
Security Engineer Resume


PROFESSIONAL SUMMARY:

An information security professional with diverse technology and business management experience seeks to provide information protection and risk management expertise to facilitate business in a secure and cost-effective manner, while managing threats. Applies knowledge, innovates, communicates, and manages efficiently to complete projects on time and under budget. Proficient at learning new technologies, methods, and concepts quickly to expedite problem determination, implement solutions and streamline operations securely.

PROFESSIONAL EXPERIENCE:

Confidential

Security Engineer

Responsibilities:

  • Coordinate peer review assessments with various departments, facilitate meetings, document decisions and archive details.
  • Perform vendor IT risk assessments for software as a service, data sharing, and COTS software products using NIST based approach and make recommendations to improve security and reduce risk.
  • Answer questions and provide guidance to business management teams and vendors.
  • Prepare reports and gain risk acceptance from business management.
  • Review independent and self-assessments including HITRUST, PCI, SSAE 16 SOC and others.
  • Make remediation and compensating controls recommendations.
  • Coordinate efforts with business and system owners to gather information for system security plans.
  • Review system security plan controls, prioritize risks, and develop corrective action plans with input from business teams.
  • Provide training and education for line of business staff and executives where appropriate.
  • Review provided plans, and request additional information where appropriate. Develop corrective action plan and gain business owner acceptance.
  • Assure that corrective action plan is monitored for follow up.
  • Approach used is based on NIST Risk Management framework.
  • Use OnSpring GRC tool.
  • Monitored meetings which perform pre-purchase assessment of IT-related purchases for HIPAA compliance.
  • Participated on project team to develop strategy to improve security information and event management.
  • Developed recommendations to improve security related to remote desktop access, clinical work stations, account management.
  • Recommended security enhancements to requirements for new systems and interfaces.
  • Use OnSpring to perform pre-purchase risk assessment and compliance based on NIST Risk Management framework and computer security controls.
  • Participated on software selection team to determine software for technology asset management, incident management, and change control. Use software.

Confidential

Healthcare Provider Information Security Engineer/ Project Manager

Responsibilities:

  • Troubleshot incident response notification process, developed and implemented solution for multiple-facility health care organization.
  • Also developed Table Top Exercises Participant and Facilitator guide and led exercises. Wrote up incident response for table top incident for lost or stolen device.
  • Updated play books for 9 types of incidents (data breach, DDoS, lost or stolen assets, malware, physical compromise, phishing, telephone social engineering, threat intelligence and web compromise) to enhance them and remediate audit findings.
  • Update associated process flows.
  • Developed and implemented Incident Response scenarios (9) for table top exercises to exercise response process, enhance play books, and task lists.
  • Reviewed new policies, procedures and processes and associated information gathering tools for information technology risk management based on NIST for third parties, data sharing, COTS and internally developed software.
  • Recommended enhancements, including considerations for internally developed applications.
  • Performed third party and technology risk assessments.
  • Reviewed procurement process and recommended enhancements, which included new controls for third party connections and data sharing.
  • Past supply chain management provided expertise to review procurement security requirements, contract language and recommend enhancements.
  • Participated on enterprise asset management, incident response, and change management implementation project to contribute security requirements and advise of business risk, including business continuity. Participated in product selection process.
  • Reviewed security awareness materials and recommended enhancements, as well as related products.
  • Developed user guidance for security awareness including compromised accounts and devices, phishing, and use of clinical workstations. Developed technical staff guidance for remote device administration, tools and risks.
  • Developed policy and standards for portable media use and protection.
  • Developed and/or refined security metrics for malware detection products, user accounts, encryption, and intrusion detection systems.
  • Assisted with the development and implementation of security operations center, including roles and responsibilities, activities, and metrics.
  • Previous engagement ended. Surgery was scheduled and then postponed until end of June.
  • Complications required longer recovery period. Job search began in September. Completed training and challenged GIAC Critical Controls certification.

Confidential

Data Center Service Availability and Compliance Consultant

Responsibilities:

  • Review data center information security and service offerings. Develop additional and update current policies and procedures to remediate gaps and improve security posture.
  • Meet with architecture team members to learn and evaluate technology and software, as well as technology platforms. Review security configuration specifications for vendor software to assure enterprise’s appropriate level of risk tolerance is maintained.
  • Coordinate efforts of Enterprise Data Center (EDC) and EDC leadership to define standard processes and procedures to ensure all data center and information system services meet the availability needs of the customer.
  • Work with Enterprise Disaster Recovery Coordinator and IS Security department to develop policies supporting information system service availability.
  • Coordinated EDC HIPAA, Meaningful Use and NIST compliance with enterprise security and compliance departments. Perform internal reviews, identify compliance deficiencies, and monitor remediation progress to ensure remediation by technical teams.
  • Develop risk management strategies to reduce non-compliance and risk associated with architecture, information technology and systems.
  • Review the compliance and vulnerability reports, work with technical teams to develop remediation schedule, and monitor remediation efforts to assure completion.

