SUMMARY:

• Experience in the Risk Management, Risk Analysis and the Confidential 800 - 30, 800-53 Rev 3 &4 Special Publication (SP).
• Coordinate the cyber security projects. These include supporting cyber security for IT infrastructure and IT- based organizations, resource protection, security planning, identity management, security information management systems, Assessment and Authorization, policy and guidance, system test and evaluations ( Confidential & Confidential ).
• Keen attention to detail and expert in providing interpretive knowledge of Confidential IA requirements, policies, and procedures for information/infrastructure protection.
• Seasoned leadership and competence in planning, organizing, and executing agency projects with competing priorities in a fast-paced environment
• Results-driven team player; eager to take on new challenges with personal initiative and a keen sense of urgency, diligence, and enthusiasm.
• Excelled at strategic planning, building high-performance teams, project management, and implementing best practice methodologies and continuous improvement programs.

TECHNICAL AND COMMUNICATIONS SKILLS:

People-oriented: Highly skilled in written and verbal communications with a diverse group of individuals to resolve complex issues with clarity and enthusiasm; able to handle difficult and sensitive issues with diplomacy and objectivity.

Confidential /IA Policies: FISMA, NIST800-53 Rev3 &4, 800-37, 800-137, FIPS199, OMB A-130, TSA1400.3, DHS 4300’s

Information Assurance Tools: ISS (Internet Security System), Nessus Scanner, NetSparker, HP Fortify.

PROFESSIONAL EXPERIENCE:

Confidential, McLean, VA

Senior Information Cloud Security Engineer and Analyst

Responsibilities:

• Supports the developers and manager by assisting with the implementation and interpretation of security requirements governing OIG information and IT infrastructure protection, in particular those applying to cloud hosted environments (for example, AWS GovCloud, Microsoft Azure, etc.) and software development (.Net Framework).
• Assess the USPS/ OIG compliance with the Federal Information Security Management Act (FISMA) and FedRAMP.
• Liaison between programmers and developers during the SDLC for the CRIMES (Case Management) in Agile methodology application (project) and migrate the applications to the Microsoft Azure environment as Infrastructure as a service (Iaas).
• Trained and gained Azure Resource Manager (Azure Resource Management Cloud Microsoft) Certificate.
• Conduct Security Test & Evaluation of web applications/databases to include common application security threats and attacks including Input validation, Buffer overflow, cross site scripting, SQL injection, credential theft, elevation of privilege, disclosure of confidential data, data tampering, Configuration management—Unauthorized access to administration interfaces, unauthorized access to configuration stores, retrieval of clear text configuration data,
• Coordinate with team and manage vulnerabilities, incidents, threats and counter measures within the information processing infrastructure.
• Supports USPSOIG with network and security architecture, and multiple operating system platforms, databases, applications, WEB and other mobile and cloud technologies, such as: malware inspection, and new generation and application layer firewalls, VPN, development plan . Conduct Security Test & Evaluation ( Confidential &E) documents; security assessment and authorization and Confidential &E activities for CIO and other Business leader review and approval and participate in the development of security policies associated with purchased, internally developed, or cloud hosted environments.
• Worked closely with the Cloud Service Provider (SCP) for Confidential 800-53 Rev 4.0 Control Assessment to make sure the critical controls for the Fed RAMP are implemented and compliance with the federal regulations.
• Maintains USPS OIG's compliance with the Federal Information Systems Management Act (FISMA) requirements, in collaboration and cooperation with all OIG staff members. Establishes an Information Systems Security (ISS) Awareness and Training Program.
• Perform and responsible for completing compliance tasks in accordance with the Confidential 800-37 Risk Management Framework (RMF) and submit Assessment and Authorization (A&A) documentation to support an Authority to Operate (ATO) in the Microsoft Azure Environment.
• Developed incident response plans, processes and procedures and performed and reviewed long-range Enterprise Infrastructure forecasts and architecture.

Confidential, Reston, VA

Senior Information Security Analyst

Responsibilities:

• Assisted Department of Health and Human Services (HHS) Security architecture to maximize security of enterprise-level infrastructures, and ensure compliance with the Confidential Risk Management Framework (RMF).
• Responsibilities include identifying current security capabilities, helping to architect technical solutions that leverage in multiple Operational Divisions of the agency and responses to the Shared Cyber Security program for Department of Homeland Security (DHS), continuous diagnostic monitoring (CDM) and the OMB Memorandum M 14-03 requirements.
• Researched, assisted and prepared draft document for the stakeholder of variety of technology and tools such as Security Event Information Management system (SEIM), and Endpoint Protection of the enterprise-level infrastructure.
• Assisted technical staff and stakeholder for preparing draft document and implementation plans for different projects.
• Analyzed, planned, and implemented security approaches and Coordinating and facilitating with other IT teams to ensure federal security requirements are in place through the lifecycle of solution implementation.

