
Cyber Security Policy Specialist Resume


SUMMARY:

  • I am an experienced IT Risk Assurance professional skilled in performing IT risk assessments (systems security controls) and able to implement new security solutions. Conduct vulnerability assessments and compliance activities to ensure that systems obtain and maintain their ATO's while interfacing with stakeholders in an interdisciplinary environment.
  • Proficient in assessing client security systems using NIST Publications 800-53A, 800-53, 800-37, FIPS 199, FIPS 200, OMB A-130, and all related appendices.
  • Proficient in POA&M management used for vulnerability tracking and remediation.
  • Experience performing information security assessments in support of compliance efforts for FISMA, HIPAA, PCI-DSS, SOX, GLBA, and critical security controls.
  • In-depth knowledge of System Security Plan (SSP) guidelines, Security Assessment Plan (SAP), Security Assessment Report (SAR), Contingency planning (CP), Plan of Action & Milestone (POA&M).
  • Experience managing Deviation Request/False Positive Request POA&Ms, Waiver/ Acceptance of Risk (AoR) Request, CP, CPT, User Re-, Incident Response Plan (IRP), Incident Response Plan test, Pen Test requirements, Privacy Threshold Analysis (PTA), Privacy Impact Assessment (PIA), SORN and Configuration Management Plan requirements.
  • Experienced performing security hardening, vulnerability scanning, security event monitoring.
  • Extensive knowledge on a wide range of TCP/IP, UDP, IPSEC, HTTP, HTTPS, based systems, network topologies, ports, routing protocols, and services.
  • Utilized CSAM and RSA Archer GRC tools in performing operational risk management of new or existing assigned entities/vendors to identify the risk-based level and security posture for each entity, and monitored performance on several risk management activities including risk and control registers, workflow review, and approvals.
  • Strong problem solving and analytical skills needed for effective product delivery.
  • Ability to adapt and deliver in a fast-paced and time-sensitive environment. Strong critical thinking skills with the ability to analyse, synthesize, and interpret data.
  • Team-oriented and collaborative in approach to work.
  • Experienced understanding and implementing Trusted Internet Connection-TIC 3.0.
  • Advised stakeholders concerning the security categorization and impact levels for confidentiality, integrity, and availability for systems (FIPS-199/NIST SP 800-60).
  • Evaluated security threats and vulnerabilities to information systems to ascertain the need for selecting additional safeguards (FIPS-200/NIST SP 800-53).
  • Supported security engineering control implementations (NIST SP 800-70).
  • Conducted comprehensive assessments of security controls employed within or inherited by an IS to determine their overall effectiveness, and submitted the assessment and body of evidence for review and authorization decision (NIST SP 800-53A).
  • Upon determination of a major change and subsequently significant security impact, assessed security controls impacted by proposed changes to information systems and capabilities in their environment of operation, and mission needs that could affect a system's authorization.
  • Onboarded and off-boarded Cloud systems and applications.

WORK EXPERIENCE:

Cyber Security Policy Specialist

Confidential, Falls Church, VA

Responsibilities:

  • Works as part of an expert team of more than a dozen security engineering and program management experts to re-architect and re-engineer the security components of the agency's IT infrastructure and operations
  • Provides communications and information sharing to ensure that staff know and understand information security responsibilities
  • Assesses impact to policies and practices of new and emerging directives and technologies as well as established regulations
  • Provides coordination and collaboration with the Privacy Office, the Enterprise Architecture Team, and the Enterprise Software Development Life Cycle (SDLC) Team in the integration of information security with Privacy, Enterprise Architecture, and Enterprise Lifecycle Management, including:
  • Provides guidance in effective implementation of policies, standards, procedures, and technical guidance to protect systems, personnel, and information
  • Drafts, reviews, and/or comments on changes to policies, standards, procedures, and technical guidance to accommodate changing needs.
  • Provides analysis and review of new and emerging federal information security policy, directives, and mandates within the specified timeframes.
  • Maintains the inventory of existing information security policies, standards, handbooks, frameworks, procedures, and guidance documentation
  • Provides subject matter expertise in drafting, reviewing, and commenting on security documentation and changing requirements within the specified timeframes
  • Provides subject matter expertise in drafting, reviewing, and commenting on the impact from changing privacy requirements.
  • Creates Information Security Policy Management Strategy detailing how information security policies will be maintained, updated, and enforced across the organization.
  • Delivers periodic Information Security Policy Analysis, Review, Impact, Gap and Recommendations Report detailing the impact of authoritative sources, changes, and how compliance was achieved; and
  • Maintains liaison and collaboration efforts with the Program Manager and other designated responsible officials in support of Policy and Legislative Support Management activities
  • Served as the project manager for DoED TIC 3.0 implementation.
  • Reviewed and responded to CISA's Trusted Internet Connection (TIC) 3.0 Executive Orders (EO).
  • Conducted the Department's TIC 3.0 readiness assessment.
  • Reviewed, explained, and provided TIC 3.0 use cases to stakeholders.

