QUALIFYING WORK EXPERIENCE

Confidential

Senior Information Security Compliance Analyst

• Gather or create system security documentation.
• Identify key requirements and gaps provide solutions for clients utilizing best practices.
• Identify, track, and monitor security deficiencies.
• Assist with the implementation of security risk management strategies and contribute expertise in formulating a successful security program.
• Develop high-quality assessments that provide an understanding and resolution to security-related events.
• Develop and document vulnerabilities, solutions, countermeasures for identifying signatures.
• Apply FIPS199 categorizations to all information types
• Use FIPS200 to select 800-53 Rev.4 controls for the system
• Perform 800-53A security self-assessment
• Determine acceptability of risks identified in self-assessment
• Development of the overall SA A project Plan, the SA A Process Guide, The Plan of Action Process Guide, and The Security document templates System Security Plan, Risk Assessment, Security Test Evaluation, Contingency Plan, and different evaluation compliance Checklists .
• Establish plan of action and milestones POA M
• Include all of above and other required information in SA A package
• Conduct briefings and knowledge transfer of information security related issues to management and co-workers.
• Address issues, assess impact, determine probable damage and provide recommendations for course of action.
• Identify and investigate client issues and provide recommendations, workarounds, resolutions and benefits by minimizing the client's risk and cost.
• Communicate all project related issues and project status efficiently.
• Consistently look for opportunities to improve processes, and implement appropriate ideas.
• Create and ensure accuracy and currency of technical documentation as needed.
• Conduct or participate in meetings with stakeholders and various IT vertical teams and discuss project issues, risks and status.
• Stay abreast of latest developments and technologies in network security/information assurance to ensure applicability of services delivered.
• Develop several Information Technology Security Policies
• Conduct contingency plan tests for four systems
• Complete Privacy Threshold Analysis PTA for all systems in order to determine if a Privacy Impact Assessment PIA is needed.
• Applied NIST 800-60 I II rev.1 categorizations to all information types
• Develop Contingency Plans per NIST SP 800-34 rev.1.
• Performed two Systems Security Assessment and Authorization's and Security Test Evaluation ST E using NIST Special Publication 800-37Rev.1, 800-53 Rev.4 800-53A Rev.1, 800-34 Rev.1
• Developed a Security Assessment and Authorization statement Letter

Confidential

Senior Information Security Analyst

• Provided essential FISMA support to orchestrate completion of the annual and quarterly reports for OMB
• Liaison between the DOE Office of IT Security and the DOE Information Systems Audit Division and the Office of the Inspector General to gather documentation and completion of the FISMA reports
• Used FIPS200 to select 800-53 rev.4 controls for the system
• Lead Security Analyst for six of Program Offices consisting of twenty systems. In this role tasks included performing full scope Security Assessment and Authorization SA As - including ST Es while applying NIST 800-53 rev.4, NIST 800-53A rev.1, NIST 800-26, NIST 800-30 rev.1, NIST 800-87, NIST 800-18 rev.1, and NIST 800-37 rev1 for the OITS and CISO.
• Assisted CISO's, System Owners, Program Managers, Stakeholders and staff members with writing and updating their annual security documentation. This included Contingency Plans CP , Risk Assessments RA , and System Security Plans SSP , Self- Assessments, conducting Contingency Plan Tests CPT and resolving POA Ms Plan of Action and Milestones vulnerability weaknesses. Provided content updates to the CBT Security Awareness Training as well as training BU POCs about OITS security requirements and updates as needed. Provided expertise to Program Offices for risk remediation, CM, analyzing vulnerability scans, tested security controls, and document policies and procedures.
• Completed Privacy Threshold Analysis PTA for all systems in order to determine if a Privacy Impact Assessment PIA is needed.
• Completed PIA for all systems that have personally identifiable on non-DOE employees or contractors.
• Conducted FISMA compliance reviews with each Program Office. Assisted Office of Information Technology Security OITS staff members as needed on high priority projects, and tasks. Requested to lead tasks by the OITS Director and CISO.
• Developed Department of Energy DOE Continuous Monitoring Plan that includes: Configuration Management and Control, Security Control Monitoring, and Status Reporting and Documentation
• Developed several system security documentation templates including System Security Plan, Risk Assessment, Self-Assessment, Contingency Plan, Memorandum of Understanding/Agreement MOU/A , Configuration Management Plan, Plan of Action and Milestones, Security Test Evaluation, and Certification Accreditation Statement .
• Developed Contingency Plans per NIST SP 800-34 rev.1.
• Established plan of action and milestones POA M
• Reviewed POA M weaknesses to be validated for closure.
• Lead IT Team in addressing and validating findings and weaknesses
• Ensured POAM remediation is performed in compliance with the DOE's policies and standards
• Apply FIPS199 categorizations to all information types
• Maintained professional demeanor, attitude and appearance at all times while on duty, in order to represent Computer Technologies Consultants in a positive and competent manner.
• Developed a Security Assessment and Authorization SA A statement Letter
• Used NESSUS Scan Tool to scan the information sytem.
• Development of the overall SA A project Plan, the SA A Process Guide, the Plan of Action Process Guide, and different evaluation compliance Checklists .
• Determined acceptability of risks identified in self-assessment

