Security Officer Resume Profile
NY
Chief Information Security Officer/Engineer
Summary
- Fifteen years of information security risk and governance management in two highly regulated industries: state government and financial services.
- Fifteen years of developing security policies and standards and reviewing processes for compliance with governance objectives using COBIT 5.
- Fifteen years of developing risk compliance, monitoring and reporting programs.
- Twenty years of producing security requirements for new system implementations.
- Seven years of developing and maintaining security and risk related KPIs/KRIs within IT.
- Developed a secure code development program using Fortify, with the end goal of application security in line with OWASP Top Ten compliance.
- Developed a vulnerability management program using Nessus, Qualys, NMAP and other tools. Created performance standards. Made use of third-party services to support the program.
- Have developed risk reporting programs using Archer.
- Rebuilt SIEM program using ArcSight, QRadar, syslog and other logging and review tools.
- Implement, test and report on information security issues.
Technical Skills
- Security Tools: Checkpoint and Juniper firewalls, NMAP, Nessus, Fortify, syslog, ArcSight, WebInspect, BlueCoat, SOCKS5, Helix
- Identity Management: MS Forefront Identity Manager
- Databases: MS SQL, Oracle (more from a security and access perspective)
- Encryption/PKI: PGP and Entrust
- Operating Systems: Linux, Solaris, Windows (server and desktop), Novell
- Administration: MS Office Suite, including Visio
Professional Experience
Confidential
Global IT Security Director
Responsible for developing the IT security program worldwide, with additional responsibility for compliance recommendations and acting as SME for the cyber insurance program.
Key Contributions:
- Conducted company-wide security assessment using COBIT 5 principles.
- Developed and tested breach response plan.
- Created company's PCI compliance program.
- Worked with IT to develop event management.
Confidential
Chief Information Security Officer
Responsible for the information security posture of this state agency. Directed six people to achieve information security governance objectives. Advised management of IT risk concerns. Reviewed third-party engagement agreements. Aligned security infrastructure with State Cyber Security Mandates under OCS policy and related Federal guidelines. Drafted policy to support the above initiatives and meet HIPAA, HITECH and FISMA compliance. Used ISO 27001/2, NIST and COBIT 5 as policy guidance.
Key Contributions:
- Implemented Archer to facilitate the governance, risk and compliance strategy.
- Developed application security program and managed implementation.
- Drafted major policy initiatives and presented to senior management for approval.
- Developed web server security standards to protect agency and customer data. Managed implementation, including intrusion detection.
- Developed threat analysis program to classify the handling of data security threats.
- Developed policy for regular scans using Nessus and managed mitigation of the results.
- Conducted risk analysis on systems to determine risk posture.
- Directed regular risk-based assessments and penetration tests.
- Worked with administration on physical security issues.
- Worked with Internal Controls in user provisioning and de-provisioning.
Confidential
Senior Security Engineer
Designed and maintained Checkpoint/Nokia firewall infrastructure to support Internet and Market Data areas. Implemented various IT security initiatives. Worked with the CIO in developing security policy for North America. Conducted audits on systems to be deployed. Worked with British/German auditing authorities to support ISO 17799, as well as US authorities to support Sarbanes-Oxley and SAS 70 audits. Worked with the trading community to install new trading system applications and support existing ones.
Key Contributions:
- Instrumental in developing and implementing standards for Sun and Nokia implementations.
- Implemented both ISS RealSecure and Snort for various IDS requirements. Used both Riocco and Netoptics sensor taps. Updated Snort as needed.
- Worked with various auditing entities, both internal and external, to audit the environment. This included SAS 70 and COBIT-based audits as well as ISO 17799 audits by German and British banking authorities. Conducted gap analysis on systems not meeting specifications and coordinated their immediate resolution/mitigation.
- Migrated Sun environment to use NIS and Symark's PowerBroker to mitigate security risks on audited systems.
- Provided consultation and security/configuration assessment of new trading system applications. Worked with both vendor and business users on implementation for a fully secure and auditable deployment.
- Implemented TACACS and SecurID to meet various authentication requirements, using Active Directory as the authentication back-end. Created a functional Kerberos authentication program. Tested various LDAP servers (Sun and Novell) for eventual deployment.
- Implemented BlueCoat's SG proxy, Permeo's eBorder SOCKS5 proxy and Firewall Toolkit's plug gateway to meet corporate IT security application proxy requirements.
- Built and maintained Sun servers for various applications. Developed hardening standards for the Infrastructure group, including hardening using JASS and scanning using NMAP.
- Integrated Active Directory with BIND DNS, including reverse name resolution.
- Worked with less experienced and new team members to familiarize them with the environment. Acted as consultant to internal business users to make our security initiatives less of an obstacle.
Confidential
Technology and Operations
Promoted to focus on and maintain the networking and security infrastructure and support the network's ever-expanding use. Managed the activities of four people and provided guidance in eight other offices. Promoted the use of the network as a strategic expansion of the law firm's practice, which encouraged collaboration among offices in similar practice areas. Worked with other ADs to plan and budget firm-wide projects and submitted the annual budget for infrastructure initiatives.
Key Contributions:
- Implemented the firm's first WAN initiative, mainly on Nortel Bay Networks equipment over both T-1 and Frame Relay technologies. Developed and implemented a firm-wide IP addressing scheme.
- Implemented the firm's first Internet e-mail using GroupWise and MIMEsweeper.
- Declined to implement the first Internet web access solution until a firewall was part of the project. Once the expense of the firewall was allowed, Checkpoint 3 on a Sun SPARC 5 was implemented.
- Upgraded the Internet infrastructure to a load-balanced firewall complex using Sun E220s and Radware's FireProof load balancers.
- Implemented dialup access for remote attorney access.
- Designed and implemented high-speed WestLaw access for Firm-Wide use.
- Evaluated and tested ATM as a possible backbone technology for the firm.
- Designed and implemented entire networks for offices that had none, using 100 Mbit Ethernet. This included budgeting, cabling, testing and workstation implementation.
Systems Analyst
Provided comprehensive support for both legal and non-legal staff in desktop and network applications. Supported the Token Ring network infrastructure of the New York office. Provided technical consultation for law-firm-specific applications as well as on-site support for major litigation support projects.
Key Contributions:
- Expanded the Token Ring network to span multiple floors. Ultimately installed switched Token Ring.
- Moved the data center from a phone closet to a full-fledged data center. No productivity was lost during the process.
- Upgraded servers from Novell 3.12 to 4.11.
- Worked with users and networks in nearby offices as maintenance required.