Confidential

Information Technology Security Officer

Responsibilities:

  • Led organization's information security program. Reviewed program and determined compliance. Made recommendations for program improvement and COV SEC 501 compliance improvement.
  • Coordinated response to outside auditor requests. Gathered information and prepared responses for physical security, security awareness training, web application security, environmental safeguards monitoring, and user maintenance inquiries.
  • Assessed compliance and developed strategy to realign security priorities based on risk tolerance and compliance goals. Improved process for local administrative access and exception governance. Developed corrective action plan for audit findings.
  • Updated security awareness training to include current threats and in accordance with COV SEC 501 Standard. Developed security briefings for summer programs and presented to athletic and summer program participants.
  • Recommended improvements to references for students, information security, and IT pages.
  • Gathered information, performed risk assessment for technology, and applications, and coordinated implementation to minimize risk and provide solutions for stakeholders.
  • Provided guidance to information technology staff to assess and mitigate threats and vulnerabilities to protect electronic assets. Used MS System Center to review malware remediation status and malware detection implementation. Researched and prepared malware defense strategy. Recommended firewall upgrade.
  • Recommended changes to Exchange implementation to enhance detection. Reviewed email for threat potential, and recommended blocking and developed awareness guidance and distributed to users.
  • Provided guidance on application security risks, including on-line banking risk and mitigation.
  • Researched and provided recommendations for encryption of email.
  • Reviewed access to tumbler locks for IT staff and coordinated update of it. Reviewed and updated access and business justification for electronic access to server room.
  • Updated agreements and policy for administrative access for systems administration and other privileged access.
  • Reviewed implementation and recommended modifications to improve security posture.
  • Recommended and drafted updates for user account creation and removal.
  • Reviewed and recommended updates for Physical Security, Computer Acceptable Use, Mobile Phones, Computer Replacement, Security Awareness Training, Digital Copyright Compliance, and Privacy Policy documentation for presentation to management.

Confidential

Information Security Office - Information Technology Specialist

Responsibilities:

  • During extended leave of Information Security Officer, managed and prioritized work effort.
  • Developed and implemented enterprise information technology risk assessment program based on IRS Pub 1075, NIST, SANS and OWASP.
  • Performed security evaluation and risk assessment for new implementation of complex multi-tier web applications, secure transmission of electronic information, new technologies, and external connections, aligned risk to acceptable levels, recommended and oversaw implementation of counter measures, and prepared detailed reports of findings.
  • Have certification and accreditation knowledge according to controls in NIST SP 800-53 and SP 800-53A.
  • Performed information security assessment and prepared risk mitigation recommendations for architecture, emerging technologies implementation, including VoIP for enterprise with call center, cloud storage, electronic mail, telecommuting, multiple agency printing consolidation, multi-tenant data center consolidation and virtualization.
  • Monitored new threats and changes to threat landscape and recommended improvements to reduce risk.
  • Developed supplemental method to detect malware using existing Microsoft Management tools. Knowledgeable about, with an advanced understanding of, the impact of networks, intrusion prevention and detection, wireless and mobile devices, as well as web application firewalls.
  • Led initiatives to research, interpret, prepare recommendations for, and perform impact and risk analysis to harden Microsoft Office 2007, including Windows group policy objects, secure configuration, hardening of Internet Explorer 7.0 and code signing with certificates on various Windows systems with role based access control, considering federal requirements.
  • Researched best practices, partner, federal and state requirements and evaluated security information and event management solutions to enhance enterprise logging system with the ability to determine detailed data access and its appropriateness. Developed business objects to mine security event information from IBM SMF framework for storage in existing AIX DB2 data warehouse, including data element mapping and validation that information selected is appropriate and accurate.
  • Guided information owners in their classification of information, provided assistance, and monitored effort to completion.
  • Updated Information Security Office information classification, internal controls and business continuity plans. Coordinated enterprise-wide information classification update and review of controls and implementation progress, based on confidentiality, integrity and availability. Prepared two PowerPoint slide presentations and presented information classification concepts and methodology to more than ten business teams. One was an overview for executive management and the other more detailed for those performing the classification effort.
  • Investigated and interpreted best practices and partner requirements, and created a comprehensive plan for web application vulnerability assessment and remediation. NIST, SANS and OWASP were referenced to develop strategy and plans. Led enterprise-wide proof of concept evaluations of automated vulnerability assessment tools, including scheduling, scope, issues resolution, timeline management, and documentation of results. Provided guidance to remediation teams that included various technical groups, and external parties. Managed enterprise application and systems vulnerability assessment program. Used QualysGuard, NexPose, WebInspect. Familiar with AppScan and others.
  • Manual testing of application vulnerabilities to determine whether exploitation is possible.
  • Developed filter criteria for and coordinated the implementation of data leakage prevention program. Assisted operations security teams with the modification and tuning of filters, as needed post implementation based on periodic review of quarantined information. Developed procedures for quarantine review and notification of users when information is quarantined.
  • Researched Payment Card Industry Data Security Standard. Evaluated organization credit card acceptance process to determine compliance and prepared detailed report, including improvements needed to implement PCI-DSS compliant processing of credit cards in house. Analysis of application, business processes, systems and platforms provided enterprise leaders with information to determine the cost to insource credit card payment acceptance.
  • Assisted outside auditors, prepared information for review, responded to audit findings, and/or coordinated enterprise security compliance evaluations for various entities. Coordinated effort to provide information for computer security evaluation matrices.
  • Reviewed processes and contracts to determine compliance and remediate issues for IRS Publication 1075, NIST, FISMA, PCI-DSS, NACHA and NYS Cyber Security Policy. Reviewed external e-discovery compliance requirements and participated on enterprise wide team to determine strategy for compliance with requirements and means to respond to e-discovery requests.
  • Researched best practices and legal requirements for and implemented Information Security Breach and Notification Act response, investigation and documentation procedures. Updated policies and procedures based on lessons learned phase of investigation. Led the enterprise wide data breach investigations.
  • Led enterprise security awareness program, including management of meetings, development of monthly enterprise wide communications. Designed and implemented information security office intranet site in SharePoint.
  • Reviewed contracts and supporting requirements for IRS Secure Data Transport, and Social Security Administration, and developed agency procedures, and standards for technical staff to assure compliance with requirements and obligations. Prepared policy, standards and procedures for Federal data on distributed architecture to comply with federal and contractual requirements, including review of contracts and supporting documents to report gaps and facilitate compliance.
  • Provided Disclosure Officer with explanations and assistance regarding technical computer security topics in IRS Publication 1075 and NIST Special Publication 800-53 and 800-53A. Provided training to peers and management in a classroom setting, as well as impromptu coaching. Prepared curriculum for, and instructed courses about information security, including the preparation of lectures, course materials and set up of necessary aids.

