Security Analyst/Vulnerability Manager Resume Profile
NY
SUMMARY OF QUALIFICATIONS:
Experienced information security analyst and assurance professional with over 20 years of experience supporting Federal Government and commercial information technology. Over 13 years of experience in Information Security with extensive knowledge and experience in all aspects of the NIST Risk Management Framework and associated System Authorization processes and procedures. Technical experience spans software and system-level design, integration, testing, operations, and maintenance of distributed, internetworked, client-server based, and web-based computer systems. Strong verbal and written communication skills.
PROFESSIONAL EXPERIENCE:
Confidential
Security Analyst/Vulnerability Manager
- Designed, developed, and implemented Maxim's Vulnerability Management Program, which included the deployment and management of the Beyond Security Advanced Vulnerability Detection System (AVDS).
- Performed vulnerability assessments, penetration tests, and security audits, produced reports of findings, and worked cooperatively with engineers to implement remedial measures.
- Participated in the creation of IT security policies, procedures, guidelines, baselines, and standards.
- Recommended security solutions and processes to improve overall company security.
- Central Point of Contact for the configuration, integration, and deployment of all new or improved security solutions and processes in accordance with standard best practices and the company's security policies.
- Maxim contact for responding to customer and other third-party inquiries regarding the company's security posture.
- Responsible for maintaining up-to-date baselines for the secure configuration and operation of all existing devices, both under direct control (e.g., security tools) or under Operations control (e.g., workstations, servers, and network devices).
- Monitored all existing security solutions for efficient and appropriate operations.
- Reviewed logs and reports of all existing devices, whether under direct control (i.e., security tools) or not (i.e., workstations, servers, network devices, etc.). Interpreted the implications of that activity and devised plans for appropriate resolution.
- Member of Security Incident Management team tasked with the investigation into possible security issues.
- Provided on-call support for end users of security solutions.
- Participated in the planning and design of company security architecture.
- Participated in Business Continuity and Disaster Recovery planning and design.
Confidential
Senior Information Assurance Specialist/Application Security Engineer
- Senior member of Maricom's internal Corporate Risk, Information Security, and Privacy (CRISP) Department. Specifically, a Security Analyst III, which is a senior-level position responsible for monitoring, evaluating, and maintaining systems and procedures to protect networks, systems, and data from unauthorized use.
- Also responsible for identifying potential threats and responding to reported security violations, determining causes of security violations, and recommending corrective actions to ensure data security. Research, recommend, and implement changes to procedures and systems to enhance data systems security, and assist in communicating security procedures to users.
- In this senior-level position, reports directly to Maricom's Corporate Information Security and Privacy Officer, under whose aegis all CMS programs are conducted, but also spends a considerable amount of time embedded on customer-facing program teams with responsibility for ensuring that the applicable security requirements (e.g., ARS/CMRSs) are met and that the requisite security artifacts (SSP, RA, PIA, CP, SA&A, etc.) upon which a system's accreditation depends are properly developed and maintained.
- Responsible for the development and implementation of Application Security processes and procedures for application development projects in the Maricom portfolio.
- Responsible for the implementation and monitoring of the Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules as they pertain to information systems developed and maintained by Maricom.
- Responsible for providing expert knowledge of HIPAA with regard to Department of Health and Human Services (HHS) and Centers for Medicare & Medicaid Services (CMS) information system audits. This comprises not only advising development teams of the responsibilities for information systems as they pertain to HIPAA, but also advising CMS personnel on the impact of HIPAA regulations from a system and development perspective.
Confidential
Senior Information Assurance Specialist
- Subject Matter Expert for Excentium's FISMA practice, which entails creating and implementing all policies, procedures, and templates for all Excentium FISMA projects. As the Subject Matter Expert, provide oversight, mentoring, and training to all Excentium employees on FISMA and FISMA-related activities.
- As the lead analyst and quality assurance specialist for a U.S. Coast Guard FISMA project, responsible for the writing and reviewing of all system security documentation, which included FIPS 199 security categorization, Privacy Threshold Assessment (PTA), Privacy Impact Assessment (PIA), System Security Plan (SSP), Contingency Plan (CP), Security Assessment Report (SAR), and the system Risk Assessment (RA).
- Provide access/identity management and security support as part of the Centers for Medicare & Medicaid Services (CMS) Financial Management Systems Group (FMSG), in its Division of Technical Operations (DTO) organization, focused on Access Control for application technologies of the Healthcare Integrated General Ledger Accounting System (HIGLAS). In the role of HIGLAS Certified Access Administrator (CAA), provide oversight of the System Integrator access request process for both normal and emergency access to the system. In support of this process, perform troubleshooting of HIGLAS user access problems as reported to CMS, the System Integrator, as well as Medicare Contractors.
