Present Interim CISO Resume
SUMMARY
- Certified Information Systems Security Professional (CISSP) - February, 2003
- Over 20 years of Information Security and Information Technology experience, including 12 years of management and leadership roles.
- Payment Card Industry Qualified Security Assessor (PCI-QSA) - Feb. 2015-17
- ISO 27001:2013 Lead Assessor and Principal ISMS consultant
- Managed audit engagements for PCI-DSS, ISO 27001, SOX 404 and SOC2 (Types 1 & 2)
- Experience with Information Security Program Development and Management, encompassing policy and procedures development, security strategy and security awareness initiatives.
- Experience with team management and budgeting for mid-sized security programs.
- Acted as Information Security liaison to Executive Management including board members, C-Suite and business stakeholders.
- Extensive experience with technical network security, including security architecture, firewalls, server and router security, encryption, cloud security and VPN.
- Expertise with security standards and regulations including Payment Card Industry Data Security Standard (PCI-DSS), HIPAA, HITECH, FERPA, FISMA, FedRAMP, Gramm-Leach-Bliley, Sarbanes-Oxley, AICPA TSP (SOC2), COBIT, and ISO/IEC 27000 series.
- Interim CISO at Deloitte Products and Solutions practice. Responsible for refining the ISMS for the production AWS cloud computing environment in readiness for a SOC2 Type 1 and ISO 27001 certification.
- CISO at Morehouse School of Medicine. Led the implementation of the Information Security Management System (ISMS) aligned with HIPAA and HITRUST, including policies and standards, Risk Analyses, technical controls, BCP/DR and awareness initiatives.
- Developed Information Security Management and Risk Management programs at multiple mid-sized and large private companies.
- Responsible for all regulatory security audits worldwide (US, UK, Canada, Asia-Pacific and Eastern Europe) at Confidential Payments Inc. (credit card processor), including PCI-DSS, SOX 404, sponsoring bank audits, and Federal Agency reviews.
- Responsible for managing teams of 5-6 security resources at various companies. Also responsible for managing all budgetary issues, ranging from $100k to $500k (excluding personnel costs).
- Developed corporate Information Security policies and procedures, including an Enterprise Risk Management framework, at AirTran Airways.
- Led security assessments (PCI-DSS, ISO 27001, SOX 404, SOC2, HIPAA & HITRUST) and Information Security program development for multiple Fortune 500 clients.
PROFESSIONAL EXPERIENCE
Confidential
Present Interim CISO
Responsibilities:
- Implemented the ISMS for the Products & Solution LOB (a practice within Deloitte that develops and hosts cloud-based analytics platforms for clients).
- Ensure readiness for SOC2 Type 1 on a shortened timeframe for the Amazon Web Services (AWS) hosting environment. ISO 27001 & 27017 certifications to follow the SOC2.
- Wrote system description and controls descriptions for the SOC2 project.
- Responsible for team of 2-3 security engineers to design and implement technical controls.
- Consulted on small- to mid-sized security engagements, including security program development, PCI-SAQs and incident management.
- Responsible for client service to Fortune 500 companies for attestation engagements, consulting, Risk Assessment, and outsourced CISO/ISO engagements.
- Certified as a PCI-QSA for 3.1 and 3.2 and lead assessor for all PCI-DSS engagements.
- Principal resource for ISO 27001 readiness consulting and the Lead Auditor for ISO 27001:2013 certification engagements.
- Managed audit engagements for SOC2, PCI-DSS and ISO 27001 certifications.
- Subject matter expert for information security and risk management issues.
- Healthcare IT SME and primary job supervisor for healthcare clients. Responsible for performing HIPAA Risk Analyses and compliance reviews.
- Responsible for client management, business development, engagement management, recruiting, and project management.
Confidential
Chief Information Security Officer
Responsibilities:
- Responsible for creation, implementation, and administration of the Information Security Program at MSM and managing security team resources.
- Tasked with assessing security risks across academic, clinical, and research technology resources, encompassing information subject to Federal regulations including electronic Protected Health Information (ePHI) through compliance with the HIPAA security rule.
- Oversight of security programs for the clinic, research programs, and academic environment.
- Tasked with securing the clinical technical environment, including the EHR and associated networked medical devices.
- Responsible for communicating security principles via Security Awareness Training.
- Managed the security team (3-4 FTEs) and the security budget, which included technical security line items and soft costs (training, awareness, audit, etc.).
- Was responsible for all compliance activities worldwide (US, UK, Canada, Asia-Pacific and Eastern Europe) related to card security and PCI-DSS. Also was responsible for coordinating external audits such as SOX 404, sponsor bank reviews, and the Federal Reserve examination.
- Advised IT and Executive leadership in an effort to coordinate security strategy and initiatives such as audit gap remediation and policy development and updates.
- Administered the Security Awareness training program for the company.
- Provided security consulting services for projects throughout the company, including major platform deployments.
Confidential
Manager of Data Security
Responsibilities:
- Was responsible for all Information Security activities, including policy and procedure development, security awareness training development and delivery, security team management, operations, vendor compliance, and regulatory compliance.
- Was responsible for all Sarbanes-Oxley section 404 compliance activities, including project management, control testing, documentation, and remediation planning.
- Worked directly with the CIO to implement and monitor Information Security initiatives.
- Was responsible for performing security assessments for enterprise business applications, including internal and external applications, focusing on regulatory concerns.
- Was responsible for special projects, such as outsourcing security reviews, internal technology self-assessments, policy exception review, and internal security training.
- Was responsible for consulting projects related to security program development prior to publication of the final HIPAA Security Rule in 2003.
- Performed vulnerability assessments of clients’ infrastructure, policy and procedure reviews, disaster recovery planning, firewall and IDS tuning, and penetration testing.
- Developed security policies and procedures for technical environments aligned with compliance with HIPAA federal regulations and industry best practices.
- Lead technologist for ComTrust, a PKI-based authentication solution for remote physicians.
- Responsible for ComTrust IT internal infrastructure design and deployment, including servers, PKI Infrastructure, web presence, demonstration lab, and firewalls.
- Administered all technical functionality for specialty Solution Development Center.