Confidential

Information System Security Officer

• Gathered and created system security documentation System Security Plan, Risk Assessment, Contingency Plan, and Security Test Evaluation.
• Identified key requirements and gaps provide solutions for clients utilizing best practices.
• Promoting information security awareness.
• Ensuring media handling procedures are followed.
• Complying with APD training requirements for individuals with significant security responsibilities.
• Identified, track, and monitor security deficiencies.
• Assisted with the implementation of security risk management strategies and contributed expertise in formulating a successful security program.
• Developed high-quality assessments that provide an understanding and resolution to security-related events.
• Developed and documented vulnerabilities, solutions, countermeasures for identifying signatures.
• Applied NIST 800-60 I II rev.1 categorizations to all information types
• Applied FIPS199 categorizations to the information system
• Used FIPS200 to select 800-53 rev.4 controls for the system
• Performed 800-53A rev.1 security self-assessment
• Determined acceptability of risks identified in self-assessment
• Development of the overall SA A project Plan, the SA A Process Guide, the Plan of Action Process Guide, the Security Assessment and Authorization IT system Inventory guide, and the Security document templates System Security Plan, Risk Assessment, Security Test Evaluation, Contingency Plan, Configuration Management Plan, Memorandum of Understanding/Agreement, and different evaluation compliance Checklists to evaluate the security documents .
• Established plan of action and milestones POA M
• Included all of above and other required information in SA A package
• Conducted briefings and knowledge transfer of information security related issues to management and coworkers.
• Addressed issues, assess impact, determine probable damage and provided recommendations for course of action.
• Identified and investigated client issues and provide recommendations, workarounds, resolutions and benefits by minimizing the client's risk and cost.
• Communicated all project related issues and project status efficiently.
• Consistently looked for opportunities to improve processes, and implement appropriate ideas.
• Created and ensure accuracy and currency of technical documentation as needed.
• Conducted or participated in meetings with stakeholders and various IT vertical teams and discuss project issues, risks and status.
• Stayed abreast of latest developments and technologies in network security/information assurance to ensure applicability of services delivered.
• Developed Privacy Impact Analysis PIA and Privacy Threshold Analysis PTA
• Put together a list of common controls list spreadsheet
• Developed the Amtrak Police Department Information Technology Security Policy
• Mentored and trained all team member with the various activities associated with the Certification and Accreditation effort i.e., IATO, ATO, Annual Review, and Application Risk Assessment .
• Developed timelines to identify the major milestones for the site's SA A effort in order to meet the time constraints imposed by the Authorizing Official signature date with the customer's schedule.
• Attended weekly status meetings to discuss issues involving the Certification and Accreditation effort.
• Addressed privacy issues within the Department's information-management offices and assisted with resolving any privacy related issues
• Provided guidance on policy implementation and reviewed proposed privacy policies in its area of responsibility to ensure issues are adequately addressed.
• Performed two Systems Security Assessment Authorization's and Security Test Evaluation ST E using NIST Special Publication 800-37Rev.1, 800-53 Rev.4 800-53A Rev.1
• Developed general privacy awareness training in coordination with the Amtrak IT Office for Amtrak Police Department staff and contractors and specialized privacy training for System Owners, and Program Office Managers.
• Have Knowledge of workplace, data protection and common privacy principles and approaches, global data protection models, information security controls and online privacy protections
• Ensured the system is operated, used, maintained, and disposed of in accordance with internal Amtrak security policies and procedures. Necessary security controls should be in place and operating as intended.
• Assisting the Authorizing Official in the system certification and accreditation C A and creating and maintaining C A documentation. In coordination with the System Owner, develop and update the system security plan as well as managing and controlling changes to the system and assessing the security impact of those changes.
• Advising System Owners of risks to their systems and obtaining assistance from the ISSM, if necessary, in assessing risk.
• Reviewing Security Advisory Alerts on vulnerabilities.
• Working with the ISSM and System Owners to develop, implement, and manage POA Ms for assigned systems in accordance with CIO IT Security-09-44, Plan of Action and Milestones POA M .
• Reviewing system role assignments to validate compliance with principles of least privilege
• Evaluating known vulnerabilities to ascertain if additional safeguards are needed ensuring systems are patched, and security hardened.
• Complying with APD training requirements for individuals with significant security responsibilities.
• Reviewing system security audit trails and system security documentation to ensure security measures are implemented effectively.

