IT Auditor Consultant Resume Profile
TECHNICAL SKILLS
Security / IT Audit Tools
Kali Linux 1.0.9 distribution for penetration testing, Websense, RSA enVision SIEM, Splunk SIEM, BeEF, Paisley GRC audit program, IBM AppScan, Nessus internal/external network scanner, Rapid7/Metasploit, Tripwire SecureScan, Snort IDS/IPS, Foundstone, Nmap, NetScan, Wireshark network protocol analyzer, Burp Suite, Mutillidae, BackTrack 4.0, Dell KACE 1000 (patch/client configuration management), FOX-T (an SAP IAM and SOD tool - Virsa and GRC prototype), Log Parser 2.2.
Applications / Technologies
SAP R/3 4.5x, 4.6x, 5.0, SAP WebAS (Web Application Server), SAP ePortal and NetWeaver, Oracle Financials, Microsoft Dynamics (Great Plains), Crystal Reports 2008, Oracle 8i Enterprise Server, Microsoft SQL Server 6.5, 7.0, and 2000, CrossWorlds v3.0 eBusiness Enterprise platform middleware (now part of IBM's WebSphere suite), IBM MQSeries messaging utility (including web-based model), Clarify 6.0 call center and CRM software, Remedium (now Remedy) Incident and Help Desk Case Manager, Poetic Software (entitlement and licensing processing), Microsoft IIS (Internet Information Server), Microsoft Office and Outlook, Lotus Notes, MS Project, webMethods Integration Server, Visio, MS SharePoint, Apache Web Server 2.2, Tomcat
Standards Guidelines/Frameworks
COBIT 4 and 5, COSO, ISO 27001/27002, PCI-DSS 3.0, FISMA/NIST, HIPAA and Omnibus, MA 201 CMR 17, SOC 1/2/3 (SSAE 16), SAS 70, Carnegie Mellon CMMI maturity model, COBIT 5 Capability Model, NIST and COBIT 5 Risk Management/BCP/DR/BIA frameworks
Programming Languages
Microsoft SQL scripting, Oracle SQL*Plus queries, UNIX/Linux scripting, HTML 3.0, Crystal Reports
Operating Systems
Windows, UNIX (HP-UX), Linux (Red Hat, Ubuntu, Mint, Kali), VMware, z/OS, OpenVMS
Employment
Confidential
PCI Credit Card Security BA / IT Security Analyst Consultant/Contractor
- At their eCommerce education client Ascend Learning:
- Drafting PCI-DSS Business and TechOps Narratives and Flowcharts describing current credit card transaction flows on enterprise-wide eCommerce web portals, both in-house and in the cloud.
- Conducting PCI-DSS Business and IT Security gap analysis, noting findings and making recommendations for PCI credit card processing gap remediation.
Confidential
Director of Information Security and Privacy
- Heartbleed bug: spearheaded and led investigation of MEMIC's partner/vendor claims regarding their Heartbleed status.
- Implemented the following pilot IT Security and Privacy initiatives:
- Liaised with Director of IT Operations, Director of IT Applications, Manager of Web Applications, and MEMIC's external Legal Counsel.
- Assessed security baselines of existing company IT technologies including: email systems (MobileIron, Lotus Notes, Domino, Traveler, Websense Gateway), patching and imaging system (Dell KACE 1000 and 2000), web proxy/filter (Websense), laptop encryption (Symantec PGP Whole Disk Encryption), Cisco network edge devices, servers and applications, anti-virus system (Trend Micro), SIEM (RSA enVision), and logical access (Microsoft Active Directory).
- Reviewed current IT Security policies and procedures for timeliness, accuracy and stakeholder ownership.
- Chartered, developed, and led a company-wide Risk Management Plan to locate presence of HIPAA PHI and PII data throughout the environment, and determine logical and physical access to that data.
- Review of PHI and PII transaction flows within the LAN environment, as well as external interfaces to our trading partners and vendors.
- Conducted an IT Security Gap analysis and Risk Assessment of MEMIC's IT Department.
