Risk Management Analyst/metricstream Analyst Resume

Cordova, CA

SUMMARY

  • A Veteran of the US Air Force, I possess over 12 years’ experience working with public and private sector organizations in business process and analysis, security analyst, and IT compliance auditor roles. My primary objective is to advance strategies around cybersecurity analytics, information security governance, risk and compliance (GRC), and business process reengineering (BPR) by leveraging industry security standards and best practices to promote business safety, security, and confidentiality.

PROFESSIONAL EXPERIENCE

Risk Management Analyst/MetricStream Analyst

Confidential, Cordova, CA

Responsibilities:

  • Security and Privacy Compliance: responsible for ensuring defined security controls adherence by the various VSP lines of business and external third-party suppliers as set forth by NIST 800-53 (moderate baseline), HIPAA, ISO-2700X, GDPR, DoD, FedRAMP, FIPS, FISMA, SOX, COBIT, COSO, SSAE, SOC, PCI, the contract, and other governing directives.
  • Security Risk Assessments: Salesforce and Apttus leveraged to evaluate and score third party suppliers, based on defined security controls, assuring their technology environment appropriately protects PHI/PII shared data and that the Master Service Agreement and/or Statement of Work have the appropriate security requirements, and that those requirements are met. Escalate any areas of weakness identified within the security of the organization to thwart any security breaches through the use of different techniques, including but not limited to: audits, trend evaluation, and other knowledge. Provide security recommendations to the suppliers to help them satisfy and pass the assessment to successfully onboard with VSP.
  • MetricStream Administrator: solid understanding of the various modules such as: GRC Library, Issues, Risks, Third Party, System, Configuration, Risk Assessment Plan/Task (inherent risk score/mitigating controls/residual risk score), and Action Plans. Responsible for managing user-organization role combinations; manage users (creation, deactivation, role transfers); manage roles (role definition, access rights); manage organizational structures (organization hierarchy creation/deactivation); configure parameter values (i.e., rate/scoring, maturity modeling); manage List of Values; create third party surveys and questionnaires; create third party scorecards and qualifications; and manage existing GRC processes to “port” them into MetricStream. Generate various GRC reports (via MetricStream or Cognos 11) for senior management and the CISO.
  • Control Reviews: perform control reviews (CAPs, Issues, Risks, POAMs) as part of continuous monitoring to identify new risks, track findings against security policies and guidelines, and management of Plan-of-Action and Milestone (POAM) to closure. Provide bi-weekly POAM status updates to senior management and the CISO. ServiceNow leveraged for request management.
  • Risk Management: apply Risk Assessment and Compliance framework (rate/scoring) of inherent risk/mitigating control/residual risks, maturing model, and Qualitative and Quantitative risk modeling.
  • Technical Writer: responsible for design and implementation of formal artifacts such as: policies and procedures, runbooks, security risk assessments, and diagrams ensuring alignment and compliance to information security controls framework, state and federal regulations, and industry security best practices.
  • Respond to internal and external audit requests by researching and/or reviewing technical information security policies, procedures, standards, and guidelines to support VSP global initiatives. Conducts technical security related research and analysis and translates the results into meaningful input to the Information Security program.

IT Auditor/Compliance Analyst

Confidential Cordova, CA

Responsibilities:

  • IT Compliance Auditor: work with businesses across the organization in the design, test and implementation of new controls; assess compliance gaps and risks as required (e.g., provide input on any changes to scope in controls or processes required as a result of audit findings). Serve as primary liaison between auditing bodies such as: SOX PMO, IT security management, system administrators, database administrators, business stakeholders, and independent third-party auditor (PwC).
  • Control Executor: audit operating systems UNIX/Linux, AD (Windows), Oracle databases (Hyperion, OBIEE, eBS/Maestro) and applications (GRC, CCG) to assure that shared passwords for privileged service and non-service accounts on SOX servers in the production environment satisfy SOX 404 compliance, by auditing encryption parameters, the vaulting system, change management of root passwords, local common passwords, the account creation/termination process, scripts and reports, and by conducting interviews. Responsible for the full lifecycle of a control: gathering evidence, eliciting requirements, testing for accuracy and completeness, and audit walkthroughs.
  • Risk Assessments: audit Oracle e-Business Suite, Oracle RDBMS and UNIX/Linux security and access controls; evaluate operating effectiveness of existing controls and determine the impact of proposed changes to business processes, applications and systems; execute timely remediation of any audit findings to closure to circumvent initiation of a corrective action plan; articulate findings and related risks with auditees throughout the process.
  • PBC Audit Checklist: responsible for tracking and management of PBC (Provided By Client) used during the audit to conduct testing.
  • Risk Management Framework: responsible for ensuring compliance to NIST 800-53 (moderate baseline). Author policies and procedures in support of compliance framework and alignment to the System Security Plan. Perform control reviews (CAPs, Issues, Risks) as part of continuous monitoring to identify new risks, track findings against Federal security policies and guidelines, and management of Plan-of-Action and Milestone (POAM) to closure.
  • Security Compliance: responsible for ensuring defined security controls adherence by the primary vendor and subcontractors set forth by DoD, DFARS, NIST 800-53, FedRAMP, FIPS, FISMA, SOX, COBIT, COSO, SSAE, SOC, the contract, and other governing directives.
  • Technical Writer: responsible for design and implementation of formal artifacts such as: policies and procedures for new controls, security risk assessments, security exceptions, white papers, SOX process narratives, SOX work instructions, diagrams, and command media ensuring alignment and compliance to information security controls framework, state and federal regulations, and industry security best practices.

