Information Technology Auditor Resume Profile
WORK EXPERIENCE
Information Security Specialist
Confidential
Responsibilities
- Performed cyber security bank audits, including social engineering tests.
Accomplishments
- Resolved banking oversight issues relating to cyber security; strengthened bank information security by discovering weaknesses in the information security posture and recommending how to address them.
Skills Used
- Utilized the Social Engineering Toolkit, Kali Linux, Hyena, Nexpose, and custom scripts during cyber security audits.
Information Assurance Analyst
Confidential
At the headquarters of the Department of Homeland Security (DHS), participated in development of a revised, risk-based DHS FISMA scorecard. Conceived and developed an ongoing cyber security authorization methodology which includes continuous monitoring, the inheritance of data center and Component common controls, and enforcement of change control to permit focus upon only what changed since the initial authorization to operate was granted. Researched automated cyber security software tools for use in continuous monitoring and security authorization, including Xacta and McAfee tools. Researched the impact of moving to NIST SP 800-53 Version 4. Conducted headquarters review of DHS Component certification packages.
Information Assurance Analyst
Confidential
- Improved Cyber Security Program Management Office (PMO) processes within the Department of Energy. Developed process defect measurement to support implementation of a PMO transformation focused on achieving improved results.
- Reviewed and commented on Cyber Security and Information Assurance Interagency Working Group, NIST, White House National Security Staff, and Department of Homeland Security Information Assurance plans, strategy, guidelines, and pre-decisional executive orders.
Information Assurance Analyst
Confidential
- Prepared process documentation for the Defense Logistics Agency, covering SAP financial system access controls, change controls, disaster recovery, help desk, technical infrastructure, and application problem management. Reviewed and recommended improvement of functional specifications, internal control implementation and design, data mapping, and edits and validations for key controls over financial application systems.
Information Systems Security Officer
Confidential
Developed Certification and Accreditation documents, including security flaw remediation implementation, for Homeland Security Investigations intelligence systems, Immigration and Customs Enforcement, Department of Homeland Security. Directed the activities of the cyber security team's application system and technical infrastructure systems security assessment, from planning to generation of systems engineering solutions addressing cyber security findings of vulnerabilities. Wrote and directed the implementation of the plan of action and milestones (POA&M) mitigation plans. Developed cyber security plans detailing Intelligence Systems specific security safeguards, operating characteristics, and technical IT system internal controls needing to be implemented. Wrote the cyber security certification package. Wrote and tested the application systems contingency plans. Performed technical vulnerability assessment, logging and monitoring, security incident handling, and other information assurance activities. Developed and implemented IT monitoring systems and procedures. Oversaw and conducted table-top disaster recovery exercises for application systems. Approved all changes to IT infrastructure and application systems. Planned and oversaw migration to real-time mirrored data disaster recovery. Experienced using RMS and Trusted Agent FISMA tool sets, monitoring compliance with the DHS 4300A Sensitive Systems Handbook, FIPS 200 and 199, and NIST 800 series Special Publications, including 800-53, 800-53A, 800-18, 800-30, and 800-60. Conducted application systems cyber security vulnerability testing using automated tools and manual testing.
Information Systems Security Engineer
Confidential
Accomplished significant forward changes in cyber security posture enterprise wide. Conducted forensics investigations involving cyber security breaches. Developed hardware and software product selections and cyber security feature configuration plans for the Metropolitan Washington Airports Authority and their third-party contracted IT service providers. Directed completion of corrective actions, including encryption of data. Performed single sign-on planning. Assisted in planning and implementation of Tripwire and Sourcefire IDS monitoring solutions. Selected targeted areas for review; initiated and managed technical information systems reviews from start to finish. Evaluated alternative means of correcting discovered vulnerabilities. Held kick-off and exit meetings, wrote audit reports, and maintained policy, procedures, and audit standards. Executed cyber security vulnerability scans with Nmap and Nessus.
