- Security Technologies: Tenable Security Center, Nessus, Nmap, CSAM, RSA Archer, ServiceNow, Retina Network Security Scanner, IBM AppScan, Remedy, Tripwire, Packetyzer, DISA, OWASP ZAP
- LANs, WANs, VPNs, Cisco Routers/Switches, Firewalls, TCP/IP
Information Security Analyst
- Conduct kick-off meetings in order to categorize systems according to NIST requirements of Low, Moderate or High
- Develop security baseline controls and a test plan used to assess implemented security controls
- Conduct security control assessments to assess the adequacy of the management, operational, privacy, and technical security controls implemented. Develop Security Assessment Reports (SAR) detailing the results of the assessment along with a Plan of Action and Milestones (POA&M)
- Assist in the development of rules of engagement documentation in order to facilitate the scanning of network, applications and databases for vulnerabilities
- Develop risk assessment reports. These reports identify threats and vulnerabilities applicable to systems. The reports also evaluate the likelihood that vulnerabilities could be exploited, assess the impact associated with these threats and vulnerabilities, and identify the overall risk level
- Assist in the development of an Information Security Continuous Monitoring Strategy to help in maintaining an ongoing awareness of information security (ensure continued effectiveness of all security controls)
- Lead the development of Privacy Threshold Analysis (PTA), and Privacy Impact Analysis (PIA) by working closely with the Information System Security Officers (ISSOs), the System Owners, the Information Owners and the Privacy Act Officer
- Develop an E-Authentication report to provide technical guidance in the implementation of electronic authentication
- Assist in development of a system security plan to provide an overview of federal information system security requirements and describe the controls in place.
- Support the Security Incident Response team in the remediation, documentation and reporting of all incidents for the ISSO assigned system.
IT Risk Auditor
- Performed third party risk assessments and Vendor due diligence using Hiperos Third Party Management (3PM) tool.
- Monitored 3rd party operational risk trends and provided analysis of data and other operational risk metrics using Security Scorecard.
- Tracked exceptions to IT policies and procedures and followed up with management approval for implementation.
- Used GRC tool, Archer, to conduct application assessment and track issues identified during the assessment with supporting mitigations measures.
- Performed IT & Risk Security Risk & Control Assessments for new products/initiatives
- Reviewed services provided by vendor and defined scope of assessment.
- Reviewed assessments performed by 3rd party and provided feedback. Defined appropriate risk levels and corrective actions for issues identified.
- Presented issues to 3rd parties and obtained corrective action plans.
- Input corrective action plans into system. Followed up on corrective action plans and reviewed evidence for closure. Provided metrics on a regular basis (KPI / KRI).
- Periodically reached out to vendors hosting our data regarding current threats to ensure they are taking the necessary steps to reduce exposure as part of ongoing monitoring.
IT Risk and Compliance Analyst
- Reviewed ISO 27001:2013 and ISO 27002:2013 standards with client to identify potential gaps in required documentation and processes.
- Evaluated the adequacy of internal controls and compliance with company policies and procedures by conducting interviews, examining documents, records, reports, and observing procedures.
- Assisted with creation of Asset register and conducted a test for its relevance.
- Assisted in document gathering and evidence collection for audit purposes.
- Documented security gaps identified as findings that required remediation and/or continuous monitoring.
- Conducted Risk Assessment and Business Impact Analysis to identify risks that need to be remediated or continuously monitored.
- Conducted pre-audits for various departments.
- Analyzed and updated System Security Plan (SSP), Risk Assessment (RA), Privacy Impact Assessment (PIA), System Security Test and Evaluation (ST&E) and the Plan of Action and Milestones (POA&M)
- Assisted System Owners and ISSO in preparing Certification and Accreditation package for IT systems, making sure that management, operational and technical security controls adhere to a formal and well-established security requirement
- Categorized systems based on the information type the system stores, processes or transmits.
- Performed Vulnerability Assessment, making sure that risks are assessed, evaluated and proper actions have been taken to limit their impact on Information and Information Systems
- Conducted IT controls risk assessments that included reviewing organizational policies, standards and procedures and provided recommendations on their adequacy, accuracy and compliance with the Payment Card Industry Data Security Standard