
Technical Writer Resume


SUMMARY

  • Solutions-oriented Information Assurance Analyst with 15+ years of success in information system security design, planning, implementation, monitoring and conducting risk/privacy assessments for cloud-based, mobile and web-hosted containerized systems. Information Assurance skills extend to the ability to plan and oversee projects from conception to successful conclusion.
  • As an Information System Security Officer (ISSO) for the General Services Administration (GSA), Integrated Award Environment (IAE) SAM.gov program, I provided IT security technical, operational, architectural, and business support for Business Directors, API/Application Developers, Platform Engineers, Governance and GSA IT Security.
  • The GSA SAM.gov program is a cloud migration and legacy system modernization program designed to simplify the complex federal acquisition process. The IAE program is developed using the Agile software development framework employing a Continuous Integration/Continuous Delivery (CI/CD) methodology.
  • The SAM.gov program is built on a GSA Business Service/Tenant Platform that leverages the Amazon Web Services Infrastructure as a Service (IaaS) cloud. The architecture is designed using a GSA Containerization-as-a-Service (CaaS) that includes a microservice-driven marketplace, a GitHub repository, a Jenkins CI/CD pipeline, API Umbrella, and a Docker containerized platform.
  • Provided cybersecurity technical, functional and policy guidance for multiple groups including Application and Platform Development teams, Governance teams, Independent Verification and Validation teams, Continuous Integration/Continuous Deployment teams and Program Management.
  • Facilitated the development and implementation of numerous actionable processes that build security into the cloud migration and legacy modernization programs.
  • Effectively articulated Federal IT Security Policies and Regulations (OMB, FISMA, FedRAMP, NIST, DISA) into clearly defined and actionable solutions while maintaining an attainable Agile cadence.
  • Facilitated the refinement of a Risk Identification Process into a set of achievable IT security risks through decomposition, alternative solutions and better-defined baseline requirements.
  • Facilitated the identification and integration of several DevOps/DevSecOps automation and monitoring processes into the software deployment process.

PROFESSIONAL EXPERIENCE

Technical Writer

Confidential

Responsibilities:

  • Developed IT security-related API test scenarios (daily) for Agile Features and User Stories using Test Driven Development (TDD) methods. Monitored test results to verify that security-related coding errors were fully remediated or mitigated to an acceptable level.
  • Prepared IT Security Delta Assessments at the end of each Sprint. The Delta Assessments provided management with an IT security evaluation of the Features committed to Staging or Production during each two-week Sprint. Evaluations included a security impact analysis of each Feature, unmitigated bugs and flaws identified in development, web application scan results, defects identified in IV&V and containerization scan results.
  • Reviewed Operating System, Web Application and Container scans (weekly) with the appropriate teams to track remediation efforts and produce metrics for Agile and Management dashboards.
  • Facilitated the development, communication and implementation of IT security-related solutions in the architecture and governance framework of the program (i.e., identity and access controls, encryption, password reuse, data management).
  • Developed, communicated and implemented IT security-related solutions into the Independent Verification and Validation (IV&V) and Continuous Integration and Continuous Delivery/Deployment (CI/CD) process so that code promotions were better controlled and processes were standardized for the microservices and APIs moving through the pipeline.
  • Developed, communicated and implemented actionable key IT security metrics that provided adherence to program scope, cost and schedule goals.
  • Developed, communicated and implemented key IT security Scaled Agile Framework (SAFe) metrics for management personnel (PMs, CORs, Finance, Governance) via dashboards. Agile metrics included sprint tasks, burn rates, hourly task data and contract metrics.
  • Actively participated in all Release/Sprint planning activities, Scrum sessions, Sprint Demonstrations, Backlog Grooming Sessions, Product Deployments, Kanban Boards, etc. as the IT Security representative advising on the type and level of security requirements/tests to include in the acceptance criteria for the applicable Features/User Stories.
  • Provided IT Security (technical) feedback on contract-related deliverables including FISMA/NIST Security/Risk and Privacy Assessment and Authorizations that led to the successful issuance of Authority to Operate (ATO).
  • Prepared multiple Authority to Operate (ATO) and Lightweight Authority to Operate (LATO) packages, including all NIST and FedRAMP required documents, from the kickoff presentations to receipt of an approved ATO.
  • This included providing management guidance and technical solutions through twelve releases of the Beta.SAM.gov program including oversight, review and preparation of Information Security, Privacy and Risk Management Programs.

Confidential

IT Security Advisor Engineer

Management Duties:

  • Provide technical reviews of contract-related deliverables including FISMA/NIST Security/Risk and Privacy Assessment and Authorizations that lead to the successful issuance of Authority to Operate (ATO).
  • Provide technical reviews of FedRAMP Provisional ATO/Agency ATO packages for Cloud Service Providers and develop gap analysis of security requirements for Interconnection Security Agreements (ISA) and Memorandums of Understanding (MOU).
  • Manage Plan of Action and Milestone (POA&M) reporting requirements for multiple systems as part of a continuous monitoring program.
  • Prepare, present and provide technical guidance for A&A and ATO presentations to clients and management.
  • Provide technical white papers to support security requirements for product testing and evaluations.
  • Provide project scheduling for Assessment and Authorization assignments and task orders.
  • Build effective channels of communication with the CISO, SISO, SO/IO, ISSO, and PM, system engineers, architects and administrators.