Confidential
Senior Information Assurance Specialist
- Performed information security consulting and risk services to support SecureIT federal government and commercial clients. Led engagements and performed all steps of Certification and Accreditation (C&A), including System Security Planning (SSP), control selection, risk assessment, security control and vulnerability analysis, development of plans of action and milestones (POA&M), and ongoing continuous monitoring assessment and ISSO support.
Confidential
Senior Information Assurance Analyst
- Chief Security Analyst for COACT's Office of the Comptroller of the Currency (OCC) contract, reporting directly to the COACT Director of Security Services. Provided day-to-day guidance to team members executing FISMA Certification and Accreditation duties and provided status of project progress, general health of the project, and ongoing staffing needs.
- Engaged agency business units, as well as other organizational elements, in order to facilitate task objectives, education, and consulting. Met with the Information Security Office Team lead weekly in order to provide project progress; participated in kick-off meetings for all new projects and out-briefings for concluded projects; met with the Chief Information Security Officer (CISO) at the conclusion of projects to identify and discuss lessons learned and implement strategies for the improvement of all projects.
- Developed system security documentation, to include data collection efforts, identifying required documentation per organizational policy, and producing System Security Plans (SSP), Privacy Threshold Analyses, Privacy Impact Assessments, Security Categorization Reports, Configuration Management Plans, Trusted Facility Manuals, Security Features Users Guides, Business Impact Analyses, Information Technology Contingency Plans, and Security Control Compliance Matrices.
- Planned and executed security control assessments and security test and evaluation (ST&E), producing Security Test and Evaluation Plans, Security Assessment Reports, and Risk Assessment Reports. Provided assistance and recommendations for mitigation of gaps and weaknesses.
- Developed continuous monitoring plans in accordance with NIST SP 800-37, performed assessments, and created organizational risk profiles.
- Provided leadership and performed security-related activities, which included producing suitable certification and accreditation documentation and annual assessment reports through the use of various NIST Special Publications such as SP 800-18, SP 800-30, SP 800-34, SP 800-37, SP 800-39, SP 800-42, SP 800-47, SP 800-60, SP 800-64, as well as others.
- Reviewed Plan of Action and Milestones (POA&M) changes through the organization's Request for Change database, reviewed system deficiencies through Trusted Agent FISMA, and conducted interviews as part of a continuous monitoring effort.
Confidential
Program Manager/Senior Information Assurance Analyst
- Security Testing and Evaluation (ST&E) of NIST 800-53 technical controls as part of the C&A process, and updated the appropriate C&A documentation accordingly.
- Program Manager for all Certification and Accreditation initiatives, which included spearheading the audit and evaluation processes, as well as management and mentoring of junior personnel.
- Security Testing and Evaluation (ST&E) of DIACAP controls for a Department of Defense Agency.
- Developed and implemented technical security plans, policies, and procedures that included, but were not limited to, System Security Plans, Risk Assessments, Configuration Management Plans, and Contingency Plans.
Confidential
Senior Certification and Accreditation Engineer
- Performed Security Test and Evaluation (ST&E) of NIST 800-53 technical controls as part of the C&A process, and updated the appropriate C&A documentation accordingly.
- Developed and reviewed technical security plans, policies and procedures, which included but were not limited to System Security Plans, Contingency Plans, Configuration Checklists, Risk Assessments, as well as local policies and procedures.
- Analyzed the results of the centralized and onsite risk analysis testing.
- Performed validation testing of mitigated weaknesses and ensured that C&A documentation was updated accordingly.
- Performed security assessment testing and analyzed the results of the testing.
- Developed security assessment tests that were used throughout the project lifecycle.
- Participated in C&A Annual Testing and performed Contingency Plan Testing with the VA information systems.
Confidential
Senior Certification and Accreditation Engineer/Application Security Manager
- Application Security Manager for the U.S. House of Representatives, Office of Information Security. This initiative required the testing and completion of a Certification and Accreditation (C&A) package for three high-visibility Major Applications within the U.S. House of Representatives. Responsible for conducting Risk Assessments (RAs) and Security Test and Evaluations (ST&Es). Responsible for evaluating the System Security Plan, Plan of Action and Milestones (POA&M), Incident Response (IR) plan, Contingency Plan (CP), as well as other documents which comprise the Certification and Accreditation package, using the NIST methodology.
- Based on the results of system evaluations, made accreditation recommendations to the Director of Information Security.
- Information Systems Security Officer for a U.S. House of Representatives financial and benefits system. Responsible for the creation and implementation of the Certification Work Plan, System Security Plan (SSP), Risk Assessment (RA), Security Test and Evaluation (ST&E) plan, Security Awareness and Training, Plan of Action and Milestones (POA&M), Incident Response (IR) plan, and Contingency Plan (CP), based on the NIST methodology.
- Tasked with the creation and implementation of an organizational Information Security Handbook.
- Created and implemented an Application Security Program.