Information Technology Audit Supervisor
Confidential
- Managed information systems audits for Inspector General Federal government clients: Federal Communications Commission, Environmental Protection Agency, DC Courts.
- Executed technical vulnerability assessments with Nmap and Nessus scans for FISMA in support of certification and accreditation. Evaluated potential solutions and developed mitigation plans.
Senior Consultant, Global Public Sector
Confidential
- Client: Veterans Administration (VBA): Provided functional requirement analysis and project management for deployment of automated audit trails and automated reconciliation of detail sub-ledgers to the general ledger. Assisted with planning and implementing application system regression tests. Executed quality assurance services in support of the CMMI Level 3 certification of a large development team. Experience with Informatica and Serena software tools.
- Client: Fannie Mae: As part of this information technology engagement team, provided financial restatement and current financial reporting Sarbanes-Oxley Section 404 IT control testing. Performed information security reviews and risk assessment. Identified gaps in internal controls and developed remediation measures based upon analysis of alternative solutions to information security weaknesses. Recommended security software products and configuration changes. Areas covered included review of regression testing results, access controls, change controls, segregation of duties, and logging and monitoring. Special assignments included reviews of general computer controls specific to Unix and Tandem operating system platforms and their hosted computer application systems.
- Client: Housing and Urban Development (HUD): Performed FISMA-based information technology A-123 control assessment for HUD, including certification and accreditation review based on NIST security control requirements (Special Publication 800-53). Developed the test approach, documented the control environment, identified issues for remediation, and wrote the information technology section of the A-123 report, including alternative mitigation actions. Recommended configuration changes.
IT Audit Sarbanes-Oxley Consultant
Confidential
Conducted Sarbanes-Oxley IT security reviews of the effectiveness of internal control over financial reporting (Sections 302 and 404 of the Sarbanes-Oxley Act). Performed general controls audits, including risk assessment, controls documentation, test preparation, access re-certification, user provisioning, and controls testing. Areas of focus included technical access controls, network security test plans, change control, physical facilities security, operating system integrity, and disaster recovery testing. Responsible for designing Sarbanes-Oxley compliance methodologies for multiple Fortune 500 clients. Developed configuration changes and recommended security software alternatives to meet the need for security controls. Conducted reviews of clients' IT infrastructure and supporting procedures to identify SOX-related risks, vulnerabilities, and remediation. Developed and executed detailed audits to review controls over application development processes. Audited IT controls of a Microsoft SQL Server environment.
IT Specialist/ Risk Manager
Confidential
- Experience with implementation of cyber security controls over SQL injection and cross-site scripting, and conducted forensics investigations. Provided daily cyber security management of production network security systems such as firewalls, intrusion detection, antivirus, patch management, and data encryption. Evaluated operating system, database, and network configurations for cyber security vulnerabilities, threat sources, and risks. Identified mitigation steps and procedures, allocated resources, selected intrusion detection products, and directed mitigation efforts.
- Performed security testing of SAS data mining and business analytics. Produced cyber security plans, risk assessments, and contingency plans. Used MS SharePoint for version control of certification package components. Managed a team of cyber security professionals implementing the IT security program, network security operations, and FISMA reviews of IT security controls. Directed the deployment of cyber security measures and re-tested to ensure implementation was successful. Assisted in development and implementation of contingency plans. Implemented cyber security self-audits and in-house web-based software development self-testing, access re-certification, and user provisioning. Developed cyber security benchmarks and metrics. Developed and implemented intrusion detection system continuous monitoring. Researched and deployed cyber security products and services. Recommended process changes to reduce information technology risks, uncovered root causes of cyber security problems, and improved communication of roles and responsibilities.
