- Confidential has over 20 years of Information Security, information technology (IT), systems engineering and technical information security experience supporting a broad range of programs, systems/applications in commercial, federal civil, and DoD environments. He has used his information security/assurance, systems engineering and IT skill set to lead and support numerous efforts in programs/projects
- Confidential's extensive commercial/industrial sector experience includes: Health Care, Entertainment, Chemical/Petroleum, Pharmaceuticals, Financial, Technology, etc.
- 20+ Years total IT/IT Management experience
- 15+ Years IT Security/Information Assurance/Infosec & Auditing Experience
- Extensive Program and Project Management Experience
- Extensive IT Security Consulting Experience and Security Architecture Experience
- Exceptional System and Software Engineering, Design, and Development Skills
- Multiple Platform Expertise (Windows/Linux/Unix/Mainframe and Cloud Infrastructures)
- Multiple ERP/Business Applications (SAP (R/3 and ECC 6.0), PeopleSoft, Oracle ERP, Oracle BRM, Oracle AERS, etc.)
- Excellent Communications/Customer Service, Interface and Problem Solving Skills
- Proficient at developing and executing strategic and tactical IT/IT Security plans
- Extensive IT Security Management/Engineering and IT Security Operations Experience
- Secure Software Development Methodologies (S-SDLC)/Agile/DevOps
- Access Control and Identity Management
- Cloud Computing Security Requirements Development
- Information Assurance/IT Security Consulting
- Enterprise Security Architecture/Engineering Development and Analysis
- SOX, PCI DSS, COBIT, ISO 27001, ISO 27002 (17799), ISO 27005, HIPAA and Confidential Compliance; FedRAMP/FedRAMP+, Confidential 800-37, and Confidential 800-53
- Security Certification and Accreditation (Confidential/DIACAP), Confidential 800-53 and 800-37
- IT Security Compliance Tools (eMASS, Trusted Agent, and CSAM)
- Penetration Testing/Vulnerability Scanning and Assessments
- Infrastructure, Web, Database and Application Security
- Data Loss Prevention (DLP), Web Services and Source Code Testing/Review
- Web, Database and Network Security Engineering
- Security Programs/Policy Development and Management (IT Security Governance)
- Enterprise Audit Log Management/SIEM Tools (ArcSight, Splunk, etc.)
- NOC/SOC Development/Management (incident response, intrusion detection, etc.)
- Office Productivity Software/Tools: MS Word, PowerPoint, Excel, Project, Visio, etc.
AREAS OF EXPERTISE:
Computer/Network Security/Access Control: SAP GRC/Access Control, SAP Application Security/Authorizations, Oracle IAM, Oracle Directory Service, Microsoft Active Directory, RSA IAM, Courion IAM, Cloud Computing Security, IAM integration, CA SiteMinder, OpenAM, IBM Mainframe Security (RACF/CA-Top Secret), Cisco PIX/FWSM and Juniper Netscreen Firewalls, Packet Filters, Proxy Servers, DLP Tools, Encryption, Public Key Infrastructures (PKI), Smart Cards, S/MIME, SSL/TLS, WTLS, 802.1X, Cryptographic Standards (e.g., PKCS#10), Authentication (e.g., Kerberos), IPSec, Network and Systems Audits, VPNs, Remote Access Service (RAS) Security, Intrusion Detection/Penetration Testing, NAT, RADIUS, Unix and Windows Security, e-Security, Network Scanners/IDS (e.g., ISS, GFI LANguard, FoundScan, SNORT/Sourcefire, Tenable/Nessus), O/S Hardening Techniques, Code Review and Compliance Tools (Trusted Agent Confidential (TAF), eMASS, CSAM C&A Web Tool, ACAS, WebInspect, DISA Checklists, SRR/Scripts and CIS Benchmarks, etc.), Computer and Network Forensics Tools, Computer Incident Response and IT Contingency Planning. DLP Tools: Confidential DLP, OpenDLP, CA DataMinder and Control Case. SIM/SIEM Tools: Confidential ePO/Enterprise Security Manager, HP ArcSight and Splunk Audit Log Management, SolarWinds Log Event Manager, LogRhythm, and DoD HBSS.
Federal Government Laws and Policies/Enterprise Architectures/SDLC: Confidential, HIPAA, Confidential (800-37, 800-53/800-53A, 800-30), NIACAP, DIACAP, Risk Management Framework (RMF), DITSCAP, NISPOM, DCID 6/3, FedRAMP, FedRAMP+, GPEA, Clinger-Cohen Act, FIPS (140, 199, 200, etc.), OMB A-130, Zachman Framework, Federal Enterprise Architecture (FEA), Treasury Enterprise Architecture Framework (TEAF), DODAF, Architecture Frameworks, Army Enterprise Architecture (AEA), Capital Planning and Investment Control (CPIC), DoD 5000 and BCL, Business Case Development (OMB 300s and 53s), FEA Performance Management Models, Earned Value Management (EVM), Rational ClearQuest, Harvest, DOORS, etc.
