Over 7 years of Information Security experience in mainframe and client/server environments. CISA certified; ACF2 Certified Administrator, 6.1. Currently working as an Information Security Consultant performing gap analysis and project consulting for Sarbanes-Oxley Section 404. Previously employed as a contractor for the Unisys DoD Information Technology Security Certification & Accreditation Process (DITSCAP) Team, Fairfax, VA.
IBM PC compatibles, IBM Mainframe, AS/400, RISC 6000, Tandem Himalaya, DEC VAX, DG, HP, OS/390, Unisys A Series/1100, Tandem K Series, ACF2, RACF, CA Top Secret, JCL, CICS, CICSWS, TSO, CA/7, VTAM, VM, MVS/ESA, CA-11, DCL, BISYNC, ASYNC, IDS, IDMS, IMS, Oracle, DB2, DOS/VSE, Windows NT, UNIX, AIX, LAN/WAN, Ethernet, Intranet/Extranet, TCP/IP, IPX, SNA, Netware 4.x, Cisco Routers, User Manager, Vantive, Rumba, PC Anywhere, Btrieve, Guardian 90, Vanguard, NeXTSTEP, LDAP, Safeguard, PKI Entrust, Encryption, MS Office, Outlook, Lotus Notes, GroupWise, PeopleSoft, MQ Series, Active Directory (Hyena).
Oct 2011 - Present Confidential, Bloomfield Hills, MI
Assess and evaluate mainframe environment and security infrastructure as controlled by CA ACF2 security system. Determine the effectiveness of key internal controls, including new (development) and existing processes, systems and controls, CA-7, CA-Endeavor, CA-Harvest. Drive assessment of the significance of control gaps or deficiencies and actively participate in improvements to processes and the remediation of control deficiencies. Manage facilitation for key assessors and reviewers within the company to meet ongoing compliance requirements. Provide guidance for the process of maintaining high quality control design documentation and periodic effectiveness testing of key controls.
Oct 2010 - Dec 2010 Confidential, Tallahassee, FL
Performed an eight-week general assessment of the end client's current IBM mainframe security infrastructure, as controlled by the IBM RACF security system, based upon a competent and professional review of the existing security architecture, operation, organization and security audit findings. Performed quantitative analysis conveying primary security metrics such as userid counts, logging rates, enforcement levels, numbers of privileged users, numbers of users with security-bypass authority, new password requirements, obsolete userid counts, etc. Reviewed critical mainframe applications whose security is handled via RACF (dataset profiles/protections, access to CICS transactions, Started Task and Batch processes, etc.). Provided the client with a formal document describing the findings and recommendations resulting from this security assessment.
Sep 2007 - March 2010 Confidential, Portland, ME
Performed medium to complex information security reviews of new, modified, or critical applications, utilizing the information security review process to develop and present findings and plans that prevent, curtail, and minimize security vulnerabilities and incidents. Also conducted SOX and SAS 70 security reviews and PCI risk assessments of applications and infrastructure with industry standard security tools and methodologies based on federal, regulatory, external, and internal audit requirements (Ernst & Young). Participated in security projects that support the Information Security Program by using standard industry best practices, as well as company and program management methodologies and templates for projects, along with initiating corporate awareness policies supported by regulatory compliance, as well as enterprise-wide metrics and statistics on incidents and security threats for management to demonstrate effectiveness. Also functioned as a subject matter expert for securing networks, systems, and applications, and provided internal clients with security solutions in the design and operation of new and existing technologies.
Sept 2005 - Sept 2007 Confidential, Sacramento, CA
Responsible for Sarbanes-Oxley compliance, Intel data security, risk assessment, and authentication, authorization, and audit. Responsible for identity management, implementing products for security awareness, and command-line email encryption, along with designing and implementing security architecture and auditing network security controls and programs to protect the integrity, confidentiality, and availability of information resources. Supervised the audit project with responsibility for managing team members' performance and quality of output to meet the overall project objectives.
