IT Audit Resume
Columbia, SC
Summary of Experience
Over 30 years' experience in IT and over 20 years of Security/Risk/Compliance/Audit experience. I have created and implemented strategic plans and the operational frameworks necessary to create the security programs necessary to meet the company's needs, along with addressing compliance and audit issues involving security for multi-billion-dollar international companies. Other areas of expertise include: SDLC, networking, applications, Operating Systems, databases, QA, access and identity management to include role-based access and segregation of duties.
Significant Positions Held:
VP and CISO, Risk and Reliability Division, IndyMac Bank
VP IT Audit and Fraud, Wells Fargo Bank
CISO, Palmetto GBA (Medicare Company)
Partner, LP Risk Services (IT Audit, Security & Compliance firm)
Education and Technical Certifications
M.B.A., Technology Management
B.A., Management
Certified Information Systems Auditor (CISA)
Certified Information Systems Security Professional (CISSP)
Certified Information Security Manager (CISM)
Certified in the Governance of Enterprise IT (CGEIT)
Certified in Risk and Information Systems Control (CRISC)
U.S. Army, Command and General Staff College
Employment Experience
Confidential, 2008 to Present
Chief Information Security & IT Compliance Officer
- Responsible for the day-to-day security requirements for Palmetto GBA, including access (identity management/provisioning), firewalls, IDS, encryption, configuration management and incident response.
- Currently managing over $20mm in compliance, audit and security improvement projects
- Manage, track and report on over 10,000 compliance/legal requirements
- Manage the IT Audit department and coordinate all external audits
- Responsible for the monitoring, auditing, compliance and infrastructure necessary to support the Company’s compliance with HIPAA and NIST 800-53.
- Responsible for budgets, P&L, outsourcing and capital projects for security, infrastructure and strategic projects for the entire company
- Responsible for the security of Palmetto infrastructure, applications and services both internally and those attached to Palmetto from external sources.
- Responsible for the strategic plan for the IT Division
- Responsible for Incident Management and Response
- Responsible for Identity and Access Management for over 100 applications
- Manage and update the corporate training for security, compliance, rules of behavior and privacy
- IDS (host and network), firewall and virus responsibility for the company
- Role-based access implementation and segregation of duties.
- Identity Management.
- Conduct a review of any new systems, applications, devices, etc. prior to their being put into production to ensure that all security and compliance requirements are met
- Conduct monthly vulnerability assessments and patch management
- Responsible for the Disaster Recovery and Business Continuity plans to ensure that Palmetto can meet its contractual obligations
- Responsible for ensuring that all audit and regulatory requirements (FISMA, HIPAA, HITECH, NIST 800-53, etc.) are met and effective
- Physical access and two factor authentication
Confidential, 2004 to 2008
Partner IT Auditing Services (Major Clients: Confidential)
- Provide security reviews (penetration tests, etc.) for national and international companies
- Provide guidance and attestation services to companies in the area of SOX, FFIEC, PCI, HIPAA, OTS, OCC, SAS70 and IT compliance.
- Identity Access Management Programs.
- Role-based access implementation and segregation of duties
- Identity Management.
- Perform security reviews of architecture to include settings, policies, procedures and effectiveness of the architecture.
- Work with companies to ensure that their ERP systems (Oracle, SAP) are secure and that they will pass regular and compliance audits.
- Conduct reviews of process improvements such as ITIL, ISO, COBIT/COSO to ensure that the correct control set is in place.
- Create automated solutions to reduce cost, error rate and time it takes to complete an audit/compliance control.
- Review privacy policies to ensure that the company limits its legal exposure.
- Manage audit staffs for multi-national corporations to ensure timely completion of risk-based audits.
- Perform audits in Europe and Asia as well as North America for clients requiring knowledge of privacy laws and different audit frameworks worldwide.
Confidential, 2000 to 2004
Vice President and CISO, Risk & Reliability Division
- Created and managed the Risk and Reliability Division, composed of the following departments:
- IT and corporate security (virus, firewalls, IDS, etc)
- Security help desk
- Release management
- QA
- IT policies and procedures
- Business continuity program (business resumption, disaster recovery and emergency response)
- IT compliance and audit and regulatory relationships.
- Oversaw an annual personnel budget of $4 million and staffing of 55.
- In conjunction with this role, I was responsible for determining new data center requirements, finding a new data center location, developing the new infrastructure for the data center (to include redundancy, high availability and new tape backup systems) and getting senior management approval and funding for this $11.5 million project.
Confidential, 1998 to 2000
Audit Consultant
- Responsible for writing new audit plans and documenting audit work for both internal and external audit review, to include federal regulatory agencies.
- Reviewed all controls, both procedural and automated, for new applications and technology to ensure that they were appropriate and comprehensive.
- Wrote and conducted audits on projects involving Secure Electronic Transaction (SET), Firewalls, PKI, Proxy Servers, Smart Cards, SSL3, Encryption and E-commerce.
- Monitored and evaluated all Disaster Recovery plans and tests. Responsible for reviewing and testing IBM MVS security and disaster recovery plans.
Confidential, 1993 to 1997
Manager IT Audit
- Responsible for managing, auditing, consulting and project leadership of a variety of IS projects for Sun-Maid Raisins, Sunsweet Prunes, Diamond Walnuts, Valley Figs, and Oregon Hazelnuts.
- Developed and implemented all audit programs for a variety of computer systems and applications, including: UNIX, Sybase, Novell 3.x & 4.x, Windows applications, UNISYS mainframe, VMS and Client/Server applications.
- All audit documentation had to meet Internal Audit Association standards. Project manager for the installation of the company's first LAN using Novell NDS.
Confidential, 1988 to 1993
Vice President IT Audit/Fraud
- Managed the IT audit program for all of Wells Fargo Bank. Had a department of 10 IT auditors.
- Managed the internal fraud program. This program was designed to identify employees who either committed fraud against the company or violated the code of conduct.
Confidential, 1972 to Present
Automation Manager
- Managing a MicroVAX/VMS computer center and Microsoft NT LAN. Installed and maintained a mobile IBM mainframe.
- Responsible for designing, procuring, and installing all data processing equipment for the 91st Division. Past assignments have included fielding of mobile IBM mainframes and PC LAN systems and creating disaster recovery plans for all army data centers in the Pacific. Obtained the rank of Lieutenant Colonel.
Professional Accomplishments
- Certified Information Systems Auditor (CISA)
- Certified Information Systems Security Professional (CISSP)
- Certified in the Governance of Enterprise IT (CGEIT)
- U.S. Army, Command and General Staff College
Platforms: UNIX, AIX, IBM Mainframe, VMS, NT
Networking: Secure Electronic Transaction (SET), Firewalls, PKI, Proxy Servers, Smart Cards, SSL3, Encryption and E-commerce, Novell, Active Directory
ERP: Oracle, SAP, Lawson, MAS 500, Hyperion, Timberline
Databases: IMS, Oracle, Sybase, MS SQL, Access, IDMS, VSAM
Standards: SOX, ISO, HIPAA, SAS70, PCI
Frameworks: COBIT/COSO, ITIL, EU Privacy, Safe Harbor Act, California Privacy laws
Programming: COBOL, databases, ERP development, Software development
