- 8+ years of extensive hands-on experience in Information Security in various industries such as Health Insurance, Manufacturing, and Retail with a focus on IT risk mitigation, security management, audit and regulatory compliance, project management, data management and risk remediation.
- Skilled & technically proficient with multiple firewall solutions, network security, and information security practices.
- Performed vendor audits for mid-size to large organizations to identify security gaps in their system landscape.
- Gap analysis and Business Impact Analysis (BIA); developed road maps to perform remediation; performed Vendor Information Security Risk Assessment (VISRA).
- Working experience on frameworks: HITRUST, HIPAA, NIST SP 800-53, NIST 800-37, ISO 27001, COBIT, SSAE 16, SOC 1 and 2, HITECH, ITIL, SOX, CIS, PCI, COSO, FISMA, CSA CSM, OWASP Top 10 Vulnerabilities, Agile Methodology.
- Expert in conducting IT Risk Assessments and providing business risk along with Mitigation/Remediation plans.
- Experience in ITGC, which involved reviewing existing security posture, reviewing controls, establishing baseline security and helping drive implementation of identified remediation plan.
- Developed Information Security Training Program which included policies, standards and guidelines and helped implement the policies across the organization.
- Firewall technologies including general configuration, risk analysis, security policy, rules creation and modification of Check Point Next-Generation Firewalls R65, R70 & GAIA R77.30, NetScreen Firewall, Palo Alto Next-Generation firewalls, Bluecoat proxies and Cisco ASA.
- Hands-on experience on tools: Symantec Endpoint Protection, Office 365 security and compliance, DLP (data loss prevention) (Content filtering tools), FireEye ATP, Nmap, Nessus (Tenable), Wireshark, Nexpose, Qualys, AAA servers, Active Directory, LDAP, Splunk, AlienVault, RSA Archer, SCAP validation tools, MS Office Suite, Firewall Management tools, anti-virus tools, SIEM tools (Log management tools).
- Working experience of multiple operating systems: Windows, Linux, UNIX, OpenVMS, Ubuntu, Oracle and SQL databases.
- Working experience with current Big data and NoSQL technologies for data management and handling like Hadoop, HDFS, Pig, HIVE, HBase.
Confidential, Eden Prairie, MN
Sr. Information Security Consultant
- Developed a comprehensive risk management program based on current industry security frameworks to document observations, enterprise risk, remediation, monitoring using frameworks like NIST 800-53, HITRUST V8, ISO 27001, SSAE 16 (SOC 1 and 2), HIPAA, HITECH, COBIT and SOX.
- Developed processes of vendor audits using the data aggregation based approach to clearly identify the scope of audit based on the level of data (PHI, PII, PCI) which resulted in reduction in operations cost by 33%.
- Handled and coordinated numerous IT and security risk assessment based projects ranging from small to multi-billion dollar companies to determine compliance with UHG standards. Roles and responsibilities included conducting statistical analysis, identifying vulnerabilities/ gaps, developing reports and managing the remediation project.
- Handled quality management and change management program across the team by maintaining RACI and partnering accountability.
- Identified and eliminated numerous process deficiencies by removing redundant, ineffective and ancillary non-impact areas, procedures. Streamlined procedures by improving the overall process efficiency by close to 25%.
- Provided guidance and feedback to vendors for improving their security controls by managing and implementing tools like SIEM, IDPS/IPS and integrating security into their SDLC process.
- Performed IT Risk Assessments (Onsite Risk Assessment) at over 100 Tier 1 vendor locations. Identified over 1500 high risks and successfully consulted in remediation of over 1300 gaps (rest in progress).
- Identified and evaluated technology risks of Vendors, third parties, compliance controls which mitigate risks, and related opportunities for compliance control improvements.
- Provided business risk, recommendations and proposed date for remediation to the vendors and leadership (VRO, VMO and other stakeholders) for the gaps found on the onsite assessment at vendor locations.
- Configured GRC tools and Office 365 to manage mailboxes, eDiscovery cases, auditing reports, and retention and deletion policies as per the company requirements.
- Executed HIPAA audits of EMR systems including ConnectCare, GEPACS, Athena, Softmed, and Sunquest to identify at-risk workflow processes and prepare audit summaries with recommendations for follow-up investigations to Corporate Responsibility Officer (CRO).
- Worked on different operating systems like Windows, Linux and Solaris and AWS Cloud (SaaS, PaaS, IaaS).
- Worked extensively on various SIEM (Tanium, Splunk, Skybox), AV, IPS/IDS, DLP tools, CISO ISO, Juniper JUNOS and vulnerability scanning tools Retina, Nexpose, Qualys, GFI LanGuard.
- Expert in using eGRC (RSA Archer) tool, Tableau, bWise, Archer and Connect.
Confidential, St. Paul, MN
Information Security Consultant
- Planned and drove timely execution of PCI-DSS external vulnerability scanning and remediation activities. Managed and drove timelines and closure of vulnerabilities identified during scans.
