Security Analyst Resume Profile

Objective:

  • Seeking a senior Information System Security Assurance position in a growth-oriented organization with a focus on system security assessment, auditing, audit engagements, risk assessment, testing of information technology controls, and compliance.
  • IT Controls / Frameworks / IT Audit Standards: COSO/COBIT, SOX, FedRAMP, ITIL, ISO 17779, FISMA Risk Management Framework, FISCAM, DLP, Data Security, PCI DSS 6.5, PCI DSS 6.6, General Computer Controls, Application Security Validation Standard, Compliance Testing, Vulnerability Scans, Project Management, Risk Assessment, Risk Mitigation, Change Management, Configuration Management, Continuous Monitoring, Security Maintenance, Contingency Planning Policies and Procedures, Boundary Protection, Trusted Internet Connection, Managed Trusted Internet Provider Service, Incident Response, Malware Protection, Physical Security, Computer Operations, Environmental Security, Traffic Analysis, Network and Wireless Security, OS Security, Web Security, Personnel Security, OMB Circular A-130 Appendix III, Consulting, NIST 800-53, NSA Guide.
  • Software / Hardware / Platform / Technology: Hypervisor, Unix/Linux, SQL Server, Sybase, LDAP, ACS, CSM, RADIUS, RSA SecurID, Metasploit, VMware, Windows, PeopleSoft, LAN/WAN, DLP, TPM, HSM, Remote Access, Wireless Network, IPsec, VPN, MPLS, DMZ, IDS, Check Point, Juniper, Endpoint Protection, McAfee ePO, Cisco Routers/Switches, Cisco ASA, Cisco ACS, F5 BIG-IP Load Balancer, FireEye, Blue Coat Proxy, IronPort, WAF
  • Imperva, NAC, VDI, Oracle DB, MongoDB, PostgreSQL, Enterprise Service Bus, Service Oriented Architecture, GIS, Clarity, Quest's, Remedy, Agile software development.

Professional Affiliations:

Information Systems Audit and Control Association (ISACA), the Institute of Internal Auditors (IIA).

Experience:

Confidential

  • Created and established the risk assessment framework for the FCC General Support System using NIST SP 800-30 Rev. 1. Identified and validated with the Security Operations Center the relevancy of the 138 new threats listed (adversarial and non-adversarial), then consolidated the relevant threats into threat events/scenarios to capture the following capabilities: reconnaissance, malicious activities, exploits and compromise, attack vectors (internal, external, supply chain threat), the physical and logical environment, and the common shared infrastructure.
  • Determined the overall risk standing of the Enterprise Architecture using the relevant threats, the associated impact level, the countermeasures in place to thwart the threats, the associated risk and its pervasiveness, and submitted the report to the system owner with recommendations for security control tailoring and implementation as common or hybrid controls.
  • Established the FCC GSS accreditation boundary in three services identified as Transport services (remote access, load balancers, routers, switches, DNS, DHCP, NTP, domain controllers), Security services (NAC, firewall, security monitoring, malware protection, WAF, IPS, IDS, anti-spam, anti-virus, DLP) and Enterprise services (Active Directory, VMware, SharePoint, GIS, SOA, helpdesk, servers, Exchange, operating systems, databases, SAN, desktops, printers, mobile devices, media, unified communications). Reviewed the General Support System inventory to identify and map assets by subnet while reviewing their software versions.
  • Assisted with the creation of the existing artifacts (PIA, PTA) and created literally from scratch the following artifacts: FIPS 199, e-authentication assessment report, RAR, and System Security Plan for the FCC GSS SA&A efforts.
  • Reviewed and documented the security control implementation on switches, routers, remote access technologies, wireless networks, firewalls, and servers. Created POA&Ms for substandard controls in place and non-compliant security controls.
  • Reviewed and tested the security functions of licensing and financial applications within the development environment using directory traversal, account creation, password complexity, input validation, field protection, URL injection, escaping, fuzzing, unsuccessful login attempts, and error handling testing methods; provided results and made recommendations on how to apply compensating controls within the FISMA requirements while minimizing additional development effort.
  • Reviewed the scan report and ensured that remediation efforts were carried out before code was uploaded to UAT.
  • Assisted the Privacy Officer with the update of the existing PTA and PIA, and created the following artifacts for the SA&A efforts before applications were moved to production: FIPS 199, e-authentication assessment report, System Security Plan, and POA&M.

Confidential

Security Analyst

  • Perform continuous quality assurance reviews of IT security control effectiveness to ensure all applicable areas of the OMB and National Institute of Standards and Technology compliance criteria (FIPS 199, NIST SP 800-37, SP 800-60, SP 800-53) were met. Develop, implement and carry out risk mitigation strategies. This includes tracking, controlling and communicating outages and changes to the network infrastructure, systems and applications to keep all departments up to date with IT maintenance activities, to prevent loss of data and services, and to ensure any unplanned changes or outages are quickly detected and investigated. Evaluate the Disaster Recovery Plan and the backup/restore procedure to determine the recovery capabilities in the event of a disaster and the availability of information required to resume processing.
  • Perform periodic recertification reviews of end users in agency general support systems to ensure that users are authorized and have current access privileges. Periodically monitor the existence of necessary services, applications and protocols running on servers and network devices. Develop a more thorough approach to track and mitigate patch management and configuration management vulnerabilities identified during monthly scans.

Confidential

C&A FISMA Specialist

C&A: Helped guide System Owners and ISSOs through the Certification and Accreditation (C&A) process, ensuring that management, operational and technical controls for securing either sensitive Security Systems or IT Systems are in place and are followed according to federal guidelines (NIST 800-53). This includes ensuring that appropriate steps are taken to implement information security requirements for IT systems throughout their life cycle, from the requirements definition phase through disposal. Additional responsibilities include assurance of vulnerability mitigation, training on C&A tools, supporting System Test and Evaluation (ST&E) efforts and other support to the IT Security Office. Worked with C&A team members and senior representatives to establish and define programs, resources, schedules, and risks. Responsibilities include participation in site or application assessment tasks. Participated in areas of planning, training, and preparation for contingency and disaster recovery operations.

Confidential

Risk Analyst/ SOX 404 Compliance Testing

  • TC l3 Conducted the IT risk assessment and documented the controls. Conducted meetings with the IT client team to gather evidence. Developed test plans and testing procedures, and documented test results and exceptions. Participated in the SOX testing of GCC Information Security, Operations for UNIX and Windows servers, access control, applications and databases, and environmental controls (mostly key controls). Performed IT operating effectiveness tests in the areas of security, operations, change management, and email authentication. Developed the audit plan and performed the General Computer Controls testing of Information Security, Business Continuity Planning, and Client Satisfaction. Identified gaps, developed remediation plans, and presented final results to the IT Management team.
  • Other Language Skills: Fluent in French (read, write, speak).