IT Systems Engineer Resume
Dallas, Texas
SUMMARY:
Strategic-level Information Technology Professional with broad-based experience in system design/administration, PMP program management, IT audit and GRC risk assessment.
PROFESSIONAL EXPERIENCE:
Confidential, Dallas Texas
IT Systems Engineer
Responsibilities:
- Perform project management involving IT security, Access Controls, GRC, SailPoint and manual reporting for Confidential.
- SME involving FFIEC, NIST, Confidential, PCI/DSS, ISO/IEC 9000, 27001,(2), Cyber Security / baselining operations to meet compliance objectives.
- Provide leadership in deciding key points involving timing, staffing, and resources used, project scope.
- Established Governance and Risk management work to involve eGRC Archer, Control Self-Assessment, risk impact, root cause analysis.
- Developed Policy, Standards and Procedure statements to mirror cybersecurity initiatives and existing IT operations. Evaluation of proposed SAP R3 documentation system.
- Research and debate modern methodologies to harden and secure corporate assets involving security patching and review of standards ISO / IEC 27001:2013, FFIEC, NIST, ITAR req., HIPAA 164.310, GDPR, PMP PMBOK, Confidential, Sarbanes-Oxley section 4, SEC, GAAP, SAP ERP 6.0, internal infrastructure and data from US Departments of Treasury, Education, and CMS.
- Financial services SME involving risk methodologies, risk impact for critical systems, business impact analysis, root cause analysis, control self-assessments, Confidential, NIST RMF, threat agent risk assessment TARA and others.
- Expert in the Roadmap to Achieve Energy Delivery Systems Cybersecurity, which provides a plan to improve the cybersecurity of the sector.
- Worked to baseline IT operations and internal controls surrounding access controls and risk management directives.
Confidential, Miami / Tampa, Florida
Program Manager Information Security, IT Auditor, Governance Risk Compliance GRC SME
Responsibilities:
- Provide guidance, direction and oversight for 3rd party assessments, internal audit engagements, baseline security standards, discovery and remediation of IT security and compliance issues surrounding HIPAA, risk standards CMS compliance, PAN data, PCI-DSS compliance, FFIEC directives, NIST, Sarbanes-Oxley SOX, ISO/IEC 27001:2013, ISO/IEC JTC 1, NERC-CIP 007 R2, and DISA/STIGS data standards.
- Managed the Security Services Providers (MSSP), supported the enterprise system and performed QRadar SIEM administration involving report migration, alerts, custom reports and malicious activities.
- Reconciled QRadar with existing inventory to avoid gaps and rogue equipment. Analysis of log sources and metric generation.
- Built relationship with IBM QRadar and SIEM security vendors to avoid shortfalls in knowledge base.
- Engaged in Risk Management to perform root cause analysis, TOGAF, Confidential, control self-assessment, enterprise Governance Risk Compliance eGRC and risk impact.
- Authored IT audit engagements, planned requirements, staffed auditors and scheduled work with stakeholders and the Roadmap to Secure Control Systems.
- Provided direction in the selection of an External Audit firm which performs attestation of our Authority to Operate ATO in the analysis of operations surrounding US Centers for Medicare & Medicaid services, PCI compliance, and NIST, ISO/IEC and key points of compliance.
- Promoted to Point of Contact and Project Manager for change configuration management efforts surrounding production and test environments, protected health information PHI, HITRUST, MARS-E, data privacy and FFIEC compliance.
- SME surrounding tools: SCADA CyberArk IAM identity access manager, IDM application identity manager, EPV electronic password vault, PSM privileged session manager modules. Proficient with Tripwire Enterprise 8.5.2, IP360, ProofPoint, QRadar, Core Impact, Hitech, FireEye, Tenable Nessus, Nexpose Rapid 7, Computer Associates SMDB and Archer eGRC risk and compliance suite.
- Build relationships with vendors IBM QRadar, Tripwire, Tenable Nessus to earn SME status.
- Perform system administrator interviews, security patching, reviews of pharmaceutical business entities and reporting on controls testing and remediation surrounding data standards and Sarbanes-Oxley SOX, PCI compliance with IT Audits. Peer review performed on final output. SAP process control management and activities.
- Worked to provide technical oversight involving SIEM network and vulnerability configurations surrounding network administration, SCADA cybersecurity analytics, AIX, Linux RHEL 6, NMAP, trace routing and OWASP top 10.
