
Senior IT Compliance Analyst Resume


Austin, TX

SUMMARY:

  • Regulatory compliance, information security and audit professional with experience in the financial, healthcare, manufacturing, commercial nuclear power, electric utilities, oil, and high-tech industries is seeking to lead and/or work with regulatory compliance, information security management, and audit professionals to ensure the business viability of an organization through best practices in governance, risk management, regulatory compliance and security controls.

PROFESSIONAL EXPERIENCE:

Confidential

Senior IT Compliance Analyst

Responsibilities:

  • Develop the IT Compliance Framework of Confidential, Independent System Operator (ISO) for one of the three main power grids of the United States.
  • Develop the IT Compliance Team’s processes and procedures for continuous monitoring, periodic evaluation, and in-depth assessment of the IT organization’s conformance with Confidential governance mandates, compliance with external requirements, and management of risk via internal controls.
  • Perform technology and operational process risk assessments for Confidential IT-owned assets and activities.
  • Evaluate existing internal controls for compliance processes, and assist in the design, testing, and of new internal controls to prevent, detect, or correct process deviations that pose risks to Confidential’s compliance state.
  • Provide technical and compliance guidance to Confidential operational personnel (substations and Energy Management Systems personnel) and to IT support personnel (Human Resources, IT Infrastructure, Supply Chain, etc.).
  • Provide audit support (evidence validation and mock audits) to the IT organization prior to and during the offsite and on-site audit for Confidential CIP V5 performed by the Texas Reliability Entity (TRE) and observed by Confidential and FERC.
  • Develop and implement IT Compliance staff development initiatives to enhance the knowledge and skills of IT Compliance Analysts

Confidential

Cybersecurity Consultant

Responsibilities:

  • Assess current and proposed technical and administrative processes and procedures for achieving and maintaining cybersecurity in compliance with the requirements of the latest Confidential CIP Standards (Version 5).
  • Perform technology and operational process risk assessments.
  • Evaluate existing internal controls for compliance processes, and assist in the design, testing, and of new internal controls to prevent, detect, or correct process deviations.
  • Provide technical and compliance guidance to operational personnel (substations and Energy Management Systems personnel) and to program support personnel (Human Resources, IT Infrastructure, Supply Chain, etc.) regarding cybersecurity and compliance with requirements of the Confidential CIP Standards.

Confidential

Senior Compliance Analyst

Responsibilities:

  • Design and implement the Confidential Compliance Management Plan, with particular emphasis on transitioning the various cybersecurity programs towards compliance with the latest version of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards mandated by the U.S. Federal Energy Commission.
  • Evaluate technical and administrative processes and procedures for achieving and maintaining cybersecurity in compliance with the requirements of the latest Confidential CIP Standards (Version 5).
  • Perform technology and operational process risk assessments.
  • Conduct internal controls evaluations and assist in the design, testing, and of appropriate internal controls to prevent, detect, or correct exceptions to or deviations from documented processes and procedures.
  • Ensure that compliance processes and procedures are appropriately monitored.
  • Design the evidence management process to ensure that compliance evidence is systematically collected and validated for quality and quantity.
  • Periodically assess the audit readiness of Confidential and its sites that are within scope of the Confidential CIP Standards.

Confidential

Responsibilities:

  • Designing and building the company’s information security and compliance program (Export Management and Compliance Program), specifically tasked with ensuring compliance with U.S. laws and regulations governing transfers of, access to, and the use of, nuclear and dual-use technologies and technical data by non-U.S. persons and entities.
  • Formulating and obtaining executive committee approval of the first-ever Export Regulatory Compliance Policy of the company
  • Developing key contacts within U.S. government agencies with export licensing authority and jurisdiction over the company
  • Collaborating with senior management in establishing the company’s Export Compliance Program Steering Committee
  • Providing technical guidance to key stakeholders in developing, documenting, and implementing export compliance processes and procedures, as well as associated internal controls, for business units with export-related tasks and roles surrounding:
  • Deemed exports, particularly with regard to nuclear technologies and technical data subject to 10 CFR Part 810, dual-use technologies subject to the Export Administration Regulations (EAR), and defense-related technologies subject to the International Traffic in Arms Regulations (ITAR)
  • Physical exports and reexports of commodities subject to 10 CFR Part 110, the EAR, and ITAR.
  • Restricted Party Screening
  • Verification of US Person status of employees, contractors, vendors, and visitors.
  • Leading the development of the first-ever Export Compliance Awareness courses for employees and contractors
  • Leading the initiatives for the identification and classification of export-controlled items, technologies, and technical data of APS, and particularly of the Palo Verde Nuclear Generating Station.
  • Establishing the mechanisms for monitoring the implementation of regulatory compliance processes within scope of the Export Management and Compliance Program
  • Initiating and conducting under guidance of Corporate Legal Counsel a formal investigation of actual compliance violations
  • Monitoring the status of implementation of action plans to remediate or mitigate compliance violations
  • Conducting periodic assessments of compliance evidence to ensure reliability, appropriateness, and consistency of evidence
  • Preparing and submitting required reports to executive leadership and to U.S. regulatory agencies regarding the compliance state of the company
  • Obtaining the support and input of the key stakeholders for the Export Management and Compliance Program, particularly of the Legal, IT Security, Human Resources Management, IT Infrastructure, Supply Chain Management, Nuclear Security, Enterprise Applications Development, Corporate Communications, and Corporate and Development leaders.

Confidential

Lead Compliance Investigator/Auditor

Responsibilities:

  • Designing and implementing audit and investigative processes for the regulatory compliance efforts of the Confidential CIP compliance program of Confidential and associated entities (BGE, etc.)
  • Conducting formal inquiries pertaining to CIP compliance across various business units and organizations of the Confidential Group and its affiliates.
  • Assessing the design and effectiveness of internal controls for Confidential regulatory compliance processes.
  • Designing and managing the implementation of the Confidential CIP Compliance Auditing Program of Confidential Group and its affiliates.
  • Providing guidance on technical and compliance issues related to the requirements of the Confidential CIP Standards for ensuring the physical and cyber security of the critical infrastructure for the Bulk Electric System (BES).
  • Serving as consultant and advisor for the Baltimore Gas & Electric (BGE) compliance audit preparedness efforts with focus on the Confidential Reliability Standards (CIP, NUC, MOD, FAC, EOP, TOP, and PRC), including technical audit and review of evidence and mock audit engagements.
  • Serving as resource person for Confidential Reliability Standards audit evidence preparation and presentation across the various business units of the Confidential Group.
  • Serving as project lead for the Confidential Group’s privacy compliance initiatives to meet the requirements of federal, state, and international laws and regulations governing the privacy of information of employees, contractors, and customers.
  • Serving as consultant for Confidential affiliates, to equip compliance staff members with basic skills and knowledge regarding controls, audits, risks, and compliance.

Confidential, Austin, TX

IT Security, Audit and Compliance Analyst

Responsibilities:

  • Reviewed the IT security and compliance policies, procedures, and processes of each client company as required by specific compliance frameworks (HIPAA, Sarbanes-Oxley, GLBA, PCI, SAS70, etc.) to ensure that best practices and controls are in use to address security and compliance requirements.
  • Examined general computer controls (GCC) and application controls with the use of automated and manual tools for AS400, Windows, Linux and Solaris environments running various ERP systems (SAP and Oracle), identified control deficiencies and gaps in controls design and implementation, and recommended adoption of remediation measures consistent with best practices required by risk management frameworks such as COBIT, PCI-DSS, COSO, and ISO 17799/27001/27002.
  • Performed risk assessments (e.g., evaluating threats, vulnerabilities, probability, and impact) and identified gaps in controls for identity and access management, change management, network and endpoint security, application security, and database security.
  • Reviewed preventive, detective, and mitigating controls at the systems, network, and application levels (HIPS, NIDS, server hardening, database controls, etc.) and correlation of various controls/applications (vulnerability assessment, logging, NIDS, etc.) for physical and virtual networks.
  • Reviewed controls for application development, testing and change management.
  • Conducted iterative application testing of ERP systems under development for Texas state government.

Confidential, Round Rock, TX

Technical Analyst

Responsibilities:

  • Provided advanced technical support for enterprise networks of Fortune 100 and large companies (Confidential, Confidential, Confidential, etc.) and government (federal, state, and local) agencies (FBI, USMC, USAF, DOE, etc.)
  • Personally managed thousands of cases, as well as assisted in resolving thousands of other cases of complex technical issues involving:
