Security SME on Risk & Compliance Program Enhancements Resume
Prospect Heights, IL
SUMMARY:
- 19 years of providing professional services to companies in developing, implementing, and enhancing information security programs (Privacy and Data Security) and strategies. Industry verticals include healthcare, technology services, insurance, financial services, material services, and utilities.
- Working knowledge of HIPAA, FFIEC, SOX, GLBA, FISMA, PCI DSS, NY DFS, and GDPR regulatory compliance, as well as COBIT, NIST, NIST Cybersecurity Framework and ISO 2700x standards.
WORK EXPERIENCE:
Confidential, Prospect Heights, IL
Security SME on Risk & Compliance Program Enhancements
Responsibilities:
- Analyzed and closed the security gaps identified during external HIPAA and NY DFS cybersecurity compliance assessments. Updated the GRC tool with the identified artifacts resulting from the assessments.
- Oversaw the direction, development, and updates to the Information Security policies, standards, and processes to address current best practices, regulations and security standards. This included revising the Incident Response Process and Information Security Policies/Standards Exception Process, working with the staff and Legal to rewrite the data classification process and ensuring new and existing data elements were appropriately classified.
- Redesigned and expanded the enterprise information security and application assessment programs utilizing ISO 2700x, NIST, HIPAA, PCI, NY DFS, and GDPR as baseline for a centralized control library. The control library provided the basis for the development and implementation of a holistic strategy linking security and IT policies to supporting standards, procedures and processes.
- Updated and expanded the GRC tool assessment questionnaires.
- Provided strategic guidance on the definition of risk and risk tiers for the update of the third-party assessment program.
- Leveraged the control library to focus on specific information security domains.
- Executed and participated in the Company’s annual internal Information Security self-assessments. The Program and workflow changes resulting from the assessment were incorporated in the GRC tool.
Security Risk Advisor
Confidential
Responsibilities:
- Liaised with business owners and external vendor to perform dynamic web application scans to identify and rank code vulnerabilities. The vendor leveraged OWASP vulnerabilities in base application scans.
- Worked with the business owners on the prioritization and remediation efforts for the critical vulnerabilities. The exception process was performed and followed for vulnerabilities requiring additional remediation efforts.
- Advised on and worked with business users to resolve potential security risks on both new internal and third-party technology initiatives connecting to Confidential’s network.
Information Security Program Enhancement Lead
Confidential
Responsibilities:
- Identified and provided strategic direction in the development of a repeatable process to address and simplify regulatory, security compliance, and customer assessments.
- Established a framework of 18 security domains and their controls to realign the information security policies and security program. These addressed industry best practices and the required regulatory controls for SOX, HIPAA and PCI DSS.
- Analyzed and provided the comprehensive technical direction, structure, and templates for writing future corporate information security policies, standards and processes.
- Assisted the Legal and Information Security teams with revision to the Information Security Handbook.
HIPAA Security Assessment Lead
Confidential
Responsibilities:
- Developed the long-range approach for an assessment of the Company’s implemented security controls to ensure compliance with the HIPAA Omnibus Rule; the approach was based on NIST and the OCR audit protocol.
- Initiated and handed off the self-assessment to internal resources while providing guidance and interpretation of the controls from the HIPAA Final Security Rule.
PCI Remediation Lead
Confidential
Responsibilities:
- Led several remediation projects identified by an external QSA that required the Company to achieve PCI compliance for that current year.
- Validated that Allstate standards using application security best practices were followed by the developers for vulnerability code scans; peer-to-peer code reviews were performed during development; and developers attended secure coding training based on OWASP or similar methodologies.
- Facilitated and managed the roll-out of Host-Based Intrusion Prevention software, and eDiscovery scanning of call center network devices to remove any identified PAN data or other PII data.
Third Party Information Security Risk Assessor
Confidential
Responsibilities:
- Assessed and evaluated security controls for new and existing vendors as part of a GLBA Third Party Supplier Risk Program. This involved utilizing an internal tool to identify impact and threat likelihood to quantify business risk and provide tiered risk rating.
- Leveraged tool risk rating to develop BITS questionnaire to submit to suppliers for control implementation and effectiveness.
- Analyzed responses to the questionnaire from the third-party suppliers to assess the third-party suppliers’ security posture and to determine if it was sufficient for protecting customer information.
- Identified gaps and provided recommendations to mitigate security risk and severity.
