
Security Consultant Resume


SUMMARY

  • Over ten years of experience in information assurance, computer network design, systems integration and network security.
  • Expertise in security architecture and integration, Assessment & Authorization (A&A, formerly C&A), risk and vulnerability assessment, and security policy development and review.

PROFESSIONAL EXPERIENCE

Security Consultant

Confidential

Responsibilities:

  • Designated as Information System Security Officer (ISSO); duties include developing and maintaining Information Systems Security (ISS) documentation (e.g. SSP, CMP, SCTM, RAR, POA&M, CP, CPT, etc.) to support the Assessment & Authorization (A&A) of assigned systems; performing ISS controls assessments as part of the systems' Continuous Monitoring Plan; overseeing configuration management of assigned systems; ensuring assigned systems remain accredited with no lapses in approvals to operate; training users on acceptable security practices before access to systems is granted; performing periodic hardware/software inventory assessments; identifying system security control shortcomings and developing POA&Ms, playing a leading role in remediating control deficiencies; and conducting, documenting and reporting annual ISS Self Assessments to TISCOM.
  • Supported the DISA Command Cyber Readiness Inspection (CCRI) by conducting manual STIG reviews for the TISCOM assessment.
  • Member of the team that conducts scans of all highly vulnerable SBU-LAN assets for vulnerability metrics; also submitted tickets for C-LAN and SBU-LAN asset remediation.

Security Consultant

Confidential

Responsibilities:

  • Developed and implemented the security framework for four major systems of the Ginnie Mae Modernization Architecture project (GNMA): GMEP 2 (portals and database servers), IPMS (mainframe applications), GinnieNet, and UFS, utilizing the NIST 800-37 Risk Management Framework (RMF).
  • Served as team lead for developing the matrix for evaluating FISCAM controls and for conducting assessments of internal controls for compliance with OMB A-123, FISMA and FISCAM requirements.
  • Updated the GNMA system descriptions, system boundary, and network diagrams as part of the System Security Plan (SSP), as well as the Security Assessment Report (SAR) and Information System Contingency Plan (ISCP) from NIST SP 800-53 rev3 to rev4. GNMA systems software included Informatica (for data integration) and Oracle Access Management (for Single Sign-On (SSO)).
  • Served as security team lead involved in system and solution architecture and migration of GNMA IPMS (Integrated Pool Management System) with Oracle, WebLogic, Informatica, Business Objects, Linux technologies and Java.
  • Supported the GNMA multi-tier IPMS data flow using SOAP, XML and web services.
  • Reviewed SARs to identify high-risk vulnerabilities and provided remediation recommendations (POA&Ms) to System Owners per NIST 800-53 rev 4.
  • Provided Security Impact Analysis (SIA) for Ginnie Mae’s web and database applications.
  • Represented the security team for the Configuration Control Board (CCB) and served as the Subject Matter Expert on government regulations and standards such as National Institute of Standards and Technology (NIST), FISCAM, FedRAMP, HUD Handbook, and the National Housing Act for senior management and regulatory officials.

Security Consultant

Confidential

Responsibilities:

  • Conducted security scans on the GSS, the Accident Investigation System (AIS), and the Accident Data Management System (EADMS) to identify vulnerabilities and threats to the systems, using Nessus for OS vulnerabilities, Burp Suite Pro for web application vulnerabilities, and AppDetective Pro for database vulnerabilities.
  • Evaluated existing security controls to ensure correct implementation and functionality.
  • Reviewed results from previous annual audits, assessments, and tests.

Security Consultant

Confidential

Responsibilities:

  • Developed and maintained EOP Information Systems Security (ISS) documentation (including SSP, ISCP, PIA, SIA, RAR, POA&M) to support the Assessment & Authorization (A&A) of EOP systems; performed ISS controls assessments as part of the systems' Continuous Monitoring Plan; oversaw configuration management of EOP systems; ensured EOP systems remained accredited with no lapses in approvals to operate; trained users on acceptable security practices before access to systems was granted; performed periodic hardware/software assessments; identified system security control shortcomings and developed POA&Ms, playing a leading role in remediating control deficiencies; and conducted, documented and reported annual ISS Self Assessments to EOP CIO leadership.
  • Utilized C&A (Certification & Accreditation) Xacta tool to provide NIST compliance artifacts for ATO. Documents include System Security Plans (SSP), Risk Assessments, Security Operating Procedures or Guides, Security Test and Evaluations (ST&E), ST&E Test Plan Results Reports, Contingency Plans (CP), Interconnection Security Agreements (ISA), Rules of Behavior and other security related materials.
  • Prepared and submitted certification packages for review by the EOP Certification Official, expedited submission of the completed Certification Package to the appropriate Designated Accrediting Authority (DAA) for an accreditation decision, and, where necessary, briefed the DAA on the certification results.
  • Delivered 30 IT systems for Certification and Accreditation including the General Support System (GSS) and whitehouse.gov with FedRAMP compliance.
  • Participated in the Change Management and Configuration Management processes to ensure designated systems comply with information assurance requirements.
  • Worked with EOP SOC staff to perform vulnerability scans as part of the risk assessment and ST&E processes. Assisted system owners with implementing corrective remediation where vulnerabilities were identified.
  • Reviewed vulnerability scans of EOP systems to monitor for and track vulnerabilities in workstations, servers and network infrastructure.
  • Tasked with performing security assessments of hardware and software before a device or application was deployed on the EOP production network.

C&A Consultant

Confidential

Responsibilities:

  • Supported the Federal Highway Administration (FHWA) of the Confidential (DOT) in the Certification and Accreditation process.
  • Completed and maintained system certification and accreditation (C&A) documentation, including creating security plans, risk assessments, and security test and evaluations.
  • Assessed the Information Assurance (IA) risk of the agency’s IT systems and ensured agency IT documents are compliant with DOT security policies and procedures.

Senior Engineer

Confidential

Responsibilities:

  • Worked with the DHS S&T (Science and Technology) systems engineering team to deploy LabNet, providing installation, configuration, testing and maintenance. LabNet consisted of Cisco 7200 series routers; Cisco Catalyst 6500, 4500, 3700 and 2900 series switches; and Cisco ASA 5500 series firewalls/IPS.
  • Reviewed C&A artifacts for LabNet and updated the system description in the SSP.

Security Engineer

Confidential

Responsibilities:

  • Worked with a team of Confidential engineers to produce C&A documentation, including System Security Plans, Risk Assessments, and POA&Ms.
  • Member of Confidential's Security Incident Response Team (CSIRT), providing configuration management to track all changes made to the Intrusion Detection System (Snort) and firewalls.
  • Developed and maintained Certification and Accreditation (C&A) documentation for nine Confidential HQ IT systems in accord with FISMA. Documents included Risk Assessment, IT Security Plans and other supporting documentation as required by NIST SP 800-37, 53 and 60.
  • Developed the HQ Network Service Security Test & Evaluation (ST&E) plan, which assesses the security control implementations against the NIST SP 800-53 controls identified and documented in the System Security Plan (SSP). Key deliverables from the ST&E included the ST&E Plan, the ST&E Plan with results, and the ST&E findings matrix.