- Drafted HIPAA/PHI/PII Documentation Request Lists (DRLs) for presentation to the IT Senior Management Team, based on PCI, NIST and the Wisconsin HIPAA Consortium controls.
- Piloted use case analysis of DLP and SIEM vendors and products (including RSA enVision migration to Security Analytics, and Proofpoint email and DLP).
- Initiated an IT Security gap assessment of the AS/400 iSeries Insurance Claims system.
- Instituted weekly IT Security Status meeting with the Director of IT Operations.
- Reduced the company's annual legal Privacy/Compliance law attorney consultation fees through the recommendation and implementation of a Privacy and PII/PHI Law app and publication.
Confidential
SOX IT Internal Audit Consultant - Contractor
- At client John Hancock Insurance Internal IT Audit division in Boston, conducted fiscal year-end SOX TOD and TOE testing of key controls for Manulife Global User Access, Change Management, Incident Response, and Disaster Recovery, utilizing the Paisley GRC application.
Confidential
PCI Credit Card Security Analyst - Contractor
- As a former PCI ISA IT security assessor, was engaged in credit card security project management for the State of Massachusetts Department of Transportation (MassDOT) and MBTA's 2012-2013 PCI-DSS credit card processing compliance and gap assessment effort.
- Liaised between the current PCI QSA external auditing company and MassDOT/MBTA IT senior management stakeholders and process owners.
- Conducted and led PCI scoping, IT stakeholder interviews and IT baseline security controls assessment status meetings with MassDOT/MBTA IT Security, IT Operations, Networking, Desktop, and other IT department heads.
- Oversight of PCI and IT Security documentation and content management for MBTA and MassDOT policies, procedures, standards, as well as archival of workpaper exhibits for the PCI QSA and other IT auditing entities.
- Preparation of various PCI metrics and tools, including CMMI Maturity Model and Microsoft Project Gantt chart, and incorporation of a ROC (Report on Compliance)-mapped Documentation Request List (DRL) and tracker matrix.
Confidential
SOX Internal Audit Consultant Contractor
- Year-end GCC logical and physical controls testing and findings assessments for client State Street Bank in North Quincy, MA.
Confidential
FISMA/NIST Security Analyst Contractor
- Collaborated with the client's IT Director of Security and their Manager of IT Security at Abt Associates to develop their pilot SSP (System Security Plan) for implementation of FISMA/NIST IT Security controls around a Linux and VMware enclave for HIPAA and PII data.
- Collaborated on Risk Assessment of these FISMA security controls established in the SSP for the enclave.
Confidential
PCI credit card IT Security and Compliance Analyst
PCI ISA certified Project Lead for PCI Credit Card Security and Compliance requirements assessment and gap remediation at over 150 corporate and franchise C-store locations. Obtained PCI training and certification as an ISA (Internal Security Assessor) through PCI-SSC.
Also responsible for:
- Developing company's SOX and MA 201 procedures for Logical Access and Change Management.
- Designed and developed corporate Risk Management program for PCI-DSS compliance.
Confidential
FISMA Lead Security and Risk Analyst Contractor
- FISMA compliance (moderate level) for contractor/vendor readiness consulting; risk assessment prepping for C&A package.
- Provided ongoing FISMA and NIST IT Security guidance, reviews and assessments for one of Sentri's clients, Abt Associates, a government contractor, during their Technology Transformation migration to the Windows platform from their current Novell/Lotus Notes/Domino platform, consisting of the following Microsoft technologies:
- Windows Server 2008 R2, AD (Active Directory), RMS (Rights Management Server), SCOM, SCCM, FIM (Forefront Identity Manager), Microsoft's Cloud for Exchange (BPOS - Business Productivity Online Suite, including BlackBerry Server), DNS, DHCP, IIS, IE, Windows 7, on-prem PKI, as well as non-Microsoft technologies: NetApp SAN and VMware ESXi/vCenter.
- Enterprise security auditing tools familiarity including Microsoft SCOM (System Center Operations Manager/MOM) Management Packs, and SCCM (System Center Configuration Manager) Desired Configuration Management (DCM) baselines, leveraging Microsoft Security Solution Accelerators and other Microsoft enterprise security auditing tools.
