
Senior Federal GovCloud ISSO Resume


Boston

OBJECTIVE:

  • Obtain a CISO role, or support a CISO/VP of Information Security in implementing an effective organizational security program charter and execution, concerned with planning, strategy, governance and compliance.
  • Oversee internal audits and support external audits through utilization of my skills and experience of 23 years in information systems risk, compliance and analysis. I have competency in applying project management, information security, information security policy, business analysis, IT risk management, compliance, and internal auditing for government and private organizations.

TECHNICAL SKILLS:

Software: - AWS WorkDocs, AWS eQuip, AWS Projects, AWS Security Hub, Confluence, Redlock.io, Splunk, IP360, AlienVault, SIEM tools, DBProtect, Spiceworks, SharePoint 2010/2007; MS Access, MS Project, SQL Server, MS Office, MS Visio, Symantec Endpoint Antivirus, MS Anti-Spyware; Windows OS (all versions), Mac OS X, ClearCase, Adobe Acrobat, FileZilla, Remedy, Nessus/Retina port scanner

Hardware: - Mac, PC, Network Printers, Laptops, Desktops

Platforms: - Office 365, Windows NT, Active Directory, UNIX/Linux, Sybase, UDB, Mainframe, CentOS

Other: - Computer Forensics, CIS, NIST, ISO 27001, ITIL, SOC 2/3, Sarbanes-Oxley, COBIT, CCNA, Network Administrator, Database, Systems Analysis, Mainframe Administrator, Configuration Management

PROFESSIONAL EXPERIENCE:

Confidential

Senior Federal GovCloud ISSO

Responsibilities:

  • Lead responsible for maintaining Apptio GovCloud FedRAMP P-ATO.
  • Lead responsible for responding to questions, concerns and comments from the JAB.
  • Responsible for writing up risk findings, recommending remediations, and drafting risk acceptances; report directly to the CISO.
  • Senior lead advisor for security impact assessments (SIA) for Apptio GovCloud.
  • Senior lead advisor on all Significant Change Requests (SCRs) to Apptio GovCloud.
  • Scoping for Apptio GovCloud “uplift” from Moderate to IL4 security baseline.
  • Perform Moderate to IL4 gap analysis.
  • Collaborate with ConMon to ensure vulnerabilities are remediated in a timely manner and meet FedRAMP thresholds.
  • Lead SSP updates/revisions to include SCRs, and technological changes/updates.
  • Developed risk management strategy for Apptio GovCloud.
  • Managing security & compliance team daily tasks around information assurance, i.e. security documentation, Jira ticketing approval, vulnerability remediations for Apptio GovCloud, and general security & compliance advisory.
  • Collaborated with Products & Engineering to ensure vulnerability thresholds are not exceeded.
  • Collaborated with Information Security team to ensure security monitoring and response/incident mechanisms are operating as intended.
  • Communicated cyber security risks, trends and threats from third-party sources to ensure Apptio internal threat modeling is continuously updated and security mechanisms are configured as needed.
  • Collaborate with the Apptio GovCloud stakeholders to ensure all security controls are in place and meet Apptio security policies.
  • Worked with Apptio Sales to train personnel on the FedRAMP GovCloud space and advise on sales/advertising strategy.
  • Managed FedRAMP Annual Assessments.
  • Managed team of two contractors and 3PAO advisor.
  • Managed project tickets and provided input for the ServiceNow implementation project.

Confidential

Senior Security Risk & Compliance

Responsibilities:

  • Senior lead advisor for security impact assessments for AWS Cloud Features/Services.
  • Project managed the AWS features FedRAMP approval process.
  • Developed risk management strategy for the U.S. Government Security & Compliance (UGSC) team, responsible for providing oversight and guidance on FedRAMP authorizations for AWS Services and Features.
  • Developed risk registry for UGSC team.
  • Collaborated with AWS Service teams.
  • Provided weekly status updates with the AWS Global Engineering and Architecture Readiness (GEAR) team.
  • Prioritized features assessments and coordinated the yearly roadmap with AWS service teams, GEAR, and vulnerability management (VM) onboarding teams to ensure features met JAB security requirements for U.S. Federal clients.
  • Developed FedRAMP Security Impact Assessments (SIAs) for 3PAO reviews.
  • Reviewed 3PAO attestations and provided features authorization packages to the JAB.
  • Advised and improved overall features assessments, tracking, and workflow processes.
  • Maintained internal AWS features status and wiki page.