Technical Writer

Confidential

Responsibilities:

  • Provide guidance and training in the use of the RSA Archer and Trusted Agent FISMA (TAF) automated information security assessment applications.
  • Provide technical reviews of evidence entered as artifacts into the Archer and TAF automated assessment repositories.
  • Provide technical guidance with security control implementation descriptions entered by System Owners and validations conducted by Information System Security.
  • Develop Assessment and Authorization task scheduling for Service Unit/Systems to incorporate into product acquisition or development programs to meet production deadlines/delivery dates.
  • Develop and direct the preparation of LC System Security/Risk Assessment Programs that define residual risk, risk tolerance, vulnerability flaws, threat ranges, impact levels and Levels of Assurance/Trustworthiness with internal agencies and external service providers.
  • Provide technical reviews of Security Authorization documents (e.g., System Security Plans (SSP), Continuous Monitoring Strategies, Configuration Management Plans, Contingency Plans, Incident Response Plans, Privacy Impact Assessments (PIA), System Test and Evaluations (ST&E), A&A Statement of Residual Risk, Plan of Action and Milestones (POA&M)) and remediation recommendations.
  • Analyze Nessus configuration and vulnerability scan results for false-positives and findings related to other general support systems.
  • Conduct and provide oversight of LC Information System Security Control Assessments using the NIST 800-53 Rev. 3 & 4 and NIST 800-53A formats.
  • Conduct configuration baseline security assessments using DISA STIGs, CIS and NIST security baselines, benchmarks and checklists.

Confidential

Project Manager / Lead Information Security Analyst

Responsibilities:

  • Provided technical reviews for all contract-related deliverables, including Security/Risk Assessment and Authorization (A&A, formerly Certification and Accreditation) presentations, managing the technical requirements for security control testing and product evaluations, performance reporting and client training.
  • Managed personnel requirements for the contract including attendance, travel, performance reviews, conflict-resolution, and hiring/dismissal actions.
  • Developed and maintained an Information Assurance SharePoint Portal for contract deliverables including system security authorization milestones, dependencies, resource requirements, constraints, and proposed completion dates.
  • Developed and maintained a master Task Breakdown Schedule for all assigned tasks and projects. (Microsoft Project).
  • Developed and conducted client/team presentations on information security-related policy changes issued by the Department, Agency, Federal regulations and industry best practices.
  • Directed the Annual Information Security Assessment Program for HHS OIG Regional and Field Offices throughout the continental United States.
  • Maintained an open channel of communication with the CIO, CISO, ISSO, SOP and Information Technology System Engineers, architects and administrators.

Technical Writer

Confidential

Responsibilities:

  • Developed and implemented internal and external (cloud-based/FedRAMP) security control responsibilities and requirements matrices for OIG security authorizations.
  • Reviewed contractual relationships (ISA, SLA, MOU) between the OIG and external (tenant) systems. Prepared and reviewed Gap Analysis reports comparing the contractual/legal language with the NIST 800-53 Revision 3 & 4 guidance, FIPS 200, 201, and 140-2 requirements, FedRAMP standards, and HHS information security policy. Final reports included risk-based, cost-benefit recommendations and impact analysis for non-compliance.
  • Developed and directed the preparation of OIG System Security/Risk Assessment Programs that define risk tolerance, vulnerability flaws, threat ranges, impact levels and Levels of Assurance/Trustworthiness with external information systems.
  • Provided the technical review for all Security Authorization documents (e.g., System Security Plans (SSP), Continuous Monitoring Strategies, Configuration Management Plans, Contingency Plans, Incident Response Plans, Privacy Impact Assessments (PIA), System Test and Evaluations (ST&E), Certification and Authorization Statements, Plan of Action and Milestones (POA&M), remediation recommendations and progress tracking.
  • Conducted internal assessments of the McAfee antivirus vulnerability remediation process to evaluate the effectiveness of the remediation procedures and provide the Client with trend/historical metrics to identify recurring weaknesses (i.e., inconsistent images).
  • Conducted and provided oversight of OIG Information System Security Control Assessments using the NIST 800-53 Rev. 3 & 4 and NIST 800-53A formats.
  • Coordinated the Privacy Impact Assessments and Privacy Threshold Analysis for the A&A process and FISMA audits.
  • Responded to Inspector General audits. Reviewed and edited department IT Security policies and procedures. Maintained project plans.
  • Participated in Change Control Board (CCB) security meetings.
  • Assisted with the coordination of HSPD-12 PIV Identification Badge Project.
  • Reviewed and edited the SAS-70 and OMB-300 report requirements and supported training functions as needed.
  • Conducted configuration baseline security assessments using DISA STIGs, CIS and NIST security baselines, benchmarks and checklists.
  • Maintained the monthly OIG POA&M Remediation Tracking and Reporting requirements (i.e., generated monthly POA&M reports for all OIG systems detailing mitigation progress).
  • Maintained the monthly, quarterly and annual FISMA reporting requirements for OIG systems (i.e., CyberScope, Data Calls, Investments, POA&Ms, and Privacy).
  • Developed and presented information security-related presentations on insider threats, mobile technology attacks and social media attacks.
  • Provided security analysis and oversight of OIG Intrusion Detection/Intrusion Prevention (ID/IP) system triggers, alerts and logging capabilities using scripts, audits, and training.
  • Developed, conducted and provided assessments using passive penetration (white/black box) tests on OIG Internet-facing systems using methodologies defined in ISECOM, OSSTMM, OWASP and PTES to identify channels of access (e.g., DATASEC, HUMSEC, PHYSEC, SPECSEC and COMSEC). Tools: Maltego, BackTrack.
  • Conducted extensive technical reviews of information security-related products (data analytic applications, browser-based apps and plug-ins, web-hosting tools, mobile devices, and operating systems) to determine the security impact on the OIG network.
  • Provided oversight of network security operations by monitoring firewalls and ID/IP system alerts, rules and logs for malicious activity.
  • Provided oversight for internal threats from excessive or unauthorized access to critical systems by privileged users.
  • Conducted FISMA Contingency Plan/Disaster Recovery/Business Continuity Plan tests (table-top, full functional) and scenario-based training classes for OIG Contingency Plan coordinators.
  • Conducted Annual Incident Response tests and training exercises (EICAR, simulated attacks).
  • Conducted Active Directory Federation Services (AD FS) compliance audits of HSPD-12 access control systems.

