- A Security Assessment and Authorization (SA&A) professional knowledgeable in Risk Management Framework (RMF), Systems Development Life Cycle (SDLC), and Vulnerability Management using FISMA and applicable NIST standards and adaptations.
- Detail-oriented professional with a firm foundation and experience in planning, executing and managing client engagements and projects.
- Independent self-starter and a team leader fostering collaborative efforts toward achieving goals.
- Strong critical thinking, problem solving, and time management skills with proven success at handling multiple responsibilities and projects.
- Proven success at clearly communicating project objectives, findings and recommendations both verbally and in writing.
- 10+ years working experience and background in Cybersecurity, Cloud security, IT Audit, Information Systems Security, Vulnerability Assessment, Information Assurance, Privacy, Systems Development Life Cycle, and Risk Assessment.
- Proficient with COBIT, FISCAM, NIST, ISO, OMB Circular A-123, Internal Control, Internal Audit, Audit Readiness, ERP security control reviews, GRC, Attestation Engagements-SAS70/SSAE 16, IAM/IDM Access Management Strategies, HIPAA and HITECH Compliance, Data Analysis, and Application Integrity.
- Wide-ranging knowledge of audit/assessment of IT Infrastructures; Operating Systems, Databases, Network devices and concurrent cybersecurity trends.
- IT Governance, IT Management, Risk Management, IS Audit, IT Risk Evaluation, IT Compliance, Access Management, IT Security, Identity Management
- SDLC, Categorization of Information Systems, Information Systems Authorization, Security Control Implementation, Risk Management Framework (RMF)
- Selection of Security Controls, Security Control Assessment, Network Security, ITGC/Application controls Audit, SOX Compliance, SSAE16 Report, COSO
- COBIT, FISCAM, Cloud, SharePoint, MS Office suite (Word, Excel, Outlook, Visio, PowerPoint and Access), Internal Audit, Data Analysis, Vulnerability Assessment, NIST.
Sr. Cybersecurity/Compliance Analyst
- Perform Security Assessment and Accreditation (SA&A) process for multiple systems requiring an Authorization to Operate (ATO).
- Conduct kick-off meetings with system personnel and stakeholders and interface with Subject Matter Experts (SMEs) throughout the SA&A process.
- Categorize system levels using FIPS 199/200/NIST 800-60.
- As an SME, coordinated remediation efforts of vulnerabilities discovered on the Wide Area Network General Support Systems (WAN GSS).
- Apply in-depth knowledge of NIST SP 800-53 and NIST SP 800-37 to perform detailed security assessments of all FISMA-categorized information systems.
- Analyzed and updated Business Impact Analyses (BIAs), Privacy Threshold Analyses (PTAs) / Privacy Impact Assessments (PIAs), System Security Plans (SSPs), Security Assessment Reports (SARs) / Vulnerability Assessment Reports (VARs), and Plans of Action and Milestones (POA&Ms).
- Liaise with the Cybersecurity Compliance office to properly vet all deliverable submissions to the Authorizing Official (AO).
- Assist the Program Management team in the delivery of multiple ATO packages and in managing extended ATOs due to exceptions and waivers ignited by open POA&Ms.
- Support designated Cybersecurity priorities advanced by evolving Compliance needs.
- Participate in Continuous Monitoring activities and initiatives.
- Provide recommendations to the organization/client to help balance cyber risks and business needs.
- Scope and tailor security controls for moderate and high systems using NIST SP 800-53 Revision 4 and applicable control overlays.
- Support remediation of findings by providing recommendations for fixing findings documented in the Security Assessment Report (SAR).
- Request and review vulnerability scans and STIG checklists and ensure that open findings/vulnerabilities are properly documented on the POA&M or remediated immediately.
- Partake in agency Application Tower Meetings.
- Lead, supervise, evaluate and delegate tasks to junior analysts.
- Develop content for security plans, test plans, waivers, POA&Ms, ATOs, SIAs, SARs, IT Contingency Plans, BIAs, change management documentation, etc.
Sr. IT Auditor/ Global Security Risk and Compliance Analyst
- Liaised with internal and external auditors, coordinated audit timing, findings remediation, engaged issue owners and managed SOX GITCs monthly reporting.
- Updated Senior Management and other stakeholders about identified risks and opportunities for improvement within control environment.
- Reported on status of all audit activities (Internal & SOX) to management. Tracked remediation activities for all findings (POA&M) and reported metrics for audit activity used for executive reporting.
- Worked with management to define and prioritize remediation. Tracked remediation activities and provided remediation guidance, inspected/validated implemented solutions where applicable.