Confidential

Senior Information Security Analyst/ Deputy Project Manager

• Developed the system Security Plan using documentation policy, NIST Special Publication 800-53 rev.4, NIST 800-53A rev.1, and NIST 800-18 rev1
• Put together Security Assessment Authorization Package
• Developed System Information Self-Assessment for HUD systems using NIST 800-26, NIST 800-53 rev 4, and NIST 800-53A rev.1
• Provided support in the creation, maintenance, and completion of relevant documents needed for SA A
• Ensuring Privacy Impact Assessments PIAs are completed for IT systems that are new, underdevelopment, or undergoing major modifications which impact Privacy Act data.
• Participated in major Information Security projects including ST E, evaluation, development, and testing of information system contingency plan, and system Re-categorization using FIPS 199 and NIST Special Publication 800-60 Rev1 volume I II
• Met short delivery schedule for the development of Business Impact Analysis, Risk Assessments, IT Contingency Plans, IT System Security Plans, Plan of Action and Milestones, and IT Security Test and Evaluations of seventy 70 Information Systems
• Created System Plan of Action Milestones POA Ms of several HUD systems
• Used Compliance Review Checksheet to evaluate system's compliance
• Reviewed POA M weaknesses to be validated for closure.
• Led in/out briefings, interviews, and written formal recommendations for the client
• Well versed in the FISMA Implementation Project, FIPS and NIST Special Publications.
• Attended weekly briefing meeting with HUD system's Owners.
• Developed several system security documentation templates including System Security Plan, Risk Assessment, Self-Assessment, Contingency Plan, Memorandum of Understanding/Agreement MOU/A , Configuration Management Plan, Plan of Action and Milestones, Security Test Evaluation, and Certification Accreditation Statement .
• Devised ST E activity results and develop recommendations
• Support development of Security Control Assessments SCA based on NIST SP 800-53 Rev4.
• Developed Contingency Plans per NIST SP 800-34 rev.1.
• Developed Business Continuity and Disaster Recovery Planning
• Followed system development methodology, utilize appropriate templates, produce all required documents and ensures all required signatures have been secured.
• Performed Risk Assessments based on NIST Risk Management guidance
• Support development of Risk Assessments documents.
• Conducted Contingency plan Table Top, Structured walk-through, Simulation testing.
• Followed quality assurance techniques and processes to develop formal reviews and out-brief s .
• Developed Plan of Action and Milestones POA M .
• Communicated and documented risks in Risk Assessment Reports
• Developed accreditation and certification letters.
• Performed more than 100 C A's using NIST Special Publication 800-37Rev.1, 800-53 Rev.4 800-53A Rev.1.
• Reviewing system security audit trails and system security documentation to ensure security measures are implemented effectively.
• Ensuring Privacy Impact Assessments PIAs are completed for IT systems that are new, underdevelopment, or undergoing major modifications which impact Privacy Act data.
• Working with the ISSM and System Owners to develop, implement, and manage POA Ms for assigned systems in accordance with CIO IT Security-09-44, Plan of Action and Milestones POA M .

