Senior Information Security Compliance Analyst Resume
Washington, D.C.
SUMMARY:
- Creative hands-on IT analyst with more than ten years of success leading IT, IT security and Information Assurance projects and programs for government and business.
- Communicates effectively with both technical and non-technical teams, having supported CIO/CISO at Housing & Urban Development, the Confidential, Confidential, Confidential, and other government agencies.
- Coordinates multiple resources, vendors, and stakeholders and supports high performance technical and professional teams to execute projects of profound complexity, assuring timeliness, effectiveness, and budgetary compliance.
- Leverages deep knowledge of IT engineering, cyber security, and Information Assurance to drive existing programs and proposals in IT and IT security.
- Good understanding of Cyber Security architecture, security controls (Confidential), FISMA, OMBs, and IT infrastructure Continuous Monitoring Initiatives.
PROFESSIONAL EXPERIENCE:
Confidential, Herndon, Virginia
Information System Security Officer
Responsibilities:
- Conducted the Security Assessment & Authorization (SA&A) Kick-off Meeting
- Applied FIPS 199 categorizations to all information types
- Completed Privacy Threshold Analysis (PTA) for all systems in order to determine if a Privacy Impact Assessment (PIA) is needed.
- Created, monitored and tracked (to signature) various application privacy documentation
- Performed interpretations of monthly vulnerability scan results of assigned systems.
- Conducted the Security Assessment & Authorization (SA&A) Kick-off briefing.
- Conducted the ST&E Execution via document examination, interviews and manual assessments; Analyzed automated scan results; Populated the Requirements Traceability Matrix (RTM) with results of ST&E; Performed Risk Analysis.
- Created a Plan of Action and Milestones (POA&M); Conducted ST&E Findings Meeting with the System Owner, and other system personnel as required.
- Gathered (or created) system security documents (System Security Plan, Risk Assessment, Security Assessment Report, Executive Summary including the Plan of Action and Milestones, PTA, and PIA).
- Applied Confidential 800-60 I&II rev.1 categorizations to all information types
- Developed Continuous Monitoring Plan using Confidential 800-137 .
- Used FIPS 200 to select 800-53 Rev.4 controls for the system
- Developed the overall SA&A project Plan.
- Developed three contingency plans using Confidential 800-34 rev.1
- Conducted Contingency plan and incident response testing
- Devised ST&E activity results and developed recommendations
- Developed the Security Assessment Report (SAR) and the Security Assessment Plan (SAP)
- Attended daily meetings
- Monitored and tracked (to closure) incident response activities as per the SOW
- Performed five (5) Systems Security Assessments and Authorizations and Security Test & Evaluations (ST&E) using Confidential Special Publication 800-37 Rev.1, 800-53 Rev.4 & 800-53 A Rev.4, 800-34 Rev.1, and Confidential 800-171
- Developed Systems Designation Account Security Officer and Designation System Owner Letters
- Developed Incident Response Plan
- Developed Authorization to Operate (ATO) recommendation Letters
- Worked with the System Owners to review POAM items for closure.
- Ensured that day to day security is maintained for assigned information systems.
- Worked closely with technical teams for successful Certification & Accreditation of the system that leads to ATO.
- Oversaw, developed, improved and maintained the overall security posture of the system; that includes: Information System Security Plans, Risk Ratings, Contingency Plans, Security Assessments, and Contingency Plan Tests and other associated documentation.
- Acted as a consultant to system owners for the security of the system and system documentation. For example, security incident reports, equipment/software inventories, operating instructions, technical vulnerability reports, and contingency plans.
- Have excellent communication and interpersonal skills that allow me to work with a broad range of people at various levels.
Confidential, Washington, D.C
Senior Information Security Compliance Analyst
Responsibilities:
- Developed System Characterization document (SCD)
- Applied FIPS 199 categorizations to all information types
- Applied Confidential 800-60 I&II rev.1 categorizations to all information types
- Conducted information security controls assessment using Confidential 800-53 Rev4 and Confidential Security policy Handbook.
- Reviewed security documentation to ascertain PII information through system diagrams/flows/application inputs and documentation.
