IT Specialist - Cybersecurity Resume

New Carrollton, MD

SUMMARY:

  • Experienced and certified Cyber Security professional, Information Technology (IT) Specialist, PMI certified Project Manager, and IT Audit Team Lead. My educational background includes 3 master’s degrees in National Security and Public Safety/Information Protection and Security, Computer Science, and Telecommunications plus a Bachelor’s degree in Math. Strong background in Application and Network Security, Data Analytics, Security Engineering, Compliance Assessments, Development and Testing, Data Privacy, Risk Management, Policy Development and Information Assurance. Seeking a challenging senior position to use my skills to lead project teams in securing and defending systems from cyber-attacks.
  • Prior experience includes providing Project Management and security support and guidance to Federal, State, and private sector clients, and performing domestic and international audits of business processes and the associated IT systems and applications. Extensive global experience deploying and using security tools to solve problems. Hands on experience performing detailed analysis of large volumes of data to identify anomalies, and performing penetration testing and vulnerability analysis. Extensive background in requirements engineering, development, programming, and testing with experience on various platforms including mainframes, mid-range, virtual, client server environments, web applications.
  • Project Management - PMI/PMP Certified Project Manager with over 25 years of experience successfully managing complex domestic and global multi-million-dollar IT development and security projects for Confidential (ex. AETNA, SNET, New York Metropolitan Transit Authority, Bristol Myers Squibb), JP Morgan, Internal Revenue Service ( Confidential ) (ex. Affordable Care Act (ACA), Archer, Continuous Diagnostics and Mitigation (CDM)) and CDI. Achieved outstanding performance ratings with high customer satisfaction rates delivering high quality solutions on time and within budget. Managed teams of internal, government, and contractor staff across business organizations. Provided Project Management, audit and security support and guidance to private sector and government clients across multiple industries to help clients secure applications, networks, servers, and data.
  • Developed Project Plans and integrated tasks from stakeholders into the master Plan and schedule. Identified milestones and tracked tasks and deliverables against planned and actual dates. Led technical meetings, made oral and written status presentations to management and stakeholders. Managed contracts to hire resources. Provided oversight of contractor deliverables. Managed Confidential efforts to comply with the CDM GSA Blanket Purchase Agreement (BPA) mandate. Performed resource forecasting, assisted in development and tracking of the Cyber budget, financials and requisitions. Focal point for several TIGTA and GAO audits of CDM.
  • Currently leading the Confidential CDM initiative to transition from Policy Checkers to automated Compliance scans with BIGFIX. Teaming with DHS, Confidential, UNS, EOPs, Criminal Investigations, Enterprise Services, Enterprise Architecture, Cyber and contractor staff to deploy and test the tool, identify process changes, and to deliver a secure compliance solution agency-wide.
  • Oral and Written Communications - Led status meetings, prepared written and oral presentations and briefings on project status, budget forecasts, issues, risks, contracts, staffing, audits, technical and security issues, and developed strategic plans. Skilled in delivering presentations to business and technical staff, executive management (Directors, ACIOs, CIO, managers), and to customers. Managed many large development and Security Projects in private sector for Confidential and commercial clients across various industries. As a Senior Audit Team Lead at Confidential, led domestic and global Audit teams. Created and documented audit findings and Audit Reports. Explained controversial or complex findings to the clients and negotiated to reach agreement on audit ratings and risk. Assisted in the development of Confidential ’s annual global Application Audit Plan.
  • Analytical/Critical Thinking - Proven critical thinking, communication, problem solving and analytical skills with strong attention to detail. Analyzed large volumes of audit, compliance and security tool data on different platforms for Confidential, Confidential, CDI and commercial clients. Led the Data Validation and Analytics teams for the Confidential SCAPMar, CDM and RSA Archer projects. Detected anomalies and identified vulnerabilities and deficiencies in systems, applications, audit logs, security tools and products. Provided guidance to resolve security deficiencies, improve detection and response capabilities, reduce risk, and to secure networks and applications at Confidential and during audits and investigations with Confidential .
  • Expertise with analytics tools including SAS, ACL, MS Access, SPLUNK, and Excel. Extracted and analyzed security, asset and vulnerability data from tools including: Symantec Endpoint Protection (SEP), Tripwire/IP360, Tivoli, BIGFIX, BDNA, Guardium, ForeScout, Proventia, Confidential AppScan, KISAM, ESM, and the Cyber Security Data Warehouse (CSDW). Wrote custom SQL queries to extract, sort, and join asset data (ex. servers, databases) to data from vulnerability scanning tools. Created reports to identify the highest risk assets, critical vulnerabilities, unmanaged assets, and servers not being scanned. Detected and corrected defects in vendor security tools and configuration errors which helped improve Confidential ’s security posture.
  • Led Enterprise level requirements gathering and testing sessions for complex FISMA reportable and FIPS 199 low, moderate, and high systems. Worked with stakeholders across organizations to document requirements, analyze and select products, perform feasibility studies, design systems, and test and deploy them to production. Ensured solutions adhered to security and Enterprise Architecture standards and policies. As a Security Engineer, Application Auditor, and Compliance Manager, provided security support and expert guidance on: Application and Network Security, security policies (FISMA, NIST, IRMs, OMB) and directives, security controls, data classification, Data Privacy/Privacy laws, encryption, and risks. Performed ethical penetration testing and application security and compliance reviews to help clients identify vulnerabilities in systems. Provided guidance to protect sensitive data and to secure the systems and inter-connections. Analyzed CDM tools and provided recommendations on how CDM tool data can be used to automate the FISMA scorecard reporting and identify Confidential ’s highest risk assets.

