
Sr. Program Manager/ Consultant/ Business Analyst Resume


SUMMARY

  • Highly skilled Cyber Security Program Manager and Certified Project Management Professional (PMP). Demonstrated management skills and exceptional results in challenging and high-pressure environments (collaborative and international operations).
  • Exceptional ability to build effective solutions to volatile, complex, and ambiguous challenges. Possesses 20+ years of experience with a comprehensive background in project management, IT delivery, security protocols, information assurance, and cyber security program implementation.
  • Key skills include control assessment and governance, risk, and compliance (GRC) solutions utilizing cyber security standards and frameworks (e.g. FedRAMP, COBIT, ITIL, NEI, NERC/CIP, NIST/FISMA, HIPAA, SOX, PCI-DSS, SANS, SDLC, ISO/IEC, CMS, HITRUST). Has increasingly worked as a subcontractor but is ideally seeking long-term permanent opportunities.

PROFESSIONAL EXPERIENCE

Sr. Program Manager/ Consultant/ Business Analyst

Confidential

Responsibilities:

  • Managed projects in MS Project & SharePoint to collectively deliver desired business outcomes in support of information security strategy and critical path for the Office of Technology and Information Services (OTIS); led a variety of complex projects in support of DIS consumers throughout the State
  • Implemented Archer Services Expansion pilot (NIST CSF; 800-53) enabling agencies to utilize an integrated compliance assessment capability to establish a common repository (eGRC Archer) of compliance data managing information security and privacy risk across state agencies
  • Primary Project Manager for the SC Enterprise Information System (SCEIS) Business Application Support team and Admin’s Division of Technology Operations (DTO); responsible for statewide multifactor implementation project across integrated platforms (O365, AWS, Azure, cloud)
  • Facilitated compliance management assessment processes for IT risk controls and various GRC frameworks (NIST, HIPAA) using eGRC Archer and in-house tools; created remediation plans for control deficiencies in support of control testing
  • Worked to streamline and mature the Division of Information Security through policy & procedure development and identification of services throughout the state such as security assessment, multifactor authentication, network monitoring, data center services, data classification, Privacy Impact Assessments (PIAs), Privacy Policy and Program Development (proactive & preventive), enterprise threat management, incident response, and information security engagements
  • Developed executive presentations and supporting documents to brief Directorate leadership; examples include workflows, kick-off decks, and master integrated project plans (MIPP) briefs
  • Prepared reports, process flows, and executive briefs for senior management and external regulatory bodies as appropriate, including Issue Remediation & closure activities, governance & sustainability reporting routines, and business analytics metrics (eGRC Archer)

Confidential

Sr. Project Manager

Responsibilities:

  • Functioned as Project Manager and Steering Committee Consultant for the Federal Reserve Bank Audit MRA; worked with Business Lines on Issue Remediation, CAS evidence compilation, and Issue Closure.
  • Incorporated the fundamentals of Third Party Interconnectedness (TPI) and periodic internal reviews or audits to ensure compliance procedures were followed; aligned with the US Bank’s Insider Threat Mitigation Program (ITP), Fraud & Insider Abuse, and Know Your Customer (KYC) initiatives.
  • Directed the internal investigation of compliance issues, assessed product, compliance, or operational risks, and developed risk management strategies.
  • Collaborated with business divisions and departments (e.g. Risk Management, Internal Audit, Consumer Groups, etc.) to direct compliance issues to appropriate existing channels for investigation and resolution
  • Coordinated with risk partners (audit, compliance, legal, risk management) groups to document processes and communicate related information to stakeholders.
  • Remained informed of regulatory developments within or outside of the company as well as evolving best practices in compliance control regarding Third Party Interconnectedness (TPI) and Risk Management (TPRM)
  • Prepared reports, process flows, workflow diagrams, and executive briefs for senior management and external regulatory bodies as appropriate, including MRA Issue Remediation & closure activities, governance & sustainability reporting routines, and business analytics metrics (Tableau, eGRC Archer)

Confidential

Sr. Cybersecurity Program Consultant

Responsibilities:

  • Collaborated with business divisions and departments (e.g. Risk Management, Internal Audit, Consumer Groups, etc.) to direct compliance issues to appropriate existing channels for investigation and resolution
  • Coordinated with risk partners (audit, compliance, legal, risk management) groups to document processes and communicate related information to stakeholders
  • Provided Data Mapping/ Traceability & Transformation Rules (GDPR) for building Executive Reporting Dashboards on the Splunk Enterprise technology platform, and Symantec endpoint protection (SEP); responsible for establishing data quality standards and specifications for critical business applications.
  • Designed and built executive reporting dashboards for cyber threat posture and KPI metrics in Splunk Enterprise; worked with LOBs on Imperva WAF business requirements interpretation and documentation (BRD)
  • Programmed Splunk dashboards (UAT) to prepare for data correlation across multiple logging sources; work was in support of the Wholesale Payment Services Program (e.g. SWIFT).
  • Worked with senior architects and engineers to drive remediation of information security vulnerabilities; identified key elements and obtained approvals for emerging risk; identified threat actor profiles
  • Provided recommendations and best practices for identifying and documenting IS controls and processes within Wholesale Security Services.
  • Analyzed technical and nontechnical indicators to provide a holistic view of the organization’s Insider Threat Risk (via the Wholesale Payment Systems ITP) from individuals identified as potential threats; included ITP components such as employee monitoring, awareness & training, and identification and monitoring of critical payment systems assets (e.g. SWIFT) and intellectual property. Technical indicators included access controls, logging, DLP, and host-based monitoring.
  • Provided assessments of security control implementation and recommended methodologies to improve system security posture(s) and related information security practices and procedures; incorporated guidance for continued organizational information assurance and control measures for effective data management

Confidential

Program Manager

Responsibilities:

  • Managed projects in MS Project & Clarity to collectively deliver desired business outcomes in support of information security strategy and critical path; led a variety of information protection projects including launching new products, services, data protection controls, application development (secure coding practices, release management, UAT, unit, & regression testing), systems integration, operational efficiency improvements, process reengineering, endpoint protection (Symantec SEP), and infrastructure upgrades and deployments.
  • Designed and developed assessment strategies, methodologies, and analyses; evaluated the adequacy and effectiveness of policies, procedures, processes, systems, and internal controls; analyzed business and/or system changes to determine impact, identified and assessed operational risk issues, and assigned risk ratings consistent with established policy standards.
  • Created security Certification & Accreditation (C&A)/ System Authorization products under NIST guidance to facilitate the C&A process using NIST, FIPS, and FISMA standards and guidance.
  • Worked with senior architects and engineers to drive remediation of information security vulnerabilities; identified key elements and obtained approvals for emerging risk regarding identity and access management (IAM).
  • Submitted evidence to the Line of Business (LOB) for self-identified audit issues; liaised between governance teams and engineers for gathering and presentation of evidence for internal/external audits; prepared / presented weekly reports and executive dashboards (SharePoint 2013) and refined corresponding business processes and work streams
  • Drove remediation of information security vulnerabilities and obtained/ documented key elements of emerging risk in the applicable tracking system; tracked certification deliverables and performed reviews of key elements for risk posture and threshold
  • Developed/ refined processes related to risk management by working with multiple teams and vendors (COTS and cloud solutions SaaS/PaaS)
  • Assessed security control implementation and effectiveness for critical business applications, secure coding practices, and distributed enterprise architectures spanning the SANS Critical 20 and 18 NIST Control families; utilized hybrid GRC frameworks (i.e. NIST, ITIL, ISO/IEC, SOX, PCI-DSS)

Confidential

Program Manager

Responsibilities:

  • Assisted Business Information Security Officers (BISOs) in their support of the overall Risk Management agenda across all IT and line of business related initiatives, including but not limited to: IT Risk assessments, Issue/Exception entry and management, and Metric/dashboard creation and management
  • Documented processes, standard operating procedures, etc.
  • Supported communication efforts with key business units within the company through the scheduling of meetings and crafting of correspondence and presentations for use by senior staff
  • Coordinated with risk partner groups (audit, compliance, legal, risk management) to document processes and communicate related information to stakeholders
  • Provided recommendations and best practices related to identifying and documenting IS controls and processes
  • Provided subject matter expertise on Information Security policy, standards, and IT Risk programs
  • Coordinated with IT Risk Service groups on internal and external audits; coordinated patching efforts to resolve deficiencies discovered during the Application Risk Assessment; tracked ad-hoc patching per change management protocol, secure coding practices and QA reviews.
  • Assessed endpoint protection mechanisms relative to third party connections to the TIAA infrastructure; endpoint protection (Symantec SEP)

