
Information Security And Risk Manager Resume


Newark, DE

SUMMARY:

  • Career-oriented individual with seventeen years of experience in Enterprise Information Security.
  • Certified Professional in Information Governance, Risk and Compliance (GRCP); DLP and quality assurance (Six Sigma Black Belt).
  • Provides strategic and managerial oversight for missions, visions, values, policies, controls and standards.
  • Knowledgeable about the NIST Risk Management Framework, crypto-currency, core cyber security and cloud technologies (IaaS/PaaS/SaaS) for Azure and AWS.
  • Responsible for information security and risk awareness within organizations.
  • Sound knowledge of Security Information and Event Management (SIEM) systems, firewalls, IDS, IPS, PKI, data encryption, etc.
  • Team lead on several IT projects: documentation, governance, security risk assessments, business continuity/disaster recovery planning, e-commerce and audit/compliance.
  • Experienced with global privacy legislation and regulatory requirements such as NIST, FFIEC, ISO 27K, COPPA, COSO, FCRA, GLBA, PCI DSS and HIPAA.

AREAS OF EXPERTISE:

Regulatory Compliance, Risk Management, Operations Management, Business Impact Analysis, Technology Architecture, Business Continuity, Client Needs Analysis, Systems Integration, E-Commerce, Information Assurance, Business Development, Identity & Access Management, Budgeting and Cost Control, IT Auditing, Strategic/Tactical Planning, Change Management, Anti-Money Laundering, Documentation.

SKILLS:

SME in Security & Risk Management, Six Sigma Black Belt, SCADA, NERC, ISO/IEC 27002, Auditing, OCTAVE, FFIEC booklets, Basel II, BSIMM, COBIT, COSO, Data Guard, Excel, Archer, Citrix, FedRAMP, FISMA, Gateways Active Session, ITIL, GLBA, ISO 27001/2, ISO 17799, Mainframe, Nessus, NIST, Nmap, UNIX scripting, Java, Oracle Directory, XACML, SAML, SPML, Oracle IAM, PL/SQL scripting, OSI Model, OWASP, Security Monkey, Lazy Falcon, QualysGuard, Cloud, Firewalls, PCI DSS, PII, PHI, RAC, RFQ, Safe Harbor, SAP Security, SAS 70/SSAE 16, SOC 1 & SOC 2, SB 1386, SOA, SOX, SQL, TCP/IP, ACF2, RACF, Tivoli Insight Manager (IBM), Wireshark, Snort, RSA Aveksa, SailPoint IdentityIQ, IBM Security IAM, CA SiteMinder, RadiantOne VDS (HDAP), Centralized Enterprise Manager, CMDB, BEA, Avecto, LDAP, CyberArk, Active Directory, HP Fortify, IBM AppScan, SIEM, Tripwire, Scrum Master, Product Owner, TOGAF training, CISM training, Cloud Security.

EXPERIENCE:

Newark, DE

Information Security and Risk Manager

Confidential

Responsibilities:

  • Net2Source Inc., One Evertrust Plaza, Suite 305, Jersey City, New Jersey 07302; 05/1 - 09/30/2017
  • Information Security Architect
  • NIST Risk Management Framework: analyzed control gaps and overlaps in the policy using NIST 800-53 r4, SANS CSC, PCI DSS, FFIEC, ISO/IEC, HIPAA, SOX, GLBA and OWASP.
  • Conducted MRA and assessed the system owners' Plan of Action and Milestones.

Jersey City, New Jersey

Lead Security Architect

Confidential

Responsibilities:

  • Collaborated with various stakeholders from Process Information Security, Enterprise Architecture, and Systems Owners for Access Control and remediation of applications on AWS.
  • Created control statement mapping with authoritative sources, policy, and regional privacy laws.
  • Documented all relevant evidence on control tools using HP Fortify and assessors' guidance.
  • Analyzed control gaps and overlaps in the policy using NIST 800-53 r4, SANS CSC, PCI DSS, FFIEC, ISO/IEC, HIPAA, SOX, GLBA and OWASP.
  • Conducted MRA and assessed the system owners; used OIM, RACF, MFA, SailPoint, ArcSight, IBM AppScan, Qualys, SiteMinder, SWIFT and Splunk.
  • Created action plans and remediation documents in a spreadsheet for migration into GRC Archer.