Telecommunications, Communication, Networking: TCP/IP (routing and application protocol suite), IPv6, SNA, Frame Relay, X.25, ISDN, ATM, FDDI, Ethernet (Gigabit, 100BaseT, 802.11b, etc.), Token Ring, Wireless Communications Technologies and Optical Communications, Telco/PBX switches/ACDs, Telephony Network Signaling (e.g., CCS7/SS7, etc.), LAN/Network Switching (Layers 2/3/4), PSTN and Services, Packet Switched Networks, VoIP, DSL (e.g., ADSL, etc.), Cable TV Network Technology, VLANs, Policy Based Networks (e.g., RSVP), Communications Processors and Servers, and IBM Large System Communications, etc.; Product Experience: Extensive Cisco, Juniper, etc.
Internet Architecture and Connectivity: Trusted Internet Connections Providers (TICAP), NAPs, MAEs, ISP/POP, Backbone and interfaces, routing services and policies, Web Server Farm Development, Portal Architectures, Web Proxies/Caching Technologies (e.g., BlueCoat), Load Balancers (Big IP F5, Server, etc.), Middleware/ORBs (ODBC, CORBA, ActiveX, DCOM, Microsoft .NET Framework, MOM, SOAP, etc.), ERPs (SAP (R/3 and ECC 6.0), PeopleSoft, Oracle, Oracle BRM, Web services, etc.), Apache and IIS Web Servers, Service Oriented Architectures (SOA) and Software as a Service (SaaS).
Operating Systems/Computer Languages: NOS/DFS, VMware, Windows 2003 Server, Windows NT, MSNET, CIFS, and other SMB based Network Operating Systems (NOS), etc.; Unix, Xenix, Red Hat Linux, AIX, Solaris, Windows 2000/XP, Vista, OS/2, Mac O/S, MVS, OS/390, z/OS, TPF, RTOS, Embedded Operating Systems and proprietary real-time O/S, etc.; C, Perl, .NET, C++, ASP, Java, J2EE, ABAP/4, Object Oriented Programming (OOP) and Design Techniques (e.g., UML, etc.), CGI, HTML, XML, proprietary languages, etc.
Enterprise Management/E-mail/Messaging/GroupWare/Directories: SNMP, RMON, CiscoWorks, Tivoli, HP OpenView/Radia, Unicenter TNG, NetExpert, Sun Enterprise Manager, Protocol Analyzers, etc.; X.500, Microsoft Active Directory/LDAP, Internet Mail (SMTP, POP/IMAP, etc.), Microsoft Exchange 5.5/2000/2003, X.400, other proprietary E-mail Systems and Architectures, Lotus Notes, MQ Series, etc.
High Availability & Fault Tolerant Systems/Storage Technologies: Storage Area Networks (SANs), Fibre Channel, SCSI, ESCON, RAID, Storage Management Techniques (e.g., HSM), etc.; IBM’s Sysplex, Compaq/Tandem Clustered Computing, Microsoft Cluster Service, Proprietary Systems, etc.
Sr. Principal IT Security Consultant
- AWS Cloud Computing Development and Deployment
- FedRAMP Cloud Computing Assessment and Authorization Support
- ISO 27001 Cloud Certification Support
- SOC2 Compliance Support
- General Data Protection Regulation (GDPR) Compliance/Privacy Support
Confidential, Reston, VA
Project Manager/Sr. Information Security Consultant
- Program/Project Management
- Task Assignments and Monitoring
- Quality Assurance
- Monthly Status Reports and COTR/COR Meetings
- Contract Staffing
- DoD/CNSS 1253 (Confidential 800-53) Security Control Assessments
- DIACAP/DIACAP Annual Reviews
- FedRAMP/FedRAMP+ Cloud Computing Assessment Support
- Security Impact Assessments
- Confidential Reporting/Governance Risk and Compliance (GRC) eMASS Updates
- POA&M/Authorization Official Risk Assessments (AORAs) Development/Management
- Audit Log Review and Analysis using ArcSight
- Incident Response/Reporting
- Vulnerability and Patch Management Support
- IAVA and Secunia Tasking Coordination and Support
- Security Configuration Management (STIGs)
- Systems, Applications and Products (SAP) OSS Notes (SAP specific patches)
- ACAS/SCAP Scans Review
- Corrective Action Plan Management
- Security/System Development Lifecycle (EBS changes, enhancements or updates)
- System/Application/Functionality review and overall impact on the EBS Architecture Baseline
- Analysis of SAP Applications Code/Customization Changes
- Analysis of Non-SAP Application Code/Customization Changes
- STIG Planning/Review & Vulnerability and Patching update support
- ACAS and Configuration Scanning Reviews
- EBS Document/Artifact updates support
- Continuity of Operation impact review
- POA&M and AORA Support
- System Engineering Gate Review and meeting support
Sr. Security Consultant/Sr. Security Assessor
- Confidential 800-53 Control Assessments
- System Security Authorization Consulting Advice
- Risk Assessments Development
- Extensive FedRAMP/Cloud Computing Review/Requirements
- Security Assessment Report Development
- POA&M Development/Management
- Vulnerability Scan Review
- SSP/SSP Addendum Reviews/Updates
- Security Assessment Package (SAP) Development
- CIO/Authorization Official Briefing Development
- CIO/Authorization Official Meeting Support
Confidential, Falls Church, VA
Subject Matter Expert
- Supported MHS in numerous DIACAP/DITSCAP/DIARMF and Confidential 800-37 rev1 IA Certification and Accreditation (C&A) projects.
