
Security Control Assessor Resume


Washington, DC

SUMMARY:

Competent IT Security Analyst with 6 years of experience in Information Security, with a focus on Confidential, the Confidential Risk Management Framework (RMF), system categorization, and security control selection, implementation, assessment, authorization and monitoring, in an effort to mitigate risk and vulnerability of the system.

PROFESSIONAL EXPERIENCE:

Security Control Assessor

Confidential, Washington, DC

Responsibilities:

  • Operate the Risk Management Framework using Confidential 800-37 as Confidential guide and FIPS 199 as Confidential guide to categorize information systems.
  • Classify information systems using the RMF processes to ensure system confidentiality, integrity and availability.
  • Select security controls using Confidential 800-53 Rev 4 as guidance, based on system security categorization.
  • Document selected security controls in the SSP, which was created earlier using Confidential 800-18.
  • Determine the likelihood of risk occurrence using Confidential 800-30 as Confidential guide.
  • Most of my current projects are focused on RMF phase 4 (assessing security controls).
  • Effectively engage in the assessment process: preparing for the assessment, conducting the assessment, communicating assessment results, and maintaining the assessment.
  • Coordinate, participate in and attend weekly Confidential forums for security advice and updates.
  • Use the implementation section of the System Security Plan (SSP) to address how each control is implemented (frequency of performing the controls, control types and status).
  • Create the SAP to document assessment schedules, control families to be assessed, control tools and personnel, the client's approval for assessment, assessment approach and scope, and ROE if vulnerability scanning is involved.
  • Determine the assessment method (examining policies and procedures, interviewing personnel and testing technical controls), using Confidential 800-53A as Confidential guide.
  • Create a Risk Traceability Matrix (RTM) in which to document assessment results (pass/fail).
  • Prepare Security Assessment Reports (SAR) in which all the weaknesses are reported.
  • Create Plans of Action and Milestones (POA&M) to trace corrective actions and resolve weaknesses and findings.
  • Conduct Confidential Privacy Threshold Analysis (Confidential) and Privacy Impact Analysis (PIA) where necessary by working closely with the Confidential and the System Owner.
  • Review Confidential & Confidential package items.
  • Set up and participate in the assessment kick-off meetings per Confidential SP 800-53A.
  • Prepare Confidential package documents (SSP, SAR, POA&M reports, and the Confidential & Confidential package) to enable the Authorizing Officer to make Confidential risk-based decision to sign the Authorization to Operate (Confidential).
  • Determine threat sources and apply security controls to reduce risk impact.
  • Conduct risk management by identifying, assessing, responding to and monitoring risk.
  • Use POA&M tracking tools such as CSAM (Cyber Security Assessment and Management) and Excel spreadsheets to make sure POA&M items do not fall into delayed status.
  • Ensure that controls are implemented correctly, functioning as intended and producing the right results.

Cyber Security Analyst

Confidential Technologies, Washington, DC

Responsibilities:

  • Conducted assessments of management, operational and technical security controls.
  • Determined security categorization using Confidential 800-60 Vol. 2 as an information guide.
  • Selected security controls using Confidential 800-53 Rev 4 as guidance, based on system security categorization.
  • Prepared Security Assessment Reports (SAR) in which all the weaknesses are reported.
  • Created Risk Traceability Matrices (RTM) in which pass/fail assessment results were documented.
  • Worked with Confidential and the security assessment team to assess the selected security controls.
  • Reviewed Privacy Impact Assessment (PIA) documents after Confidential positive Confidential were created and ensured PII findings were recorded in the System of Records Notice (SORN).
  • Provided audit briefings to the agency and the Information Systems Security Officer (Confidential), ensuring that all findings were documented in the POA&M within their Trusted Agent Confidential (TAF) tool.
  • Applied risk assessment to system security, using Confidential 800-30 to determine the likelihood of risk occurrence.
  • Managed Security Control Assessment schedules for the client's systems to ensure systems remain compliant with Confidential and Continuous Monitoring requirements.
  • Prepared and updated the Confidential requirements in the Confidential & Confidential package, ready for the system authorizing officer to make Confidential risk-based determination based on the risk level reported.
  • Performed Confidential Government-wide program that provides Confidential standardized approach for security assessment, authorization and continuous monitoring of cloud products and computing services on multi-agency systems, in accordance with Confidential security control baselines.
  • Conducted Security Assessments to determine if controls were implemented correctly, operating as intended and meeting desired objectives/results.
  • Examined policies and procedures, interviewed personnel on the controls tested, and conducted screenshot testing of the system configuration of technical controls.
  • Managed vulnerabilities with the aid of Nessus vulnerability scanners to detect potential risks on Confidential single or multiple assets across the enterprise network.
  • Determined sources of threat and weaknesses to the system.
  • Performed vulnerability testing (looking for missing patches, weak password settings, retention of the system's default access password, and unnecessary services not disabled).
  • Monitored controls post-authorization to ensure continuous compliance in accordance with Confidential guidelines in Confidential 800-137 for security control continuous monitoring.
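The vulnerability-testing bullets above (Nessus scans for missing patches, default passwords and unnecessary services, with the results carried into the SAR and POA&M) are the one hands-on technique on this resume. As an added example, not part of the resume and not the candidate's or any employer's code, the Python below parses a constructed .nessus v2 export, drops informational items, buckets each weakness into those classes, maps each class to the SP 800-53 Rev 4 control it most directly tests (SI-2, IA-5, CM-7, with CM-6 as the fallback; that mapping and the keyword lists are this example's assumptions), and collapses the findings into POA&M-style rows, one per control and plugin with every affected host listed. The plugin IDs in the sample are placeholders, not real Nessus plugin numbers.

```python
"""Triage a Nessus .nessus export into control-assessment findings (added example).

Parses the NessusClientData_v2 format, skips informational items, buckets each
weakness (missing patch, default/weak credentials, unnecessary service) and maps
it to the SP 800-53 Rev 4 control it tests. The XML is a constructed sample.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
RANK = {label: -num for num, label in SEVERITY.items()}  # sort key: Critical first

# Weakness class -> SP 800-53 Rev 4 control most directly tested (this example's mapping).
CONTROL_FOR = {
    "Missing patch": "SI-2",                    # Flaw Remediation
    "Default or weak credentials": "IA-5",      # Authenticator Management
    "Unnecessary or insecure service": "CM-7",  # Least Functionality
    "Other configuration weakness": "CM-6",     # Configuration Settings
}
PATCH_FAMILIES = {"Windows : Microsoft Bulletins", "Red Hat Local Security Checks"}
PATCH_WORDS = ("security update", "missing patch", "unsupported version", "outdated")
CRED_WORDS = ("default password", "default credential", "weak password", "blank password")
SERVICE_WORDS = ("telnet", "ftp server", "rsh", "rlogin", "finger", "tftp")

# Constructed sample export: two hosts sharing one critical, plus an info item to skip.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="constructed-sample">
<ReportHost name="10.0.0.5">
 <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900001"
  pluginName="Microsoft Windows SMB Server Missing Security Update" pluginFamily="Windows : Microsoft Bulletins">
  <solution>Apply the vendor security update.</solution></ReportItem>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900000"
  pluginName="Nessus Scan Information" pluginFamily="Settings"/>
</ReportHost>
<ReportHost name="10.0.0.7">
 <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900001"
  pluginName="Microsoft Windows SMB Server Missing Security Update" pluginFamily="Windows : Microsoft Bulletins">
  <solution>Apply the vendor security update.</solution></ReportItem>
 <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3" pluginID="900002"
  pluginName="Default Password 'admin' for 'admin' Account" pluginFamily="Default Unix Accounts">
  <solution>Change the default password and enforce the password policy.</solution></ReportItem>
 <ReportItem port="23" svc_name="telnet" protocol="tcp" severity="2" pluginID="900003"
  pluginName="Unencrypted Telnet Server" pluginFamily="Misc.">
  <solution>Disable telnet and use SSH.</solution></ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""


def classify(plugin_name, plugin_family):
    """Map a plugin to the weakness class an assessor would report it under."""
    name = plugin_name.lower()
    if plugin_family in PATCH_FAMILIES or any(w in name for w in PATCH_WORDS):
        return "Missing patch"
    if plugin_family == "Default Unix Accounts" or any(w in name for w in CRED_WORDS):
        return "Default or weak credentials"
    if any(w in name for w in SERVICE_WORDS):
        return "Unnecessary or insecure service"
    return "Other configuration weakness"


def parse_nessus(xml_text):
    """One finding per non-informational ReportItem, highest severity first."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            severity = min(int(item.get("severity", "0")), 4)
            if severity == 0:  # informational output, not a weakness
                continue
            name, family = item.get("pluginName", ""), item.get("pluginFamily", "")
            category = classify(name, family)
            findings.append({
                "host": host.get("name", "?"),
                "port": f'{item.get("protocol", "tcp")}/{item.get("port", "0")}',
                "severity": SEVERITY[severity],
                "plugin_id": item.get("pluginID", ""),
                "name": name,
                "category": category,
                "control": CONTROL_FOR[category],
                "solution": (item.findtext("solution") or "").strip(),
            })
    findings.sort(key=lambda f: (RANK[f["severity"]], f["host"]))
    return findings


def summarize(findings):
    """Counts by severity and by control: the two tables a SAR usually opens with."""
    return (Counter(f["severity"] for f in findings),
            Counter(f["control"] for f in findings))


def poam_rows(findings):
    """Collapse to one POA&M weakness per (control, plugin), listing every affected host."""
    rows = {}
    for f in findings:
        row = rows.setdefault((f["control"], f["plugin_id"]), {
            "control": f["control"], "severity": f["severity"],
            "weakness": f["name"], "remediation": f["solution"], "hosts": []})
        row["hosts"].append(f'{f["host"]} {f["port"]}')
    return list(rows.values())


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print("By severity / by control:", *summarize(found))
    for row in poam_rows(found):
        print(f'{row["control"]:<5}{row["severity"]:<9}{row["weakness"]} -> {", ".join(row["hosts"])}')
```

Run against a real export by replacing SAMPLE_NESSUS with the file's contents; the informational filter (severity 0) is what keeps scan metadata out of the weakness list, and grouping by (control, plugin) rather than by host is what turns a per-host scan into the per-weakness rows a POA&M tracks.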
