Summary of Qualifications
An Information Security Professional focused on delivering Public and Private Sector Information Security and Privacy Services. Over 35 years' experience working in Information Security, Risk Management, Attack and Penetration Testing, System Development Life Cycle, Regulatory Compliance, and IT Audit. Specializes in Information Security Strategy, Information Security Controls and Governance, IT Compliance, Data Privacy, HealthCare (HIPAA) Privacy and Security, Payment Card Industry Data Security Standard (PCI DSS), Risk Management, IT General Controls Auditing, Network and System Security, Vulnerability Assessment, Access and Identity Management, E-Commerce, Intrusion Detection and Prevention, Cyber Security, Cloud Security, Mobile Security, Cyber Security Incident Response, eDiscovery, and Computer Forensics. Has designed and overseen the secure implementation of IT risk organizations, emerging technologies (wireless and cloud computing) and world-leading e-commerce solutions. Designed control frameworks allowing companies to be fully FISMA and PCI compliant as well as ISO 27001 compliant. Has high-caliber presentation and communication skills and is a highly sought-after speaker on information security, privacy, business continuity and disaster recovery. Demonstrates working knowledge and understanding of system security, controls and information security management environments in the following Healthcare and Information Security domains:
- Information Program Management
- Healthcare Information Technology Security
- Regulatory Compliance (HIPAA/HITECH, FISMA/NIST, COBIT, ISO 27001, PCI DSS, SOX, and ITIL)
- Policy Development Management
- Security Function Design
- Corporate and IT Governance
- NIST Risk Assessment/Management
- DIACAP
- NIST Risk Management Framework (RMF)
- Cloud Security and Auditing
- Strategic Security Planning
- Security Architecture and Strategy
- Threat Vulnerability Management
- Identity Access Management
- Network Security Architecture
- Cyber Security Incident Response
- Investigations and eDiscovery
- Business Continuity Planning/Disaster Recovery Planning (DRP)
- Security Awareness, Training, Education
- Data Leakage Prevention (DLP)
- Health Information Exchange and Patient Health Record Systems
- Auditing and Log Management
- Mobile Device Security Strategy
- Business Associate and Third-Party Risk Management
- Large Complex Security Program Execution/Implementation
- Security Infrastructure
Objective
A Certified Information Systems Security Professional who leads by example to effectively meet the information technology challenges of a dynamic organization's business objectives. With my diversified skill set in Information Technology, I am seeking an Information Security Director/Manager role that will permit me to apply my leadership skills, creativity, experience, business acumen and technical knowledge to integrate people, process and technology. In addition, the role should enable me to apply the information security concepts of confidentiality, integrity and availability in a leadership capacity to provide cost-effective IT solutions.

Professional Experience

Confidential, Information Security Manager (ISM) - A senior-level executive responsible for aligning security initiatives with enterprise programs and business objectives, ensuring that information assets and technologies are adequately protected.
- Monitor compliance and ensure enforcement with all SOX, PCI DSS, HIPAA/HITECH, COBIT, and NIST requirements as applicable to the organization.
- Provides oversight on PCI DSS compliance and completes the annual PCI DSS Self-Assessment Questionnaire (SAQ).
- Conducts annual HIPAA Privacy/Security Compliance Reviews. Identifies compliance gaps, develops security policies and procedures, conducts risk assessments, risk analysis, and supervises ongoing compliance.
- Developed and conducts a Security Checklist for all eCommerce and Software-as-a-Service (SaaS) Providers.
- Responsible for tracking all organizational risks on the Plan of Action and Milestones (POA&M).
- Responsible for oversight of all ongoing activities related to the development, implementation, and maintenance of HIPAA Security policy compliance to safeguard protected data held by the organization in accordance with federal and state laws including all electronic information and physical security access controls.
- Responsible for the Business Continuity Plan/Disaster Recovery Plan (BCP/DRP). Works with other Senior Management to document, train, test, and update the BCP/DRP.
- Develops and directs technical teams in the investigation and resolution of complex privacy and security problems across the organization and 3rd party providers of SaaS applications.
- Conducts recurring Physical and Systems Assessments across third-party vendors.
- Advises Senior Management on risk issues that are related to information security and recommends actions in support of the organization's wider Risk Management Program.
- Monitors information security trends and evolving technologies as well as keeps Senior Management informed about related information security issues and implications for the organization.
- Understands potential and emerging information security threats, vulnerabilities, and control techniques and communicates this information to appropriate team members throughout the organization on a timely basis.
- Provides guidance to business units as necessary to investigate security breaches and to pursue associated potential disciplinary and legal actions in collaboration with the Compliance Office and Human Resources Departments and Legal Counsel as appropriate.