- Authored an approach for HITRUST and FFIEC compliance involving CyberArk, QRadar report writing, Tripwire Enterprise, Symantec Enterprise and Nexpose Rapid 7, Bit9, Core Impact and Sophos antivirus.
- Support corporate-level IT Audit efforts via SOX controls testing, PCI-DSS 12.3, NERC-CIP, HIPAA, Tripwire Enterprise, HITRUST audit program writing of controls, remediation, risk management elements, control self-assessment CSA, Enterprise Governance Risk Compliance.
Confidential, Miami, Florida and Livermore, California
Program Manager Information Security IT Audit and Risk SME
Responsibilities:
- Liaison to risk compliance efforts surrounding large financial institutions LFBOs, financial market infrastructures FMIs and significant service providers SSPs in order to support 3rd party assessments, risk management, information systems, vendor risk assessments, eGRC, business resiliency and cybersecurity risk.
- Helped to manage governance risk compliance eGRC efforts in key aspects of the business Portfolio involving program management LFBOs, FMIs and SSP projects involving cybersecurity, NERC-CIP, vulnerability, threat assessment efforts, risk posture, risk assessment, security architecture and key security tools.
- Developed Policy and Procedure statements to mirror cybersecurity initiatives as they relate to LFBOs, FMIs and SSPs.
- Research and debate modern methodologies to harden and secure corporate assets involving security patching and review of standards ISO / IEC 27001:2013, FFIEC, NIST, ITAR req., HIPAA 164.310, GDPR, PMP PMBOK, Confidential, Sarbanes-Oxley section 4, SEC, GAAP, SAP ERP 6.0, internal infrastructure and data from US Departments of Treasury, Education, and CMS.
- Financial services SME involving risk methodologies, risk impact for critical systems, business impact analysis, root cause analysis, control self-assessments, Confidential, NIST RMF, threat agent risk assessment TARA and others; building on successes and addressing the gaps through the roadmap.
- Provided direction, support and maintenance for risk awareness and risk acceptance where appropriate within a 1,100 user network involving threat landscape, secure development practices, gap analysis and risk posture.
- Security tools utilized: IBM QRadar, Tenable Nessus 6.7, SIEM, Java scripting, Nexpose Rapid 7, Tripwire Enterprise 8.5.0, IP360, FireEye, RedSeal, PGP, ProofPoint, Wireshark analyzer and other methods in establishing benchmarks for cybersecurity, intrusion detection, security patching, SIEM efforts and proactive analysis of threats and vulnerabilities.
- Provided IT Audit and Information Security guidance through standards: CoBIT 5, COSO, ISO/IEC 27001:2013, DISA STIGs, NIST, PCI compliance, SCADA, SharePoint, TOGAF, HITRUST 7 and SAP ERP with 4 pillars, provisioning, and access granting. Provided direction regarding SAP process control activities.
- Authored Programs in risk avoidance, risk transfer, factor analysis of information risk FAIR, suspicious activity reports, technical writing of policies and procedures, security plans, business continuity and intrusion detection efforts.
- Created QRadar and JIRA management reporting script algorithm used to highlight discrepancies between network inventory and critical security tool QRadar inventory. Analysis of log auto-discovered items in QRadar to avoid duplication and the misreading of log files.
- Extensive cybersecurity, anti-malware and data loss prevention efforts using ProofPoint, Sophos, McAfee and Symantec enterprise.
- Responsible for Information security on a 1,100+ user environment involving Active Directory, Linux RHEL 5, 6, Cisco and Juniper firewalls log analysis and network security appliances.
- Proficient with PGP, RedSeal, QRadar, CyberArk, Tripwire Enterprise, Nexpose Rapid 7, Nessus 6.7, Sophos AV, ProofPoint, Blue Coat, Bit9, Snort, Windows 10 security, Altiris ver. 8 and IP360.
- Provide IT Audit expertise involving Governance Risk Compliance GRC involving Capability Maturity Model CMM, ISO/IEC standards, Confidential, FAIR, TARA, OWASP top 10 controls, CoBit, NIST, FFIEC controls and Centers for Medicaid/Medicare CMS standards.
- Led IT Audit efforts to facilitate a) findings b) recommendations c) risk remediation and ultimately passing US Government CMS reviews of Network security controls, compliance with SOX, Confidential, redundancy, application development involving SDLC, SOX sect. 4 internal controls assessments, IT physical security of operations and co-location data center, IT management reporting structure and internal audit committee functions as well as future IT audit.
- As Project Manager, successfully communicated, via targeted meetings, to facilitate information flow between IT security teams, HR, IT operations in order to remediate compliance shortfalls in PCI compliance, SOC, SIEM and IT audits.
Confidential, St. Petersburg, Florida
Technical Program Manager, Information Security, IT Audit/Risk SME
Responsibilities:
- Oversee active directory project involving PCI-DSS 12.3, Tripwire compliance remediation, define risk management plan, and analyze risk for critical processes, probability, and final risk impact via methodologies Confidential, FAIR and TARA.
- Developed IT audit and risk mitigation strategies, assignment of owner and elicited key remediation actions.
- Monitor identified risks and IT audit issues with tools and teams. Assist critical incident response process with IT engineers and stakeholders. Escalate early to business owner and management team to determine when to engage senior leadership.
- Establish and maintain strong relationships with business operations, technical operations, engineering and finance.
- Direct business processes, product requirements and overall enterprise impacts the project may have on the existing system infrastructure. Identify, confirm, and obtain participation from required cross-functional teams. Work with the other team members and Strategic Business Initiatives to do this effectively. Utilize CSIRT and use OWASP to baseline SIEM event trends and attack patterns and vectors. NERC-CIP 007 R2, SCADA cybersecurity, anti-virus efforts with Symantec Enterprise, PAN data analysis, Amazon Web Services and Golang.
- Work with leadership to help identify and assist in making program trade-offs to balance scope, time, and costs.
- Develop and execute PMBOK defined and led project plans, with dependencies, milestones based on backlog, story points and velocity to establish reachable targets.
- Information security role in auditing Active Directory for remediation. Provide understanding and knowledge of Active Directory, Cybersecurity, ProofPoint, QRadar, security patching initiatives, Amazon Web Services, Golang, Tripwire Enterprise, Tenable Nessus 6.7, Nexpose Rapid 7, Vulnerability Management, Threat Assessment, input validation, Node.js JavaScript, SIEM CVE, security monitoring, Zachman and TOGAF. Apply key controls with risk assessment, remediation as well as internal audit best practices.
- SME to IBM QRadar and upgrades, FAQ knowledge and malicious activity reporting.
- Oversaw a 3000+ computer group, a CAT 1 Network, and the risk surrounding migration of the activities.
- Created reports and coordinated remediation efforts. QRadar CyberArk 9.2 beta tested platform for ID of privileged accounts, access control lists, audit trails and password history analysis. SAP ERP pillar analysis, provisioning and access granting, SAP process control assessments performed.
- Created and implemented a risk management plan. Identified project related risks and triggers; establish risk thresholds and contingency plans using Confidential, FAIR, TARA plans, refine estimates to create baseline resource plan.
- Provide oversight, updates, POA&Ms progress and management of appropriate processes and communication.
Confidential, Miami, Florida
CTO, Program Manager, SME IT Risk and IT Audit
Responsibilities:
- Plan, organize, direct and control small, medium and high value Financial Services, CMS governed Health Insurance Industry, Pharmaceutical and Manufacturing Client audits, business projects and risk assessments involving Project Management Body of Knowledge PMBOK / PMI standards, IT Audit internal controls, SCADA Cybersecurity, Confidential, SOX, HIPAA, HITRUST, NERC-CIP 007 R2, CSIRT, DIARMF, SIEM, CVE, SAP, application development and systems development life cycle SDLC.
- SME in Banking and Financial Services involving FFIEC, Federal Reserve, LFBOs, FMIs, SSPs Information Technology and Cybersecurity thus providing a reasonable assurance of security and compliance.
- Provided to Financial Services Clients IT governance, IT security awareness, taxonomy-code flaw search, design flaws, Infrastructure, IT environmental standards and Top-level policy direction involving key direction for operations and network infrastructure.
- Acting liaison to third party security risk management efforts with Health Insurance industry clients, manufacturing and distribution clients, their external vendors and internal audit teams. Utilized SAS-70 (legacy) and SSAE-16 audits and reviews. Applied standards for internal controls with Confidential, SOX 404, NIST, DIARMF, Confidential, FAIR, and referenced CoBIT 5 and COSO enterprise risk management.