- Performed internal risk assessment on IT security and controls team that managed security operations (Network Security, SIEM, Firewalls, IDS, encryptions, TCP/IP, DNS, Incident Response) to determine compliance with Confidential security requirements.
- Performed periodic audits for 3rd party vendors (covered entities and business associates).
- Conducted client interviews to understand key business processes, assess and identify risks, evaluate internal controls and determine mitigation strategies.
- Analyzed large data sets to detect anomalies/ deviations using pattern recognition cluster analysis methodology for developing business solution.
- Assessed the design and operating effectiveness of IT controls with a specialization in access and segregation of duties controls deemed to be relevant in the context of a financial statement audit.
- Worked with vendors (covered entities and business associates) to review their network designs and provided feedback on the areas for improvement.
- Worked with security team to implement best cryptographic systems and key management processes by segregating data according to the level of confidentiality and then using encryption methodology to encrypt the data.
- Worked with security team to identify best practices when it comes to database security, for instance using correct ports, encrypting the data at rest and while in transit.
- Created and managed comprehensive risk and controls for cyber security team as part of 2nd line of defense role in GRC tool.
- Provided feedback and contributed to a new cyber security framework based on NIST, ISO 27001, 27002/27005, SSAE 16 (SOC 1, 2), CSA CCM, Payment Card Industry Data Security Standard (PCI DSS), Sarbanes Oxley, GLBA and COBIT 5 standards.
- Conducted root cause analysis for identified information security issues and risk observations.
Confidential, Minneapolis, MN
IT Security Analyst
- Accommodated as a technical resource to avail peer teams in understanding identified application security risks and advise on best practices for remediation
- Performed reviews of the internal business risk assessments reports to identify internal and external risks. Provided recommendations to strengthen safeguards and security of confidential customer information in compliance with HIPAA, SOX, ISO 27001, SANS, NIST and current cloud security matrix (CCM).
- Developed and presented precise and timely deliverables outlining susceptibility details, felicitous technical solutions, remedial steps and precise conclusions.
- Interacted with project stakeholders and business groups to identify analytical requirements and data issues for risk side, and worked with the technology team to develop and implement pragmatic business solutions in a timely manner.
- Reviewed Test Plans and Test Cases, analyzed bugs, interacted with development team members to fix errors and conducted progression, regression and smoke tests.
- Assisted the IT Department to diagnose and repair retail and business hardware.
- Implemented and managed security related technologies, including Intrusion Prevention, Privileged Identity Management, SIEM, DLP, IPS/ IDS, Vulnerability Management and Multi Factor Authentication.
- Reviewed architecture designs, security related changes and firewall requests to ensure that all implementations adhere to strict policies and best practices.
- Implemented a Multifactor Authentication solution utilizing DUO Security in coordination with VPN, providing secure access for privileged users with access to confidential data.
IT Risk Analyst
- Assisted as a technical security analyst as part of a team responsible for assessing and ensuring NIST 800-53 Rev 4 management, operational, technical, and privacy security control implementation compliance for large apparel organizations.
- Conducted risk assessment and interviewed appropriate system and site personnel, tested system technical security configuration settings, reviewed Nessus scan results and developed findings reports.
- Provided guidance and security control assessment (SCA) processes using the NIST, PCI-DSS, ISO 27001 Risk Management Framework (RMF).
- Assisted in developing and reviewing compliance reports that clearly identify security findings and proposed remediation strategies. Comprehended and analyzed market trends in conjunction with Cyber security, FISMA, RMF, vulnerability remediation, security control assessments, and security testing to develop business capture strategies tailored to capitalize on those areas.
- Implemented access control mechanism by correctly managing access according to the role and responsibility thus reducing unauthorized access to network devices and other security controls.
- Worked with Network Security policy to configure Juniper Firewalls, SSL VPN, Checkpoint, Palo Alto, RSA, Cisco Nexus, Cisco ACE, Cisco Wireless.
- Worked extensively in VPN rules over to the Cisco ASA solution. Migration with both Checkpoint and Cisco
- Conducted risk assessments and collaborated with clients to provide recommendations regarding critical infrastructure, network security operations and continuous monitoring processes.
- Set up meetings and conference calls with all appropriate Points-Of-Contact including ISO, PM, and ISSO.
- Evaluated threats and vulnerabilities of each system and ensured proper safeguards are in place to protect information system.
- Analyzed assessment findings, suggested remedial measures, planned and implemented the same.
- Implemented change management procedures in relation to business and SDLC based on the current industry standards.
- Performed root cause analysis to identify vulnerabilities based on the assessment reports and discover the potential risk to the business and organization.
- Worked on compliance project to initiate the development of the company's own security framework based on the industry security frameworks FFIEC, Sarbanes Oxley (SOX), COBIT, PCI-DSS (Payment Card Industry Data Security Standard).