
Executive Director Resume Profile


SUMMARY

  • Over 25 years of professional experience in providing strategic and tactical Security and Risk Management and forensics assurance services to commercial entities, with 3 years of significant expertise in public / private law enforcement liaison activities, 4 years in a Big 4 public auditing firm (Deloitte), and 8 years of SOX, PCI and security compliance management.
  • Education and certifications include MBA, PMP, CPA, CISA, CISSP-ISSAP, ISSMP, CRISC, CISM, CIPP, CPISM / A, Six Sigma Green Belt, ITIL Foundations Certified, and COBIT Foundations Certified.

PROFESSIONAL EXPERIENCE

Confidential

Senior Manager - Security Risk Management Practice

  • Provide strategic security and risk management consulting, manage staff and provide subject matter expertise to state-of-the-art security architecture and technology projects for select Fortune 100 clients. Key accomplishments include:
  • Acting CISO and security mentor to the newly established security function within this multi-billion dollar Research Hospital/healthcare organization (350 beds), reporting to the CIO and the Audit Committee of the Board of Directors; formulated a security solution to achieve HIPAA and PCI compliance, and established disaster recovery and business continuity (DRP/BCP) policies and architecture through redundant data centers.
  • Assisted the CIO of a leading utilities organization in establishing security policies and procedures to comply with the security and privacy requirements of the NERC/CIP (Critical Infrastructure Protection) regulations, and strategized security architecture and operations for new Smart Grid and Cloud Computing ventures.
  • Acted as Security Lead/liaison to a major hotelier to establish and maintain PCI compliance for credit card operations, and architected effective security operations processes and reporting dashboards/metrics.

Confidential

Consultant Risk Security Expert, Office of the CIO, State of New York

Led the implementation of an automated state-wide security and risk management process for the Office of the CIO - Office of Technology.

Confidential

Executive Director, Global Enterprise Security CISO

  • Security thought leader and innovator - directed full IS Security operations and IT Security Architecture for this 8 billion global retail and manufacturing entity. Responsible for full security policy, standards, BCP/DRP, security operations and metrics, vulnerability and threat management, security incident response, security awareness training and privacy compliance. Operations included PCI, SOX and other compliance laws and regulations globally, and global Identity Access Management. Managed a staff of 29 direct and 50 indirect persons with an annual budget of 8mm. Security projects completed include the following:
  • Identity and Access implementation and management for 16,000 users globally, including PKI certificates and LDAP engineering and integration with non-Microsoft applications globally.
  • Established digital data management, data classification and content delivery strategy processes and practices in conjunction with various business executives for global Ecommerce sites.
  • Workstation/Laptop encryption rollout for 6,000 PCs globally to address PCI compliance risks.
  • SAP security globally for ECC, IP, CRM, NetWeaver, and many other modules.
  • Firewall globalization, intrusion detection / prevention, centralized log management and event correlation, and incident response for over 150 sites.
  • System hardening process and management for 8,000 servers and 22,000 workstations.

Confidential

  • Developed and implemented a global security architecture to support Ecommerce and SOA services in a .NET environment.
  • Implemented a global SharePoint/BizTalk architecture strategy and security policy.
  • Automated application security process and code review for over 4,000 applications.
  • Developed a quality Fraud detection, mitigation and computer forensics process.
  • Compliance monitoring, data privacy protection and information classification / Ediscovery processes and management.
  • Wireless network security implementation and management.
  • CISSP Training program for internal IT staff using self-developed certification training program.
  • Migrated security operations to an outsourced entity to manage Security as a Service (SaaS).

Confidential

Director, Information Security, Retail Banking North America

  • Directed retail banking IT Security for all of North America for the largest bank in the world, covering 900 locations in the US and Mexico. Responsible for a staff of 25 persons, covering security policy, security awareness, FFIEC exams, SOX and PCI / PII audits, SDLC development, and other security special projects. Left for the Estee Lauder position when Citigroup began downsizing corporate functions. Specific security project accomplishments included:
  • Implementation of a secure, full-function financial center / retail banking process in one.
  • Responsible for all computer fraud and forensics examinations and remediation for Retail Banking.
  • Implementation of process to prevent developer access to production data in a .NET/ASP environment for testing complex applications.
  • PCI compliance implementation for JAVA/.NET/ASP Ecommerce applications.
  • Business continuity / disaster recovery implementation for retail banking / trading systems for all of North America.
  • Coordinated XML application development efforts by integrating security mandates using RUP, change management and MS Project to set tollgates for compliance.
  • Heavy change management and project management (MS Project, RUP), using a structured SDLC to track status, issues, risks and the Work Breakdown Structure (WBS).

