
Sr. Cybersecurity/compliance Analyst Resume


SUMMARY

  • A Security Assessment and Authorization (SA&A) professional knowledgeable in the Risk Management Framework (RMF), the Systems Development Life Cycle (SDLC), and Vulnerability Management under FISMA and applicable NIST standards and adaptations.
  • Detail-oriented professional with a firm foundation and experience in planning, executing and managing client engagements and projects.
  • Independent self-starter and team leader fostering collaborative efforts toward achieving goals.
  • Strong critical thinking, problem solving, and time management skills with proven success at handling multiple responsibilities and projects.
  • Proven success at clearly communicating project objectives, findings and recommendations both verbally and in writing.
  • 10+ years working experience and background in Cybersecurity, Cloud security, IT Audit, Information Systems Security, Vulnerability Assessment, Information Assurance, Privacy, Systems Development Life Cycle, and Risk Assessment.
  • Proficient with COBIT, FISCAM, NIST, ISO, OMB Circular A-123, Internal Control, Internal Audit, Audit Readiness, ERP security control reviews, GRC, Attestation Engagements (SAS 70/SSAE 16), IAM/IDM Access Management Strategies, HIPAA and HITECH Compliance, Data Analysis, and Application Integrity.
  • Wide-ranging knowledge of audit and assessment of IT infrastructures (operating systems, databases, network devices) and current cybersecurity trends.

TECHNICAL SKILLS

  • IT Governance, IT Management, Risk Management, IS Audit, IT Risk Evaluation, IT Compliance, Access Management, IT Security, Identity Management
  • SDLC, Categorization of Information Systems, Information Systems Authorization, Security Control Implementation, Risk Management Framework (RMF)
  • Selection of Security Controls, Security Control Assessment, Network Security, ITGC/Application controls Audit, SOX Compliance, SSAE16 Report, COSO
  • COBIT, FISCAM, Cloud, SharePoint, MS Office suite (Word, Excel, Outlook, Visio, PowerPoint and Access), Internal Audit, Data Analysis, Vulnerability Assessment, NIST.

PROFESSIONAL EXPERIENCE

Confidential

Sr. Cybersecurity/Compliance Analyst

Responsibilities:

  • Perform Security Assessment and Accreditation (SA&A) process for multiple systems requiring an Authorization to Operate (ATO).
  • Conduct kick-off meetings with system personnel and stakeholders and interface with Subject Matter Experts (SMEs) throughout the SA&A process.
  • Categorize system levels using FIPS 199/200/NIST 800-60.
  • As an SME, coordinate remediation efforts for vulnerabilities discovered on the Wide Area Network General Support System (WAN GSS).
  • Apply in-depth knowledge of NIST SP 800-53 and NIST SP 800-37 to perform detailed security assessments of all FISMA-categorized information systems.
  • Analyze and update Business Impact Analyses (BIAs), Privacy Threshold Analyses (PTAs) / Privacy Impact Assessments (PIAs), System Security Plans (SSPs), Security Assessment Reports (SARs) / Vulnerability Assessment Reports (VARs), and Plans of Action and Milestones (POA&Ms).
  • Liaise with the Cybersecurity Compliance office to properly vet all deliverables submission to the Authorizing Official (AO).
  • Assist the Program Management team in delivering multiple ATO packages and in managing extended ATOs granted through exceptions and waivers triggered by open POA&Ms.
  • Support designated Cybersecurity priorities advanced by evolving Compliance needs.
  • Participate in Continuous Monitoring activities and initiatives.
  • Provide recommendations to the organization/client to help balance cyber risks and business needs.
  • Scope and tailor security controls for moderate and high systems using NIST SP 800-53 Revision 4 and applicable control overlays.
  • Support remediation of findings by providing recommendations for fixing findings documented in the Security Assessment Report (SAR).
  • Request and review vulnerability scans and STIG checklists, and ensure that open findings and vulnerabilities are either properly documented on the POA&M or remediated immediately.
  • Participate in agency Application Tower meetings.
  • Lead, supervise, evaluate and delegate tasks to junior analysts.
  • Develop content for security plans, test plans, waivers, POA&Ms, ATOs, SIAs, SARs, IT contingency plans, BIAs, change management documentation, etc.

