Managing Principal / Information Security Program Director Resume

Charlotte

SUMMARY:

  • Have led or managed the development, implementation, monitoring and enforcement of various security, technology driven and compliance programs.
  • Information/Cyber Security/Privacy - Program and policy development. Procedures and SOP development.
  • Risk Management - Analysis, Assessments, Remediation, Reporting, Configuration Management, SDLC
  • Process and Tool - RSAM, Archer, Paisley, Agiliance, etc.
  • Audit - Performed and/or reviewed audit language (SSAE16, FFIEC internal and external) for accuracy and corrective action.
  • Regulatory Compliance - policies based on federal public and private vertical markets- Hands on knowledge of major regulations (GLBA, HIPAA, PCI, CIP, DHS 4300, NERC, FedRamp) and SCADA/ICS.
  • Program/Project Management - Program and project management, SOW’s, RFPs - Metrics Expert, PMBOK, PMI; author SOW’s and scope projects
  • Process Methodologies/Frameworks - NIST, ISO, CoBit, COSO, Business process/requirements mapping and process re-engineering, SDLC
  • Security Training - development of security policies, training, metrics and employee compliance
  • Disaster Recovery/Continuity - policies referencing the obligation of entities and individuals during emergencies and disasters.

PROFESSIONAL EXPERIENCE:

Managing Principal / Information Security Program Director

Confidential, Charlotte

Responsibilities:

  • Perform Information Security Program Assessment - using NIST and ISO frameworks and the CoBiT maturity model
  • Advise client on strategy and security implementation.
  • Vetted all existing policies and prepared policy gap analysis.
  • Provide future roadmap for client to include organization structure (Vulnerability management, SOC, patching, asset inventory management)
  • Prepare reports reflecting security solutions available as offerings (MaaS, SaaS).
  • Advised bank on setting up Information Security Program.
  • Revised Organizational Structure to better address “best practices”
  • Pointed out/determined gaps in current processes.
  • Advised COO and CISO on asset inventory, configuration management, DLP and SIEM requirements.
  • Advised on EU regulatory requirements.
  • Provided guidance on specific HIPAA and PCI compliance
  • Suggested security solutions available (SaaS).
  • Review and create technical, operational and administrative compliance documentation for health, government, and corporate regulatory compliance. (HIPAA, GLB, FERPA, NERC CIP, SOX)
  • Provide consultation to develop practice guidance.
  • Develop security policies and policy templates
  • Trained staff on NIST guidance and security control requirements.
  • Develop processes to map to specific frameworks

Information Systems Security Manager/Compliance Manager

Confidential, Washington, DC

Responsibilities:

  • Ensure all systems are secure and compliant with existing security controls. Ensure all risks are accurately assessed and are either managed or mitigated (firewalls, routers, MFDs, apps, all infrastructure, OWASP, mobile devices).
  • Develop new policies and Standard Operating Procedures (SOPs) as necessary relative to internal and federal regulations.
  • Developed new processes for NOC and SOC
  • Advised organization on SIEM, DLP, IDS/IPS considerations and configurations
  • Serve as Security Compliance Reviewer, Technical Reviewer, Product Evaluator and Change Advisory Approver - Ensure evaluation and approval process for all hardware and software - performing application and product testing. Primary security contact for all new vendors submitting RFP responses to product request.
  • Wrote SOPs for all hardening requirements and changes (Windows, MFD, UNIX, Linux, mobile).
  • Program management (mobile apps and access), Virtual Desktop Infrastructure (configuration management) and Headquarters
  • Evaluated all new technology, applications and network devices as well as OpenSource Applications and created SOPs for usage /non usage of those apps.
  • Oversaw alleged information security violations and conduct investigations as needed.
  • Review Privacy Assessments, Contingency Plans, Security Plans and Configuration plans as needed.
  • Advise on Program direction, current security posture, persistent threats and modernization efforts.
  • Alternate lead for the Security Authorization of Confidential.
  • Scope projects and submit updated SOW’s