- Defined and executed vulnerability risk assessments to include team selection, security scans, internal/external audits and OWASP top 10 incident response project planning, perform triage on McAfee SIEM events. Analysis of ArcSight enterprise service manager, LogRhythm security intelligence platform, Amazon Web Services, Golang, CyberArk Identity Access, Node.js JavaScript and Tripwire Enterprise with IP360.
- Provided support and administration of QRadar involving Service Level Arrangement SLA with IBM, functionality of reports, malicious activities and reconciliation to existing internal System inventories.
- Strategic level Authoring and execution of Info Sec Policy, IT Security Manuals, SAP ERP 6.0 4 pillars definitions, ISSM Information System Security Manuals, backup BCP disaster plans, additional corporate-level policies and procedures as network systems evolve. Obtained board approval of all written documentation submitted.
- Active role in Information Security working with POA&Ms, SCADA, FISMA, FFIEC, DIARMF, ISO / IEC 27001, ISO / IEC 27002.
- Expert in Vulnerability Scanning, Endpoint Management and Full Disk Encryption with huge technology implementation and integration of endpoint tools.
- Secured and improved IT operations surrounding a FFIEC rework of corporate policies and procedures, BCP, application access controls, POA&Ms, eGRC, OWASP top ten, SSAE-16 audit compliance, SailPoint, SOX, PCI, COBIT 5, and IT governance, security / risk assessments including Confidential and FAIR.
- Research current industry trends in threats, SIEM, CVE vulnerabilities, application design flaws and countermeasures.
- Provided SAP process control assessments and engineering analysis.
- Performed SDLC development of technical requirements, system design, quality assurance, user acceptance testing, and pre-production testing of distribution project analysis for operations using AIX UNIX LINUX tools and provided a final report of findings.
- Lead strategy meetings for remediation audit findings and deliverables. Motivate staff to provide accurate and timely reports to ensure a reasonable assurance of security and compliance.
- Managed an inventory control project involving deliveries and product valued at over $500k for Advance Auto stores and worked on DDoS and Firewalls and IPS, VPN, Threat Emulation.
- Hardened and secured network of Win2k8 servers, Checkpoint Load Balancer, TCP/IP, DNS, POP email accounts, cloud security in database. SME with SCADA Cyber security and Symantec enterprise security.
- Managed the Security Services Providers (MSSP) and also supported the enterprise system.
- Volunteered for new project administration duties to include building an IT Audit case, information gathering, access / exploitation, and reporting of findings with Tenable Nessus 5, ProofPoint, QRadar, IP360, Nexpose Rapid 7 and Tripwire Enterprise 3.x.
- Provide Client senior management with a documentation of SOX internal controls and the creation of action plans using POA&Ms, BCP disaster recovery, VISIO design, reporting of milestones reached and follow-up goals.
- Marketed existing Financial Services for Thrift Institutions and Banks to perform IT work involving SSAE-16, IT security assessments, Risk Assessment, FFIEC, FDIC, BASEL II Accord and SEC compliance.
Confidential, Syracuse, New York
IT Systems Manager
Responsibilities:
- Hardened and secured network of Win2k8 servers, workstations, barracuda firewall, Cisco routers, Checkpoint Load Balancer, TCP/IP, DNS, POP email accounts, cloud security in database. SME with SCADA Cyber security and Symantec enterprise security.
- Introduced the internal control need for enhanced IT security, IT audit, ethical hacking and Tenable Nessus usage.
- Implemented cloud computing security, SLA and contract administration. Secured PCI compliance procedures for office.
- Through the Roadmap, recognized that cyber threats to delivery systems are real and are becoming increasingly innovative, complex, and sophisticated; made extensive use of the Roadmap.
- Provided key direction in a legacy database conversion project to a virtual web-based application.
- Initiated new service level agreements SLA in vendor management and realized over $200k in cost savings.
- Upgraded new IT security procedures and solicited IT vendor support. Secured remote access and new VPN.
- Hands-on IT technician, Microsoft gold partner skilled with IBM Site Protector, IBM QRadar, IBM Web Gateway, IBM Network IPS and IBM AppScan Enterprise.
- $500k budget, Proficient with Excel, PowerPoint, Project, Access, Backup Exec, and ARCserve.
