- Knowledge of and experience with federal and international security policies, standards, guidelines, and frameworks, including but not limited to NIST 800 SPs such as 800-18, 800-30, 800-37, 800-60, 800-53/53A, FIPS 199/200, OMB, FISMA, FedRAMP, PCI DSS, HIPAA, and ISO 27001.
- Working knowledge of Risk Assessment, the Risk Management Framework (RMF), the Systems Development Life Cycle (SDLC), and the Assessment and Authorization (A&A) process.
- Experience in the development and review of ATO package documents such as System Security Plans (SSP), Contingency Plans, Disaster Recovery Plans, Incident Response Plans/Training, Configuration Management Plans, Privacy Impact Assessments, and POA&Ms.
- Understanding of cloud protections as expressed in FedRAMP for Federal Government agencies.
- Able to develop and implement technology controls and information security-related policies, programs, and tools.
- Knowledge of project management for moderate- to high-complexity efforts, providing complex reporting, analysis, and assessments at the functional, business-line, or enterprise level.
- Experience documenting technical issues identified during security assessments and recommending improvements to the existing service support tools and "standard findings".
- Thrive in a highly collaborative, fast-paced work environment and multidisciplinary team setting where leveraging technology for continuous business improvement is the norm.
Information System Analyst
Confidential, Baltimore, Maryland
- Create and track the Plan of Action and Milestones (POA&M) for corrective actions on all accepted risks upon completion of Security Control Assessment (SCA) exercises, and document them in System Security Plans (SSP).
- Develop and review system security artifacts such as Contingency Plans (CP), Incident Response Plans (IRP), Privacy Impact Assessments (PIA), MOUs/ISAs, and Risk Assessment (RA) documents for compliance with NIST 800 guidelines and agency requirements.
- Monitor controls post-authorization to ensure continuous compliance with the security requirements by evaluating threats and vulnerabilities through Nessus scan results, working with the IT staff on mitigation actions.
- Develop and maintain Authorization to Operate (ATO) packages, such as the SSPs, SARs, and POA&Ms, for information systems to ensure they comply with the organization's information security requirements.
- Employ NIST SP 800-60 and FIPS 199 to categorize information systems, determining the potential adverse impact for each security objective (CIA) associated with a particular information type; assign baseline security controls, assess the security controls to determine their overall effectiveness, and populate the Requirements Traceability Matrix (RTM) according to NIST SP 800-53A rev 4.
- Review implementation statements and supporting evidence of security controls to determine whether the systems currently meet the requirements, and provide findings and suggested mitigations to stakeholders.
Systems and Network Technician
- Assembled and configured computer systems from component parts as after-sales service for customers. Responsible for repairs of computers brought in by customers. Performed new PC rollouts for client companies. Added new workstations, local printers, photocopiers, and scanners to the existing network.
- Protected the firm's business information and client information within its custody by safeguarding its Confidentiality, Integrity, and Availability (CIA).
- Proactively updated and monitored the status of mitigation plans to ensure weaknesses were resolved in accordance with their scheduled completion dates.
- Installed new LAN, Cat5 wired, and wireless networks for optimum office layout and operations.
- Reviewed and updated system security documents as needed, such as the Contingency Plan, Incident Response Plan, and test plans, at least annually.
- Deployed fresh installations and upgrades of Windows operating systems (98, ME, XP, 2000, Server 2003), installed diverse applications, performed disk imaging using Norton Ghost, and created user and mail accounts in Windows Server 2003.
- Made recommendations for new computer software and hardware as needed to support company requirements, and researched and tested new hardware/software to ensure compatibility and usability with plant systems.