Senior Information System Security Officer

Confidential

Responsibilities:

  • Provided consulting to Agency on Requests for Service for the design, development, and deployment of Ongoing Assessment, Ongoing Authorization, and other Information Assurance (IA) initiatives
  • Provided continuous monitoring to enforce client security policy and procedures and create processes that will provide increased visibility to system owners on impacts to the security posture of systems
  • Ensured system security measures comply with applicable government policies.
  • Monitored configuration management changes and assessed the impact of modifications and vulnerabilities for each system.
  • Ensured that system security requirements are addressed throughout the project and system lifecycle
  • Ensured effective controls and processes are in place and working effectively to maintain a strong system security posture.
  • Performed vulnerability/risk assessment analyses to support Assessment & Authorization (A&A) activities
  • Drove the Assessment and Authorization of the DOD information systems using the NIST Risk Management Framework and DOD Guidance.
  • Ensured that the NIST Risk Management Framework (RMF) process is integrated into each level of the information system life cycle development
  • Ensured that cybersecurity requirements/controls are allocated into the information system design
  • Developed, maintained, and facilitated the appropriate closure of POA&Ms and any related remediation activities.
  • Served as Agency-designated security Point of Contact (PoC)/ISSO.
  • Monitored operations processes, including but not limited to the Incident

Information Systems Security Analyst

Confidential

Responsibilities:

  • Support the CISO's continuous monitoring initiatives by collecting, compiling, and submitting Information Security Continuous Monitoring (ISCM) and Security Processes Metrics (SPM) for FISMA reporting.
  • Review the National Institute of Standards and Technology (NIST) publications applicable to FISMA and other directives for applicability to the DHS IT Security Program.
  • Coordinate issues as a member of the CSRA Compliance and Oversight team
  • Promote awareness of security issues among management and ensure sound security principles were reflected in the organization's visions and goals.
  • Conduct and prepare quarterly and annual reports to the CIO, CISO, Department of Homeland Security (DHS), and Congress.
  • Develop metrics for measuring and improving the effectiveness of the overall information security posture of the agency.
  • Provide guidance on, develop, implement, and effectively manage security processes and programs (BCP, Incident Response Planning, Risk Management, Vulnerability Management, and Privacy).
  • Support the review and maintenance of Security Authorization documents in accordance with Federal, DOC, and applicable local regulations.
  • Oversee the delivery of updated security plans, policies, and standard operating procedures on or before the required due dates.
  • Ensure that continuous security monitoring is performed using DOC approved tools such as ELMS BigFix, ArcSight, Firewalls, and NAC.
  • Collaborate with other IT teams to assist in resolution of security issues.
  • Provide guidance on security threats, technology, standards, and practices.
  • Oversee the investigation of security issues that appear under new threat scenarios.
  • Provide Critical and High vulnerability management oversight for DOC compliance with DHS Binding Operational Directives (BOD), currently BOD 19-02.
  • Participated in the development of intrusion prevention models using a trusted framework and an anomaly approach
  • Provide weekly/bi-weekly vulnerability management reports and how actions are being addressed across the enterprise.
  • Coordinate with stakeholders to provide guidance and oversight in identifying and documenting deficiencies and prioritizing them based on missions, risk, and funding
  • Implement an IT Security Review and Assistance Program to aid the Information System Security Officer (ISSO) in authoring security authorization documentation
  • Provide expert advice to bureaus on the use of CSAM and CSAM administration, and organize monthly Q&A sessions for Agency CSAM users.
  • Conducted asset management tool capability research (CSAM vs. RSA Archer).
  • Reviewed RSA Archer demo versions for the purpose of tool transition.
  • Proficiency with the RSA Archer security structure, data feeds/API, workflow, and process to configure RSA Archer with content data feeds.
  • Used RSA Archer for Security RMF activities
  • Review and monitor the Plan of Action & Milestones (POA&M) for each IT system, ensuring timely POA&M updates
  • Support the DOC enterprise governance risk and compliance solution CSAM at Tier 2 level providing account management and role-based access control permissions.
  • Liaison between DOC and DOJ for GRC solution continuity and patch updates
  • Update SOPs and related CSAM policy documentation
  • Develop and field data calls as needed for the capturing of CSAM related actions
  • Provide and develop enterprise-level reports for POA&M management and ATOs for the enterprise monthly - providing a clear picture of where challenges are, and which organizations are falling behind or having challenges with their system ATOs
  • Provide clean-up efforts for system users that no longer require access to CSAM.
  • Support users with questions related to artifact development and control inheritance.
  • Lead monthly CSAM working group meetings