Confidential

Senior Information Security Analyst Consultant

Performed Business Impact Assessment

• Met short delivery schedule for the development of Business Impact Analysis, Risk Assessments, IT Contingency Plans, IT System Security Plans, Plan of Action and Milestones, IT Security Test and Evaluations of twenty 20 Information Systems, and Information System Security policies 12
• Analyzed output from network vulnerability assessments and recommended mitigation strategies.
• Supported development of Security Control Assessments SCA based on NIST SP 800-53 rev.4, and NIST 800-53A Rev.1
• Assisted in establishing and maintaining security products to include firewalls, intrusion detection systems, antivirus, patch management, etc.
• Document security requirements, policies, and procedures.
• Led in/out briefings, interviews, and written formal recommendations for the client
• Well versed in the FISMA Implementation Project, FIPS and NIST Special Publications
• Experience in developing security Policies, and performing certification and accreditation of information using NIST Special Publication guidelines 800-37 rev1.
• Performed vulnerability testing on new systems before placed in production.
• Reviewed and provided input into network designs to ensure compliance with security and enterprise architecture.
• Provided support in the creation, maintenance, and completion of relevant documents needed for Certification and accreditation.
• Re-created and updated the System Security Plan using documentation policy and NIST special publication 800-18 Rev.1.
• Conducted Contingency plan Table Top, Structured walk-through, Simulation testing
• Gathered information to compile and completed Risk Assessments based on documentation policy and NIST Special Publication guidelines 800-30 Rev.1
• Developed System Security Plan Controls stated in 800-53 rev4.
• Developed, Communicated, and documented risks in Risk Assessment Reports
• Developed Security Test Evaluation Reports.
• Developed Security Control Assessment for General Support Systems GSS's and Major Applications MA's .
• Administered and maintain user access control systems by providing controls, processes, and procedures to prevent the unauthorized access, modification, disclosure, misuse, manipulation, or destruction of information.
• Conducted InfoSec technical Risk Assessments and prepare reports of the results for presentation to management.
• Supported development of Contingency Plans, Disaster Recovery Plans, and Contingency Plans Test TableTop, Structured Walkthrough, and Simulation template.
• Developed Plan of Action and Milestones POA M .
• Devised accreditation and certification letters.
• Managed the activities of Technical Writers and Security/Quality Assurance Analyst.
• Performed requirements analysis for a wide range of users, with a focus on quality control
• Developed supporting documentation in support of Security Assessment and Authorization SA A , the Office of the Housing HSG , FISMA reporting, FISCAM audits, Office of Management and Budget OMB A-123, OMB A-127, OMB A-130 assessment
• Developed Contingency Plan based on documentation policy and NIST guidelines 800-34 rev.1.
• Developed several IT Security Policies Contingency Planning, Audit and Accountability, System and Information Integrity, Risk Assessment, Physical and Environmental, Configuration Management, Security Awareness and Training, Rules of Behavior Acceptable Use, Security Roles and Responsibility and Separation of Duties and Functions, Review/Improve vendor Security, Incident Response, Password Creation Management, Personnel Security, Patch Management, Data Classification, and Media Protection and Handling Mechanisms for Sensitive Assets for Upper Occoquan Service Authority.