- Engages and directs third-party consultants as appropriate on all audits.
- Collaborates with Internal Audit as a business advisor on information security matters.
- Establish and maintain an information security strategy in alignment with organizational goals and objectives to guide the establishment and ongoing management of the information security program.
- Establish and maintain an information security governance framework to guide activities that support the information security strategy.
- Integrate information security governance into corporate governance to ensure that organizational goals and objectives are supported by the information security program.
- Establishes and maintains the Strategic Security Plan and Information Security Policies to communicate Senior Management's directives and guide the development of standards, procedures and guidelines, including strategic planning initiatives.
- Obtain commitment from Senior Management and support from other stakeholders to maximize the probability of successful implementation of the information security strategy.
- Define and communicate the roles and responsibilities of information security throughout the organization to establish clear accountabilities and lines of authority.
- Establish, monitor, evaluate and report metrics (for example, key goal indicators (KGIs), key performance indicators (KPIs), key risk indicators (KRIs)) to provide management with accurate information regarding the effectiveness of the information security strategy.
- Establish and maintain the Information Security Program in alignment with the information security strategy.
- Identify, acquire, manage and define requirements for internal and external resources to execute the Information Security Program.
- Establish and maintain information security architectures (people, process, technology) to execute the Information Security Program.
- Establish, communicate and maintain organizational information security standards, procedures, guidelines and other documentation to support and guide compliance with information security policies.
- Establish and maintain a program for information security awareness and training to promote a secure environment and an effective security culture.
- Integrate information security requirements into organizational processes (i.e., change control, mergers and acquisitions, development, business continuity, disaster recovery) to maintain the organization's security baseline.
- Integrate information security requirements into contracts and activities of third parties (i.e., joint ventures, outsourced providers, business partners, customers) to maintain the organization's security baseline.
- Establish, monitor and periodically report program management and operational metrics to evaluate the effectiveness and efficiency of the Information Security Program.
- Establish and maintain an organizational definition of, and severity hierarchy for, information and cyber security incidents to allow accurate identification of and response to incidents.
- Establish and maintain an Incident Response Plan to ensure an effective and timely response to information security incidents.
- Develop and implement processes to ensure the timely identification of information and cyber security incidents.
- Establish and maintain processes to investigate and document information and cyber security incidents in order to respond appropriately and determine their causes while adhering to legal, regulatory and organizational requirements.
- Establish and maintain incident escalation and notification processes to ensure that the appropriate stakeholders are involved in incident response management.
- Organize, train and equip teams to effectively respond to information and cyber security incidents in a timely manner.
- Test and review the Incident Response Plan periodically to ensure an effective response to information security incidents and to improve response capabilities.
- Establish and maintain communication plans and processes to manage communication with internal and external entities.
- Conduct post-incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
- Establish and maintain integration among the Incident Response Plan, disaster recovery plan and business continuity plan.

Confidential, Information Systems Security Professional - Acted as trusted Information Security advisor to 26 state agencies.
- Assisted in creating a Project Management Office (PMO) to conduct risk assessments for 36 State Agencies. The PMO provided improved comprehensive project management capabilities to the ICS project by implementing best practices and standards as defined by the Project Management Institute (PMI). The PMO improved project coordination, project integration, and consistency of project management processes, and standardized project operations.
- Performed PCI Data Security Standard (PCI DSS) compliance consulting for a Level 1 grocery chain. Evaluated current compliance status, recommended strategic remediation steps, and developed control standards. Client was able to meet PCI DSS compliance requirements and the deadline established.
- Project Manager of Digital Forensics investigation team during HR event at an International Airport. As the team lead, conducted the investigation interviews, worked closely with HR department, assisted with digital information extraction, and created final investigation report. The investigation resulted in the voluntary separation of 3 employees.
- Project Manager of Incident Response team charged with investigating an information breach at a National bank. As the team lead, coordinated all interviews, worked closely with law enforcement, and assisted with creating final incident report. Investigation determined that breach was not specifically targeting information theft and recommended improvements to overall physical security measures to minimize future incidents.
- Performed NIST based FISMA Risk Assessment for State agency. Conducted interviews with client staff, assisted with enterprise scans, reviewed and analyzed existing policies and procedures, and reported findings and recommendations. Client received a strategic security document that is used as a roadmap to better improve their security posture.
- Managed security policy review for Judiciary agency. Created project schedule, assigned consulting staff, performed weekly progress review, and mentored junior staff on how to review existing policies against best practices, and reviewed and edited final document. Client received a revised strategic security policy document that incorporated the latest legislated requirements and best practice recommendations to better improve their security posture.
