Director Information Security / Manager Resume
Tallahassee, Florida
SUMMARY:
- A recognized expert in Information Security Management & Privacy Services who is focused on delivering Public and Private Sector Information Security & Privacy Services.
- Has a diverse, 38-year background in IT Security and Compliance including 20 years as a Cryptologist in the Confidential, six (6) years as a Threat Analyst and Security Compliance Advisor for the Confidential (Confidential), and 20 years in Healthcare Data Management.
- Have designed and overseen the secure implementation of IT risk organizations, emerging technologies (wireless and cloud computing) and world leading e-commerce solutions.
- Designed control frameworks allowing companies to be fully FISMA, HITRUST, PCI compliant as well as ISO 27001 compliant.
- Have high-caliber presentation and communication skills and am a highly sought-after speaker on Confidential Cyber Security Framework (CSF), Confidential Risk Management Framework (RMF), Confidential Security Controls (SP800-53), Incident Response, HIPAA Privacy/Security, Business Continuity and Disaster Recovery (BCP/DRP), and Regulatory Compliance regarding HIPAA, FISMA, PCI DSS, SOX, and GLBA.
- Demonstrates working knowledge and understanding of system security, controls, and the information security management environment in the following Healthcare and Information Security domains:
- Information Program Management
- Healthcare Information Technology Security and Privacy
- Regulatory Compliance (HIPAA/HITECH, FISMA/NIST, COBIT, HITRUST, ISO 27001, PCI DSS, SOX, and ITIL)
- Policy Development & Management
- Security Function Design
- Corporate and IT Governance
- Confidential Risk Assessment/Management
- DIACAP
- Confidential Risk Management Framework (RMF)
- IT General Controls Auditing
- Cloud Security and Auditing
- Strategic Security Planning
- Security Architecture and Strategy
- Threat & Vulnerability Management
- Identity & Access Management
- Network Security & Architecture
- Cybersecurity
- Incident Response
- Attack & Penetration Testing
- Business Continuity Planning/Disaster Recovery Planning (DRP)
- Security Awareness, Training, & Education
- Data Loss Prevention (DLP)
- Health Information Exchange and Patient Health Record Systems
- Auditing & Log Management
- Mobile Device Security & Strategy
- Business Associate and Third-Party Risk Management
- Large Complex Security Program Execution/Implementation
- Security Infrastructure
- C|CISO Certified Chief Information Security Officer (C|CISO) (ECC) (29Mar2013)
- CISM Certified Information Security Manager (CISM) (Member No. 0301047) (4Sep2003)
- HISP Holistic Information Security Practitioner (HISP) (Member No. 100015) (24Mar2006)
- FITSP-M Federal IT Security Professional-Manager (FITSP-M) (Member ID. 400) (18Jan2011)
- FITSP-A Federal IT Security Professional-Auditor (FITSP-A) (Member ID. 400) (18Jan2011)
- ITIL Foundation Certification versions 2 and 3
- IT-2779 Information System Security Manager (ISSM)
- IT-2735 Information Systems Administrator (ISA)
- IT-2780 Network Security Vulnerability Technician (NSVT)
- CTT-9170 CLASSIC WIZARD Basic Operator
- CT-9168 Advance Non-communications Collection and Analysis Technician
- Cryptologic Technical Technician First Class Petty Officer (CTT1)
- Department of Defense Technical Training Instructor
- Department of Defense Master Training Specialist (MTS)
- Microsoft Certified Professional (MCP)
- Technical Writer and Curriculum Developer
- Prosci Change Management
- Currently preparing for the following certifications:
- (ISACA) Cybersecurity Fundamentals Certificate (CSX)
- (ISC)² Certified Information Systems Security Professional (CISSP)
- EC-Council - Disaster Recovery Professional (EDRP)
- EC-Council - Certified Incident Handler (E|CIH)
- Studying towards a BA in Information Systems Management (IFSM) from University of Maryland - 96 credits completed to date
- Task Based Curriculum Development and Technical Writing
- Check Point FireWall-1 4.0 Certified Security Administrator
- Check Point FireWall-1 4.0 Certified Security Engineer
- ADPSO Concepts and Risk Management Auditing
- Information Systems Security Management (A-531-0009) three weeks
- Information Systems Administrator (A-531-0046) eight weeks
- Network Security & Vulnerability Technician (A-531-0022) eight weeks
- Department of Defense (DoD) Technical Training Instructor 12 weeks
- Configuration Management (D-555-0048) three weeks
- Federal Information System Audit Controls - Confidential SP800-53 (1 week)
- Fundamentals of an Internal IT Auditor (3 days)
- Project Management I & II
- Software Quality Assurance and Testing
- Identifying and Confirming User Requirements
- Effective Skills for Technical Managers
- Influence Skills
PROFESSIONAL EXPERIENCE:
Confidential, Tallahassee, Florida
Director Information Security / Manager
Responsibilities:
- Developed and chair the Governance Risk Management (GRC) Program. Developed GRC Policy and Procedures for enterprise. Lead the establishment of a governance framework to develop, maintain, and approve all information security foundational documentation, which includes policies, standards, procedures, and work instructions.