- Updated all the information security documents include (System Security Plan, Contingency Plan, Business Impact Analysis, & Risk Assessment)
- Created the Executive Summary (ES) and the Security Assessment Report (SAR) documents
- Completed Privacy Threshold Analysis (PTA) for all systems in order to determine if a Privacy Impact Assessment (PIA) is needed.
- Performed two Systems Security Assessments and Authorizations and Security Test & Evaluations (ST&E) using Confidential Special Publication 800-37 Rev.1, 800-53 Rev.4 & 800-53 A Rev.4, & 800-34 Rev.1
- Reviewed Nessus, Webinspect, and AppScan reports.
- Conducted the Security Assessment & Authorization (SA&A) Kick-off Meeting
- Conducted the ST&E Execution via document examination, interviews and manual assessments; Analyzed automated scan results; Populated the Requirements Traceability Matrix (RTM) with results of ST&E; Performed Risk Analysis.
- Created a Plan of Action and Milestones (POA&M); Conducted ST&E Findings Meeting with the System Owner, ISSO and other system personnel as required.
- Had experience with the Cyber Security Assessment and Management (CSAM) tool.
- Identified and investigated client issues and provided recommendations, workarounds, resolutions and benefits by minimizing the client’s risk and cost.
- Ensured that assigned ISs were accredited by working with IS owners, enforced customer security policies and safeguards, ensured that audit trails were reviewed periodically and were archived in accordance with customer policies, and reported security incidents in accordance to policies.
- Proficient ability to document and explain risks/vulnerabilities to both business and technical stakeholders
- Fast learner and able to learn new technologies and processes quickly.
- Excellent interpersonal skills, presentation skills, and verbal / written communication skills
- Advised component personnel of requirements to remediate discovered vulnerabilities based on Confidential and Census Bureau guidance and policies.
- Revisited existing POA&Ms to determine appropriate milestones to remediate discovered vulnerability or finding.
- Collected system artifacts and created policies to remediate unresolved POA&Ms
- Successfully completed over 90% of opened POA&Ms through researching or creating policies and collecting system artifacts
Confidential, Washington, D.C
Senior Information Security Compliance Analyst
Responsibilities:
- Gather (or create) system security documentation.
- Took several cloud systems to ATO
- Created, monitored and tracked (to signature) various application privacy documentation
- Reviewed security documentation to ascertain PII information through system diagrams/flows/application inputs and documentation
- Identify key requirements and gaps; provide solutions for clients utilizing best practices.
- Identify, track, and monitor security deficiencies.
- Assist with the implementation of security risk management strategies and contribute expertise in formulating a successful security program.
- Develop high-quality assessments that provide an understanding and resolution to security-related events.
- Develop and document vulnerabilities, solutions, countermeasures for identifying signatures.
- Apply FIPS 199 categorizations to all information types
- Use FIPS 200 to select 800-53 Rev.4 controls for the system
- Perform 800-53 A security self-assessment
- Determine acceptability of risks identified in self-assessment
- Development of the overall SA&A project Plan, the SA&A Process Guide, the Plan of Action Process Guide, and the Security document templates (System Security Plan, Risk Assessment, Security Test & Evaluation, Contingency Plan, and different evaluation compliance Checklists).
- Establish plan of action and milestones (POA&M)
- Include all of above (and other required information) in SA&A package
- Conduct briefings and knowledge transfer of information security related issues to management and co-workers.
- Address issues, assess impact, determine probable damage and provide recommendations for course of action.
- Identify and investigate client issues and provide recommendations, workarounds, resolutions and benefits by minimizing the client’s risk and cost.
- Communicate all project related issues and project status efficiently.
- Consistently look for opportunities to improve processes, and implement appropriate ideas.
- Create and ensure accuracy and currency of technical documentation as needed.
- Conduct or participate in meetings with stakeholders and various IT vertical teams and discuss project issues, risks and status.
- Stay abreast of latest developments and technologies in network security/information assurance to ensure applicability of services delivered.