Confidential, Atlanta, GA

Enterprise Consultant, Security Controls Assessor

Responsibilities:

  • Advised on and developed FedRAMP readiness and risk assessment for the Deputy CISO at LexisNexis for on-prem migration to a cloud environment.
  • Drafted FedRAMP-compliant system security plan for the Deputy CISO at LexisNexis.
  • Led FedRAMP internal audit for Oak Ridge National Laboratory (ORNL).
  • Developed roadmap for AWS Cloud ATO.
  • Drafted a security assessment plan.
  • Conducted technical assessment interviews.
  • Mapped Control Review items to NIST ; 37;137.
  • Drafted and finalized LexisNexis system security plans (SSPs) and contingency plans (CPs).
  • Drafted and finalized security assessment reporting, risk exposure tables, and executive summaries.
  • Led two-week ISO 27001 compliance assessment.
  • Led FedRAMP readiness assessment.

Confidential, Seattle, WA

Enterprise Risk Management (ERM), Program Manager

Responsibilities:

  • Key AWS Enterprise Risk Management member responsible for assessing risk related to information security and data protection.
  • Developed roadmap for standing up new AWS Enterprise Risk Management Program.
  • Project manager for risk assessment team.
  • Developed AWS Third Party Risk assessment questionnaire.
  • Evaluated and assessed enterprise risks across the global AWS operations.
  • Drafted AWS Enterprise Risk Management policy.
  • Drafted the AWS Third Party Risk Management policy.
  • Developed AWS third party risk framework.
  • Coordinated risk assessment interviews with AWS risk owners and stakeholders across the enterprise.
  • Remediated AWS asset management risk concerns relating to GDPR.
  • Assessed risks relating to AWS general ledger and Spending and Transaction policy.
  • Completed for AWS Security Hub.
  • Completed for integrating security findings from AWS GuardDuty and commercial SIEM tools into AWS Security Hub.
  • Applied FAIR method for evaluation of AWS corporate risks.
  • Developed ERM tool for initial risk scoring of AWS corporate risks.
  • Reviewed ERM Implementation Plan.
  • Responsible for ERM reporting from the AWS risk registry to upper management.
  • Responsible for maintaining the AWS risk registry and risk mitigation.

Confidential, Boston

Senior Information Security Specialist

Responsibilities:

  • Performed HITRUST self-assessment on MS Azure environment.
  • Reviewed cloud implementation security documentation.
  • Wrote control implementation descriptions based on documentation review.
  • Administered HITRUST MyCSF tool, providing user permissions.
  • Drafted security policies based on gap analysis to reflect required security domains.
  • Managed HITRUST Assessment via MyCSF tool for entire cloud implementation.
  • Provided HITRUST Assessment reporting and results to client including findings report.
  • Collected technical artifacts to validate risk assessment results.
  • Managed security implementation descriptions for access management controls via Active Directory.
  • Performed SOC 2 audits for client.

Confidential, San Diego, CA

Cloud Risk & Security Analyst

Responsibilities:

  • Provided executive cloud risk assessment report to VP of Technology Risk.
  • Performed cloud security risk assessment baselined against NIST.
  • Project managed two cloud risk assessments for the Director of Risk Management for AWS Landing Zone.
  • Drafted and finalized 14 security policies aligned with NIST requirements.
  • Assessed risk of landing zone for 2 mobile applications.
  • Developed Corrective Action Plans based upon risk assessment findings.
  • Interviewed stakeholders within the Enterprise Operations, Info Sec, and Application Development team.
  • Recommended multi-factor authentication be implemented on a network system component.
  • Ensured data encryption is applied to data at rest and data in transit.
  • Performed SOC 2 audits.
  • Ensured CyberArk was implemented for privileged access to AWS/Azure environments.
  • Ensured email scanning was implemented via Proofpoint.
  • Ensured code scanning via Veracode.
  • Ensured endpoint protection was implemented via CrowdStrike/Windows Defender.
  • Ensured lifecycle management was implemented via Venafi.
  • Ensured vulnerability management was implemented via Nexpose/Splunk.
  • Ensured firewalls were configured properly via Palo Alto.
  • Ensured server configuration followed CIS hardening baselines.
  • Ensured the Redlock.io compliance tool is configured on the cloud environment.

