- I am a Cyber Security professional with 8+ years' experience in Information Assurance and Cyber Security.
- Over the past couple of years, I have worked on Compliance and Authorization packages, Risk Assessments, participated in Audit engagements, and the Independent Verification and Validation (IV&V) for assessments of IT Security controls to ensure Confidentiality, Integrity, and Availability of System resources.
- I possess strong problem-solving and Project Management skills as well as practical experience in various frameworks such as the Confidential Risk Management Framework (Confidential-RMF) and commercial frameworks such as HIPAA, HITRUST, SOX, COBIT, PCI and ISO.
- I am highly capable of working independently or in a team environment with strong verbal and written communication skills.
- Development of various deliverables including Security Control Assessment Plan (SCAP), Prepared by Client (PBC) List, Rules of Engagement (ROE), Work Breakdown Structure (WBS), Security Assessment Report (SAR), Vulnerability Assessment Report (VAR), and various documentation for kick-off and close-out meetings.
- Conducted Security Control Assessments of technical, management, operational and privacy controls for audited applications and FedRAMP systems by examination of various artifacts provided by the client, interviewing system Subject Matter Experts (SMEs) and validation of security controls.
- Reviewed System Security Plan (SSP), Configuration Management Plan (CMP), Contingency Plans (CP), Incident Response Plans (IRP), Rules of Behavior, Memorandum of Understanding (MOU), Interconnection Security Agreements (ISA), and various organizational and system-specific Policy and Procedure documents in accordance with Confidential SP 800-53 rev 4, 800-37, 800-18, 800-30.
- Managed Plan of Action and Milestones (POA&M) process to address audit findings.
- Reviewed Residual Risk, Risk Analysis and Threat Matrix reports as part of conducting control reviews for various security assessments.
- Knowledge of best practices with emphasis on various frameworks such as FISMA, COBIT, PCI-DSS, HIPAA, HITRUST, HITECH, ISO 27K, SSAE16.
- Experienced in audit, C&A (Certification and Accreditation) packages and Risk Assessment of GSS (General Support Systems), MA (Major Applications) and MI (Minor Applications).
- Reviewed scan reports documented in Vulnerability Assessment Reports (VAR) obtained from HPE WebInspect scans of web applications and web services, and from Nessus scans of web servers, networks and other assets.
- Knowledge of the System Development Life Cycle and Vulnerability Management tools leveraging FISMA and applicable Confidential standards.
- Knowledge of risk and compliance assessments, and in-depth knowledge of HIPAA and HITRUST requirements.
- Experience with interpreting HIPAA and HITRUST requirements and leading organization-wide efforts to implement the required technical, administrative and physical controls.
Security Technologies: Anti-Virus Tools, HPE WebInspect, Nessus
Systems: Unix, Windows, Linux, MySQL, Oracle
Networking: Familiar with LANs, WANs, VPNs, Routers/Switches, Firewalls, TCP/IP
Software: MS Project, CSAM 4.0, SharePoint, Splunk, MS Office suite (Word, Excel, PowerPoint, Access, Outlook).
Sr IT Security Engineer
Confidential, Washington, DC
- Performed an Independent Verification and Validation (IV&V) review of assigned systems to determine whether the systems were in compliance with Confidential 800-53 rev 4 requirements.
- Supported the appropriate tailoring of controls to safeguard sensitive data and validated those controls against Confidential 800-53 rev 4 requirements.
- Developed various deliverables including Security Control Assessment Plan (SCAP), Prepared by Client (PBC) List, Rules of Engagement (ROE), Work Breakdown Structure (WBS), Security Assessment Report (SAR), Vulnerability Assessment Report (VAR), and various deliverables for kick-off and close-out meetings.
- Analyzed System Security Plans (SSP), Risk Assessment Reports (RAR), Privacy Impact Assessments (PIA), system-specific and organizational policy and procedure documentation, and Plan of Action and Milestones (POA&M) artifacts provided by POCs for review as part of assessment efforts.
- Conducted Security Control Assessments for technical, management, operational and privacy controls of internal and external client applications and FedRAMP systems using Confidential 800-53A rev 4.
- Interviewed subject matter experts (SMEs) to validate system information and to provide clarity where appropriate.
- Conducted reviews of various security scan reports (Nessus and WebInspect tools) and documented findings in the vulnerability assessment report for client review.
- Conducted assessments on systems using Security Certification and Accreditation package (SC&A) deliverables in order to obtain an Authority to Operate (ATO) approval.
- Reviewed and updated security artifacts that included SAPs, SSPs, POA&Ms and Remediation Plans.
- Reviewed system and network vulnerability scan reports to identify and remediate potential risks.