- Develop several Information Technology Security Policies
- Conduct contingency plan tests for four systems
- Complete Privacy Threshold Analysis (PTA) for all systems in order to determine if a Privacy Impact Assessment (PIA) is needed.
- Applied Confidential 800-60 I&II rev.1 categorizations to all information types
- Develop Contingency Plans per Confidential SP 800-34 rev.1.
- Performed two Systems Security Assessments and Authorizations and Security Test & Evaluations (ST&E) using Confidential Special Publication 800-37 Rev.1, 800-53 Rev.4 & 800-53 A Rev.4, 800-34 Rev.1
- Developed a Security Assessment and Authorization statement (Letter)
- Conducted FISMA compliance reviews with each Program Office to address their vulnerabilities as scheduled, their budget and that their contractors were providing the security safeguards.
- Recommended expertise to Program Offices for risk remediation and continuous monitoring, analyzing vulnerability scans, test security controls, document policies and procedures, etc.
- Developed Incident Response Plan using Confidential Special Publication (SP) 800-61 rev2
- Performed Incident Response test using some scenarios.
- Conducted Incident Response Plan Training.
- Developed Continuous Monitoring Plan using Confidential 800-137 .
Confidential, Washington, D.C
Senior Information Security Analyst
Responsibilities:
- Provided essential FISMA support to orchestrate completion of the annual and quarterly reports for OMB
- Liaison between the Confidential Office of IT Security and the Confidential Information Systems Audit Division and the Office of the Inspector General to gather documentation and completion of the FISMA reports
- Used FIPS 200 to select 800-53 rev.4 controls for the system
- Lead Security Analyst for six Program Offices consisting of twenty systems. In this role tasks included performing full scope Security Assessment and Authorization (SA&As) - including ST&Es while applying Confidential 800-53 rev.4, Confidential 800-53 A rev.4, Confidential 800-26, Confidential 800-30 rev.1, Confidential 800-87, Confidential 800-18 rev.1, and Confidential 800-37 rev.1 for the OITS and CISO.
- Assisted CISO’s, System Owners, Program Managers, Stakeholders and staff members with writing and updating their annual security documentation. This included Contingency Plans (CP), Risk Assessments (RA), and System Security Plans (SSP), Self-Assessments, conducting Contingency Plan Tests (CPT) and resolving POA&Ms (Plan of Action and Milestones) vulnerability weaknesses. Provided content updates to the CBT Security Awareness Training as well as training BU POCs about OITS security requirements and updates as needed. Provided expertise to Program Offices for risk remediation, CM, analyzing vulnerability scans, tested security controls, and document policies and procedures.
- Completed Privacy Threshold Analysis (PTA) for all systems in order to determine if a Privacy Impact Assessment (PIA) is needed.
- Completed PIA for all systems that have personally identifiable information on non-Confidential employees or contractors.
- Conducted FISMA compliance reviews with each Program Office. Assisted Office of Information Technology Security (OITS) staff members as needed on high priority projects, and tasks. Requested to lead tasks by the OITS Director and CISO.
- Developed Department of Energy ( Confidential ) Continuous Monitoring Plan that includes: Configuration Management and Control, Security Control Monitoring, and Status Reporting and Documentation
- Developed several system security documentation templates (including System Security Plan, Risk Assessment, Self-Assessment, Contingency Plan, Memorandum of Understanding/Agreement (MOU/A), Configuration Management Plan, Plan of Action and Milestones, Security Test & Evaluation, and Certification & Accreditation Statement).
- Developed Contingency Plans per Confidential SP 800-34 rev.1.
- Established plan of action and milestones (POA&M)
- Reviewed POA&M weaknesses to be validated for closure.
- Lead IT Team in addressing and validating findings and weaknesses
- Ensured POAM remediation is performed in compliance with the Confidential’s policies and standards
- Applied FIPS 199 categorizations to all information types
- Maintained professional demeanor, attitude and appearance at all times while on duty, in order to represent Computer Technologies Consultants in a positive and competent manner.
- Developed a Security Assessment and Authorization (SA&A) statement (Letter)
- Used NESSUS Scan Tool to scan the information system.