- Responsible for meeting regulatory compliance regarding Cybersecurity, HIPAA, FISMA, PCI DSS, Fraud, IT Audits, and Financial Audits regarding general security controls. Report to the Chief Information Officer.
- Responsible for oversight and development of all ongoing activities related to the development, implementation, maintenance, and annual reviews of 135 enterprise Compliance Policies, Procedures, and Standards to safeguard protected data held by the organization in accordance with federal and state laws.
- Maintain the Cybersecurity Management and Information Security Risk Management Programs in accordance with National Institute of Standards and Technology (NIST) Standards and Guidelines and ISO 27000 Series Standards to ensure that data classification, security control implementation, regular verification of security control performance, breach preparedness planning and testing, risk acceptance and risk transfer, and Data Loss Prevention (DLP) initiatives are working successfully and that information, data, and assets are protected across the organization.
- Responsible for oversight of the Cyber Security Program and implementation of the Confidential Cyber Security Framework (CSF), tailoring it to meet the organization’s risk reduction goals, and routinely Identify, Protect, Detect, Respond to, and Recover from risks.
- Chair the weekly Security Steering Committee meeting with the CIO, Directors, Managers, and Executive Assistant to report the status of the Information Security Risk Management Program and Plan of Action & Milestones (POA&M) remediation efforts.
- Provide technological leadership and guidance to Senior Management in delivering security solutions to meet or exceed organizational goals and business objectives.
- Established and maintain a three-year Strategic Security Plan to communicate Senior Management’s Policies and guide the development of standards, procedures, and guidelines, including strategic planning initiatives.
- Have oversight responsibilities of PCI-DSS regulatory compliance. Strengthened PCI environment with new governance, controls, documentation management system and information security training program across 16 Departments.
- Responsible for overall maintenance of the Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) and Hurricane Plan. Work with Senior Management and 16 Department Supervisors to document, train, test, and update BCP/DRP and Hurricane Plan annually.
- Assist the IT Director and Director of Programming and E-Commerce with security design and architecture decisions for all legacy systems and during the SDLC for new systems and applications that will process, transmit, or store sensitive information as defined within the Data Classification Policy and Data Classification Matrix, using the Confidential SDLC methodology and/or Agile software development methods.
- Developed and implemented policies and standards governing intrusion detection configuration and deployment. Audit intrusion detection configurations to ensure that they are configured in accordance with the guidelines provided by policy.
- Member of the Information Security Leadership Team and Change Advisory Board (CAB) that meets weekly to ensure changes are documented, tested, approved, and made in a controlled fashion to preserve the confidentiality, integrity and availability of the applicable system.
- Maintain Plan of Action and Milestones (POA&M) which identifies tasks that need to be accomplished to remediate security vulnerabilities. The goal of a POA&M should be to reduce the risk of the vulnerability identified.
- Submit quarterly Information Security Program Reports that address the current state of the Risk Management Program and Plan of Action and Milestones (POA&M) remediation status to the Compliance Committee Board and Audit Committee Board.
- Established and maintain an Incident Response Plan to ensure an effective and timely response to information security incidents.
- As Incident Response Leader for all investigations, receive reports of any internal/external security breaches, malicious activity, and take appropriate action to minimize harm, investigate breaches, document accordingly, and identify corrective actions.
- Continuously monitor the Data Loss Prevention initiative. Work closely with Information Technology Systems Support (ITSS) network technicians to monitor systems development and current operations (e.g., McAfee Change Control, McAfee Email Gateway) for HIPAA Privacy and Security compliance.
- Enhanced the Risk Management Program by implementing the six-steps identified in the Risk Management Framework (RMF). This structured process integrated information security and risk management activities into legacy systems and new systems that will go through the SDLC process.
- Coordinate the annual network third-party enterprise vulnerability scan, penetration test, and wireless assessment, and develop appropriate POA&M remediation for identified vulnerabilities.
- Conduct annual HIPAA Privacy/Security and Meaningful Use Risk Assessment.
- Developed and conduct a Security Checklist for all new eCommerce and/or Software-as-a-Service (SaaS) Providers as part of the organization’s Breach Notification Procedures.
- Developed third-party monitoring procedures to conduct annual Physical Security Walkthroughs and gather all documentation (e.g., SSAE-16, Risk Assessments, and/or Audits) to ensure third-party regulatory compliance (e.g., HIPAA, PCI) is met.
- Responsible for collecting and reviewing all third-party SSAE-16’s to ensure regulatory compliance is met.
- Engage and direct third-party consultants as appropriate on all Financial and IT Audits.
- Developed and maintain the Mobile Device Management strategy for the organization.
Confidential, Tallahassee, Florida
Information Security Manager / Project Manager
Responsibilities:
- Trusted Information Security advisor to 26 state agencies on Regulatory Compliance for HIPAA, FISMA, PCI, SOX, COSO, GLBA, ISO 27001, HITRUST, COBIT, and ITIL.
- Assisted in creating Project Management Office (PMO) to conduct risk assessments for 36 State Agencies.
