Security Management Experience Summary

• As a Security Risk Management Executive I have over 20 years of a security experience in Managing complex Security Projects and managing large teams of security professionals, Project managers and technology teams from start to finish. Managing and devising overall strategies for all aspects of system security in house as well as vendor purchased Software Applications, Network Architecture solutions and Government Security Audit regulations. I have 20 years of experience performing hands on Risk Assessments, forecasting and financial analysis managing of resources and budgets for complex security initiatives and projects.
• I have extensive experience dealing with Applications/Software/Architecture for SOX Compliance/PCI Data Security Standard Compliance. Following best practices as outlined in the ISO 27001 - 2 I have extensive experience working with the individual Business units as an ISO Information Security Officer Risk Compliance for the individuals to handle all aspects of Security to meet the Governments regulations in accordance with GLBA, California SB 1386, HIPAA and the Patriot Act for Internal clients and external facing clients at IBM, Merrill Lynch, TD Waterhouse, Bristol Myers, Everest Reinsurance, Becton Dickinson.
• 20 plus years of Management expertise includes strategic business planning, profit and loss management, human resources, operations management, procurement, quality assurance and logistics in high technology, international corporations. Skilled in developing, motivating and supervising large high-performance staffs of Project managers and Security professionals meet security and business objectives. I have Demonstrate excellent leadership, communication and negotiation skills over the years with the ability to get the most out of my staffs while remaining fiscally prudent and with in my forecasted budget.
• IBM, Merrill Lynch, TD Waterhouse, Bristol Myers, Everest Reinsurance High Energy Motivational Manager
• Technical expertise includes Designs, implements and maintains security management principals, objectives and policies consistent with the security management control framework. Designs, implements and maintains enterprise security architecture. Designs, implements and maintains a security/product certification and accreditation program and processes.

Experience:

Confidential

• Hardware: IBM ISERIES AS400, SSICS, PC's and Compatibles, IBM Mainframe, HP-UNIX, Cisco Routers, Switches, Altiga, Lucent Brick, Checkpoint VPN, Intrusion Detection Probes Net Ranger, Dragon. IDS/ISS NT/Servers, Cache Engines, Sybex Switches, Nokia Firewall Appliance
• Software: SAP Basic, IBM Rational AppScan Build Edition, SAP, Microsoft Active Directory, Tivoli, LDAP, Remedy, Enterprise Security Reporter, RSA ClearTrust, Checkpoint/PIX/Raptor Firewalls, CSPM, McAfee Documentum, Desktop Firewall, Powerlock, I series Email Encryption Technologies, Digital Certificates, PKI, PGP, SecurID, ISS, NFR Intrusion Detection, RealSecure, UNIX, WINDOWS NT, MVS, JCL, TSO, SPF, RACF, VTAM, BTAM, AFT/NDM, Disaster Recovery, RJE, IMF, SNA UNISON, Network Protocol, Netegrity Siteminder websense,

IBM Work Experience:

Confidential

• Business Controls - Drive/manage/Develop Risk Program Initiatives and create security budget with the customer to continue to maintain and enhance new Security technologies and software to maintain audit readiness and ISeC/GSD331 compliance within your area of responsibility. Active and timely support of all account, sector or customer driven audits. Commit my staff of Project managers and Security Advisors to execute all tasks assigned to the team with focus on compliance and controls. This includes: adhere to and execute operational procedures and work instructions for our role, take appropriate education, alert my management of risks, threats, etc. which could jeopardize the compliance posture of my direct activities. My team maintains audit-ready at all times for my areas of responsibility, including:
• Technical leadership - Provide overall technical direction for the environments being managed. Develop an understanding of the customer's business requirements and opportunities within your area of responsibility. Apply logical methods to solve problems and identify the most appropriate solution. Give back to the organization in activities outside of your account responsibilities as well as through mentoring or coaching less experienced members of the team. ISA/GSPM Input: Include automation, efficiencies, upgrades, give back, etc.
• Provide oversight and a Risk Strategy now and as future enhancements with changing security landscape to the Transition Project Managers TPM for all of the ongoing security projects.
• Analyze security projects and provide operation as well as acquisition costs and budgeting from start to finish.
• Cost Management - Continually identify ways to reduce cost of delivering the services and actively assist with any account specific cost challenges, or global resource initiatives
• Continually manage my current Project Managers for all Security initiatives we currently have.
• Provide as focal for services by Global Delivery Teams AV, HIDS, NIDS, VScan, Incident Management, URL Filtering, Security Log Reviews
• Serve as a dedicated focal for managing I/T security and virus incidents e.g. IDS alerts, virus alerts, server attacks that occur in the customers environment
• Manage the various projects for NiSource
• DLP and WCCP Functionality for WEBSENSE
• HIDS / NIDS refresh project
• Up sell deployment of 30 HIDS
• IDS Tuning
• Monthly VSCAN Management
• SOX Project and remediation
• Gatekeeper report
• Quarterly review of SOX testing scripts
• Security reviews with clients 3rd party vendors
• Security reviews with client
• Ensure ISA Account Team Room is audit ready. Including the following sections:

1. Scope and responsibilities documents

2. Supporting processes are complete and present in the database

3. Reporting section is present with supporting reports.

4. Continuous improvement section is present with supporting documented actions.

• Ensure I understand and adhere to the Business Controls identified via the Individual Accountability initiative for 2013 comply with controls for passwords and IDs
• ISA/GSPM Input: Include any known or planned KCO testing, corporate audits or customer driven audits.

Confidential

• Business Controls - Drive/manage/Develop Risk Program Initiatives and create security budget with the customer to continue to maintain and enhance new Security technologies and software to maintain audit readiness and ISeC/GSD331 compliance within your area of responsibility. Active and timely support of all account, sector or customer driven audits. Commit my staff of Project managers and Security Advisors to execute all tasks assigned to the team with focus on compliance and controls. This includes: adhere to and execute operational procedures and work instructions for our role, take appropriate education, alert my management of risks, threats, etc. which could jeopardize the compliance posture of my direct activities. My team maintains audit-ready at all times for my areas of responsibility, including:
• Technical leadership - Provide overall technical direction for the environments being managed. Develop an understanding of the customer's business requirements and opportunities within your area of responsibility. Apply logical methods to solve problems and identify the most appropriate solution. Give back to the organization in activities outside of your account responsibilities as well as through mentoring or coaching less experienced members of the team. ISA/GSPM Input: Include automation, efficiencies, upgrades, give back, etc.
• Kaiser is a large account for IBM utilizing many organizations across IBM in the USA and in India and AT T. Kaiser is a strategic outsourcing customer for IBM, IBM delivery services provides IT outsourcing to include server management, etc. as part of this service IBM provides security services, which include policy, Malware, health checking, incident and configuration management, as well and regulatory needs such as SOX, PCI and HIPAA
• My team's role on the project
• Provide a focal for all services delivered by Managed Security Services Network IDS/IPS, VMS, Incident Management, Anti-Virus, IAM
• Provide a focal for all operational security related issues as pertaining to IBM delivery non-ISS/MSS
• Provide technical oversight for initial implementation of ISeC security controls and perform spot checks
• Manage the education of IGS delivery employees on customer applicable security policies and processes
• Answer questions or concerns regarding customer applicable security policies and processes
• Answer questions or concerns regarding applicable security policies and processes submitted by designated POCs
• Provide a standard monthly security operations report to display the health of the customer environment
• Research new security technologies and practices
• Participate in change control review and/or approval activities for changes that may impact the customers security posture Assumes access and availability of appropriate tools and processes
• Serve as a dedicated focal for managing security or anti-virus incidents that occur in the customer's environment
• Provide informal security reviews for IBM delivered processes or architectures
• Manage the completion of the ISEC document where Business Controls does not maintain ownership
• Security oversight of ISEC completion where Business Controls maintains ownership
• Implement and manage operational security processes and policies as required e.g. Security Incident Management Process
• Offer executive-level presentations on operational security posture and/or current activities
• Track and assist in the management of the resolution of reported operational
• security issues
• Enhanced IDS Analysis for Daily Reports includes internal addresses review, customer specific requests outside of SOC analyst scope, custom DB queries
• Specifically define and document the in scope Steady-State ISA responsibilities and deliverables using the SS SDD task descriptions. Define and document any custom requests for SS ISA responsibilities and deliverables.
• Provide oversight and a Risk Strategy now and as future enhancements with changing security landscape to the Transition Project Managers TPM for all of the ongoing security projects.
• Analyze security projects and provide operation as well as acquisition costs and budgeting from start to finish.