Confidential
Senior Information Assurance Engineer
- Senior Engineer for a Certification and Accreditation initiative for the Department of Commerce. This initiative required the testing and completion of a Certification and Accreditation (C&A) package for nine General Support Systems (GSSs). Responsible for the writing and implementation of the Certification Work Plan, System Security Plan (SSP), Risk Assessment (RA), Security Test and Evaluation (ST&E) plan, Plan of Action and Milestones (POA&M), Incident Response (IR) plan, and Contingency Plan (CP) for each of the General Support Systems, based on the NIST methodology.
- Recommended configuration settings for the Cisco PIX Firewall in order to regulate inbound/outbound traffic in accordance with agency information security policy and directives.
- NIST 800 Series Subject Matter Expert (SME) for the Certification and Accreditation Team.
- Tasked with training department personnel in Information Assurance best practices and procedures.
Confidential
Information Security Policy Practice Manager/Senior C&A Consultant
- Developed and managed information security policy methodologies and materials for Prometheus Group's policy and analysis practice.
- Designed and implemented several methodologies for use in Prometheus Group's auditing/C&A lines of business, covering the following regulations: HIPAA, NIST 800 Series, ISO 17799/BS 7799, Sarbanes-Oxley Section 404, and others.
- Principal Manager/Engineer on a Department of Labor Certification and Accreditation project with responsibilities that included conducting and implementing Risk Assessments (RAs), System Security Plans (SSPs), Contingency Plans (CPs), Plan of Action and Milestones (POA&M) reports, and Security Test and Evaluations (ST&Es).
Confidential
Senior Information Security Analyst/Team Lead
- Provided support to the Veterans Health Administration C&A initiative utilizing the practices documented within the National Institute of Standards and Technology (NIST) Computer Security Special Publication 800 series.
- Site Point of Contact and Team Lead, responsible for the successful outcome of all C&A testing done at the designated site. Responsibilities included proper assessment and reporting of Windows server and workstation executions, Kernel/Cache/Application testing, LAN testing, physical assessments of wiring closets, and collection of evidence to assure that best-practice network and application policies are in practice.
- Set long- and short-term goals for the C&A team to follow. Created and maintained daily status reports tracking the team's progress. Coordinated meetings with the VHA IT staff and the leadership to ensure a smooth and easy transition through the SCA process. Facilitated a kick-off meeting and exit briefs to ensure that senior management knew of our goals and the expected outcomes of the visit.
- Collaborated with the site Ex-Officio and the customer to ensure that testing was accomplished in a timely manner, with minimal interruption of services, as well as providing an immediate and appropriate response to any complications that may have arisen.
- Performed execution of detailed C&A policy testing, Kernel/Cache/Application technical testing, LAN technical testing, and Windows technical testing while on-site at VA hospitals throughout the United States to ensure both the security of the system and the protection of patient data.
Confidential
Senior Security Architect/Engineer
- Team Leader and architect of the next generation of the Learning Management System.
- Developed and implemented web-based enterprise applications, using J2EE in a multi-tier environment.
- Redesigned existing applications from the Lotus Domino environment to the University's new WebSphere environment. This included implementing Java, WebSphere, and Oracle on both Windows and Solaris platforms.
- Responsible for the security analysis of the Lotus environment to identify flaws and vulnerabilities in order to modify information security protocols to ensure that the new system conformed to state and federal regulations with regard to personal information.
- Designed and implemented the security architecture for the next generation Learning Management System, based on government regulations and methodologies such as NIST and HIPAA. This ensured that student and instructor personal information was protected.
Confidential
Senior Technical Trainer
- Responsible for instructing InstallShield customers in the latest Windows software distribution solutions. Training included how to build custom installations for commercial software products, and the uses of the InstallScript language, which is a derivative of the C, Visual Basic, and Pascal languages.
System Support Engineer/Technical Liaison
- Co-developer for InstallShield's new training course for the InstallShield Java edition. Development responsibilities included point of contact for Java-related issues, as well as course development procedures.
Cambridge Research Associates 1999 - 2000
- Responsible for providing technical support on a state-of-the-art 3D visualization software product for displaying camera data from ISR platforms.
- Identified new business development opportunities, and assisted in the overall growth and expansion of the 3D-visualization software product.
Confidential
Network Engineer
- Designed, installed, and established an integration test lab for configuring and testing three separate software systems, which included the configuration of the TCP/IP structure to ensure that all platforms were able to exchange data.
- Designed the security architecture for all testing environments to ensure the security of the system as well as system data.
- Authored the standard operating procedure documentation to ensure continued interoperability throughout all project phases.
Confidential
Software System Engineer
- Software Engineer on a development team for a Department of Defense internet pilot project. Lead for all Java implementation issues on the pilot system.
- Designed the internet application security architecture using Java's information security framework to ensure that all data within the application was secure.
- Gathered application requirements and specifications, and performed requirements analysis and security analysis of the application.