Information Security & Compliance Officer Resume
Huntington Beach, CA
SUMMARY:
- Adept at developing effective compliance initiatives including ISO 27001, NERC CIP, NIST 800-53, Sarbanes-Oxley, SAS 70, RG 5.71, NEI 04-04, NEI 08-09, NRC, Basel II, PCI DSS, Safe Harbor and HIPAA compliance policies and procedures, process identification, test controls, project documentation, test scripts, milestones, and technical/business specifications.
- Track record of increasing responsibility in secure network design, systems analysis and development, and full lifecycle project management.
- Demonstrated capacity to implement innovative security programs like PKI, S/MIME, PGP, Apache client management, wireless security, RSA tokens, and US-CERT programs that drive awareness, decrease exposure, and strengthen organizations.
- Hands-on experience leading all stages of system development efforts, including requirements definition, design, architecture, testing, and production support.
- Outstanding leadership abilities; able to coordinate and direct all phases of project-based efforts while managing, motivating, and leading project teams.
- Adept at developing effective security strategies to mitigate risk, maintain business continuity, write effective & enforceable policies and procedures, GAP Analysis, auditable trails, project documentation milestones and technical/business specifications.
TECHNICAL SKILLS:
Platforms: UNIX (Solaris, HP-UX), Cisco, Juniper Networks, Confidential Windows operating systems (Windows NT, 2008), Linux (Red Hat, Yellow Dog), Sun SPARC, Mac OS, J2EE, AIX and ClearCase applications.
Networking: TCP/IP, LAN/WAN, Novell, DECnet, Banyan, ISO/OSI, IPX/SPX, SNA, SMS/SQL, Ethernet, Token Ring, FDDI, LDAP, VPN, SSH, SecureID, PGP, PKI, PIX, ASA, Checkpoint
Languages: UNIX shell scripting, C, Basic, Troff, Nroff, HTML, Perl, PHP, ABAP, VB, CATT scripting, SQL Server.
Methodologies: CoBIT, COSO, PCAOB AS5, SAS 70, Basel II, GLBA, SOX, PCI DSS, HIPAA, ISO 27001, ISO 27002, ITIL, ePHI, CFR-11, NIST 800-53A, NIST 800-37, NEI 08-09, 10 CFR 73.54, OSHPD, ISO 17799, ISO 27001, ITIL, SB 1386, Single Sign On (SSO), PMBOK, RUP, SDLC, FAR, DAR
Tools: LAN Manager, SUN IDM, ISS RealSecure, Checkpoint Firewall, Norton Firewall and Ghost, McAfee/Norton virus protection utilities, HP OpenView, Network Flight Recorder, Tivoli, Tripwire, PKI, SSL, DES, IKE, Snort, LDAP, GRC VIRSA, APPROVA, QRadar, Industrial Defender, Foundstone, Tripwire, Nessus, Movaris, Lotus Notes, LiveLink, ARIS, Confidential Office System (including Confidential Word, Confidential Excel, Confidential PowerPoint, Confidential Access, and Confidential Outlook), Confidential Project, Confidential SharePoint, Visio and Confidential FrontPage
PROFESSIONAL EXPERIENCE:
Confidential, Huntington Beach, CA
Information Security & Compliance Officer
Responsibilities:
- Developed enterprise wide information security risk assessment methodology, established key information security matrices related to architecture to mitigate security risks.
- Serves as a Subject Matter Expert in all design reviews and toll gates for designs.
- Established control matrix for the implementation of Cyber Security program under NEI 08-09 Rev 6 for the San Onofre Nuclear Generating Station.
- Wrote Defensive strategies, Defense in depth analysis, CSAT team training and all work related to the implementation of Cyber Security policy guideline 10 CFR 73.54 for nuclear power generation.
- Established and managed Security team for the NERC CIP implementation, brought the utility under compliance, supervised and conducted NERC & FISMA audits.
- Led a team of auditors to conduct mock audits on NERC CIP requirements, identified gaps, worked on the remediation process, filed TFEs, and updated RSAWs.
- Augment IT and business units with virtual CISO (role) to manage the implementation and/or day-to-day Cyber Security Program/Operations.
- Revised security and end user computing policies and procedures to comply with the new cyber security initiatives.
- Project manager for design and implementation of MS SharePoint Portal Server 2003. Worked with Business stakeholders to determine needs and expectations, enforced Best Practices, Standards and Improvements. Delivered project on-time and under budget.
- Working at PG&E nuclear facility, established Computer Emergency Response Team (CERT) to proactively monitor all sites, report incidents, address vulnerabilities, Denial of Service attacks. Wrote procedures to remediate and escalate the reporting process. Enforced cyber-security NEI-04-04 Policies.
- Implemented and managed a global CSIRP (Cyber Security Incident Response Program) that resulted in better security management and forensic analysis, leading to an auditable trail for external audit and the apprehension and prosecution of the criminals. (Client: PG&E nuclear power plant.)
- Performed “As is” assessment for PCI DSS Certification, identified weaknesses and security gaps, then remediated and got VISA level 1 certification for a retail client.
- Performed need analysis, designed and implemented PKI (Public Key Infrastructure) increasing security authentication to comply with SOX and PCI DSS.
- Enforced and trained security team in effective management of Incident Response, recovery and forensic evidence collection.