TECHNICAL SKILLS:

OPERATING SYSTEMS, DATABASES, SOFTWARE PACKAGES, PROGRAMMING LANGUAGES, Tools: Windows, SQL servers, LINUX, UNIX, AIX, Solaris, ORACLE z/OS, OS/390, MVS, VM/CMS, DOS, TPF, RACF, JCL, CLISTS, TSO/ISPF, VSAM, DB2, QMF, BRIO, IDMS, CICS Confidential BIGFIX (console expertise), Guardium, Confidential AppScan, Tivoli - ITIM/ ITIM VAULT. Tripwire (Admin Certified). Symantec Endpoint Encryption, BDNA, NetIQ SCM, HP KISAM, ESM RSA Archer eGRC (Admin Certified). Completed CDM on BIGFIX, SPLUNK, ForeScout, RES ONE and familiar with these tools. SAP, SIEBEL, Lotus Notes (admin), ESRI Geographic Information Systems software for Incident Mapping SAS Enterprise Guide Querying and Reporting. ACL. Microsoft Office, Access, Microsoft Project, VISIO, SharePoint. ASSEMBLY, C, C++, PL/1, BASIC, COBOL, FORTRAN, LISP, PASCAL, SQL. Limited experience with JAVA, JAVASCRIPT, PHP, HTML. Basic website development skills.

PROFESSIONAL EXPERIENCE:

Confidential - New Carrollton, MD

IT Specialist - Cybersecurity

Responsibilities:

  • Conducted briefings to convey project status, risks, issues, schedules, and financials to technical staff, business focal points and senior executives at Confidential and Treasury. Participated in the Strategic Planning process. Aligned project objectives with the Cybersecurity Strategic Plan. Performed resource and fiscal year budget projections and reconciliation. Ensured projects were adequately staffed and workloads were manageable.
  • Analyzed, investigated, and recommended solutions for a variety of critical security and data privacy issues from senior executives including the Commissioner, CIO, ACIOs and Treasury. Responded to audit and FOIA requests. Recommended controls for applications, websites, and interconnections to enable the secure transfer of data.
  • Archer Hardware Asset Management and Guardium - Led the pre-CDM project and discussions with business and technical stakeholders to elicit and document the technical, security and reporting requirements for the Archer HWAM and vulnerability management solutions. Extracted and analyzed asset and vulnerability data from a variety of scan tools including Symantec Endpoint Protection (SEP), BIGFIX, Tripwire, Guardium, BDNA, Tivoli, ESM, HP KISAM, Proventia and the Cyber Security Data Warehouse (CSDW). Used tools including SAS, MS Access, and EXCEL. Developed custom SQL queries to link assets to their vulnerabilities. Designed reports which identified missing and unmanaged assets, highlighted trends and high-risk assets, and prioritized vulnerabilities for remediation. Worked with Operations teams to secure servers, workstations, and databases.
  • Correlated data across SIEM tools using analytical skills. Identified the strengths and weaknesses of each vendor scan tool. Identified multiple data anomalies and security risks and took actions to correct: unmanaged assets, incorrect agent versions, excessive DNS access, missing servers, assets active on the network but not in the inventory. Identified problems and gaps with the scan tools including: SEP data missing for multiple domains and GSSs, newer operating system versions that were not being scanned, Tripwire’s failure to detect all LINUX/UNIX/Solaris assets since the tool was misconfigured and scans were not completing. Corrected errors in the queries used to extract data from the scan tools which feed the CSDW. Also, identified several bugs in tools including the Confidential Guardium product and BIGFIX which were sent to Confidential for correction.
  • Security Compliance Posture Monitoring and Reporting (SCPMaR) project - Data Analysis Team Lead. Analyzed and tested the customized NETIQ Secure Configuration Manager (SCM) tool. Verified the accuracy of the Security Content Automation Protocol (SCAP) content, reports, dashboards, data, and calculations used to assess operating system, database, virtual machine, and web server compliance to FISMA. Reviewed NETIQ security policy content against the Windows and LINUX/UNIX Policy checkers and DISA STIGs. Identified gaps and missing policies.
  • Wrote custom SQL queries to capture security events of interest. Created summary activity reports which the Operations teams used to investigate and patch vulnerabilities or to correct configuration errors. Used analytical skills to increase efficiency and reduced the time required to transform data and link assets to vulnerabilities.
  • Verified the accuracy of O/S, database and web policy checker scripts; identified false positives or changes needed to scripts due to policy updates. Identified bugs including inaccurate formulas and calculations, errors in trend data and security vulnerabilities, missing security assessments, missing assets, and a persistent zero-day XSS vulnerability. Identified security deficiencies that permitted users to log on without re-entering credentials due to improper caching of ids and passwords. Worked with Operations teams to increase the number of endpoints and servers being assessed. Provided recommendations to the vendor to correct the tool and to resolve security issues.
  • Archer Test Team Lead - Managed all testing efforts for several Archer solutions. Created function and system test cases, assisted users with the creation of user acceptance test cases, and performed regression and security testing. Identified and helped resolve numerous problems with Archer including: security flaws in how the tool was configured on the Confidential network and in the production and development/test environments hosted by the RSA vendor; a zero-day XSS vulnerability in the latest Archer product; security issues related to caching of user credentials, lack of audit logging in Archer; and inadequate logging of user activity.
  • Assisted in the design, development and testing of multiple customized Archer solutions which collect and consolidate audit, contractor security assessment, risk, incident, asset, and vulnerability data in support of Continuous Monitoring. Developed and/or reviewed project artifacts including the Project Plans/WBS, requirements and design documents, Privacy Assessments security accreditation and packages, vulnerability reports, access management and authentication procedures, Configuration Management procedures, Disaster Recovery and Business Continuity plans, User Guides, packages.
  • Confidential Security Risk Compliance Operations (120-day detail) - (4/ /12) - Worked with Pen Testing Code Analysis team to deploy the Tripwire network vulnerability assessment tool. Completed Tripwire administrator and BDNA classes. Wrote the Tripwire Standard Operating Procedure. Configured Tripwire IP360 and ran vulnerability reports on servers and network devices. Analyzed vulnerabilities to eliminate false positives. Prioritized high risk issues. Mapped vulnerabilities to appropriate NIST controls and the associated IT systems, applications, and databases. Cross checked the vulnerabilities against existing risks or issues. Created POAMs to address new security risks. Developed trending reports to show changes in agency security posture over time. Gained hands on experience with Guardium, Confidential AppScan, and the Windows, LINUX/UNIX and mainframe security policy checkers. Also, analyzed the architecture, data, data flows and vulnerabilities for a FISMA HIGH Confidential system with Federal Tax Information (FTI). Corrected an architectural flaw which had exposed FTI in the DMZ.
  • Confidential Security Engineering Services - Security Engineer - GS-13 2210 - (5/9/11 - 4/8/12) - Provided security architecture design and engineering support and guidance for projects including Obamacare/ACA. Reviewed security architectures and engineered solutions to proactively protect information. Identified specific threats to and vulnerabilities in applications, web servers, web services, databases, and vendor products. Worked with the architecture and development teams to tailor security controls to meet project requirements and manage risk. Assisted customers in developing System Security Plans and through the security categorization, testing, and accreditation process. Defined and documented the security requirements and security artifacts for each phase of the Enterprise Life Cycle (ELC) process.
  • Reviewed data, application interfaces, and system functionality to determine the FIPS 199 security categorization. Identified sensitive data and assisted in the completion of PIAs and live data waivers. Recommended products, strategies and countermeasures to help mitigate security issues and prevent fraud in systems being integrated into the Confidential or Treasury infrastructure.
  • Engineered and applied layered defense mechanisms as appropriate based on NIST controls, Confidential IRM policies, FISMA, and applicable regulatory policies and data privacy laws (ex. HIPAA, PCI, Privacy Act, OMB A-130). Identified appropriate audit security tools including HP ArcSight for infrastructure and Enterprise Security Audit Trails and Security Audit and Analysis System for logging.
  • Worked with the team leads to develop materials and taught an introductory Security Engineering class. Created a sample application, documented the security requirements and recommended and applied security controls. Created the Requirements Traceability Matrix, and the associated security artifacts for each milestone to illustrate how security requirements are written and evolve through the project lifecycle.
  • Participated in the pilot testing and feasibility studies for new products, services, and prototypes, including wireless access, soft phone, VOIP phones, and Single Sign-On (SSO) using PIV cards for the Confidential . Assessed network performance and response time. Recommended security controls including FIPS 140-2 encryption capabilities and appropriate cryptographic algorithms. Tested vendor products to assess security compliance, identify vulnerabilities and assisted in product selection.
  • Security Policy - Designated as the primary focal point to assist in the development of new security policies or as primary reviewer of updates to existing policies. Provided security guidance on a variety of areas including mobile devices (iPhone/iPad), wireless phones, air cards, database and web security, XML, Service Oriented Architecture, RSA tokens, Cloud Security, GPS updates, SharePoint, s, lightweight directory access protocol (LDAP), firewalls, HIDS, network intrusion detection systems, encryption algorithms, privacy, interconnection agreements.