- Identified the third parties’ security gaps, initiated the remediation plans with third-party suppliers to correct and close the security gaps based on the severity and criticality of the risk.
PMO Oversight of Information Security Program for Separation/Merger
Confidential
Responsibilities:
- Shadowed and advised the PMO to ensure all aspects of the Information Security Program were addressed during the planning and disengagement phases of BCBSFL’s acquisition of Novitas Solutions from Confidential Medicare Services.
- Reviewed and provided analysis on all information security projects, project tasks, timelines, dependencies and handoffs involving people, processes and technology to ensure continued availability of critical security systems and processes.
Disaster Recovery/Business Continuity Asset Inventory Implementation Lead
Confidential
Responsibilities:
- Developed dataflow diagrams to maintain identification of critical systems and components. The dataflow diagrams were instrumental in developing the application database (CMDB). The application database identified aggregated sources mapped to corresponding servers by datacenter for both physical and virtual environments, inclusive of names, IP addresses and locations. The end result was a complete mapping of all known assets for multiple uses, which included change management, disaster recovery and business continuity.
- Worked with senior management to identify all known critical application components and hardware assets, and to discover others, as part of a disaster recovery/business continuity effort.
Global IT Security Control Assessment Framework & Baseline Controls Development Lead
Confidential
Responsibilities:
- Developed Confidential’s enterprise-wide security control framework and baseline as part of the Confidential global IT security transformation initiative to address risk, security and compliance concerns.
- The control baseline, derived from global regulations and security industry standards, was the minimum standard to be applied across all Confidential globally regardless of industry or geography.
- The Unified Compliance Framework (UCF) was utilized as the foundation for normalizing the controls from 26 authoritative sources including ISO 2700x, NIST, COBIT, ITIL, PCI DSS, HIPAA, and US state/EU-specific laws and regulations.
IT Risk Assessment Framework Development Lead
Confidential
Responsibilities:
- Developed and implemented a framework comprising the security domains and controls derived from COBIT, ISO 2700x, FFIEC and NIST standards for assessing IT Risk in the organization.
- The framework provided the basis for the development of preliminary question sets and required artifacts for performing annual internal risk assessments.
- Mapped GLBA, MAS, FSA and BASEL II controls to the framework to identify regulatory requirements.
- Leveraged the framework when performing the gap assessment of Confidential’s current policies and standards against identified operational business functions.
Process, Policy Development & Data Classification Lead
Confidential
Responsibilities:
- Developed and implemented information security policies, standards, and processes, which included 19 corporate security policies, security awareness, the data classification process, and incident response processes. The Corporate Information Security Incident Response Process included the approach, process flow, phases, and detailed content.
- Expanded and prototyped a general security awareness information security tri-fold brochure to be used in new hire packets and information security presentations for general audiences.
- Created and implemented the data classification framework and process, inclusive of roles and responsibilities, definitions, data element categories, and data elements, and initiated the pilot program.
Incident Management Program Enhancement Lead
Confidential
Responsibilities:
- Reviewed and updated the information security Incident Management Process and corresponding documentation at Confidential to better utilize resources and improve overall effectiveness and user awareness.
- This included normalizing the incident categories, escalation procedures and decision tree for responding to security incidents along with linkages to data classification initiatives in development.
Event Log Inventory & Analysis Lead
Confidential
Responsibilities:
- Identified, inventoried, and analyzed the current state of event log capabilities for several high-priority, risk-based applications at Confidential.
- Resulting information was used in creating a new standard for security event logging, audit log retention, and data classification.
Information Security Assessment Program Development Lead
Confidential
Responsibilities:
- Was the principal developer of a program (process and supporting methodology) to conduct a security assessment for Confidential (IL, NM, OK, TX). The objective was to assess the enterprise information security program against the supporting HIPAA and SOX regulatory compliance initiatives.
- As part of the assessment program development, detailed the control criteria for all elements within security program areas to identify implementation and operational effectiveness. Identified security program areas and control elements as the basis for maintaining an assessment consistent with regulatory compliance and widely recognized standards (COBIT, ISO 2700x, NIST).
- Conducted information security assessments in 2006 and 2007 to validate security controls effectiveness and managed remediation plans and activities to ensure closure of assessment gaps.
Risk and Compliance Assessment Program Development Lead
Confidential
Responsibilities:
- Initiated, tested and documented a process and methodology for Confidential to conduct Security Risk and Compliance Assessments.
- Identified Security Control elements key to Confidential’s Security program and those applications required for GLBA Compliance.
