and Accreditation (C&A), Security Assessment & Authorization (SA&A, A&A), Risk Management Framework (RMF), E-Authentication, Risk Assessment (RA), Privacy Threat Assessment (PTA), Privacy Impact Assessment (PIA), System Security Plan (SSP, SP), Contingency Plan (CP), Security Assessment Plan (SAP), Security Assessment Report (SAR), Plan of Action and Milestones (POA&M), Security Control Assessor (SCA), OMB, NIST SP A, 508 Compliance, FIPS 199, FIPS 200, and Confidential 4300A, Xacta, Trusted Agent FISMA (TAF), Cyber Security Assessment and Management (CSAM), AppDetective, WebInspect, Nessus, Nipper, Nmap, MS Project, Kali Linux, Metasploit, HP Fortify, AWS, SME, DoD 8570, TS/SCI
PROFESSIONAL EXPERIENCE:
SENIOR SECURITY ARCHITECT
Confidential, FAIRFAX, VA
Responsibilities:
- Serves as subject matter expert for securing enterprise information by determining the overall Application Security strategy and requirements planning, implementing, and testing application security systems.
- Provides input into company's overall Application Security strategy, striving to develop a security mindset throughout the full software lifecycle from concept to testing and implementation.
- Develops strategic direction and overall design for cloud services (IaaS, PaaS, SaaS), cloud technologies, to include transition strategies, deployment strategies, mission/vision descriptions, and positioning strategies.
- Manages, plans, architects, and leads multi-platform build efforts for leading edge technologies, including Amazon Web Services, Microsoft Azure, Oracle MySQL, and VMware.
- Reviews architecture designs and cloud migrations; develops, tests, deploys and manages secure information systems using the Rational Unified Process (RUP) lifecycle framework and Agile process management.
- Collaborates with developers and vendors to ensure legacy and newly deployed applications are developed securely by implementing industry standards, policy and recommended security baselines.
- Conducts application security assessments, application security architecture reviews, and risk modeling for company-developed software, acquired and/or hosted applications and services.
- Responsible for applications security, risk assessment, validation of application security test results, vulnerability remediation and/or mitigation, system documentation, and security defect resolution.
- Responsible for all risk and compliance operations including development of security documentation related to PII, PCI, HIPAA, FedRAMP, and NIST governance and guidelines for the government and financial sectors.
SENIOR IT SECURITY CONSULTANT
Confidential, ARLINGTON, VA
Responsibilities:
- Served as team lead for security vulnerability assessments of 83 mission-critical systems. C&A/A&A approaches and compliance regulations included the NIST 800 series, ISO, CNSSI, FedRAMP, and DISA STIGs.
- Developed policy and standards, project plans, analyzed workflow via XACTA, assigned resources and set deadlines to ensure projects were successfully executed to meet the deliverables on time and within budget.
- Analyzed existing and future enterprise systems, reviewed security architectures, evaluated and assessed software during the SDLC Process to include functional and security requirements.
- Trusted advisor to senior leadership on documentation for planning, developing, implementing, assessing and continuously monitoring systems through all steps of the RMF (i.e., FIPS, E-Authentication, RA, PTA, PIA, SSP, CP, CPTR, SAP, ISA, MOA/MOU, SAR, POA&M, and ATO letter).
- Served as the agency subject matter expert for FedRAMP, cloud computing, Continuous Diagnostics and Mitigation, and Ongoing Authorization initiatives. Created security policies for implementing FedRAMP, cloud, and virtualization best practices.
- Coordinated and facilitated Kick-off and Findings meetings, created security assessment plans, risk assessment reviews for clients, conducted interviews, assessed vulnerabilities and recommended safeguards.
- Responsible for vulnerability management: review/assessment of vulnerabilities, control mapping, SAR and POA&M creation, mitigation timeline, remediation validation, and recommendation of closure or waiver/exception.
- Advised senior management on security requirements of system design, development, implementation, information security compliance, vulnerability management, risk management and risk mitigation.
- Provided technical expertise and recommendations to weekly Integrated Project Teams, system design reviews, Change Control Board, requests for change, and Project Authorization Documents.
- Provided key feedback, analysis and recommendations to Authorization Official (AO) to develop final security authorization packages for Authorizations to Operate (ATO).
INFORMATION SYSTEM SECURITY OFFICER
Confidential, WASHINGTON, DC
Responsibilities:
- Provided strategic direction in leading activities in support of team and enterprise objectives. Managed the day-to-day operational functions of certification and accreditation (C&A) and applicability of security controls assessment criteria using DCID 6/3, ICD 503, CNSSI 1253, and NIST SP A and .
- Created the Enterprise test plan to merge NIST controls with DCID 6/3 and implemented guidelines on how to introduce security throughout the Systems Development Lifecycle.
- Developed and maintained documentation for system security plans, contingency plans, configuration management plans, security categorizations, risk assessments and privacy impact assessments.
- Performed static and dynamic malware analysis and recommended defensive and proactive measures against inappropriate use by any internal or external entities.
- Performed penetration testing and web application testing on NIPRNet and SIPRNet.
- Conducted assessments using AppScan (applications), Nessus (OS), AppDetective (database), Nipper (network) and host discovery and enumeration using Nmap, SSLScan and custom bash scripts.
- Performed weekly enumeration of hosts and network exploitation using Kali Linux, Burp Suite, Metasploit, and Core Impact.
INFORMATION SECURITY RISK MANAGER
Confidential
Responsibilities:
- DoD project manager for large-scale, top-priority and complex technology initiatives. Managed budgets of up to $8M and cross-functional teams of up to 25 developers, programmers, analysts and network specialists.
- Identified and quantified exposures to accidental loss and adopted proper financial protection measures through risk transfer, risk avoidance, and risk retention programs.
- Developed risk management and information security policies aligned with the ISO 17799, ISO 27001, ISO 27002, DoD DIACAP, DoD 8500, DISA and NIST guidelines.
- Led design and multinational rollout of robust, scalable and secure electronic data interchange (EDI), enterprise resource planning (ERP) and point-of-sale (POS) systems for clients including FEMA, US Army Corps of Engineers (USACE) and US Army 2nd ID Battalion. Completed projects up to two months ahead of schedule, as much as $1.2M under budget and to universal client acclaim.
- Managed all phases of the software development lifecycle (SDLC) for dozens of custom solutions. Demonstrated ability to apply common frameworks and models such as CMMI, ITIL, COSO, FISCAM, and COBIT in the working environment. Delivered industry-leading software that saved clients millions of dollars, shortened processes from weeks to minutes, and generated up to $21M in annual revenues within year one of launch.
- Guided teams in the development of relational database management systems (RDBMS) for compliance with Sarbanes-Oxley (SOX), Federal Information Systems Management Act (FISMA), Health Insurance Privacy and Accountability Act (HIPAA). Improved the confidentiality, integrity and availability of data.
- Project-managed large-scale initiatives involving the transition of programs to new platforms and the merger of disparate systems from acquired client companies. Achieved seamless migrations and integrations that were transparent to client customers, accomplished with no unscheduled downtime and delivered by as much as $750K under budget.
- Directed global rollouts of new software and systems. Conducted internal and external audits of HIPAA, SOX, SAS 70, SSAE 16, and ISO/IEC 27001 principles, concepts and practices.
