Security Engineer Consultant Resume Profile
EXPERIENCE SUMMARY
Governance, Risk and Compliance (GRC) Subject Matter Expert. Accomplished Cyber Security professional who thoroughly understands the threat landscape and is experienced in evaluating risk and designing effective mitigation strategies and countermeasures across the System Development Life Cycle.
Areas of expertise include:
- Subject Matter Expert on the Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NIST) standards and guidance mandated for Federal agencies by the Federal Information Security Management Act (FISMA) of 2002.
- Subject Matter Expert on all aspects of the Risk Management Framework (RMF) as defined by NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (February 2010), in the context of NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View (March 2011). For a complete list of the FIPS PUBs and NIST SPs used, see Appendix A.
- Perform technical security analysis of designs for new, and modifications to existing, network topologies and systems to identify security risks and vulnerabilities, and recommend hardware, software, processes, procedures and methodologies as compensating controls to mitigate the identified risks.
- Network and Security Project Management including task scheduling, cost estimation, project team building and communication, and resource and task management.
- Research, development and delivery of Security and Risk Audits and Assessments and presentation of findings to technical and executive management.
- Managing security, network and system engineering personnel.
- Corporate network security management.
- Experienced in all aspects of software and system development life cycle from a program, technical and functional leadership perspective.
- Technical and proposal writing, including responding to Requests for Proposals, Requests for Information and Requests for Capabilities Statements from Civilian Federal Government customers and potential customers.
- Conversant in Information Technology Infrastructure Library (ITIL) foundation and planning principles.
- Knowledgeable and familiar with the requirements and application of U.S. Environmental Protection Agency (EPA, or Agency) Information Security Policies, Procedures, Manuals, and Directives.
PROFESSIONAL EXPERIENCE
Information Security Officer
Confidential
Serve as Information Security Officer for multiple Lockheed Martin (LM) contracts with the U.S. EPA, including the ITS-EPA II PMO, GSA Schedule and CIO-SP2 NIH Task Orders. Serve as primary point of contact to the EPA Personnel Security Branch for personnel security matters, and to EPA Office of Environmental Information (OEI) and National Computer Center (NCC) Security for ITS-EPA II and other Program security requirements, monitoring, issues and incidents.
Information Security projects include:
- Responsible for the information gathering, research, analysis, development, review and management through the approval process of Agency Security Documents, with specific expertise in FIPS- and NIST-compliant Risk Assessment Reports, Assessment and Authorization documentation (System Security Plan, Security Assessment Report, and Plan of Action and Milestones), Contingency Plans, Risk Management Plans, Memoranda of Understanding, and Interconnection Security Agreements.
- Perform third-party independent Technical Security Reviews of a wide variety of Security Requests and Proposals submitted to U.S. EPA National Computer Center (NCC) Security and report findings and recommendations. As requested by NCC Security, develop a wide variety of Security Documents and Proposals on behalf of requesting EPA organizations for submittal to NCC Security.
- Performed technical security review and analysis of the U.S. Nuclear Regulatory Agency (NRC) National Source Tracking System (NSTS) interim network and system design to determine the extent to which the network and system, as designed and documented to date, complied with governing FIPS, NIST Special Publications, Office of Management and Budget (OMB), Chief Information Officers (CIO) Council, and General Services Administration (GSA) eAuthentication Standards and Guidelines, including, but not limited to:
  - FIPS PUB 140-2, Security Requirements for Cryptographic Modules
  - eGov E-Authentication Handbook for Federal Government Agencies
  - E-Authentication X.509 Certificate Policy for E-Government Certification Authorities
  - NIST Special Publication 800-63, Version 1.0.1, Electronic Authentication Guideline
  - Electronic Risk and Requirements Assessment (E-RA)
  - E-Authentication Credential Assessment Suite
  - E-Authentication Federation Legal Document Suite
  - Certificate Lifecycle Methodology for E-Governance Certificate Authorities
  - CIO Council Guidance:
    - OMB Memorandum 04-04, E-Authentication Guidance for Federal Agencies
- Designed the security components, processes, procedures and methodologies required to bring the U.S. NRC NSTS network and system into compliance with the governing Standards and Guidelines, and worked with network designers, Data Center Administration, and system, network, database and application development teams to redesign existing and implement additional security components.