- Development of the overall SA&A project Plan, the SA&A Process Guide, the Plan of Action Process Guide, and different evaluation compliance Checklists.
- Determined acceptability of risks identified in self-assessment
- Advised Headquarters Security Officer within the Office of Chief Information Officer of corrective actions for security incidents
- Conducted physical inspections of sensitive areas, equipment and information
- Created Standard Operating Procedures for personnel security in compliance with Security Officers initiatives
- Processed information on foreign travel and foreign visitation requests
- Analyzed and cross-referenced the sufficiency of technical content of component security documentation against existing Cyber Security guidance researched and authored through the DHS 4300a Security System Handbook, DHS Document Review Checklist, Confidential Special Publications 800-53 rev. 4 and 800-53 A rev.4.
- Provided SME critical feedback and recommendations based on content and technical sufficiency of security documentation to Quality Assurance and Assessment Team Leads.
- Provided metrics to Quality Assurance Team Lead from completed projects to participate in lessons learned activities following the analysis of component system security documentation, with the intent of developing a streamlined process for the future assessment of various security documents.
Confidential, Washington, D.C
Information System Security Officer (ISSO)
Responsibilities:
- Gathered and created system security documentation (System Security Plan, Risk Assessment, Contingency Plan, and Security Test & Evaluation).
- Identified key requirements and gaps; provided solutions for clients utilizing best practices.
- Promoting information security awareness.
- Ensuring media handling procedures are followed.
- Complying with APD training requirements for individuals with significant security responsibilities.
- Identified, tracked, and monitored security deficiencies.
- Assisted with the implementation of security risk management strategies and contributed expertise in formulating a successful security program.
- Developed high-quality assessments that provide an understanding and resolution to security-related events.
- Developed and documented vulnerabilities, solutions, countermeasures for identifying signatures.
- Applied Confidential 800-60 I&II rev.1 categorizations to all information types
- Applied FIPS 199 categorizations to the information system
- Used FIPS 200 to select 800-53 rev.4 controls for the system
- Performed 800-53 A rev.1 security self-assessment
- Determined acceptability of risks identified in self-assessment
- Development of the overall SA&A project Plan, the SA&A Process Guide, the Plan of Action Process Guide, the Security Assessment and Authorization IT system Inventory guide, and the Security document templates (System Security Plan, Risk Assessment, Security Test & Evaluation, Contingency Plan, Configuration Management Plan, Memorandum of Understanding/Agreement, and different evaluation compliance Checklists to evaluate the security documents).
- Established plan of action and milestones (POA&M)
- Included all of above (and other required information) in SA&A package
- Conducted briefings and knowledge transfer of information security related issues to management and coworkers.
- Communicated all project related issues and project status efficiently.
- Consistently looked for opportunities to improve processes, and implemented appropriate ideas.
- Created and ensured accuracy and currency of technical documentation as needed.
- Conducted or participated in meetings with stakeholders and various IT vertical teams and discussed project issues, risks and status.
- Stayed abreast of latest developments and technologies in network security/information assurance to ensure applicability of services delivered.
- Developed Privacy Impact Analysis (PIA) and Privacy Threshold Analysis (PTA)
- Put together a common controls list spreadsheet
- Developed the Amtrak Police Department Information Technology Security Policy
- Mentored and trained all team members in the various activities associated with the Certification and Accreditation effort (i.e., IATO, ATO, Annual Review, and Application Risk Assessment).
- Developed timelines to identify the major milestones for the site’s SA&A effort in order to meet the time constraints imposed by the Authorizing Official signature date with the customer’s schedule.
- Attended weekly status meetings to discuss issues involving the Certification and Accreditation effort.
- Addressed privacy issues within the Department’s information-management offices and assisted with resolving any privacy related issues.
- Provided guidance on policy implementation and reviewed proposed privacy policies in its area of responsibility to ensure issues are adequately addressed.
- Performed two Systems Security Assessments & Authorizations and Security Test & Evaluations (ST&E) using Confidential Special Publication 800-37 Rev.1, 800-53 Rev.3 & 800-53 A Rev.1
- Developed general privacy awareness training in coordination with the Amtrak IT Office for Amtrak Police Department staff and contractors and specialized privacy training for System Owners, and Program Office Managers.