Confidential
Security, Risk and Compliance Analyst Contractor
- PCI-DSS SAQ, MA 201 and IT Security and Compliance reviews.
- At various Colleges in MA, acting in a QSA capacity for multiple PCI-DSS annual SAQ D preparation and submittals, and implemented MA 201 CMR 17 compliance and audit readiness.
- Additionally performed IT Security controls testing for Banking, Health Care and Retail clients.
Confidential
Software Engineer/ PCI-DSS IT Security and Compliance Consultant Contractor
- Collaborated with a NAC/network management application software development company's Director of Engineering to design and implement a set of pilot PCI-DSS (Payment Card Industry) reports utilizing Crystal Reports 2008, based on PCI requirements and BI from their software product's NAC production SQL database.
- Tested and verified the application report results.
- Performed SQL queries with MySQL command line and GUI query browser.
- Validated data transfer and document output/input.
Confidential
Information Security Analyst Consultant Contractor
For client Long Term Care Partners, LLC, administrators of The Federal Long Term Care Insurance Program, sponsored by the U.S. Office of Personnel Management.
Primary responsibilities:
- Assist in the development and management of security documentation (policies, procedures, etc.).
- Monitor and report on the compliance of information systems.
- Map policies and procedures to:
- FISMA/NIST Certification and Accreditation (C&A) program
- The newly-revised HIPAA, specifically arising from the recent ARRA HITECH Act.
- Business Continuity Planning and Disaster Recovery
- Collected, tracked and aggregated Business Unit plan updates, assisted in the development/design, scheduling and testing of BCP/DR plans.
Confidential
IT Risk Assurance Services Consultant Contractor
Collaborated with BDO Seidman Risk Assurance Services Managing Partner to write pilot prototype Global Data Center IT Security Policies for their university client Laureate Education, Inc., including Perimeter Security, Firewalls, Software Download and Installation, Mobile Devices, Remote Access, Encryption Requirements, Internet and Electronic Communication Usage, and Acceptable Use.
Confidential
IT Security /Risk Consultant Contractor
Collaborated with the Director of IT Security at Harvard University and with school faculty to develop and implement a pilot internal IT Security controls framework and Risk Management / Risk Assessment program for one of Harvard's largest undergraduate schools. Assessment tools and frameworks included ITIL v3, PCI-DSS, NIST, COBIT, COSO and ISO 27001/27002.
Deliverables included:
- Identification of high-risk data used by department systems.
- Development of a Security Controls testing matrix/tool, and mapping the school's University Security Policy standards to each of the frameworks (COBIT, ISO, PCI, NIST, ITIL, and COSO).
- Documented remediation recommendations, and additional inherent controls to secure confidential data information systems.
Confidential
SAP IT Security/Controls Lead Consultant Contractor
- Developed SAP Application Controls Objectives and Risk Framework for Aerospace and Defense government contractor Bell Helicopter. Risk Assessment utilized the FMEA (Lean Six Sigma Failure Mode and Effects Analysis) tool.
- Ensured security compliance with parent company Textron COE, Military Contracts, U.S. Government DOD Munitions, FAR, DFAR, ITAR, DCMA, DCAA and Commercial Contracts SOX/security control requirements.
- Led controls and process security review of PBL Performance Based Logistics Defense Contract requirements for V-22 and AH-1W attack helicopter aircraft, facilitating retirement of older legacy data systems and interfaces for migration to SAP MRO PBL scenario.
- Reviewed SAP 4.6C modules and Legacy applications, including MRP, BOM, Inventory, AP, AR, Purchase to Pay, during corporate's ongoing Business Systems Modernization ERP projects.
- Contributor to To-Be Design Reviews with SME's for implementing MRO functionality into SAP 4.6C during Wave 1 phase of project with forward looking to Wave 2 SAP 6.0.
Confidential
SAS 70 Consultant Contractor
For client Diversified Credit, implemented pilot internal controls and security framework SAS 70 Type 1 to prepare them for upcoming SAS 70 Type 2 compliance requirements.
