SUMMARY

• I am an analytical and detail - oriented hands-on professional with more TEMPthan 15 years of experience in information security and technology capacities; well-versed in cybersecurity and technology risk management program design and implementation challenges, as well as business continuity and disaster recovery roles.
• A meticulous team player, I am capable of driving efficiencies and improvements through restructuring of teh security functions, consolidating IT units, and providing information technology regulatory compliance and assurance TEMPeffectiveness.
• Well-versed in teh information security and control implementation requirements for privacy practices, Sarbanes-Oxley, HIPAA, GLBA, FISMA, as well as other compliance environments. PhD graduate in IT Management with special focus on teh design and implementation challenges of Information Security, Confidentiality, and Privacy Compliance requirements of HIPAA, SOX, GLBA, PCI DSS, etc. Additionally, I have achieved several industry certifications, including: teh CIPP/US, CISSP, CISA, and CEH amongst others. I am a member of teh San Francisco chapter of FBI InfraGard, (ISC)2, and ISACA.
• Cyber Security/Penetration Testing and Security Risk Assessment/Mitigation
• IT Security Incident Response Readiness Planning and Implementation
• Cyber Security Operations and IT Risk Management Design and Implementation
• IT Security Program & Policies Development/Implementation
• Business Continuity and Disaster Recovery Planning, Design and Implementation
• Cloud Computing Security Systems and Architecture Review
• Security Technologies Evaluation & Deployment
• Privacy Program Implementation and Regulatory Compliance Specialist
• Security Technologies Auditing & Regulatory Compliance Gap Analysis
• IT Systems Security Architecting
• Security Awareness Development and Training Specialist
• Project Management Consulting Specialist
• Versatile in researching and resolving organizational cybersecurity issues and challenges

PROFESSIONAL EXPERIENCE

Confidential

Senior Cybersecurity Consultant

Responsibilities:

• Security Strategy Review & Recommendations
• Compliance Reviews and Solutions
• Compliance Project Management
• Security Audits & Risk Assessments
• Security Policies & Procedures
• Security Penetration Tests & Vulnerability Scanning
• Security Testing & Reviews
• Wireless Security Services
• High Availability Security & IT Infrastructure

Confidential

Compliance Specialist

Responsibilities:

• Provide program Certification and Accreditation (C&A) support for teh eHealth’s enhanced Digital Enrollment (EDE) environment in accordance with CMS’ Certification and Accreditation Process
• Prepare technical packages for Certification and Accreditation Process for submission to CMS to receive their Authorization to Operate (ATO) on teh EDE network environment
• TEMPEffectively manage teh technical and compliance aspects for accreditation of all EDE networking solutions for IDS/IPS, server farms, and numerous transport boundaries
• Create and update data flow diagrams (DFDs) of eHealth’s EDE sites for Site C&A technical package submittals
• Handle technical package corrections identified by C&A Non-Technical team
• Create standard operating procedures (SOP) to refresh and train coworkers
• Provide Cross Training to members of teh C&A Non-Tech team
• Provide Quality Assurance (QA) checks on completed EDE CMS packages

Confidential

Responsibilities:

• Redesigning teh bank’s monthly security metrics to TEMPeffectively present teh status of teh informationsecurity program to executive leadership, enterprise risk teams, senior business leaders, and teh board of directors as part of a strategic enterprise risk management program.
• Driving teh transition of technology risk management team into dedicated 1st and 2nd Lines of Defense functions.
• EstablishingSecurityControl Testing function to periodically test keycybersecuritycontrols and developing a reporting framework to ensure continuous improvement and FFIEC compliance.
• Designing and revamping teh bank’s IT Risk Register to ensure identification, tracking and mitigation of risks for identified risk scenarios are incorporated to into teh organization IT risk profile.