Lead Security Control Assessor

Confidential, Washington, D.C

Responsibilities:

  • Conducted comprehensive security assessments as needed for new systems or system changes to ensure information systems (IS) maintain the authorization baseline.
  • Reviewed and updated program documentation such as contingency plans, System Security Plans (SSP), System boundaries and Risk Assessments.
  • Reviewed artifacts, interviewed personnel, and executed testing procedures to obtain security assessment evidence.
  • Ensured that rules of engagement (ROE), policy waivers, testing approvals, interconnection security agreements (ISAs), and the ATO documents are reviewed.
  • Supported system owners in providing various levels of Information assurance in developing test plans and assessing security controls to ensure operational security measures are implemented.
  • Performed annual security controls reviews and evaluated the systems' status to ensure validity and integrity of all clients' systems.
  • Reviewed reports from various A&A tools (Nessus, CSAM, etc.) to determine weaknesses and recommended essential measures to remediate vulnerabilities identified during the audit process.
  • Created and maintained security checklists, templates, and other tools to aid in the process of A&A package projects as needed.
  • Developed and updated core documents such as risk assessment documentation, Security Assessment Plans (SAPs), Security Assessment Reports (SARs/RARs), and Plan of Action and Milestone (POA&M) Reports.
  • Conducted internal audits to assess effectiveness of controls, document results in the SAR and analyze findings including corrective measures to mitigate weaknesses.
  • Conducted Security Authorization document reviews and prepared Security Authorization packages in accordance with the client contractual requirements.
  • Actively participated in team meetings and discussions to propose solutions to problems.

Information System Security Officer

Confidential

Responsibilities:

  • Collaborated with the Security team to select Security Controls that apply to systems according to their categorization.
  • Monitored security access to ensure that information system requirements are addressed during all phases of the system life cycle.
  • Created a defined process to conduct annual assessment of information systems in support of A&A continuous monitoring.
  • Conducted Risk Assessments as needed for system changes and new services.
  • Provided independent documentation reviews and updates of security controls assessments in support of NIST annual assessment to determine risk findings.
  • Conducted in-depth technical reviews of new and existing IT systems to identify appropriate remediation strategies for system compliance with established policy and industry guidelines.
  • Validated compliance with regulatory standards and identified opportunities to streamline operational processes.
  • Developed and updated a consistent approach to information security programs and adherence with best practices ensuring that the policies reflect current standards in place.
  • Worked with management to ensure security recommendations comply with company procedures, performed security impact analyses of proposed changes, and drafted various policies and procedures.
  • Participated in business continuity by being actively involved in Contingency Plan Testing, Disaster Recovery Planning and Testing for all assigned systems, and prepared an after-action report.
  • Ensured that all Information Assurance systems are properly documented with Configuration Management processes, maintained the security accreditation status of systems.

Network Engineering/IT Help Desk

Confidential

Responsibilities:

  • Supervised 30 helpdesk personnel, resolved 468 trouble tickets, and established over 200 accounts keeping all network systems fully operational with 100% communication capability for users.
  • Monitored and administered safeguards for local area networks (LAN), wide area networks (WAN), and telecommunications systems; passed 3 security audits with 715 physical and technical requirements to ensure the (LAN) was in compliance to securely connect to the Defence Information Systems Network (DISN).
  • Provided motivation and performance feedback to all associates.
  • Installed, configured, and managed multiple network devices (routers, switches, Cisco VOIP assets, DMZ/FIREWALLS), performed backups for fault tolerance to maintain obligations and responsibilities to aid an upper and lower staffs across all levels of operations.
  • Performed and controlled the full audit cycle including risk management and control management over operations' effectiveness, financial reliability, and compliance with all applicable directives and regulations.
  • Determined internal audit scope and developed annual plans.
  • Obtained, analysed, and evaluated accounting documentation, previous reports, data, flowcharts, etc.
  • Prepared and presented reports that reflect the audit's results and documented the process.
  • Acted as an objective source of independent advice to ensure validity, legality, and goal achievement.
  • Identified loopholes and recommended risk aversion measures and cost savings.
  • Maintained open communication with management and the audit committee.
  • Documented processes and prepared audit findings memoranda.
  • Conducted follow-up audits to monitor management's interventions.
  • Engaged in continuous knowledge development regarding the sector's rules, regulations, best practices, tools, techniques, and performance standards.