Confidential
Senior IT Auditor / SAP Security Analyst Full Time Permanent
- Collaborated with the Director of IT Internal Audit and Compliance to develop the FY 2008 Corporate IT Risk Management Plan for CMGi's ModusLink Division, which specializes in Supply Chain Management (SCM).
- Designed Pilot Security Risk Assessment draft framework (FY '08), mapping operational, entity, technical, and security IT risks to COBIT, COSO, ITIL and ISO 27001 high-level and detailed control objectives.
- Developed an Operations Internal Controls (non-SOX) risk framework and list, and from that performed a FY '07 Risk Assessment on SAP 5.0, Microsoft SQL Server 2000, Win32/WinNT platform (including AD/Active Directory LDAP), and global network and application interfaces, mapping back to COBIT control objectives, for review by Senior Management.
- Reviewed and assessed PCI-DSS audit findings.
- Project Lead, SOX 2007 FYE (as of July 31) for year-end TOD and TOE testing and remediation of ITGC/GCC controls at CMGi Waltham corporate headquarters' data center. Project lead for roll-forward testing and remediation of corporate IT controls for FY '08.
- Retested ITGC remediated controls for four U.S. and International corporate data center locations, for FYE '07, collaborating with external auditor KPMG.
- Hired and trained an IT Auditor in COBIT controls risk assessments, and SAP migration pre- and post-implementation security controls review. Also interviewed and hired a SOX Coordinator.
- Designed, and then presented, the 2007 IT Audit Plan to the senior IT management team, including the CIO and Director of Internal Audit, for the SAP 4.6C -> 5.0 data conversion and upgrade migration rollout to the global data centers.
- Designed, spearheaded and implemented an IT and Application controls framework for the SAP Data Conversion and migration, including SAP Rollout Critical Controls, and their corresponding Test Procedures.
- On-site Project Lead of three-member Risk Assessment team at Moduslink's Newark, CA Data Center in Sept '06, for review and assessment of SAP Data Conversion processes and procedures. Implemented SAP Global Data Center Rollout Critical Controls. Designed corresponding test procedures.
- The following projects were SOX IT Security audits and engagements, taking place over a two-year period between 2004 and 2006, acting as SOX Senior IT Auditor and Consultant:
Confidential
Senior IT Auditor Consultant
At client site Volt Information Services in Confidential: SOX IT audit review of corporate headquarters' UNIX data centers in Manhattan and Westbury, LI. Developed IT Internal Controls Risk Assessment Matrices and GCC test scripts based on corporate IT control activities, and tested approximately 100 IT controls for HP 9000 HP-UX GCC security at both UNIX data centers. Also reviewed and assessed application controls of Great Plains software for a remote site installation.
Confidential
SOX IT Compliance Consultant
At public utility Pennichuck Water Works corporate headquarters, developed IT process documentation and assessed it with the COBIT maturity model; collaborated with the Manager of IT on SOX IT General Controls narratives. Led IT control gap status meetings for gap remediation. Initiated IT Internal Controls risk assessment, and vetted an initiative with the Board of Directors to create an IT Steering Committee.
Confidential
SOX IT Auditor Consultant -
At Mercury Interactive corporate headquarters, performed multiple SAS 70 risk assessments and reviews of the client's numerous outsourced service vendors. GCC testing on Change Control, Backup and Restore, Logical and Physical Security. Reviewed and assessed SDLC policies and procedures. Facilitated meetings between PwC external auditors, Mercury BPOs/SMEs, and line/senior management.
Confidential
SOX IT Consulting
GCC controls testing at client XL Capital Insurance corporate headquarters, a reinsurance company based out of Bermuda and Stamford, CT. Also evaluated the effectiveness of logical and physical access security measures. PwC external auditors.
Confidential
SOX IT Auditor Consultant
- Performed detailed evaluation of data processing systems and operating procedures.
- GCC controls testing at client in Ann Arbor, MI. KPMG external auditors.
Confidential
SOX IT Consulting
SAP interfaces gap remediation consulting for Nortel Networks; submitted recommendations for improving current standards during their IT gap remediation of SAP 4.6, Unix and Oracle Financials interfaces infrastructure (200 interfaces). Deloitte external auditors.