Confidential

Network Security Analyst

• Participated in major Information Security projects including the design, development, procurement, integration, installation, evaluation and testing of information security hardware, software, and systems used in Local Area Network LAN and Wide Area Network WAN systems.
• Support development of Security Control Assessments SCA based on NIST SP 800-53 rev.4 and NIST 800-53A rev.1
• Met short delivery schedule for the development of Business Impact Analysis, Risk Assessments, IT Contingency Plans, IT System Security Plans, Plan of Action and Milestones, and IT Security Test and Evaluations of fifteen 15 Information Systems.
• Provided support in the creation, maintenance, and completion of relevant documents needed for SA A.
• Re-created and updated the System Security Plan using documentation policy and NIST 800-18.
• Conduct Contingency plan Table Top, Structured walk-through, Simulation testing
• Gathered information to compile and complete a Risk Assessment based on documentation policy and the guidance of NIST special publication 800-30 rev.1.
• Completed a Contingency Plan based on documentation policy and NIST SP 800-34
• Performed or helped performed audit procedures so as to accomplish steps outlined in approved audit programs
• Led in/out briefings, interviews, and written formal recommendations for the client
• Well versed in the FISMA Implementation Project, FIPS and NIST Special Publications
• Performed SA A using NIST Special Publication Guidelines
• Evaluated or helped evaluate controls systems in areas audited.
• Identified and tested company's internal control policies and procedures with a focus on technology and documented the application and control findings.
• Researched, organized, and analyzed data.
• Participated in the evaluation of security vulnerabilities associated with data processing, LAN, and WAN systems.
• Performed Security Test Evaluation ST E
• Mitigated known technical vulnerabilities
• Maintained compliance with Federal IT Standards Guidelines NIST, FISCAP, FISMA, DITSCAP/NIACAP, and OMB A-130.
• Managed and monitored firewalls
• Managed and monitored intrusion detection systems IDS
• Strong technical background with variety of computer hardware, software, and communication systems including system integration, network architectures and physical communication systems/devices.
• Conducted vulnerability assessments on various types of networks and topologies.
• Participated in the integration and installation of hardware, software, and security systems used to secure data processing, LAN, and WAN systems.
• Developed accreditation and certification letters.
• Performed periodic security audits.
• Reviewed the adequacy and completeness of information system security testing and evaluation efforts.
• Analyzed output from network vulnerability assessments and recommended mitigation strategies.
• Ensuring media handling procedures are followed.
• Experience in performing security risk assessments, developing security plans, and performing certification and accreditation of information systems.
• Business continuity and disaster recovery planning
• Have a solid security background.
• Superior written communication and client interface skills
• Performed other duties as assigned.
• Devised System Security Categorizations using FIPS 199 and NIST 800-60 Volume I II for VA
• Follow system development methodology, utilize appropriate templates, produce all required documents and ensures all required signatures have been secured.

Confidential

System Security Analyst Specialist

• Identified threats and vulnerabilities, assessed risks and developed methods and security configurations to protect and prevent impact systems.
• Reviewed and provided feedback on security plans and procedures regarding all aspects of LAN, WAN as applicable.
• Conduct Contingency plan Table Top, Structured walk-through, Simulation testing
• Support development of Security Control Assessments SCA based on NIST SP 800-53
• Performed hands-on intrusion detection analysis.
• Evaluated potential technologies and provided recommendations on network hardware and security improvements and implementations.
• Keeping current with the latest industry trends and best practices. Prepared recommendations and budgets for all security related services.
• Documented security policies and procedures.
• Led in/out briefings, interviews, and written formal recommendations for the client
• Well versed in the FISMA Implementation Project, FIPS and NIST Special Publications
• Performed Certification and Accreditation using DITSCAP/NIACAP, NIST guidelines.
• Reviewed and provided input into network designs to ensure compliance with security and enterprise architecture.
• Experience with system design and architecture
• Documented and educated co-workers on all implemented solutions as well as improvements in security practices and implementations.
• Participated in the selection and acquisition of Commercial-Off-the Shelf COSTS software, hardware, and security systems required for securing data processing, LAN and WAN systems.
• Experience in systems programming and computer network security
• Performed vulnerability testing on new systems before placed in production.
• Mitigated known technical vulnerabilities.
• Performed Security Test Evaluation ST E
• Assisted in designing, establishing and maintaining security products to include firewalls, intrusion detection systems, and antivirus.
• Responsible for monitoring and enforcing compliance to documented and distributed system security standards, designing, developing and documenting comprehensive Systems security plan, Risk Assessment, Contingency Plan, and Self-Assessment.
• Assisted in the protection of company critical assets by anticipating and leading the response to potential computer related threats and vulnerabilities.
• Supported the independent verification and validation of IT security Program policies, practices, procedures, techniques, tools, and capabilities.
• Prepared working papers, utilizing an electronic work paper program, documenting procedures performed.
• Administered and maintain user access control systems by providing controls, processes, and procedures to prevent the unauthorized access, modification, disclosure, misuse, manipulation, or destruction of information.
• Follow system development methodology, utilize appropriate templates, produce all required documents and ensures all required signatures have been secured.
• Made sure that work is done in accordance with accepted professional standards
• Prepared or helped prepare reports on work performed and opinions developed.
• Made informal presentations to management personnel concerned during and at the completion of examinations, reporting audit results and recommendations when required.
• Designed and implemented security policies for Internal and Internet use.

