SUMMARY:

• 8 yrs. in Data Security Frameworks & Compliance Standards 10 yrs. in Cybersecurity Project Management
• 16 yrs. in overall Privacy, Data Security, and Cybersecurity 8 yrs. in Application, OWASP
• 6 yrs. built & managed data center (securing servers, databases, network devices, and production & development environments)
• Provide cybersecurity solutions that meet and exceed the demands of PCI DSS 3.2
• Possess an in - depth knowledge of and apply Payment Card Industry Security Standards
• Verify and assess the security of POS (Point of Sale) ecommerce applications and devices
• Security Rule requirements for administrative, physical, and technical safeguards
• Breach Notification Rule requirements
• HITECH & Omnibus Final Rule: Implement business associate liability shift & enforce compliance to security rule, secure EMR
• NIST SP R1: An Intro Resource Guide for Implementing the HIPAA Security Rule
• NIST SP R1: Guide for Conducting Risk Assessments
• NIST SP: Guide for Applying the Risk Management Framework to Federal Information Systems
• NIST SP R4: Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP A R4: Assessing Security & Privacy Controls in Federal Info Systems & Orgs: Building Effective Assmnt Plans
• NIST SP: Technical Guide to Information Security Testing and Assessment

PROFESSIONAL EXPERIENCE:

Managing Director, Security Architect

Confidential, Orem, Utah

Responsibilities:

• Put in place IAM Security Best Practices for HIPAA Compliance.
• Grant least privileges
• Create and used IAM roles instead of root and service accounts
• Required MFA (multi factor authentication) and federated access for other departments
• Implemented strong and secured audit logs

Confidential

GRC Security Consultant-

Responsibilities:

• Conducted risk assessment, measuring the organizational risk posture
• Produced report showing Capability Maturity Model (CMM) levels of maturity in the organizational processes in line with Centers for Medicare & Medicaid Services plicies(CMS)
• Worked towards improving the risk maturity rating
• Conducted HIPAA physical security reviews
• Interviewed organizational leadership for procedure discovery of privacy and security protocols
• Propel strong security compliance that derive from cybersecurity standards:
• PCI DSS 3.2
• HIPAA- OCR Audit Protocol
• Security Rule requirements for administrative, physical, and technical safeguards
• FISMA
• NIST SP 800 Series- Follow Business processes and standards, implement into organizations as needed.
• Risk Management
• Conduct Risk Management initiatives (Needs/Gap Analysis, data and system classification, select and prioritize security controls)
• Business as Usual (BAU)
• Lead compliance assessments of applications/networks in data centers/ Azure, AWS Cloud environments
• Formulate Policies, Processes & Procedures (PPP)
• Train client’s team members on PPPs using Business Process Modeling (BPM)
• Security Control Implementations for On Prem and Cloud environments ((Windows, Mac, and Unix, Servers, & cloud systems)
• Synchronized Security, Cloud Cybersecurity, Endpoint and Server Protection, Mobile Device Management- MDM, Data Loss Protection- DLP for PCI and HIPAA

Executive Team (CISO, CTO), Risk Management, Cybersecurity Consulting

Confidential, Utah

Responsibilities:

• Develop plans to execute for short term and long term corporate objectives and roadmaps.
• Took an active role in developing strong team members by assigning and directing work. Hired and trained staff members.
• Ensure in-house IT initiatives are integrated with business objectives by working with departments to assess business needs.
• Instruct on carrying out a continuous security monitoring program
• Conducted and led compliance assessments of applications and networks in corporate data centers and Cloud environments (Microsoft Azure, Amazon AWS, and Armor).
• Formulated Policies, Processes & Procedures (PPP)
• Trained client’s employees on PPPs using Business Process Modeling
• Managed source code review for customers via Paladion, our Service Provider partner, (train on secure coding practices to meet OWASP and PCI Standards)
• Implemented mobile device management MDM), Endpoint and Server Protection, Ransomware Protection, Next Gen Firewall, Data Encryption

Information Security/Risk Management Consulting

Confidential, Riverton, Utah

Responsibilities:

• Fulfill global business objectives by balancing cybersecurity controls benefits in response to quantified risks.
• Integrate cybersecurity standards and best practices into the business processes to prevent and mitigate cybersecurity exposures.
• Using a custom GRC dashboard and platforms (ServiceNow, Agiliance RiskVision), I provided Cybersecurity posture visibility to senior management, and security personnel. Managers and managing directors had portfolio dashboards to track progress and help them make decisions moving the organization toward security milestones.
• Continuous Cybersecurity Monitoring (Assess, Remediate, and Reporting) of Windows, Mac, and Unix PC's, Servers, and cloud systems.
• Conduct Security Assessments of internal cybersecurity controls, PCI DSS, and HIPAA
• Minimum Security Standards, Maturity Level 1, Maturity Level 2, etc.
• Review and translate audit findings, gathering artifacts/evidence, recommend remediation, and validate mitigation plans.
• Weekly review, delegate and address high risk cybersecurity events
• Mitigation of risk caused by human behavior
• Review and address the results of red/blue team penetration tests of security systems and processes.
• Conduct application cybersecurity and network architecture reviews in data centers within the US, abroad, and in Cloud environments (Microsoft Azure, Amazon AWS).
• Web Services (SaaS, IaaS), ensure cybersecurity is incorporated into the SDLC (OWASP and PCI DSS Standards)
• Enterprise thin/thick client server systems,
• Distributed computing systems and devices, including mobile.
• Policy, Process and Procedure (PPP)
• Direct dissemination of PPPs by Directors and Security Leads to all their team members
• Train personnel on understanding and resource management for execution of PPPs
• Review and approve change requests
• Firewall rules/data flow changes,
• Modifying staff’s “Need to Know” access and security permissions to system components and data,
• Align re-classified data and systems to a higher security environment.

Privacy, Risk, Data Security, and Cybersecurity Consulting

Confidential, Provo Utah

Responsibilities:

• Communicated the need for the organization to move forward on Risk Assessment, Business Impact Assessment and Needs/Gap Analysis. Collaborated with the Information Security Officer to assist in understanding the organization’s Enterprise Risk Management.
• Put in place a BPM (Business Process Modeling) process needed to better meet HIPAA compliance.
• Created a BA (Business Associate) workflow to meet the HITECH & Omnibus Rule (Implement BA liability shift & enforce BA compliance to the Security Rule)
• Provided cybersecurity expertise to the Information Security Officer, CIO, and Legal to assist in refining their current BA agreements and their risks understanding.
• Delineated BA's obligations and HIPAA security requirements so Revere Health was better able to renegotiate terms and whether a BA replacement was required.
• Interviewed BAs to understand their Cybersecurity posture. Outlined cybersecurity remediation options.
• Selected CIS Top 20 Critical Security Controls (SANS Top 20) for use at Revere
• Implemented Tenable SecurityCenter to address 15 out of the 20 Critical Security Controls
• Inventory H/W Assets, Inventory S/W Assets, Secure Configuration of Servers (Hardening),
• Vulnerability Assessment & Remediation, Malware Protection, Application Cybersecurity, Wireless Device Control,
• Secure Config-Network Devices (Hardening), Limit & Control Network Ports, Protocols & Services (IDS/IPS Firewall) on Win, Mac, and Unix.
• Put IAM Cyberecurity Practices and technologies for HIPAA Compliance.
• Grant least privileges and controlled Admin privileges (Role Based Access Control)
• Create and used IAM roles instead of root/service accounts
• Implemented strong and secured audit logs
• Maintain, Monitor & Analyze Audit Logs via SIEM.
• Account Monitoring & Control (Identity Management), Data Loss Prevention (DLP), and Incident Response.
• Proposed an achievable development program for all pertinent personnel.
• Data Security: SANS Top 20 CSCs
• Business as Usual: Project Management Principles, Application, Daily Work Routines (GTD- Getting Things Done)
• Compliance: HIPAA and PCI DSS using:
• NIST SP R1: Guide for Conducting Risk Assessments
• NIST SP R4: Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP R1: An Introductory Resource Guide for Implementing the HIPAA Security Rule
• Possess understanding of networking and various cybersecurity products/technologies.
• Firewalls- Cisco PIX
• IDS/IPS- Cisco Adaptive Security Appliance (ASA)
• Access Control- Microsoft Dynamic Access Control (DAC)
• Network Access Control- Microsoft NAP
• SIEM- Tenable Security Center
• Vulnerability Assessment- Tenable Security Center, Nessus, Qualysgard.
• Network Traffic Analysis- Tenable Security Center, Wireshark, Splunk
• AntiVirus/Malware- Kaspersky (Win, Mac)
• Computer Forensics- Kali Linux, Autopsy (The Sleuth Kit), FTK Imager (Drive and Memory snapshot), GetDataBack

IT Auditing

Confidential

Responsibilities:

• The scope of the audits focused on performing IT capital asset audits focusing on performing IT trend reporting, physical inventories, IT capital assets identification discrepancies, and tracking
• Produced systematic audit reports of results and findings
• Advised individual sites on risk management, best practices, due diligence and due care of complex systems and environments in an effort to mitigate network outages

Infrastructure Engineering

Confidential, Riverton UT

Responsibilities:

• Supported global users by addressing ITSM/HP Service Manager support incidences in a call center like environment
• Modeled/analyzed customers’ IT infrastructure, applications & services to HPSM/ITIL v3 framework
• Took part in the Remedy to HPSM migration & HPSM uCMDB rollout
• Mitigate continual improvement initiatives with Pareto Analysis
• Generate ad hoc & automated web BI reports using SAP Business Objects, Pivot Tables & SQL queries
• Consulted w/internal IT service providers to define their SLAs & help meet their service level targets
• Took ownership of developing the Microsoft SharePoint reporting & communication intranet portal for the ITSM team

IT Business Workflow & Web Services Consulting

Confidential, Richmond, CA

Responsibilities:

• Advise the IT Director of Information in handling data and creating greater transparency for IT industry compliancy at local, state, and federal levels
• Guiding arm regarding the nuances and consequences of adequate and lack of Due Diligence and Due Care
• Developing a streamlined and robust Change Management System
• Advising the development of the information security/cybersecurity policies & procedure, social media policies, internal storage/sharing policies and comprehensive recruiting guidelines
• Planning future Google Apps migration for all campus and school-board personnel
• Developing a new Joomla website for a pleasant user experience, optimal functionality, and ease of web administration

Founding Member

Confidential, American Fork, UT

Responsibilities:

• Strong technical and business approach in the areas of strategic planning, business development, project management, and system engineering
• Put together the SaaS developer and design teams
• Acquainted with Venture Capital funding approaches

Statistical and Technical Engineering

Confidential, Lehi, UT

Responsibilities:

• Business Analysis Tasks- created goals, developed strategic direction, involved with continuous improvement initiatives, & ran daily team meetings with accompanying presentations
• Exceeded production efficiency doing daily production analysis
• Ran projects (informed stakeholders, monitored schedules, and engaged in constructive meetings).
• Regularly set performance records resulting in at least 20 recognitions & s from management, team members & other departments
• Excelled in statistical data analysis (query databases, six sigma, analyzed statistical charts, create daily reports) which contributed to exceeding corporate goals

Founding Member, Board Member

Confidential, Pleasanton, CA

Responsibilities:

• Performed all IT security reporting, including SOX and PCI assessments, using data security best practices and precursor of:
• NIST SP: Technical Guide to Information Security Testing and Assessment
• NIST SP R4: Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP: Guide for Conducting Risk Assessments
• Work with our developers to secure our web application and databases; used OWASP guidance.
• Daily/weekly activities comprised of Access Control, Network Security, Information Security Governance and Risk Management, Software Development Security, Cryptography, Cybersecurity Architecture and Design, Operations Security, Business Continuity and Disaster Recovery Planning, Legal-Regulations-Investigations and Compliance, and Physical (Environmental) Security
• Built out and maintained the data center, built all servers, and production and development environments (Oracle database, SQL database, MySQL database, Exchange email, Active Directory/Kerberos domains, DMZ and development zones, DNS, file storage, IIS and Apache web servers, IDS/IPS firewalls, SIEM and Proxy)
• Lead Research and Development for designing new SaaS modules, improving User Experience using SDLC and Agile software development, and improved application cybersecurity by routinely doing OWASP code reviews
• Successfully led over 15 major company projects resulting in of short term and long term goals.
• Re-engineered business workflows for improvement of company operations.
• Increased sales by designing marketing tools, promotional/sales material, website content, and directed the creation of the customers' product user manual

Founding Member

Confidential, Walnut Creek, CA

Responsibilities:

• Analyzed complex processes, assessed risks, evaluated for efficiencies and identified opportunities for improvement.
• Identified internal controls issues, ensured they were well-defined and root causes were analyzed.
• Ensured compliance to PCI DSS (formerly Cardholder Information Security Program, CISP), HIPAA, and other standards.
• Obtain a detailed understanding of Private Client Services’ (PCS) core IT processes and probed for opportunities to aid IT and cyberecurity management in gaining process efficiencies.
• Performed in-depth analysis of the entire PCS architecture (OLAP, AS400 mainframes, PCS backup/recovery systems, telecom circuit lines and infrastructure) to find solutions for failure prevention and contingency plans.
• Directed and oversaw national resolution efforts for LMS stock trading system failures.