
Penetration Testing Resume Profile

SKILLS

Technology

Relevant Tools/ Applications

Risk/ Threat/ Vulnerability Management Security Tools

Core Impact, Tripwire, Sourcefire 3D IDS/IPS, Snort, Nessus, Wireshark, Nmap, GFI LANguard, Cisco Secure MARS, ASA firewall, ACS, VPN, IPS/IDS, VMware, Altiris, BP-RAT, RSA Archer, and too many open-source tools to name.

Operating Systems/ Applications

Cisco IOS, various Unix and Red Hat Linux, Microsoft Office, MySQL, MS SQL 6.5, Windows 3.1 to Vista, Windows NT to 8 Server, Norton Ghost, Camtasia.

Industry Specific

Internal or external IT audit portals, risk assessment tracking, business process reengineering, Enterprise Resource Management (PeopleSoft, Banner), Engagement Risk Management (BP-RAT, RSA Archer, e-Advisor, Auditor Assistant).

Networking Hardware

Cisco PIX firewalls, Cisco switches (1900 to 6500 series with MSFC/RSMs), Cisco routers up to the 75xx series, WAN trunks, CSU/DSUs, Cabletron routers.

Regulatory Compliance

FISMA, FFIEC, HIPAA, GLBA, FERPA, SOX, TAC 20x, PCI DSS, SB 1386, CFAA, ECPA

Standards and Frameworks

CoBIT, ITIL, ISO 27000, OWASP Top 10, SANS Top 20, FIPS 200 and NIST 800 series.

Industry Experience

Oil & Gas, Finance, Higher Education, Federal Government, State Government, Clinical Health Care, Big 4/5 Accounting, Fortune Top 10 to Mom & Pop.

SUMMARY

Assessment/ Audit/ Ethical Hacking/ Penetration Testing

  • Held the strategic title of Information Security Subject Matter Expert (SME) over the past 15 years. Have led Red Team/Tiger Team engagements chartered to ethically hack and penetrate the information protection defenses (white-hat hacking) of various organizations in the SME role. Tasks included penetration and vulnerability testing guided by the OWASP Top 10 for web-based applications, the SANS 20 Critical Controls, and CoBIT and NIST security control objectives for risk and threat assessment/modeling and incident response. All testing and assessments were performed on servers, thick/thin clients and retail POS systems. Ultimately all tests led to a final assessment of information protection in all forms (hard-copy print, digitally transferred, processed and stored). Assessments allowed for strategic planning, regulatory compliance and systems certification. Utilizing assessment results, delivered world-class IT, risk, governance and security expert advice. Assessments were performed for federally and state regulated industries including, but not limited to, banks regulated by FFIEC and GLBA, healthcare organizations obligated to HIPAA, and state institutions following TAC 202.
  • Developed proprietary manual and automated testing and assessment techniques and methodologies based on industry standards, frameworks and best practices over decades in the field.
  • Using a specialized toolkit of commercial and open-source utilities, able to conduct social engineering and intelligence discovery, analysis, reporting and post-assessment sanitation. At times limited resources mandated scaled-down analysis, such as simple security investigations and root-cause analysis stemming from misconfiguration, infrastructure design reviews and compliance issues, with a requirement to defend all findings.
  • Provide subject matter expertise in testing routers, switches, firewalls, Windows and Linux servers, workstations, web applications and database systems in LAN, Internet, intranet, wireless and virtual environments.

Strategic Documentation and Deliverables

  • Extensive oral and written communication skills for technical to executive reports and presentations, from zero-day exploit findings to compliance memos. Developed organizations' strategic document libraries covering all the bread and butter: Policy, Standards, Guidelines and Procedures. Interact with and brief the client as required throughout the engagement, and with extra urgency when material risks are discovered that need immediate attention.
  • Technical writing experience developing Assessment Rules of Engagement (RoE), Scopes of Work, Test Plans, Standard Operating Procedures (SOP), Risk Mitigation Action Plans, among others. Extensive research ability used to provide recommendations and knowledge transfer to the client for hardening defenses and continuous improvement.
  • Directed technical support staff to identify, recommend and implement risk mitigation strategies and safeguards. Coordinated efforts to assure compliance with assessment findings, including root-cause analysis strategy sessions. Led Computer Security Incident Response Teams to prevent additional loss and to obtain and preserve forensic evidence. Developed Information Protection Awareness Programs with training curriculum and systematic distribution of security notices and alerts.
  • Over twenty years of increasingly responsible military and civilian Information Security experience solving business and technical problems through the application of advanced technology in networking, security, systems and resource management. Designed and implemented Comprehensive Information Security Programs from the ground up based on the industry standards and frameworks of CoBIT, FIPS 200, ITIL and NIST 800. Experience leading organizations to Information Safeguard Regulatory Compliance using industry standards and frameworks. Compliance leadership included hands-on implementation of policies, strategic plans, procedures, risk, threat and vulnerability assessments and penetration tests, through to expert recommendations for mitigation plans. Recognized for using strong analytical and problem-solving skills for superior and effective communication at multiple levels of the organizational hierarchy. Throughout career have had an abundance of technical and business exposure on projects for Fortune 100 corporations to Federal Agencies. Drafted several GISRA reports for Federal Agencies, including security assessments according to FISMA requirements. Throughout career, as a direct hire and as a self-employed statutory employee, have had an abundance of professional exposure on projects for Fortune 100 companies to small information service providers such as:
  • Total Network Solutions (TNS), ThruPoint Inc., G. E. Consultants, ARC Inc., Houston Chronicle, Enron Broadband Systems, Accenture Consulting, Computer Sciences Corporation (CSC), Raytheon, Lehman Brothers, Sprint, TSU, TriLink Services, Hearst Publishing, Synthesis Technologies, Court Services and Offender Supervision Agency (CSOSA), Department of Justice, Estee Lauder, University of Houston, SHAPE Community Center, Boys and Girls Club of America, Triad Resources, Gartner Research, SunGard, Tidewater Offshore Service, BP Energy, MasTech, KPMG, Cisco, EMC2, VMware, VCE, Northern Trust, JIT, CurveIT and more.

