Confidential is a Certified Information Systems Security Professional (CISSP) with over 25 years of IT experience who is detail-oriented and collaborative, with extensive success in assessing security controls and implementing standards-based IT security strategies and objectives to mitigate risk. He has extensive experience developing, publishing, and maintaining IT security policies, standards, procedures, plans, and guidelines, as well as documenting infrastructures and data flows. He has an extensive background in enterprise network security architectures, with proven success in increasing compliance with security regulations in his previous roles. He is also skilled in assessing risks, developing business and security requirements, developing security controls for new technologies, and assisting organizations with evaluating and implementing appropriate solutions.
Federal regulatory compliance (FISMA, HIPAA, HITECH, IRS 1075) and industry compliance (PCI DSS) – Security Architecture – Technology Architecture – Vulnerability Assessments (Qualys & Nessus) – Penetration Testing – Gap Analysis – Plan of Action – Risk Assessments and Mitigations – System Security Plans – Contingency Plans – Corporate Security Policies & Procedures – Project Management – Program Development – Team Management – Device Configuration and Management – Access Management – Cloud Computing – Infrastructure – Physical Security – Change Control
Management: Program Management (17 years), Project Management (8 years), Business Management (9 years), Regulatory Compliance (6 years), IT Security Risk Management (5 years)
Security: Network Security (20 years), Servers (20 years), Applications (7 years), Firewalls (10 years), Operations Security (10 years), Access Controls (20 years), Monitoring (4 years), Physical Security (5 years)
Information Security Architect
- Integrated security into the department's project management and software development life cycles, including risk assessments, security requirements, security assessments, input validation, secure coding, vulnerability assessments, and proper documentation.
- Plan, organize, oversee, and implement security control solutions in collaboration with technicians, project managers, application developers, internal stakeholders, and business partners.
- Test, validate, and certify that newly developed and updated network infrastructure, applications, and information system security controls meet critical Federal, State, Department and other regulatory requirements.
- Develop, implement, and consult with executive management, IS management, and department staff on security configuration standards, guidelines, and procedures for network infrastructure, applications, and information systems.
Owner and GRC Information Security Consultant
For Healthcare Organizations
- Assisted organizations to improve their security posture with focus on Governance, Risk Management, and Compliance (GRC).
- Performed risk and security assessments for healthcare organizations and addressed risk and compliance issues related to HIPAA, HITECH, and PCI DSS regulations. Assisted organization with mitigation of identified risks.
- Audited security controls based on Office of Civil Rights (OCR) audit protocol.
- Performed vulnerability assessments on network infrastructures, applications, and operational processes. Provided reports on vulnerabilities and assisted clients with remediation efforts. Developed vulnerability management plans.
- Reviewed information security mandates, policies, architectures, and standards and assisted organizations in developing security policies and procedures based on industry standards (NIST, ISO) and HIPAA and PCI compliance requirements.
- Analyzed and documented data flows across networks and applications to better determine security controls needed.
- Detected vulnerabilities in web-based applications accessible from the Internet and provided remediation suggestions.
- Reviewed configurations for security appliances such as firewalls, routers, IDS/IPS, and DLP to determine the effectiveness of security controls.
For Other Organizations
- Reviewed information security mandates, policies, architectures, and standards and assisted organizations in developing security policies and procedures based on Federal Information Security Management Act (FISMA) compliance requirements.
Information Systems Security Consultant
- Worked with Healthcare organizations to improve their security posture with focus on Governance, Risk Management, and Compliance (GRC). Developed required policies, procedures, plans, and documentation to comply with regulations governing HIPAA and PCI DSS compliance.
- Worked directly with technical IT and development teams to provide guidance for securing networks and applications.
- Assessed security architecture for various technical IT projects.
- Developed IT Security Policy Manuals and Procedure Manuals based on the NIST SP 800-53A required security controls for the HIPAA Security Rule.
- Developed detailed System Security Plans (SSP) based on NIST SP 800-18, documenting the system and the status of each security control.
- Reviewed change management and incident response processes and proposed enhancements to improve effectiveness.
- Assisted in the development of a Contingency Plan with a Disaster Recovery Plan, Backup and Recovery Plan, and Emergency Mode Operations Plan.
