Information Systems Security Officer Resume
Washington, DC
SUMMARY:
Detailed knowledge of information system security and contingency planning tools, technologies, and best practices, with an emphasis on FISMA/NIST and Federal Information System Controls Audit Manual (FISCAM) compliance. Experience in system security auditing, monitoring, and evaluation; certification and accreditation (C&A); contingency planning; and risk assessments of General Support Systems (GSS) and Major Applications (MA).
SOFTWARE, PLATFORMS, ARTIFACTS:
FIPS 199, E-Authentication, Privacy Threshold Analysis (PTA), Privacy Impact Assessment (PIA), Risk Assessment (RA), System Security Plan (SSP), Information System Contingency Plan (ISCP), Security Test and Evaluation (ST&E), Security Assessment Report (SAR), Plans of Action and Milestones (POA&M), Authorization to Operate (ATO) letter, Relativity, LexisNexis Law PreDiscovery, Concordance, Beyond Compare, Robocopy, FastCopy, Scanpst, TrueCrypt, BitLocker, BestCrypt, VeraCrypt, PGP, SecureZIP, Clonezilla, Logicube ZClone, MS Office, Visio, SharePoint, Access, PeopleSoft, MapPoint, Lotus Notes, Webview, WebEx, Adobe PageMaker, Photoshop, Nessus vulnerability scanner
EMPLOYMENT:
Confidential
Information Systems Security Officer, Washington, DC
Responsibilities:
- Proactively create, monitor and update the status of POA&Ms to ensure weaknesses are resolved in accordance with their scheduled completion dates.
- Create waivers or risk acceptance memos to support effective management of system risks.
- Conduct an annual assessment in accordance with guidance in the DHS Information Security Performance Plan.
- Review and update security authorization documents as needed, and at least annually.
- Coordinate with the ICE IGP Privacy, Records, and Information Governance Divisions on compliance documentation and other requirements.
- Conduct Contingency Plan tests at least annually and update the plan.
- Perform system self-assessments as part of ICE's Ongoing Authorization program.
- Monitor and respond to Information Security Vulnerability Management (ISVM) and patch management requirements.
- Provide audit support for assigned systems (Financial, A-123, FISMA, Internal, DHS, etc.) throughout the audit (pre-audit, during the audit, and post-audit).
- Maintain knowledge of the inventory within the accreditation boundary.
- Plan, certify and accredit assigned information systems.
- Ensure configuration management (CM) processes are followed so that changes do not introduce new security risks.
- Manage system ISVM compliance.
- Respond to emerging requirements set by legislation, regulation or policy.
- Participate in DevSecOps (security integrated into Agile processes) requirements for assigned systems.
- Support annual assessments in accordance with guidance in the DHS Information Security Performance Plan.
Confidential
Information Security Assessor/Privacy Specialist, Rockville, MD
Responsibilities:
- Review, assess and implement privacy laws, directives and related functions.
- Create, review and update existing privacy documentation (e.g. PIA, PTA, SIA, SORNs).
- Assess the current privacy posture to identify compliance gaps against federal and departmental requirements, regulations, laws, standards and best practices.
- Review existing information system documentation (e.g. data flow diagrams, data dictionaries, design documents) to ensure the completeness, correctness, and accuracy of all captured privacy information.
- Review and update information system and organizational privacy and compliance documentation on an annual basis.
- Participate in scheduled privacy council meetings.
- Assist the Privacy Office in reviewing and analyzing computer matching agreements.
- Prepare and conduct kickoff meetings and out-briefs for the CIO, CISSO, Confidential and SO of systems before and after security assessments.
- Perform security assessments, conduct security testing and evaluate results, primarily for cloud-based systems.
- Assist in the development of the agency's IT security policies, standards, guidelines and procedures.
- Perform monthly inventory and weakness reporting and quarterly FISMA reporting.
- Assist in managing security documentation deliverables in the Assessment & Authorization (A&A) process, providing security packages (FIPS 199 categorization; related laws, regulations, and policies; Rules of Behavior; Continuous Monitoring Plan; Business Impact Analysis; Contingency Plan; Contingency Plan Test Plan and Results; Risk Assessment Report; Security Authorization Letter; FIPS 200; Incident Response Plan; Configuration Management Plan).
- Perform vulnerability assessments and identify corrective actions to mitigate known vulnerabilities. Ensure that risks are assessed and evaluated and that appropriate action is taken to limit their impact on information and information systems.
Confidential
Information Security Consultant, Tysons Corner, VA
Responsibilities:
- Analyze and update the System Security Plan (SSP), Risk Assessment (RA), Privacy Impact Assessment (PIA), Security Test and Evaluation (ST&E) and Plan of Action and Milestones (POA&M).
- Conduct audit kickoff meetings with senior management and fellow auditors to gather information, identify scope and align resources for testing.
- Conduct interviews with selected personnel, document and evaluate business processes, and execute audit test programs to determine the adequacy and effectiveness of internal controls and compliance with regulations.
- Assist System Owners and Confidential in preparing the C&A package for companies' IT systems, ensuring that management, operational and technical security controls adhere to the formal, well-established security requirements of NIST SP R4.
- Categorize systems by confidentiality, integrity and availability (C.I.A.) impact using FIPS 199 and NIST SP.
- Set up and perform walk-throughs with the client's leadership to better understand and document the client's financial reporting processes.
- Evaluate the effectiveness of internal control systems and identify areas for improvement, best practices, and lessons learned.
- Develop and document findings and results in written reports and presentations.
- Direct and educate junior team members on auditing techniques and software.
- Conduct annual self-assessments based on NIST SP A.
- Perform vulnerability assessments and identify corrective actions to mitigate known vulnerabilities. Ensure that risks are assessed and evaluated and that appropriate action is taken to limit their impact on information and information systems.
- Create standard templates for required security assessment and authorization documents, including risk assessments, security plans, security assessment plans and reports, contingency plans, and security authorization packages.
- Coordinate with stakeholders to gather contingency plan information and develop system-focused (ISCP) and business-focused (BCP) contingency plans.
- Write Standard Operating Procedures to standardize work processes.
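The FIPS 199 categorization referred to above follows a fixed rule: each information type gets a confidentiality/integrity/availability impact level, the system's level for each objective is the high-water mark across its information types (with a LOW floor at system level, since N/A is permitted only for an information type's confidentiality), and the overall impact level that selects the control baseline is the highest of the three. The script below is an added worked example of that rule in Python; it is not code from the resume or from any employer. The information types and impact values are constructed for illustration.

```python
"""FIPS 199 security categorization: high-water mark across information types."""
from dataclasses import dataclass
from typing import Dict, Iterable

# Ordered impact levels. N/A is valid only for an information type's confidentiality.
LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional C/I/A impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _level(objective: str, value: str) -> int:
    """Validate an impact value and return its rank for comparison."""
    v = value.strip().upper()
    if v not in LEVELS:
        raise ValueError(f"unknown impact level {value!r} for {objective}")
    if v == "N/A" and objective != "confidentiality":
        raise ValueError(f"N/A is only valid for confidentiality, not {objective}")
    return LEVELS[v]


def categorize_info_type(t: InfoType) -> str:
    """FIPS 199 security category of a single information type, in SC notation."""
    parts = ", ".join(
        f"({obj}, {NAMES[_level(obj, getattr(t, obj))]})" for obj in OBJECTIVES
    )
    return f"SC {t.name} = {{{parts}}}"


def system_category(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Per-objective high-water mark across all information types on the system.

    FIPS 199 does not allow N/A at system level: every objective is at least LOW,
    because the system's own processing functions and data must be protected.
    """
    marks = {obj: LEVELS["LOW"] for obj in OBJECTIVES}
    for t in info_types:
        for obj in OBJECTIVES:
            marks[obj] = max(marks[obj], _level(obj, getattr(t, obj)))
    return {obj: NAMES[lvl] for obj, lvl in marks.items()}


def overall_impact(category: Dict[str, str]) -> str:
    """Overall system impact level (highest of C, I, A); selects the SP 800-53 baseline."""
    return NAMES[max(LEVELS[v] for v in category.values())]


def format_system_category(name: str, category: Dict[str, str]) -> str:
    """Render the system category in FIPS 199 SC notation."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


# Constructed sample: a hypothetical GSS hosting three information types
# (illustrative values, not taken from the resume).
SAMPLE_TYPES = [
    InfoType("public web content", "N/A", "MODERATE", "LOW"),
    InfoType("case management records", "MODERATE", "MODERATE", "MODERATE"),
    InfoType("audit logs", "LOW", "HIGH", "LOW"),
]

if __name__ == "__main__":
    for t in SAMPLE_TYPES:
        print(categorize_info_type(t))
    cat = system_category(SAMPLE_TYPES)
    print(format_system_category("GSS-1", cat))
    print("overall impact:", overall_impact(cat))
```

With the sample input the system comes out as confidentiality MODERATE, integrity HIGH, availability MODERATE, so the overall impact level is HIGH even though no single information type is HIGH across the board; that is the effect of the high-water mark and the reason categorization is done per objective before selecting a baseline.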
Confidential
Information Security Analyst, Bethesda, MD
Responsibilities:
- Reviewed and tested IT General Controls ( Confidential ) of various applications, databases and operating systems using audit frameworks such as SOX, COBIT and COSO.
- Developed audit plans and programs following the COBIT and COSO frameworks.
- Performed assessments of IT internal controls as part of financial statement audits, internal and operational audits, attestation engagements, and audit readiness.
- Conducted internal audit testing for Sarbanes-Oxley (SOX) Section 404 compliance in public companies.
- Prepared audit plans and scope, detailed audit programs, risk assessment control matrices and findings reports, and presented recommendations for improving data integrity and internal controls over financial reporting. Oversaw audits from planning through fieldwork (walkthroughs and detailed testing), reporting and follow-up.
- Performed IT general and application control reviews; monitored segregation of duties and other key management controls; reviewed audit activities, including IT risk controls and internal control strengths and weaknesses.
- Set up control matrices based on each client's application needs during the planning phase of audits.
- Participated in integrated audits, carrying out Confidential testing in support of financial statement audits.
Confidential
IT Specialist, Bethesda, MD
Responsibilities:
- Monitored customer account information and data and implemented security measures to protect it.
- Performed on-site security testing using vulnerability scanning tools such as Nessus to verify that security devices were properly secured.
- Worked with the support and security coordination team to ensure compliance with security processes and controls.
- Handled technical troubleshooting within an enterprise environment, including system crashes, slowdowns and data recoveries.
- Engaged and tracked priority issues, with responsibility for timely documentation and escalation.
- Provided information and technical assistance to users on the development and maintenance of the computer network and on the resolution of special problems.
- Set up new hire accounts and closed out terminated accounts.
Confidential
Security Analyst, Washington, DC
Responsibilities:
- Supervised a team of 5 security policy analysts supporting the Dept. of Labor; maintained the work queue and delegated incoming jobs.
- Reviewed and updated security policies related to the company's security posture.
- Performed information security risk assessments and assisted with internal auditing of information security processes against the applicable federal guidelines (i.e., FISMA).
- Assessed threats, risks, and vulnerabilities arising from emerging security issues and identified mitigation requirements.
- Prioritized workload assignments and resolved any conflicts that arose.
- Trained new hires in all procedures needed to complete assessments to company requirements.
- Worked on client sites collecting and validating evidence and artifacts.
- Quality-checked and finalized all client deliverables.
- Ensured compliance with policies and procedures for decommissioning systems.
- Updated and maintained all SOPs needed for day-to-day workflow and was responsible for team compliance.
- Documented issues and risks, and reported inefficiencies and suggestions for improved process automation to the project manager.