- Have knowledge of workplace, data protection and common privacy principles and approaches, global data protection models, information security controls and online privacy protections
- Ensured the system is operated, used, maintained, and disposed of in accordance with internal Amtrak security policies and procedures. Necessary security controls should be in place and operating as intended.
- Assisting the Authorizing Official in the system certification and accreditation (C&A) and creating and maintaining C&A documentation. In coordination with the System Owner, develop and update the system security plan as well as managing and controlling changes to the system and assessing the security impact of those changes.
- Advising System Owners of risks to their systems and obtaining assistance from the ISSM, if necessary, in assessing risk.
- Reviewing Security Advisory Alerts on vulnerabilities.
- Working with the ISSM and System Owners to develop, implement, and manage POA&Ms for assigned systems in accordance with CIO IT Security-09-44, “Plan of Action and Milestones (POA&M).”
- Reviewing system role assignments to validate compliance with principles of least privilege
- Evaluating known vulnerabilities to ascertain if additional safeguards are needed; ensuring systems are patched, and security hardened.
- Complying with APD training requirements for individuals with significant security responsibilities.
- Created information security training sessions for specific lines of business
- Developed internal policies and procedures compliant with FISMA regulations and SP 800-53
- Informed internal business groups of government regulated information security standards
- Reviewing system security audit trails and system security documentation to ensure security measures are implemented effectively.
Confidential, Clinton, MD
Senior Information Security Analyst/ Deputy Project Manager
Responsibilities:
- Developed the System Security Plan using documentation policy, Confidential Special Publication 800-53 rev.4, Confidential 800-53 A rev.1, and Confidential 800-18 rev.1
- Put together Security Assessment & Authorization Package
- Developed System Information Self-Assessment for HUD systems using Confidential 800-26, Confidential 800-53 rev 4, and Confidential 800-53 A rev.1
- Provided support in the creation, maintenance, and completion of relevant documents needed for SA&A
- Ensuring Privacy Impact Assessments (PIAs) are completed for IT systems that are new, under development, or undergoing major modifications which impact Privacy Act data.
- Participated in major Information Security projects including ST&E, evaluation, development, and testing of information system contingency plan, and system Re-categorization using FIPS 199 and Confidential Special Publication 800-60 Rev.1 volume I & II
- Met short delivery schedule for the development of Business Impact Analysis, Risk Assessments, IT Contingency Plans, IT System Security Plans, Plan of Action and Milestones, and IT Security Test and Evaluations of seventy (70) Information Systems
- Created System Plan of Action & Milestones (POA&Ms) of several HUD systems
- Used Compliance Review Checksheet to evaluate system’s compliance
- Reviewed POA&M weaknesses to be validated for closure.
- Led in/out briefings, interviews, and written formal recommendations for the client
- Well versed in the FISMA Implementation Project, FIPS and Confidential Special Publications.
- Attended weekly briefing meeting with HUD system’s Owners.
- Developed several system security documentation templates (including System Security Plan, Risk Assessment, Self-Assessment, Contingency Plan, Memorandum of Understanding/Agreement (MOU/A), Configuration Management Plan, Plan of Action and Milestones, Security Test & Evaluation, and Certification & Accreditation Statement).
- Devised ST&E activity results and developed recommendations
- Support development of Security Control Assessments (SCA) based on Confidential SP 800-53 Rev4.
- Developed Contingency Plans per Confidential SP 800-34 rev.1.
- Developed Business Continuity and Disaster Recovery Planning
- Followed system development methodology, utilized appropriate templates, produced all required documents and ensured all required signatures had been secured.
- Performed Risk Assessments based on Confidential Risk Management guidance
- Support development of Risk Assessments documents.
- Conducted Contingency plan Table Top, Structured walk-through, Simulation testing.
- Followed quality assurance techniques and processes to develop formal reviews and out-brief(s).
- Developed Plan of Action and Milestones (POA&M).
- Communicated and documented risks in Risk Assessment Reports
- Developed accreditation and certification letters.