- Performed Security Control Assessments by reviewing artifacts and implementation statements provided by the ISSO to determine whether the security controls were producing the desired result.
- Updated the control changes from Confidential 800-53 rev 3 to Confidential 800-53 rev 4 and the control assessment changes from Confidential 800-53A to Confidential 800-53A rev 4.
- Established schedules and deadlines for assessment activities through the use of WBS.
- Held kick-off and weekly meetings with system POCs prior to assessment engagements and updated them on vulnerabilities discovered to date.
- Supported the development of Security Assessment Plan (SAP) prepared for ISSO approval.
Sr IT Security Engineer
Confidential, Baton Rouge, LA
- Supported the development of a risk management program using relevant COBIT 5 Risk Scenarios, mapping associated managed risks (e.g. SOC 2 Trust Services Principles - Common Criteria) to ensure controls are linked with the associated people, process and tool details.
- Conducted walk-through assessments of each program boundary (e.g. asset management) to ensure SANS Top 20 controls are addressed. Conducted triple-tier risk reviews by employing interviews/questionnaires to capture key "in-scope" applications and technologies supporting critical business processes, and consolidated risk scores for each department as a whole.
- Supported compliance efforts such as controls cataloging, controls mapping (i.e. Confidential 800-53, CSF, PCI, SOC 2, etc.), upkeep of the controls library, performing Access Control Reviews (ACRs), and following Remediation Plans aimed at addressing gaps in preparation for external audits.
- Hands-on operational experience engaging with all technical staff in order to communicate and ingest supporting details and artifacts.
- Performed interviews with stakeholders and articulated control deficiencies and remediation techniques both internally and with client senior management.
- Maintained a working partnership between System Owners/Teams and the ISSO Analyst team in order to maintain/update/track policy documentation submittal, and approve statuses, review working memos and templates.
- Participated in Vulnerability Assessment; ensured that risks were assessed, evaluated and proper actions taken to limit their impact on the Information Systems.
- Reviewed existing documents, policies and procedures, and previous assessments reports.
IT Security Compliance Analyst
Confidential, Rockville, MD
- Reviewed relevant HIPAA Security policy documentation implemented to safeguard the integrity, confidentiality, and availability of ePHI.
- Ensured the availability of relevant HIPAA Security policies and procedures to all Health Care Centers (HCCs) and their Workforce Members.
- Audited compliance of the HCCs with the HIPAA Security policies, in cooperation with Internal Audit, the Office of Compliance, and the office of Kaiser's Privacy Official.
- Supported the company’s annual HIPAA Security risk assessments and reviewed management remediation plans for identified risks and vulnerabilities in consultation with the IT Security team and the Office of Compliance.
- Assisted the Privacy Official's office in investigating, mitigating, and resolving HIPAA incidents involving ePHI.
- Performed site HIPAA audits to ensure compliance with HIPAA regulations.
- Assisted in performing periodic internal audits to ensure compliance, as well as preparing material for any external IT audit from delegated Health Plans or State and Federal agencies as needed.
- Assisted with administration, management, and reporting for security assessments and ongoing monitoring activities, e.g. SOC 2 Type II, SOX, ISO/IEC 27001, PCI DSS, HIPAA.
- Tested information security controls across multiple business processes and/or locations, ensuring implementation techniques met the intent of organizational compliance frameworks and security requirements.
- Updated policies and procedures describing security requirements, guidance, and standards for organizational information systems and architecture.
- Monitored the regulatory requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- Coordinated initial and periodic information privacy risk assessments and conducted related ongoing compliance monitoring activities in coordination with the client.
- Participated in gap assessment, compliance readiness, and compliance monitoring activities.
- Collaborated cross-functionally with technology and business stakeholders to drive, track, and resolve all aspects of compliance readiness.
- Interfaced with external auditors to facilitate compliance audits.
- Coordinated delivery of audit milestones and ensured audit timelines stayed on target by identifying and escalating roadblocks.
- Facilitated and tracked remediation, corrective action plans.
- Participated in continuous improvement initiatives.
- Assisted in the development of metrics and dashboards.
IT Security Consultant
Confidential, Atlanta, GA
- Supported the internal audit processes in creating internal audit reports for management review.
- Supported the review of Business Impact Analysis (BIA) documentation to determine and evaluate the plausible effects of an interruption to crucial business operations as a result of a disaster, accident or emergency.
- Assisted in identifying vulnerabilities and security risks inherent in new technology, products and external vendor relationships.
- Supported the identification and integration of risk management tools and worked towards compliance and risk minimization for non-compliant IT infrastructure such as Business applications, Mobile applications, and Financial Transaction and Reporting applications.
- Coordinated with regulators and auditors to provide them with the required validation reports and documentation for various audits.