Security Analyst/Lead Auditor

Confidential Sacramento, CA

Responsibilities:

  • Security Risk Assessments: leverage governance, risk management, and compliance (GRC) platform to conduct and validate technical security reviews in alignment with CA-MMIS information security controls framework, state and federal regulations, and industry security best practices, culminating in the production of security risk assessment reports.
  • Internal Auditor: audit internal controls and security and privacy policies to ensure security related system and functional requirements satisfy security guidelines set forth by the State of California and industry security standards (e.g., NIST, FedRAMP, HITECH, HITRUST, FIPS, FISMA, EU GDPR, HIPAA, 21 CFR Part 11, ISO 2700X, PCI DSS, SOX, OWASP, COBIT, SSAE, SOC, OMB, ONC, SIMM, SAM, HAM) and contractual agreement.
  • SOC Lead Auditor: participated in vendor and independent third-party (KPMG) FY15-16 SOC audit set forth by the AICPA Trust Principles (SSAE 16 - SOC 2 and 3). Responsible for assessment of operating effectiveness of internal controls, and review of testing activity against control objectives. Provide holistic oversight of the vendor’s progress to remediate any audit findings to closure. Contributed to planning sessions for the future SOC 1-2-3 FY16-17 audit plan.
  • Internal Auditor: responsibilities include control reviews (CAPs, Issues, Risks) as part of continuous monitoring to identify new risks, track findings against Federal security policies and guidelines, managing Plan-of-Action and Milestone (POAM) to closure and mitigation planning and remediation of controls in the cloud environment.
  • Conduct risk assessments to evaluate the effectiveness of existing controls and determine the impact of proposed changes to business processes, applications and systems.
  • Continuity of Operations Plan (COOP): participated in disaster recovery/business continuity exercise, establishing the recovery point objective (RPO) and recovery time objective (RTO).
  • Security Posture/Maturity Assessment: contribute to the research/assessment of maturity level of the organization’s current security posture. Track gaps for current vs. future landscape.
  • Business System Analysis: assess user requirements, procedures and problems to automate or improve existing systems and review computer system capabilities, workflow and scheduling limitations. Collaborate with stakeholders and vendors to review Statement of Work (SOW), System Security Requirements (SSR), Business Requirements Document (BRD), System Requirements Specifications (SRS), Detailed Design Specifications (DDS), System Functional Design (SFD), General System Design (GSD), Technical Functional Design (TFD), and the contract, ensuring functional and technical requirements align to business requirements.
  • Technical Writer: responsible for developing formal artifacts such as: System Security Plan, Security Risk Assessment, Security and Confidentiality Plan, Incident Escalation Plan, Job Aids, Fiscal Intermediary Letters, Statement of Work, Business Associate Agreement, and other information system security documentation as defined by the vendor contract.
  • Incident Investigation: responsible for incident response/escalation procedures; leveraging standard incident response approach; gather information from all resources: threat reports, batch reports, log reports, vulnerability and threat identification mechanisms, containment and remediation of incident/breach; escalate findings to senior management.
  • Basic knowledge (not practitioner level) of vulnerability scanning procedures and tools (e.g., ACAS, SCAP), system hardening, penetration testing, and compliance assessment tools to oversee the implementation and enforcement of security policies.
  • System Design Changes: scrutinize proposed design changes for potential security breaches and alignment to existing service level agreements by leveraging the following: review proposed implementation plans, validation and test plans, and backout plans; validate penetration testing; review SOC playbooks; assess potential impact to environment; security hotfix installs; decommission of CA-7T jobs; timely patch installs; validate encryption parameters; provide recommendation to senior management and engineers for approval or request further clarity.

