Manager It Audit Resume Profile

Summary

  • Over 30 years experience in IT and over 20 years of Security/Risk/Compliance/Audit experience. Created and implemented strategic plans and the operational frameworks necessary to support these programs in over 20 countries. My combination of technical knowledge and risk background allows me to create comprehensive programs that are cost effective, reduce risk and minimize the impact to the operation side of the organization.
  • Significant Positions Held:
  • VP and CISO, Risk and Reliability Division,
  • VP IT Audit and Fraud, Wells Fargo Bank
  • CISO and Compliance Officer,
  • Partner, LP Risk Services

Employment Experience

Confidential

Chief Information Security IT Compliance Officer

  • Maintains all documentation for the SSO department including
  • Policies and Procedures
  • SAS 70/SSAE 16, A-123, SOX, CFO audits are supported
  • Risk assessments
  • Ensure compliance with HIPAA
  • Ensure compliance with Medicare rules
  • 4 full time IT auditors
  • Audit and Compliance
  • Review and approval of all Business Risk Justifications as required to accept vulnerability findings
  • Reviews and coordinates all security scans to ensure remediation for all Medicare assets using Nessus, SRR reviews and IP360 scans
  • Vulnerability Management
  • Conducts weekly, monthly, quarterly and annual re-certification of accesses
  • Owns integration of NIST 800-53 Appendix A into the day-to-day operations of the company
  • Conducts the daily, weekly, monthly and quarterly reviews as necessary
  • Provides a single access point for all requests for access to all applications for internal and external users.
  • Manages and project leads all aspects of the Security Management Applications
  • Security Management
  • Currently managing over fifty projects to improve Security, Compliance and Privacy with a total value of 20 million plus. Major projects include procuring and installing CA Asset Management system and Hitachi Identity Management Solution. Won the Palmetto GBA annual innovation award for the Automation of Security Compliance in 2012. Many of the projects are managed across functional lines with teams in many locations, reporting to different managers. Projects for security and compliance include over 13,000 employees and confidential records of over 100 million individuals.
  • Manage the Security, Risk Management and Compliance Programs includes the following 10 departments with a staffing of 50
  • Ensures all documentation is reviewed every 365 days
  • Business Continuity Program
  • Plans for Disaster Recovery and Business Continuity Plan
  • Coordinates DR/BCP tests
  • Awareness and Training
  • Conducts initial security training for new hires and transfers
  • Conducts annual security refresher training within every 365 days
  • Conducts Rules of Behavior training and receives signed attestation from each individual that they have had the training and understand the rule
  • Configuration Management
  • Desktops are configured to FDCC standards
  • Servers, OS and devices are configured to STIG standards
  • Incident Response
  • Intrusion detection systems are in place for both the network and hosts
  • Monitors activity on a real time basis to determine if a possible incident has occurred
  • Follows up and reports on any incidents to CMS
  • Media Protection
  • Ensures that controls are in place to protect data
  • Sanitization and Disposal is done in accordance to NIST 800-88
  • Risk Assessment
  • Conducts at least annually a risk assessment to the NIST 800-37 standard
  • Conducts the annual FISMA review
  • Maintains ISO certification

Confidential

Partner IT Auditing Services

  • Provide security reviews penetration tests, etc. for national and internal companies
  • Provide guidance and attestation services to companies in the area of SOX, FFIEC, PCI, HIPAA, OTS, OCC, SAS70 and IT compliance.
  • Identity Access Management Programs.
  • Role based accesses implementation and segregation of duties
  • Identity Management.
  • Perform security reviews of architecture to include settings, policies, procedures and effectiveness of the architecture.
  • Work with companies to ensure that their ERP systems (Oracle, SAP) are secure and that they will pass regular and compliance audits.
  • Conduct reviews of process improvements such as ITIL, ISO, COBIT/COSO to ensure that the correct control set is in place.
  • Create automated solutions to reduce cost, error rate and time it takes to complete an audit/compliance control.
  • Review privacy policies to ensure that the company limits its legal exposure.
  • Manage audit staffs for multi-national corporations to ensure timely completion of risk based audits.
  • Perform audits in Europe, Asia as well as North America for clients requiring knowledge of privacy laws and different audit frameworks worldwide.

Confidential

Vice President and CISO, Risk Reliability Division

  • Created and managed the Risk and Reliability Division, composed of the following departments:
  • IT and corporate security virus, firewalls, IDS, etc
  • Security help desk
  • Release management
  • QA
  • IT policies and procedures
  • Business continuity program business resumption, disaster recovery and emergency response
  • IT compliance and audit and regulatory relationships.
  • Oversaw an annual personnel budget of 4 million and staffing of 55.
  • In conjunction with this role I was responsible for determining new data center requirements, finding a new data center location, developing the new infrastructure for the data center to include redundancy, high availability and new tape backup systems and getting senior management approval and funding for this 11.5 million project.

Confidential

Audit Consultant

  • Responsible for writing new audit plans and documenting audit work for both internal and external audit review to include federal regulatory agencies.
  • Review of all controls, both procedural and automatic for new applications and technology to ensure that they were appropriate and comprehensive.
  • Wrote and conducted audits on projects involving Secure Electronic Transaction (SET), Firewalls, PKI, Proxy Servers, Smart Cards, SSL3, Encryption and E-commerce.
  • Monitored and evaluated all Disaster Recovery plans and test. Responsible for reviewing and testing IBM MVS security and disaster recovery plans.

Confidential

Manager IT Audit

  • Responsible for managing, auditing, consulting and project leadership of a variety of IS projects for Sun-Maid Raisins, Sunsweet Prunes, Diamond Walnuts, Valley Figs, and Oregon Hazelnuts.
  • Developed and implemented all audit programs for a variety of computer systems and applications, including UNIX, Sybase, Novell 3.x 4.x, Windows applications, UNISYS mainframe, VMS and Client/Server applications.
  • All audit documentation had to meet Internal Audit Association standards. Project manager for the installation of the company's first LAN using Novell NDS.

Confidential

Vice President IT Audit/Fraud

  • Managed the IT audit program for all of Wells Fargo Bank. Had a department of 10 IT auditors and 15 fraud investigators
  • Managed the internal fraud program. This program was designed to identify employees who either committed fraud against the company or violated code of conduct. Program was highly effective in reducing compliance and fraud issues.

Confidential

Automation Manager

  • Managing a MicroVAX/VMS computer center and Microsoft NT LAN. Installed and maintained a mobile IBM mainframe.
  • Responsible for designing, procuring, and installing all data processing equipment for the 91st Division. Past assignments have included fielding of mobile IBM mainframes and PC LAN systems and creating disaster recovery plans for all army data centers in the Pacific. Obtained the rank of Lieutenant Colonel.