
Senior Information Security Specialist Resume


SUMMARY OF QUALIFICATIONS:

  • Experienced information security analyst and assurance professional with over 23 years of experience supporting Federal Government and commercial information technology.
  • Over 18 years of experience in Information Security with extensive knowledge and experience with Confidential, HIPAA, ISO 27000, and associated System Authorization processes and procedures.
  • Technical experience spans software and system level design, development, integration, testing, operations, and maintenance of distributed, internetworked, client-server, and web-based computer systems. Strong verbal and written communication skills.

TECHNICAL KNOWLEDGE:

Security Standards/ Frameworks: COBIT, ISO/IEC 27001, NIST CSF, PCI DSS, DIACAP, HIPAA

Databases: Oracle, MySQL, MSSQL

Web Development: Java, PHP, JavaScript, Perl

Web Servers: IBM WebSphere

Cloud Infrastructure (IaaS, PaaS): Amazon Web Services (AWS), Salesforce

PROFESSIONAL EXPERIENCE:

Confidential

Senior Information Security Specialist

Responsibilities:

  • Senior level security specialist on customer facing program teams with responsibility for ensuring that the applicable security requirements (e.g., ARS/CMRSs) are met and that the requisite security artifacts (SSP, RA, PIA, CP, SA&A, etc.) upon which a system’s accreditation depends are properly developed and maintained.
  • Plan, schedule, and coordinate with stakeholders/participants as the security point of contact during Security Test and Evaluation (ST&E) and Annual Security Control Assessments (SCA).
  • Perform onsite and remote penetration testing, application testing, web application security assessment, onsite internet security assessment, social engineering, and wireless assessment.
  • Develop and implement application security processes and procedures for application development projects in the Confidential CMS portfolio.
  • Participate in the creation of IT security policies, procedures, guidelines, baselines, and standards.
  • Design and Develop internal developer application security training based on the Open Web Application Security Project (OWASP) Top 10 application security vulnerabilities and the SANS Top 20 Security Controls.

Confidential

Principal Information Security Analyst/Vulnerability Manager

Responsibilities:

  • Designed, developed, and implemented Maxim’s Vulnerability Management Program which included the deployment and management of the Beyond Security Advanced Vulnerability Detection System (AVDS).
  • Performed vulnerability assessments, penetration tests, and security audits, produced reports of findings, and worked cooperatively with engineers to implement remedial measures.
  • Participated in the creation of IT security policies, procedures, guidelines, baselines, and standards.
  • Recommended security solutions and processes to improve overall company security.
  • Central Point of Contact for the configuration, integration, and deployment of all new or improved security solutions and processes in accordance with standard best practices and the company's security policies.
  • Confidential contact for responding to customer and other third-party inquiries regarding the company's security posture.
  • Responsible for maintaining up-to-date baselines for the secure configuration and operation of all existing devices, both under direct control (e.g., security tools) and under Operations control (e.g., workstations, servers, and network devices).
  • Monitored all existing security solutions for efficient and appropriate operation.
  • Reviewed logs and reports of all existing devices, whether under direct control (i.e., security tools) or not (i.e., workstations, servers, network devices, etc.). Interpreted the implications of that activity and devised plans for appropriate resolution.
  • Member of Security Incident Management team tasked with the investigation into possible security issues.
  • Provided on-call support for end users of security solutions.
  • Participated in the planning and design of company security architecture.
  • Participated in Business Continuity and Disaster Recovery planning and design.

Confidential

Senior Information Assurance Specialist/Application Security Engineer

Responsibilities:

  • Senior member of Confidential ’s internal Corporate Risk, Information Security, and Privacy ( Confidential ) Department. Specifically a Security Analyst III, a senior level position responsible for monitoring, evaluating, and maintaining systems and procedures to protect networks, systems, and data from unauthorized use.
  • Also responsible for identifying potential threats and responding to reported security violations, determining the causes of security violations, and recommending corrective actions to ensure data security. Researched, recommended, and implemented changes to procedures and systems to enhance data systems security, and assisted in communicating security procedures to users.
  • In this senior level position, reported directly to Confidential ’s Corporate Information Security and Privacy Officer (under whose aegis all CMS programs are conducted), but also spent a considerable amount of time embedded on customer facing program teams with responsibility for ensuring that the applicable security requirements (e.g., ARS/CMRSs) were met and that the requisite security artifacts (SSP, RA, PIA, CP, SA&A, etc.) upon which a system’s accreditation depends were properly developed and maintained.
  • Responsible for the development and implementation of Application Security processes and procedures for application development projects in the Confidential portfolio.
  • Responsible for the implementation and monitoring of the Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules as they pertain to information systems developed and maintained by Confidential .
  • Responsible for providing expert knowledge of HIPAA with regard to Department of Health and Human Services (HHS) and Centers for Medicare & Medicaid Services (CMS) information system audits. This comprised not only advising development teams of their responsibilities for information systems as they pertain to HIPAA, but also advising CMS personnel on the impact of HIPAA regulations from a system and development perspective.

Confidential

Senior Information Assurance Specialist

Responsibilities:

  • Subject Matter Expert for Confidential 's FISMA practice which entails creating and implementing all policies, procedures, and templates for all Confidential FISMA projects. As the Subject Matter Expert, provide oversight, mentoring, and training to all Confidential employees on FISMA and FISMA related activities.
  • As the lead analyst and quality assurance specialist for a U.S. Coast Guard FISMA project, responsible for the writing and reviewing of all system security documentation which included FIPS 199 security categorization, Privacy Threshold Assessment (PTA), Privacy Impact Assessment (PIA), System Security Plan (SSP), Contingency Plan (CP), Security Assessment Report (SAR), and the system Risk Assessment (RA).
  • Provide access/identity management and security support as part of the Centers for Medicare & Medicaid Services (CMS) Financial Management Systems Group (FMSG), in its Division of Technical Operations (DTO) organization, focused on Access Control for application technologies of the Healthcare Integrated General Ledger Accounting System (HIGLAS). In the role of HIGLAS Certified Access Administrator (CAA), provide oversight of the System Integrator access request process for both normal and emergency access to the system. In support of this process, perform troubleshooting of HIGLAS user access problems as reported to CMS, the System Integrator, and Medicare Contractors.

Confidential

Senior Information Assurance Specialist

Responsibilities:

  • Performed information security consulting and risk services to support Confidential federal government and commercial clients.
  • Led engagements and performed all steps of Certification and Accreditation (C&A), including System Security Planning (SSP), control selection, risk assessment, security control and vulnerability analysis, development of Plans of Action and Milestones (POA&M), ongoing continuous monitoring assessment, and ISSO support.

Confidential

Senior Information Assurance Analyst

Responsibilities:

  • Chief Security Analyst for Confidential ’s Office of the Comptroller of the Currency (OCC) contract, reporting directly to the Confidential Director of Security Services. Provided day-to-day guidance to team members executing FISMA Certification and Accreditation duties, and reported on project progress, the general health of the project, and ongoing staffing needs.
  • Engaged agency business units, as well as other organizational elements, in order to facilitate task objectives, education, and consulting. Met with the Information Security Office team lead weekly to report project progress; participated in kick-off meetings for all new projects and out-briefings for concluded projects; met with the Chief Information Security Officer (CISO) at the conclusion of projects to identify and discuss lessons learned and implement strategies for the improvement of all projects.
  • Developed system security documentation to include data collection efforts, identifying required documentation per organizational policy, producing System Security Plans (SSP), Privacy Threshold Analysis, Privacy Impact Assessments, Security Categorization Reports, Configuration Management Plans, Trusted Facility Manuals, Security Features Users Guides, Business Impact Analysis, Information Technology Contingency Plans, and Security Control Compliance Matrices.
  • Planned and executed security control assessments and Security Test and Evaluation (ST&E), producing Security Test and Evaluation Plans, Security Assessment Reports, and Risk Assessment Reports. Provided assistance and recommendations for mitigation of gaps and weaknesses.
  • Developed continuous monitoring plans in accordance with NIST SP 800-37, performed assessments, and created organizational risk profiles.
  • Provided leadership and performed security related activities, including producing suitable certification and accreditation documentation and annual assessment reports through the use of NIST Special Publications such as SP 800-18, SP 800-30, SP 800-34, SP 800-37, SP 800-39, SP 800-42, SP 800-47, SP 800-60, and SP 800-64, as well as others.
  • Reviewed Plan of Action and Milestones (POA&M) changes through the organization’s Request for Change database, reviewed system deficiencies through Trusted Agent FISMA, and conducted interviews as part of a continuous monitoring effort.

Confidential

Program Manager/Senior Information Assurance Analyst

Responsibilities:

  • Program Manager for all Certification and Accreditation initiatives, which included spearheading the audit and evaluation processes, as well as management and mentoring of junior personnel.
  • Security Test and Evaluation (ST&E) of NIST SP 800-53 technical controls as part of the C&A process, and update of the appropriate C&A documentation accordingly.
  • Security Test and Evaluation (ST&E) of DIACAP controls for a Department of Defense agency.
  • Developed and implemented technical security plans, policies, and procedures, including but not limited to System Security Plans, Risk Assessments, Configuration Management Plans, and Contingency Plans.