Technical Writer/Program Analyst

Confidential Sacramento, CA

Responsibilities:

  • Analyst assigned to the statewide (in-prison and community) implementation of the following CDCR programs: Automated Reentry Management System (ARMS), Reentry Hub Rehabilitation Address System (RHRAS), Integrated Protocol Television Integration (IPTVI), and eReaders. ARMS is a case management system (web-based solution) that offers holistic performance oversight of the collection, tracking, and data analysis of offenders, parolees and contracted provider programs. RHRAS is the kiosk component installed in reentry hubs preparing inmates for reentry into the community. IPTVI and eReaders are solutions in support of assisting inmates to successfully achieve milestone credits.
  • Technical Writer: author authority documents such as: Budget Control Proposals (BCP), Stage 1 Business Analysis (S1BA), Feasibility Study Reports (FSR), Economic Analysis Worksheets (EAW), Risk Registers, Special Project Report (SPR), and Project Summary Package (PSP).
  • Technical Writer: author onsite policies and procedures for the ARMS/RHRAS solution directly impacting the CDCR prison system; prepare all-inclusive reports that recommend solutions to improve operations and procedures. Authored instructor manual and user guide for the IPTVI.
  • Business Architect: responsible for business process review (BPR) work products; project budget and invoice/procurement processing; other deliverables include assembly of Labor Relations Packages leading to subsequent approval by various Division Chiefs. Duties include: acting liaison between the Office of Labor Relations (OLR) and DRP; interview/survey staff across CDCR.
  • Security Compliance Auditor: responsible for internal audit of the business associate (vendor), providers, and their subcontractors to ensure they comply with the Data Sharing Agreement (flow-down clause) defined by the CDCR ISO and legal department, as well as industry privacy and security GRC regulations such as: NIST 800-53 (SP), FedRAMP, FIPS, FISMA, HIPAA, CFR XX, ISO 2700X, COBIT, PCI DSS, SIMM, SAM, and other governing directives. Audit control/testing activity against control objectives set forth by AICPA and the client. Creation of security policies as warranted.
  • Business Process Reengineering: responsible for transformation of processes by leveraging analytical thinking, reviewing business process work products; rethinking complex business process problems and documenting results in a concise manner.
  • Conversant with new technology and delivery of technical information; engaging closely with internal/external stakeholders such as vendors, Project Managers, Division Chiefs, Parole Agents, Correctional Staff, Gang Intelligence Units, Analysts, and other stakeholders.
  • Business Intelligence Data Analytics: assemble statistical data and provide fidelity functions to support Office of Offender Services (OOS), Office of Correctional Education (OCE) and Office of Program Accountability and Support (OPAS). Assist in the development of databases.
  • Business Requirements Gathering: responsible for elicitation and concise documentation.
  • QA Replication/User-Acceptance Testing (UAT)/IV&V Lead.
  • Data Classification: in the context of information security, scope all information to determine the classification of data and, based on its level of sensitivity, determine appropriate technical security measures to protect, disclose, alter, or destroy data as required.

Senior IT Business Systems Analyst

Confidential Cordova, CA

Responsibilities:

  • Technical Writer/Auditor Project Authority Documents: Budget Control Proposals (BCP), Stage 1 Business Analysis (S1BA), Feasibility Study Reports (FSR), Economic Analysis Worksheets (EAW), Risk Registers, Special Project Report (SPR), Project Summary Package (PSP), Request for Information (RFI), and Post-Implementation Evaluation Reports (PIER) - all reportable to various executive agencies.
  • Financial Reporting/Auditing: leverage standard accounting and financial management principles for the holistic tracking of project budgets from existing configuration to proposed solution; formulate and audit Economic Analysis Worksheets (EAW) in support of projects to include: operational resources, time, contract services, proposed solution, alternative solutions, and other activities within project scope.
  • Security Compliance Auditor: responsible for ensuring defined security controls adherence by the business associate (vendors) and their subcontractors as set forth by NIST 800-53, FedRAMP, FIPS, FISMA, HIPAA, CFR XX, ISO 2700X, COBIT, SIMM, SAM, and other governing directives. Creation of privacy and security policies and procedures as warranted.
  • Familiar with State budgeting process, Strategic Administrative Manual (SAM), Statewide Information Management Manual (SIMM), Agency Information Management Strategy (AIMS), and CA-PMM toolkit.
  • Business System Analysis: responsible for analyzing user requirements, procedures and problems to automate or improve existing systems and review computer system capabilities, and scheduling limitations. Collaborate with stakeholders and vendors to review BRD, SOW, SFD, GSD, TFD, and the contract, ensuring technical requirements align to business objectives.
  • Fraud and Security Analytics: investigate and decipher indicators of criminal activity; mobile forensics; manage and map data for clandestine operations (decipher inmate phone calls/text messages) in support of the interdiction of contraband and other suspicious events; provide security insight; data mining; findings to be leveraged as evidence for investigations, seizures, and search warrants. Synthesis reportable to CDCR Secretary, Chiefs, Wardens, ISU members, and in partnership with federal agencies.
  • Data Warehousing: knowledgeable of MS SQL for the design and development of data repositories (storage size 5 GB to 15 TB); responsible for forecasting anticipated storage growth based on trending analysis of data extrapolated from various internal and external sources; manage the permissions and accessibility to highly confidential data.