Confidential

IT Security & Compliance Advisor

Responsibilities:

  • Provided technical guidance on security and data privacy issues for Confidential ’s strategic outsourcing clients in the Public Sector (State, local, Federal government), biotech, and healthcare industries. Helped Confidential and its customers respond to external PCI, SAS70, and Federal audits. Identified weaknesses in application, database, network, server, and website security settings that could permit insider or external attacks, fraud, or lead to data loss.
  • Clients included State of Michigan, State of Texas, Georgia Bureau of Investigation, Amgen, NY Transit Authority, Abbott Medical Optics, Confidential, and backup support for various hospitals and other sectors.
  • Documented baseline security agreements. Recommended appropriate controls to secure various platforms including servers, databases, mainframes (RACF), midrange and virtual environments.
  • Conducted proactive security control assessments, internal audits, and testing to verify adherence to the relevant contracts, service level agreements, and security and regulatory standards (ex. DoDI 8500.2, DITSCAP/DIACAP, FISMA, NIST, NIST a, NIST, FIPS 199/200, OMB, HIPAA, FDA, FFIEC, Privacy Act of 1974, worldwide Data Privacy laws, European Union Data Protection, PCI, Sarbanes Oxley (SOX), Gramm Leach Bliley Act (GLBA), Denied Parties Lists (DPL), export controls laws, and ITAR). Reviewed, analyzed, and interpreted application and network traffic and system logs using various tools to identify anomalous or malicious traffic that could be indicative of fraud or compromise. Determined potential threat agents and their avenues of attack and tactics.
  • Worked with customers to implement corrective actions and POAMs in response to audits or to mitigate risks. Implemented controls to secure taxpayer data, social security numbers, payment card/debit/credit card information, bank accounts, criminal justice information, unemployment claims, clinical trial and medical device data. Identified and investigated Advanced Persistent Threat (APT) cases where foreign nationals were improperly accessing U.S. systems.
  • Compiled compliance metrics for each account. Conducted briefings with senior management and executives to help them understand audit findings and security risks. Made recommendations to address each issue. Developed Project Plans and timelines for corrective actions, and communicated the status for each issue.
  • Managed the security patch advisory database subscription and distribution process for Confidential ’s customers.