Confidential

• Business Controls - Drive/manage/Develop Risk Program Initiatives and create security budget with the customer to continue to maintain and enhance new Security technologies and software to maintain audit readiness and ISeC/GSD331 compliance within your area of responsibility. Active and timely support of all account, sector or customer driven audits. Commit my staff of Project managers and Security Advisors to execute all tasks assigned to the team with focus on compliance and controls. This includes: adhere to and execute operational procedures and work instructions for our role, take appropriate education, alert my management of risks, threats, etc. which could jeopardize the compliance posture of my direct activities. My team maintains audit-ready at all times for my areas of responsibility, including:
• Technical leadership - Provide overall technical direction for the environments being managed. Develop an understanding of the customer's business requirements and opportunities within your area of responsibility. Apply logical methods to solve problems and identify the most appropriate solution. Give back to the organization in activities outside of your account responsibilities as well as through mentoring or coaching less experienced members of the team. ISA/GSPM Input: Include automation, efficiencies, upgrades, give back, etc.
• Manpower is a large account for IBM utilizing many organizations across IBM in the USA and Argentina and Singapore and AT T. Manpower is a strategic outsourcing customer for IBM, IBM delivery services provides IT outsourcing to include server management, etc. as part of this service IBM provides security services, which include policy, ID, health checking, incident and configuration management
• My team's role on Manpower is to be the security focals for all services delivered by Managed Security Services Delivery.
• Provide a focal for all operational security related issues as pertaining to IBM delivery non-MSSD
• Act as a technical focal for all security related questions or concerns submitted by designated POCs
• Manage implementation of GSD331 security controls when GSD331 is formalized and approved in transition time frame for the time period not to exceed the agreed to TISA engagement
• Supplement education to transition and delivery teams on obligations to adhere to security standards upon request i.e. ITCS300, ITCS302, GSD331, etc.
• Answer questions or concerns regarding applicable security policies and processes submitted by designated POCs
• Provide a standard monthly security operations report to display the health of the customer environment
• Research new security technologies and practices
• Participate in change control review and/or approval activities for changes that may impact the customer s security posture Assumes access and availability of appropriate tools and processes
• Serve as a dedicated focal for managing security or anti-virus incidents that occur in the customer's environment
• Provide informal security reviews for IBM delivered processes or architectures
• Manage the completion of the GSD331 document where Business Controls does not maintain ownership
• Security oversight of GSD331 completion where Business Controls maintains ownership
• Implement and manage operational security processes and policies as required e.g. Security Incident Management Process
• Offer executive-level presentations on operational security posture and/or current activities
• Track and assist in the management of the resolution of reported operational security issues
• Enhanced IDS Analysis for Daily Reports includes internal addresses review, customer specific requests outside of SOC analyst scope, custom DB queries
• Specifically define and document the in scope Steady-State ISA responsibilities and deliverables using the SS SDD task descriptions
• Define and document any custom requests for SS ISA responsibilities and deliverables
• Provide technical solution support to the Transition Project Manager TPM

Confidential

• Hipaa Hitech was a very large project responsible for reviewing the company's compliance to Hipaa Hitech which IBM is responsible for managing. The teams where responsible for Performing assessments of HIPAA HITECH compliance for assigned accounts. Understanding and interpret the provisions of HIPAA Hitech, and apply them to existing security controls and identify gaps.
• Produce an assessment report using Modulo for each account reviewed
• Present the report to IBM and senior account team management and explain findings
• Participate in peer reviews

Confidential

• Work with the ISS MSS team to provide Security Privacy Consulting in support of system administration and Compliance objectives. Sys admin for the ISS MSS administration team and Security consulting Policy's/Procedures Compliance.
• High level tasks involved for Sys Admin in Support of ITSAS Compliance Controls project include: 1. Review Policy to ensure understand what we MSS are a required to do and/or b committed to do to meet Account Management requirements 2. Update policy where appropriate 3. Create Work Instructions where appropriate that clearly tell how we implement Account Management requirements in MSS 4. Create Remedy work flow where appropriate to ensure we complete required actions when requires and record results in a manner that can be demonstrated during audits and compliance checks. Review the MSS Account Management Procedure available at Instruction
• SME in Remedy and ITSAS ITCS 104 management and specifically:
• Vulnerability Scanning
• Health Checking
• Patch Management
• M.A.D registration
• Device Categorization
• Reviewing Daily queue in Remedy for Tics assigned to me.
• Completing all tasks and updating Remedy.
• Verifying that listed assets are in ITSAS if not adding, classifying and running vulnerability scans to make assets compliant.

