
Grc/project Manager Resume


Austin, Texas

SUMMARY

  • Experienced IT Cybersecurity, GRC and Privacy Consultant with over fifteen (15) years of experience in Aerospace, Government, Health, Financial Institutions, Telecommunication industry and Information Technology security work, including demonstrated experience in policy development, asset management and IT security artifacts in accordance with ISO, NIST, PCI-DSS, SOX, SOC 1 and SOC 2.
  • Experience in Certification and Accreditation (C&A), Vendor Management, Risk Management Framework, Authorization to Operate (ATO) documentation, Security Risk Assessment, Security control assessment, Incident Response Planning, Contingency Planning, Disaster Recovery Planning, Privacy Impact Analysis, PTA, SORN, MOU/ISA, Change Management. Practical, comprehensive understanding of NIST SP rev4, NIST SP A, ISO 27000 series, UK Cyber Essentials, GDPR, CCPA, CMMC v1.02 Framework, DFARS, ITAR, NIST, NIST CSF, SOX, FIPS 199 & 200, FISMA, FedRAMP, PCI-DSS, HIPAA, HITRUST, COBIT, the NIST family of security controls and POA&M.
  • Excellent reputation for resolving problems, improving customer satisfaction and driving overall operational improvements; recognized consistently for performance excellence and contributions to success in the cybersecurity industry.

TECHNICAL SKILLS

  • SMART
  • RSA Archer
  • RiskVision eMASS
  • Audit Board
  • KMC
  • IDS/IPS
  • SIEM
  • Windows
  • UNIX
  • Linux
  • Cloud-based systems
  • OSI 7-layer model
  • MS Office
  • Word
  • Visio
  • Excel
  • PowerPoint
  • Access
  • Outlook

PROFESSIONAL EXPERIENCE

Confidential, Austin, Texas

GRC/Project Manager

Responsibilities:

  • Lead/manage builds of internal control catalogues and measurement methods/metrics for risk exposure.
  • Participate in the development, review and de-confliction of customer information system security policy and standards, including writing guidelines, standards, procedures, and other technical documentation (technical roadmaps, project plans, etc.).
  • Maintain SOX IT documentation, liaise with internal and external auditors, and provide guidance and support to technology control owners on control design, audit requirements, and issue remediation.
  • Lead the definition of the project scope, project management/SDLC approach, milestones, tasks, deliverables, and resource requirements with specific focus on security.
  • Develop various policy documents (SOPs/CONOPs) as required. This may include policies regarding Configuration Management, IS Sanitization, Media Security, Password Policy, Business Continuity, Continuity of Operations, Incident Response, Disaster Recovery, and Security Assessments.
  • Lead/manage methodology development, updates and mapping of governance, risk and compliance (GRC) assessments for changing requirements/criteria related to SOC1, SOC2, SOX, strategic leadership initiatives, and other regulatory or industry requirements such as HITRUST and GDPR per applicable guidelines and frameworks: ISO 27001:2005, NIST 800, NIST CSF, PCI, GDPR, HITRUST and FISMA.
  • Support the Sr. Systems Security Engineer in the review of technical, management and operational security controls in accordance with NIST and FedRAMP for approved cloud and on-premises system environments to ensure the completeness and effectiveness of the IT system's information technology and security solutions.
  • Identify, assess, measure, and monitor information risk by performing and overseeing risk assessments, vulnerability assessments, application security assessments, penetration tests, and third-party information security risk assessments.
  • Select and oversee staff, vendors, and strategic partners engaged with the Information Security function to perform risk assessments, vulnerability assessments, application security assessments, and vendor information security risk assessments.
  • Identify and assess security control gaps for information assets. Monitor the implementation of controls and control mitigations for business processes, data protection, applications, and infrastructure.
  • Work with technology and business teams to develop and document risk treatment plans, including recommendations and options for risk avoidance, risk mitigation, risk transfer, and risk acceptance, in line with the enterprise risk appetite.
  • Ensure business engagement throughout the project, including decision making, managing scope/budget changes, eliciting and prioritizing business requirements, planning and executing acceptance testing, developing and delivering training, migrating to production, and transitioning to support.
  • Review and evaluate internal controls and supporting documentation to determine if current client compliance meets requirements for CUI or CMMC.
  • Support federal security authorization activities in compliance with FISMA, FedRAMP, CMS ARS and CMMC.
  • CISO support, incident response and vulnerability management programs, security assessments, and strategic roadmaps.
  • Lead/manage investigations, evaluations and remediation of operational risk/loss events, including root cause analysis and process improvement recommendations within the scope of GRC; monitor remediation plans.
  • Work with Privacy and Compliance Counsel to develop and/or mature Confidential's data privacy and cybersecurity programs, consistent with local laws and company policies.
  • Ensure alignment of day-to-day operations with Confidential privacy and compliance policies and regulations (e.g., data map, vendor management, data subject rights requests, etc.).
  • Initiate and lead ongoing information security maturity assessment processes and training, using industry-accepted frameworks, and implement them into the overall cybersecurity posture.