- Authored System Security Plans for the LM System Engineering Center (SEC) General Support System (GSS), the LM Meridian Park Facility GSS and multiple (40) Agency Major Applications (MAs), compliant with FIPS PUB 199, NIST SP 800-60 Version 2, FIPS PUB 200, and NIST SP 800-53 standards and guidance.
- Performed Risk Assessments and authored Risk Assessment Reports in compliance with NIST SP 800-30, Risk Management Guide for Information Technology Systems, for the LM SEC GSS and multiple EPA MAs. Risk Assessment information gathering and analysis techniques included:
  - Security document reviews: review and compliance analysis of the System Security Plan, Contingency Plan, previous Risk Assessment(s), previous Independent Verification & Validation (IV&V) Report(s), System Design Documents, and Security Assessment Report(s), as available.
  - Interviews with key system personnel.
  - Use of automated vulnerability assessment tools.
  - Review and analysis of the current Fiscal Year (FY) Assessment performed with the EPA Automated System Security Evaluation and Remediation Tracking (ASSERT) system and the Plan of Action and Milestones (POA&M) generated by the EPA ASSERT system.
- Developed Contingency Plans compliant with NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, and Interconnection Security Agreements (ISAs) and Memoranda of Understanding (MOUs) compliant with NIST SP 800-47, Security Guide for Interconnecting Information Systems, for the LM SEC GSS and multiple U.S. EPA Major Applications. Led annual Contingency Plan Testing and Exercise Reviews for multiple EPA MAs.
- Perform annual Security Assessments for multiple EPA MAs utilizing the Agency's ASSERT system. Create, schedule and manage POA&M tasks and milestones in the EPA ASSERT system to correct or mitigate the risks and vulnerabilities identified by the Security Assessments.
- Developed Standard Configuration Documents (SCDs) for the MetaCarta Geographic Text Search (GTS) network appliance and ERulemaking Sun Solaris servers in compliance with security best practices.
- Authored the Federal Deposit Insurance Corporation (FDIC) Contract Security Plan for the Lockheed Martin Information Technology Application Services (ITAS) contract.
- Responsible for analyzing and interpreting security posture utilizing a wide variety of information resources; reviewing system conformance to security requirements, including FISMA, OMB, and NIST compliance; auditing performance against policy and security plans; reviewing the adequacy of security controls; recommending improvements to security control implementation and methodologies; analyzing the security requirements of new IT projects and designing compliant security controls; and writing in-depth reports that address security requirements for both management and technical audiences.
- Subject Matter Expert in secure network infrastructure, network protocols, defense-in-depth, securing Web-enabled database applications throughout the development process, configuration management, system and database administration best practices, process improvement, and risk remediation and countermeasures.
Security Engineer Consultant
Confidential
- Provided network security, firewall deployment, firewall configuration and firewall management consulting services to GSK perimeter network services.
Network Security Engineer Consultant
Confidential
- Co-authored and presented to the Fluor Chief Information Officer, Director of IT Security and staff the Firewall Validation and Security Assessment Report for Fluor Corporation. The report was the product of a services contract with IBM to analyze the current design, deployment and configuration of firewalls utilized within the Fluor worldwide corporate network. The standards against which the deployment and configuration of firewalls in the Fluor network (Cisco PIX and the Firewall Feature Set on Cisco IOS routers) were evaluated were based on Fluor IT Security and IBM Global Services standards, and industry and vendor (Cisco SAFE) security best practices.
- Served as Managing Security Engineer on multiple projects including the U.S. Internal Revenue Service (IRS) Security and Technology Infrastructure Release (STIR), Transportation Security Administration (TSA), McDonald's Integrated Logistics System (ILS) and Store of the Future (SOF), Nationwide Insurance Mercury Project, IBM internal Customer Relationship Management (CRM), and multiple IBM internal and IBM Partner projects incorporating firewalls, load balancing, Virtual Private Network (VPN) and AAA (Authentication, Authorization, and Accounting) technology.
