- A Cyber Security professional with 6+ years of experience in Vulnerability Management, Security Control Implementation, Assessment and Authorization, POA&M Management, Continuous Monitoring, the Risk Management Framework, Authentication & Access Control, System Monitoring, and Regulatory Compliance in accordance with NIST, ISO, and other regulatory bodies.
- I have experience in HIPAA, Security Assessment Reports (SAR), System Security Plans (SSP), and industry best security standards. I also have experience in the NIST SP 800 series, Cloud Computing (FedRAMP), Security Training, developing security policies, procedures, and guidelines, as well as international cybersecurity frameworks like the ISO 27000 series.
- Dynamic IT professional with the ability to adapt well to changing environments and interact well at all levels, with strong verbal and written communication skills and technical writing skills.
- Proven ability to lead and direct, solve problems creatively, and make strategic decisions in fast-paced environments.
- Microsoft Word, Excel, Outlook, PowerPoint, SharePoint, Windows, Linux
- NIST SP 800 (30, 37, 53, 53A, 66, 171, 171A, 137)
- ISO 27001 & 27002, COSO, COBIT, SOX 404, OMB A-123, OMB A-130, FISMA, HIPAA
- System Development Life Cycle (SDLC)
- Assessment and Accreditation (A&A)
- PCI DSS
- Certification and Accreditation (C&A)
- Independent Verification and Validation (IV&V)
- Security Policies, Procedures, and Technical Documentation, Audit and Accountability
- Cloud Computing
- Information Security and Privacy Assurance
- Risk and Vulnerability Assessment
Internal Audit Assessor
- Assist the external audit firm in the performance of quarterly and annual audit procedures.
- Perform tests of internal controls in accordance with SOX 404 requirements or supervising department interns/staff in the performance of the same.
- Assist in the creation of audit reports highlighting major findings and recommendations for correction or change in business processes.
- Develop SAPs, test the documented systems in accordance with applicable policies and guidelines, and document the results of the testing in the Risk Traceability Matrix based on NIST SP 800-53A.
- Review and analyze the findings that identify security issues on the system and compile results and findings into a final Security Assessment Report (SAR), along with assessments and recommendations for remediation, based on NIST SP 800-53A.
- Ensure that controls are implemented correctly, functioning as intended and producing the right results.
- Assist in reviewing and updating the Change Management Plan, Incident Response (IR) Plan, Contingency Plan (CP), Contingency Plan Test (CPT), and system change activities as part of the Configuration Management Process (CMP), using NIST SP 800 (18, 34, 61, 84, 30, 128) as a guide.
- Perform assessments on cloud systems and work with cloud service providers like Amazon Web Services (AWS).
- Perform SOC 1 audits, making sure third-party vendors' security posture is in compliance with the organization's regulations.
- Responsible for risk management activities such as tracking Plans of Action and Milestones (POA&M) based on OMB 02-01.
- Work with stakeholders to ensure the identified weaknesses from vulnerability scans are remediated in accordance with defined remediation time frames to satisfy SI-2 Control.
- Independently performing assigned audit testing and documenting work performed in compliance with Departmental standards.
- Excellent communication, customer service, analytic, problem-solving, writing/documentation, time management and interpersonal skills.
- Review and update System Security Plans (SSP) against NIST SP 800-18 and NIST SP 800-53 requirements.
- Review A&A package items for compliance using NIST guidance, such as the system FIPS 199 categorization, e-Authentication assessment, PTA, PIA, Contingency Plan (CP) and Contingency Plan Test (CPT), using NIST SP 800 (63, 34, 84, 122) as guidance.
- Participate in internal and external reviews, inspections, Security Assessments and Authorizations, and audits to ensure compliance with the organization's and client's security policies as well as NIST and ISO requirements.
- Conduct security control assessments to assess the adequacy of the management, operational, privacy, and technical security controls implemented.
- Incorporate organizational continuous monitoring solutions into information system operations. Ensure compliance with the client's continuous monitoring policies and procedures.
- Ensure that established internal control procedures are in compliance by examining reports, records, documentation and operating practices.
- Develop, review and maintain baselines for the client's information systems, such as System Security Plans, software and hardware listings and diagrams, Control Implementation Matrix, inheritance, Security Assessment and Authorization artifacts, and ATO packages.
- Help in conducting internal auditing assessments of technical controls to determine agency compliance prior to the external auditor's audit, based on the organizational guidelines.
- Lead remediation efforts when security controls are insufficient, weaknesses are identified in network security configurations, and vulnerabilities deviate from the client's security policy, by recommending corrective actions to mitigate identified deficiencies and developing Plans of Action and Milestones (POA&Ms).