Confidential

Sr. IT Auditor/ Global Security Risk and Compliance Analyst

Responsibilities:

  • Liaised with internal and external auditors, coordinated audit timing, findings remediation, engaged issue owners and managed SOX GITCs monthly reporting.
  • Updated Senior Management and other stakeholders about identified risks and opportunities for improvement within control environment.
  • Reported on status of all audit activities (Internal & SOX) to management. Tracked remediation activities for all findings (POA&M) and reported metrics for audit activity used for executive reporting.
  • Worked with management to define and prioritize remediation. Tracked remediation activities and provided remediation guidance, inspected/validated implemented solutions where applicable.
  • Accepted or refuted auditor-reported findings based on relevance, and drove consolidation of findings where appropriate.
  • Developed content for Archer GRC design, build, testing and user training. Supervised UAT.
  • Served as a subject matter expert on various special projects, risk assessments, and initiatives within the organization as delegated.
  • Performed gap analyses with senior management to aid the decision-making process.
  • Updated IT security policies, procedures, standards, guidelines and security requirements.
  • Performed vendors’ due diligence. Managed third-party security risk assessments.
  • Provided project security assessments; validated security controls, data classifications (tier categorizations), security requirements, and toll-gate validations for business projects prior to go-live approval.
  • Verified applicable information security evidence (SSAE 16 SOC 1 and SOC 2 reports, ISO 27001, penetration test and vulnerability assessment reports, FISMA compliance, etc.) to validate vendors' reliability.
  • Kept internal and external auditors up-to-date with status of findings and remediation, including closed findings.
  • Assisted in development and maintenance of IT Governance and Compliance Frameworks for managing IT improvement initiatives.
  • Worked with regional and global information security and business leads on the applications, databases and operating systems in scope for Quarterly User Access Reviews (QUAR) of privileged user IDs globally (LATAM, APAC, North America, and EMEA).
  • Validated user access reviews and terminations. Reconciled users' access levels against system-generated reports covering applications, databases and operating systems as part of QUAR.
  • Monitored IAM/IDM access certifications.
  • Reviewed administrators’ rights to restrict access to only needed functions to perform required tasks.

Confidential

Sr. IT Auditor/Information Security Analyst

Responsibilities:

  • Conducted testing of Sarbanes-Oxley (SOX), OMB Circular A-123 Audit, and Service Organization Control (SOC) SSAE 16 reviews.
  • Conducted integrated audits requiring technical skills for evaluating networks, application development and compliance with security policies, from the planning phase to completion. Extensive familiarity with the COBIT, COSO, PCI DSS, OMB Circular A-123 and FISCAM frameworks.
  • Performed Security Assessment and Accreditation (SA&A) process for multiple systems requiring an Authorization to Operate (ATO).
  • Participated in audits and compliance reviews based on FISCAM, FISMA, NIST SP 800-53 series, ISO 27001, OMB circular A-123 and A-127 frameworks.
  • Coordinated IT related SOX compliance reviews, assessing IT Application Controls in connection with program development, change management, computer operations, security and configurations as well as vendor service providers.
  • Implemented and tested internal controls under Section 404 of the Sarbanes-Oxley Act, performed walkthroughs of controls, and evaluated the operating effectiveness of controls.
  • Evaluated segregation of duties and application security involving ERP systems (SAP, PeopleSoft, Oracle Financials, Momentum, Deltek Costpoint) and executed the audit strategy.
  • Performed audit of IT general controls (ITGC) - Access control, Change Management, IT operations, Disaster Recovery and Platform reviews (Windows, Mainframe and UNIX).
  • Prepared audit scope, reported findings, and presented recommendations for improving data integrity and internal controls.
  • Performed IT General Controls and Application Controls reviews and monitored segregation of duties and other key management controls for system reliability, availability, and performance.
  • Tested compliance with policies and procedures to ensure conformity with industry standards, such as the HIPAA and PCI DSS frameworks.
  • Performed consolidation of IT audit findings, presentation of drafts/reports with notification of findings and recommendations.
  • Conducted systems and network vulnerability scans in order to identify and remediate potential risks.
  • Worked with IT Operations and Network Engineers to mitigate system vulnerabilities discovered in network devices (routers, switches, VPN Concentrator), servers, and workstations.
  • Updated and tracked Plans of Action and Milestones (POA&Ms).
  • Updated and reviewed Configuration Management Plans (CMP), Contingency Plans (CP), Incident Response Plans (IRP), and other tasks and specific security documentation.
  • Performed Federal Information Security Management Act (FISMA) audit reviews.

Confidential

HIPAA Compliance Analyst

Responsibilities:

  • Delivered staff training on operational processes that ensured compliance and best practices, including HIPAA/HITECH regulations, and reviewed operational systems for control effectiveness and adherence to healthcare regulations.
  • Ensured that policies and procedures are implemented and processes are well documented.
  • Identified and presented compliance issues to the HIPAA Steering Committee and was responsible for the timely completion of any action items approved by committee members.
  • Resolved and documented all questions related to privacy and security of patient health information for tracking purposes.
  • Reviewed privacy and security compliance training materials and conducted ongoing in-services, new employee orientation, and graduate medical education.
  • Coordinated the documentation and timely processing of patient rights activities (i.e., amendments to medical records, requests for restrictions on health information, requests for confidential communications) to ensure compliance with privacy regulations.
  • Organized and conducted HIPAA privacy walkthroughs to determine compliance with federal regulations.
