SUMMARY OF QUALIFICATIONS
- IA/Cyber Security professional with over 16 years of experience in all aspects of IT, including Application Security, Information Assurance, Information System Security, Source Code Analysis, Software Development, System Administration, Databases, Servers and SharePoint.
- Primary clients include both Federal government and corporate clients, including DOD, WHS, DISA, the Pentagon, US Secret Service, DHS, NASA, DOS, DOJ, DHHS, HUD, FDA, NIH, EPA and other private-sector organizations.
- Information Assurance (IA) DoD expertise, with emphasis on Federal Information Security Management Act (FISMA) processes, including but not limited to: DoDI 8510.1 DoD Information Assurance Certification and Accreditation Process (DIACAP), DoDD 8100.1 Global Information Grid (GIG) Overarching Policy, DoDD 8500.1E Information Assurance, DoDI 8500.2 Information Assurance Implementation and the NIST 800 Series.
- Proficient in STIGs and their tools: GPO (gpedit.msc, dsa.msc, dssite.msc and gpmc.msc), registry (regedit), Security Templates snap-in, Security Configuration and Analysis snap-in and Gold Disk.
- Key Words: Information Assurance (IA), Certification and Accreditation Process, DIACAP, VMS, eMASS, baseline management, patch management, STIGs, Information Systems Security, Application Security, Source Code Analysis, Cyber Security, SharePoint, Active DHS TS/SCI, Active DoD Top Secret Clearance.
- OS and Admin Tools: Windows Server 2000/2003/2008/R2, Windows Server 2008 Core, Windows XP, Windows 7, Windows Server 2003 Administration Tools Pack (adminpak), Remote Server Administration Tools (RSAT, the AdminPak for Windows Server 2008), Microsoft Remote Desktop Connection Manager 2.2, SCVMM 2008 (System Center Virtual Machine Manager), Hyper-V Manager, Visual Core Configurator 2008, Core Configurator 2.0, Linux RHEL/CentOS/Ubuntu VM development infrastructure setup including caching-only DNS, Apache, Mail, PHP and MySQL.
- Security-Centric Products: VMS (Vulnerability Management System), eMASS (Enterprise Mission Assurance Support Services), Retina, Host-Based Security System (HBSS), Defense Information Systems Agency (DISA) Field Security Operations (FSO) Gold Disk and Security Readiness Review (SRR) scripts, Bit9 Parity Server, Invincea, Triumfant Server, Symantec Altiris Server, McAfee ePO server, WSUS, BCWipe, WinDump, Wireshark.
- Servers and Applications: Microsoft Office SharePoint Server (MOSS) 2007-2010, Internet Information Server (IIS), SCCM 2007, DHCP Server, DNS Server, SMTP, Active Directory, VMware vSphere, Windows Server 2008/R2 Hyper-V, Virtual PC 2007, Virtual Server 2005, Oracle VirtualBox, Commerce Server, Media Server, WebTrends Enterprise Server, Project, Visio, PowerPoint, Excel.
- RDBMS: SQL Server 2000/2005/2008, Oracle, Access, MySQL, Toad, Oracle SQL Developer, ADO.NET
- Application Development: SharePoint Designer, InfoPath, Visual Studio .NET 2002-2010, SharePoint Object Model, SharePoint Workflow, Visual SourceSafe, FrontPage, PHP, Subversion, Chart FX, Fireworks, e-commerce development with VeriSign PayFlow Pro and YourPay API, Crystal Reports, SQL Server Reporting Services, ActivePDF, DynamicPDF, Software Development Life Cycle.
- Maintained and ensured the security posture and IA compliance of systems with the DIACAP, DoD and DISA standards, including but not limited to: ensuring that all systems comply with DIACAP using DISA Gold Disks, Retina scans and NSA Security Technical Implementation Guides (STIGs); managing VMS for reviewing, responding to, tracking and reporting open IAVAs and POA&M development; providing weekly IAVA status reports to the IAM; reviewing monthly Retina scans to confirm compliance, mitigate risks and report to the IAM; and creating and maintaining system baselines to meet IA compliance under DIACAP.