Information Security Officer
- Assessed risks to critical assets; evaluated the effectiveness of existing controls; and developed/implemented Risk Treatment Plans (RTPs) that mitigate risk to acceptable levels.
- Monitored internal compliance against information security governance frameworks by conducting routine testing and internal control reviews as well as enterprise risk assessments in accordance with ISO 27005.
- Maintained organizational Framework policies and procedures and assisted with stakeholder communication, training, and awareness.
- Performed assessments of third parties supporting Shape to evaluate their current security posture and monitor ongoing adherence to Shape's information security requirements.
- Identified and communicated control gaps, evaluated management remediation action plans, and provided ongoing monitoring of resolution through briefings to senior management.
- Managed risk assessment activities coordinating with the security team, Senior Leadership, vendors, and contractors.
- Reviewed technology and risk management processes; examined documentation and flows to identify ways to improve and streamline risk mitigation processes.
- Participated in presentations and workshop sessions on Cybersecurity risk management activities, process analysis, risk identification, assessment, control, and mitigation.
- Where required by internal policies or external agencies, developed documentation and reports. This also includes developing, contributing to, and monitoring metrics and reporting (e.g., management reporting, internal reporting, etc.).
- Comprehensively assessed risks and gathered insights from issues and events across technology business areas to provide an aggregated risk assessment in accordance with ISO 27005.
- Provided support and recommendations for the organization by updating policies, procedures and processes to execute the Risk Management Framework.
- Led the risk response team in the effective implementation of the risk response based on the selected response action.
- Identified security design gaps in existing and proposed architectures and recommended changes or enhancements.
- Met with project teams and other system architects to develop system designs and project plans that include the appropriate security controls and meet security standards.
- Complied with standards set by NIST, along with ISO 27002, PCI, HIPAA, HITRUST and others.
- Developed a comprehensive awareness of security technology and information needs used to develop and test security structures to protect Confidential systems.
- Engaged and participated with cross-functional independent representations of management to ensure appropriate oversight and governance of the security program.
- Participated in the investigation and reporting of security violations of the organization’s Information Security Policies and Standards.
- Identified residual and inherent risk from the risk matrix and control strength, and determined the risk factors associated with transactions, data, accessibility, users and host types for the various applications and systems assessed.
- Maintained great working relationships with site personnel and teammates.
- Led the development and implementation of the organization-wide risk management function of the information security program to ensure information security risks are identified and monitored.
- Assisted with conducting the internal audit program to conform with Confidential policies, procedures, and standards for internal and cloud systems.
HIPAA Compliance Security Privacy Officer
- Met with system owners and stakeholders to identify assessment scope and attain artifacts needed for successful completion of assessments.
- Assessed systems of varying scope and complexity, comprising various technologies.
- Analyzed and updated the System Security Plan (SSP), Risk Assessment (RA), and Privacy Impact Assessment (PIA); monitored controls post-authorization to ensure constant compliance with HIPAA regulations.
- Ensured that controls are implemented correctly, functioning as intended and producing the right results.
- Performed awareness and training for new and existing employees on the confidentiality of patient ePHI.
- Selected and implemented applicable security controls (technical, operational and management) using NIST SP 800-53 Rev 4 as a guide.
- Determined effectiveness of Technical, Operational and Management security controls by assessing whether controls are implemented correctly, operating as intended, and meeting security requirements.
- Classified and categorized information systems using HIPAA standard processes to ensure system Confidentiality, Integrity and Availability.
- Excellent communication, customer service, analytic, problem-solving, writing/documentation, time management and interpersonal skills.
- Maintained HIPAA standards, securing ePHI, PHI, and PII information in accordance with NIST SP 800-66, HIPAA regulations, and the Privacy Act.
- Compiled all security reports and submitted the findings and lessons learned to management.
- Helped facilitate security projects and audits in a timely manner to meet the company’s Business continuity plan for a fiscal year.
- Assisted in maintaining all first-line policies and procedures by drafting, reviewing and updating them as necessary.
- Reviewed authorization documentation for completeness, accuracy and compliance, facilitated Security Control Assessment (SCA) and Continuous Monitoring activities, and applied examine, interview and test procedures in accordance with NIST SP 800-53A Revision 4.
- Reviewed and updated the System Security Plan (SSP) based on findings from assessing controls using NIST SP 800-18 Rev 1, NIST SP 800-53 and 800-53A.
- Created and updated the Security Assessment Report (SAR) in compliance with NIST and FISMA regulation.
- Interpreted HIPAA / HITRUST controls and properly applied the specifications across operational responsibilities to help build cost-effective, scalable security controls and infrastructure to sustain certification levels across the enterprise.
- Assisted in the creation, maintenance and periodic review of the organization’s security policies and standards