Confidential, Washington DC

Senior Information Security Specialist

Responsibilities:

  • Developed SAR for government client.
  • Developed SSP for Microsoft Azure Cloud solution for government client.
  • Drafted and finalized 14 security policies aligned with NIST requirements.
  • Managed drafting of security policies aligned with requirements.
  • Conducted CIS audit for commercial client.
  • Wrote up access control policies and assisted with Microsoft Azure MFA configurations.

Confidential, Washington DC

Senior Information Security Specialist

Responsibilities:

  • Performed HITRUST assessment on AWS Cloud solution.
  • Administered HITRUST MyCSF tool, providing user permissions.
  • Reviewed cloud implementation security documentation.
  • Managed HITRUST Assessment via MyCSF tool for entire cloud implementation.
  • Provided HITRUST Assessment reporting and results to client including findings report.
  • Managed security implementation descriptions for access management controls via Active Directory.
  • Performed SOC 2 audits.

Confidential

Lead Senior Security Specialist

Responsibilities:

  • Performed IT security support function for the Office of the CISO regarding risk management, internal audits, policy development and project support.
  • Responsible for implementing access control policies for management of user accounts.
  • Project lead on multiple corporate security control assessments (SCA) on general support systems (GSS)/major applications (MA).
  • Developed DAR for Symantec DLP solution.
  • Worked with Symantec DLP reps to align network infrastructure with product offering.
  • Acted as project coordinator between the Symantec DLP rep and QSSI.
  • Drafted Corporate Vendor Management Policy.
  • Drafted vendor management procedure.
  • Developed vendor security assessment questionnaires and business requirements.
  • Drafted SharePoint Administration Policy.
  • Supported IT audits for corporate projects for CMS, DSH.
  • Working experience with CMS CFACTS audit tool.
  • Managed and mitigated POAMs and CP test for ACA exchange systems.
  • Developed SSPs, RAs, CPs, POAMs for applications/systems.
  • Coordinated infrastructure vulnerability scans using IP360, nCircle CCM and DBProtect.
  • Responsible for POAM mitigation on corporate GSS systems.
  • Provided NIH Proposal QSSI Technical documentation.
  • Provided Contingency Plan to IT staff.
  • Reviewed security policies and mapped to NIST standards and HIPAA standards.
  • Performed security control assessment on major financial applications (Deltek CostPoint).
  • Created risk determination methodology for the Chief Information Security Officer (CISO).
  • Identified technical common controls for enterprise adaptation.
  • Reviewed Incident Response Plans.
  • Reviewed Facilities Management Plans.
  • Obtained HITRUST assessor/HITRUST tool experience.
  • Provided project plans and goal setting for corporate internal audits.
  • Drafted business development initiative plans for acquiring new business.
  • Developed Mobile Security, Mobile Code, and Incident Response policies.
  • Employed XLC methodologies.
  • Monitored firewall configurations for security best practices.
  • Implemented OpenFISMA for corporate audit needs.
  • Drafted Master Corporate Security Plans.
  • Regularly reported overall corporate infrastructure security status to the CISO.
  • Developed privileged access management policies for the corporate organization.
  • Developed and advised on Identity Access Management policies and baseline configurations for enterprise implementation.

Confidential, Alexandria, VA

Enterprise Risk Specialist Consultant

Responsibilities:

  • Performed security policy reviews and recommendations for technology devices/applications employed at BOA systems.
  • Information Security SME on multiple technical policy documents.
  • Supported daily activities of the VP, Senior Architect Enterprise Information Security.
  • Drafted security control guidelines and practices for BOA Global Information Security (GIS) team.
  • Provided new technology recommendations to business units.
  • Provided security input on multiple new technologies for baseline implementation.
  • Monitored and provided security input within major mobile payment project at BOA.
  • Provided weekly updates on mobile payment project to entire global information security (GIS) team at BOA.