Confidential
SOX IT Auditor Consultant
At 3COM Corp. headquarters, re-assessed and retested onsite one of their outsourced vendor's failed SAS 70 at their Santa Clara, CA location. Conducted SOX GCC controls testing (second pass) and SAP 4.6 application controls testing. Reviewed corporate binder documentation of change control for GCCs and ERP/enterprise applications at 3COM's new corporate headquarters in Marlborough, MA. Reported to 3COM Director of Internal Audit. Deloitte external auditors.
Confidential
SOX IT Consultant
- At MicroFinancial Inc., Woburn, MA: developed COBIT framework for corporate control objectives; responsible for development of SOX pilot documentation (narratives, process flows, and matrices of GCC and application controls).
- At Zoll Medical, Chelmsford, MA: delivered guidance documentation on their current SOX 404 strategy, including recommendations to Corporate on test plans, narratives, and policies and procedures documents. Oracle 9i and 11i ERP application and GCC testing scripts and reviews.
Confidential
SOX IT Project Lead Consultant
Lead GCC tester for four corporate billing and financial applications, including the Oracle 11i OFA application, at Concentra, Waltham, MA. Concentra specializes in outsourced cost management services for group health insurance companies, payer organizations and medical providers, also offering workers' compensation and additional healthcare services.
Confidential
Manager Consultant
- SOX 404 TSRS (Technology and Security Risk Services), reporting directly to E&Y's New England Area Director, Assurance and Advisory Business Services, at client Banknorth (now TD Banknorth) for a three-month contract.
- Authored and delivered pilot SOX narrative (COBIT framework), Key IT Controls Matrix, and process flow for Managed Changes (Mainframe) at Banknorth corporate headquarters in Portland, Maine. Mainframe operations was outsourced to Fidelity Information Systems in Philadelphia, PA, with their Ops and Applications managers employed on-site. Also collaborated on site with E&Y senior managers on SOX narrative, matrix, and process flow for Managed Changes (Distributed Systems) as well. These deliverables were adopted as the template for all of Banknorth's Sarbanes-Oxley 404 IT documentation going forward. Manage Change documentation was developed and established via individual interviews of all departments/owners, and then group workshop meetings with line and upper-level management. Management process owners and department heads included the bank's Business Line, Technology, Distributed Apps/Mainframe, CIO, Risk Management, Production Operations, Business Line Relationship and Support, Application Development, and Internal Audit departments.
Confidential
SOX IT Auditor Consultant
Internal controls consulting for SOX COBIT control objectives, initial kickoff controls scoping and framework assessment. IT controls risk assessment and testing procedures for Blyth Mfg. Corporation, Greenwich, CT. Preliminary IT process documentation review, collaborating with Blyth's Director of Internal Audit.
Confidential
SOX IT Auditor Consultant
- PricewaterhouseCoopers (internal auditor for Citrix; E&Y external auditor for Citrix): worked with PwC in a SOX IT internal controls auditor/consultant capacity.
- Client: Citrix Software at their corporate headquarters in Confidential.
- Outsourced to Citrix Software through CSI (Control Solutions International), Nashua, NH. One-month contract.
- Developed gap analysis, application controls and testing using PwC's control matrices and narratives covering the IT processes Backup and Recovery, Computer Operations, Physical Security, Logical Access, and Change Management.
- Application controls review included: SAP 4.6, SRM/EBP (Cash-to-Pay and Procurement), Vantive CRM-to-SAP, SAP bolt-on Vertex Sales and Use Tax module, Citrix proprietary Incentive Sales Commissions application.
Confidential
Through Manpower and other temporary staffing agencies.
Confidential
Entitlement, subscription and licensing processing (SAP SD module) for the Customer Care Business Center at Autodesk Inc., a software company marketing AutoCAD and architectural software to the construction, CAD graphics, and computer animation industries, for a 9-month contract.
Full Time Permanent
Confidential
Staff IS Analyst fulfilling the following roles:
- Middleware Administrator, IBM WebSphere Business Integrator (WBI) and Interchange Server (then known as CrossWorlds), which provided EAI business logic between backend SAP 4.5B and CRM call center frontend (Clarify 6.0), for worldwide Service Contracts. Project Lead for maintenance, testing, and troubleshooting of four CrossWorlds eCommerce collaborations throughout the lifecycle of the SAP upgrade and associated WBI connector migration.