Confidential

Director, Enterprise and IT Assurance Services

  • Directed SOX, security, risk and compliance projects for the largest healthcare provider in Long Island, covering 10 campuses, 7,000 employees and 200 systems.
  • Established digital strategies, digital delivery and digital asset management practices for a major Media conglomerate related to motion pictures, global Ecommerce, and digital books.
  • Managed the global IT FIC 2005 documentation and controls testing process for Sarbanes-Oxley compliance for the global operations of XL Capital. Coordinated with outsourced testers, insurance regulators and external public auditors to accomplish this work.
  • Developed and taught Forensics, Fraud Audit and Audit Risk training programs for selected clients' internal audit departments.
  • Delivered IT Assurance, IT Security, Enterprise Risk and Compliance Management, data and project management services to the financial services industry.
  • Developed data and risk modeling methodologies and practices for the financial sector.
  • IT integration, compliance, privacy, SOX remediation and business process improvement projects.
  • Directed the design project for Identity and Access Management integration for a major financial services client in Confidential, with identity management, provisioning and entitlement across multiple platforms, as well as extensive Oracle database auditing and compliance assessment.
  • Engaged by a Top 10 US Bank to identify GLBA compliance failures within its Oracle Financial databases at six locations, fix the problems, and bring the bank into compliance.

Confidential

Managing Director, IT Assurance and Security Services

  • Selected to build the North America security practice for GE's IT Solutions' professional services group, based in Erlanger, KY, with emphasis on the Northeastern US. Crafted the development of security intellectual capital, marketing promotions, staff development, and project/practice management. Reported to the CEO of GE IT Solutions, one of the 11 divisions within GE.
  • Speaker at several GE sponsored security conferences, on topics ranging from Homeland Security Opportunities, data quality management and Industry Security Trends to How GE Does Security.
  • Crafted the enterprise security assessment, the Quick Look security diagnostic, and penetration testing strategies.
  • Architected and directed the ITIL framework implementation for a major Fortune 100 Manufacturing Company, beginning with change management and capacity management.
  • Initiated and directed a forensics and data privacy compliance program for one of Canada's largest telecommunications companies, and initiated an Identity Access Management / Provisioning Feasibility Project utilizing IBM's product suite.
  • Consulted with several financial services firms on Identity and Access Management Provisioning (Tivoli) to meet regulatory compliance for GLBA and HIPAA as well as the December 2006 mandate.
  • Re-engineered the entire network operations and WAN structure for a major NJ Hospital system, covering 5 campuses, implementing state-of-the-art IPS / IDS and self-healing network features.
  • Provided Security and IT Assurance Services to many Regional and University Hospitals.
  • Directed business process improvement (using Six Sigma), data center and server consolidation projects for a Fortune 100 company for mergers and acquisition integrations, resulting in multi-million dollar savings and a reduction in integration time from six months to two months. This included sixteen sites worldwide.
  • Developed Patriot Act, Sarbanes-Oxley (SOX), Basel II, GLBA, HIPAA and NASD compliance strategy programs for the financial services industry. Architected an anti-money laundering program for trading operations for a medium-sized financial services firm. Penetrated the healthcare security market for HIPAA compliance, as well as Sarbanes-Oxley compliance and Critical Infrastructure security energy assessment methodologies. Developed the security practice to in excess of 4 million since April 2004. Responsible for 80 persons and a budget of 8mm. Left this firm when it was spun off and merged with CompuCom.

Confidential

Independent Consultant

  • Architected the compliance-reporting framework for a major financial services firm. Selected as lead project manager at one of the top NYC financial services firms for Sarbanes-Oxley Section 302 / 404 compliance, utilizing the COSO / COBIT framework as well as ISO17799 and the Common Criteria; developed data warehousing / data modeling methods and performed internal controls reviews and documentation evaluations.
  • Architected security and financial reporting processes for a regional Northeast bank to implement secure customer transactions and regulatory compliance provisions, including Identity Access Management and Provisioning.
  • Briefed several financial services firms on current banking regulations and compliance issues, including the Patriot Act, GLB, Sarbanes-Oxley, HIPAA, Basel II and FFIEC audit considerations. Made recommendations for compliance monitoring and financial reporting processes. Developed distributed and centralized reporting databases.