- Accepted/refuted findings reported by auditors per relevance, and drove findings’ consolidation where appropriate.
- Developed content for Archer GRC design, build, testing and user training. Supervised UAT.
- Served as a subject matter expert on various special projects, risk assessments, and initiatives within the organization as delegated.
- Administered gap analysis with senior management to aid decision making process.
- Updated IT security policies, procedures, standards, guidelines and security requirements.
- Performed vendors’ due diligence. Managed third-party security risk assessments.
- Provided project security assessments: authenticated security controls, data classifications (Tier Categorizations), security requirements, and toll gate validations for business projects prior to the all-clear to go live.
- Verified applicable information security essentials (SSAE16 SOC 1 and SOC 2 reports, ISO 27001, pen test and vulnerability assessment reports, FISMA compliance, etc.) to validate vendors’ reliability.
- Kept internal and external auditors up-to-date with status of findings and remediation, including closed findings.
- Assisted in development and maintenance of IT Governance and Compliance Frameworks for managing IT improvement initiatives.
- Synergized with regional and global information security and business leads on applications, databases and operating systems in scope for QUAR (Quarterly User Access Reviews) of privileged user IDs globally (LATAM, APAC, North America, and EMEA).
- Validated User Access Reviews/Terminations. Reconciled users’ access levels alongside system generated reports covering Applications, Database and Operating systems as part of QUAR.
- IAM/IDM Access Certification monitoring.
- Reviewed administrators’ rights to restrict access to only needed functions to perform required tasks.
Sr. IT Auditor/Information Security Analyst
- Conducted testing of Sarbanes-Oxley (SOX), OMB Circular A-123 Audit, and Service Organization Control (SOC) SSAE 16 reviews.
- Conducted integrated audits requiring technical skills for evaluating networks, application development and compliance with security policies from planning phase to completion. Immense familiarity with COBIT, COSO, PCI DSS, OMB Circular A-123, FISCAM frameworks.
- Performed Security Assessment and Accreditation (SA&A) process for multiple systems requiring an Authorization to Operate (ATO).
- Participated in audits and compliance reviews based on FISCAM, FISMA, NIST SP 800-53 series, ISO 27001, OMB circular A-123 and A-127 frameworks.
- Coordinated IT related SOX compliance reviews, assessing IT Application Controls in connection with program development, change management, computer operations, security and configurations as well as vendor service providers.
- Implemented and tested internal controls under Section 404 of the Sarbanes-Oxley Act, performed walkthroughs of controls and evaluated operating effectiveness of controls.
- Evaluated segregation of duties and application security involving ERP systems (SAP, PeopleSoft, Oracle Financials, Momentum, Deltek Costpoint) and executed audit strategy.
- Performed audit of IT general controls (ITGC) - Access control, Change Management, IT operations, Disaster Recovery and Platform reviews (Windows, Mainframe and UNIX).
- Prepared audit scope, reported findings, and presented recommendations for improving data integrity and internal controls.
- Performed IT General Controls and Application Controls reviews and monitored segregation of duties and other key management controls for system reliability, availability, and performance.
- Tested compliance with policies and procedures to ensure conformity with industry standards, such as the HIPAA and PCI DSS frameworks.
- Performed consolidation of IT audit findings, presentation of drafts/reports with notification of findings and recommendations.
- Conducted systems and network vulnerability scans in order to identify and remediate potential risks.
- Worked with IT Operations and Network Engineers to mitigate system vulnerabilities discovered in network devices (routers, switches, VPN Concentrator), servers, and workstations.
- Updated and tracked Plans of Action and Milestones (POA&Ms).
- Updated and reviewed Configuration Management Plans (CMP), Contingency Plans (CP), Incident Response Plans (IRP), and other tasks and specific security documentation.
- Performed Federal Information Security Management Act (FISMA) audit reviews.
HIPAA Compliance Analyst
- Handled staff training on operational processes that ensured compliance and best practices, including HIPAA/HITECH regulations, together with the review of operational systems for control effectiveness, and ensured adherence to healthcare regulations.
- Ensured that policies and procedures are implemented and processes are well documented.
- Identified and presented compliance issues to the HIPAA Steering Committee and ensured the timely completion of any action items approved by committee members.
- Resolved and documented all questions related to privacy and security of patient health information for tracking purposes.
- Reviewed privacy and security compliance training materials and conducted ongoing in-services, new employee orientation, and graduate medical education.
- Coordinated documentation and timely processing of patient rights activities (i.e., amendments to medical records, requests for restrictions to health information, requests for confidential communications) to ensure compliance with privacy regulations.
- Organized and conducted HIPAA privacy walkthroughs to determine compliance with federal regulations.