Lead Security Architect

Confidential

Responsibilities:

  • Reviewed and evaluated the state of the security posture against security best practices using ISO standards, NIST, FFIEC, SANS 20 Critical Security Controls, HIPAA, SOX, GLBA, OWASP Top 10, and PCI DSS.
  • All findings of vulnerability assessments conducted by the vendor were reviewed and remediated (internal and external penetration testing using Nessus).
  • Collaborated with the developers on maintaining a secure software development life cycle; used SSL, TLS, Imperva (WAF), Hardware Security Module and third-party tokenization.
  • Integrated the mail gateway with Navient as part of a merger and acquisition.
  • Implemented microservices architecture; OIM, RSA Authentication Manager and token fobs for multi-factor authentication (IAM).
  • Reviewed and documented gaps in the access management policy.
  • Assessed Microsoft SCCM and the configuration files of Apache, Active Directory and LDAP for access controls.
  • Daily review of audit logs and monitoring of the systems using SIEM (QRadar and Qualys).
  • Managed and monitored the AWS implementation using Burp Suite, Symantec endpoint security and Privileged Access Management with CyberArk.
  • Facilitated the confidentiality, integrity, availability and privacy of corporate data using KRIs, KPIs and KCIs.

Sr. Auditor

Confidential

Responsibilities:

  • Documented the metrics used in assessing the Key Risk Indicators: device encryption (PKI), segregation, logging & monitoring, standard builds, patching, antivirus, firewalls (e.g. Imperva WAF), and vulnerability assessments.
  • Created the baseline controls on laptops, Windows servers (SQL), Windows desktops (SQL), cloud (AWS) network data, UNIX/Linux/VM servers, web mail gateways, and network browsing gateways.
  • Created baseline controls on McAfee Endpoint Security and control metrics.
  • Reviewed the SOC 1 and SOC 2 deliverables and documented evidence.
  • Documented control gaps using the following frameworks: FedRAMP, FISMA, NIST, PCI DSS, HIPAA, SOX, SANS CSC, ISO 27K, OWASP Top 10 and FFIEC.
  • Performed access control assessment with the stakeholders and documented evidence.

Pittsburgh, PA

Application Security Architect

Confidential

Responsibilities:

  • Collaborated with Application Control Assessment (IAM), Vendor Risk Management, Infrastructure Control Assessment (KPI), Privacy Assessment, Cyber Security (Burp Suite), and Business Logic Assessment.
  • Knowledgeable in using shared assessment tools: Agreed Upon Procedures (AUP), Vendor Engagement Risk Assessment (VERA), Vendor Engagement Governance Administration (VEGA), Segmentation Chart, Standard Information Gathering (SIG), Control Matrix, Action Plan, etc.
  • Created control statement mapping with authoritative sources, policy, and regional privacy laws.
  • Documented all relevant evidence on control tools using HP Fortify and assessors' guidance.
  • Analyzed gaps and overlaps in the policy using NIST 800-53 r4, PCI DSS, PII, SANS CSC, FFIEC, ISO/IEC, HIPAA, SOX, and OWASP.
  • Secured AWS cloud services with Imperva WAF, Symantec endpoint security and Privileged Access Management with CyberArk.
  • Evaluated SailPoint for various global Identity and Access Management (IAM) programs.
  • Conducted random assessments of the stakeholders; used SCCM, SailPoint, Qualys, Burp Suite, SiteMinder and Splunk.
  • Implemented and evaluated SOC 1 and SOC 2 deliverables.
  • Created the application control matrix in a spreadsheet for migration into GRC Archer.

Phoenix, AZ

Information Security Audit

Confidential

Responsibilities:

  • Prepared and documented audit/compliance materials using FFIEC booklets and ISO/IEC 27002 on the following: Audit, Business Continuity Planning, Development and Acquisition, E-Banking, Information Security, Operations, Outsourcing Technology, Retail and Wholesale Payment Systems.
  • Developed a matrix for each standard supporting the policy.
  • Mapped existing artifacts to each identified new standard in support of the policy.
  • Ensured that all standards support the master policy, e.g. NIST 800-53 r4, PCI DSS, PII, SANS CSC, FFIEC, ISO/IEC, HIPAA, SOX, and OWASP.
  • Worked with the technical writer to ensure a consistent framework.
  • Developed appropriate tracking and management reporting capabilities.

