Over fifteen years of Information Systems security audit and management experience, with specialization in audit, risk, incident response and disaster recovery, regulatory compliance, and industry best practices built from NIST, HIPAA Security and Privacy, PCI-DSS, Massachusetts state law, and others. Industry background includes hospitals and clinics, managing a major university IT security program, and Confidential (principally Confidential) network systems and data security. Extensive experience in successful project planning, exemplary personal and business communication skills, and director-level experience managing programs and IT compliance.
Information Security Analyst
- Developed and implemented a formal methodology to conduct IT security risk assessments on all systems and applications with access to Lahey networks or data.
- On behalf of IT Security, make go/no-go recommendations for requests to connect new systems to Lahey networks, applications processing Lahey data, or for significant changes to existing systems. Track all accepted risks and approved exceptions to policy.
- Configure and run Lahey’s vulnerability scanners (Nexpose and Qualys) against selected internal and external IP addresses. Report results to leadership and system owners.
- Develop policies and procedures based on internal and external requirements, track compliance with HIPAA Security, HITRUST CSF, PCI-DSS, state law, etc., and report status to senior leadership.
- Personally conduct “high profile” IT investigations on behalf of the CISO after normal incident response activity/root cause analysis is completed. Evaluate and track corrective actions to completion.
- Wrote Lahey’s first dedicated HIPAA security packages for both initial hire and annual refresher information security training.
- Conduct annual Meaningful Use reviews, PCI compliance reviews, and access validation checks for critical systems and locations.
- Primary point of contact for external and internal audit support within IT.
- Provided security engineering expertise to multiple Confidential airborne network projects at Confidential, MA, for a variety of architectures and use cases.
- Validated that security engineering included full compliance with requirements.
- Activities included assisting with system designs, editing contracts and statements of work, testing, and obtaining approvals to operate from designated senior Confidential leadership.
- Conducted on-site inspections and technical reviews at various locations, at both government and vendor facilities.
- Ran Fortify code scans and evaluated compliance to Confidential
Manager, Information Security Operations
- Managed the Information Security Operations office for the University and was responsible for the day-to-day implementation and operation of tools and methodologies in accordance with the University's tactical and strategic IT security goals.
- Developed and maintained operational security plans, policies and procedures.
- Served as initial point of contact for IT security incident identification and response, and directed forensic analysis of IT security incidents.
Systems Security Officer
- Directed the corporate information security program to ensure all policies, procedures, and operations remained compliant with applicable laws, guidance, and best practices.
- Supported external audits and directed internal audits and reviews. Collected, reviewed, and provided documents requested by auditors; coordinated site requirements and test plans; and managed communications between auditors and technical and business units.
- Assisted in creating and developing Disaster Recovery plans and tests.
Information Systems Auditor
- Verified systems documentation such as risk assessments, recovery plans, and system security plans for major applications and general support systems remained accurate.
- Performed internal assessments to validate compliance with CMS Core Security Requirements, CMS mandates, the Privacy Act security final rule, HIPAA, FISMA, NIST guidelines, FIPS, etc., and reported vulnerabilities to management.
IT Security Analyst
- Team lead and participant on multiple logical and physical security audits for various global Confidential Network and Global Positioning Satellite ground antenna stations and support organizations.
- Developed various IT test cases, Concept of Operations (Confidential), traceability matrices, and other documentation and standardized templates for DAA certification.