Technical Manager Resume Profile
Summary
- Vice President and Chief Information Security Officer with over 22 years of experience in information assurance development, security architecture, and mitigation management for Health Industries, Civilian, Federal, and Department of Defense Agencies. Highly focused and motivated, able to work both independently and collaboratively in a variety of corporate settings, changing conditions and dynamic environments. A dynamic leader who consistently earns the confidence of a variety of professionals, staff and colleagues through the delivery of superior professional support, leadership and personal performance.
- A keen insight into the current security posture reflective of today's business environment for multiple commercial as well as federal agencies. Provides the ability to effectively manage a variety of security functions that deliver exceptional value without degrading operations. Consistently on schedule, under budget, able to prioritize and complete multiple tasks, effectively achieving and exceeding organizational goals.
- Confident, highly energized, effective and persuasive Information Security Professional with strong interpersonal and communication skills and able to translate the security requirements to executive staff as well as users. Able to remain calm and work well in high-pressure situations, possessing skills that achieve maximum productivity from every situation and responsibility.
Winner of the Mid-Atlantic CISO/CTO of the Year Award for 2010
CORE COMPETENCIES
SECURITY CLEARANCE:
PROFESSIONAL EXPERIENCE
Confidential
Chief Information Security Officer
- Contract with Verizon for security services for GSA to provide consulting and IT architecture and engineering security services to commercial, state and federal cyber security customers.
- Performing PCI audits against agency firewalls
- Conducting firewall reviews for unused objects and ACL changes required to maintain secure information systems.
- Performing security architecture services for the General Services Administration FAS program.
- Developing a blacklist of potential threats and advancing research into APT.
- Developing an Incident Response Plan and architectural designs for implementation of Data Loss Prevention.
- Providing daily incident response to DLP and security incidents.
- Reviewing and performing security analysis on security incidents.
- Performing IT security architecture using OWASP ESAPI security standards in implementing secure web applications for the General Services Administration GSA Federal Acquisition Service FAS.
- Addressing OWASP Top Ten security vulnerabilities within the GSA enterprise, lowering security risk by assessing injection flaws in SQL and LDAP unstructured data sets.
- Reviewing broken authentication and session attempts against GSA web application sites.
- Developed procedures to prevent unvalidated redirects and forwards by identifying whether any URL is included in parameter values. Verified that no forwards or redirects are used for GSA and, when needed, that they do not involve user parameters in calculating the destination.
Confidential
Director of IT Security
Duties include overall development of all IT security initiatives and program management with federal as well as commercial customers and emphasis on client relationship management. Providing Information Assurance Leadership and technical support in the development of the Federal Risk Management Program FedRAMP for GSA technical cloud computing strategy and roadmap documenting the high-level technical architecture and implementation activities to support the strategy.
- Reviewing Security Authorization documentation such as the System Security Plan, Continuity of Operations, Privacy Impact Assessment, and Requirements Traceability Matrix RTM of IaaS, PaaS and SaaS vendors such as Microsoft, Amazon, GD-IT and Carpathia for compliance with Federal information security standards NIST SP 800-53r3.
- Interfacing with Joint Authorization Board members and other key stakeholders, including the ISIMC and FCCI Executive Steering Committee, in defining the Continuous Monitoring processes and procedures based on NIST 800-53 guidelines.
- Established Continuous Monitoring roles and responsibilities and the overall governance model.
- Defined the conformity assessment board operational model and processes.
- Gap analysis of cloud offerings against federal requirements.
- Developed an Information System Security Officer ISSO training course on the Security Authorization SA process to reduce the amount of time needed to perform SA and increase quality.
- Leading a team of over 24 ISSOs in the security program development of the Federal Emergency Management Agency FEMA.
- Led all IT security-related proposal development efforts and expanded new business initiatives.
- Developed documentation and processes and achieved CMMI Level II for the Information Assurance program.
Confidential
Vice President Chief Information Security Officer
- Managed and directed overall security policies, procedures, standards, architecture, and engineering, and managed corporate audit records. Additionally, responsible for all security-related tasks on Federal Programs and assisted in contract proposals concerning IA Level of Effort. Developed Security Awareness Training, reviewed documentation for Authority to Operate, and performed firewall reviews and penetration tests to ensure compliance with Federal regulations. Developed an IA team for specialized security skills such as Network Forensics, Incident Response, Data Loss Prevention DLP, and Security audits. Additionally, developed and maintained the Disaster Recovery Plan, managed the Self-Assessment Security Review, and ensured System/Network/Database/Web Administrators had necessary and current security review tools.
- Managed security budget of 10.9 million for security services and architecture that supported corporate as well as federal customers
- Deployed and defined security policies for Data Loss Prevention DLP to alert business units of PHI/PII compliance violations for 10,000 users. Investigated violations and performed mitigations on findings.
- Authored and executed the Security Architecture and Plan in compliance with NIST and DoD IT Security Policies.
- Member of the Change Review Board CRB for all network changes.
- Managed corporate audit records, ensuring audit files were retained in compliance with federal regulations, assisting System Administrators with review of audit records for anomalies, ensuring auditing software conformed to specified guidelines, and ensuring non-auditable actions were documented.
- Received independent audits from third-party vendors such as MITRE, Deloitte and PWC to verify compliance with government regulations, and passed each audit.
- Oversaw the Self-Assessment Security Review of technology checklists, ensured System/Network/Database/Web Administrators had current security review tools, reviewed results to ensure IA compliance, ensured all discrepancies were brought to closure or other acceptable resolution, assisted the CIO with the extension process, and assisted Project Managers with the POA&M process.