Confidential, Fairfax, VA

Senior Information Security Analyst

Responsibilities:

• Coordinates with the VA cybersecurity team with regards to Enterprise Health Management system (hemp) Project in accordance with the HIPAA Rules and the Federal government requirements, guidance, and directives.
• Integrate HP Fortify within the AWS environment and Continuous Integration pipeline process such that vulnerability scans can occur against the application source code.
• Worked cooperatively with the Director and other applicable organization units in overseeing patient rights to inspect, amend, and restrict access to protected health information when appropriate.
• Serves as a team leader, or technical expert for matters concerning area of responsibility. Overall responsibilities include performing the audit program.
• Performed vulnerability assessments and penetration testing of the Pre-prod and prod IT applications environments.
• I was part of the training application developer’s team in secure coding techniques and helping to integrate security into the software development life cycle (SDLC).
• Configured, performed, and conducted HP Fortify Security Code Analysis (SCA) for scanning the source codes prior to transfer to the pre-production and production environments. As a team lead coordinate with the Development and Dev OP team to conduct the best industry practices for security controls such as OWASP, and SANS Top 20.
• Presented security findings to management and technical staff and assist the IA team in completing compliance tasks in accordance with the Confidential Risk Management Framework (RMF) and submit Assessment and Authorization (A&A) documentation to support an Authority to Operate (ATO).
• Developed Plan of Actions and Milestones (POAMS) and Corrective Action Plans (CAPs) to remediate audit findings.
• Conducted vulnerability assessments and support the mitigation of any defined risks. Create and maintain documentation in support of Assessment and Authorization (A&A) activities for the VA project.
• Experienced in Agile development environment and completed Scaled Agile Framework training and gained SAFe Practitioner (SP) certificate.

Confidential, Sterling, VA

Senior IT Security Analyst

Responsibilities:

• As a Senior IT Security worked closely with the senior security manager for performing the security requirements and preparation of the documents. .
• Provided advice and recommendations to identify weaknesses and recommend corrective actions or improvements to management staff for in corporation into reports to the Government agency and the third party assessor and external audit groups.
• Performed assessment analysis, and evaluation of potential attacks, and coordinate with the team for implementing solutions affecting containment of detected network anomalies.
• Participated in the development, implementation, and ongoing compliance monitoring of all trading partner and business associate agreements, to ensure all privacy concerns, requirements, and responsibilities are addressed.
• Conducted systems scanning and configure Nessus scan tool of vulnerability management for the security compliances of the OS and Netsparker, WebInspect for the software applications.
• Identify security risks, threats and vulnerabilities of networks, systems, applications and new technology initiatives.
• Served as info security Engineer on the NASA government web sites that crossed over into the Cloud.
• Security framework and Confidential requirements to the architecture, design, development, evaluation and integration of systems and networks.
• Ensured compliance with FedRAMP and Confidential technical control requirement for cloud computing as SaaS (software as a service). Coordinate with AWS (Amazon Web Services) Cloud Computing technical staff.
• Worked closely with the third party security Control Assessment (SCA) to make sure the critical controls for the Fed RAMP are implemented and are in place.
• Performed security administration of firewalls, Intrusion Detection Systems, and Security Monitoring Systems.
• Interact with management and other teams in a collaborative, problem solving environment addressing technical and business issues.

Confidential, McLean, VA

Principal IT Security Engineer

Responsibilities:

• Brief Senior Executive Management regarding system documentation, identified vulnerabilities, and POA&M remediation.
• Supported the DHS (Science and Technology) in identifying and meeting information assurance requirements and develop and implement information security policies and procedures.
• Review and recommend mitigations or countermeasures, and resolve integration issues related to the implementation of new systems within the existing infrastructure.
• Oversee development team and ensure application security standards are being followed and compliant with the DHS policies and security handbook.
• Conduct on-site visits to Data Centers and performed interviews with ISSO’s, system Owners, network administrators, and system administrator. Assess security controls in-place in accordance with Confidential guidance.
• Reviewed technical requirements. Work with DHS/S&T BorderNet Team in integrating IA controls into the final solutions.
• Identified security risks, threats and vulnerabilities of networks, systems, applications and new technology initiatives.
• Managed auditing functions that follow national, federal and organizational policy to ensure all unclassified DHS (Science and Technology) information systems (to include general support systems and major applications) are in compliance.
• Provided expertise on the coordination, development, improvement and implementation of the IT security risk management program and risk mitigation strategies.