Confidential, Austin, Texas

Principal GRC Security Consultant

Responsibilities:

  • Lead risk methodology development and execution; maintain updates and mapping of governance, risk and compliance (GRC) assessments for changing requirements/criteria related to SOC1, SOC2 and SOX, in addition to other regulatory or industry requirements such as HITRUST, CCPA and GDPR per applicable guidelines and frameworks: ISO 27001:2005, NIST 800, NIST CSF, PCI, GDPR, HITRUST and FISMA.
  • Lead the development, assessment, and analysis of cybersecurity documentation for internal and tenant service offering information systems in accordance with FISMA, NIST RMF for Federal Civilian Agencies, RMF for DoD, FedRAMP, and departmental standards.
  • Lead the performance of system/network vulnerability scanning and analysis using both automated tools and manual techniques.
  • Lead technical assessments using standard industry tools such as Nessus, DB Protect, Web Inspect, ACAS (for DoD), and others.
  • Review and approve the IS Security Control Assessment Procedures, the Security Assessment Plan, the System Security Plan (SSP), and the Security Control Traceability Matrix (SCTM).
  • Knowledge of and experience with obtaining and maintaining SOC, ISO, HIPAA, HITRUST, FedRAMP, PCI, IL2, GDPR, CCPA and other data privacy regulations.
  • Responsible for working across internal stakeholders and product engineering teams to drive key aspects of continuous monitoring requirements, support customer onboarding, and drive continuous improvements within the FedRAMP program.
  • Perform vulnerability/risk assessment analysis to support certification and accreditation. Provide configuration management (CM) for information system security software, hardware, and firmware. Manage changes to systems and assess the security impact of those changes.
  • Prepare and review documentation to include System Security Plans (SSPs), Risk Assessment Reports, Assessment & Authorization (A&A) packages, and System Controls Traceability Matrices (SCTMs). Support security authorization activities in compliance with the NIST Risk Management Framework (RMF) and any client's tailored requirements.
  • Help our customers to implement and enforce NIST, NIST, DFARS, ITAR and CMMC requirements.
  • Support and lead the business development process through participation as the FedRAMP & DoD Cloud A&A SME and NIST SME for DFARS and ITAR.
  • Develop and maintain system security plans (SSP), contingency plans (CP), incident response plans (IRP), configuration management plans, security control requirements and assessments, Plan of Action and Milestones (POA&M), and training requirements.
  • Facilitate the Plan of Action and Milestones (POA&M) program to ensure customer systems have accurately and fully provided information for POA&M activities, including valid remediation of findings.
  • Ensure that existing business environments adhere to Federal Information Assurance policies and procedures to acquire and maintain an Information System's Authority to Operate (ATO) under the Federal Information Security Management Act (FISMA) and other client-specified regulatory/security standards.
  • Coordinate with internal stakeholder engineering teams to demonstrate the implementation of security compliance controls for technical, management, and operational requirements.
  • Audit security controls to ensure compliance with cloud requirements and governance models.
  • Support the development of technical material, operational processes, security policies, and other core documents.
  • Lead the identification and application of vulnerability remediations, standard operating procedures, root-cause analysis procedures, and, when necessary, mitigation techniques.
  • Lead the identification and mitigation of cybersecurity risks through formal assessment activities.
  • Lead compliance-related discussions (this includes expert understanding of applicable compliance frameworks, architectures, and security control requirements, both technical and non-technical).
  • Support the CMPS team and clients by providing guidance and leadership regarding FedRAMP and Cloud Security.
  • Define and maintain the security management program for the Cloud environment, including its security policy, practices, standards, procedures, and processes; coordinate and support regular security audits as part of the comprehensive System Security Policy, standards, practices and procedures, in order to maintain security authority to operate.
  • Coordinate and support risk assessments and ensure corrective action on any identified security exposures.
  • Work with business units in a consulting role to assist in their understanding of internal controls and measurements in addressing strategic initiatives, business/client drivers and concerns, future audits and compliance requirements.