- Incident Response Manager charged with investigating an information breach at a National bank. As Manager of a team of four (4), coordinated all interviews, worked closely with law enforcement, and assisted with creating final incident report.
- Project Manager of diverse teams of four (4) to nine (9) consultants to perform Confidential based and ISO 27001 Risk Assessments for 24 State agencies.
- Developed Low, Moderate, and High level System Security Plan (SSP) templates and used the templates to develop 23 Low, 55 Moderate, and 7 High impact-level SSPs in accordance with the Confidential SP800-18 Guide for Developing Security Plans for Federal Information Systems. Categorized all 85 systems in accordance with FIPS-199 Standards for Security Categorization of Federal Information and Information Systems.
Confidential, Lakeland, Florida
Information Security Consultant / Technical Writer
Responsibilities:
- Provided strategic oversight, responsibility, coordination of information security protection and security compliance efforts.
- Developed 8 of 13 chapters in the new Information Security Policy manual which establishes Publix information security policies required for identifying information resources and supported business processes and appropriately protecting those information resources.
- Developed the corporate Risk Management methodology and Audit Guidelines using the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30: Risk Management Guide for Information Technology Systems.
- Developed the PCI DSS standard approach for the internal organization drafting a complete set of security policies and standards that cover each key security control area.
- Developed the Disaster Recovery Plan Emergency Access Procedures for the Windows, UNIX, and Database environments.
Confidential, Jacksonville, Florida
Chief Information Security Officer (CISO) - Compliance Officer
Responsibilities:
- Manager of eight (8) direct reports. Developed an organizational Information Security Policy Manual in compliance with ISO 17799:2005’s eleven domain requirements in support of the Information Security Management System (ISMS).
- Assumed overall responsibility for the organization’s data security and privacy policies, architecture, and procedures recommending security solutions including financial justifications and operational support options.
- Worked with the CIO to create, document, implement, and oversee policies, procedures, and practices that ensure the availability, integrity, and privacy of information assets.
- Provided appropriate access to, and protected the confidentiality and integrity of, customer, employee, and business information in compliance with company policies and standards.
- Developed the SAS 70 Type II audit standard approach for the organization.
- Conducted internal Type II SAS 70 audit in preparation for third-party SAS 70 audit. Worked with third-party auditor in evidence gathering for testing and developed all remediation steps.
- Prepared organization for ISO 27001 certification and accreditation.
- Prepared and presented detailed audit findings to Senior Management, analyzing compiled data and making recommendations to mitigate risks and improve processes and controls.
- Chaired the Steering Committee and Information Technology Steering Committee leading efforts in the development and the delivery of the company’s security roadmap.
Confidential, Tallahassee, Florida
Information Security Manager / Project Manager
Responsibilities:
- Project Manager of seven (7) consultants responsible for conducting six (6) PCI DSS assessments and drafted remediation plans to ensure that the set of twelve compliance requirements were met through implementation of standards for configurations, best practices, change management procedures, and validation processes.
- Developed server hardening and firewall rule guidelines to ensure confidentiality, integrity, and availability which resulted in a substantial reduction in vulnerability exposure.
- Developed Information Security Awareness and Training Programs for 12 State agencies.
- Managed a diverse team of 12 consultants, vendors, and employees in the build-out of a new Security Operations Center (SOC) for a 1,500-person New York City-based law firm.
Confidential, Tallahassee, Florida
Information Security Consultant / IT Auditor / Information Security Advisor
Responsibilities:
- Executed audits of business controls, processes, and systems, in accordance with traditional internal auditing standards (ISO 17799, SAS 70, PCI DSS, COBIT, and COSO).
- Implemented a PCI Data Security Program for eight (8) clients, ensuring their security configuration will be “locked down” on those computer systems handling cardholder data.
- Managed a team of four (4) to six (6) consultants to conduct Business Security Risk Assessment Audits utilizing ISO 17799/27001 and Confidential 800-53 Standards to identify gaps in the 24 State agencies.
- Provided input into the state Computer Security Incident Response Team (CSIRT) establishing the roles, responsibilities, communications, and eDiscovery procedures for responding to computer security incidents, which may occur within the State of Florida’s government.
Confidential, Jacksonville, Florida
Information Security Consultant / IT Auditor
Responsibilities:
- Managed a SOX remediation project team of three (3) for Confidential.
- Interfaced with external auditors and coordinated with internal teams to satisfy HIPAA and Sarbanes-Oxley concurrence requirements in synchronization with international best practices and regulatory requirements. Conducted internal SAS 70 Type II Audit and prepared organization for external SAS 70 Type II with third-party auditor.
Confidential, Jacksonville, Florida
Information Security Consultant / IT Auditor
Responsibilities:
- Developed twenty-four (24) ISO17799/IS15408 security policies.
- Developed nine (9) COBIT Audit Programs.
- Recommended a comprehensive external and internal security architecture to protect the organization’s network and components, which has been endorsed by management and incorporated into their remediation process.
- Developed the System Development Lifecycle (SDLC) five-phase approach that included a minimum set of tasks to incorporate security in the system development process.