Senior Applications Analyst

Confidential Sacramento, CA

Responsibilities:

  • Analyst assigned to the Amador County and Downtown Sacramento Sutter Health Affiliates in support of the Server Refresh project. Lead the implementation of integrated solutions to refresh current servers and operating systems identified as a high security compliance risk. Responsible for performing the planning, analysis, design, enhancements, major deployments, upgrades, support, and monitoring for various IT systems.
  • Business System Analysis: responsible for analyzing user requirements, procedures and problems to automate or improve existing systems and review computer system capabilities, workflow and scheduling limitations. Review BRD, SFD, TFD, and other artifacts, to ensure functional and technical requirements align to business requirements.
  • Information Security Compliance Auditor: in depth knowledge of NIST 800-53 (SP), FedRAMP, HIPAA, ISO 2700X, and other governing directives. Responsible for ensuring the business associate (vendors) and their subcontractors comply with system security requirements.
  • Strong acumen in system/application implementation from inception to deployment; leveraging Agile model of SDLC. Participate in all phases of the development life cycle of new and existing business applications and production systems support for client/server and web based applications; perform critical analysis of server readiness and functional and technical requirements to ensure alignment of the application version, virtualization solution (PTV), and interfaces. Perform physical security inspections as necessary.
  • UAT and IV&V Lead: develop test scripts; ensure user-interface and design specifications align.

Senior IT Business Systems Analyst

Confidential Sacramento, CA

Responsibilities:

  • Large-scale System Implementation: holistic oversight of the implementation of new system solution to replace legacy architecture; leveraging Scrum methodology in an Agile development environment. Establish project timelines, milestones, risks, total cost of sales analysis, and manage action items throughout release life cycle from initiation to deployment.
  • Internal Auditor: thorough understanding of core business applications and the interrelationship with supported business functions; analyzing organizational operating practices or procedures.
  • Information Security Compliance Auditor: in depth knowledge of NIST 800-53 (SP), FedRAMP, PHI/PII, HIPAA, SOX, and ISO 2700X; ensuring the business associate (vendors) and their subcontractors comply with information system security requirements defined in contract requirements. Creation of privacy and security policies and procedures as warranted.
  • System Development Life Cycle (SDLC): strong business acumen in system and application implementation, software installation and configuration, and data integration from legacy to new/next generation platform; articulate base configuration approach vs. customization parameters. Liaison between internal stakeholders and external customers/vendors in all aspects of product configuration to enhance our current market system.
  • Develop and execute UAT test scripts and scenarios, Business Unit Test Plans, Top Level Verification and Validation Test Plans, System Designs, Business Cases, and reusable procedures.

Senior IT Business Systems Analyst

Confidential Sacramento, CA

Responsibilities:

  • Ensure critical Tier 1 business processes are receiving appropriate attention and response. Conduct meetings with representatives of the business to discuss change releases and critical outage incidents, and the implementation of provisional updates to: infrastructure availability, custom monitoring, telephony, database and file system backups, network security, TCP/IP protocol and MIR2/MIR3 support. Familiarity with standard hardware platforms including Windows/UNIX/LINUX/AIX systems. Responsible for mapping of network routers, switches, nodes, firewalls, clusters and other network devices.
  • SOX and HIPAA Conformance: internal auditor responsible for performance oversight of SOX and HIPAA security and compliance measures, and identification of agreements in close danger of being breached. Holistic overview of contracts, billing and licensing agreements prior to application implementation.
  • Information Technology Auditor: internal auditor responsible for technology audits (i.e., Operating System, Database, Application, Enterprise Architecture and SaaS Integration, Disaster Recovery Containment).
  • Data Warehousing: collaborate closely with the Enterprise Data Warehouse team for the build and integration of master data management efforts, ensuring consistent business analysis across the enterprise; ensure RDBMS business needs are met.
  • Business Intelligence (BI) Reporting: strong acumen in reporting services tools (e.g., Oracle, Microsoft SQL Server, Remedy, Business Objects, Crystal Reporting, and Web Intelligence Reporting). Responsible for monthly departmental metrics reporting, leveraged for high level statistical trending analysis.