Confidential, Austin, Texas

Principal Information Assurance Security Analyst

Responsibilities:

  • Lead system security consultation within cloud-based environments in accordance with NIST SP, OMB, and other authoritative IT security guidance.
  • Lead the development and implementation of the system-wide risk management function of the information security program to ensure information security risks are identified and monitored.
  • Develop and implement an effective system security education, training, and awareness program.
  • Provide FedRAMP, FISMA and NIST compliance advisory for clients on how to achieve cloud security requirements as part of migrations, greenfield builds, and/or existing environments.
  • Adhere to the NIST Risk Management Framework (RMF) to support the A&A process, including analyzing the development of supporting policies, procedures, and plans; designing and implementing security controls; testing and validating security controls; and analyzing and tracking corrective action plans.
  • Advise on strategies, tactics, and approaches for applying FedRAMP, FISMA, and NIST security frameworks for cloud, container, and serverless environments on platforms such as Amazon Web Services, Azure, and VMware, among others.
  • Coordinate FedRAMP authorization on behalf of VA BO, including FedRAMP intake, kickoff, Work Breakdown Structure (WBS), remediation, and ATO.
  • Provide strategic guidance for vendors navigating the FedRAMP authorization process.
  • Provide enforcement of security and compliance related tasks against VA's accreditation boundaries of systems, to include performance reporting and analysis of trends across VA's information security compliance program.
  • Provide technical, management, and operational security control subject matter expert services on compliance requirements reflective of the Risk Management Framework (RMF).
  • Evaluate the processes, tools and techniques needed to achieve Cyber Security program strategic objectives and provide direction on compliance standards to meet VA's RMF / National Institute of Standards and Technology (NIST) requirements.
  • Maintain a working knowledge of system functions, security policies, technical security safeguards, and operational security measures.
  • Evaluate proposed changes in security architecture and IT solutions to ensure they meet statutory and regulatory requirements for processing and safeguarding sensitive information or controlled unclassified information (CUI).
  • Coordinate internal compliance review and monitoring activities for Network Operations, including periodic reviews of departments within the Network Operations functional unit, and collaborate with Internal Audit.
  • Monitor all available resources that provide warnings of system vulnerabilities or ongoing attacks and report them as necessary.
  • Develop, document, and monitor compliance with, and report on, the facility's system security program in accordance with Cognizant Security Activity (CSA) guidelines for management, operational and technical controls.
  • Perform risk assessments, document results in a RAR, and keep the risk assessment current throughout the acquisition/development portion of the system life cycle.
  • Develop, maintain, and update, in coordination with all system stakeholders, POA&Ms in order to identify system weaknesses, mitigating actions, resources, and timelines for corrective actions. Entries in the POA&M are based on vulnerabilities and recommendations identified during assessments.
  • Certify to the AO, in writing, that the requirements and implementation procedures listed within the security plan are in accordance with the NISPOM, NIST SP and DAAPM.
  • Prepare and review compliant documentation, including but not limited to: System Security Plans (SSPs), Risk Assessment Reports, Assessment and Authorization (A&A) packages, System Requirements Traceability Matrices (SRTMs) and Readiness Assessment Reports.
  • Evaluate security solutions to ensure they meet security requirements for processing classified information; perform vulnerability/risk assessment analysis to support certification and accreditation.
  • Submit the security plan and supporting artifacts to the ISSP for AO review and consideration.
  • Ensure all system security documentation is current and accessible to properly authorized individuals.
  • Implement security controls to protect the system, in coordination with system stakeholders.
  • Ensure audit records are collected and analyzed in accordance with the security plan.
  • Obtain and maintain NISP Enterprise Mission Assurance Support Services (eMASS) access in order to effectively manage all security authorizations for systems under purview.
  • Manage, maintain, and execute the continuous monitoring strategy.
  • Conduct periodic assessments of authorized systems and ensure corrective actions are taken for all identified findings and vulnerabilities.
  • Monitor system recovery processes to ensure security features and procedures are properly restored and functioning correctly.
  • Ensure proper measures are taken when a system incident or vulnerability affecting classified systems or information is discovered.
  • Brief users on their responsibilities with regard to system security and verify that cleared contractor personnel are trained on the system's prescribed security restrictions and safeguards before they are allowed to access the system.
  • Coordinate with the Facility Security Officer (FSO) and the Insider Threat Program Senior Official (ITPSO) to ensure insider threat awareness is addressed within the system security programs.
  • Ensure user activity monitoring data is analyzed, stored and protected in accordance with the ITPSO policies and procedures.
  • Review system audit log events and identify any suspicious activities.

