Security Audit And Compliance Resume

Washington, DC

SUMMARY:

  • Strategic information assurance, privacy, risk management and compliance executive delivering proven solutions through sound security program management, ethical business practices and systems audit expertise, while remaining current with relevant security technologies, methodologies, federal and industry regulations, threats and countermeasures to positively impact fiscal growth and business continuity by demonstrating an optimal security posture. Nearly 20 years delivering proven technical solutions through hands-on security risk assessments, systems analysis and compliance audits, with expertise in system authorization (C&A and A&A) of Federal systems, commercial system compliance, security event analysis, incident management, immediate vulnerability remediation and plans of action & milestones (POA&Ms), continuous monitoring and risk management framework implementation.

TECHNICAL SKILLS:

Technical Skills: Penetration Testing, Web application scanning, firewall management, log analysis, event correlation, system enumeration, forensic analysis and recovery, NOC and SOC operations

Security Standards/Regulations Applied: Corporate Security Compliance, US Federal Government Compliance, Global Privacy Regulations, ITIL, GRC Solutions, Federal C&A and A&A, NIST Risk Management Framework, CJIS, SAS 70, BITS SIG, BITS Shared Assessment AUP, ISO 17799/27001/27002, COBIT, NIST 800 Series Publications, DoD 8500.2, FERPA, NERC CIP, DHS 4300A, 4300B, IRS 1075, FIPS, FFIEC, FISMA, MTSA, NIMS, DoDAF, DIACAP, NIACAP, NSA IAM, GLBA, PCI DSS, HIPAA, PHIN

Business Processes Employed: ITIL v3, Policy Frameworks, Six Sigma, Program Management

PROFESSIONAL EXPERIENCE:

Confidential, Washington, DC

Security Audit and Compliance

Responsibilities:

  • Perform audits of IT, IT Security, Physical Security, Personnel and Privacy controls
  • Provide recommendations for regulatory compliance
  • Develop executive risk reports with recommendations for remediation & compliance
  • Develop Governance and Risk Management Policies
  • Develop corporate security plan for cyber risk insurance qualification
  • Implement supplier security assessment and remediation program
  • Develop remediation strategies for identified risks
  • Evaluate solution providers for policy and requirements compliance
  • GLBA and Security Awareness
  • Represent clients during regulatory and customer audits
  • Perform country specific privacy and regulatory gap analysis

Confidential, Washington, DC

Information Systems Security Officer

Responsibilities:

  • Executed NIST risk management framework to achieve Authorization to Operate (ATO) in accordance with FISMA regulations, Commerce policies, NOAA procedures and CIO compliance for Web Operations Center and Network Operations Center
  • Performed architecture analysis of distributed data centers
  • Scheduled agency wide meetings and discovery sessions on security solutions and risk mitigation efforts
  • Prepared and Delivered ATO briefings to Authorizing Officials (AO)
  • Examined vulnerability scan reports for remediation action
  • Performed technical system testing of 100% of High and Moderate impact system security controls
  • Updated entire System Security Plan in correspondence with ATO package documentation
  • Completed and delivered Configuration Management Plan
  • Performed comprehensive security risk assessment and delivered risk assessment report (RAR) to system owner for awareness and acceptance
  • Prepared FIPS 199 system classification documents for system owner approval and acceptance
  • Developed SOW for independent assessment of security controls for HIGH system
  • Updated FIPS 200 documentation
  • Performed Security Control Assessment (SCA) testing
  • Developed detailed plans of actions and milestones (POA&Ms) for security control remediation
  • Updated configuration management plan, business impact analysis and contingency plan
  • Developed remediation procedure to address findings from vulnerability scan reports
  • Collaborated with CIRT team members for incident response testing and validation
  • Managed ATO package change control within project management system and CSAM repository
  • Attended regular Tag Ups with IT Security Officer (ITSO) for system security status briefings
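
The FIPS 199 categorization and FIPS 200 bullets above rest on one mechanical rule: each security objective (confidentiality, integrity, availability) of a system takes the highest provisional impact level assigned to any of the system's information types, and the system's overall impact level (which selects the SP 800-53 LOW, MODERATE or HIGH baseline) is the highest of those three. The following is an added example, written for this page and not taken from the resume or any agency artifact; the information types and impact values are constructed.

```python
"""FIPS 199 security categorization and FIPS 200 baseline selection by high-water mark.

Added example (not from the resume). Information types and their provisional
impact levels are constructed; in practice they come from SP 800-60 plus the
system owner's own analysis.
"""

IMPACT_RANK = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
RANK_NAME = {rank: name for name, rank in IMPACT_RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _validate(info_types):
    """Reject malformed input before it silently lowers a category."""
    for name, impacts in info_types.items():
        if len(impacts) != 3:
            raise ValueError(f"{name}: expected (confidentiality, integrity, availability)")
        for objective, level in zip(OBJECTIVES, impacts):
            if level not in IMPACT_RANK:
                raise ValueError(f"{name}: unknown impact level {level!r} for {objective}")
            # FIPS 199 permits N/A only for the confidentiality of public information;
            # integrity and availability always carry at least LOW.
            if level == "n/a" and objective != "confidentiality":
                raise ValueError(f"{name}: N/A is not permitted for {objective}")


def categorize_system(info_types):
    """Return per-objective high-water marks, the system impact level and the baseline.

    info_types maps an information type name to its (C, I, A) provisional
    impact levels, each one of "n/a", "low", "moderate" or "high".
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    _validate(info_types)

    result = {}
    for idx, objective in enumerate(OBJECTIVES):
        high_water = max(IMPACT_RANK[impacts[idx]] for impacts in info_types.values())
        # At the system level FIPS 199 floors every objective at LOW: a system
        # holding only public information still has LOW confidentiality, not N/A.
        result[objective] = RANK_NAME[max(high_water, IMPACT_RANK["low"])]

    # FIPS 200: the system impact level is the highest of the three objectives,
    # and that level selects the SP 800-53 control baseline.
    system_rank = max(IMPACT_RANK[result[o]] for o in OBJECTIVES)
    result["system"] = RANK_NAME[system_rank]
    result["baseline"] = f"SP 800-53 {RANK_NAME[system_rank].upper()} baseline"
    return result


def security_category(result):
    """Render the FIPS 199 notation, e.g. SC = {(confidentiality, LOW), ...}."""
    parts = ", ".join(f"({o}, {result[o].upper()})" for o in OBJECTIVES)
    return "SC = {" + parts + "}"


if __name__ == "__main__":
    # Constructed information types for an operations-center style system.
    sample = {
        "public web content": ("n/a", "moderate", "moderate"),
        "network monitoring telemetry": ("low", "high", "high"),
        "administrator credentials": ("moderate", "high", "moderate"),
    }
    categorized = categorize_system(sample)
    print(security_category(categorized))
    print(categorized["system"], "->", categorized["baseline"])
```

The floor-at-LOW step is the one most often missed in hand-built categorization worksheets: an all-public system's confidentiality objective is LOW at the system level even though every information type was marked N/A, and a single HIGH integrity value on one information type drags the whole system, and therefore its control baseline, to HIGH.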

Confidential, Washington, DC

Information Security Policy Advisor

Responsibilities:

  • Advise executive staff, technical management and agency leadership on security and compliance risks of proposed and existing solutions and architecture
  • Initiated WebEx sessions and face-to-face meetings District-wide to discuss proposed security application or system implementation and provide advice on security technologies and compliance
  • Developed the District’s information security policy and distribution strategy to align with FISMA, international standards and industry regulations
  • Developed the District’s HIPAA Security Policy inclusive of 2013 Omnibus Rule in alignment with District’s HIPAA Privacy Policy
  • Collaborate with Health Benefit Exchange leadership to ensure security policy compliance
  • Evaluated and modified existing policy for technical and regulatory relevance
  • Developed and documented new policy framework to support policy deficit and compliance
  • Collaborated with District agencies to ensure collaboration with existing initiatives
  • Advise on Cloud services procurement and security impact of enterprise implementation
  • Developed Security Operations Center White Paper for District executives and stakeholders
  • Developed Security Operations Center Concept of Operations for SCIF
  • Developed and documented processes for security operations incident response program
  • Directed network and security operations cyber incident response for District wide cyber attack exercises in collaboration with District’s Homeland Security Emergency Management Agency
  • Reviewed SIEM logs for event correlation and security activity reporting
  • Advise the District’s Homeland Security Emergency Management Agency on Cyber Attack vectors
  • Served as a cyber security resource to the Washington Regional Threat Analysis Center
  • Convened a cyber attack working group with FBI, USSS and the District to implement information sharing and remediation strategies during attacks on District critical systems
  • Served as Federal and Industry cyber incident liaison to manage information sharing and disclosure during cyber attacks against District infrastructure
  • Developed protocols for cyber attack notification to the public in collaboration with District public information officers by convening a public awareness working group
  • Facilitated IRS, SSA and other Federal Agency audits of District systems to demonstrate compliance and recommend remediation activities
  • Developed framework and content for State of Security reports to Mayor and executive leadership
  • Represented the District of Columbia during DHS FEMA nationwide cyber attack exercises
  • Prepared security management briefings for Mayoral and executive leadership approval
  • Provided advice and corrective action plans for policy audits from Federal regulatory agencies including Dept. of Treasury for FTI and Dept. of Health and Human Services agencies PHI

Confidential, Washington, DC

Contractor, Cyber Security Architect / FISMA Security Consultant

Responsibilities:

  • Reviewed and modified planned security architecture of classified systems
  • Mapped NIST with DoD security controls for Systems Security Plans
  • Correlated 4300A, 4300B, ISO 27002 and COBIT for comprehensive security control application
  • Developed security control statements based on classified system functionality
  • Presented continuous monitoring strategy for Government approval

Confidential, Suitland, MD

Contractor, Senior Security Specialist

Responsibilities:

  • Provided support in establishing and updating System Security Plans (SSPs), security policies and procedures including C&A/A&A package documentation, CSIRC, CIP, and MOU/ISAs
  • Provided full-scale C&A/A&A activities including maintaining policies, FIPS 199 support, risk assessments, test and evaluations, and physical site assessments
  • Served as advisor on security control product and service selection
  • Performed security risk analysis of system interconnections
  • Performed network architecture security risk analysis of proposed system and network connections
  • Provided disaster recovery planning and testing
  • Prepared FISMA reports, managed POA&Ms, and collaborated with GAO/IG
  • Developed and oversaw security materials
  • Advised security operations on incident remediation

Confidential, Suitland, MD

Contractor, Senior Security Advisor

Responsibilities:

  • Provided guidance to ISSO on policy compliance for Bureau and Division
  • Wrote security standards and guidelines to enhance Interconnection Service Agreement Policy
  • Prepared Certification and Accreditation package via CSAM (Federal Cyber Security Asset Management)
  • Provided full-scale C&A activities including maintaining policies, FIPS 199 support, risk assessments, test and evaluations, and physical site assessments
  • Developed security policy and controls cross document based on NIST to ensure policy compliance
  • Created plans in compliance with ATO
  • Performed POA&M remediation with 100% successful completion
  • Managed System Security Plan updates
  • Evaluated security risk assessment results for remediation to policy conformance
  • Developed Govt. Shutdown Plans for operational integrity
  • Created DR Plans, Exercises and Reports
  • Provided NIST Guidance on Risk Management Framework
  • Developed continuous monitoring strategy

Confidential, Washington, DC

Security Audit

Responsibilities:

  • Perform audits of IT, IT Security, Physical Security, Personnel and Privacy controls
  • Provide recommendations for regulatory compliance
  • Develop remediation strategies
  • Evaluate solution providers for policy and requirements compliance
  • Represent clients during regulatory and customer audits
  • Perform country specific privacy and regulatory gap analysis
  • Provide policy and regulatory advice and guidance to global clients and executive leadership on security posture for identity and access management solutions and audit compliance.
  • Develop Policies, Standards and Guidelines based on NIST, COBIT, ISO 27001 mapped with industry specific regulations and organizational operations
  • Develop business unit specific security policy awareness and presentations
  • Deliver security policy, standards and guidelines to technical staff and senior management
  • Perform vulnerability Nessus/Metasploit scans against internal and customer operational environments
  • Produce and deliver technical and management vulnerability reports
  • Provide remediation reports to technical personnel
  • Brief management on security posture and risk levels
  • Identify access control solutions for implementation throughout the SDLC
  • Implement end point protection and application security for desktops and mobile devices including full disk encryption management
  • Design cloud architecture solutions for hybrid Exchange, SharePoint, Salesforce and Office 365
  • Implement web content filtering solution and security program for GLBA and PCI compliance
  • Evaluate cloud services and serve as SME for web services implementation
  • Evaluate COTS and custom software for functional suitability and alignment with security controls
  • Ensure assessment of applications, vendors and operational efficacy with reports and recommendations to management
  • Perform security architecture analysis, system log analysis, design and resource implementation
  • Collaborate with operations, architecture, application development and management teams for various solutions
  • Advise on cloud service security requirements and vendor selection process
  • Manage team collaboration to ensure project delivery
  • Redesign existing IT security architecture to support the use of existing user authentication directory structure
  • Evaluate solutions based on existing resources, technology and processes to determine impact of growth, application functionality, enterprise security and PCI and HIPAA compliance
  • Determine approaches to encryption with public use data on shared private networks
  • Deliver solution briefings to management and stakeholders
  • Wrote policies to establish convergence authority for identity and access management
  • Manage physical and information security leads on successful solution implementation
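
Two parts of this resume describe the same workflow: the ISSO role (examining vulnerability scan reports, developing remediation procedures and POA&Ms) and the audit role above (running Nessus scans and producing technical and management vulnerability reports). The code below is an added example of that workflow, written for this page and not the resume author's or Tenable's code. It parses the `NessusClientData_v2` XML that Nessus exports, drops informational results, and collapses per-host findings into one POA&M weakness per plugin with a scheduled completion date. The scan file is constructed inline (fictional plugin IDs and hosts), and the severity-to-deadline table is an assumed organizational policy, not a citation of any regulation.

```python
"""Turn a Nessus (.nessus v2) export into POA&M-style weakness entries.

Added example (not from the resume). SAMPLE_NESSUS is a constructed scan
export with fictional plugin IDs and hosts; SLA_DAYS is an assumed remediation
policy chosen for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta
import xml.etree.ElementTree as ET

# Days allowed to close a weakness, keyed by Nessus severity (4 critical .. 1 low).
SLA_DAYS = {4: 15, 3: 30, 2: 90, 1: 180}          # assumed policy
SEVERITY_NAMES = {4: "Critical", 3: "High", 2: "Medium", 1: "Low"}

# Constructed sample: two hosts share one High finding; each also has one Medium.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="10.0.0.5">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="TLS Version 1.0 Protocol Detection">
        <risk_factor>High</risk_factor>
        <solution>Disable TLS 1.0 and require TLS 1.2 or later.</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900002" pluginName="OS Identification">
        <risk_factor>None</risk_factor>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
                  pluginID="900003" pluginName="SSH Weak MAC Algorithms Enabled">
        <risk_factor>Medium</risk_factor>
        <solution>Remove MD5 and 96-bit MAC algorithms from the SSH configuration.</solution>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="TLS Version 1.0 Protocol Detection">
        <risk_factor>High</risk_factor>
        <solution>Disable TLS 1.0 and require TLS 1.2 or later.</solution>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
                  pluginID="900004" pluginName="SMB Signing Not Required">
        <risk_factor>Medium</risk_factor>
        <solution>Enforce message signing in the host's SMB configuration.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return one dict per ReportItem, skipping informational (severity 0) results."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            severity = int(item.get("severity", "0"))
            if severity == 0:            # informational: no weakness to track
                continue
            findings.append({
                "host": host.get("name"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "port": f"{item.get('protocol')}/{item.get('port')}",
                "severity": severity,
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def build_poam(findings, scan_date):
    """One POA&M weakness per plugin, listing every affected host, worst severity first."""
    by_plugin = defaultdict(list)
    for finding in findings:
        by_plugin[finding["plugin_id"]].append(finding)

    entries = []
    for plugin_id, group in by_plugin.items():
        severity = max(f["severity"] for f in group)
        entries.append({
            "weakness_id": f"POAM-{plugin_id}",
            "severity": SEVERITY_NAMES[severity],
            "severity_level": severity,
            "description": group[0]["plugin_name"],
            "affected_hosts": sorted({f["host"] for f in group}),
            "remediation": group[0]["solution"],
            "scheduled_completion": (scan_date + timedelta(days=SLA_DAYS[severity])).isoformat(),
        })
    entries.sort(key=lambda e: (-e["severity_level"], e["weakness_id"]))
    return entries


def triage(xml_text, scan_date_iso):
    """Convenience wrapper: scan export plus ISO scan date -> ordered POA&M entries."""
    return build_poam(parse_nessus(xml_text), date.fromisoformat(scan_date_iso))


if __name__ == "__main__":
    for entry in triage(SAMPLE_NESSUS, "2024-01-01"):
        print(entry["weakness_id"], entry["severity"], entry["description"],
              entry["affected_hosts"], "due", entry["scheduled_completion"])
```

Grouping by plugin rather than by host is what keeps a POA&M reviewable: a single TLS 1.0 weakness with two affected hosts is one milestone, not two, and the due date follows the worst severity seen across the group.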

Confidential, Atlanta, GA

Global Director, IT Security / Corporate Security Advisor

Responsibilities:

  • Developed corporate security program and provided directives for implementation
  • Developed global information security policies and policy awareness
  • Developed region specific policies based on industry, local and national regulations
  • Created security policy, standards and guidelines architecture in MS SharePoint for global corporate distribution and customer viewing
  • Performed Peer reviews of Policy documentation for completeness, regulatory accuracy and approval
  • Modified policies after peer review or change control board action
  • Advised senior executives on data security, privacy, compliance and regulatory requirements
  • Communicated policy and compliance violations and corrective action plans to management
  • Modified policies as a result of critical impact or incident response actions
  • Revised existing and developed new security policies reflective of current threats and operations
  • Enforced the use of developers guide for securing applications, security in the SDLC and code level pre-production analysis
  • Successfully implemented and obtained BITS Shared Assessment Program / Audit of Agreed Upon Procedures Report
  • Successfully obtained global PCI DSS compliance for regions and all service lines
  • Initiated internal audit for SAS70 compliance and developed customer notification process
  • Served as core team member to develop the company’s privacy program with General Counsel, Outside Counsel and VP of Operations
  • Instituted culture of RBAC and principle of least privilege
  • Developed global security program to address deficiencies and meet country specific compliance
  • Consulted, Advised and Approved strategic direction for new security offerings
  • Addressed security concerns during RFP selection process and delivered security posture presentations to potential financial industry customers internationally
  • Ordered the development of an IT Security Intranet for knowledge transfer, awareness, reporting metrics and customer evidence posting to Archer GRC and vendor management systems
  • Responded to customer inquiries regarding corporate security posture and system architecture
  • Instituted security posture knowledge base for sales and account management team self service
  • Participated in review meetings to provide security risk assurance for all proposed IT projects
  • Communicated Information Security strategy to corporate stakeholders and auditors
  • Trained sales and account teams to sell security features of corporate security program
  • Served as SME and presenter for industry organizations and customer prospect engagements
  • As a result of my technical, analytical and highly articulate communication skills, I represented the company to customer executives, the parent company board of directors and top prospects on security matters.
  • Traveled globally to customer closings and prospective customers to provide pre-sales technical support which helped shape deals by cross-selling and/or up-selling security services based on client architecture and operating environment
  • Successfully prepared the organization for big six bank audits and assessments resulting from pre-sales security endorsements
  • Supported senior sales executives on large deals by demonstrating security subject matter expertise to customer security SMEs and validating our stated security posture
  • Responsible for writing and modifying security related components of proposals
  • Developed policies and facilitated the creation of actual and sanitized versions of security architecture diagrams, incident response flow process and data center racking for disaster recovery and security project scoping purposes
  • Implemented Unified Threat Management approach with Defense-In-Depth architecture inclusive of NIDS, HIDS, endpoint protection, application security, vulnerability scanning, system integrity and redundancy
  • Integrated security technologies into existing framework
  • Implemented authentication failover solution for critical applications
  • Developed vendor management program to examine existing and potential vendor /partner security posture
  • Conducted vendor premise audits and issued security remediation requirements
  • Developed and issued Managed Security Services RFP including selection and terms negotiation
  • Reviewed MSS proposals for operational and customer management suitability
  • Developed the company’s security incident response program
  • Investigated and developed remediation plans for security breaches
  • Engaged Law enforcement, forensic analysts and customer stakeholders
  • Documented information risk control gaps, including remediation planning, as well as investigating and resolving control incidents.
  • Identified local, international and market security risks to corporate sustainability.
  • Comprehensively assessed existing security posture with risks to compliance and recoverability
  • Recommend solutions reducing risks to acceptable levels to enable business efficiency while protecting information assets.
  • Developed and delivered region specific security awareness with local regulatory compliance
  • Served as a member and advisor to the global risk management team and change control board to ensure appropriate security controls and risk mitigation
  • Collaborated with International Physical Security and Safety leaders for development of cohesive security standards and IT platform convergence and compliance
  • Developed data protection security plan for executive global travel and business continuity

Confidential, Atlanta, GA

Contractor, Information Security Architect / Analyst / Advisor

Responsibilities:

  • Evaluated environment for security risks, IT standards, policies and frameworks including FISMA, ISO 17799, ISO 27001, COBIT, HIPAA and PHIN, HL7 Protection
  • Developed security policy, standards and guidelines
  • Trained 18 Public Health District IT leaders on Policy and Guidelines for new security controls
  • Provided technical security review of applications, systems and security processes
  • Performed security management compliance audit readiness assessments
  • Assisted with planning and scoping agency wide engagements including vendor product evaluation
  • Served as SME for bioterrorism, emergency preparedness, contingency planning and continuity of operations processes
  • Ensured relevant, current and authorized information availability for ISSO responsibilities
  • Delivered clear instructions and explanations regarding security related subject matter
  • Arranged and attended client engagement meetings for risk assessments and prepared status reports throughout security project engagement
  • Provided security recommendations to agency business units
  • Designed and implemented RSA SSO, three factor authentication web solution for critical national emergency and bioterrorism response system
  • Provided information security advice relative to physical and industrial security incidents
  • Evaluated security plans for consistency with existing policies, procedures and guidelines
  • Determined security incident susceptibility to court injunction
  • Examined risk factors and made recommendations for legal engagement
  • Designed, documented and diagrammed defense in depth WAN security architecture for central and remote facilities
  • Developed system flow diagrams and business process models for SOPs, BCPs and DR
  • Reviewed and approved data architecture framework in compliance with federal cross functional component requirements
  • Reengineered existing .Net application inclusive of SecurID for role based authentication incorporating LDAP
  • Reviewed and Developed technical and security requirements for RFPs and RFQs
  • Implemented HIPAA Compliance System to Identify and Mitigate security vulnerabilities in Public Health systems
  • Reviewed and revised vendor contracts for compliance and liability irregularities
  • Developed physical, technical, and security management guidelines for laboratory access
  • Coordinated vendor efforts/Gathered technical requirements of regional public health regions for HIPAA Compliance solutions
  • Developed strategic plans to install 10,000 client agents that report system compliance to central policy console for mitigation and report generation
  • Implemented Intrusion Prevention Systems on critical servers
  • Consulted with CDC and HRSA on regulatory crypto requirements for national emergency response program
  • Reviewed compliance mitigation plans to ensure quantitative ROI
  • Gathered security compliance statistics, developed reports and presented to senior management
  • Implemented an Intrusion Detection System to Identify and Mitigate malicious attacks on Public Health Systems
  • Custom Configured, Documented and Delivered Intrusion Detection Systems to regional Public Health Districts
  • Configured regional IDS with central IDS Console for reporting, monitoring and mitigation
  • Implemented and documented secure access procedures to statewide Public Health Laboratory resources from Vendors, Partners and System Administrators
  • Performed Vulnerability Assessment, Documented and Gathered Technical Requirements of the Public Health Laboratory
  • Instituted change management process for laboratory vendors and service providers
  • Developed security test scripts and performed pen test during UAT for new and critical systems
  • Prepared security FAQs and Problem/Resolution Documentation for agency Help Desk upon security product deployment
  • Trained technical users on new Policy, IDS, IPS, Compliance, Access Control and Vulnerability management systems via technical working sessions
  • Performed forensic analysis and recovery on breached systems

Confidential, Wash, DC

Contractor, Sr. Security Advisor / Systems Auditor / Policy Writer

Responsibilities:

  • Manage security projects for the development, design and implementation of Government, SCADA, Financial and Industrial security programs
  • Implement industry security controls based on a combination of regulatory standards for compliance including security convergence
  • Perform Certification and Accreditation of mission critical Government applications and systems
  • Consult with business managers on terrorism threats and risk management
  • Review existing client policies for accuracy, completeness and enhancement
  • Interview business units for operational development of policies, guidelines and standards
  • Developed information security policies and delivered the policies to stakeholders.
  • Developed train-the-trainer program for policy awareness in workshops, classroom and panel forums
  • Develop baselines for security risk assessments, drills, exercises and
  • Investigated and interviewed personnel for security clearances
  • Developed media plans to address security breaches
  • Consult executives on security best practices regarding U.S. and DHS security initiatives, in financial services, public health, transportation, maritime and information security regulatory compliance
  • Provide security investigation and analysis on security related issues
  • Document and provide situation reports or briefings to customers and senior management.
  • Perform Investigations relating to computer fraud, governance and privacy regulations
  • Consult on development of security solutions for e-commerce and B2B solutions
  • Consulted with developers throughout the SDLC for C, Java and .Net applications for information assurance
  • Perform critical infrastructure risk analysis and implement security solutions
  • Consult with management on security risks, analysis and disaster recovery planning
  • Review vendor products for proof of concept environments and program implementation
  • Provide physical security assessments for executive clients and corporate events
  • Implement firewalls, Intrusion Detection Systems and networking equipment at client sites
  • Provide supervision for remote installation and administration of security devices
  • Train technicians on remote troubleshooting of information and physical security equipment

Confidential, Alexandria, VA

Contractor, Network Security Engineer & Team Lead

Responsibilities:

  • Led team to design security architecture from over 52 different network configurations for mission critical environment
  • Provided executive level situation reports to team and key personnel

Confidential, Washington, DC

Contractor, Network Security Engineer

Responsibilities:

  • Performed network security risk analysis and assessments
  • Designed and implemented network security policy

Confidential, Annapolis, MD

Contractor, Network Security Engineer

Responsibilities:

  • Managed, administered and documented more than 170 Check Point / Nokia firewalls
  • Configured rule bases, including net objects, entities, custom protocols and services

Confidential, Washington, DC

Contractor, Network Security and Support Engineer

Responsibilities:

  • Provided Network Operations Center support for Confidential internal switched and external network
  • Configured 2500 and 2600 series routers for new subnets and managed connectivity to remote locations

Confidential, Reston, VA

Senior Security Analyst

Responsibilities:

  • Provided technical support for Confidential Corporate IP Security
  • Managed Confidential internal and Confidential customer firewalls

Confidential, Hanover, MD

FTE, Network Engineer / Technical Project Lead

Responsibilities:

  • Provided technical guidance to server upgrade project manager
  • Served as liaison between project manager and systems engineers

Confidential, Washington, DC

Contractor, Systems Engineer / Help Desk Manager

Responsibilities:

  • Monitored and maintained corporate IP network in mixed 400+ user environment
  • Provided technical design solutions to engineers and management

Confidential, Confidential, MD

Contractor, Network Engineer / Technical Support

Responsibilities:

  • Provided tier two desktop support in 800 plus Win95, NT 3.51, NT 4.0, NetWare 3.12 & 4.11, Notes 4.5, cc:Mail 6 environment
  • Trained new technicians on desktop installation and reconfiguration

Confidential, Owings Mills, MD

Contractor, Network Engineer

Responsibilities:

  • Migrated users from NetWare to NT 4.0 Network
  • More than 1000 users in Win95 and NT 4.0 environment

Confidential, Washington, DC

Contractor, Systems Engineer / Help Desk Coordinator

Responsibilities:

  • Designed and implemented a corporate helpdesk
  • Created policies and procedures, Service Level Agreements and technical documentation

Confidential, Reston, VA

Contractor, Systems Engineer

Responsibilities:

  • Provided tier three support for IWS/LAN Social Security Administration project; currently the largest NT 4.0 implementation
  • Supported SSA Administrators during test and acceptance phase after installation in 700 LAN, 3500 workstation environment

Confidential, Annapolis Junction, MD

Contractor, Network Technician / Trainer

Responsibilities:

  • Traveled to various cities installing LANs for corporate rollout
  • Installed and configured NT 4.0 Servers and workstations

Confidential, Bethesda, MD

Contractor, System Administrator / Trainer

Responsibilities:

  • Supported 200 user facility in NT & NetWare Environment
  • Installed and configured Desktops during NT Migration

Confidential, Rockville, MD

Contractor, Help Desk Coordinator

Responsibilities:

  • Supported multiple ISPs via phone in a 24x7 operation
  • Trained and supervised new technicians on internet software and connectivity