Confidential

Sr. Risk Coordinator

Responsibilities:

  • Collaborated with executive leadership within the Global Network and Infrastructure Solutions (GNIS) organization, Global Information Security (GIS), Internal Audit, and other Risk Coordinators to ensure proper risk management and remediation of Confidential’s global data network, voice network, and cyber security infrastructure.
  • Worked with senior architects and engineers to drive remediation of information security vulnerabilities; identified key elements and obtained approvals for emerging risk; identified threat actor profiles, adversary tools, technology, and procedures (TTP), and indicators of attack/compromise (IOA/IOC)
  • Coordinated vulnerability remediation efforts for security patches to include scheduling and closeout; worked with infrastructure security patching team to ensure routine and ad-hoc patching was consistently performed and verified completion; ensured application owners and LOBs were proactive in scheduling patching efforts with rollback plan in support of audit remediation or network scan results; validated null assets as applicable.
  • Tracked milestones to deliverable date(s) and gathered evidence for existing risk mitigation items; performed 180-day reviews of key elements for existing risk acceptance items; ensured key deliverables related to access management, business continuity planning and testing, compliance & regulatory management, and vendor management (COTS and cloud solutions SaaS/PaaS; endpoint protection (SEP)) were completed by the due date
  • Drove remediation of information security vulnerabilities and obtained/ documented key elements of emerging risk in applicable tracking systems; tracked certification deliverables and performed reviews of key programs (e.g. Vulnerability Management, Insider Threat (ITP), Vendor Management & IAM) elements for risk posture and inherent risk ratings.

Sr. Confidential Manager/ Change Consultant

Confidential, NC

Responsibilities:

  • Served as the Confidential Manager for Wholesale Credit Operations (WCO) within General Wholesale Banking as part of the response to Memoranda for Actions resulting from an Office of the Comptroller of the Currency (OCC) Audit.
  • Prepared Audit Remediation Reports and Validation files for the Enterprise Compliance Team ensuring deliverable packages were submitted for all identified areas tested.
  • Worked with impacted Lines of Business (LOBs) as appropriate to develop an effective compliance training program, including appropriate introductory training for new employees as well as ongoing training for all employees and managers.
  • Stood up SharePoint 2013 overflow site for audit evidence document repository; maintained new Flood Compliance policies and procedures and corresponding training aids in new collaborative workspace; managed access permissions and directory rights
  • Developed, initiated, maintained, and revised policies and procedures for the general operation of the Flood Insurance Compliance Program and related activities to prevent illegal, unethical, or irregular conduct in support of governance, risk management, and compliance initiatives.
  • Collaborated with other departments (e.g. Risk Management, Internal Audit, Consumer Groups, etc.) to direct compliance issues to appropriate existing channels for investigation and resolution. Consulted with Legal and Enterprise Compliance as needed to resolve issues.
  • Responded to alleged violations of rules, regulations, policies, procedures, and Standards of Conduct by evaluating or recommending the initiation of investigative procedures.

Confidential

Program Manager

Responsibilities:

  • Served as an IT Project Manager for Enterprise Data Management Solutions - Identity and Access Management (IAM; Oracle OIG and SEP solutions); provided support for Business Transformation / Organizational Change Management (OCM) across the enterprise, within the Technology Operations Group (TOG)
  • Functioned as the Business Liaison for LOBs within the Technology Operations Group to successfully implement the enterprise solution and the MS Project / Clarity schedule/timeline for the IAM solution critical path; captured and integrated business requirements into the solution from design through engineering, testing, and deployment (e.g. Business Requirements Documentation (BRD, FRD, TRD, SDLC), Traceability Matrices, and System Requirements Specifications (SRS)).
  • Educated service liaisons on Change Management Program tenets and structured framework. Coordinated training sessions with LOBs to enhance awareness and education for the Transformation Readiness workstreams utilizing the PROSCI model.
  • Led development of organization/function communication & adoption strategy around changes to people, processes, or systems by working with stakeholders or business functions to understand communications & adoption needs / objectives, then developed a comprehensive strategy to meet those objectives; assessed “People Readiness” to determine when people were “ready” to adopt change by use of surveys, focus groups, message maps, and ambassador network calls (i.e. ADKAR evaluation).
  • Conducted impact analysis using stakeholder analysis and mechanics mapping to determine the impact of change prior to rolling out change management; gathered stakeholders’ requirements and synthesized results to understand key program objectives & identify key changes to occur