Confidential - Armonk, NY

IT, and Audit. Senior Application Audit Team Lead

Responsibilities:

  • Performed ethical application testing manually and with tools such as Confidential AppScan; performed network vulnerability testing including review of firewall rules. Tested access to the Confidential virtual private network, DMZ, and to customer networks by internal staff, vendors, business partners, and customers via various connectivity methods including inter-enterprise service gateways, SINE, CITRIX, Tivoli Access Manager (TAM)/Tivoli Identity Manager, Aventail, and the AT&T dialer.
  • Reviewed audit logs; identified unauthorized system and security administrator or DBA activity or excessive privileges. Verified timely removal of access. Reviewed and tested logging policies, log retention, anti-virus implementation, etc. Reviewed developer access to code and data in production and test environments, production promotion procedures, etc. Identified anomalies in data and logs and investigated root causes.
  • Identified and investigated multiple cases where foreign nationals had obtained unauthorized access to DOD and Federal systems. Identified new risks resulting from the cross-border transfer of information and the increased use of global resources through outsourcing. Assisted Corporate Investigations team on several cases.
  • Used audit tools including ACL and Excel for data analysis and AppScan reports to identify applications and websites with OWASP security and privacy vulnerabilities. Reviewed the findings with the business owners and helped educate developers on secure coding techniques. Worked with Corporate Security and the development teams to apply appropriate code fixes to prevent cross-site scripting (XSS), SQL injection attacks, malicious file execution, information leakage, session hijacking, and other exploits by hackers.
  • Confidential Software Group- Security and Controls/Senior Project Manager - Managed security projects and conducted application security, data privacy, and Section 508 accessibility reviews of domestic and globally based applications, servers, websites, and networks in preparation for audits and to ensure compliance with corporate, legal, and regulatory requirements.
  • Trained personnel from worldwide business units and software company acquisitions including AIM, Lotus, Rational, and Tivoli on Confidential security, privacy, architecture, design, and hosting standards. Worked with staff to assess the environments, identify risks, and test and verify application and server compliance to applicable security and country specific data privacy laws, including European Data Privacy, Safe Harbor Principles, etc.
  • Provided guidance to resolve security and privacy issues to permit the integration of applications and servers from third party acquisitions into the Confidential infrastructure and production environments.
  • Performed risk assessments of security exposures, vulnerabilities and threats, including cost/benefit financial analyses as a member of the Risk Management Review Board. Prioritized risks, established action plans and implemented a monitoring program with metrics to track progress.
  • Established a global process to identify servers, server owners, their locations, operating systems and their anti-virus and security patch status. Created a process to ensure timely implementation of patches for critical vulnerabilities and a communications program that Confidential used with the worldwide software labs to enable quick identification of virus attacks, worm attacks, and other threats. Worked with the global teams to ensure servers and applications had appropriate controls in place to ensure the confidentiality, integrity and availability of data.
  • Confidential Office of the CIO - Business Transformation Management Compliance Team/Senior Program Manager - Performed technical, security and financial assessments to determine whether Confidential ’s major IT projects were adhering to corporate standards and to assess whether the IT budgets were being spent appropriately. Assessed project risks, verified adherence to technical, legal, security, privacy, architectural and other CIO standards.
  • Managed and provided strategic leadership over two global CIO Corporate Boards which reviewed business exception requests against standards for development and test environments and for DR and business continuity.
  • Participated as a voting member of various Confidential CIO technical task forces including the worldwide CIO Security and Privacy board. Assisted in the development of new global security and privacy standards, policies, and guidelines and made recommendations to improve and strengthen existing standards.
  • CIO focal point for the creation of a worldwide application Portfolio Management and Compliance Tracking tool. Gathered and documented requirements. Assisted in the design, development, testing, and deployment of an Intranet web-based tool used to assess application risk and adherence to corporate standards, and legal and regulatory policies. Worked with the standards owners to identify and implement compliance requirements related to data classification, application security, privacy, ITAR, SOX, encryption, web and Notes architecture, business data standards, performance and availability, disaster recovery, accessibility, and hosting.
  • Confidential Global Financing/Senior Project Manager - Led multiple global projects to develop, test, and deploy financing, leasing, and sales delivery tools in support of worldwide customers who leased or purchased products or services from Confidential . Implemented a customized testing process for each country using local staff and tested applications in multiple languages on websites. Implemented formal testing procedures using requirements traceability matrices and formal Test Plans, Test Cases, and test data which led to much more successful deployments of global systems thereby increasing customer satisfaction.
  • Established a formal Project Management process and mentored PM candidates at Confidential .
  • Developed project plans (including milestones, work breakdown structures (WBS), deliverables, planned vs. actual dates, etc.), assigned resources to each task, led status meetings with stakeholders, created status reports, meeting minutes, risk assessments, managed problem and change requests, and production promotion plans.
  • Led a worldwide task force team in creating a Request for Information (RFI) defining Confidential ’s business and technical requirements for a global financing tool. Worked closely with Procurement, Contracts & Negotiations, and Legal departments to verify that the appropriate legal and confidentiality agreements were in place for correspondence with vendors. Coordinated meetings/demos with the end users and each vendor. Assessed each vendor’s tools against the business and technical criteria. Performed “make” versus “buy” assessments and worked with the end users and management to select the most cost effective and appropriate solution for global deployment.

