
Senior Risk Analyst/ Desktop Support Specialist/network Security Analyst


OBJECTIVE:

  • Seeking a position that will utilize my strong Cyber security and IT Industry experience, project management skills, technical experience and organizational abilities and that provides long - term stability and growth opportunities.

PROFILE:

Leadership Skills and Proficiency with Security Governance: Manage a team of 15 to 20 employees at a time across multiple IT security engagements, including experienced IT security staff. Conduct IT audits of information systems using different methodologies and frameworks such as DITSCAP, DIACAP, NIST FISMA, FISCAM, SA&A (formerly known as C&A), RMF, SOX 404, FFIEC, HITRUST, CSF, HITECH, FEDRAMP, Cloud Computing (IaaS, PaaS, SaaS), SSAE16 (SAS 70), SOC1/SOC2, PCI DSS, ISO 17799, ISO 9001, ISO 27001. Help establish audit log policies and processes and make audit log review more efficient using manual processes or automated tools such as Splunk, Change Auditor, Tripwire, Symantec and McAfee. Conduct vulnerability scans using DISA SRR scripts or Gold Disk, nCircle IP360, Tenable Nessus, eEye Retina, NMAP, WebInspect, McAfee, Confidential AppScan; review scan results based on CVE (XSS, CSRF, SQL Injection, DDoS, DoS) and CWE, following OWASP. Review and help implement cryptography policy and process to meet the NIST FIPS 140-2 requirements.

Cyber Security - Information System hardening: IT industry standard configurations based on DISA STIGs, CIS Security, NSA guides, or vendor hardening guides and Defense in Depth principles for Unix Solaris (7, 8, 9, 10, 11), Confidential AIX, Linux RHEL, HP-UX, Windows 2008/2012, Windows Active Directory (OU-GPO), IIS servers, SharePoint, WebSphere, Cisco routers, switches and gateways, Cisco ISE, Palo Alto, Juniper, Cisco firewalls, F5 BIG-IP, Oracle, Sybase, SQL Server, DB2, PeopleSoft, VMware, Wireless Network, Mobile devices (BlackBerry, Apple), Mainframe z/OS. Using Remedy, Centrify, Puppet.

Cyber Security - Threat Analysis and Insider Threat Program: Advised numerous clients on new technology, threats and vulnerabilities. Assessed change management and the ability to track changes back to their first steps and all the people involved in their inception. Used data integrity checkers and system configuration management tools such as Puppet and Tripwire to monitor any data tampering, as well as Change Auditor, SolarWinds, and Quest. Reviewed backup and storage system management such as Confidential Tivoli Storage Management (TSM), VERITAS, Hitachi Data System, EMC, HP to make sure there was a sound and serious backup process in place in case of disaster or catastrophic events that could affect the information system. Worked on DRP and COOP plans and participated in multiple organizations' tests and exercises. Reviewed Data Center physical security and environmental controls as well as physical tape and data transport by reviewing Iron Mountain procedures and logs.

Standards/Frameworks/S&A Controls: COSO/COBIT, Sarbanes-Oxley Act, SSAE 16, Confidentiality, Integrity, Availability, Access Control, Audit & Accountability, Certification & Accreditation, General Computer Controls, Cloud Service Models, Application Controls, Testing, Compliance Testing, Project Management, Risk Assessment, Change Management, Configuration Management, Security Maintenance, Contingency Planning; Policies & Procedures, Implementation; Incident Response, Media Protection, Physical Security, Environmental Security, Personnel Security, OMB Circular A-130 Appendix III, Consulting, FISMA, CMS-ARS, CMS MARS-E, HIPAA, PCI, ISO/IEC 27001, FEDRAMP, CSA-CCM, Agile-DART Process & FFIEC compliance, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. OMB Circular A-123 and A-130 Appendix III and NIST 800-series Special Publications, SA&A, RMF, FIPS and DoD directives 8500 and 5200 series. NIST Special Publication series A, FIPS 199 and FIPS 200.

Software-Hardware-Platform: Microsoft SharePoint, WordPress 4, Adobe Photoshop CS4, VMware Fusion, VMware Player, and Oracle VM VirtualBox, Mainframes RACF; UNIX, Sun Solaris, HP-UX, Linux Red Hat, Checkpoint, Cisco Routers/Switches, FireEye, WebInspect, LogRhythm, DMZ, IDS, Wireless Network, TCP/IP/UDP, SSH, FTP, LDAP, Next Step, Kali Linux, BeEF, ZAP, Microsoft Office Suite, Apache OpenOffice, Adobe Acrobat XI Professional, Visio, Oracle, Microsoft SQL Server, Access, ELT, Sybase, SAP, DB2, PeopleSoft, AppDetective, Symantec, PGD, DISA SRR, eEye Retina Scan, Centrify, Puppet, Symantec Endpoint Protection, Tripwire, Rational Rose, MS Office Professional - MS Visio, Excel, Remedy, ArcSight, Veritas, Tivoli Storage Manager, Hitachi Storage Management.