Confidential

Independent Security Consultant

Responsibilities:

  • Developed Health Care Security Policy for the company.
  • Provided daily IT consultation.
  • Repaired computers for health-care office.

Confidential, Washington DC

Information Security Specialist III

Responsibilities:

  • Mapped Control Review items to NIST ; 37;137.
  • Created control criteria for control review questions for C&A effort.
  • Wrote guidance document on Continuous Monitoring based upon NIST .

Confidential, VA

Information Security Specialist

Responsibilities:

  • Trusted Agent FISMA (TAF) coordinator, assessing NIST documents.
  • Quality control management with Risk Management Systems (RMS).
  • Mapped Control Review items to NIST A; 37;137.
  • Managing multiple applications for FISMA/NIST C&A effort.
  • Performing in TAF/RMS for DHS employees.

Confidential, Washington DC

Enterprise Risk Specialist

Responsibilities:

  • Proposed IBM Tivoli Access Manager (TAM) for Confidential client.
  • Conducted security assessments for 37 web-based applications.
  • Prepared risk assessments outlining residual risk levels.
  • Prepared security assessment report deliverables for client.
  • Prepared AO matrix dashboard for client deliverables.
  • Provided & implemented improvement recommendations to AO matrix.
  • Provided weekly status reports.
  • Performed identity access management (IAM) client assessments for technical solution requirements.
  • Performed data loss protection (DLP) client assessments for technical solution requirements.
  • Provided identity access management planning/data loss prevention current status reports to client.
  • Reviewed client policies regarding information security and enforcement of policies.

Confidential, Washington, DC

Information Security Engineer III/IRS Consultant

Responsibilities:

  • Responsible for aligning current IRS technical controls with updated applicable Treasury and NIST guidance.
  • Rewrote current Identification and Authentication (IA) controls for the IRS organization-wide policy document.
  • Provided security controls for web security.
  • Rewrote current Access Controls (AC) for IRS policy document.
  • Provided applicable guidance for E-Authentication implementation based upon OMB and E-Gov guidance.
  • Attended and documented server farm migration meetings.
  • Provided weekly status reports.

Confidential, Washington DC

Senior Security Engineer/FAA Consultant

Responsibilities:

  • Coordinated SCAP (System & Accreditation Packages) for FAA applications.
  • Wrote and reviewed system security plans, incident recovery plans, and contingency plans.
  • Performed penetration testing on FAA systems using the Nessus scanner and reviewed and reported on results.
  • Created POA&M items for security team and verified completion of existing POA&M items.
  • Provided auditable evaluation documentation in the form of reports and checklist for FISMA requirements.
  • Created and edited executive summaries, risk assessments, POA&Ms for FAA systems.
  • Installed Symantec antivirus on workstation and server levels.

Confidential, Washington DC

Senior C&A Specialist/Department of Interior

Responsibilities:

  • Conducted Internal Control Reviews (ICRs) for their National Business Center.
  • Reviewed STIGs and verified server baseline configuration implementation.
  • Reviewed and verified server configurations and patch management.
  • Tested internal controls on servers and web-based software.
  • Evaluated system security plans, incident recovery plans, contingency plans, and risk assessments against the a standards.
  • Created POA&M items for security team and verified completion of existing POA&M items.
  • Provided auditable evaluation documentation in the form of reports and checklist for FISMA requirements.
  • Mapped NIST a controls to the existing controls found in place for DOI GSS/MA applications.

Confidential, Washington DC

Senior Information Security Specialist

Responsibilities:

  • Evaluated system security plans, incident recovery plans, and contingency plans against the standards and HUD’s established common controls.
  • Created POA&M items for security team and verified completion of existing POA&M items.
  • Coordinated ST&E testing for over 10 applications.
  • Provided auditable evaluation documentation in the form of reports and checklist for FISMA requirements.
  • Evaluated web security vulnerability results.

