Information Security Architect Resume
SUMMARY
- Accomplished, experienced and hands-on Information Security leader, having twelve plus years of experience in enterprise IT leadership roles within global companies. A performance-focused, results-oriented management professional specializing in all aspects of Information Security standards management, practices, controls and technologies. Demonstrated achievements in optimizing business operations, elevating productivity, driving competitive advantage and maximizing revenue through methodical information-assurance processes for business information assets.
- Experienced in developing and delivering solutions as a change agent, visionary and forward thinker, capable of critically evaluating and solving diverse Information Security issues. Consistent success in strengthening enterprise corporate value, reducing operation costs, building and leading high-performing global IT teams through planned supervision and stewardship. Proficient in improving bottom-line profitability through innovation, creativity and strategic leadership within the cybersecurity arena.
- IT (Application and Network) Security Governance, Risk and Compliance professional (CISSP, CISA, CISM, CRISC and EnCE certified) with strategic Information Security project management, leadership experience as well as hands-on technical skills.
- Designed, architected, spearheaded and implemented PCI, SOX and HIPAA compliance frameworks using frameworks such as COBIT.
- PCI projects included several projects at state/local agencies as well as a cloud-based loan portal for a for-profit college.
- Executed multiple ongoing security-related projects such as Application SDLC vetting and architectural review projects focusing on threat-modeling and remediation.
- Experience in executing Access Management (CyberArk) as well as DLP projects (Forcepoint).
- Experienced in securing the cloud by using CIS cloud security benchmarks.
- Cloud Security Alliance ‘STAR Cloud Auditor’ certified
- Working towards the (ISC)² CCSP (Certified Cloud Security Professional) certification.
- Experienced in application of IT security/controls based on COBIT5 as a CISA practitioner.
- Led planning, design and implementation efforts for:
- Web-filtering solutions monitoring Internet usage & compliance to employee usage policy and security mandates from company clients as well as the federal government.
- Infrastructure Vulnerability Assessments, Pen-testing, App-Scan and Security audits.
- Implemented various cloud solutions at Riverside County and HYUNDAI/KIA Motors.
- Assessed Anti-Virus policy-engines (AV), Intrusion Prevention Systems (IPS), forward proxy setups and SIEM reporting (SPLUNK) to assure coordinated timely e-mail notification and mitigation of malware-induced threats to corporate networks.
- CITRIX VPN and three-factor secure authentication for access to Cerner ERP solution.
- SSAE16 SOC2 attestation efforts using third-party-led in-house IT audits (KPMG).
- Scheduled and ad-hoc penetration-testing campaigns to test the effectiveness of security controls on all internal and external networked devices, embedded systems and mobile devices in support of company operations.
- Advanced heuristic Web Application Firewall & Network IP Firewall infrastructure and designed firewall policies to comply with federal HIPAA and SOX security mandates.
PROFESSIONAL EXPERIENCE
Confidential
Information Security Architect
Responsibilities:
- Strategic leadership in managing and mentoring a small team to identify, analyze, evaluate, manage and adopt the application of security standards, practices, controls and technologies.
- Security Subject Matter Expert (SME): implemented, and responsible (on behalf of the IT GRC team) for, the primary approval function for leading and corralling all internally developed apps through the Confidential AutoEver Secure Application Development Gate (SSG) Process, which is used by Confidential and Kia Motor group business units, ensuring apps are free from software defects and vulnerabilities.
- Conducted a vulnerability management process with the following features (using Rapid7 NeXpose):
- Determine criticality of data assets, owners of assets and frequency of scanning
- Establish timelines for remediation depending on criticality (High, Medium and Low findings)
- Quality of the inventory process for assets on the network (non-reporting asset issues)
- Discovery of vulnerabilities on assets and prioritizing remediation of imminent threats
- Reporting and remediation of discovered vulnerabilities.
- Currently provide complete Application Security Pen-Testing and AppScan support to inter-departmental and cross-functional teams to ensure that all vulnerabilities are identified, addressed and remediated through an OWASP-compliant framework before go-live.
- Established and oversaw security vulnerability and risk-tracking processes by conducting risk acceptance, formal sign-off by senior executives and discovering/assigning compensating controls.
- Lead role for routine round-robin quarterly application vulnerability testing/hardening and OS, DB, Web-server, Web Application Server patching guidance for Security Operations group.
- Responsible for certifying third party application vendors using vetted pen-testing (VRM team-lead role).
- Established a vendor risk management program using the following components:
- Worked with the Procurement Group to establish firm MSAs and SLAs featuring right-to-audit clauses and tangible security reporting measures.
- Performed routine risk assessments for vendors, identifying high-risk controls and critical actionable red flags.
- Established questionnaire process and an onsite vendor audit plan focusing on discovering critical areas and controls resulting in specific remediable findings of import.
- Subject Matter Expert for security architecture regarding application development, infrastructure, and enterprise technology projects to ensure integrity of HAEA network architecture.