- Performed lab assessment of Non-Signature Based Defense security products (Bit9 Parity Server, Invincea and Triumfant Server) for DISA's Host Based Security Cyber Pilot Project in the MITRE Lab, including but not limited to functional security testing and evaluation of how well they detect malware on hosts in three focus areas: Protected Hosts, Incident Detection and Response, and Situational Awareness.
- Supported Certification and Accreditation (C&A) for the UDOP systems on both NIPRNet and SIPRNet for DISA and obtained, and continue to maintain, Authorities to Operate (ATO) throughout the DIACAP life cycle. This includes, but is not limited to: gathering and organizing technical information about the program's mission goals and needs; analyzing security requirements; evaluating the adequacy of implemented security controls and the level of residual risk; mitigating findings and developing a POA&M; and contributing documents such as the System Information Profile (SIP), Implementation Plans, System Security Plans (SSP), System Test and Evaluation Plans (ST&E), Information System Security Policy, DIACAP Whitepaper and Scorecard.
- Performed the Information Assurance Officer's role, including but not limited to: developing, updating and implementing security plans, security policies and procedures, Disaster Recovery/COOP, architecture documentation, security handbook, SOPs and other related documents; ensuring approved procedures are in place for handling classified material, media tracking, scanning, and releasing HDDs, memory, media and output; monitoring and following up to ensure personnel receive initial and follow-on IA awareness training; and running security checks and inspections to ensure the safety of the work area and of classified/unclassified material in use.
- Supported Windows systems administrative functions including Active Directory management, backup, installation and configuration, server monitoring, disk mirroring, network management, account management, log analysis/review, implementation of security/STIG parameters, and installation of patches (e.g. IAVAs, hotfixes, etc.). Managed a total of 32 Windows systems in UNCLASSIFIED and CLASSIFIED environments. Other experience includes, but is not limited to: developing security test plans and procedures, and performing operational testing to certify that interfaces and interdependencies function properly for COTS products.
- Integrated security requirements into the Investment Governance SharePoint Portal for the USSS. These efforts include, but are not limited to: role-based access control (task assignment and approval by five levels of approvers on SharePoint workflow routing automation), property-based access control (task assignment and approval by project type and funding amount on SharePoint workflow routing automation), business process design, data and input validation, SQL injection flaws, InfoPath form field auto-population from Active Directory and SQL Server, email notification and communication, exception handling and logging, secure code analysis (Visual Studio 2008, ASP.NET 3.5, C#, SharePoint workflow and InfoPath code-behind), workflow application security checks and documentation.
- Architected SharePoint solutions for team project collaboration, project communication portals, and business process portals for DISA Network Services, including but not limited to migration of the existing DISA WorkSpace collaboration site to DEPS SharePoint 2010 and SharePoint portal administration covering the SharePoint farm, site collections, custom lists, content types, workflow, security, data integration, content/document management processes and deployment configuration documentation for future support purposes.
- Implemented the whole life cycle of SharePoint development, including but not limited to SharePoint server baseline setup in a VM environment as a domain member server, testing, troubleshooting, log analysis, and SharePoint workflow deployment in the USSS network. Other SharePoint experience includes SharePoint server configuration with a domain controller, Active Directory, LDAP, Web Services, InfoPath, SQL Server, IIS and a mail server, and configuring SharePoint Central Administration.
Senior Consultant Information Assurance/SA/.NET Security
- Supported C&A activities for FOIAXpress (SIPRNet systems) for the Department of Defense through DIACAP (DoD Information Assurance Certification and Accreditation Process), including but not limited to: ensuring IA controls were implemented, findings were mitigated or a plan of action and milestones was developed, updating scorecards, and evaluating residual risk assessments.
