Senior Governance, Risk Management, And Compliance Officer Resume

Bethesda, MD

SUMMARY:

A Senior Information Security Analyst with more than 25 years of experience and team leadership in the cyber assessment and compliance field, including 20 consecutive years of bridging C-level stakeholders with technical staff, vendors and consultants. Expertise in Security Information and Event Management (SIEM) and Governance, Risk/Vulnerability Management, and Compliance (GRC), with broad and deep knowledge of cyber security policy, technology architecture, infrastructure, and programs for log analysis and incident response/remediation. Utilizes POA&M FISMA to meet CMS and OMB requirements. Currently specializing in HIPAA, PCI, SOX, NIST (licensed counter-terror tool deployment), DISA, and CJIS compliance for cloud (Azure and AWS). Knowledgeable in information systems security regulations, policies, practices, and certification and accreditation requirements and processes, inclusive of PCI/DSS, HIPAA, HITRUST, ISO 2700xx, SOX, FISMA, NIST, DISA, CJIS and ICSD. Capable of multitasking and performing under short deadlines to complete all assigned tasks in the most efficient manner possible, including incident investigation and reporting, forensic examinations and recovery operations.

SKILLS:

Experience Authoring, Developing and Conducting: IT Security Incident Response Management; IT Security Standard Operating Procedures (SOPs); System Security Plans; Contingency Plans; Configuration Plans; Security Requirements Traceability Matrix (SRTM); Security Test & Evaluation (ST&E); Vulnerability Assessments; Risk Analysis; System Security Planning; Continuity of Operations (COOP); Remediation Plans and Proactive Processes and Procedures for PCI-DSS and HIPAA. Establishes cyber security policy, developing the cyber security requirements for cyber incident response. Reviews current and proposed policies for consistency with overall federal, state and local government and program requirements. Develops strategy on current issues affecting national and local government cyber security. Develops Security Awareness Training Programs and supporting media and collateral.

Significant Information Assurance (IA) Training & Experience: Incident Response (IR); Information Security (INFOSEC); Computer Security (COMPUSEC); Physical Security (PHYSEC); Operations Security (OPSEC); Communications Security (COMSEC); Open Source Intelligence (OSINT); Governance, Risk Management, and Compliance (GRC); identity management and access controls; expertise with the DHS-funded CyVision Cauldron Proactive Visual Vulnerability Assessment, Remediation and ACL Management tool, applied to automate PCI/DSS and HIPAA audits; Archer; Hercules Patch Management; Tenable Nessus Scanner Tool; Nmap; Websense; OWASP toolset; Splunk; Qualys; Azure RBAC; NIKSUN; Zed Attack Proxy (ZAP); Sam Spade; Snort; Wireshark.

WORK EXPERIENCE:

Confidential, Bethesda, MD

Senior Governance, Risk Management, and Compliance Officer

Responsibilities:

  • Works on multiple projects; the most recent is PCI/DSS and HIPAA RBAC rules based on NIST 800-53 for a large Azure hospital implementation, with migration from and integration with the existing on-prem environment.
  • Primary responsibility is serving as the Senior Information Systems Security Subject Matter Expert (SME) for Governance, Risk Management, and Compliance in the government, financial/banking and healthcare compliance arena.
  • Identifies threat vectors for and between critical and non-critical assets, including IoT devices, via proprietary CVSS scores.
  • Leads and performs installations and training, and conducts assessments and remediation for regulatory certification and compliance of information systems per Governance, Risk Management, and Compliance (GRC) standards such as PCI-DSS and government regulatory standards including HIPAA, FISMA, RMF, DISA, SOC2, DIACAP, ICD 503, ICD 705, NISPOM, NIST, DHS 4300A/B/C and KYC/AML; handles data contamination management, including coordinating cleanup efforts and reporting requirements, and ensures auditing requirements are completed on schedule. He maintains the responsibility for media control, virus scanning, hardware and software success control, and computer security briefings.
  • Coordinates and establishes cyber security policy and system risk for assigned systems, developing and maintaining incident response, proactive emergency planning, continuity of operations planning, and related SOPs.
  • Utilized data from RSA Archer to analyze and provide oversight for cyber security vulnerabilities and implement proactive solutions to correct or mitigate the vulnerabilities, and to ensure all current and planned cyber operations are integrated at every level, from user provisioning to assessment and compliance of branch offices and other externally connected locations.
  • Coordinates cyber security requirements with senior management officials and provides appropriate reports for all relevant laws, regulations and policies, on-prem and cloud (Azure/AWS).
  • Utilized Visio to create and analyze network security diagrams.