Confidential, Westborough, MA

Senior Security Analyst

Responsibilities:

  • Conducted walk-throughs, formulated test plans and testing procedures, documented gaps, test results, and exceptions, and developed remediation plans for each area of testing.
  • NIST Risk Management Framework: categorized systems, privacy impact assessments, security impact assessments, interconnection security agreements, risk assessments, waivers.
  • In-depth experience in security incident response and management, including analysis of events, review of suspected malicious activity, identification of indicators of compromise and providing guidance on resolution and remediation activities.
  • Executed technical risk assessments and advised business and IT leaders on the risk of initiatives.
  • Defined and executed Third Party / Vendor Information Security Risk Assessment programs.
  • Supported the organization's Business Continuity Plan (BCP) and Disaster Recovery (DR) processes by evaluating resilience, recovery capabilities and risks inherent in its IT infrastructure for strategic purposes based on ISO 27001 and the NIST Special Publications series.
  • Experienced in designing and implementing controls within corporate networks, including computer/network security and operating systems such as UNIX, Linux, and Windows, as well as LAN/WAN internetworking protocols such as TCP/IP and network perimeter protection (firewalls).
  • Participated in POA&M remediation by evaluating policies, procedures, security scan results, and system settings to address controls that were deemed insufficient during Certification and Accreditation (C&A), RMF, continuous monitoring, and FISCAM audits.
  • Performed assessments, POA&M remediation and document creation using ISO 27001 and NIST SP A rev4.
  • Conducted PCI compliance testing to verify corporate PCI security controls meet the latest PCI DSS requirements.
  • Involved in creating System Test & Evaluation (ST&E) documents and helped review and update existing ones for multiple information systems.
  • Assisted ISSOs in creating solutions to weaknesses based on system functionality and pre-existing architecture.
  • Ensured all weaknesses discovered during assessment of security controls were remediated and tested in a timely fashion to meet client deadlines.
  • Interfaced with IT operators and network engineers to mitigate system vulnerabilities discovered in network devices.

Confidential, Westborough, MA

Information Security Analyst

Responsibilities:

  • Ensured that appropriate steps were taken to implement information security requirements for IT systems throughout their life cycle, from the requirements definition phase through disposal.
  • Performed POA&M oversight and audit remediation initiatives across the infrastructure and information systems to satisfy compliance requirements and manage risks to an acceptable level by building relationships and working directly with system and business process owners.
  • Coordinated with the enterprise risk management function for appropriate impact analysis.
  • Analyzed organizational information security policy needs based on stakeholder interactions; developed and published policy, standards, a security handbook, and procedures for implementation, ensuring alignment with NIST Rev 4 and ISO 27001.
  • Worked with Service Providers and the PMO to help identify security-related items for Payments and vendor-supported systems and provided security guidance to new and ongoing infrastructure projects.
  • Provided expert technical advice in information security and participated in the design, planning and implementation of IT infrastructure in the organization.
  • Ensured that compliance with ISO 27001, SOX and PCI standards was maintained across all departments.
  • Coordinated and executed proactive information security consulting to the business and technology teams covering Infrastructure Security, Resiliency, Data Security, Network Architecture and Design, and User Access Management.
  • Monitored PCI DSS compliance of relevant hosting partners and application vendors.
  • Performed ongoing security procedures, including review of firewall activity and other system logs, vulnerability (anti-virus, software/firmware patch) management, periodic system intrusion testing and investigation of exception conditions.
  • Developed a contingency plan for each information system which addresses emergency response, backup and recovery actions required to provide reasonable continuity of data processing support should events occur that prevent normal operations.
  • Ensured that appropriate steps were taken to implement IT system requirements for systems throughout their life cycle, from the requirements definition phase through disposal.
  • Used and applied experience in Security Assessment & Authorization (SA&A) policies, guidelines and regulations in the assessment of IT systems and the documentation and preparation of related documents.

Confidential

System Administrator

Responsibilities:

  • Performed daily, weekly and monthly maintenance and backup/restore exercises, reviewed server logs for prospective issues, and ensured that anti-virus software and security patches were routinely updated and functioning.
  • Instrumental in developing and implementing the Business Continuity and Business Recovery Plan (BC&BRP).
  • Worked with management to update the security manual and address current concerns.
  • Performed comprehensive investigation of cybersecurity breaches.
  • Reviewed system access data and monitored system vulnerabilities.
  • Initiated company policies and procedures governing corporate security, email and internet usage, access control and incident response.
  • Conducted comprehensive investigations of cybersecurity breaches.
  • Purchased new system security software and made update recommendations.
  • Made presentations to management on how to prevent or minimize cybersecurity attacks.
