Information Security And Compliance Analyst Resume
Centreville, VA
SUMMARY:
- Seeking an Information Security or Cyber Security Analyst/Engineer, System Privacy Administrator, System Auditor, or Information Assurance / Risk Assurance / Risk Management Analyst/Consultant position within a dynamic organization, with a focus on NIST/FISMA, cyber security, risk assessment, risk management, and information systems security, including Governance, Risk and Compliance (GRC), vulnerability scanning and monitoring, security remediation processes, and IT audit with an emphasis on Information Technology (IT) security and the assessment and testing of security controls.
TECHNICAL SKILLS:
- Participate in the FIPS 199 process in which security categorization takes place, and select the technical, operational and managerial controls using NIST SP 800-60 guidelines.
- Ability to provide support and guidance through the phases of FISMA C&A, including monitoring of the C&A artifacts compliance, helping systems maintain their Authority to Operate (ATO), performing annual self-assessment (NIST SP 800-53A guidelines) and quarterly self-assessment completion using NIST SP 800-26 guidelines.
- Working knowledge of NIST SP 800-37, SP 800-39, SP 800-60, SP 800-53 Rev 3, SP 800-63, SP 800-18, SP 800-34, and SP 800-53A during documentation review and update.
- Review and update the System Security Plan (SSP) using NIST SP 800-18 guidelines.
- Review and update MOU (Memorandum of Understanding) and ISA (Interconnection Security Agreement) document.
- Review and update Risk Assessment (RA) using NIST SP 800-30 guidelines.
- Review and update the Contingency Plan (CP) using NIST SP 800-34 guidelines.
- Ability to assess the performance of IA security controls based on NIST 800-53A within the IT infrastructure.
- Ability to utilize TAF (Trusted Agent FISMA) and RMS (Risk Management System) to enforce FISMA data consistency and increase efficiency in FISMA compliance.
- Ability to develop POA&M (Plan of Action & Milestones) document to take corrective actions resulting from ST&E (System Test & Evaluation).
- Ability to design, implement, and/or assess controls as they relate to multiple versions of SAP and SAP GRC-related application products.
- Identify key risks and controls; knowledge of Sarbanes-Oxley readiness, controls optimization, and configuration of controls around security and business processes within the SAP GRC modules.
- Ability to run and interpret vulnerability scans using Nessus.
- Work effectively in a team environment and participate in collaborative initiatives which foster the mutual exchange of knowledge and expertise.
- Ability to multi-task, work independently and as part of a team, share workloads, and deal with sudden shifts in project priorities.
- Ability to communicate effectively to build and maintain customer satisfaction and express conclusions in a clear, technically sound manner on matters associated with IT security.
- Windows NT/2000/XP operating systems and Windows Server 2003.
- Setup and configuration, backup, restore, import, and export of SQL and Oracle databases.
- PC Anywhere, NetMeeting and WebEx connectivity software for remotely troubleshooting hotel software and hardware.
- Working knowledge of the Microsoft Office Suite.
WORK EXPERIENCE:
Confidential
Information Security and Compliance Analyst
- Part of Certification and Accreditation team responsible for coordinating the certification and accreditation process of the General Support Systems for field sites and telecommunication centers.
- Work in an Integrated Project Team (IPT) environment requiring interaction with other security analysts, users, and client managers in identifying requirements, specifications and project planning activities.
- Participate in the FIPS 199 process using SP 800-60.
- Perform in a fast-paced environment where project deadlines are critical and multiple projects run in parallel, while being self-managed and self-motivated.
- Create and implement all security documentation required for certification and accreditation, and take the system through full accreditation.
- Conduct security awareness training and communicate expected rules of behavior to end users.
- Identify and evaluate the technical, management, and operational security controls.
- Provide and support procedures for reporting and responding to security incidents.
- Advise the ISO, System Owner and Program Manager on the security requirements of the system, including updates and changes to FISMA regulations and NIST documentation, and the impact of new security vulnerabilities on the system architecture and that of the interconnected GSS.
- Perform Privacy Impact Assessments (PIA) and Privacy Threshold Analyses (PTA) of IT systems.
- Review and update E-Authentication and Privacy Threshold Analysis (PTA).
- Review and ensure there is a Privacy Impact Assessment (PIA) document after a positive PTA is created.
- Ensure a SORN document exists, and that an Incident Response Plan and Contingency Plan are in place.
- Ensure the Contingency Plan Test is done annually.
- Reviewed and updated Security Test & Evaluation (ST&E).
- Documented and finalized Security Assessment Report (SAR).
- Participated in exit conferences to summarize key findings and recommendations.
- Generated, reviewed and updated the System Security Plans (SSP) against NIST 800-53 rev3 requirements.
- Documented and managed Risks in accordance with SP 800-30 and SP 800-37 using nine steps to evaluate the threats, vulnerabilities, and security controls surrounding the information system as well as the likelihood of an exploit and the impact it will have to the system operations.
- Reviewed Risk Analysis Reports, Threat Pairing Reports, and Residual Risk Reports using the Cyber Security Assessment and Management (CSAM) tool.
Confidential, Centreville, VA
Information Systems Analyst
- Implemented the NIST risk-based cyber security framework (FIPS and SP 800 series Special Publications).
- Conducted system vulnerability scans and recommended remediation actions to ensure systems were in compliance with publications and guidelines for application systems and processes.
- Facilitated and participated in assessments and authorizations: Certification and Accreditation (C&A), compliance reviews, architecture reviews, training, Plan of Action and Milestones (POA&M) resolution, and status reporting.
- Prepared documentation for Security Assessment and Authorization and Certification and Accreditation (C&A) using accepted guidelines such as those of the Risk Management Framework (RMF).
- Served as a Security Risk Consultant to Clients regarding Security Risk and Compliance processes.
- Performed all activities of Certification and Accreditation (C&A) to include completion of System Security Plans (SSPs), Contingency Plans, Risk Assessment Reports (RARs) as well as ensuring accuracy of existing procedures.
- Conducted kickoff meetings with system and application owners, SMEs, and all stakeholders prior to security control assessments to gather relevant information.
- Directly responsible for the preparation and completion of the ATO artifacts and documentation ensuring their accuracy and compliance with recommended standards.
- Performed Security Test and Evaluation (ST&E): technical controls, document review, and management interviews.