- Responsible for maintaining the application security strategy, policy, guidelines, standards and framework for all HAEA applications, whether developed in-house, procured as COTS, or a customized hybrid, including defining the following:
- Authentication & authorization (the type of authorization required)
- Confidentiality, Integrity, and Availability of all systems and data.
- Assess project requirements for application security, in compliance with HAEA policies and standards.
- Assess the security of cloud storage/processing, both for the company and third-party vendors.
- Work closely with technology architects (Infra Planning Group) within the Application Review Board (ARB) as part of the Secure Application Development Gate team to ensure that security is properly provisioned in all applications and domains.
- Identify architectural and other security risks in local data-centers as well as third-party hosted solutions as presented by threat modeling exercises by the solution team and suggest compensating controls if and where necessary.
- Identify gaps in the existing application security infrastructure to meet project requirements.
Confidential
Information Security Architect
Responsibilities:
- Reporting to the Director of Information Security (CISO).
- Leadership responsibility for Strategic Information Security with two direct reports.
- Designed a complex SaaS e-commerce financial loan-processing application portal.
- Architected security for loan portal application with Web-based credential provisioning and authentication (IDaaS solution) with full authentication and authorization controls.
- Responsible for Policy and Procedure development and technical security controls design.
- Reported to the Senior Director of Information Security (CISO position).
- Led Security Audits for fifteen thousand users as well as all IT Security risk assessments, code and control review and SSAE16 SOC1/SOC2 attestation review with KPMG and EY auditors.
- Provided security technical and regulatory guidance as SME to all levels of management.
- Strategic thought-leadership role to partner with web-portal, middleware (ETL) and database teams throughout the company to achieve tactical corporate goals and ensure appropriate balance between risk management and controls.
- Assisted in design of Disaster Recovery infrastructure, DMZ & Firewall frameworks, Data encryption (transport and storage), Data Leak Protection and other controls.
Confidential
Sr. Information Security Analyst
Responsibilities:
- IT Security consultative role at the County CISO office (full-time county employee position).
- Led efforts to migrate County e-mail (Exchange) to cloud apps (Google Apps E-mail & Collaboration system).
- Carried out PCI DSS compliance audits in facilities which processed sensitive credit card data.
- Designed segmented three-tier DMZ networks following 'defense-in-depth' principle.
- Designed and assessed security for firewalls, switches, routers and data processing systems such as Web, Application, Database Applications, Servers etc. to prevent data loss/breach.
- Secure PCI-compliant configuration of verification software (i.e. ongoing file integrity checking using Tripwire) and custom internet-facing applications.
- Ensured credit card verification software was being run to minimize any potential for security breaches leading to compromises of personally identifiable customer information, track data, card verification codes/values and PINs/PIN blocks. This meant (among other things) avoiding wireless data transfers, encrypting network traffic and turning on and verifying native inline transparent encryption in SQL Server databases.
- Oversaw configuration of various host-based and e-mail-centric DLP appliances (e.g. McAfee).
- Developed HIPAA-specific security standards for RCRMC Hospital using the COBIT framework.
- Conducted pen-testing using the Metasploit framework to assess the security posture of county agencies.
- Configured and monitored the resident Tripwire solution (host-based IDS) to monitor changes to critical server files, such as server file permissions, and to critical OS configuration files. Fine-tuned Tripwire's canned change rules to track changes.
- Coordinated Change Control efforts and participated in Change Control Board meetings.
- Planned and coordinated all Information Security incident-response efforts.
- Led triage efforts for numerous incident-response situations.
- Internal consultation role (SME) on all IT-security related vendor-vetting and purchases.
- Conducted vulnerability assessments, security audits and other routine and compliance-related security initiatives for about 20,000 county desktops in fifteen different agencies.
- Developed HIPAA-, PCI- and SOX-compliant policies, procedures and controls for Riverside County Regional Medical Center (450-bed hospital owned by the County).
- Prepared periodic CISO-level reports on the technical security posture of various agencies.
- Conducted periodic assessments and reporting on Business Continuity and DR posture.
- Researched, planned, tested and implemented new cutting-edge security solutions such as BYOD smartphone network access for employees using Android and Apple tablets.
Confidential
Information Security Analyst
Responsibilities:
- Designed placement and installation of firewall and Intrusion Prevention devices.
- Implemented agent-based DLP solutions.
- Maintained and developed firewall policy and IPS filtering rules.
- Monitored and controlled security incidents and relevant documentation, anti-virus alerts, mobilization of anti-virus remediation efforts, and RSA token administration for SSL-VPN access.
- Assisted HR with investigation and reporting of IT policy violations.
- Generated Business Continuity and Disaster Recovery reports for Director-level review and set up a Business Continuity and Disaster Recovery framework in response to post-9/11 threats.
- Compiled personnel web-filtering reports for use by HR.
- Evaluated and analyzed evolving security technologies for eventual implementation.
- Conducted Information Security infrastructure audits, agency gap-assessment audits, penetration tests and vulnerability assessments.
- Compiled and activated approved HIPAA- and SOX-compliant security policies and procedures.