PROFESSIONAL EXPERIENCE:

Confidential

Cyber Security Analyst

• Perform Assessment and Authorization (A&A) activities and provide guidance to System Owners and ISSOs through the Security Assessment and Authorization (SA&A) process.
• Develop and update the following application documentation within the DOT/OST systems: System Security Plan (SSP), supporting documents and appendices. Memo Request for Authorization Activities;
• Security Categorization (FIPS199)
• Privacy Impact Analysis (PIA)
• Contingency Plan (CP) and Contingency Plan Test (CPT)
• Business Impact Analysis (BIA).
• Conduct systems risk assessment through risk analysis, assess assets within system boundaries, and identify all possible vulnerabilities within the system.
• Reviewing, analyzing and evaluating the security controls used to protect the data of the organization.
• Analyze vulnerability scan outputs and recommend remediation actions for identified vulnerabilities.
• Create Security Assessment Plan (SAP) to document assessment schedule, tools and personnel as well as obtain approval of the client for the assessment approach and scope.
• Create test cases to document results of assessment using NIST SP A as a guide for determining assessment methods.
• Complete risk assessments based on NIST standards to ensure IA design sufficiently mitigates IA risk and prepares risk assessment reports and provide recommendations to the client.
• Responsible for reviewing and finalizing Security Control Assessment Report (SAR).
• Support the ISSO in the remediation actions to correct assessment findings, development of Plan of Action and Milestone (POA&M) and the update of System Security Plan (SSP).
• Work with the ISSO to perform continuous monitoring on information systems in accordance with NIST to maintain ongoing ATO and also assist in the initial remediation action of failed security controls.
• Update Security Documentations and Upload them into Cyber Security Assessment Management (CSAM) tool.

Confidential

Information Assurance Analyst

• Assisted the Information Assurance Director in ensuring that management, operational and technical controls for securing either sensitive Security Systems or IT Systems are in place and are followed according to federal guidelines.
• Worked with project managers to ensure in corporation of security activities in all ongoing projects and to identify security impact of new releases.
• Modified controls from NIST SP Rev 3 to Rev 4 and documented them in the SSP.
• Reviewed and updated Security Assessment and Authorization (A&A) documents including System Security Plan (SSP), Risk Assessment (RA), Contingency Plan (CP), Privacy Impact Analysis (PIA), and other artifacts required for the ATO package.
• Created System Test and Evaluation (ST&E) and finalized the Security Assessment Report (SAR).
• Coordinated the remediation actions to correct assessment findings and develop supporting plan of Plan of Action and Milestone (POA&M) reports.
• Requested draft approval, Plan of Action & Milestone (POA&M) cancellation/approval from Independent verification and validation (IV&V) through CSAM
• Participated in updating Systems Security Plans (SSP) based on the National Institute of Standards and Technology (NIST) SP and the conduct of annual self - assessments.
• Performed vulnerability/risk analyses of computer systems and applications during all phases of the system development life cycle (SDLC)
• Supported and conducted required information system vulnerability scans and updated system POA&Ms in response to reported vulnerabilities.
• Participated in weekly meetings to identify changes within the Operation and IT processes to identify areas of risk and define audit plan based on risk assessment methodology.
• Additional responsibilities included assurance of vulnerability mitigation, training on A&A tools and other support to the IT Security Office.

Confidential

Cyber Security Analyst

• Managed vulnerability assessments and application testing.
• Performed routine risk assessments of Information Systems ensuring that weaknesses are reported/tracked and documented to adhere to established security standards.
• Directed, maintained, and implemented the necessary controls and procedures to protect information systems assets from intentional or inadvertent access modification, disclosure or destruction.
• Determined if security events monitored should be escalated to incidents and followed all applicable incident response and reporting processes and procedures
• Operated Network Intrusion Detection System and handled Information Systems security incidents; supported COOP/DR plans and performed certification of Information infrastructure.
• Documented the Enterprise Log Management Architecture.
• Inspected configuration, checked configuration compliance, tested IT Controls functionality and inspected logs.
• Reviewed signatures within IDS/IPS tools to ensure signatures are up to date to minimize false positives and false negatives in the System .
• Participated in security team meetings and rendered other support to IT Security office, which included ensuring appropriate steps are taken to implement information security requirements for all IT systems.
• Conducted on site Cyber Security Awareness training for all new employees.