- Developed and conducted a self-assessment, utilizing CLAD Security Assessment, to identify gaps and remediation areas. Security controls were approved by key groups within Confidential responsible for security and compliance assessments or audits.
- These key groups included Corporate Compliance, Internal Audit, Security, and several ongoing project teams that provided input into the Enterprise Wide Risk Assessment.
- Developed and prototyped the information security control checkpoints checklist for system development lifecycle projects for Confidential (BCBS).
- Identified required Information Security documentation and management signoff for phase completion of SDLC projects.
- Developed and rolled out the project management questionnaire to be completed when Information Security is involved in tier one and two projects.
Wireless Security Review Lead
Confidential
Responsibilities:
- Acted as the lead for a wireless network security review and documentation project for Confidential.
- Developed a plan and provided team direction and oversight for a security review of a proposed design, vendor selection, and initial deployment of the enterprise Wi-Fi wireless network.
- Enterprise locations included offices, power generation facilities, command centers, distribution yards, and warehouses. Wireless devices included laptops, handhelds, VoIP phones, cameras, and other wireless devices.
- Developed and rolled out the WLAN standards, procedures, and guidelines. These documents covered overall WLAN design, intrusion detection, device configuration and implementation, pre-installation site survey, and operational and user support.
- Reviewed proposed wireless intrusion prevention solutions as a separate overlay network.
Information Security Program Development Lead
Confidential
Responsibilities:
- Worked directly with the CISO to rebrand and refocus the Information Security Department.
- As part of that effort, developed and deployed a strategic end-state and interim Information Security Department to focus on processes and services to be offered to the corporation. This included being the Team Lead in the development and implementation of preliminary organizational roles and responsibilities, processes, and information security services, using best practices from NIST, ISO 27001/27002, and COBIT to address business drivers and regulatory issues.
- Created, implemented, and chaired an information security governance committee to address information security awareness, risk identification and mitigation options.
- Identified and initiated development of 25 security processes to be performed by the Information Security Department.
- Created 22 information security policies and supporting procedures to comply with the HIPAA Security Rule.
- Reviewed products from Security Event and Incident Management (SEIM) vendors to comply with the log analysis and monitoring section of the HIPAA Security Rule.
Incident Response Program Lead
Confidential
Responsibilities:
- Identified and established the approach, strategy, and implementation of an incident response program for Confidential (BCBS) to comply with the HIPAA Security Rule. The program, based on the Carnegie Mellon CSIRT Handbook, included charter, incident categories, definitions, processes, roles and responsibilities, policies and procedures, and reporting and documentation templates.
- Identified and analyzed evidence retention solutions for tracking information security incidents for reporting and trend analysis.
- Evaluation Team Member for the pilot of Guidance Software’s EnCase enterprise investigation solution computer forensics tool.
- Served as the Incident Response Interim Security Analyst for the first-year rollout of the program.
Information Security Career Pathing Program Development Lead
Confidential
Responsibilities:
- Developed and piloted an Individual Performance and Evaluation Framework for Confidential (BCBS) for career development and advancement of internal information security personnel.
- Developed and piloted department-specific domains and development criteria.
- Developed review cycle and evaluation guidelines to monitor individual progress.
Process Improvement Lead
Confidential
Responsibilities:
- Developed and rolled out the approach, design and content for several security-related process documents for Confidential (BCBS) to aid in improving overall process efficiency and reducing required man-hours.
- One specific document, on how the information security team should respond to an external SAS 70 audit, provided a proactive approach and simplified the process of preparing for the annual audit.
Confidential, Arlington Heights, IL
Consultant, Management Consulting Services
Responsibilities:
- Provided professional services as a management consultant in the Information Technology Management/Enterprise Systems Management Group to several industry verticals including healthcare, insurance, material services, technology, and automotive.
- Projects included network implementations, business continuity, infrastructure consolidation, network assessments, IT process improvements, and IT product analysis.
Confidential, Elk Grove Village, IL
Product Application Engineer
Responsibilities:
- Provided technical guidance to sales staff on SCO UNIX / X-Windows based physical security card access control systems.
- Provided sign-off on the system engineering final design review of security projects prior to proposal submission.
- Developed and provided clients alternative designs and solutions to product restrictions through various networking technologies and products to enhance stand-alone proprietary control systems.
- Developed and implemented acceptance testing at the branch office to enable products to work in non-standard environments.
- Resolved client product application issues as a liaison to corporate engineers.