
IT Security Manager Resume

SUMMARY:

IT Risk and Compliance professional with over 20 years of progressive management experience in IT risk management, security and control assessment, security management, systems security engineering, and IT security compliance testing. Managed multiple cross-division projects focused on the NIST SP 800 series, the Risk Management Framework, and FISMA. Experience in cloud security strategy, architecture, implementation and operations.

TECHNICAL SKILLS:

  • Information Security & Assurance
  • People Management/Relationship Building
  • Project Management
  • Security Engineering
  • FedRAMP
  • Security Technical Implementation Guides (STIGs)
  • Cyber Security Assessment and Management (CSAM) eMASS Repository
  • IAVM
  • Security Life Cycle
  • FISMA
  • Nipper Studio
  • Threat Guard
  • Nessus/ACAS/SCC Scanners
  • Security Assessment and Authorization (SA&A)
  • Risk Assessment & Management
  • NIST 800 Special Publications
  • Risk Management Framework (RMF)
  • Technical Security Assessment
  • Vulnerability Assessment & Management

PROFESSIONAL EXPERIENCE:

Confidential

IT Security Manager

Responsibilities:

  • Responsible for assessing selected system controls and providing oversight for the work of 6 other Security Control Assessors (SCA) to support A&A/ATO program and recommending technical process improvements for the overall A&A process
  • Responsible for developing and obtaining approval for IT/Cyber Security Policies and Procedures
  • Responsible for reviewing and making recommendations on system security control selection and implementation to the AO, ISO and ISSO
  • Reviewing recent NIST, CIS, CISA, and DISA publications and developing best-practice documents and resource packets based on trending information gathered from these reviews
  • Reviewing and providing security requirements analysis of system architectures and designs
  • Providing needed guidance on security controls/requirements to System Owners and System Teams and recommending implementation strategies
  • Identifying vulnerabilities and recommending mitigation alternatives for POA&M items
  • Reviewing security test results to identify weaknesses, technical flaws, and vulnerabilities
  • Performing IV&V review of artifacts provided by system owner to support the remediation of identified security weaknesses, technical flaws, and vulnerabilities
  • Developing, implementing, and documenting formal security programs and policies throughout the program and monitoring compliance with these policies and programs
  • Performing monthly reviews of federal issuances (NIST, OMB, DISA, CISA, and CIS) to provide updates on new security standards, requirements, and regulations, and recommendations to management on how to implement the changes required to meet new control requirements

Confidential

Responsibilities:

  • Assisted the Command’s Information Assurance (IA) Managers (IAM) and Information System Security Managers (ISSM) in performing a deep dive into all open STIGs and developing a strategy for mitigation.
  • Assisted the Command in the mitigation of STIG-related findings discovered during CCRI by DISA inspectors and other routine security assessments
  • Provided after-action report of STIG non-compliance related to Operating Systems, Web Servers and Databases
  • Supported the Command’s Information Assurance (IA) Managers (IAM) and Information System Security Managers (ISSM) in the development and implementation of strong information security and assurance policies, procedures and standard requirements.
  • Provided support and assistance to the ISSM in the development of security policies, procedures and standards to address CCRI findings and multiple accreditation packages

Confidential

Responsibilities:

  • Provided leadership over the V&V and Blue Teams, overseeing the daily activities of the team at DISA JSP in support of the DoD overall cyber defense initiative/strategy
  • Demonstrated ability and capability to lead and direct project team to generate strategic vision, establish direction and motivate team members, creating an atmosphere of trust, leveraging diverse views, and mentoring team members
  • Designed, developed and implemented a scheduling system for V&V scans for JSP systems under AO and A&A processes to support the multiple DISA JSP systems accreditation packages
  • Provided and presented ad-hoc reporting metrics on cyber security threats and defense on as-needed basis to the agency leadership through the monthly Cybersecurity Advisory Board (CSAB) briefing
  • Provided technical and administrative leadership over the information vulnerability management process, including developing and managing vulnerability scans schedule, prioritizing scans according to ATO expiry date
  • Collaborated and coordinated with Assessment and Authorization (A&A), Software Engineering and Information Assurance and Vulnerability Management (IAVM) teams to ensure compliance with security standards
  • Supervised the design and execution of vulnerability assessments, Blue Team missions, and security audits.
  • Researched, evaluated and recommended new security tools, techniques, and technologies and introduced them to the enterprise in alignment with the IT security strategy
  • Advised government on the evaluation and selection of security and risk management services products
  • Prepared vulnerability scanning test plans, coordinated testing, and conducted scans using Nessus/ACAS, Nipper Studio and Threat Guard
  • Performed and documented vulnerability/risk analysis of computer systems, network devices and appliances, making recommendations for the issuance of Certificates of Networthiness (CoN) for new devices or appliances
  • Analyzed vulnerability scan results for validation and root cause, and worked with Technical Points of Contact (TPOCs) and development teams to establish resolution plans and priorities
  • Participated in Cyber Security Review Board meetings as part of security system Operations & Management (O&M) sustainment and architecture enhancement
  • Performed Security Technical Implementation Guide (STIG) compliance reviews, and Federal Information Security Management Act (FISMA) assessments and annual reporting
  • Performed Risk Assessment project that verifies security of third party vendors and tools, collaborating with them and project technical leads to ensure compliance with applicable corporate policies and third-party regulations

Confidential

Responsibilities:

  • Led the team that reviewed all SOC 1 reports received by the OUSD (Confidential) for compliance with the requirements of the new SSAE 18 standard
  • Coordinated the activities of the Information Assurance Vulnerability Management Team, using network analysis tools to identify vulnerabilities and communicating system security risks to system owners
  • Led the team that developed an official NFR (Notification of Findings and Recommendation) template for use by all DoD IPAs (Independent Public Accountants)
  • Performed security system event analysis, investigation, and validation
  • Analyzed vulnerability scan results for validation and root cause
  • Participated in developing and applying security system access controls
  • Responsible for establishing and maintaining security control assessment communications with all stakeholders
  • Reviewed and validated Security Tools configuration against established DoD security policies, standards and guidance
  • Validated the completeness and accuracy of artifacts provided by the SA&A team, System Administration and Security Engineers