- Maintained and ensured the security posture and IA compliance of the ESDD systems on both NIPRNet and SIPRNet in compliance with DIACAP and DoD standards, including but not limited to: routine Retina scan analysis; audits utilizing tools such as Gold Disk, STIGs and Security Readiness Review (SRR) scripts; Retina scan engine and audit software updates; fail-over and COOP; reviewing and mitigating IAVAs prior to their suspense dates; development and execution of POA&Ms; and reporting compliance.
- Performed sys admin functions including SharePoint portal management, Active Directory management, group policy creation and implementation, account management and user access control, routine preventive maintenance, troubleshooting problems on various applications and operating systems, installation and configuration, server monitoring, log review, fail-over, implementation of security/STIG parameters, and installation of patches (e.g. IAVAs, hotfixes, etc.).
- Identified security requirements and incorporated security into the application development process for the DoD Directives Portal System for WHS/Pentagon, a collaboration tool to speed the coordination of DoD issuances, to ensure compliance with DoD 8500.2 standards utilizing the DISA Application Security Checklist. These efforts include, but are not limited to: role-based access control by page and functionality, multi-tier architecture with custom DLLs, session management, data input validation, data encryption, parameter control, error handling and logging, web application configuration and file upload folder management in Visual Studio 2005, C#, ASP.NET and stored procedures on SQL Server 2005.
- Performed code reviews to ensure all security requirements were addressed throughout the software development life cycle, including authentication, authorization and access control, session management, data and input validation, malicious file execution, insecure cryptography, cross-site scripting, SQL injection flaws, buffer overflows, error handling and event logging, and web application configuration.
.NET Consultant Application Security/.NET Development
- Integrated security into the application development life cycle for DARMIS (Defense Acquisition Regulations Management Information System) for the Department of Defense to ensure compliance with DoD 8500.2 standards utilizing the DISA Application Security Checklist. These efforts include, but are not limited to: multi-tier architecture, authentication, role-based access control on page navigation and functions, error handling, data and input validation, log tracking, stored procedure parameters, session management and web application configuration in Visual Studio 2005, ASP.NET 2.0, C#, Crystal Reports, PL/SQL and stored procedures on an Oracle 10g backend.
- Performed code reviews to ensure documented security specifications were implemented as new functionality was added and to determine the vulnerability of applications. Assisted developers in fixing the vulnerabilities found by DISA's vulnerability scans before code reached production.
Senior Systems Analyst
- Other experience includes CMMI Level III, security requirements collection and analysis, application design documentation, and version control of source code, SQL scripts and other project documents in Microsoft Visual SourceSafe.
- Performed code reviews to find security vulnerabilities: performing control/data flow analysis by stepping through logical conditions in the code, examining functions to determine branch conditions including loops, switch statements, if statements and more, identifying which block will execute, tracing data from the points of input to the points of output, and matching the code against the type of interfaces used.
- Worked with the project team to ensure that security was architected into the application during the software development life cycle for NASA's eBudget Suite, a budgeting and reporting tool for Congress and the White House. These efforts include, but are not limited to: role-based access control development, encrypted logon process across the modules, custom security development for SQL Reporting Services, structure rollover, budget rollover, data rollover, budget calculation panel and PDF reports in Visual Studio 2003, ASP.NET, VB.NET, C#, SQL Reporting Services, PL/SQL and stored procedures on an Oracle 10g backend.
- Re-engineered the PLATS Windows application (VB 6.0 on Oracle) into the ePermits web application (ASP.NET on SQL Server 2000), working with the development team to ensure that security was incorporated into the software development life cycle. These efforts include, but are not limited to: role-based access control, user management, multi-layered architecture (presentation, business, data and security layers), session management, parameter manipulation, sensitive data encryption, data input validation, error handling, auditing and logging in Visual Studio 2003, ASP.NET, VB.NET, Microsoft Patterns & Practices Enterprise Library, Windows Services, Microsoft Text-To-Speech Engine, Crystal Reports, installation package, stored procedures and triggers on SQL Server 2000.