Confidential, Garden City, NY

Senior Information Business Risk Analyst

Responsibilities:

  • Advised government and corporate entities on overall systems security configurations and served as primary liaison to the system accreditation representative; monitored and analyzed IS security control incidents and violations.
  • Ensured users were appropriately cleared and had the required need to know prior to gaining access to the system.
  • Appraised critical and non-critical assets; created CVSS risk scores, CVE profiles, peer comparisons and exposures to vulnerabilities.
  • Identified financial impact.
  • Integrated remediation strategies with GRC business compliance objectives for PCI/DSS and HIPAA, and mitigated related system security concerns throughout the system life cycle of the System Security Development Life Cycle and Risk Management Frameworks, using NIST as the baseline.
  • Performed security test and evaluation activities on a variety of hardware and software systems, including Windows, UNIX and Cisco IOS, using the latest vulnerability scanning tools, including proprietary Integris-developed products, to ensure FDA ISO, SOC2, HIPAA and PCI/DSS compliance.
  • Provided daily, ongoing security oversight of assigned systems as to the security impact of proposed modifications and additions on the security posture of a system, and proactively supported the certification and accreditation efforts according to the Risk Management Framework process.
  • Led and participated as the technical expert in current and evolving interagency matrix groups for resolving problems in programs requiring innovative proactive solutions.
  • Utilized Visio to create and analyze network security diagrams.

Confidential, Lakewood, NJ

HIPAA Remediation Analyst Engineer

Responsibilities:

  • Maintained the responsibility for media control, virus scanning, hardware and software control, and computer security briefings.
  • Coordinated and established cyber security policy and system risk for assigned systems, developing and maintaining incident response, emergency planning, continuity of operations planning, and related SOPs.
  • Analyzed and provided oversight for cyber security vulnerabilities, implemented solutions to correct or mitigate the vulnerabilities, and ensured all cyber operations plans were integrated at all levels with appropriate access controls and user provisioning.
  • Evaluated and made recommendations concerning overall plans and proposals, and supervised the physical site requirements for HIPAA for both sites.
  • Monitored programs and services that had the potential to change important policies and programs.
  • Provided and created training materials and user agreements, and negotiated proper cyber-insurance with the involved parties.
  • Utilized Visio to create and analyze network security diagrams.

Confidential, Brooklyn, NY

IT Security Specialist

Responsibilities:

  • Coordinated and established cyber security policy and system risk for all private banking systems; audited client accounts and developed rules and regulations to enforce compliance of international corporations, financial institutions and government agencies for fraud prevention and against structured money laundering schemes.
  • Additional duty as Security Compliance Officer to ensure training and oversight for bank relationship managers in the deployment of information technology and security controls used during KYC evaluations and audits.
  • Served as an interface with the Information Systems Security Manager (ISSM), Information Systems Security Officers (ISSOs), and other IT Security staff, working with program managers, system owners, and staff to ensure systems were properly secured and tested for protection of proprietary and personal information; provided general oversight for the strategy and requirements for PCI/DSS compliance/waivers and compensating controls relative to current industry standards (PCI), Governance, Risk Management, and Compliance (GRC) policies and procedures, and emerging Federal and State banking regulatory AML compliance.
  • Utilized Visio to create and analyze network security diagrams.

Confidential, Brooklyn, NY; Lakewood NJ

IT Security Specialist

Responsibilities:

  • Building on ten years of experience as a leader in the government and financial/banking industries.
  • Assumed primary responsibilities as an independent contractor functioning as the Senior Information Assurance Project Manager and main point of contact for all information systems security, ensuring confidentiality, integrity, and availability of systems/networks by planning, analyzing, developing and implementing systems security programs, policies, procedures, and tools.
  • He was responsible for conducting surveys and reviews to ensure systems were operated and maintained according to State and FDA regulations, and for reviewing and evaluating the security impact of system changes that interface with other Automated Information Systems, including process controls and systems containing confidential information.
  • Secondary duties encompassed conducting reviews of network threats and vulnerabilities; reviewing and evaluating the security effects of changes to the network, including interfaces with other networks; overseeing configurations and IDS/IPS operations; ensuring security violations were reported; and aiding with official investigations and audits related to FDA, PCI/DSS and HIPAA. Utilized Visio to create and analyze network security diagrams.

Confidential, New York, NY

Manager of Citywide Information Security

Responsibilities:

  • Designed the unified Citywide email system and engineered the migration of all users. Implemented an enterprise-wide intrusion detection system (IDS), hardened Cisco firewalls and anti-virus protection with 24/7 monitoring and response. By integrating legacy IBM mainframes to host Unix, most Citywide systems were migrated with a minimum of re-engineering to secured web-based client-server applications with centrally managed access control, at considerable cost savings, mitigating the need to migrate to new server and software platforms.
  • Assisted and led investigations for CITU (the first Cybercrime Law Enforcement Unit).
  • As Special Investigator and Manager of Citywide Information Security, authored 82 official City of New York information security regulations for all agencies, including critical emergency management systems.
  • Conducted numerous covert and high-profile investigations.
  • Prepared and hosted quarterly IT Security and Cyber-Crime Seminars for multiple agency MIS Directors and staff.
  • Responsible for the IT Security of the post-9/11 OEM infrastructure and the Confidential's office post-9/11 replacement phone system.
  • Exposed a dirty bomb terror plot on the City. Utilized Visio to create and analyze network security diagrams.