EMPLOYMENT HISTORY:

Confidential, Projects Washington, DC

Responsibilities:

  • Confidential: Cyber Security CISO Advisor
  • Manage a team of IT Security specialists and IT auditors to review Bank Supervision and Regulations (BS&R) regional Reserve Bank examination applications in accordance with financial institutions Board Supervisory and Regulation. Conduct IT risk assessments, document key controls at the FRB, hold meetings with the FRB IT Division team to gather evidence; develop test plans and testing procedures, and document test results and exceptions. Supervise and monitor the SOX/FISMA testing of GCC (System Software Support, Information Security, and Operations) for UNIX, Linux RHEL and Windows servers (AD), VMware, LDAP, mainframe, applications and databases (Oracle, PeopleSoft), environmental controls, and the Data Center. Conduct walkthroughs, formulate test plans, document gaps, test results, and exceptions; and develop remediation plans for each area of testing. Perform IT operating effectiveness tests in the areas of security and operations.
  • Validate IT key controls to identify control risks, analyze root causes and trends in potential control weaknesses. Suggest new controls to meet compliance standards where applicable. Develop prioritized implementation plans to address identified risks. Conduct a cyber-security review of major financial applications and identified gaps between current practices and leading practices/regulatory requirements and propose architectural & operational security policy changes to upper management.
  • Work with internal and external auditors (Big 4 firm) to identify gaps in the agency IT control environment against FFIEC requirements and FDIC examination team expectations. Participated in weekly high-level meetings and planning, coordinated assessment logistics scheduling, project site visits and audit work sessions. Work internally and externally with IT SMEs, Business Owners, Government Clients, and Upper Management to facilitate the audit engagement effort. Lead the Technology Security Adoption team for the Federal Risk and Authorization Management Program (FEDRAMP) Remediation Work stream, to integrate security and risk mitigation in asset acquisitions & maintenance and to enable the agency to evaluate and attest vendor cloud products based on other government customers' comments. Review and analyze existing Policies, Processes and Business Best Practices for completeness and compliance with NIST and FedRAMP requirements. Drive remediation efforts in response to internal/external audits and third-party assessments in compliance with the FEDRAMP framework. Lead weekly meetings with internal and external stakeholders including the FEDRAMP security adoption team, business owners, 3PAOs, and senior management. Responsible for periodic engagements with stakeholder SMEs, Product Owners and Business Owners to review and validate Policies, Processes and Cyber Security Business Best Practices. Lead work as project manager on multiple work streams within the Security adoption team and areas of IT/business units to review and develop processes, validate facts, schedule meetings, track projects, and update C&A documents and reports. Collaborate with the internal Cloud team to define FEDRAMP Cloud Computing adoption models, Best Practices and FEDRAMP requirements (IaaS, SaaS, PaaS).
  • Work with the IT technical and architecture team on migration plans encompassing infrastructure baselines, plans and road maps; application migration plans, requirements and needs; and industry-leading and evolving trends, techniques, products and vendors. Conduct compliance assessments/reviews to ensure that the organization follows applicable control requirements. Reviewed the Amazon Web Services (AWS) FISMA and FedRAMP security posture for CFPB on behalf of the Federal Reserve Board of Governors, FDIC and Treasury Department FFIEC community. Worked on virtualization and cloud computing projects with VMware products as well as Oracle SaaS and Windows Cloud Services. For FedRAMP compliance requirements, conducted the review of Amazon Web Services (AWS East/West) on behalf of the FFIEC at GSA and CFPB.
  • Involved in planning, documenting, testing and reporting. Primarily, we assessed the entity's internal control environment based on the control objectives across the nine FISCAM areas considered for testing. Provide support to the Senior Management Council (SMC), Senior Assessment Team (SAT), and the Core Assessment Team (CAT) by communicating project objectives, plans, status, and results of activities. As part of the A-123A Assessment Team, used the Federal Information Systems Controls Audit Manual (FISCAM) as the methodology for evaluating the design and operating effectiveness of the IT controls for in-scope systems. Helped map FISCAM to NIST Special Publication Rev. 4 to make it easier to relate FISCAM general and business process control activities to the related NIST controls.
  • Evaluate FISCAM controls to determine the associated level of risk and target high-risk controls. Rotate systems or controls based on whether key controls can be tested via business process testing. Specifically, developed a test approach and test plans for the IT System Controls Testing. Reviewed Security Management; Access Controls; Configuration Management; Segregation of Duties; Contingency Planning; Application Level General Controls (AS); Business Process Controls (BP); Interface Controls (IN); and Data Management System Controls (DA). Supervise and work with InfoSec/IT Security Administrators to verify that terminated/transferred employees' user IDs are removed from Network Active Directory & applications. Perform periodic Access Reviews to determine that terminated, transferred, and unauthorized users do not have access to financial and clinical applications.
  • Serve as SME to the IT department in maintaining information assurance processes and work collaboratively with IT & IT security to ensure that identified gaps are reviewed and remediated. Conduct walkthroughs, document gaps, test results and exceptions; and develop remediation plans for different applications.
  • Formulate Test Plans in compliance with CSA-CCM, FedRAMP, HIPAA, PCI, ISO 27001 & Joint Commission Standards. Develop and maintain the IT department's Policies and Procedures matrix, ensuring that procedures reflect IT management's expectations, corporate policies and procedures, applicable codes, industry standards, and regulatory requirements.
  • Work with IT department information owners to ensure that the Policies and Procedures are reviewed, revised, approved and published in the Microsoft SharePoint application.
  • Participate in the department's ITIL processes and effectively use the BMC Remedy system to create Remedy tickets for change control processes and documentation requests. Participate in meetings with management and external auditors on upcoming audits and audit engagements.
  • DHS - USCIS - OCIO: C&A FISMA-FedRAMP
  • Worked as a Certifying Agent at DHS USCIS supervising contracting firms such as Booz Allen Hamilton, SAIC, Northrop Grumman, Lockheed Martin, BearingPoint, General Dynamics and other contractors and vendors.