Confidential, Pentagon City, VA

Senior Information Security Engineer

Responsibilities:

  • Information security engineer lead for DEA Security Programs, Information Security section.
  • Evaluated and updated NIST special publications database.
  • Managed DEA-wide Computer Security Assessment program for web security.
  • Information security engineer lead on security programs team responsible for drafting DEA standard regarding use of portable electronic devices within DEA secure facilities.
  • Drafted DEA policy regarding the standard operating procedure for employing external vendors for the destruction of classified documents.
  • Drafted Memorandum of Agreement regarding Foreign Nationals employment within DEA.
  • Drafted standard operating procedure for encrypting storage devices within DEA.
  • Administered for appropriate use of portable electronic devices.
  • Facilitated and implemented plan for internal social engineering evaluation exercise within DEA.

Confidential, Reston, VA

Senior Information Security Engineer

Responsibilities:

  • Administered mainframe security configurations.
  • Reset security passwords for database administrators nationwide.
  • Performed mainframe help desk duties.
  • Provided NIST publication research.
  • Updated mainframe records for active veteran benefits.

Confidential, Baltimore, MD

Senior IT Auditor

Responsibilities:

  • Team member for central monitoring team, responsible for daily monitoring of 21 financial applications on Active Directory.
  • Team member for central monitoring team, responsible for daily monitoring of UNIX root logins, successful su attempts, and failed su-attempts.
  • Reviewed daily application logs of 65,000 rows of activity and filtered for privileged activity.
  • Managed and created incident reports in SharePoint and FileZilla for all privileged or unapproved activity by internal users.
  • Reconciled incident reports through Remedy ticketing software.
  • Escalated incident report status when explanation provided by application teams was considered insufficient.

Confidential, Merrifield, VA

Senior Information Security Specialist

Responsibilities:

  • Created complete process documentation for Sarbanes-Oxley (SOX) review of internal financial applications as a contractor to Confidential.
  • Created a complete procedural instructions document for Sarbanes-Oxley (SOX) review of internal controls to be followed by all internal auditors of Confidential SOX artifacts.
  • Reviewed data security dumps from UNIX, Sybase, UDB, Windows NT, and Mainframe platforms for violations based upon Confidential security policy standards.
  • Trained over 50 project managers in the process of SOX reviews through PowerPoint presentations.
  • Provided violation reports based upon SOX reviews to senior management weekly and daily team status reports upon request.
  • Mapped SOX review items to Confidential policies, COBIT controls, and ISACA application control standards.
  • Managed SOX orientation of new auditors.
  • Facilitated and observed security audit meetings between Confidential VPs, directors and system owners.

Confidential, Washington, DC

IT Support Professional

Responsibilities:

  • Advised small business owners on web page development.
  • Provided desktop support to users.
  • Installed and configured necessary anti-virus components for new systems.

Confidential, Washington, DC

IT Project Manager

Responsibilities:

  • Managed 30-workstation technology labs; responsible for network maintenance, hardware repair, and software installation.
  • Managed the FacNet project, where over $100,000 worth of new desktop/laptop (IBM/Mac) computers were disseminated to various university faculty.
  • Coordinated hired installers' daily activities and school/department assignments.
  • Created documentation for FacNet database conversion plan.
  • Exported data necessary for FacNet inventory database.
  • Responsible for PC support for all distinguished faculty and high-ranking administrators.
  • Provided weekly status reports on all weekly tasks.
  • Presented PowerPoint presentation on the strengths and weaknesses of iMac and IBM-compatible PCs.
  • Wrote official Confidential network access documentation for iMac and IBM PC configuration.

Confidential, New York, NY

Interning Computer Specialist

Responsibilities:

  • Assisted MCSE professional with daily network maintenance in order to support over 10,000 end users.
  • Provided PC support to office departments to enhance company work efficiency.
  • Managed nationwide inventory auditing project to help the accounting department accurately report financial statements to the IRS.
  • Populated inventory database containing national computer equipment information (workstations, modems, faxes, etc.) for over 100 outlets nationwide.

Confidential, Rockville, MD

Interning Computer Security Specialist

Responsibilities:

  • Assisted with organization of the Y2K contingency plan manual for the Justice Department Y2K task force.
  • Ran daily surveillance of an Internet server that facilitated over 20,000 “hits” from different IP addresses worldwide in order to deter possible Internet intrusion.
  • Collected and evaluated over 200 datasets taken daily in order to assure the protection of government networks.
  • Administered mainframe software “Top Secret” concerned with storing large datasets.