- IRS STIR project management responsibilities included:
  - Participating in technical design and security reviews with the prime contractor, Computer Sciences Corporation, and IRS technical management;
  - Participating in Independent Verification & Validation (IV&V), Security Audits, and Penetration and Vulnerability Detection testing of the production IRS environment performed by Booz Allen Hamilton (BAH);
  - Managing and scheduling technical resources, and providing technical planning, work assignments and technical direction and support to Junior Engineers.
- Traveled to IRS Data Centers at Sterling, Virginia and Chicago, Illinois, and to the IRS Martinsburg Computing Center (MCC), West Virginia, to manage installation of Cisco PIX and Check Point FireWall-1 on Nokia devices.
- Provided continuing technical management, planning, technical documentation, and support to all aspects of network security management activities including upgrades, improvements, and problem resolution.
- Served as lead security engineer for complex VPN and AAA projects incorporating Cisco PIX firewalls, Nortel Contivity, Cisco Access Control Server (ACS) using RADIUS and TACACS technology, and Voice over IP (VoIP) technology (Siemens SoftSwitch and Avaya).
- Authored and distributed within the IBM Security community the Cisco PIX Fundamentals and Standard Build document, which explains the functional and operational design principles of the PIX and how these principles may be applied in a variety of network security designs. The document has been adopted as the standard by many IBM firewall teams and is the Standard Build document for the IBM Global Services, Network Services, South Delivery Center.
- Developed UNIX scripts to monitor the success or failure of routine firewall operations. Served as architect of the follow-on project to develop a comprehensive suite of UNIX scripts providing early warning of potential problems with Nokia/Check Point and AIX/Check Point firewalls (e.g., failover events, disk utilization, CPU utilization, number of connections).
- Provided ongoing technical direction and support to colleagues' projects involving Cisco PIX, VPN, proxy and AAA technologies.
Network Engineering Engagement Manager
Confidential
- Led a team of Network Engineers in on-site customer engagements to analyze and recommend improvements to the Network Engineering process, including policy, staffing, methodologies, and operating procedures. Wrote and presented to Network Management staff a report recommending improvements to Configuration, Change, Version, Asset, Inventory, Vendor, Technical Support and Help Desk Management processes and procedures.
Corporate Network Manager
Confidential
- Responsible for the corporate network, including all WAN links and Internet connectivity.
- Budget responsibility for the corporate network.
- Responsible for corporate network security and remote access security.
- Responsible for the management, monitoring, configuration, maintenance, and problem resolution of corporate firewalls (Check Point Software Technologies FireWall-1, Cisco PIX Firewall), routers, switches, and T1 and Frame Relay hardware and software components.
- Responsible for designing, implementing and managing security policies and procedures for access to corporate data and databases. Designed and implemented secure network access using Virtual Private Networking (VPN) technology between headquarters and international sites for the purpose of transferring financial and accounting data.
- Proactively monitored the vulnerability of the corporate network and internal servers using various security monitoring and scanning tools. Researched current network security incidents and modified the network configuration as necessary to protect against known attack methodologies.
- Responsible for the management of network design and implementation projects. Served as technical manager of complex network design projects requiring the application of technical expertise and resources from a variety of engineering disciplines (Cisco network engineers, ISP network engineers, telecommunications provisioning engineers, network security engineers, UNIX, NT and Web server system administration, etc.). Examples of network projects include:
  - Managed the technical design, development, and implementation of a second Internet connection to the Family Health International (FHI) corporate network. The network topology was designed to prevent isolation of remote sites (fault tolerance) and provide failover capabilities for routing of email, Internet access, and external access to the corporate Web site. The design utilized Cisco PIX firewalls, Cisco 1700 and 2500 series routers, and a router-to-router VPN solution to achieve fault tolerance and failover capabilities.
  - Managed the technical design, development, and implementation of a Virtual Private Network (VPN) solution to allow international sites to securely transfer accounting information to corporate headquarters. The design utilized a Cisco PIX Firewall, Cisco 2500 series routers and the Cisco IOS Firewall feature set at international sites.