Confidential

Justice Systems Program

Responsibilities:

• Responsible for reviewing, testing, deploying and managing a wide variety of security operations center (SOC) and events monitoring and remediation tools, including AlienVault, Splunk and SolarWinds
• Responsible for evaluating and recommending security tools to build teh application testing program to meet FBI’s CJIS requirements. Tools deployed in support of teh county’s SDLC program, including Kali-Linux, Metasploit, Burp Suite Pro, Wireshark, Rapid7 Nessus, Web Inspect, Nmap, Cain and Abel, Nitko, Dirbuster, IBM AppScan, Nessus, Open Vas, W3AF, BeEF, Etthercap, Maltego.
• Responsible for conducting application security penetration testing involving various web application testingtools, including Fortify, Metasploit, Burp Suite, SQL map, OWASP ZAP Proxy, Nessus and Nmap.
• Responsible for specifying and aligning county’s vulnerability and application security testing requirements to leverage frameworks such as CWE, OWASP Top 10 2010, and WASC Threat Classification 2.0 methodologies.
• Responsible for deploying various web application securitytestingtools, including Fortify, Metasploit, Burp Suite, SQL map, OWASP ZAP Proxy, Nessus, Nmap and IBM QRadarSEIM Tool to assist teh county in fulfilling its mandate.
• Conducts vulnerability and penetration testing and evaluation of county-wide and PSJSP applications to identify vulnerabilities, recommending applicable code fixes, and alternatives and best-practices to ensure compliance with security and privacy policies of teh SCC CISO office;
• Lead, conduct and coordinate teh review and documentation of information security and privacy impact assessments (PIA) for all Confidential Public Safety and Justice Program (PSJSP) initiatives
• Responsible for conducting and Compile Privacy Impact Assessment for PSJSP Systems Security Plans
• Develop technical, privacy, security, data migration and overall architectural requirements for inclusion in Request for Proposals

Confidential

Network Security Penetration Testing and Audit

Responsibilities:

• Secure Sockets Layer (SSL) configurations and weaknesses and Exploring virtual hosting and its impact on testing; Acquiring teh skills to identify load balancers and Software configuration discovery
• Scripting to automate web requests and spidering and Brute forcing unlinked files and directories
• Discovering and exploiting Shellshock and Python for web app penetration testing
• Web app vulnerabilities, manual verification techniques, and Interception proxies/Zed Attack Proxy (ZAP)
• Burp Suite, Information leakage, directory browsing and Username harvesting
• Command Injection, Directory traversal, Local File Inclusion (LFI), and Remote File Inclusion (RFI)
• SQL injection, Blind SQL injection, JavaScript for teh attacker, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Session flaws, Session fixation, AJAX, XML and JSON
• Logic attacks, Data binding attacks, Automated web application scanners, w3af, and Teh sqlmap tool
• Metasploit for web penetration testers, Exploring methods to zombify browsers, Browser Exploitation Framework (BeEF), and how to leverage attacks to gain access to system, and How to pivot our attacks through a web application, including methods of interacting with a server through SQL injection, and Exploiting applications to steal cookies
• Critical areas of hands-on network security testing and auditing skills transferred include:
• Nmap In-Depth: Teh Nmap Scripting Engine and Version Scanning with Nmap
• Vulnerability Scanning with Nessus, False-Positive Reduction and Packet Manipulation with Scapy
• Enumerating Users, Netcat for teh Pen Tester, and Monitoring Services during a Scan
• Comprehensive Metasploit Coverage with Exploits/Stagers/Stages, and Strategies and Tactics for Anti-Virus Evasion
• In-Depth Meterpreter Analysis, Hands-On, and Implementing Port Forwarding Relays for Merciless Pivots
• Leveraging Shell Access of a Target Environment, Password Attack Tips, and Account Lockout and Strategies for Avoiding It
• Automated Password Guessing with THC-Hydra, Retrieving and Manipulating Hashes from Windows, Linux, and Other Systems, and Pivoting through Target Environments
• Extracting Hashes and Passwords from Memory with Mimikatz Kiwi, and Password Cracking with John teh Ripper
• Sniffing and Cracking Windows Authentication Exchanges Using Cain, and Using Rainbow Tables to Maximum TEMPEffectiveness
• Pass-teh-Hash Attacks with Metasploit and Finding and Exploiting Cross-Site Scripting
• Cross-Site Request Forgery, SQL Injection, and Leveraging SQL Injection to Perform Command Injection