New Castle, DE

Information Security Architect / Adjunct Lecturer

Confidential

Responsibilities:

  • Lead Security Architect for compliance projects, IT governance and documentation.
  • Led team that redesigned security work activities with GUI applications, resulting in better performance; planned and managed security projects and activities, including design of security controls of new technologies.
  • Monitored adherence to Risk Mitigation strategies on AWS in conjunction with Third Party Vendor Risk Management and Cyber Security team (IAM).
  • Developed cyber security response plans to improve cyber security controls using Burp Suite, Imperva WAF, Symantec endpoint security and Privileged Access Management with CyberArk.
  • Responsible for cyber security assessments using Qualys and Nessus (penetration testing).
  • Designed and implemented microservices architecture; monitored security system logs and processes.
  • Participated in auditing the information security program and practices.
  • Engagements included Identity & Access Management using RACF and Tivoli.
  • Extensive experience with Identity & Access Management, as well as supporting applications.
  • Participated in audit related activities as they pertain to Identity & Access Management.
  • Managed logistics and development of the Information Security Awareness training program and the Communications Manual for IT Security using SSAE 16, ITIL, COBIT, HIPAA, SOX & NIST.
  • Performed penetration testing, security risk assessments and recommended measures to deal with identified risks; evaluated SCCM, COTS/GOTS security products and provided recommendations for use as security tool candidates.
  • Ensured the appropriate NIST SP 800-34 standards were applied to the Information Technology Service Continuity Management Plan.
  • Enforced Policies and Standards related to IT Security using ITIL, ISO, NIST, COBIT, and BSIMM.

Information Security Architect/ Engineer

Confidential

Responsibilities:

  • Developed technical strategies for e-commerce, applications and systems, and drove continuous process improvement and innovation using SAS 70, ITIL, COBIT, & BSIMM.
  • Oversaw and ensured adherence to Information Security policies, standards, and practices across global e-commerce platforms; ensured product quality, assurance and risk reduction goals were met across all global e-commerce business and functional units using Burp Suite (SIEM).
  • Collaborated with business units to determine continuity requirements; established disaster-recovery testing methodology, and utilized McAfee endpoint security.
  • Researched new developments in IT security in order to recommend, develop and implement new security policies, standards, procedures and operating doctrines across a major global enterprise.
  • Implemented multi-factor authentication using RSA Authentication Manager and token fobs.

Newark, DE

Application Security Consultant (Intern)

Confidential

Responsibilities:

  • Managed consultant teams and engineering security; coordinated with third parties to perform vulnerability tests and create security authorization agreements and standards.
  • Performed penetration testing, security risk assessments and recommended measures to deal with identified risks across differing aspects of IT systems.
  • Defined global information risk solutions using SIEM and created Information Security Management systems.
  • Organized training programs with NIST, PHI, PII, HIPAA, COBIT, PCI DSS, ISO 27K Tool Kits, and SANS Critical Security Control documents.

Newark, DE

Information Security Manager/Engineer

Confidential

Responsibilities:

  • Reviewed application code using static and dynamic tools in liaison with the other business units.
  • Performed system and application vulnerability assessments; applied the NIST Information Security Life Cycle; and vendor risk management.
  • Monitored firewalls, intrusion detection and prevention devices, encryption of data at rest and in motion (PKI), certificate authority, and cyber monitoring.
  • Performed continuous access management using OIM, RACF, ACF2, and Tivoli (IAM).
  • Applied knowledge of international data protection laws; conducted Sarbanes-Oxley audit assessments.
  • Implemented internal and external penetration testing and remediation.
  • Monitored the implementation of Oracle Identity Management and Privileged Access Management with IBM Directory and Active Directory Federation Services (ADFS).
  • Prepared information security evaluations for new projects; prepared and presented project improvement and process documentation in BEA and GRC Archer.
  • Experienced in using Symantec endpoint security.