Principal Security Consultant - Audit/Compliance Project Manager

Confidential

Responsibilities:

  • Critique and advise on the development of Security/Compliance program. Review ISP Charters/Executive Summary
  • Review, vet and develop policies as necessary.
  • Serve as project lead for team audits (Data Management, Data Governance, Technical Controls)
  • Review of previous SSAE16 and FFIEC audits; close outstanding issue items. Validation of controls from previous audits, observations and interviews. Reviewed architectural design for compliance.
  • Performed independent PCI, SOX, GLB and HIPAA audits and security assessments.
  • Advised on control implementation to reduce or enable fraud detection and tracking.
  • Create value-added documentation, templates and checklists to ensure efficient, repeatable processes.
  • Develop process documentation to map to various frameworks (ISO, CoBIT, COSO, NIST)

Information Systems Security Officer

Confidential, Washington, DC

Responsibilities:

  • Led or assisted in the drafting of the Charter, Executive Summary, Strategic Plan and presentations.
  • Consult on enterprise security architecture design compliance, including IACS network architectures, SCADA systems and WMATA-specific requirements
  • Policy Compliance and Governance - Managed the periodic policy review, data governance and created strategies to monitor and enforce policies based on Critical Infrastructure Protection (CIP) guidance.
  • Wrote processes for cyber security departments (SOC) and advised on tools.
  • Wrote SOP’s for hardening, SIEM solutions, encryption techniques.
  • Worked with Linux, AIX engineers to remediate vulnerabilities.
  • Program Manager directly responsible for ensuring PCI Level 1 Merchant and HIPAA-related Security/Privacy compliance
  • Worked with all Metro departments, engineers, QSA
  • Prepared Report on Compliance (ROC), Self-Assessment Quarterly and Annual Questionnaires
  • Managed the SDLC process of Financial (and high risk) systems
  • Benchmarked Information Security Governance, Risk Management & Compliance programs against industry models; developed and managed the information security risk and assurance management program to meet jurisdictional and legal requirements.
  • Ensured all business units were compliant with architectural compliance requirements and policies during and post SDLC process, including OWASP.
  • Advised SOC organization on SIEM, DLP, IDS/IPS, firewall considerations and configurations.
  • Reviewed and recommended vendor contract language. Participated in the RFP and SOW development and review process.
  • Managed investigations for IT security and privacy breaches - Ensure chain of custody and provide recommendations.
  • Developed and managed process for internal and external fraudulent activity, including evidence collection and investigations.
  • Developed processes/procedures and worked with engineers, architects and system admins on all logging, hardening configurations and patch management to include SCADA systems.
  • Ensured all employees, including management received and passed IT Security Training.
  • Developed Metrics - Performance measurements, security posture and risk gaps for executive leadership
  • Continuity of Operations/Disaster Recovery - Main POC for agency’s COOP - updates, testing, training and dissemination.
  • Work with third-party vendors and consultants. Ensure SaaS vendors have proper compliance certifications and ensure the inclusion of security in Statement of Work.
  • Mapped PCI, best practices and NERC.

Deputy Chief Information Security Program Manager

Confidential, Fairfax, VA

Responsibilities:

  • Conducted information security and business continuity assessments of vendors providing services for Confidential.
  • Provided framework for implementing and ensuring governance and compliance processes for federal mandates (SOX, SEC).
  • Reviewed and recommended policy and vendor contract language changes
  • Ensured the Internal Controls over Financial Reporting (ICFR) mapped to overall risk process.
  • Developed process for internal and external business partner fraudulent activity, including evidence collection and investigations.
  • Managed the C&A process including the engineers, assessors and technical writing staff.
  • Determined and validated the security controls for Confidential global business partners, vendors and consultants to ensure security and privacy controls are in place for general certifications, utilizing NIST and ISO 27001 guidance.
  • Managed both the Technical, Operational and Physical risk assessments to include all data centers and Global Partners. Advised on corrective action and remediation of vulnerabilities found through scanning or CERT.
  • Developed information security awareness and training documentation to include privacy.
  • Developed Disaster Recovery and Continuity of Operations plans.