Confidential

• Managed the security pieces for vendor connectivity, including working with the vendors, the business owners, and defining the process. Regularly performed Risk Management functions such as assessing remote access and system access risks for contractors, identify potential security threats and negotiated alternatives with business executives to reduce the risks in the most cost effective and standardized methodologies. Created tracking mechanisms for auditing contractors to comply with Sarbanes, HIPAA, Gramm-Leach-Bliley and Federal Services DIACAP. Developed corporate wide policies/processes for remote contractor access, LDAP, tracking inbound / outbound electronic transfers, firewall audits, portable devices, etc. Vet Remote Access firewall changes for risk, compliance and valid business reasons before forwarding requests to firewall administrators. I performed business systems analysis and work with business sponsors to understand the systems and applications required by contractors and translate that understanding into technical requirements. Worked with ITG to ensure the access requested is available, or understand the infrastructure that needs to be implemented to support the request. Worked with the business sponsor and ITG to ensure the access requirements meet Client security policies. Performed systems network administrator work for LDAP with knowledge of IP addressing, IP ports and protocols, access control lists, and remote access methodologies such as Citrix and VPN, VDI, VMWARE.
• Audit, system role-based groups and contractor network access. Analyze / triage inbound security events produced from IDS devices. I have reviewed and vetted over 500 Remote access requests for Contractors doing work for Health net. I wrote and had implemented a new formal set of Remote access and guidelines document which is used today at Health net for all business partners and contractors.
• As the IT Audit Compliance Manager starting I continued in my current role and took on the lead for all audits for IBM as they pertained to Health net.
• I was added to the team in mid-April as the Audit Focal point for IBM on the Health net Project. Below are results of current activities as well as future Audits. In addition to all the Audit work I have continued to be the focal point for all Health net Remote Access requests is requests . This is the function I was doing from Sept-April performing reviews, approvals and or denials of remote access request for all external vendors requesting access to Health net. I have been the person doing the Vetting process for new requests for VPN Connectivity with AT T, IBM, HEALTHNET and Contractors requesting access.
• Review and perform systems analysis working with business sponsors to understand the systems and applications required by contractors and translate that understanding into technical requirements. Work with ITG to ensure the access requested is available, or understand the infrastructure that needs to be implemented to support the request. Work with the business sponsor and ITG to ensure the access requirements meet Client security policies. A systems or network administrator-level knowledge of IP addressing, IP ports and protocols, access control lists, and remote access methodologies such as Citrix and VPN to determine appropriate levels of Remote Access to be granted.

Confidential

• Project Description: Project Manager and Technical lead for IBM GBS Security Privacy S P Practice team. We were asked to perform an evaluation of the data security and privacy issues with the New York City Department of Education Achievement Reporting and Innovation System or ARIS project DoE . Our approach was to identify key individuals from the IBM core project team and conduct interviews in order to determine the type of data being stored and how it was being handled. The team also reviewed project documentation and was granted project team room access.
• During the course of the evaluation, the S P team examined the provisions of several key federal privacy regulations for applicability to the ARIS Project. The statutes were reviewed at a high level and no legal recommendations were made regarding full compliance with their requirements. The statutes reviewed were the Family Educational Rights and Privacy Act FERPA 1 and the Health Information Portability and Accountability Act HIPAA 2 standards.
• The Security and Privacy team completed a detailed audit of the practices on the ARIS Project around the requirements of the IBM PII Control Document. This audit addressed any concerns found as well and we completed the development of:
• Separation of Duties Document
• Formalized and documented Access Controls Schema
• Completed Data Handling Practices Evaluation which involved an evaluation of how protected PII data is being used by the IBM Team. This necessarily would include data use/security practices on team laptops, and use of protected data in the development, test and production environments.
• Established an Audit Framework consistent auditing procedures and controls as well as an auditing timeframe.
• Performed a comprehensive security solution review of the Family Portal. Included a security assessment of the current state of the Portal as well as a process and procedure examination of the proposed solution.
• Conduct a review of the Portal's architecture and design from a security and privacy perspective. This included a review of the solution development and maintenance processes, its operational processes, and technology components, including the networking services used, and any database or operating platform services used.
• Conducted up to 12 interviews with key staff members responsible for the development, maintenance, deployment and operations related to the Portal.
• Processes and procedures also were reviewed in order to determine if key application security and privacy requirements are met.
• Application design and supporting infrastructure services were reviewed for common errors that can compromise the integrity of the production environment when the application is deployed.