Confidential

Senior Information Assurance Analyst

Responsibilities:

  • Coordinated the FAS cyber-security incident response process, which included identification, isolation, containment, extraction, removal and analysis of entry methods and depth of exploit. Filed incident reports with US-CERT according to its reporting timeframes, schemas and taxonomy.
  • Managed the FAS vulnerability and remediation scanning programs, including vulnerability scans of operating systems (Microsoft, UNIX, Cisco, VMware), web applications (OWASP, CWE), and databases (DB2, MySQL, Oracle and MSSQL) using FDCC, COBIT, ITIL, ISO 27002, NSA, OVAL, and SANS templates. Fixes were deployed via the McAfee/Foundstone and/or Retina/eEye appliances.
  • Developed and maintained Work Breakdown and Performance Schedules for special applications (i.e., web migration, ID/IP systems).
  • Participated in white-box penetration testing of FAS networks employing both red and blue techniques.
  • Supported the USDA Foreign Agricultural Service COMSEC facility as an assistant COMSEC Custodian. Contributed expertise in instruction, maintenance, and troubleshooting of SIPRNET usage (the classified Defense Department-administered network). Additional support activities included the disposition of classified cables, daily key management procedures, and training on and operation of the DIAS (Distributed INFOSEC Accounting System) administered by the National Security Agency.

Confidential

Information Assurance Analyst

Responsibilities:

  • Formulated and implemented approved security enhancements for the Oracle 9g/11g Database and Oracle 11i Federal Financial package. Reviewed and evaluated new and existing procedures for reporting and remediation of security violations.
  • Functioned as the principal security analyst and technical expert for the development of certification and accreditation plans, including annual system self-assessments, System Security Plans (SSP), System Test and Evaluation (ST&E), Risk Assessments (RA), Privacy Impact Analysis (PIA), Configuration Management Plans (CMP), Incident Response Plans (IRP), and Disaster Recovery and Contingency Plans as required by FIPS, FISMA, OMB, and the NIST 800 series for the LEAP project.
  • Developed security procedures for installing hardware VPNs, including compliance with FIPS 140-2, NIST 800-53, NIST 800-53A and IPv6 for handling critical and noncritical sensitive information.
  • Conducted and validated security tests and continuous monitoring processes to ensure that safeguards implemented within the application systems could not be circumvented. Conducted audits to locate security weaknesses and recommended corrective actions. Set up penetration test procedures for determining the adequacy of security safeguards.
  • Analyzed IT System Security environment and provided improvement recommendations. Conducted vulnerability analysis in the areas of Administrative, Physical, Operational, Technical, Personnel and Threat Analysis. Reviewed and revised Standard Operating Procedures for Mission Critical Systems to include Change Management Plan, Contingency Plan and Disaster Recovery.
  • Performed a full range of Certification and Accreditation (C&A) for multiple line offices within NOAA including Risk Assessments (RA), System Security Plans (SSP), Security Test & Evaluations (ST&E), and Mitigation Analysis Reports.
  • Researched configuration guides and evaluated Harris Stat scans for compliance with DISA Gold Disk standards.