- Network administrator, NT 4.0 environment for distributed CrossWorlds production, test, and development servers, and associated SQL engines (Microsoft SQL Enterprise Server 6.5, 7.0, and Oracle 8i). Server-based and web-based IBM MQSeries for asynchronous messaging, Visigenic IIOP platform for CORBA and ORB communication, BEA WebLogic. Also monitoring and troubleshooting of SAP archive tables, repository and SAP/CrossWorlds tables.
- Systems Analyst, providing ongoing Contract business objects and Contact business objects troubleshooting of enterprise network attributed data/linkage problems; utilized tool set including Microsoft ISQL client, WebSphere CrossWorlds Interchange Server, and Microsoft NT 4.0 Administrator utilities. Participated in alpha and beta development of CrossWorlds SAP-to-CRM collaborations including Worldwide Contracts, Contacts (bi-directional), Functional Locations (Sites) and Items (Material and Products). Additional CrossWorlds development including coding, mapping and logic changes using the third-party Mercator business object map editor (CrossWorlds Rel. 1.3.1). Project Lead for installation and testing of the CrossWorlds SAP 4.5 connector during a successful SAP 3.0f -> SAP 4.5B upgrade. Coordinated CrossWorlds SAP transports for upgrades and instance refreshes.
- Support prime for Unix, NT 4.0/Win2000 Server and Sun Solaris global interface infrastructure (corporate-wide proprietary MQSeries-based IHUB of legacy-to-ERP and CRM enterprise interfaces, totaling 200-300 Unix shell and wrapper-scripted flat-file interfaces). 24/7 on-call troubleshooting across dual Unix/NT platforms.
- SAP Business Systems Analyst (BSA), Level 3 Sustaining Support - SD, FI, Workflow and EDI modules. SAP EDI prime, project lead for IDoc mapping development and testing with EDIFACT VAN partner. Implemented EDI ANSI X12 standard transactions between trading partners including purchase order (850), invoice (810), advance shipping notice (856), order acknowledgement (855), order inquiry (869), order report (870). Troubleshooting through SAP Workflow.
Confidential
- NT 4.0 Network Administrator, MIS Coordinator, Webmaster.
- Administrator of corporate-wide PBX/Voice Mail/E-mail systems.
- Project Lead for design and implementation of main corporate website.
- Implemented and maintained back-office accounting application Solomon IV (including AR, AP, GL, Inventory, PO, BOM with MRP front-end), Microsoft SQL Server and Btrieve backend.
- Implemented CRM/Sales Commissions Tracking and Contact Manager Goldmine/Act application.
- Deployed intranet for two satellite offices connected through NT RAS Server.
Confidential
- Outside sales/marketing to end users: leased lines, Frame Relay, CSU/DSU/router implementations, as well as installation of corporate presence web sites.
- Programmed telephony/voice mail applications for Interactive Voice Response (IVR) PBX systems. Troubleshooting of dialer program logic.
Confidential
- Program Director, Weare Community Cable Access Television (WCATV). Trained town residents on use of public television broadcasting and editing equipment. Responsible for production of documentaries and video shorts of local area interest, local historical landmarks, as well as public events such as town meetings, elections, holiday celebrations, and cultural events. Also taught an accredited high school course at Weare High School on Video Production and Film Appreciation to four classes of students per day.
Confidential
Principal of company, Programmer/Programmer Analyst, Systems Analyst, Systems Integrator, VAR, VAD. Implemented and trained on popular accounting software packages (Great Plains, Solomon, Real World, and BPI) in diverse vertical markets including Manufacturing, Wholesale/Distribution, Scientific, Engineering, MRP, Construction, Job Costing, Architectural, Medical/Dental, Legal (time and billing), Real Estate, and Retail. Managed a team of Systems Analysts. Utilized IBM PC and Apple desktops and workstations for single-user applications, along with Unix multi-user systems.