Confidential, Alexandria, VA

Senior IT Security Engineer

Responsibilities:

• Coordinated with internal and external auditors to determine compliance with policies, directives and standards.
• Provide information on security policies, directives, standards and procedures to trading partners of the agency and interact for operational or commercial reasons.
• Reviewed OS baseline configuration and policies. Audit the Plan of Action and Milestones (POAM) for security weaknesses. Interpret data and create reports and dashboards for senior management.
• Assisted the IT Department in developing a policy and procedures to provide cost effective, quality, system and network security assessment and certification based on unified federal guidelines and procedures.
• Assisted SEC Operational Data Center in identifying and meeting information assurance requirements. Analyzed the development and implementation of information security policies and procedures for patch and vulnerability.
• Used Qualys and Bigfix tools to create regular reports for vulnerabilities and path management in the network systems. .

Confidential, Arlington, VA

Senior Information Assurance Analyst

Responsibilities:

• Recommended mitigations or countermeasures and resolved integration issues related to the implementation of new systems.
• Performed Certification & Accreditation (C&A) activities in accordance with DHS 4300 Handbooks for the OIT managed systems.
• As team lead, supported the process framework project for the implementation and management of controls to ensure that specific security objectives are met.
• Supported DHS (US CIS) Operations & Maintenance division and users throughout the agency in the development and implementation of systems and subsystems to meet the transactional processing needs of the US CIS.
• Ensured application security standards are followed and implemented correctly by the development teams. Provided vulnerability mitigation strategies.
• Evaluated new security technology & trends and recommended ways to strengthen client information security environment.
• Worked closely with the Project Management Office (PMO) to provide risks assessments, cost estimates and schedules for projects and Operations and Maintenance (O&M).
• Provided operational and strategic support to the Department of Homeland Security (DHS) Control Systems Security Program (CSSP).

Confidential, Fairfax, VA

Senior Information Assurance Analyst

Responsibilities:

• Integrated with a team of skilled information technology security professionals demonstrating competence in the application of the system certification guidelines and procedures.
• Conducted on-site visits to Data Centers and performed interviews with ISSO’s, System Owners, Network Administrator, System Administrator, etc. to properly assess security controls in-place in accordance with Confidential guidance,
• Performed Federal Information Security Management Act (FISMA) audit reviews;
• Developed and reviewed system security plans, plan of actions and milestones (POA&M), security control implementation, configuration management plans, contingency plans, incident response plans, security policy, and vulnerability scans at the Veteran Affairs (VA) Department.
• Supported security architects in developing existing and future systems architecture artifacts.
• Performed design and system analysis, requirements definitions, interface and data architectures, lifecycle cost estimation, and governance.
• Prepared informational documents to reduce cyber security risks and threats in critical infrastructure systems at VA OIT office.

Confidential, Washington, DC

Information Security Specialist

Responsibilities:

• Worked closely with the development and staging group in the application. In corporate and integrate the new emerging information security concepts, principles, trends, technologies, and practices in the development and application of infrastructure control system security policies and practices.
• Provided technical expertise in advising and making recommendations for mitigating risks and conduct assessment activities to improve cyber security in critical infrastructures at the OIG office.
• Responsible for maintaining a competency and understanding for Confidential HSPD-12 Implementation Plan and other requirements documents to support leadership and policy developers.
• Conducted functional, regression, feasibility and stress testing vulnerability, risk assessment, gap analysis, in relation to the evaluation PKI related hardware products Write test reports and performance documents including evaluation procedures, product recommendations, and user instructions.
• Implemented Cisco Security Agent software tool ( Confidential ) as proactive intrusion detection and ensure all systems and servers had appropriate system patches installed.
• Performed audits of critical information systems such as mail servers, web servers and host applications and established mechanisms for risk review and mitigation.
• Coordinated with the client with technical understanding of systems and applications to ensure the C&A packages were completed on time.
• Use ISS (Internet Security System) tool and work closely with the OIG director to deploy network vulnerability and scanning to identify patching and vulnerability assessments across the servers, desktops, operating system, firewall, switches and routers.