Confidential, New York, N.Y

Project Manager

Responsibilities:

  • Managed a global project to install “Listed Trader Workstations” at JPM Wall Street locations and at the New York Stock Exchange, American Stock Exchange and London exchange in support of the Equities/Derivatives traders.
  • Coordinated the global deployment of a major VPN project that provided JP Morgan employees’ remote access to the Internet, JPM Intranet, and email in support of business travel and telecommuting.
  • Interfaced between the world-wide JPM technical staff, traders, vendors, legal teams, auditors, facilities personnel, contract services, desktop support, LAN/WAN teams, unions, and management chains to ensure that all appropriate parties were involved in the projects. Gathered, documented, and analyzed requirements, developed the Project Plan, performed project scheduling and task assignments, developed and tracked the budget, ensured appropriate staffing, performed testing, tracked issues, resolved problems, led contract negotiations, developed project documentation, performed quality assurance activities, coordinated product distribution and .

Confidential, White Plains, N.Y

Systems Programmer/Analyst/Project Lead

Responsibilities:

  • Developed and supported a series of client server and mainframe-based Telecommunications applications which were used to design, configure, engineer, and optimize the routing of calls on Confidential and Advantis’s voice and data networks. Applications included billing applications, traffic engineering programs, on-net, offnet, international, and virtual network traffic matrix creation programs, re-formatter systems, and tariff interface programs which used Call Detail Records (CDRs) from various Private Branch Exchange (PBX) types.
  • Used relational database technologies (ex. DB2, QMF, SQL) to develop applications and queries that extracted data from the CDRs. Analyzed the information and pieced together the full call record for billing purposes. Also used the information to identify cheaper routing paths for calls and to identify instances of fraud, including a case where we found prisoners making unauthorized calls using the Confidential network.
  • Systems programmer and tester using Assembly language and PL/1 in an S/360 mainframe based environment. Supported Confidential ’s high availability, high volume, high throughput real-time Transaction Processing Facility (TPF) operating system which was used by major airlines, credit card companies, hotels, 911 systems, etc.