Confidential

Information Technology Specialist and SFS Security Lead

Responsibilities:

  • Coordinated multiple team efforts to expedite the determination and resolution of access control and security related issues to facilitate user acceptance and end to end testing of PeopleSoft Financials application.
  • Reviewed access requests for PeopleSoft Financials application, and recommended reducing access to conform to least privilege model.
  • Evaluated application security program and developed business justification and specifications for implementation of new technology and tools to improve security of PeopleSoft Financials application with Oracle data storage for executive approval.
  • Reviewed PeopleSoft permission list, role, and access, implementation and recommended security improvements.
  • Coordinated the development of security staffing estimates and justification to support planned software release for over 100,000 users.
  • Managed security administration, including user provisioning of Windows, Entrust Smartcards, MS Outlook, PeopleSoft and other access.
  • Coordinated implementation of security enhancements with system integrators.
  • Monitored enterprise security posture to assure its alignment with management goals, regulations and policy compliance, and recommended actions to realign where needed. Managed multiple efforts using Microsoft Project to assure timely completion.
  • Developed/reviewed tasks, milestones, time lines and charters for security projects.
  • Coordinated effort to prepare security administration, workflow, employee data administrator, and credit card administrator policies and procedures for financial services agency customers including separation of duties concepts and fraud reduction measures, and its presentation to customer agencies.

Confidential

Information Technology Specialist - Programmer/Analyst

Responsibilities:

  • Determined specifications for and developed business components and programs to read and write messages to MQ Series middleware.
  • Provided guidance to developers in the use of MQ Series queues. Collected user specifications, designed, coded, tested, documented, and validated Ad Hoc reports using numerous data populations.
  • Developed stored procedures, queries, and reports using various BI tools and SQL dialects.
  • Led effort to develop Abandoned Property system to generate notices for checks not cashed by payees, maintain contact history, correspondence, and check reissue history, and report for annual reconciliation.
  • Maintained and enhanced batch and interactive programs on IBM Z/OS. Enhanced software to store user access security events, collect statistics for web application usage, and the “transaction software bridge” for ecommerce access to IBM Z/OS from AIX web servers. Participated in all phases of SDLC.
  • Trained peers and superiors in a classroom setting. Provided impromptu coaching, and shared troubleshooting and problem resolution expertise. Prepared curriculum for, and instructed a Livelink course. Prepared a quick reference.
  • As a member of the Information Systems Standards Team, prepared standards for information systems and software development on IBM Z/OS systems with CICS, DB2, TSO, and IDMS.