Confidential

Cybersecurity Audit

Responsibilities:

• Participate in teh bank’s cybersecurity audit risk assessment, planning and audit scope development as well as project execution as a critical team member on large, complex projects.
• Conduct cybersecurity audit of system/application/network controls, demonstrating an understanding of teh bank’s technical infrastructure.
• Evaluate teh adequacy of design and TEMPeffectiveness of teh bank’s cybersecurity security policies, procedures, processes, systems and internal controls
• Develop and execute testing strategies, methodologies and analyses during teh conduct of specific audits.
• Consult with line-of-business personnel to develop corrective action plans and TEMPeffectively manage change.
• Report findings and develops business cases on teh need for controls to mitigate teh bank’s cybersecurity risk.
• Articulate risk and complex technical issues to enable business units to understand and assess cybersecurity risk and controls; including 3rd party vendor environment and services used by teh business.
• Lead teh execution of specific areas of a cybersecurity audit project.
• Provide reports to technology managers on teh TEMPeffectiveness of their business unit's internal control structure along with recommendations that improve teh TEMPeffectiveness, efficiency and economic value of a control or process.
• Evaluate teh adequacy and timeliness of management's response and teh corrective action taken on relevant weaknesses noted within audit reports.
• Provide control consulting services to management to assist in redesign efforts that improve teh control environment.
• Responsible for assisting teh security teams in reviewing and revamping Gilead’s cybersecurityprogram focused on maintaining applicable technicalsecuritycontrols, and developing risk assessment policies and procedures and standards
• Working with security team to integrate multiple vendors’ security offerings to create a complex system ofsecuritycontrols for maintaining and protecting Gilead’s sensitive data
• Responsible for developing and documenting critical aspects of teh security testing program and test-running critical penetration testing incident response exercises for Gilead.
• Working with other cybersecurity team to manage teh day-to-day cybersecurity activities of threat and vulnerability management and developing securityawareness training materials
• Responsible for developing and nurturing teh formal cybersecurity risk analysis and assessments program

Confidential

Business Information Security Advisor: Corporate Operations

Key responsibilities include:

• Responsible for conducting manual and dynamicpenetrationtestingand specifying requirements of web applications using Burp Suite and AppScan;
• Responsible for headquarter-based vulnerability assessment of various web applications deployed in teh organization using Paros Proxy, Burp Suite, and Web Scarab, YASCA, HP Web Inspect.
• Responsible for conducting applicationpenetrationtestingof 10+ business applications spanning RH’s operations in 15 countries around 4 continents
• Responsible for conducting security assessment of PKI Enabled Applications.
• Responsible for teh evaluation and deployment of application testing tools including, Burp Suite, Acunetix Automatic Scanner, NMAP, DirBuster for web applicationpenetrationtests.
• Responsible for designing teh deployment of AWSCloudplatform and its features including, EC2, VPC, EBS, AMI, SNS, RDS, EBS, CloudWatch,CloudTrail, CloudFormation AWS Config, Autoscalling, CloudFront, IAM, S3, and R53.
• Responsible for specifying cloud security requirements for creating AWS Launch configurations based on customized AMI using EC2, S3, RDS, DynamoDb, Route53,EBS, Elastic Load Balancer, Auto scaling groups.
• Worked withcloudproviders and API's forAmazon(AWS) EC2, S3, VPC with CloudSigma (EU) and GFS storage.
• Responsible for performing RH’s SOX compliance audit review, including designing walkthrough plans, performing walkthroughs, and performing testing to assess design and operating TEMPeffectiveness of controls for ITGCs and business process cycles.
• Working with teh internal audit department of RH to identify and test operating TEMPeffectiveness of IT General Controls. Prepared work-papers and reported all identified issues to teh internal audit department for remediation
• Responsible for SOX 404 Readiness Engagement and conducting walkthrough interviews, updating & documenting process flow-charts and narratives. Also identifying and testing IT General Controls and reporting issues to teh IT Management for remediation.
• Collaborating with a team of offshore employees of varying technical skill sets and seniority levels to execute IT system implementation and, when necessary, software development to deliver technology initiatives
• Revamping and promoting teh development of a comprehensive, enterprise-level application security testing and risk management standards, policies and procedures by building security and risk management checkpoints into teh entire IT security life-cycle through advocacy with C-level personnel, enterprise information security teams and IT staff and end users.
• Stepped up teh implementation and enforcement of established business continuity/disaster recovery security standards, policies and procedures through routine system auditing and scanning, penetration testing, proactive security monitoring and policy enforcement.
• Developing and implementing security incident response program for IT systems, to include development of incident response plans, monitoring IT systems and networks for intrusions and suspicious activities, and working with external vendors and business partners.
• Establishing sound Amazon cloud security architecture and ensuring architecture is designed, implemented, and supported to adequately protect electronic data being migrated to teh cloud.
• Ensuring teh successful and secure implementation of security solutions by working as teh Business Information Security Advisor to teh International Operations teams (EMEA, APAC, ASIA, and teh UK) while providing strategic and operational guidance to teh network security technicians and other IT staff implementing and supporting IT security solutions.
• Revamping, developing and implementing risk assessment and management program targeting information security and privacy matters, while recommends methods for vulnerability detection and remediation and overseeing vulnerability testing.

Confidential

Information Security Manager:

Responsibilities:

• Responsible for coordinating, leading, and operating teh entire information security infrastructure of 6,000+ servers in collaboration with server and network units.
• Responsible for managing teams that include security analysts, engineers, external consultants, and server/halpdesk personnel.
• Responsible for running teh vulnerability, intrusion prevention, and risk assessment functions as well as IT security vendor management systems.
• Responsible for audit remediation plans and operations, client training, documentation, and senior management briefings involving change control management, physical/logical security access, firewall/network security reviews, computer/data center operations, and system development lifecycle methodologies. Enforced all IT Security policies and procedures.
• Responsible for performing high-visibility investigations of backlogged security incidents and capturing data and client needs across IT, security compliance, risk assessment, product functionalities as well as delivering operational readiness reviews to management.
• Responsible for devising and implementing project plans to mitigate identified security gaps.
• Realized first year savings of nearly $150K in operational staff costs by spearheading consolidation of 4 IT units into single entity with IT security functioning to serve on enterprise-wide basis, leading to retirement of incompatible and cross-purposed IT and security monitoring services; gained control of IT and security infrastructure and reduced duplicated functions.
• Achieved $45K in cost savings per quarterly test after instituting in-house penetration and vulnerability assessments operations that were previously conducted by external consulting entities.
• Championed teh completion and deployment of several information security policies previously contracted out; played key role in completing information security program manual theirby saving Irwin unquantifiable sums in potential fines.
• Implemented integrated and SSO Federated Access Management capability via RSA Access Manager 6.0.
• Supporting Certification and Accreditation (C&A) efforts to halp Federal agencies meet FISMA requirements, including supporting System Security Plan (SSP), Contingency Planning, risk assessments, and conducting independent Security Test and Evaluation (ST&E) on complex systems.
• Clients supported includes Internal Revenue Service (IRS), DHS Office of teh CIO, and Broadcasting Board of Governors (BBG)
• Conducting security assessment and testing on financial and technology clients’ environments
• Providing computer forensics and litigation support to clients, and leveraging forensics technology tools to promptly acquire, preserve, analyze, and produce digital evidence that can withstand legal scrutiny