Sr. Security Analyst Resume
Fairfax, VA
SUMMARY:
- IT Security professional with experience applying the NIST publications on protecting Controlled Unclassified Information systems; privacy and data security management and operations; Assessment and Accreditation (A&A); project management; NIST Rev1 and rev4 and NIST SP rev 1 rev3; FIPS; FISMA; Security Content Automation Protocol; the NIST families of security controls; POA&M; and incident and contingency planning.
- Information Technology Compliance.
- IT Governance, Security, Identity & Access Management
- Information Systems Security Metrics
- Information Technology Risk Management
- Information Technology System Audits
- Information Security Tools & Techniques / Network & Systems Security
- Security of enterprise architectural components and associated management systems, including telecommunication networks, operating systems, database management systems, web servers, storage devices, etc.
- Documentation (2 years), Risk Management (2 years), System Security (3 years), NIST (3 years), Security (3 years)
- A&A Packaging: Risk Management Framework (RMF). Assessment management tools (CSAM, RSA Archer, Xacta). System Security Plan development. Information systems sensitivity assessment (FIPS 199). Privacy Impact Analysis. Security controls assessment and vulnerability scan analysis (NIST SP 800 series). System continuous monitoring (risk assessment, change control, status reporting, POA&M management). Expert hands-on experience with Microsoft Office. Excellent communication skills and knowledge of good documentation practices.
PROFESSIONAL EXPERIENCE:
Confidential, Fairfax VA
Sr. Security Analyst
Responsibilities:
- Develop and maintain Plans of Action and Milestones (POA&Ms) for all accepted risks upon completion of system C&A.
- Conduct FISMA-based security risk assessments for various application systems, including interviews, tests and inspections; produce assessment reports and recommendations; conduct out-briefings. Assessments follow NIST 800 processes and controls.
- Reviewed and updated system categorizations using FIPS 199, Initial Risk Assessment, E-Authentication, PTA, PIA, SAR, SSP, SAP and POA&M.
- Conducted kick-off meetings with the IT team to gather documentation and evidence about their control environment.
- Developed and conducted Security Control Assessments (SCA) and Security Assessment Plans (SAP) according to NIST SP A.
- Develop NIST-compliant vulnerability assessments, technical documentation, and Plans of Action and Milestones (POA&M), and address system weaknesses.
- Generate, review and update System Security Plans (SSP) against NIST and NIST requirements.
- Contribute to initiating FISMA metrics such as Annual Testing, POA&M Management, and Program Management.
- Supporting clients in creating Standard Operating Procedures (SOP) as guidance through Risk Management Framework.
- Sound understanding and experience with NIST Risk Management Framework (RMF) process.
- Document and review System Security Plan (SSP), Security Assessment Report (SAR), Security Plan of Action and Milestones (POA&M), Authorization letter/memorandum (ATO).
- Assist with review of policy, security alerts, guidance, regulations and technical advances in IT Security Management.
- Performed Security Categorization (FIPS 199), Privacy Threshold Analysis (PTA), E-Authentication with business owners and selected stakeholders.
Confidential, Cambridge, MA
Security Analyst
Responsibilities:
- Supported the Research & Administration Services department for Confidential's FAS (Faculty of Arts & Sciences).
- Identified information types and selected potential impact levels for those information types using NIST
- Assisted in system security categorization by determining the high water mark of the confidentiality, integrity, and availability (CIA) impact levels of the information types processed or stored, using NIST /FIPS 199 as a guide.
- Conducted Privacy Threshold Analysis (PTA), Privacy Impact Analysis (PIA) and SORN when necessary.
- Assisted in conducting E-Authentication assessment.
- Contribute as part of a high-performing team to ensure Operational Excellence.
- Assisted in Virtualization using VMware, HyperV.
- Applied appropriate information controls for federal information security based on NIST rev1, SP rev4, FIPS 199 and FIPS 200.
- Conducted security assessments via document examination, interviews and manual assessments; populated the Requirements Traceability Matrix (RTM) with the assessment results.
- Reviewed and updated system categorizations using FIPS 199. Created and updated contingency plans and disaster recovery plans for information systems using NIST SP .
- Ensured that appropriate steps were taken to implement information security requirements for IT systems throughout their life cycle, from the requirements definition phase through disposal.
- Reviewed POA&Ms, enforced timely remediation of audit issues, and updated System Security Plans (SSP) using the NIST SP 800 series.
- Used and applied knowledge of Security Assessment & Authorization (SA&A) policies, guidelines, and regulations in the assessment of IT systems and the documentation and preparation of related documents
- Supported System Test and Evaluation (ST&E) efforts and other support to the IT Security Office
- Worked with project managers to ensure incorporation of security activities into all ongoing projects and to identify the security impact of new releases.
- Developed, updated, and completed system security plans based on the National Institute of Standards and Technology (NIST) Special Publications and conducted an annual self-assessment.
- Developed the audit plan and performed the General Computer Controls testing of Information Security, Business Continuity Planning, and Relationship with Outsourced Vendors.
- Performed vulnerability/risk analyses of computer systems and applications during all phases of the system development life cycle.
- Requested or conducted required information system vulnerability scans in accordance with established policy; developed system POA&Ms in response to reported vulnerabilities.
- Ensure compliance with annual FISMA deliverables and reporting and also investigate any information technology or system security incidents.
- Performed security risk assessments, developed security risk mitigation recommendations, and identified security controls for systems and networks.
- Supported formal Security Test and Evaluation (ST&E) required by government accrediting authority through pre-test preparations, participation in the tests, analysis of the results and preparation of required reports
- Performed the role of Security Control Assessor by reviewing the artifacts and implementation statements provided by the ISSO for a system to determine whether the security controls are met.
- Developed systems that help the organization secure confidentiality, integrity and availability (CIA) by categorizing systems and selecting controls using NIST SP, FIPS 199 and FIPS 200.
- Assist in building and configuring Redhat (VMware) servers.
- Reviewed ATO package documents like PIA, CP, CPT, and SSP.
- Applied Security Assessment and Authorization processes such as contingency planning, security test and evaluation, categorization, development of security and system accreditation, and continuous monitoring.
- Collaborated with Security team to Select Security Controls based on system Categorization using NIST Appendix D and their relevant detailed Control requirements and supplemental guidance from NIST Appendix F.
- Monitored Security Controls using NIST as a guide by testing a portion of the applicable security controls annually.
Confidential, Hartford, CT
Security Analyst
Responsibilities:
- Interviewed Business Users to gather Requirements and analyzed the feasibility of their needs by coordinating with the project manager and technical lead.
- Worked with the Assessment and Authorization team to perform security control assessments (SCAs) and update System Security Plans (SSP), Contingency Plans (CP), and Plans of Action and Milestones (POA&M).
- Reviewed and interpreted vulnerability scan reports; created, tracked and closed POA&Ms for the identified weaknesses.
- Employed applicable NIST documents to develop ATO package documents such as SSP, SAR, POA&M, RA and MOUs/ISAs for information systems to ensure compliance with the organization's information security requirements.
- Conducted in-house Security Control Assessments (SCA) using NIST SP 800-53A rev4 with system engineers and stakeholders for continuous monitoring of system security controls in order to comply with post-ATO requirements.
- Troubleshot, installed, and checked firewalls.
- Documented attacks and contributed to mitigations for future attacks of a similar nature.
- Followed the Security Operations Center policies and procedures of different agencies for incident
- Primarily responsible for researching and evaluating relevant information security policies, guidance, and best practices, including NIST, FISMA, and OMB circulars, for applicability to IT systems security.