- Developed Vulnerability Management process and performed vulnerability assessments on external infrastructure and Internet accessible applications.
IT Security and Compliance Consultant
- Developed a Vulnerability Management Plan for addressing PCI compliance requirements for vulnerability scans and penetration tests on in-scope network infrastructure and web applications. Managed vulnerability tracking and remediation action plans.
- Performed security assessments on specific security controls to evaluate compliance with regulations, including vulnerability scanning, anti-virus, and IPS/IDS implementations.
- Worked with technical owners on remediation efforts for mitigating risks from discovered vulnerabilities.
- Utilized QualysGuard vulnerability and web application scanner to perform vulnerability assessments as well as testing of remediated vulnerabilities.
HCA IT Security Program Manager
- The highest-level expert for the agency in the areas of network and application security, perimeter security, and HIPAA compliance. Ensured compliance with Federal regulations and statutes.
- Defined, established, and managed a new Security program within HCA to ensure the confidentiality, integrity, and availability of HCA systems and data.
- Created strategic and long range plans for security changes within the agency.
- Planned, developed, and implemented new security policies and procedures required for federal HIPAA Security Rule compliance based on NIST SP 800-53 Rev. 3 security controls.
- Worked with cross-functional project teams to plan for and assess security controls.
- Centralized system and data access controls for agency critical systems.
- Designed and implemented Future Business Models for security and to assist service providers statewide in establishing their security credentials and setting up security for their businesses (HCA has 14,000 medical providers).
- Performed a Security Risk Assessment on the Medicaid MIS system to prepare for federal CMS Certification.
HCA Network and Infrastructure Services Program Manager
- Managed, trained, and mentored expert professional and specialist level staff in the network infrastructure, server services, database services, telecommunications, web publishing, and IT security sections.
- Implemented key technologies to enhance system monitoring to diagnose network infrastructure and application problems.
- Established better processes and procedures for service delivery.
- Improved team collaboration between sections and implemented improved documentation procedures.
- Served as primary systems architect and solutions implementer for enterprise applications.
ProviderOne Technical Project Manager
- Managed all technical aspects of a $161 Million Medicaid Management Information System re-procurement and design project (ProviderOne).
- Managed the planning, documentation and implementation of the enterprise infrastructure, system interfaces, data conversion, user acceptance testing, and system security.
- Ensured vendors met their contractual obligations for technical requirements.
- Designed the Role Based Access Control (RBAC) methodology for the ProviderOne system.
- Oversaw the design and implementation of an enterprise network architecture that spanned the United States with data centers in Virginia, California, Arizona, Illinois, and Washington.
Network & Security Consultant
- IT Manager and Network/Security Engineer for a network services and support corporation. Responsible for strategic and long-term planning for the company's IT support services.
- Oversaw the maintenance and operations of critical business systems for private companies and state agencies. Configured and administered security for firewalls, routers, and servers. Managed network infrastructure from the Internet connection to the desktop, including servers, routers, switches, firewalls, etc.
- Designed and implemented a wireless network capable of delivering wireless Internet access to residential homes in Olympia, Lacey, Tumwater, and surrounding areas. This wireless ISP business was sold to a local company.
- Assisted clients in strategic planning and the development of policies and procedures. Consulted with clients about short- and long-term planning for their Information Technology needs. Consulted with clients on changes or upgrades to their facilities, systems, and infrastructure. Architected and implemented secure technology solutions.
Network Services & Operations Manager
- Managed network services and operations units and communicated status and recommendations to IT Director.
- Responsible for data center operations. Managed internal data center, which included MVS, UNIX, Windows NT, and NetWare servers, Cisco routers, and Ethernet switches. Implemented monitoring software system for network components and software services to improve problem resolution for outages.
- Supervised 12 technical staff, including programmers and network support staff. Managed and maintained LAN and WAN infrastructure for an ISP business that supported multiple regional libraries in three states. Upgraded network infrastructure.
- Managed budget
- Provided consultation and expertise on hardware, networking, digital circuits, system software, server software, messaging systems, operating systems, application software development, data and database administration, and data security.
- Implemented network monitoring solutions for LAN and WAN systems.