Primary duties consisted of leveraging in-depth knowledge of key IT focus areas (such as IT services and business processes, data centers, remote operating sites, network infrastructure, system software, both externally and internally facing business applications, and others) to ensure the team's successful development of their project's risk assessments, design of the SAS 70 audit program, and drafting and delivery of the audit reports (Deloitte and Touche). Secondary duties consisted of:
Reviewing audit work programs and testing documentation to verify that they are produced in accordance with the IA's Professional Practice Framework
Influencing and negotiating process improvements with business owners
Providing recommendations on the design of controls
Ensuring that identified control gaps are assigned for resolution
Verifying management’s resolution of completed action items
Developing and providing training to team members by sharing audit/content expertise in conjunction with proactively identifying emerging areas of risk and controls focus based on professional understanding of the business to effectively address those areas before they become audit findings.
Sept 2004 - Sept 2005 Confidential, Overland Park, KS
A $3.5B holding company providing freight transportation services and technology through its subsidiaries including Yellow Transportation, Roadway Express, New Penn Motor Express, Reimer Express, Meridian IQ, and Yellow Technology Services, Inc.
Reviewed, documented, and tested application controls, particularly automated controls, on a wide range of software application packages including PeopleSoft and Oracle Financials.
Responsible for coordinating, reviewing, and investigating the Information Technology internal controls documentation and processes to evaluate their adequacy and effectiveness and to ensure compliance with the Sarbanes-Oxley Act. (KPMG)
Developed and presented Information Technology process diagrams outlining risks and mitigating controls for completeness and accuracy using the COSO and COBIT frameworks.
Coordinated audits using the COSO and COBIT frameworks with a focus on network infrastructure, information security, disaster recovery, application controls, and systems development initiatives. (KPMG)
Performed interviews with company personnel and documented the application-level and entity-wide IS controls established to mitigate the risk of financial statement errors. (KPMG)
Conducted Sarbanes-Oxley IT compliance/audit training for information technology staff.
Aug 2003 - Aug 2004 Confidential, Charlotte, NC
Responsible for the development and ongoing maintenance of information security documentation including: policies, procedures, standards, guidelines, checklists, and policy exceptions.
Also assisted with security assessments, remediation planning, security product evaluation and testing, conducting technical security training, facilitating the risk management process, assisting in the preparation of security reports, presentations and vendor SOWs, and assisting with the incident response process. Duties also included analyzing ACF2, RACF and Windows NT/2000 (Active Directory, Hyena) group policy controls and administration (Sarbanes-Oxley), systems and processes; generating reports; and setting up jobs to perform remediation within OS/390 Open Edition, Tandem and AS/400 midrange environments.
March 2003 - June 2003 Confidential, Fairfax, VA
Information Security Consultant
Primary duties involved providing technical expertise and analytic support to Department of Defense (DoD) organizations by implementing computer security certification and accreditation procedures for automated information systems. Duties included conducting vulnerability and risk assessments, and conducting technical security reviews on MVS operating systems using CA-EXAMINE, CA ACF2, CA Top Secret and RACF, as well as ISS Network Security Scanner and SecurID.
Hands-on experience with DITSCAP, NIACAP and HIPAA standards as applied to the certification and accreditation four-phase process of all DoD and Civil Federal Government supported information systems.
Sept 2001 - Jan 2003 Confidential, Minneapolis, MN
Information Systems Security Group Consultant
Functioned as primary contact for data security projects and/or problems affecting successful business operations.
Executed and ensured timely completion of tasks involved in the implementation of new technologies (Windows 2000 Active Directory Group Policy administration, Hyena).
Reviewed problem logs in a timely manner and resolved questions (7x24) from users to determine the nature of reported problems and possible solutions.
Acted as a liaison with other Information Services departments as needed to assist in problem resolution; also consulted with internal, technical and business personnel regarding system security issues and practices in a multi-platform heterogeneous environment (Vanguard, RACF/OS/390).
Provided consultation regarding security policies, practices and procedures to internal and external clients.
Education / Other
CISA Certification, 2005
Technical Education, NASA - Goddard Space Flight Center, Greenbelt, MD 1979 to 1993
Operating Systems: OS/MVS, Computer Sciences Corporation, 1980, Certificate
Satellite Data Processing Concepts (NIMBUS, GALILEO), Computer Sciences Corporation, 1980
Telemetry Operations (LANDSAT), Computer Sciences Corporation, 1980, Certificate
ACF2 Certified Administrator, 6.1, Computer Associates, Hennepin County, Minneapolis, MN, 1998