Confidential

Senior Associate

  • Architected the information technology framework (public key infrastructure, PKI) for secure collaboration and communication of intellectual capital for the Joint Military Strike Fighter (JMSF) project, with transatlantic collaboration access required from five foreign governments and twelve aerospace vendor companies. This included Identity Access Management interfaces to the PKI framework using several IAM vendor products, with heavy emphasis on Netegrity SiteMinder and IdentityMinder.
  • Provided CPOE design and implementation strategy consulting to several hospitals in the US.
  • Provided thought leadership to the DHHS on CPOE systems strategy and integration with multiple vendors and technologies to reduce medical errors and provide performance metrics.
  • Authored and implemented corporate governance, forensics and global privacy programs, including HIPAA, GLB, Sarbanes-Oxley, SEC and ISO17799, for a major financial services firm and several healthcare clients.
  • Created a financial services wargame for the US Treasury and Chicago Board of Trade, which was heavily attended by CXO officers from most of the major financial services firms in NYC and forty of the top Fortune 100 firms.
  • Authored and implemented an IT performance metrics database process for a major soft drink distributor. This metrics process is now a standard product offering. Implemented data modeling/metrics and data warehousing optimization practices at several organizations.
  • Co-architected the incident response, backup/disaster recovery and business resumption plans for a major financial institution in NYC, including the relocation of major IT operations from NYC to a secure, suburban location.
  • Managed several IT organization assessments, security diagnostics and policy framework rollout projects for various financial services and commercial clients.
  • Developed a security center of excellence and technology forum group for security diagnostics, penetration testing, database security, network security, and security metrics.
  • Mentor for several staff members, and driving force for IT information collaboration between public / private sectors, commercial and governmental groups.
  • Architected manual and automated anti-money laundering management solutions, as well as trading system security and FIX protocol messaging solutions for all phases of the order management functions for a financial services client.

Confidential

Senior Director, Chief Information Security Officer

  • Authored and implemented global enterprise security policies and practices for all intra/internet and E-business applications, including major corporate initiatives (i.e. SAP, PeopleSoft, Oracle databases, Windows 2000, UNIX, Cisco routers, firewalls, wireless and Virtual Private Networking (VPN)).
  • Directed the global SAP Security project for warehouse, FI / CO, BW, and CRM utilizing SAP's transaction security processes and Virsa Access Manager.
  • Functioned as chief liaison with the FDA, DEA and other regulatory authorities to ensure compliance with healthcare and other pertinent regulations, including 21 CFR 11, HIPAA and other major Privacy and Electronic Signature initiatives.
  • Established metrics and risk / vulnerability assessment methodologies for all information assets.
  • Authored and implemented the framework for Public Key Infrastructure (PKI) with biometrics and Identity Access Management and provisioning, global Intrusion Detection Systems, rapid incident response countermeasures and backup/recovery of all IT applications, systems and databases worldwide. The IAM process included rollout to 3,000 users.
  • Developed and presented security and privacy education, awareness, and training materials for new employees and consultants.
  • Established digital content delivery and management, data classification and secure web sites and content management processes using state of the art delivery mechanisms.

Confidential

  • Designed and sponsored a Senior Management Security Council within the company. Reported to Senior Management and international committee for international policy and security formulation.
  • Managed a security group and multimillion dollar budget covering international security issues / concerns.
  • Authored and implemented numerous IT operations and security standard operating procedures (SOPs) which were sanctioned by the FDA.
  • Implemented ERP PeopleSoft modules for HR and Corporate BackOffice systems.

Confidential

  • Directed IT global operations based at the Stamford, CT corporate location, including business process improvement, total cost of ownership (TCO), implementation of a global help desk and follow-the-sun customer care operations.
  • Developed a Center of Excellence (COE) for IT global operations and security functions.
  • Integrated data management security practices and protocols in multi-platform global applications and a network / client-server environment (i.e. global Novell and Microsoft local area networks with E-commerce UNIX and Oracle databases spanning global wide area networks).
  • Architected and directed global security policies and enterprise backup / recovery and business resumption strategies, utilizing outside third-party vendors to augment the IT Group.
  • Led an Identity Access Management Feasibility Study Project for integration with fee-based web services. The project resulted in a PKI project rollout.
  • Co-designed and managed the first profitable web sites for Gartner Group, along with digital delivery and content management. Extensive J2EE and Lotus Notes development. Won the Website of the Year award in 1998.