- Project managed a diverse team of consultants and client personnel in developing enterprise-wide information technology (IT) security policies, standards, and guidelines for the Commonwealth of Virginia. This project enabled the Commonwealth to provide consistent IT security across its enterprise, and enabled the Commonwealth's IT strategy for consolidation of IT infrastructure.
- Project managed a team of client personnel and consultants and contractors from other firms in development and implementation of a Network Management Strategy for a Fortune 300 consumer electronics retailer. Development and implementation of this strategy enabled the client to provide network services that met business requirements and to support its new Point-of-Sale application.
- Conducted 8 enterprise FISMA risk assessments identifying security control gaps and developed a Plan of Action and Milestones (POA&M) to remediate gaps.
- Developed Low, Moderate, and High level System Security Plan (SSP) templates, 10 Low-level SSPs, and 5 Moderate-level SSPs in accordance with the framework documented in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18: Guide for Developing Security Plans for Federal Information Systems. Categorized all 16 systems in accordance with Federal Information Processing Standards (FIPS) Publication 199: Standards for Security Categorization of Federal Information and Information Systems.
- Developed Healthcare approach identifying the current Healthcare environment, Healthcare information security challenges, threats to Healthcare business processes, Healthcare breaches, new Healthcare laws, standards, and frameworks, and North Highland Healthcare Service Offerings.
- Developed Security Service Packs to conduct HIPAA, NIST, ISO 27002/27001, and SOX risk assessments and audits (two-week Rapid and 9-12 week Comprehensive). Developed an approach to implement the 10 ITIL processes into an organizational environment and audit checklists for SOX annual Attestations.

Confidential, Information Protection Specialist - As Information Protection Specialist (IPC), provided strategic oversight, responsibility and coordination of information security protection and security compliance efforts (HIPAA, SOX, and PCI Compliance, Policy Development, Auditing and Monitoring, Site and Risk Assessment, Compliance Monitoring, Strategic Contingency Planning, eDiscovery, Acceptable Use Issues, Copyright Infringement, Education and Awareness, Security Architecture Design) in the Information Systems department.
- Served as the central point of contact for all information security issues and provided overall consultation and advice on information security policies, processes, requirements, controls, services, and issues during the SDLC of three new Pharmacy systems being developed.
- Developed 8 of 13 chapters in the new Information Security Policy manual, which establishes the Publix information security policies required for identifying information resources and supported business processes and appropriately protecting those information resources. Ensured that adherence to information security policies safeguarded the integrity, confidentiality, and availability of critical and sensitive information and protected the interests of Publix, its associates, customers, shareholders, and business partners.
- Developed the corporate Risk Management methodology and Audit Guidelines using the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30: Risk Management Guide for Information Technology Systems. The Risk Management Program reduces the lack of awareness of current vulnerabilities that had increased the potential for multiple unknown vulnerabilities with unknown impact and loss of confidentiality, integrity, or availability.
- Project manager responsible for all security implemented in MicroStrategy through all stages of its System Development Life Cycle (SDLC). Conducted a risk assessment documenting critical observations, risk levels, risk explanation and recommendations associated with each finding. Reviewed the reporting structure and developed a Data Classification Tool Kit which established the sensitivity of the data on reports. Constructed the Data Classification of all 875 reports produced by MicroStrategy. Ensured auditing captured user access, use of system privileges and changes to the database schema structure to meet SOX compliance.
- Developed the PCI DSS standard approach for the internal organization drafting a complete set of security policies and standards that cover each key security control area.
- Conducted a comprehensive third-party Information Security audit using the ISF FIRM (Fundamental Information Risk Management) methodology for the Publix Super Markets Credit Union. Identified risks, developed a remediation plan to alleviate risks, documented all deviation (residual risk) requests and submitted them to management for approval.
- Developed the Disaster Recovery Plan Emergency Access Procedures for the Windows, UNIX, and Database environments. The procedures are utilized in case key personnel are not available during a Disaster Recovery situation and allow an emergency-access User-ID and password to be issued to bring up critical systems/applications in the Production environment.

Confidential, Curriculum Developer/Board Member - Developed a detailed five-day Holistic Information Security Practitioner (HISP) NIST/FISMA C&A process course plus certification exam. This is the only integration course that provides practical education on the integration of best practices for Information Security Management, Information Systems Auditing and multiple Regulatory Compliance requirements, and on how to map multiple regulatory requirements to the internationally accepted best practices framework of ISO/IEC 27002:2005 and the ISO/IEC 27001:2005 standard. The first two days cover the mapping of ISO/IEC 27002:2005 with COBIT, COSO and ITIL, then explain a methodology to map regulations such as the UK Data Protection Act, EU Directive on Privacy, HIPAA Security, FFIEC, GLB Act, FISMA (NIST 800-53/FIPS 200), SAS 70, Sarbanes-Oxley Act (Security), FACT Act, PCI Data Security (Visa CISP), California SB-1386, Canadian Bill C-198, OSFI, PIPEDA, PIPA and PHIPA to the ISO 27002:2005 framework.