Task Mgr/Global Tech. Risk and Security SME - Product Manager

Confidential, Falls Church, VA

Responsibilities:

  • Identify risk associated with data management and governance
  • Provided SME consultation to developers, engineers and COR on all compliance-related matters including documentation, risk analysis/mitigation (operational/technical), policies and regulatory requirements
  • Worked with engineers, architects and system admins on all logging and hardening configurations.
  • Created and/or vetted all technical documentation (network, dataflow, technical diagrams) for accuracy.
  • Ensured all technical and business requirements were documented accurately. Managed technical integration projects to include the planning, development, testing and deployment as well as project task and budget line items.
  • Heavy metrics and presentation responsibilities.
  • Participated in the RFP and SOW development and contract review process.
  • Reviewed/Approved required artifacts, including Risk Assessment, System Security Plan, Disaster Recovery and Continuity of Operations
  • Write SOW’s, RFPs, and project guidelines
  • Change/Configuration Control Board Member

Information Assurance Project Manager

Confidential, Falls Church, VA

Responsibilities:

  • Managed all application, workstation, server, mainframe and network device vulnerability scans and penetration testing.
  • Conducted internal assessments to evaluate the network controls and effectiveness of policies and standards.
  • Ensure all systems are properly characterized and controls are implemented.
  • Provided SME consultation on all remediation efforts. Gave recommendations to improve compliance with information security policies, standards and external requirements
  • Provided weekly performance metrics.
  • Ensured compliance with DIACAP and prepared presentation to management on the security posture of site.
  • Assist in the development of POA&Ms, MOAs and LOAs
  • Manage the development of: Risk Management Plan, Security Test Plans, Incident Response, Continuity, Physical Security Assessments, Security Awareness and Training, Security Design and Concept of Operations.

Security Program Manager

Confidential, Washington, DC

Responsibilities:

  • Responsible for the overall risk analysis of target agency information.
  • Conducted internal assessments to evaluate the network controls and effectiveness of policies and standards.
  • Ensured project plans/milestones for nine (9) DC agencies were met during the mitigation process.
  • Authored all technical, physical and administrative relevant agency policies and procedures.
  • Responsible for researching new/cost effective technology and development of RFP and IDIQs.
  • Managed vulnerability assessments, risk assessments/mitigation, IV&V, disaster recovery/business continuity plans and facility security plans.
  • Developed training modules: General Awareness, Workforce, and Information Security Officers training.

Director of Information Systems/ Chief Information Security Officer

Confidential

Responsibilities:

  • Served dual roles - Oversaw all IT infrastructure (servers, workstations, routers, firewalls) and physical environment - purchasing, business cases, installation, management
  • Provided a wide range of KRI, metrics and analysis for state officials.
  • Provided guidance and program management for all areas of risk, mitigation, policy enforcement and compliance.
  • Direct responsibility for all HIPAA Security related programs and assumed responsibilities of Privacy Officer in his/her absence.
  • Assisted in the development of a state-wide EHR application (HEARTS). Researched, purchased and managed all new technology.
  • Interpreted regulations, managed compliance process and ISO 17799 audit requirements
  • Wrote all security policies and procedures, including facility security plans and risk/security awareness/training
  • Developed and authored agency-specific Continuity of Operations, Business Continuity and Disaster Recovery Plans. Co-authored state-wide COOP templates

Managing Principal / Information Security Program Director

Confidential, Charlotte

Responsibilities:

  • Provide Certification and Accreditation consulting
  • Provide Information Security Program consulting/assessment
  • Provided day-to-day operations of enterprise security consulting in the areas of information asset management, risk and vulnerability management, audit and compliance, security awareness and training.
  • Develop SOW’s, RFPs and new business
  • Developed training documentation for GLBA, SOX, AML and HIPAA compliance processes.
  • Business development across all vertical markets.
  • Developed FISMA, ISO 17799, 27001 and NIST crosswalks and mapping.
  • Provided guidance on developing, implementing and effectively managing security processes and programs (BCP, Incident Response Planning, Risk Management, Vulnerability Management, and Privacy)
  • Led research and development of intrusion prevention models using a trusted framework and an anomaly approach.