Confidential

Senior Information Assurance Analyst/Team Lead

Responsibilities:

  • Performed Security Test and Evaluation (ST&E) of NIST SP 800-53 technical controls as part of the C&A process and updated the appropriate C&A documentation accordingly.
  • Developed and reviewed technical security plans, policies, and procedures, including but not limited to System Security Plans, Contingency Plans, Configuration Checklists, Risk Assessments, and local policies and procedures.
  • Analyzed the results of centralized and onsite risk analysis testing.
  • Performed validation testing of mitigated weaknesses and ensured that C&A documentation was updated accordingly.
  • Performed security assessment testing and analyzed the results of the testing.
  • Developed security assessment tests that were used throughout the project lifecycle.
  • Participated in C&A annual testing and performed Contingency Plan testing with VA information systems.
  • Application Security Manager for the U.S. House of Representatives, Office of Information Security. This initiative required the testing and completion of a Certification and Accreditation (C&A) package for three high visibility Major Applications within the U.S. House of Representatives. Responsible for conducting Risk Assessments (RAs) and Security Test and Evaluations (ST&Es). Responsible for evaluating the System Security Plan, Plan of Action and Milestones (POA&M), Incident Response (IR) plan, Contingency Plan (CP), and the other documents which comprise the Certification and Accreditation package, using the NIST methodology.
  • Based on the results of system evaluations, made accreditation recommendations to the Director of Information Security.
  • Tasked with the creation and implementation of an organizational Information Security Handbook.
  • Created and implemented an Application Security Program.

Confidential

Senior Information Assurance Analyst

Responsibilities:

  • Senior Analyst for a Certification and Accreditation initiative for the Department of Commerce. This initiative required the testing and completion of a Certification and Accreditation (C&A) package for nine General Support Systems (GSSs). Responsible for the writing and implementation of the Certification Work Plan, System Security Plan (SSP), Risk Assessment (RA), Security Test and Evaluation (ST&E) plan, Plan of Action and Milestones (POA&M), Incident Response (IR) plan, and Contingency Plan (CP) for each of the General Support Systems, based on the NIST methodology.
  • Recommended configuration settings for the Cisco PIX firewall in order to regulate inbound/outbound traffic in accordance with agency information security policy and directives.
  • NIST 800 Series Subject Matter Expert (SME) for the Certification and Accreditation Team.
  • Tasked with training department personnel in Information Assurance best practices and procedures.
  • Developed and managed information security policy methodologies and materials for Prometheus Group’s policy and analysis practice.
  • Designed and implemented several methodologies for use in Prometheus Group’s auditing/C&A lines of business, covering the following regulations and standards: HIPAA, NIST 800 Series, ISO 17799/BS 7799, Sarbanes-Oxley Section 404, and others.
  • Principal Manager/Engineer on a Department of Labor Certification and Accreditation project, with responsibilities that included conducting and implementing Risk Assessments (RAs), System Security Plans (SSPs), Contingency Plans (CPs), Plan of Action and Milestones (POA&M) reports, and Security Test and Evaluations (ST&Es).

Confidential

Senior Information Security Analyst/Team Lead

Responsibilities:

  • Provided support to the Veterans Health Administration C&A initiative utilizing the practices documented within the National Institute of Standards and Technology (NIST) Computer Security Special Publication 800 series.
  • Site Point of Contact and Team Lead, responsible for the successful outcome of all C&A testing done at the designated site. Responsibilities included proper assessment and reporting of Windows server and workstation test executions, Kernel/Cache/Application testing, LAN testing, physical assessments of wiring closets, and collection of evidence to ensure that best practice network and application policies were in practice.
  • Set long and short term goals for the C&A team to follow. Created and maintained daily status reports tracking team progress. Coordinated meetings with the VHA IT staff and leadership to ensure a smooth and easy transition through the SCA process. Facilitated a kick-off meeting and an exit brief to ensure that senior management knew of our goals and the expected outcomes of the visit.
  • Collaborated with the site Ex-Officio and the customer to ensure that testing was accomplished in a timely manner, with minimal interruption of services, and provided an immediate and appropriate response to any complications that arose.
  • Performed detailed C&A policy testing, Kernel/Cache/Application technical testing, LAN technical testing, and Windows technical testing while on-site at VA hospitals throughout the United States to ensure both the security of the systems and the protection of patient data.

Confidential

Senior Security Architect/Engineer

Responsibilities:

  • Team Leader and architect of the next generation of the Learning Management System.
  • Developed and implemented web based enterprise applications using J2EE in a multi-tier environment.
  • Redesigned existing applications from the Lotus Domino environment to the University’s new WebSphere environment. This included implementing Java, WebSphere, and Oracle on both Windows and Solaris platforms.
  • Responsible for the security analysis of the Lotus environment to identify flaws and vulnerabilities, in order to modify information security protocols and ensure that the new system conformed to state and federal regulations with regard to personal information.
  • Designed and implemented the security architecture for the next generation Learning Management System, based on government regulations and methodologies such as Confidential and HIPAA. This ensured that student and instructor personal information was protected.
