Principal Security Consultant Resume Profile
Windsor Mills, MD
Skills
Please use this table to list the skills noted in the Required/Desired section of the Peoplefluent requirement. In addition, please respond with the years of experience for each skill and the last time each skill was used. Add or delete rows as necessary.
| Skill experience Last Used | ||||||||||||||||||||||||||
|
Employment History
Confidential
Principal Security Consultant
Responsibilities:
- Established a process for assigning tasks to other working groups for the resolution of findings that are outside of my knowledge base
- Established a level of communication with DISA for the purpose of clarification and possible issues with current DISA STIGs for z/OS
- Facilitate issues with Vanguard from all three CMS clients on problem tickets and enhancements for the VCM product
- Identified several applications User Provisioning that were actually creating occurrences on a daily basis, and worked with support application group to modify the Provisioning application to eliminate the creation of Users with occurrences, identified by VCM.
- Reduced the number of occurrences by 67,000 in 8 months
Confidential
Chief Information Security Officer
Responsibilities:
- Currently in the process of evaluating Network vulnerability and monitoring solutions as well as a network scanning solution
- Implementing a User Provisioning process
- Beginning the Role Based Access reviews RBAC
- Physical access control
- Identifying compliance requirements
- Data Ownership
- Data Classification
Confidential
Data Security Senior Analyst
Responsibilities:
- Met with Human Resource personal to determine the start and end of the employee life cycle so that I could understand the implications to the User ID life cycle.
- Completely built from scratch the current User Provisioning application
- Identified and integrated 170 separate user registration applications into the User Provisioning Application that included verification, authorization and notification of all requested resources.
- Identified and Assigned data resource ownership of every type IMS Transaction, CICS Transaction, DB2 Tables, Datasets and Files.
- Documented trained and assigned administrators for every registration.
- Developed new Security Policies and Procedures specifically for our 4 major platforms ZOS, DB2, Windows and Notes .
- Established a Security Awareness program that included validation of the review of our Technology Security Handbook Security Manual for every employee and a process to include all new employees.
- Rewrote or created all Corporate Security Policies
- Established security roles for every position of the company, while working with each business group to help determine enterprise access based on position and common access requirements across the enterprise RACF, Windows and Notes .
- Established a schedule of quarterly reviews of RACF, Windows and Notes User Accounts to maintain integrity of the environment.
- Established a schedule of annual application reviews that included requirements for Sarbanes Oxley SOX .
- And numerous others, can discuss at interview
Confidential
Data Security Consultant, RACF SME
Responsibilities:
- Reviewed Setr Ops Security Parameters within RACF 1.7 in a sysplex environment with VRA 6.3.
- Identify and inventory all Critical SOX applications
- Identify and inventory all Critical SOX application resources Data Files, Transactions, and Reports .
- Created and scheduled numerous reports to support monitoring requirements by SOX on RACF Attributes, Critical Data and Notification of Security Parameter settings.
- Reviewed all Security Policies and Procedures to make sure they supported our SOX Key Controls.
- Implement LDAP to Windows Server 2000 to standardize authentication process as RACF was the key ID registration platform.
- The second phase of my contract was specifically supporting RACF as a Security Consultant to Bank business areas.
- This included security recommendations and consulting to the application and business areas.
- Day to Day administration IDs, Security Settings, and Security Business Solutions etc
- Running Adhoc reporting with VRA Advisor and QuickGen
- Developing and documenting administrative procedures
- Created RACF in DB2 to support administrative processes
- Mentored other administrators
- Creating white papers on CICS, IMS and DB2 to evaluate and identify any risk to these subsystems.
Confidential
Data/Security Analyst
- Served as an IT Technical Auditor attached to a Task Force to review a list of 312 items that were identified by an external audit during an application walk through. Our task was to review documents and mitigate the GAP in a number of ways.
- Procedurally or by creating new Corporate Policies to support and mitigate specific items
- Work with the IT Application Development Groups to mitigate the items by a automated process
- Developed test processes by either an automated or manual process to support each item through mitigation.