- Course includes implementing the provisions of FISMA and related policies, the C&A documentation package, and NIST 800-53 security controls. The following key federal documents in the area of FISMA compliance and the NIST/FISMA C&A process are defined in the course: Federal Information Security Management Act (FISMA), OMB Circular A-130 Appendix III, NIST SP 800-18 (Security Plans), NIST SP 800-37 (Guide to Certification and Accreditation), FIPS 200/NIST SP 800-53 (Security Controls), NIST SP 800-53A (Assessment of Security Controls), NIST SP 800-30 (Risk Assessment), NIST SP 800-34 (Contingency Planning), and FIPS 199/NIST SP 800-60 (System Categorization).

Confidential, Chief Information Security Officer (CISO) - Developed an organizational Information Security Policy Manual in compliance with ISO 17799:2005's eleven domain requirements in support of the Information Security Management System (ISMS). Assumed overall responsibility for the organization's data security and privacy policies, architecture, and procedures, recommending security solutions including financial justifications and operational support options. Worked with the CIO to create, document, implement, and oversee policies, procedures, and practices that ensure the availability, integrity, and privacy of information assets. Provided appropriate access to, and protected the confidentiality and integrity of, customer, employee, and business information in compliance with company policies and standards.
- Promoted NIST Standards and Guidelines, ISO 17799 and SAS 70 Financial compliance through communication of standards and procedures, monitoring compliance, and reporting non-compliance to the Chief Operating Officer (COO). Conducted internal compliance assessments against the existing ISMS. Conducted compliance risk assessments of projects and/or systems using the ISF FIRM (Fundamental Information Risk Management) methodology. Supported and defended the organization during internal and external audits. Managed and tracked corrective actions to audit observations. Supported ongoing ISO 17799 activities. Developed and implemented stated SOP security policies and procedures. Delivered ongoing ISO 17799 compliance training and education to the organization. Managed and maintained relationships with Corporate Regulatory and Internal Audit partners.
- Developed the SAS 70 Type II audit standard approach for the internal organization.
- Conducted internal Type II SAS 70 audit in preparation for third-party SAS 70 audit. Worked with third-party auditor assisting in evidence gathering for testing and developed all remediation steps.
- Utilizing the nine (9) categories identified by NIST, developed PCI security policies in the following categories: Account policies, Local policies, Event Log policies, Restricted Groups, System Services, File Permissions, Registry Permissions, Registry Values, and File and Registry Auditing.
- Ensured compliance with PCI DSS (Payment Card Industry Data Security Standard) by implementing a set of twelve individual compliance requirements for protecting credit card numbers and other sensitive cardholder data from loss or compromise, and a set of ongoing validation requirements and guidelines for verifying compliance.
- Managed the overall organization, implementation and ongoing support and maintenance of the information security framework. Responsible for overseeing and coordinating the evaluation, design, implementation and maintenance of safeguards to protect the confidentiality, availability and integrity of critical information maintained or transmitted electronically. Evaluated existing systems and procedures for HIPAA and ISO 17799:2005 compliance, and made recommendations for improvements as required. Took the organization from 0% ISO 17799 compliance to 83% ISO 17799 compliance within six months. Prepared the organization for ISO 27001 certification and accreditation.
- Prepared and presented detailed audit findings to senior management, analyzing compiled data and making recommendations to mitigate risks and improve processes and controls. Developed further internal controls and procedures to eliminate potential weakness areas. Ensured timely completion of assigned project phases and applied understanding of client policies and proficiency in our client's methodologies.
- Created and chaired the Information Security Council Committee and Information Technology Steering Committee leading efforts in the development and the delivery of the company's security roadmap.
- Developed a Security Awareness Program providing training and interacting with all employees to effect a heightened focus on operational security risks within the business areas. Delivered comprehensive, high-quality security materials targeting three distinct audiences, covering relevant, topical and interesting subject areas each month.
- Reviewed existing IT policies and identified weaknesses and developed 16 additional policies needed to ensure compliance which have been endorsed by management and incorporated into their remediation process.
- Recommended a comprehensive external and internal security architecture to protect the organization's network and components, which has been endorsed by management and incorporated into their remediation process.
- Developed a Security Awareness Program Outline that management endorsed and incorporated into their remediation process.
- Developed the System Development Lifecycle (SDLC) five-phase approach that included a minimum set of tasks to incorporate security in the system development process.