Confidential, New York, New York
Bank Officer, Vice President and Risk Program Manager
Responsibilities:
- Risk project manager; control self-assessment involving risk posture, root cause analysis, key risk indicators, risk assessment and risk impact; worked with Confidential and FAIR risk methodologies.
- SME with LFBOs, FMIs, and SSPs regarding BASEL II Accord directives and integrated key components within all projects.
- Utilized a mature Project Management Office and PMBOK in assessing SDLC procedures for critical capital markets application.
- Identified potential risk impact regarding a key IT risk component and mitigated a $30 million exposure.
- Provided ITIL v2, COBIT, FFIEC, FDIC, and OWASP top project best practices analysis for system-network enhancements.
- Develop and Implement New Protective Measures to Reduce Risk through roadmap.
- Wrote key controls and inputs for annual Business Impact Analysis BIA and BCP disaster recovery plan.
- Provided expert analysis involving ISO /IEC 27001, BASEL II accord, Confidential, SOX, FFIEC directives.
- Directed 14 person staff in a corporate governance project utilizing risk, FFIEC and Japanese FSA principles.
- Built project management PMBOK, NIST information quality, and ISACA COBIT standards into IT key controls.
- Highlighted IT risk to effectively mitigate issues in IT network infrastructure, and SDLC/systems development teams.
- $1 million budget, oversaw 14 staff, made key recommendations to management to help direct IT operations.
Confidential, Pine Brook, New Jersey
IT Manager, IT Auditor Program Manager, Risk SME
Responsibilities:
- Authored risk assessment plans.
- Authored and proposed client IT security plans, risk assessments and internal control reviews.
- Created audit program for EDS - Confidential web banking application. Improved security audit programs with audit engagement team involving LFBOs, FMIs, SSPs, GAAP, Confidential, SOX, SEC and utilized 3rd party consultants and sought senior partner approval. Became a sought-after SME to the Banking and thrift industry on IT operations and risk assessments.
- Led over 200 IT-FFIEC, SAS70 and SSAE4302 audits for 60+ clients including service bureaus and co-location firms.
- Audited third party critical security applications such as Top Secret, AS/400, DASD, IBM 7 series mainframes, Win2k, and Win2k3 distributed operations.
- Industry reference and SME FFIEC safety and soundness security controls audits and risk assessment reviews.
- Lead hands-on technical manager in supporting a 100 user network involving Novell Netware 5x, Windows Server 2003, MS Exchange server, TCP/IP, DNS, POP accounts, Backup Exec, ProSeries Tax, Go Systems Tax, QuickBooks Pro, Peachtree Accounting.
- Tally IAVA security metrics and report to staff and management existing security concerns and requirements.
- Participated in network penetration testing and BCP disaster recovery drills.
- Provided corporate level business guidance regarding IT operations, IT governance, internal controls and audit findings.
- Promoted best practices referencing ISACA COBIT, ITIL, BASEL II, FFIEC, GAAP and OTS guidance.
- $500k budget, oversaw 3 staff.
Confidential, New York, New York
Senior Network Administrator
Responsibilities:
- Coordinated IT system administration for a leading pharmaceutical medical advertising agency with multiple locations.
- Negotiated BCP recovery contracts with hot-site, warm-site and cold-site disaster recovery vendors.
- Performed annual Business Impact Analysis BIA and risk assessment within a co-location network.
- Oversaw 2 major system upgrades and corporate relocation project in midst of lengthy merger.
- Built help desk to aid Apple ANS, PC/LAN Novell-NT server, Confidential G3 switch and SCO Unix systems.
- $600k budget, oversaw 3 staff.
Confidential, Syracuse, NY
Risk Manager, Systems Analyst
Responsibilities:
- Risk assessment program manager involving worldwide production data and personnel. Saved $100k in single line.
- Completed OTH FPS-118, AN/TPS 59, AN/FPS-117, radar system spares assignments with US DOD, US Navy, Confidential (GE Aerospace), Peace Shield (RSAF), ARE Depot, Saudi Arabia, Iceland, Korea and Germany.
- Utilized SAP R3 within X/Open Unix, Oracle v7 MIRR DD250s to facilitate cut over and cost of ownership.
- Helped coordinate the design, implementation, testing and release of a product line SCO UNIX JCL database.
- Conducted risk computation and provided information to senior line management and key stakeholders.