Confidential
Data Security/Compliance
- As the Subject Matter Expert for Data Security and Compliance, he was tasked to work with compliance business management in identifying and inventorying all SOX financial data and processes.
- Identified how each application controls the specific SOX data from both an online and batch process.
- Identified internal controls and measured against SOX 303/404 to insure compliance requirements.
- Built a list of 24 Key Controls that were built from COSO, COBIT and prior experience related to other compliance projects at other facilities.
- Worked with technical groups, applications development groups and business users to review environmental controls, applications controls, policy and processes to measure against our 24 Key Controls.
- Once opportunities were identified, he worked with all levels of clients from business users to senior management to mitigate and recommend changes to both technical and procedural changes to meet SOX 303/404 compliance requirements.
- Presented complete findings to Senior Management and the Internal and External Audit groups to receive support on risk mitigation and continued compliance.
- As a SME in Data Security, he also was asked to implement his recommendations.
- As a SME on RACF Security and in compliance matters, he was tasked with reviewing and working with System Architects in implementing a Provisioning Process that included all 29 RACF databases.
- Provided technical solutions for Role Engineering and evaluated current processes.
- Reviewed all Exits, Authorized Libraries, Started Tasks and Set Parameters as well as reviewing all policies to incorporate ongoing changes in RACF Administration.
- Modified RACF Panels to include the Clist and REXX processes where possible to support a proprietary administrative package.
Confidential
Level III Security Analyst
- As a third level Security Analyst, he was charged with reviewing all facets of previously identified applications for compliance to both HIPAA and SOX.
- There were two separate lists of applications to review, spread across 3 platforms Mainframe/Mid-Range and Client . In evaluating each of these applications, it was determined that we would break the applications down into two forms: 1 online and 2 data and batch processes.
- Developed a list of Key Controls to meet each compliance requirement and created online surveys that were sent out to both technical and business users to identify controls and processes.
- Performed initial Risk Assessment with information provided on surveys and completed assessment with interviews of both technical and business users
- Performed Gap Analysis and identified opportunities in Policy, Technical and Procedural controls that were presented to senior management.
- Oversaw review and provided policies and procedures in stabilizing an environment with 53 RACF databases in OS/390, RACF 2.4, and DB2, IDMS, CICS, and IMS environment.
- Served as the Subject Matter Expert SME in all facets of Mainframe security. Some of the tasks that he completed over the a six month period included:
- Worked with the Windows Project Team on implementing COM
- Worked with the Windows Service Team to mitigate MTS server opportunities
- Worked with the system architecture group to define future direction and integration of RACF and proprietary provisioning application
- Worked with the Windows Project Group to determine opportunities with Host Account Cache
- Defined numerous Security Policies and Published IMS RACF development guidelines in SFAA
- Establishing a baseline of consist SETR Parameters across all 53 RACF databases.
- Reviewed and cleaned up all RACF Catalog entries and Surrogate Profiles all 53 RACF database.
- Reviewed and cleaned up all FTP User Ids and developed a new procedure for requesting and auditing all of the above processes to maintain baselines established during review.
- Currently in the process of writing white papers on the current status of IDMS, DB2, CICS and IMS, that will include recommendations on raising the level of Security within these environments.
Confidential
Project Manager
- As the Project Leader of HIPAA Compliance and Security Privacy, he was required to manage a pool of System Programmers, Technical Engineers, Technical Writers and Business Analysts in growing a consulting and implementation group engaged with several states in evaluating and performing Risk Assessments, Gap Analysis and Integration of compliance into business and technology processes.
- Worked closely with Internal Auditors and State Agencies to implement changes in a professional and timely manner.
- Developed a program based on HIPAA compliance that provided for a smooth process for meeting all HIPAA compliance issues.
Confidential
Security Consultant
- As a Security Consultant, designed and developed a Security Policy Manual that was to be used as a template for customers. The manual included in depth policies and procedures Corporate Security Policy, Authentication Procedures Constraints, Intrusion Detection System IDS , Escalation Procedures, Acceptable Use Policy, Disaster Recovery Procedures, Monitoring Policy/Procedures, Audit log review procedures, Back-up Procedures, Infrastructure Configuration Guides, System Update Change Control, Personnel Security Physical Security Control .