Confidential

Program Manager

Responsibilities:

  • Responsible for the development and delivery of programs and associated roadmap efforts for the Enterprise Access Control & Governance and Information Security Governance, Risk Management and Compliance teams.
  • Functioned as a Senior Program Manager within the Technology Program Management Office supporting information security tenets and implementing guiding principles; responsible for roadmap delivery for enterprise enhancement, technology refresh, and Big Data capabilities improvements within the infrastructure.
  • Provided tactical and strategic direction to support corporate growth and future technology advances at the enterprise level for distributed solutions; ensured the availability, security, endpoint (SEP) protection, support, and implementation of enterprise Information Security systems and applications
  • Managed vendor relationships (COTS and cloud solutions SaaS/PaaS), including negotiation of contract and SOW language and costs; communicated the relationships between various functional components of systems, applications, business units, and technologies.
  • Interacted with internal and external auditors to ensure that corporate security systems had appropriate levels of security controls under a prescribed GRC framework (SOX, ITIL, SDLC, COBIT, PCI-DSS, NIST)
  • Supported priority GRC initiatives and the Internal Audit Partnership Alliance; functioned as an incident response support resource (SIEM), offering advice and assistance to the general user community on data classification and handling and on reporting security incidents.

Confidential

Program Manager

Responsibilities:

  • Functioned as a Sr. Program Manager for Industrial Control Systems Cyber Security. Responsible for policy development and program implementation for governance, risk management, and compliance (GRC) and related physical security of power generation facilities.
  • Ensured standard process and procedures align with Federal standards for energy and utility reliability under North American Electric Reliability Corporation (NERC)/ Critical Infrastructure Protection (CIP) requirements.
  • Enforced organizational policy to ensure secure, defense-in-depth, and compliant operations for fleet readiness with NERC/CIP (Ver. 3 & 5) and FISMA-related standards. Provided senior level management with security briefings and updates on critical issues impacting cyber security posture, investments, and strategic initiatives
  • Participated in industry committees, working groups, and standards development task forces related to cyber security at power generation facilities and assets; participated in industry benchmarking, developing and executing improvement initiatives, and updating, tracking, and closing Plans of Action & Milestones (POA&Ms)
  • Established standards and programmatic controls for cyber security technologies involving significant costs and benefits; forecast initiatives for continuous operational protection and Confidential for cyber security.

Confidential

Sr. INFOSEC Program Manager

Responsibilities:

  • Performed phased assessments of security controls under the Common Security Control Framework (CSF) for MARS-E (v1.0) and the HITRUST CSF Program.
  • Established Plans of Actions & Milestones (POA&M) and MS Project/ Clarity schedules based on a hybrid approach to conducting enterprise risk assessments of information technologies or specialized general support systems operating at designated HHS Facilities (e.g. public clinics, temporary medical stations, specialty clinics)
  • Established control baselines for acceptable risk safeguards and briefed senior leadership on areas of exposure, potential threats, and vulnerabilities.
  • Collaborated with other security analysts on a strategic approach to prepare for introducing cloud technologies (SaaS, PaaS) into the enterprise (FedRAMP).

