Information Security Specialist Resume

SUMMARY

  • Detailed knowledge of security tools, technologies, and best practices, with particular emphasis on ISO 27001, ISO 27002, NIST, and Vendor Risk Management.
  • Over 5 years of experience developing SSPs, managing POA&Ms, auditing and evaluating, and performing Risk Assessments of a variety of information systems (General Support Systems), reviewing policies, conducting attestations, updating information security standards, and performing TPRM.
  • Develops, reviews, and evaluates System Security Plans (SSPs) based on NIST Special Publication SP 800-18 requirements.
  • SIG Questionnaire overview.
  • Performs comprehensive assessments and writes reviews of management, operational and technical security controls for audited applications and information systems.
  • Develops and conducts ST&E (Security Test and Evaluation) according to NIST SP 800-53A and NIST SP 800-53.
  • Experience in ServiceNow as a GRC tool, SharePoint, and Jira.
  • Develops, reviews, and evaluates controls based on ISO 27001, ISO 27002, and PCI DSS.
  • Compiles data to complete Residual Risk Reports and enters the contents into the POA&M tracking tool.
  • Ability to multi-task, work independently and as part of a team.
  • Strong analytical and quantitative skills.
  • Conducted third party risk assessments (vendor Risk).
  • Microsoft Office/Microsoft 365.
  • Ensures all remediations are completed within the stipulated time.
  • Effective interpersonal and verbal/written communication skills.
  • Microsoft Outlook.
  • PeopleSoft.

PROFESSIONAL EXPERIENCE

Confidential

Information Security Specialist

Responsibilities:

  • Working with subject matter experts (SMEs) to write and update information security standards, guidelines, and procedures.
  • Ensuring that controls are vetted with the Information Security team, Legal, and other key business and information technology partners from across the globe.
  • Driving the prioritization and creation of a work plan for reviewing and updating governance documentation.
  • Presenting new and/or updated documents to the ISR Governance & Change Committee and obtaining its approval.
  • Coaching and training writers, reviewers, and approvers in the use and functionality of PolicyTech, the document management software and repository.
  • Assisting with the development of metrics and dashboards to keep management informed on the adoption of controls and various trends.
  • Facilitating the information technology self-assessments (attestations) of the published controls.
  • Creating entity types and connecting control objectives to entities (applications).
  • Ensuring the education of end users on the policies, procedures, accountability, and threats necessary to maintain security.
  • Assisting both business and IT with ideas on how to become compliant with published controls.
  • Developing, reviewing, and evaluating controls based on ISO 27001, ISO 27002, and PCI DSS.

Confidential

Third Party Risk Management Analyst

Responsibilities:

  • Assisted in developing and maintaining the TPRM framework.
  • Administered the third party risk management questionnaire used for assessments.
  • Reviewed vendor risk assessment responses.
  • Communicated TPRM requirements to the client and vendors.
  • Managed department files and reviewed SOC reports.
  • Assisted in documenting all vendors associated with the company.
  • Prepared questionnaires and all documentation needed to assess vendors before they are considered for onboarding.

Confidential

A&A Engineer

Responsibilities:

  • Responsible for uploading data for accreditation review and importing data elements from the ATO.
  • Provided cyber security testing and security control validation and assessment of technical and non-technical security features implemented on a system or network in support of the RMF A&A process.
  • Identified key stakeholders in A&A efforts and ensured system documentation reflected current system security configurations, including hardware and software components, data flow, interconnections, and ports.
  • Worked with A&A team members and government customers to resolve issues.
  • Identified potential risks associated with system configuration and advised on mitigation.
  • Participated in A&A status meetings and facilitated moving systems toward a successful A&A effort.
  • Created a test plan to determine the controls to be tested as well as the methods of testing.
  • Conducted thorough reviews of all vulnerabilities, architecture, and defense-in-depth strategies and reported findings in the POA&M document.
  • Analyzed, interpreted, and applied Federal cybersecurity guidance to customer needs.
  • Uploaded data for accreditation review, importing data elements from the ATO letter.
  • Conducted security assessments and maintained familiarity with all respective events.
  • Reviewed relevant artifacts (System Security Plan (SSP), Security Assessment Report (SAR), Privacy Impact Analysis/Assessment (PIAA)) to ensure they provided accurate information to support issuance of an accreditation decision.
  • Participated in creating and updating customer-facing metrics and presentations designed to provide situational awareness of the status of A&A packages and products.
  • Provided a weekly activity report to the program manager.
  • Collaborated with other team members in cybersecurity.

Confidential

IT Security Analyst/A&A

Responsibilities:

  • Conducted structured security certification and accreditation (C&A) activities utilizing the Risk Management Framework and in compliance with Federal Information Security Modernization Act (FISMA) requirements.
  • Conducted Business Impact Analyses (BIA) to analyze mission-critical business functions and to identify and quantify the impact if those functions are interrupted.
  • Conducted IT system testing based on the appropriate analysis and review techniques provided by NIST.
  • Developed and updated information system security documentation (e.g., System Security Plan, Contingency Plan, Contingency Plan Test, Business Impact Analysis, FIPS-199, e-Authentication, Privacy Threshold Analysis, Privacy Impact Assessment, System of Records Notice).
  • Knowledgeable in the NIST SP 800 series, including SP 800-60, SP 800-53, SP 800-53A, SP 800-18, SP 800-34, SP 800-62, SP 800-37, and SP 800-137.
  • Assessed the adequacy and efficiency of security controls by updating the Security Control Assessment Plan (SCAP), Security Test & Evaluation (ST&E) Report, and Security Assessment Report (SAR).
  • Planned, executed, and reported on IT system vulnerability root causes and mitigation recommendations.
  • Provided security reviews of system documentation, audit logs, rule sets, and configurations to validate policy compliance. Reported IT security incidents in accordance with established procedures.
  • Planned, developed, implemented, and maintained an Incident Response and Audit Program for events of interest, and addressed Plans of Action and Milestones (POA&Ms) in continuous monitoring with various points of contact.
  • Planned, scheduled, coordinated, prepared, executed, and documented the results of test plans and test scripts, and provided lessons learned for incident response, contingency, and continuity of operations drills, exercises, and activities.
  • Effectively communicated technical information to non-technical personnel via email, face-to-face meetings, and periodic bulletins.
  • Participated in meetings to discuss system boundaries for new or updated systems to help determine information types for categorization purposes. Determined the classification of information systems to aid in selecting appropriate controls for protecting the system.