- Developed a Risk Assessment Training program for staff engineers.
- Developed a presentation on a new line of business in supporting and performing Security Audits and Risk Assessments in regards to the new HIPAA Simplification Act.
Confidential
Senior Data Security Consultant
- Performed Risk Analysis and directed and trained internal security analyst on developed and selected Security Products, this included PKI, Remote Communication and Monitoring software in a Mainframe OS/390 environment with a Gateway to two versions of UNIX Client Servers, sitting on NT.
- Developed all security procedures and policies to support this environment and worked with internal and external auditors to meet required standards. This corporation was in the Medical field and required extensive understanding of Local and Federal security requirements that included HIPAA requirements Expert level experience .
- Continued to work with Senior Management to establish a Security Awareness Program and developed a comprehensive change management process.
- Trained a new Disaster Recovery Analyst to establish a program for off-site recovery.
Confidential
Vice President, Corporate Security
- Supervised a staff of nine, six administrators, one NT software specialist, one Firewall Communications administrator and one application development specialist for a user base of over 100,000 individual clients accessing the system via Internet applications and over 10,000 personnel accessing internal applications via Mainframe, Mid-Range, Client Server and Internet applications.
- Established one Corporate Security Internet Policy for the Corporation. Worked with individual Internet development groups, to establish a procedure that would include a standardized process of using established Internet Firewalls and Proxy servers into their applications.
- Established a Corporate Security Procedure manual and began to include all processes into this manual.
- Working with Communications Engineer and Technical Staff in strengthening Firewall and Internet structure.
- Reviewed all Corporate Security administrative procedures to identify areas were technology could be applied to improve efficiency and accuracy.
Confidential
Senior Manager, Data Security
- Project Manager of HIPAA compliance project team
- Implementation of all Data Security Standards and Policies
- Development of Audit Manual
- Established a Data Security Policy and documented all Data Security Procedures.
- Negotiated one worldwide account for Merck and its subsidiaries with Security
- Dynamics this included a reduction in price of 38 per item and 28 reduction in maintenance costs. Projected overall savings over four years was 1.8M.
- Negotiated the purchase of Administrative Tool called RACF/CICS Toolkit for the purpose of providing Security Coordinators with a tool to issue RACF commands via CICS transactions without any RACF attributes.
- Established communications with Human Resources to communicate priority information such as Transfers, Termination's and individuals on Leave of Absence through an automated process.
- Developed Daily Production Batch Jobs to report daily activity and developed a procedure to follow-up on violations and other abnormalities.
- During the last six months, Data Security was audited 8 times with one SAS70 Audit. Data Security went from a 65 to 94 audit pass rate.
Data Security Consultant
Confidential
Served as a consultant for two institutions. The first installation DFI Engineering, Canoga Park, CA, developed and implemented RACF 2.1 from an AS/400 environment to a 309X with approximately 5,000 user base. The second installation was for Swiss Bank, New York where he converted an ACF2 environment with 38,000 user base to RACF 2.2.
Confidential
System Specialist
- Responsible for supervising three analysts and developing an implementation plan for implementing RACF throughout the current system of a 3090 MVS/ESA, CICS 3.3 environment.
- Educated users as implementation proceeded throughout the system.
- Implemented RACF 1.9 throughout the MVS/ESA system as well as tape dataset protection.
- Completed total conversion of CICS to RACF and removed application security from all applications.
- In converting CICS to RACF all facets of this conversion were left to Data Security including all CICS changes to meet this conversion. Grouping of CICS transactions in RDO groups and changing of all transactions to call RACF with no interruptions to the online system was also part of his responsibilities.
- Maintained current RACF configuration and worked with internal audit to expedite the implementation of RACF throughout the entire organization.
- Developed and implemented the first Disaster Recovery Test in the company's history.
- Designed total data center move plan which was executed by a third party based on his business and hardware requirement specification. Later trained and passed this function on to a full time person.
