Information Security Professional with broad experience in identifying, assessing and recommending mitigations for organizational risk using NIST Special Publications 800-30, 800-53 Rev. 4, 800-37 and 800-39. Skilled in preparing authorization package artifacts (SSP, SAR and POA&M).
Nessus (SecurityCenter 5), CSAM, SAS, Enterprise Information Services (EIS), Microsoft Office (Word, PowerPoint, Excel, Access, Project) and SharePoint; Splunk, WebInspect, DbProtect, Fortify, AppScan, Nipper, Burp Suite Pro, WebSphere, ActiveState Perl, AquaFold, SoapUI Pro, UltraEdit, SNS Scan and Xacta Continuum.
Confidential, Vienna, Va
Compliance Assessor / ISSO Support
- Conduct interviews with key stakeholders during Confidential & Confidential efforts and ensure system documentation reflects the current system security configuration, including hardware and software components, data flows, interconnections, and ports, protocols and services.
- Analyze potential risks associated with system configurations and advise on mitigation strategies.
- Participate in Confidential & Confidential status meetings to move systems toward a successful Confidential & Confidential effort.
- Assist in estimating the Level of Effort (LOE) for Confidential & Confidential activities.
- Designed an SOP for developing and implementing detailed test plans and reviewing self-assessment findings to determine readiness for independent verification and validation (IV&V) assessment.
- Assist customer program offices in interpreting and applying mitigation strategies.
- Execute IV&V assessments and analyze test results for accuracy, compliance and adherence to Federal cybersecurity requirements.
- Conduct thorough reviews of all vulnerabilities, architecture and defense-in-depth strategies, and report findings in a plan of action and milestones (POA&M) document.
- Document residual risks and provide the cybersecurity risk analysis and mitigation determination results.
- Develop risk assessment artifacts describing initial risks identified during system development and residual risks identified during IV&V.
- Maintain cybersecurity policy and processes as assigned.
- Develop FISMA compliance documentation, including the BIA and PIA, based on FIPS 199 categorization and control selection, and develop the Confidential -mail Authentication workbook.
- Write control implementation statements in the SSP workbook for implemented, not applicable and partially implemented controls for TSP systems, averaging 900 security controls across multiple subsystems.
- Prepare ATO packages containing the SAR, POA&M and SSP for all TSP systems for CIO approval at the conclusion of each annual assessment.
- Conduct annual system assessments as continuous monitoring under RMF and FISMA guidelines using NIST publications.
Confidential, Rockville, MD
Compliance Assessor / Team Lead
- Experience training staff in security risk assessments under the NIST framework, with compliance automation expertise.
- Validate artifact documentation for CRF requests, annual assessments and POA&M table creation in accordance with DHS and FedRAMP guidelines.
- Review, update and edit security documents (i.e., Security Plans, Contingency Plan, Contingency Plan Test, Confidential - Authentication workbook, FIPS 199 workbook, etc.).
- Assess system security posture using manual procedures and technical tools, and conduct quality reviews of required artifacts (i.e., Security Plans, Contingency Plan, Contingency Plan Test, Confidential - Authentication workbook, FIPS 199 workbook, etc.).
- Support clients in developing processes and procedures for security compliance and risk management, and draft policies and procedures when needed.
- Manage the information security program and supporting organization: monitor the work performed and ensure quality, on-time performance of information security activities; maintain the security level of trust specified in the contract; formulate and implement a security operations concept; evaluate security compliance in an integrated hardware/software environment; and consult with users and technically evaluate proposals.
- Maintain an Agile environment with knowledge of the Government regulations, manuals, technical orders, standards and industry publications cited in the contract for information security.
- Organize, direct and coordinate planning and execution of all task order activities through management of resources and supervision of contractor staff. Communicate frequently with the Engineering and Operations teams for seamless hand-off of tasks from engineering to operations.
- Perform budget analysis of the resources necessary for successful performance of the contract.
- Implement technical and contractual resolution of all performance issues and actively pursue solutions to correct deficiencies.
- Research and present new products and configuration changes planned, engineered, tested and implemented by integrated project teams led by the Enterprise Architecture & Engineering project managers and implementation team.
Confidential, Rockville, MD
Information Security Analyst
- Ensure proper system categorization using NIST SP 800-60 and FIPS 199; implement appropriate security controls for the information system based on NIST SP 800-53 Rev. 4 and FIPS 200.
- Test, assess and document security control effectiveness: collect evidence, interview personnel and examine records to evaluate how effectively controls operate.
- Review and update remediation on plans of action and milestones (POA&Ms) in the organization's Cyber Security Assessment and Management (CSAM) system. Work with system administrators to resolve POA&Ms, gathering artifacts and creating mitigation memos, residual risk memos and corrective action plans to support POA&M closure.
- Conduct security assessment interviews to determine the security posture of the system and to develop the Security Assessment Report (SAR), completing the Security Test and Evaluation (ST&E) questionnaire using NIST SP 800-53A as required to maintain the company's Authorization to Operate (ATO), together with the risk assessment, system security plan and system categorization.
- Review and maintain all assessment and authorization (A&A) documentation and ensure it is included in the system security package.
- Perform information security risk assessments and assist with the internal auditing of information security processes.
- Assess threats, risks and vulnerabilities arising from emerging security issues and identify mitigation requirements.
- Review, analyze and coordinate remediation of vulnerability scan results (Retina, Nessus and CSAM) and other vulnerability information; recommend corrective action and review remediation for effectiveness.
- Ensure vulnerabilities and risks are mitigated efficiently in accordance with the organization's continuous monitoring plan.
- Collaborate with ISSO colleagues on planning and implementing enhancements to the system's risk management processes.
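As an added illustration of the FIPS 199 / NIST SP 800-60 categorization step referenced above (example code written for this page, not from this resume or any employer listed on it; the information types and impact levels are constructed), the following computes a system's security category by the high-water mark over each information type's confidentiality, integrity and availability impact, and maps the result to the FIPS 200 / SP 800-53 baseline. It also enforces the FIPS 199 rule that "not applicable" is permitted only for the confidentiality of public information.

```python
"""FIPS 199 high-water mark categorization and FIPS 200 baseline selection.

Added example, not from the resume above. Information types and their
provisional impact levels below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# FIPS 199 impact values ordered for the high-water mark comparison.
# "N/A" is allowed only for confidentiality (public information).
IMPACT_RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
RANK_IMPACT = {rank: name for name, rank in IMPACT_RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type (SP 800-60 style) with provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        level = getattr(self, objective).strip().upper()
        if level not in IMPACT_RANK:
            raise ValueError(f"{self.name}: unknown impact level {level!r} for {objective}")
        if level == "N/A" and objective != "confidentiality":
            # FIPS 199: integrity and availability always have at least a LOW impact.
            raise ValueError(f"{self.name}: N/A is only permitted for confidentiality")
        return level


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """Return the per-objective high-water mark across all information types."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max(IMPACT_RANK[t.impact(objective)] for t in info_types)
        category[objective] = RANK_IMPACT[highest]
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """Overall system impact: the highest value across the three objectives."""
    return RANK_IMPACT[max(IMPACT_RANK[v] for v in category.values())]


def select_baseline(category: Dict[str, str]) -> str:
    """FIPS 200 requires the SP 800-53 baseline matching the overall impact."""
    return f"{overall_impact(category).capitalize()} baseline (NIST SP 800-53)"


def format_sc(category: Dict[str, str]) -> str:
    """Render the category in FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    parts = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample: a hypothetical benefits-processing system.
SAMPLE_SYSTEM = [
    InfoType("Personnel records (PII)", "moderate", "moderate", "low"),
    InfoType("Public web content", "n/a", "moderate", "low"),
    InfoType("Payment processing", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_SYSTEM)
    print(format_sc(sc))
    print(select_baseline(sc))
```

The sample system categorizes as moderate confidentiality, high integrity and moderate availability, so a single high-impact information type (payment integrity) pulls the whole system to the High baseline; this is the usual argument for splitting such data into its own subsystem before authorization.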
Confidential, Reston, VA
Information Security Analyst
- Prepared and submitted security assessment plan (SAP) to CISO for approval.
- Provided support in designing and implementing automation for manual procedures and in developing baseline security configurations, standards and policy in accordance with industry best practices.
- Developed and updated the system security plan (SSP), security assessment report (SAR) and plan of action and milestones (POA&M).
- Monitored controls post authorization to ensure continuous compliance with security requirements.
- Created reports detailing identified vulnerabilities and the steps taken to remediate them.
- Maintained plans of actions and milestones (POA&Ms) and supported remediation activities.
- Participated in other governance team initiatives, to include development of comprehensive security awareness program; and audit response activities.
- Implemented company policies, compliance standards (FISMA; NIST SP 800-18, 800-53, 800-53A, 800-53 Rev. 4, 800-30, 800-37, 800-60 and 800-137; and the SANS 20 Critical Security Controls) and risk and business management into the RMF for information systems.
- Assisted system owners with developing security requirements for system projects.
- Assisted in the development of IT systems security policies, procedures, and practices.
- Refined and proposed modifications to security requirements and specifications.
- Worked with users, developers, and system administrators to aid, maintain, and continuously improve security posture.
- Reviewed scan reports from Splunk and Nessus.
- Performed continuous monitoring of security control effectiveness.
Confidential, Stafford, VA
- Collected, analyzed, verified, and prepared national threat information for daily intelligence briefing to senior government officials.
- Created a variety of reports, alerts, informational bulletins, operational plans, standard operating procedures, updates, threat assessments and briefings for upper-level management and nationwide dissemination.
- Provided subject matter expertise advisory support to various senior level managers in the Intelligence Community (IC) on issues pertaining to specific domains and areas of responsibility (AOR).
- Kept strategic plans, milestones and activities current with overall DHS strategy and SANS 20 compliance.
- Reviewed and evaluated threat data for dissemination to special agents and police officers.
- Collected, analyzed, and disseminated crime and threat data to special agents nationwide.
- Monitored changes to Government policies that affect the strategic mission.
- Conducted covert operations, investigated suspicious groups/individuals and worked undercover.
- Worked with special agents conducting investigations, interviews and interrogations related to cyber threats.
- Conducted regular liaison with various law enforcement agencies to ensure accuracy of threat information.
- Performed audits of physical security companies to ensure compliance with national regulations.
- Drafted memos, reviewed, and edited various documents for senior government officials.