Vice President

Confidential, Charlotte, NC

Responsibilities:

  • Access Compliance Review team developed processes to mitigate all risk associated with user access and produced enterprise-level access reports used in audit, budget and compliance processes. Created an automated access review process to achieve non-repudiation and enforce regulatory compliance (SOX, GLBA).
  • Developed new policies to address compliance.
  • Monitored access control processes, ID management, access violations, exception access and compliance.
  • Application Product Support team provided first/second level support for all in-house and vendor-supplied applications used for access administration and control
  • Developed logging and event monitoring solution (SIEM)
  • Led program dedicated to implementing a HIDS solution. Conducted research and provided SOP, Proof of Concept, RFP and configuration guidelines.
  • Investigative support team (AML, SOX, GLBA, internal fraud) provided audit trail reports to track all fraudulent/suspicious financial transactions, and breaches to customer information.
  • Performance Metrics team developed and utilized performance measurement process flows from various databases to produce meaningful security metrics for senior management, business resumption and process re-engineering, and to measure security posture and levels of compliance with existing policies.
  • Audit - Met with and responded to OCC regarding GLBA and AML compliance, privacy, internal monitoring and policy compliance. This included responding to action items, updating and managing action plans, and researching emerging technology geared at compliance.
  • Policies - Partnered with the Policy and Standards group and created new audit, logging, exception access, and access review policies based on GLBA and SOX requirements.
  • Gave recommendations to improve compliance with information security policies and standards and external requirements
  • Partnered with business units, provided security awareness training and gave presentations on the effectiveness of good security practices and continuous compliance to line of business managers.

Regional Technology Support Manager/Security Administrator

Confidential

Responsibilities:

  • Performed all duties/functions associated with IS Manager, including the region-wide security of client/servers, network, applications, and physical components of infrastructure.
  • Authored and administered all policies relative to computer use restrictions and internet practices.
  • Developed and maintained disaster recovery plans and contingency procedures for information systems and data security. Co-authored PLCMC ‘Continuity Book’, and provided contingency documentation.
  • Configured and documented user/group policies, audit policies and performed server builds, hardware installation, maintenance and upgrades.
  • Advised county library system on various risks and associated network and host defense methodologies.
  • Met with and responded to state auditors and subsequent issue items to ensure compliance with policies.
  • Established and participated on Incident Response team. Performed necessary vulnerability assessments, and virus response/control.
  • Completed asset management including evaluation and approvals for hardware/software licensure, maintenance agreements, and equipment leases, as well as enterprise-wide inventory tracking.

Disaster Recovery Operations Contractor

Confidential, Charlotte, NC

Responsibilities:

  • Assisted vendor customer engineers with various hardware installations and documented all procedures.
  • Wrote operational procedures, installation guidelines and recovery procedures relative to offsite backup collection and retrieval.
  • Set up controls for operator and exception access on Unisys, DEC/VAX and NetWare platforms.
  • Developed reports to measure resource utilization, document data classification, and control verifications.
  • Worked with specified data owners and performed custodial functions.
  • Ensured critical applications were properly backed up and retention periods were adhered to.
  • Ensured the availability of all resources including TI’s, platforms and applications for contingency.
  • Maintained relationship with various vendors.

Vice President - Operations Manager

Confidential, New Hyde Park, NY

Responsibilities:

  • Performed physical security and operational risk assessments and ensured the data center was compliant with associated regulations, e.g. OCC, FDIC, FFIEC
  • Wrote operational procedure documentation for security, data processing, and contingency, to be used corporate wide. Contributing author for the bank standard ‘Disaster Recovery’ manual.
  • Participated in and responded to all audits relative to data center functionality and physical security.
  • Functionally responsible for all production scheduling, processing, quality assurance, problem resolutions, disaster recovery, resource utilization monitoring, system upgrades, and maintenance.