- Performed more than 100 C&As using Confidential Special Publication 800-37 Rev.1, 800-53 Rev.4 & 800-53 A Rev.1.
- Reviewing system security audit trails and system security documentation to ensure security measures are implemented effectively.
- Ensuring Privacy Impact Assessments (PIAs) are completed for IT systems that are new, under development, or undergoing major modifications which impact Privacy Act data.
- Working with the ISSM and System Owners to develop, implement, and manage POA&Ms for assigned systems in accordance with CIO IT Security-09-44, “Plan of Action and Milestones (POA&M).”
- Served as liaison between the Office of IT Security (OITS), the Information Systems Audit Division and the Office of the Inspector General for providing documentation, and responding to their needs in completion of FISMA reports.
Confidential, Sterling, VA
Senior Information Security Analyst
Responsibilities:
- Performed Business Impact Assessment
- Met short delivery schedule for the development of Business Impact Analysis, Risk Assessments, IT Contingency Plans, IT System Security Plans, Plan of Action and Milestones, IT Security Test and Evaluations of twenty (20) Information Systems, and Information System Security policies (12)
- Analyzed output from network vulnerability assessments and recommended mitigation strategies.
- Supported development of Security Control Assessments (SCA) based on Confidential SP 800-53 rev.4, and Confidential 800-53 A Rev.1
- Assisted in establishing and maintaining security products to include firewalls, intrusion detection systems, antivirus, patch management, etc.
- Documented security requirements, policies, and procedures.
- Led in/out briefings, interviews, and written formal recommendations for the client
- Well versed in the FISMA Implementation Project, FIPS and Confidential Special Publications
- Experience in developing security Policies, and performing certification and accreditation of information using Confidential Special Publication guidelines 800-37 rev1.
- Performed vulnerability testing on new systems before placed in production.
- Reviewed and provided input into network designs to ensure compliance with security and enterprise architecture.
- Provided support in the creation, maintenance, and completion of relevant documents needed for Certification and accreditation.
- Re-created and updated the System Security Plan using documentation policy and Confidential special publication 800-18 Rev.1.
- Conducted Contingency plan Table Top, Structured walk-through, Simulation testing
- Gathered information to compile and completed Risk Assessments based on documentation policy and Confidential Special Publication guidelines 800-30 Rev.1
- Developed System Security Plan Controls stated in 800-53 rev4.
- Developed, Communicated, and documented risks in Risk Assessment Reports
- Developed Security Test & Evaluation Reports.
- Developed Security Control Assessment for General Support Systems (GSS’s) and Major Applications (MA’s).
- Administered and maintained user access control systems by providing controls, processes, and procedures to prevent the unauthorized access, modification, disclosure, misuse, manipulation, or destruction of information.
- Conducted InfoSec technical Risk Assessments and prepared reports of the results for presentation to management.
- Supported development of Contingency Plans, Disaster Recovery Plans, and Contingency Plans Test (TableTop, Structured Walkthrough, and Simulation) template.
- Developed Plan of Action and Milestones (POA&M).
- Devised accreditation and certification letters.
- Managed the activities of Technical Writers and Security/Quality Assurance Analyst.
- Performed requirements analysis for a wide range of users, with a focus on quality control
- Developed supporting documentation in support of Security Assessment and Authorization (SA&A), the Office of the Housing (HSG), FISMA reporting, FISCAM audits, Office of Management and Budget (OMB) A-123, OMB A-127, OMB A-130 assessment
- Developed Contingency Plan based on documentation policy and Confidential guidelines 800-34 rev.1.
- Developed several IT Security Policies (Contingency Planning, Audit and Accountability, System and Information Integrity, Risk Assessment, Physical and Environmental, Configuration Management, Security Awareness and Training, Rules of Behavior Acceptable Use, Security Roles and Responsibility and Separation of Duties and Functions, Review/Improve vendor Security, Incident Response, Password Creation & Management, Personnel Security, Patch Management, Data Classification, and Media Protection and Handling Mechanisms for Sensitive Assets) for Upper Occoquan Service Authority.