- Remediated material weaknesses identified by the third party service (Foundstone), to bring this retail client in compliance with PCI DSS.
- Team lead for conducting accurate evaluations of the level of security, weighing business needs against security concerns and articulating issues to management. Developed and enforced security policies and guidelines.
- Designed the control framework for this client based on COSO and COBIT framework.
- Worked with external auditors to generate yearly SAS 70 reports.
- Conducted a workshop on SAS 70 landscape in the era of Sarbanes Oxley.
- As a lead external auditor evaluated SAS 70 reports provided by other clients for their outsourced process. Tested controls to validate SAS70 for General Computer Controls.
- Managed a project for spam filtering and malicious content filtering, reducing junk mail by 80% and vulnerability and DDOS attacks by 95%.
- Project lead for SOD remediation issues; migrated from VIRSA 4.0 to SAP Access Control 5.3 without an increase in Remedy tickets. Set up CUA (Central User Administration) and maintenance. Trained the Security Administrator on ECC 6.
- Designed and implemented SAP HCM, Segregation of Duties issues, generated Security Access Matrix, trained developers on VIRSA tools and SDLC procedures.
- Implemented paperless Change Management using HelpStar, reduced processing time by 70%, while establishing an auditable trail.
- Managed the RFP and negotiation process for recommending and selecting an HCM system; worked as program manager for implementation of SAP HCM including personnel management, time management, benefits administration, e-recruiting, and EEO4 and EEO5 reporting in the public sector.
- Project manager for implementation of SAP R3 Materials Management, migrating from a legacy system; maintained the project schedule from blueprint to production support.
- Implemented SAP administrative functions including transport management, client management, peripheral management and user management.
- Set up user IDs for all production SAP/R3 and BW users and assigned authorization levels based on their job descriptions.
- Program manager for a SAP conversion project from ECC 5.0 to ECC 6.0 for a retail client in Southern California and Texas.
- Maintained and communicated on the intranet all security policies and practices.
- Designed and Implemented One LDAP on Sun Solaris to support Identity Management.
- Designed security and data migration of multiple NT domains into a secure Active Directory environment. Migrated all applications to Windows Server 2003.
- Spearheaded creation of four new information-security departments, including Risk Assessment, Vulnerability, Penetration Testing, and Security Engineering services.
- Identified key automated controls via review of business process documentation. Validated Sarbanes-Oxley documentation for completeness, adequacy and testability. Reviewed controls for risks and gaps.
- Instrumental in developing and implementing Business Continuity and Disaster Recovery (BCP & DRP) Plans for corporate sites throughout US and Worldwide Data Centers. Implemented this strategy at Pan American bank, Capital Commercial bank and United Funding.
- Acted as interim Chief Information Officer for a bank, established SDLC methodology and Change Management, and hired and mentored the new CIO for a smooth transfer of knowledge.
- Hand selected employees from Information Technology department to build Data Center migration from Sun Solaris to Windows Server 2003, migrated all data and users to the new system with minimum disruptions.
- Participated in administration of the SAP Security team including problem resolution, ID creation and maintenance, transport creation/release/move, and role creation/maintenance.
- Supported project team security admin and testing requirements for sandbox, development, training, test and production.
- Hand selected employees from Information Technology department to build Risk Assessment Team charged with analyzing all critical systems, developing reports to document systems vulnerabilities, and recommending appropriate solutions.
- Created companywide policies and procedures governing corporate security, email and Internet usage, access control, and incident response, implemented VIRSA Compliance Calibrator.
Chief Information Security Officer
Responsibilities:
- Performed operational and financial integrated audits and pre- and post-implementation reviews, worked with stakeholders to remediate weaknesses.
- Helped establish annual audit plan for core competency areas using risk assessment methodology.
- Created and chaired Change Management and Control, automated change requests, and created a database for statutory compliance.
- Reviewed systems for adequate management controls, efficiency, and compliance with policies, regulations, and accounting principles. Made recommendations to comply with BS7799 and Safety controls.
- Created flowcharts to document business systems and processes for IT audit reports, automated over 50% controls for auditable trail.
- Coordinated with Engineering, Finance and Treasury departments to create remediation plans for deficiencies found during audits.
- Authored numerous ISO 17799 and BS7799 procedures and security policies in support of engineering operations, participating in regular audits to ensure regulatory compliance.
- Advised process owners on new applications, identified potential security concerns, developed approach to mitigate risks, and worked with IT to implement recommendations.
- Chaired the Change Control Board function, maintained a global view of company priorities by providing objective decisions consistent with change control policies and procedures, reducing emergency changes from 80% to 10%.
- Managed creation of high-profile HATP (High Availability Transaction Processing) solution, supervising development teams working in multiple locations.
- Developed highly effective Software Manager Application to enable disk-free software upgrades deployed through ATMs and desktop systems worldwide.
- Deployed over 2,500 systems in a Windows 2000 environment, ghosted from master in record time.
Director Engineering, Network Developer
Responsibilities:
- Designed and implemented customer call-center support procedures and customer network design strategy for sales and marketing teams.
- Developed and maintained consultative relationships with IT management and staff in the areas of data management, data center operations, change management, security and contingency planning.
- Recognized for outstanding quality of customer service with numerous customer-support awards and personal commendation from clients.