EXPERIENCE

Confidential

Led the charge to plan and execute the day-to-day activities of IT audit engagements for clients, including system development, SSAE 16 readiness assessments and platform reviews within Oil & Gas support industries. Evaluated the design and effectiveness of technology controls and related risk throughout the business cycle. Identified and communicated findings to senior management and clients utilizing publication-quality writing. Helped identify performance improvement opportunities for the organization by documenting newly developed processes and procedures that increased efficiency and reporting capability and enhanced the risk culture.

Confidential

  • Functioned as Information Risk Management SME for a corporation in the highly regulated energy industry. Developed and recommended risk management initiatives, from standards for a central risk registry to risk review and validation, that regularly influenced the wider risk agenda. Regularly utilized strong leadership skills and in-depth knowledge of infrastructure and digital security to interface and network with various international risk leaders.
  • In the role of Risk Subject Matter Expert, developed, trained and advised risk leaders in their development of internal risk management reports for senior management (e.g., Quarterly Performance Reviews, Main Board Audit Committee, Risk Management Report, Dashboards and Scorecards with heat maps, etc.). Engaged and advised various levels of management on how to understand and address complex IT and business risk issues. Developed strategies and guidelines for risk management and process oversight. Supported Risk Champions, facilitating information and strategy forums and risk culture change programs.

Confidential

Tasked with developing, from the ground up, an institution-wide Comprehensive Information Assurance Security program to support laws and local regulations. Reviewed documentation, business practices and technical operations to render the status of the institution's Information Security posture. Designed and developed an Information Security strategic plan to bring the organization into compliance with Federal and State laws and regulations with regard to securing information resources. Implemented Information Security measures in strategic phases based on industry best practices and methodologies guided by NIST, DoD, SANS, ISC2 and other standards organizations. Developed the institutional Computer Security Incident Response Team (CSIRT). Functional tasks included IT audits, training, policy development and compliance, testing and evaluations, continuity of operations, risk management analysis, intrusion prevention/detection/containment/recovery/testing and many other security functions.

Confidential

Managed information resources and technology for major projects. Proactively researched emerging technologies to anticipate misconfigured designs and malicious threats. Designed network and computer security test labs and prototypes for special projects. Other day-to-day tasks included incident response, Information Security design, implementation, maintenance and disaster recovery. Developed and implemented budgets, schedules, system automation, security plans and risk analyses. Created policies, procedures, workflows and performance appraisals with full transfer of knowledge. Authored corporate security manuals, policies and many IT and Information Security courses. Led the company's Computer Security Incident Response Team (CSIRT). Directed the implementation of technical countermeasures against existing and emerging threats to mission-critical networks and systems of Federal Agencies.

Confidential

INFORMATION SECURITY ARCHITECT/ MANAGING CONSULTANT, MID-ATLANTIC

Managed corporate consulting resources and client engagements. Worked with account executives to manage and win sales opportunities. Worked closely with executive officers on revenue forecasting, consultant billable burn-rate reporting, engagement management and corporate technical strategy for corporate and Federal clients. Performed assessments covering security risk, vulnerabilities, threats and networks. Mentored and trained junior and senior level consultants to attain various IT certifications (CCIE, CISSP, CISA, CCSA, CCSE, etc.).

Confidential

As a professional services team member, consulted as a security solutions engineer, with pre- and post-sales support to manage the implementation, design and development of cutting-edge security solutions across international borders. Held various positions, from directing teams to implementing physical security, Internet security, penetration testing, risk assessment, re-engineering of secure network designs and computer security incident response. Duties involved many facets of secure LAN/WAN administration, planning and troubleshooting, to name a few.

Confidential

COMMUNICATIONS SECURITY (COMSEC) SPECIALIST

Managed a team that regularly assisted Special Forces officers with risk assessments and evaluations of transmitted information and systems. Developed, interpreted and implemented secure communications and cryptographic keys, along with handling policies for ground and wireless communication environments. Responsibilities included maintenance of secure communications to ensure compliance with US Army, DoD and NSA cryptographic security directives. Developed Standard Operating Procedure (SOP) documentation for Tactical Squadron operations and secure handling of DoD encryption keys.