Confidential

Network Security Specialist

• Subject areas of responsibility include network/host based Intrusion Detection, network vulnerability assessment, malicious code defense, enterprise level penetration testing.
• Performed server and workstation virus detection, correction, and prevention.
• Developed detailed technical recommendations to solve security issues.
• Experience defining and conducting software tests and evaluations for technical verification and validation of automation security.
• Designed a perimeter protection strategy
• Coordinated and ensured compliance with system disaster recovery and contingency plans to assure the rapid recovery of system in the event of an emergency or disaster.
• Develop Plan of Action and Milestones POA M .
• Perform Security Test Evaluation ST E
• Performed SA A using NIST Special Publication guidelines.
• Analyze, develop quality assurance approaches and techniques to the design, test and evaluation, and recommend solution specific to project.
• Experience with relevant federal e.g., FISMA, Privacy Act, HIPAA , NIST, OMB, and FIPS information technology security regulations, policies and procedures.
• Have a detailed knowledge of Information Systems, their threats, areas of vulnerability, and associated risk.
• Risk Management: performed limited risk assessments of InfoSec Systems and process determined their threats, vulnerabilities, and risks and recommended cost-effective risk mitigation solutions.
• Applied principles, methods, and knowledge of the functional area of expertise to specific task order requirements.
• Developed and implemented vulnerability management programs to reduce incidental or external risks.
• Support development of System Security Plans per NIST SP 800-18 rev.1.
• Support development of Security Categorizations utilizing FIPS 199 and NIST guidance.
• Used appropriate patches and bug fixes to systems to create a secure computing environment.
• Maintained basic user access control systems by providing processes and procedures to prevent unauthorized access or the destruction of information
• Performed detection and reporting of unauthorized users.
• Revitalized the integrity of all security privileges, and established comprehensive security and disaster recovery protocols that exceeded all audit security recommendations.
• Support development of Security Control Assessments SCA based on NIST SP 800-53 rev.4.
• Provided support in the following areas: reviewed daily log data gathered from various resources such as sensors alert logs, firewall logs, content filtering logs identified possible intrusion attempts or other anomalies and filtered non-threatening network traffic for enhanced reporting accuracy.

Confidential

Technical Consultant

• Provided end user support and assisted in providing system security for 150 users.
• Installed operating systems, created user accounts and assigned passwords
• Upgraded Exchange Server 4.0 to Exchange Server 5.5.
• Installed various operating systems such as WIN 95/98 and WIN 3.11 for Workgroup.
• Troubleshot and resolved issues to NT network, software, and client/server architecture.
• Installed and managed network using MS System Management Server SMS
• Installed and configured Win NT 4.0 workstations
• Resolved remote user workstation problems using MS System Management Server SMS .
• Supported various desktops with TCP/IP, Netscape, Patent Examiners tool kit, MS Schedule, MS Exchange, Outlook 97, MS office, etc
• Assisted staff in upgrading and installing software applications for the Sabre computer.
• Provided general hands-on help in resolving conflicts on software Applications
• Assisted NT Management in troubleshooting department to resolve LAN File Server Software and hardware issues.
• Performed Security Test Evaluation ST E