PROFESSIONAL EXPERIENCE

Confidential

IT Audit Consultant

Responsibilities:

• Extensive experience with object oriented analysis, design and developing use case narratives.
• Ability to meet deadlines and handle pressure coordinating multiple tasks.
• Solid Analytical skills and the ability to think logically.
• Demonstrate strong interpersonal skills with the ability to work effectively with uppermanagement
• Excellent leadership skills in motivating others and working well as a team.
• Basic SQL skills
• Experience with the System Development Life Cycle
• Knowledge of Compliance Frameworks (FISMA, SOX, PCI - DSS, HIPAA).
• Knowledge of FISMA artifacts (FIPS 199, SORN, E-Autantication, PTA, PIA, Risk Assessment, SSP, CP, CPT, ST&E, SAR, POA&M, ATO-IATO-DATO, NIST 800-53 Rev 4, ISA, MOA, MOU).
• Knowledge of Linux / UNIX system monitoring and performance commands (Linux RedHat, CentOS).
• Penetration testing and Risk Management capability and knowledge.
• Familiar with Assessment tools (Nessus, Nmap, Netcat, MBSA, Cain & Abel, John the Ripper).
• Comfortable with Packet capture tools: Snort, Tcpdump, Wireshark.
• Knowledge of dynamic routing and network protocols (BGP, OSPF, EIGRP, and RIPv2). Access control lists.
• Knowledge of Windows Server environments and Active Directory.
• Knowledge of Cloud Computing and Virtualization.
• Knowledge of Access Control and Autantication techniques.
• Knowledge of Data Protection and Encryption technologies.
• Developed the audit plan and performed the General Computer Controls testing of Information Security, Business Continuity Planning, and Relationship with Outsourced Vendors. Identified gaps, developed remediation plans, and advised IT managers on the OMB/FISMA/FISCAM/IPIA/FFMIA compliance activities and controls.
• Ensuring that management; operational and technical controls for securing either sensitive Security Systems or IT Systems are in place and are followed according to federal guidelines (NIST 800-53). dis included ensuring that Risk Management Framework (RMF) steps were taken to implement information security requirements for IT systems throughout their life cycle, from the requirements definition phase through disposal. Additional responsibilities included assurance of vulnerability mitigation, training on C&A tools, supporting and monitor the security controls assessment team and other IT Security Programs.
• Conducting risk assessments in accordance with NIST Special Publication 800-30 Revision 1, and Incorporates threat and vulnerability analyses, likelihood assessment, Business Impact Assessment (BIA) and considers mitigations provided by security controls planned or in place.
• Prepare and review SSP, Risk Assessment reports, Contingency Management Plan, PII, PTA, PIA, SORN, Access Control policies, SOPs, to identify gaps between documentation and IT Security policy and governance e.g. NIST and other industry standards.
• Conducting security controls assessments by utilizing NIST Special Publication 800-53a to assess control derived from 800-53 Rev4 and performing stakeholder interviews, examination of documentation, and technical testing of the required security control.
• Prepare and update the Plan Of Action and Milestone (POA&M), and writes Security Assessment Reports (SAR).
• Health Insurance Portability and Accountability Act (HIPAA) training and certification, June 2014.
• Conducted kick off meetings using the approved IT security framework, FIPS 199/NIST 800-60 to categorize information and information system.
• Conducted IT Controls risk assessment to identify system threats, vulnerabilities and risk, and generate reports
• Developed and Conducted Security Test and Evaluation (ST&E) according to NIST SP 800-53A.
• Developed a security baseline controls and test plan that was used to assess implemented security controls
• Developed System Security Plan (SSP) to provide an overview of the system security requirements and describe the controls in place
• Developed Security Assessment Report (SAR) detailing the results of the assessment along with Plan of Action & Milestones (POAM)
• Created standard templates for required security assessment and authorization documents; Risk Assessment (RA), System Security Plan (SSP), Contingency Plan (CP) and Security Plan (SP)
• Involve in third party contract evaluation, Review information security accreditation request
• Conducted periodic IT Risk Assessment and Reviewed IA controls for any deficiencies and reported to the ISSO for appropriate mitigation actions.
• Assisted in the development of an information security continuous monitoring strategy.
• Performed assessment base on HIPAA Frameworks
• Conducted Business Impact Analysis (BIA) to identify mission critical functions and high risk areas where audit efforts would be focused.
• Developed the audit plan and performed the General Computer Controls testing of Information Security, Business Continuity Planning, and Relationship with Outsourced Vendors. Identified gaps, developed remediation plans, and advised IT director on the FISCAM/FISMA/SOX compliance activities and controls.
• Evaluated IT and business processes for effectiveness and efficiency, through obtaining an understanding of and documenting key business processes and internal controls.
• Review SSP, Risk Assessment reports, Contingency Plan, PII, PTA, PIA, SORN, Access Control policies, SOPs, Configuration Management Plan to identify gaps between documentation and IT Security policy and governance e.g. NIST and other industry standards.
• Liaised between in-house managers/IT department and External Financial and OperationalAuditors
• Prepare audit scopes, audit report findings and present recommendations for remediating audit findings and system weaknesses.
• Actively participated in decision making with engagement management and sought to understand the broader impact of current decisions.
• SOX 404 Compliance testing Analyst.
• Perform IT risk assessment and document the system security keys controls.
• Meet with IT team to gather evidence, develop test plans, testing procedures and document test results and exceptions
• Design and Conduct walkthroughs, formulate test plans, test results and develop remediation plans for each area of the testing.
• Develop a Business Continuity Plan and relationship with outsourced vendors.
• Collaborated with director of contracts to provide support and implement new initiatives
• Processing invoices, and wire payments for submissions to accounting
• Data Entry to include maintaining control log and updating spreadsheets
• Conducted document review; reports and correspondence; coordinated signature requests for senior managers and administrators