Analyst/Lifecycle Controls

Roseville, CA

Responsibilities:

  • Data Integrity: responsible for ensuring that the correctness, completeness, wholeness, processing, and identification of requirements for SLAs, OLAs, ECOs, DHFs, MCOs, BOMs, deviations, verification and validation test activity, marketing collateral, Declarations of Conformity, and other product lifecycle activity meet quality management system standards. May also suggest the execution of Corrective Action and Preventive Action management, and resolution of compliance gap remediation.
  • Business Process Analysis/Design: analyze business processes, identify pre-requisites and risks for new projects, assemble quality process improvement initiatives, monitor actionable metrics, and advise management and other key quality improvement stakeholders. Investigate and research issues of non-compliance and work with engineers to resolve issues of clarity.
  • Technical Writer: analyze, proofread, and interpret business documents, user guides, technical manuals, and other collateral to determine appropriate syntax, style, metadata, and legal identity.
  • Business Document Author: quality management process-based instructions, compliance procedures, training documents, Software Development Product Lifecycle (SDLC) mapping process, SOPs, SOIs, and other product lifecycle supporting documentation.
  • Quality Assurance and Validation Testing: partner with testing teams, engineers, and IT with test script creation, test case scenarios, user acceptance test case models, and end-user surveys for purpose of verification of intended use case models (IUCM); document functional and technical requirements.
  • Data Modeling CASE Tools: familiar with UML for the graphical representation of Entity-Relationship Diagramming (ERD) and Use Case Diagramming (UCD).
  • Business Intelligence Reporting: strong acumen in the synthesis of multiple datasets leading to the identification of data patterns; findings reportable to Engineering Review Board (ERB).

Analyst/Agile Product Lifecycle Management

Confidential Folsom, CA

Responsibilities:

  • Agile PLM Internal Auditor: review and process all product ecology submissions to ensure corporate guidelines conformity and legal requirements are met in accordance with applicable governing standards.
  • SAP Intelligence: SAP subject matter expert and instructor across the organization; manage performance oversight, query extraction, and report analysis in efforts to maximize profitability and holistically fulfill business processes and service solutions across the enterprise.
  • Product Lifecycle Management: filtration point for data consolidation and solution points assisting Project Managers, Product Development Engineers, IT, and other stakeholders with data integrity. Ensuring all phases of the lifecycle meet requirements criteria, ensuring product readiness for timely market launch.
  • Data Integrity: collaborate closely with Product Development Teams, Product Marketing Engineers, and subject matter experts; ensure quality of correctness, completeness, wholeness, soundness and compliance of data, all with acute attention to legal and regulatory compliance. This is achieved by cross-reference against similar entities, SOPs, SOIs, and other governing documents.
  • Extract and synthesize financial data at a cost center level. These reports also include the assessment and comparison of information to determine trends and if preventative measures are required.
  • Business Documents Author: author business process initiatives in support of translating best business practices into functional solution points. Proofread and ensure the timely submission of all Assistive Technology and Sales and Marketing collateral into the Agile PLM system of record repository to ensure legal and regulatory compliance measures are met in accordance with applicable FDA regulations.
  • Relational Data Modeling: responsible for the assembly and synthesis of multiple and large datasets extracted from various sources in support of tracking market penetration and predictive analysis, findings reportable to senior staff; responsible for ongoing maintenance and integrity of the databases.
  • Product Lifecycle Management Analyst: partner with Product Development Teams, Sales and Marketing, Product Marketing Engineers, Project Managers, and other stakeholders for the timely management of next generation product release ensuring all check points of lifecycle phases have been met prior to submission to senior level staff for ratification. This entails educating the organization of product lifecycle processes, governing SOI and SOP documents, and Total Quality Management (TQM) conformance.
  • Dashboard Reports: weekly status reports of projects, key trends, and business intelligence. Metrics include cost, time, requirements, risks, or other measures critical to the management team.
  • Collaborate closely with Channel Product Marketing Engineers, Technical Marketing Engineers, and field engineers in support of product release launches and product implementation of Intel campaigns targeted towards top-tier clients, VARs, OEMs, and other channel partners.
  • Data Hygiene: manage the protection, retention, and disposition of confidential material.
  • Verification and Validation Testing: support user-acceptance testing teams, engineers, and technicians with acoustic application analysis, shock and vibe testing, troubleshoot and resolve user interface issues, and document findings, risks and dependencies.