Confidential

Perform information security and privacy risk assessments for SOX Compliance. Provide project support, as needed, to the Global Information Security Officer to ensure that the information security needs of the businesses/regions are identified and addressed. Perform an evaluation and analysis of existing Security Policy, with specific reference to the ISO 27001-2 Standard. Oversee the periodic review and modification of the Security Policy and related procedures. Evaluate the technical security controls, including system builds, system-level security software and its configuration, and network security controls, and make recommendations improvements. Assist with the design, approval, and testing of business continuity and recovery procedures, as mandated by ISO 27001-2 and HIPAA. Design, perform, or oversee all assessment, audit, and assurance activities mandated by the overall solution design and applicable policies. These activities will include, but are not limited to, physical and logical penetration testing, system-level control audits, and procedural audits. Design and implement a security-specific schedule of deliverables, whereby written reports and direct consultation will be provided in a manner and with frequency sufficient to provide assurance that confidentiality, availability, and integrity are being adequately maintained. Approve the configuration and manage the integrity of audit and logging services within system and network devices. Integrate security-specific log information, including firewall, IDS, and system-level activity logs. Perform event correlation as required, and report on this data as dictated by the schedule of deliverables described above.

Confidential

Director Chief Security Officer

Manage and direct Security Coordination staff and all security related functions for all of Everest Reinsurance in US and overseas. Work directly with the Executive Security Compliance Office, My primary responsibilities of the job include the monitoring and implementation of global IT security policies, determine and provide solutions to mitigate risk to the firm, monitoring and management of Documented system, individual user application security and safeguarding access to corporate data. Other responsibilities include managing and performing periodic recertification of existing application security, platform security and NT/Share security. Program Management for Disaster Recovery and Business Continuation Planning. Overseeing and responsible for all SOX compliance testing and certification. Successfully implement and maintain RSA ClearTrust for Everest Corporate Architecture.

Confidential

Security Consultant

Responsible for performing end-to-end technical security reviews and suggest security solutions and implementations for applications, systems and Architecture environments. Primary responsibilities include: working with project teams in assessing security risks of applications and systems, assistance in development of risk mitigation strategies that support business accepted risk levels, periodic review of existing applications to ensure that approved security thresholds have been met, development of application development standards and guidelines as they relate to security safeguards and controls and the development of assessment reports: In depth technical security knowledge of: TCP/IP networking, Programming PERL, ASP, C, Java, UNIX HP/UX, Solaris, Linux, Windows 2000,XP, Web servers IIS, iPlanet, application development, risk management SOX Regulation databases Oracle, SQL Server, project management, security best practices, including ISO 27001-2.

Confidential

Position: Vice President Information System Security

• Direct and manage Five associates Forensics Investigator, IS Compliance, and IDS Analyst, Policy and Remote Access
• Supervise the day-to-day operations of the group
• Escalation point for risk, investigations, and compliance issues for all government regulations
• Sign off authority on firewall changes
• Implement and Support the TDW CIRT
• Provide leadership and subject matter expertise
• Provide status and metrics
• Assist in restoring the environment
• Take lead in virus outbreaks CIRT framework
• Performs Security Risk Assessments of corporate systems and environment.
• Performs Security Risk Assessments of development efforts for both new and current projects.
• Assist system administrators on system related security issues O/S patches, user controls, operating system attacks, etc
• Review vulnerability alerts, determine risk to TDW environment and provide recomendations
• Work with engineering staff on security solutions to both current and new networking services.
• Report and Assist CSO Chief Security Officer in planning and implementing security solutions for the firm
• Assist CSO Chief Security Officer in working with development staff on security related issues pertaining to both new and current applications.
• Work with IS Compliance staff on establishing appropriate security controls, policy, and procedures.
• Evaluate and report on the Security Risk profile of all services and offering prior their being deployed.