- Developed/maintained Business Continuity Plans that provided for the resumption of mission- or business-essential functions within 24 hours of activation.
- Responsible for all security-related tasks on Vangent's Federal programs such as the Center for Medicaid Services CMS, Centers for Disease Control CDC, Department of Education FAFSA program (student loans), Department of Labor, and Department of Defense Military Health Systems MHS.
- Developed security awareness training for system administrators and privileged users
- Performed quarterly firewall reviews and penetration tests to ensure compliance with Federal regulations.
- Developed Cloud Computing security standards for government contracts and published a Cloud Computing security white paper.
- Reviewed individual and team performance and adjusted team and/or individual assignments based on business needs.
- Developed security standards for Military Health Systems MHS portal that supported Traumatic Brain Injury for Soldiers returning from combat
- Conducted Physical Security Audits PSA of all Vangent facilities
- Developed application-layer security controls for MHS/TMA web sites to prevent cross-site scripting and other web vulnerabilities in accordance with the OWASP Top Ten, for example Missing Function Level Access Control.
- Verified that the links did not contain an unpredictable token. These tokens are used by hackers to forge malicious requests.
Confidential
Information Assurance Officer
- Developed and maintained a new Security Operations Center for real-time security analysis of network vulnerabilities, managed overall responsibility for Information Assurance of the Health Affairs/TMA Network. Worked directly with IAM to resolve network issues, managed audit records and ensured audit software conforms to specified guidelines. Actively participated with 3rd party vendors to review and assess recommended solutions, identified incompatibilities or issues with proposed solutions, resolved issue within time, cost, and quality constraints.
- Maintained HIPAA Security Compliance of Military health records with a 5.4 million security budget.
- Overall responsibility for Information Assurance of the HA/TMA network.
- Assisted System Administrators with review of audit records for anomalies.
- Ensured audit software conforms to specified guidelines and compliance with Department of Defense classified security controls.
- Provided security architect solutions for enterprise to meet customer needs.
- Verified system configuration baseline.
- Created and maintained Security SOPs.
- Reviewed system and security awareness training requirements.
- Actively participated with 3rd-party vendors to review/assess recommended solutions, identifying any incompatibilities, challenges, or issues with proposed solutions, and worked with the appropriate individuals and teams to resolve issues within time, cost, and quality constraints.
Confidential
Chief Security Architect /Technical Manager
- Established and managed enterprise-wide information-security program, supervised daily activities of Security Architecture team, and facilitated agency efforts to identify and evaluate all systems on GeoScout. Collaborated with all product developers and government to conduct in-depth security analysis, compliance audits, and security testing, presenting all results to senior management. Additionally, developed Security Requirements Traceability Matrix SRTM for certification and accreditation with proposed safeguards from Protection Levels 2-5 that were specific to product under accreditation.
- Created agency policies and procedures governing agency security, access control, and incident response
- Member of the engineering review board, reviewed all submitted artifacts for security relevance
- Provided security architecture briefings for senior government and program management
- Developed the program's Security Composite View, which detailed the direction in which the new security architecture program would meet the present and future security requirements for the agency.
- Instrumental in developing and implementing enterprise security architecture with emphasis on a defense-in-depth posture for three autonomous networks.
- Created a new Router Security Policy and test procedures for the agency.
- Provided web application security based on the OWASP Top Ten security vulnerabilities and addressed ESAPI secure coding for an Intelligence agency application using secure coding controls.
- Addressed cross-site scripting issues in web applications that use AJAX to dynamically update the page, ensuring the use of safe JavaScript APIs.
- Reviewed whitelist input validation to protect against XSS.
- Used auto-sanitization libraries such as OWASP AntiSamy to ensure user-supplied HTML/CSS complied with DCID 6/3 security controls for Intelligence agencies.
Confidential
Senior Information Assurance Analyst
- Managed creation of high-profile High Availability Transaction Processing HATP solution, supervising development teams working in multiple locations, as well as Firewall standards for Treasury
- Developed Project Plan for IDS and Enterprise Security Manager deployment
- Coordinated and developed a Honeypot project for the United States Secret Service.
- Developed project plan for IDS and enterprise security manager deployment with the use of 3D technology to assist IDS analysts
- Reviewed National Institute of Standards and Technology NIST guidance for Treasury, providing feedback to NIST.
- Developed wireless security policy using WEP encryption with VPN access to Treasury Communications System
- Member of the US Treasury Security Council concerning enterprise security
- Updated firewall standards from proxy-based to stateful and intrusion detection platforms; Network C&A supervisor for the Treasury Communications System.
- Developed Firewall standards for Treasury
Confidential
Program Manager, Network Security
- Managed information technology projects to ensure continual successful system operation, expedited time sensitive issues to resolution and completion. Performed risk management, systems design, development and documentation, and software testing for security plan.
- Performed certification and accreditation, security testing, and writing for the Air Force Legacy project.
- Presented security plans to the DoD Defense Advisory Board
- Developed Security System life cycle procedures
- Negotiated contracts with vendors for training, service, and all warranties
- Performed risk management, systems design, system development, software testing and systems documentation for the security plan.
- Managed large-scale information technology projects to ensure continual successful system operation and moved time-sensitive issues to resolution and completion.
- Designed and configured ACL rulesets for new PIX firewalls
- Developed disaster recovery plan for all syslog security devices
- Revised security plan with new technology baseline
Confidential
Chief Information Security Officer
- Validated network security requirements, local area network administrator.
- Company Security Officer for network.
- Intrusion with the emphasis in risk analysis and countermeasures.
- Managed Windows NT environment serving over 200 clients.
- Performed performance evaluations on 150 personnel