- Manually reviewed code to find security vulnerabilities based on the Patterns & Practices Security Checklist. This covers aspects of the architecture and design stages of the development life cycle, including: input validation, authentication, authorization, configuration management, sensitive data, session management, cryptography, parameter manipulation, exception management, and auditing and logging.
- Developed a web-based Grant Application Data Repository and Retrieval System using Visual Studio 2003, ASP.NET, C#, multi-tier architecture and stored procedures on SQL Server. Features include file search, role-based user access control, file and folder management (including file move, copy, delete, rename, backup and upload/download capabilities) and reports.
- Developed the Call Center Management Console, a web-based call management solution using Visual Studio 2003, ASP.NET, VB.NET, multi-tier architecture and stored procedures on SQL Server, which included access restrictions at various levels, multiple access rights, caller information, caller search, call history, user management, admin tools, shipping processing/tracking and PDF reports.
- Developed a web-based Paid Time Off System using Visual Studio .NET, ASP.NET, VB.NET and stored procedures on SQL Server 2000. Advanced features include an Inbox/Outbox system, sophisticated monitoring and forecasting tools, email notifications, PTO request status tracking, PTO history, calendar view report, administrator tools and a .NET mobile site for the employee phone book, HR alert notices and holiday calendar. Integrated this system into the company's existing Deltek database system to display real-time employee information.
- Developed a web-based Conference Registration and Management System using Visual Studio .NET, ASP.NET, VB.NET, VeriSign PayFlow and YourPay API, SSL and stored procedures on SQL Server 2000. Features include multi-tier architecture, e-payment capability, email receipts, PDF name tag generator, payment and registration status tracking, member management, admin site and reports. Integrated this system into the company's existing ISIS database using views, stored procedures and triggers.
- Designed and developed a web-based Grant Application Management and Evaluation System for the Department of Housing and Urban Development using Visual InterDev, ASP 3.0 and stored procedures on a SQL Server backend. This remote review system features a panel structure consisting of three reviewers and one chairperson, sessions, layered criteria, scoring, budget evaluation, applications, comments, monitoring tools and PDF reports.
- Designed and developed a web-based media library for the Department of Health and Human Services using Visual InterDev, ASP 3.0 and SQL Server 2000, including tables, views, stored procedures and triggers. Features include media search, media download/upload, media streaming library, document and picture library, user management, admin site and reports.
- Planned, designed, and implemented the overall strategic goals of a company's Internet/Web system. Served as project lead for the Windows 2000 and IIS 5.0 migration, including design, documentation and implementation of the web servers; responsible for IIS security based on industry-standard best practices and for administering e-commerce sites, providing user access, data backup, and audit trail review to assure that unauthorized access did not occur.
- Maintained security and the overall data integrity within the company's computer systems. This included, but was not limited to: creating and managing user accounts and assigning user rights and permissions to ensure compliance with the company's network security policies and procedures; performing, securing and verifying routine backups for all LANs and identified clients; restoring data from backups when required; media maintenance and management; network monitoring; routine security log analysis for unauthorized access, use, and modification; documenting the configuration of the system; developing network policies and SOPs; and physical security of the server room.
- Performed daily system admin roles including but not limited to: Active Directory management, group policy creation and implementation, account creation and management, assisting users with password resets, routine preventive maintenance such as server monitoring and OS updates, troubleshooting problems on various applications and operating systems, and administering and implementing Microsoft and third-party server services including IIS server, Chart FX IE server, Index Server, Certificate Server, SSL with VeriSign, and Media Streaming server.
- Other contributions included, but were not limited to: decreased user hold time by 30% by evaluating, selecting, and implementing a web-based help desk system on ASP and SQL Server; automated web statistics strategies to replace an outdated system and reduced report and maintenance time by 70% using WebTrends Enterprise Suite 3.0.