Confidential

Sr Cyber Security Analyst

Responsibilities:

  • Developed Certification and Accreditation (C&A) artifacts and system security documentation for FISMA compliance requirements using the NIST SP-800 series. Developed security products for the Department of Energy (DOE) under NIST standards, the Code of Federal Regulations Title 10 (10 CFR 73.54), and Department of the Navy (DON) cyber security guidance.
  • Functioned as an IT Project Manager within the integrated Dept of Energy Program Management Organization (PMO); led and coordinated new projects for the Cybersecurity Operations Team and Power Delivery organizations; utilized the IT Delivery Methodology (ITDM) and the Solution Delivery Lifecycle (SDLC) for all critical path project phases; managed in MS Project & Clarity.
  • Interfaced with senior client management and business users to map out and document business and/or IT requirements; documented baseline business processes, systems, information, and technologies. Identified opportunities for organizational improvement and communicated strategies to achieve desired results.
  • Validated information system boundaries in support of the C&A process; created Visio system architecture diagrams; worked with information system managers to verify operating environment, system interconnections, and user and system level boundary protections.
  • Evaluated security controls for the Computer Security Incident Response Team (CSIRT) providing policies, procedures, training, and testing exercises in conjunction with Contingency Plan Testing and/or Continuity of Operations Planning (COOP).
  • Assessed information security requirements for NRC Safeguards Information (SGI), Sensitive Unclassified Non-Safeguards Information (SUNSI), and Restricted Data (RD) as typed for the Office of Nuclear Security and Incident Response (NSIR); responsible for NSIR modifications to the Human Resource Management System decommissioning (legacy system due for modernization)
  • Provided ITP training module resources targeting specific business units and roles responsible for handling safeguards (SGI) and SUNSI information (e.g. IT, DBAs, security architects, network admins)

Confidential

Sr. Cyber Security Program Lead

Responsibilities:

  • Led project teams in application customizations (Java, SQL, Python, RACF, .NET) and decommissioning of legacy applications. Responsible for inception to completion of specialized applications; leading application development support teams to project completions with emphasis on IT delivery and app modifications (i.e. PeopleSoft implementation, Electronic Information Exchange, License Tracking System, and BPIAD customizations/ modernizations)
  • Developed C&A deliverables in accordance with FIPS and FISMA compliance requirements under the NIST frameworks, primarily based on scan results. Developed project status reports for detailed and thorough visibility of contract performance and Quality Assurance. Created security products for the US Nuclear Regulatory Commission under NIST standards, the Code of Federal Regulations Title 10 (10 CFR 73.54), and the Federal Risk and Authorization Management Program (FedRAMP)
  • Interfaced directly with all levels of management (e.g. Directors, System Owners, administrative personnel, and Information System Security Officers) throughout all phases of C&A; prepared Memoranda of Agreement and Interconnection Security Agreements for interconnecting general support systems
  • Performed security testing and evaluation (ST&E) as lead certification agent; developed contingency plans and conducted contingency testing; liaised with customer organizations during the Capital Planning and Investment Control (CPIC) process and assisted in mission/ business planning.
  • Provided assessments of security controls and documented implementation status and security posture; documented system security plans (SSP), risk assessments, and Plans of Action and Milestones (POA&M) for continuous monitoring activities; worked with system administrators to develop disaster recovery procedures and operational support guides.

Confidential

Senior Information Security Specialist

Responsibilities:

  • Created security Certification and Accreditation products under NIST standards (i.e. System Security and Contingency Plans; Risk Assessment Reports) and contract deliverables based on fixed price terms and/or other forms of contractual agreements; developed critical system documentation to support the Certification and Accreditation process using NIST, FIPS, and FISMA standards and guidance.
  • Provided assessments of security control implementation and recommended methodologies to improve system security posture(s) and related information security practices and procedures; incorporated guidance for continued organizational information assurance and control measures for effective data management
  • Developed Security Testing and Evaluation Plans (ST&E) according to the system categorization, operating environment, and information system functionality and capabilities.
  • Coordinated with vendors on Contingency Plan development and Service Level Agreements (SLA) (COTS solutions and cloud SaaS/PaaS); outlined damage assessment, recovery roles, and system reconstitution procedures.
  • Evaluated disaster recovery procedures for business continuity services (warm, hot, and mirrored site support) and implemented enterprise-wide system security policies for contingency operations; developed Business Impact Analyses for System Owners and customer organizations.
  • Conducted Independent Verification & Validation (IV&V) assessments, Annual Security Control Testing (Annual Self-Assessments), and internal audits for the Veterans Health Administration for HIPAA and privacy control implementation.