Confidential, Projects Falls Church, VA

Responsibilities:

  • DISA-TRICARE: Senior STIG Security Engineer
  • Performed Certification and Accreditation (C&A) activities for Federal Government agency and private-sector extranet partners Tricare Management Activities UCCI, Confidential based on DoD directives 8500.2 and 5200.1. Supported the implementation of DITSCAP/DIACAP-related doctrine, policies, and architectures.

Confidential, Projects Herndon, VA- Urbana, MD -Washington DC

Responsibilities:

  • Senior Risk Analyst /SOX 404 Compliance Risk Team Specialist
  • Developed the audit plan and performed the General Computer Controls testing of Information Security, Business Continuity Planning, and Relationship with Outsourced Vendors. Identified gaps, developed remediation plans, and presented results to the IT Management team.
  • Secure IT-E&Y-DISA/DODIG Projects Washington, DC- Chicago, IL
  • Defense Information Security Agency (DISA): SAS 70/UNIX Testing
  • Tested thousands of UNIX servers (Sun Solaris, HP-UX, AIX, and RHEL Linux) on different USAF bases nationwide. Tested manual and automated controls using the DISA automated SRR Scripts (Security Readiness Review). Reviewed the automated output data for discrepancies and notified the client of the deficiencies. Performed testing of general computer controls (physical security, disaster recovery, and logical access) in accordance with DoD 8500.2 guidelines and 5200.40 methodologies.
  • SOX 404 Independent Consultant
  • Tested the effectiveness of key infrastructure controls in network security, disaster recovery, and change management. Conducted walkthroughs and tested multiple key controls. Also, defined sample size selection and testing methodology for manual and automated controls.

Confidential, Projects Bethesda, MD

Responsibilities:

  • US Dept. of Commerce/US PTO Office Oracle Security Specialist
  • Conducted security assessments and participated in complete penetration testing activities to quickly identify all security exposures in their network, server and Oracle environment.
  • EQUANT: SOX 404 Consultant/Oracle Security Auditor
  • Developed and implemented an assessment/ranking process for capturing, managing, and prioritizing technology.

Confidential, Projects Herndon, VA

  • Desktop Support Specialist/Network Security Analyst
  • Helped troubleshoot hardware and software problems, provided end-user support, and maintained a network history record. Installed, configured, and tested network services including DNS, WINS, DHCP, SMS, SNMP, and IIS, and upgraded Windows NT Servers.