- Surveyed and evaluated vendors and solution providers. Developed forecasts of new cyber security vulnerability exposure. Presented written analysis of cyber security market trends, information security vendor functional fit to requirements, and implementation best practice. Consulted with the parent organization on cyber security policy development and exercised leadership over policy implementation. Experience with Citrix, SAS data marts, Active Directory, Microsoft Windows networks, .NET, and Xiotech. Also, experience with OCTAVE risk and control assessment, Xacta IA Manager, SecureInfo, Foundstone, Bindview, the Nessus vulnerability scanner, and the SPI Dynamics WebInspect web application vulnerability scanner.
Systems Security Engineer Project Manager
Confidential
Managed a team of 24 cyber security engineers and analysts working on reviewing and critiquing the implementation of security products and practices. Reviewed Federal IT systems software using manual tests of host and network configuration on UNIX and MS Windows. Utilized Internet Security Systems' (ISS) Internet Scanner and ISS Database Scanner to audit system software, Oracle database, and network security configuration. Assessed the cyber security capability maturity level of Federal Civil Agencies as part of the NIST-sponsored FISMA (then GISRA) assessments, and wrote the mitigation options report. Used in-depth knowledge of FISCAM, the National Information Assurance Certification and Accreditation Process (NIACAP), GISRA, and NIST special publications to plan and perform reviews. Developed recommendations for cyber security control improvement for the Federal Emergency Management Agency (FEMA), the Department of the Interior (DOI), the Environmental Protection Agency (EPA), the National Science Foundation (NSF), and the United States Patent and Trademark Office (USPTO). Improved the cyber security posture of Federal Government enterprise-wide cyber security programs and integrated superior security performance within the life cycle for EPA, NSF, and USPTO. Devised a patch management process and a system security lifecycle process for NSF. Experience with access re-certification, user provisioning, and certification and accreditation of networks and major applications, including cyber security tests and evaluations and FIPS publication encryption for NSF and USPTO.
Senior Information Assurance Engineer
Confidential
Initiated an internal audit/quality control self-review and cyber security program at the Health Care Financing Administration (HCFA, now CMS) covering vulnerability assessment, access re-certification, user provisioning, risk assessment, review of security controls, and cyber security program planning. Identified sensitive information stores and data in transit. Initiated a project to re-authorize authentication and access control. Planned and conducted HIPAA and FISCAM-based reviews and developed alternative remediation strategies for external audit findings. Wrote and influenced adoption of key cyber security policy and procedure changes. Instrumental in strategic planning for successful implementation of emerging technologies. Researched, planned, and developed HCFA's HIPAA-compliant Enterprise Information Technology Cyber Security 3-Zone Architecture governing future information technology deployment. Provided SABSA- and FEAF-based IT security architecture expertise.
Systems Engineer
Confidential
Reviewed security of Lockheed Martin Corporation's human resources and benefits/payroll administration system. Conducted a survey, performed gap analysis, and developed security requirements. Coordinated security control integration of PeopleSoft HR benefits/payroll with existing legacy and SAP ERP systems.
Senior Technical Information Systems Auditor
Confidential
- Experience with advanced data extraction techniques. Recreated complex financial application logic. Wrote and maintained Audit Command Language (ACL) data analytics scripts in support of the year-end financial audit.
- Identified established business rules and re-performed control activities and financial system calculations on physical assets. Compared results of internally developed scripts to the financial application results. Developed tools for security access reporting. Conducted IT infrastructure and technical systems technology audits. Performed technical computer security research, analysis, and internal audits of computer security controls. Developed a white paper for senior management comparing the security assurance capability of the Windows network operating system and UNIX. Audited SAP Basis controls. Formulated the evaluation approach and conducted electronic commerce systems development audits.
Information Technology Auditor
Confidential
Information Technology Auditor
Confidential
Information Technology Auditor
Confidential
Senior Internal Auditor
Confidential
Experience with advanced data extraction techniques. Performed technical audits of IBM mainframe security configuration.
Senior Internal Auditor
Confidential
EDP Auditor
Confidential
Recreated complex financial application logic. Wrote and maintained Audit Command Language (ACL) data analytics scripts.
Internal Auditor
Confidential
