Senior System Security Engineer
- Designed and developed a tool based on the CVSS scoring system that can be used as a solution for Security Impact Analysis (SIA) and the Technical Risk Assessment Report (TSAR). The tool contains a unique capability that maps Confidential controls to the most common vulnerabilities listed in the OWASP Top 10 and SANS 25. In addition, the tool measures the likelihood of threat for a designated information system.
- SME on systems hosted in MS Azure, AWS, and similar cloud environments.
- SME on cloud system ATO requirements, including Confidential Rev 4, FedRAMP (Security Control Assessment), and Confidential (Risk Management Lifecycle).
- Task lead on FISMA compliance, A&A, and Continuous Monitoring services.
- Contributing as a primary engineer and designer on Risk Assessment Methodologies.
- Task lead on cloud-based Security Impact Analyses (SIAs) as well as the Technical Security Analysis Report (TSAR).
- Drafted, and trained staff on, a methodology for POA&M Management and Analysis.
- Provided consulting solutions to clients on categorization of the information system and security control implementation.
Principal Security Consultant
- Executed Confidential and integrated the security controls employing FedRAMP/Confidential Rev 4, including: writing and assessing security controls, analyzing vulnerability scan reports and creating POA&Ms, and acting as an experienced advisor between external auditors and IT resources/operational staff.
- Categorized the information system in accordance with FIPS 199 and Confidential standards. Documented security controls in the System Security Plan (SSP) and created policies/procedures associated with the Confidential security control families.
- Updated the System Security Plan using Confidential Rev 4 for the Xacta IA Manager software environment. Tasks included updating security controls in accordance with FIPS 199 and identifying the control types (e.g., inherited, hybrid, common, system-specific) in accordance with the control provider (e.g., Cloud) and the owner.
- Performed Security Assessment and Authorization (SA&A), employing Security Control Assessments (SCA) to help the system receive approval to operate (ATO). Answered questions from the assessors and provided evidence that the system requirements were met.
- Provided expert advice on POA&M Management, Xacta Management, and Security Control Analysis to our client as well as our internal staff.
- Provided monthly support and group sessions to users covering info-sec, software use, and POA&M analysis.
- Created standard operating procedures (SOPs) for the tasks performed during risk management operations.
- Proficient in data analysis and MS Excel.
- Performed data analysis and GIS-related tasks at LNGS, along with assisting on FCC licensing processes for wireless carriers.
- Responsibilities included: creating mapping files from client data, creating databases for wireless systems to perform propagation analysis, and compiling and formatting the resulting data in Excel.
Information Security Consultant
- Performed vulnerability analysis through the NVD program at Confidential based on the CVSS scoring system and CPE.
- Analyzed daily vulnerabilities and scored them using the Common Vulnerability Scoring System (CVSS).
- Reviewed other analysts' work and worked the re-analysis queue.
- Evaluated the threat factors to which a system might be exposed.
- Determined the proper countermeasures and recommended patches where required.
- Wrote reports on problem areas and their associated solutions.
- Maintained the NVD database as a resource for public users.
- Worked as a System Security Engineer (SSE) for the Office of Economic Adjustment's 'EA Clearinghouse' system development project, creating and delivering a client-ready SRTM utilizing the related security controls, Confidential, following the FISMA specifications and the Risk Management Framework, SP .
- Elicited security/technical requirements for the caBIG project at NCI (National Cancer Institute). Designed and developed the use cases for the project using UML. Followed the SDLC model while gathering the requirements for this project. caBIG was a grid system that had to authenticate users at different access levels: it not only enables legitimate users to receive medical information, but also maintains a highly secured database that blocks unauthorized individuals from accessing private records. Specified functional/non-functional requirements, software and hardware requirements, design constraints, and alternatives.