- IT Security Program Management, Confidential and IAVM Compliance, Security Architecture Development and Review.
- Completed several PHI/PII discovery, monitoring and management efforts in support of DLP implementations.
- DoD Policy Development, Review and interpretation.
- IA Best Practices Development and Vulnerability Scanning (Retina, Gold Disk, Unix and Oracle SRR scripts, etc.).
- Infrastructure, application, source code, and web services vulnerability reviews.
- IT Security Program Evaluations and SOA Security Assessment and Reviews.
Confidential, Washington, DC
- Enterprise-wide Security Architecture development, PCI DSS Compliance support, IT Security Policy Development, ISO 27001/ISO 27002 Control reviews.
- Credit Card data and PII discovery, monitoring and management techniques.
- Data Loss Prevention (DLP) recommendations and implementation support for Confidential DLP, OpenDLP, CA DataMinder and Control Case.
- Confidential outsourced IDS and SIEM implementation support, review and recommendations.
- Firewall audits and Web Application vulnerabilities (OWASP top 10) scanning/remediation.
- SOX Compliant and Cloud Computing Requirements Development.
Confidential, Rockville, MD
IT Security requirements development
- Application, Database and Network Security Engineering and Project Management; Access Control and Identity Management (Oracle SSO and Active Directory integration); Confidential Compliance, Confidential 800-53 and Confidential 800-37 Based Security Certification and Accreditation (C&A); Data Loss Prevention (DLP) tools/techniques/policy development (Websense); PII/PHI discovery tools; Vulnerability Scanning/Testing and Remediation; and Secure Windows and Unix baseline configuration development. System Security Plans (SSP), Risk Assessments, and COOP development.
Confidential, Vienna, VA
- PCI and SOX Compliance reviews, Federal IT Security Certification and Accreditation (Confidential 800-37 revision 1) effort for a multi-agency (federal & state governments) web-based application.
- Confidential 800-53 revision 3 Control Testing and Web Application Security Penetration Testing (OWASP top 10) support.
- Privacy Reviews/Impact Analysis, POA&M Management and IT Security Vulnerability Scanning and Penetration Testing.
Confidential, Washington, DC
- IT Security Program Management, Confidential Compliance/Reporting, Confidential 800-53 Control Testing, A-123/FISCAM Controls Testing, and Confidential 800-37 based Certification and Accreditation (C&A).
- Privacy Reviews/Impact Analysis, POA&M Management and IT Security Compliance Tools (CSAM) use.
- Websense implementation/management, Vulnerability Scanning and Penetration Testing. Confidential 800-37 Revision 1 transition planning and support.
Confidential, Fairfax, VA
- Provided IT Security, Privacy Consulting and Governance Services to Federal Government Clients.
- IT Security Program Management, Confidential Compliance, Confidential 800-53 and Confidential 800-37 and DIACAP Based Certification and Accreditation (C&A).
- Privacy Reviews/Impact Analysis, IT Security Compliance Tools (Trusted Agent, RMS and CSAM), Security Architecture Reviews and Software and System Security Engineering.
- IT Security Process and Procedure Improvement/Development, Systems Development and Design/Engineering.
- Enterprise Architecture, Program and Systems Requirements Development and Review. Program and Project Management, Software Engineering and SOA/Source Code Review (security vulnerabilities).
Confidential, Reston, VA
- Information Assurance consulting services to the Department of Homeland Security’s Immigration and Customs Enforcement (DHS/ICE) component.
- Technical Team and Programmatic Leadership for a staff of 20 Risk Analysts; IT Security Program Management, Confidential Compliance, Confidential 800-53/800-37 and DIACAP Based Certification and Accreditation (C&A).
- IT Security Compliance Tools (Trusted Agent, RMS and CSAM), Privacy Reviews/Impact Analysis, Security Architecture Reviews and Software and System Security Engineering.
- IT Security Process and Procedure Improvement/Development, IT Security Vulnerability Testing (infrastructure, application, code reviews, web services, etc.), SOC review and IT Security Program Evaluations. SOA Security and C&A efforts.