Chief Information Security Officer Resume

SUMMARY

  • Over 20 years combined experience working with Information Security, Management, and IT.
  • Experienced with auditors, findings, risk assessments, and cost-effective mitigation strategies.
  • Strong written, presentation, and verbal communication skills; capable of effectively communicating needs to management, operations, C-level executives, boards of directors, steering committees, business partners, etc.
  • Understands the Relationship between Law, Policy, and Procedure to Security & Corporate Governance.
  • Highly Proficient at troubleshooting a wide array of security, network, and application issues.
  • Strong knowledge of FISMA, NIST, PCI, ISO 27k, USGCB, FDCC, DISA STIGs, IRS 1075, CIS, OCEG, SOC2, HITRUST, and MARS-E.
  • Presentations for the CISO Executive Network, NY HIMSS Chapter, NYC Health IT Summit, and SC Congress.
  • Professional Organizations: ISC2, ISACA (CRISC Item Writer), Infragard, NY Electronic Crimes Task Force, CISO Executive Network, HIMSS, and so on.

PROFESSIONAL EXPERIENCE

Chief Information Security Officer

Confidential

Responsibilities:

  • Presented findings to the C-level executives, the vice president, etc.
  • Presented accomplishments, programs, and future plans to the Board of Directors.
  • Built consensus working with CISOs around the greater NYC area concerning security maturity and solutions.
  • Created security architecture including firewalls, intrusion detection / prevention, WAF, IP shunning, DMZs, VLANs, Zone Architecture, applications, InterSystems Architecture, etc.
  • Selected, set up, and utilized a Managed Security Service. Performed incident response related to alerts and trained staff to handle the alerts.
  • Selected the hardening standards (CIS) for the organization. Worked with IT and project management to implement the hardening standards.
  • Selected a range of security solutions for the organization including file integrity monitoring, vulnerability management (application and infrastructure), MSS, NIDPS, an APT solution, URL filtering, hard drive encryption, remote wipe, an MSSP, multifactor authentication (2 solutions), WAF, etc.
  • Created and gave Security Awareness Training, HIPAA Training, and Incident Response Training, for the organization.
  • Created security architectural diagrams and held meetings to build consensus around the program. The diagrams state why and how the program could greatly improve the security posture of Confidential.
  • Proposed providing company laptops for those that have immediate IT access to highly sensitive data.
  • Proposed, researched, and risk assessed stronger authentication measures, including multifactor authentication and risk-based authentication, for multiple systems (application, operating system, and VPN), taking into account SHIN-NY and NIST standards.
  • Selected the Trust Services Principles for SOC2 audits and selected the audit firm. Currently leading the company towards SOC 2 and HIPAA compliance, including network architecture, change management, configuration management, and so on.
  • Spearheaded policy and procedure creation taking into account SHIN-NY policies and procedures, SOC 2 Trust Services Principles, and HIPAA regulations. Wrote Policies and Procedures for Information Security, Compliance, Information Technology, Human Resources, and Executive Management.
  • Created a Risk Management Program that included a NIST-centric framework (based on the CMS standard) and started identifying corporate risks in multiple environments and business partners (with a mature risk program). Technical, legal, biological, and business risks, including all HIPAA requirements as defined by the Office of Civil Rights (OCR), are considered as part of the program.
  • Created Incident Response standards and a program utilizing the VERIS framework. Incident response training for junior staff was created in relation to the program.
  • Worked with the corporate communications department for internal and external security messaging.
  • Architected Tripwire use and utilization within the organization, taking into account Security, Incident Response, IT, Compliance, and Change Management.

Governance, Risk, Compliance, and Security Officer

Confidential

Responsibilities:

  • Worked with OCEG to help architect business security processes for GRC program in Archer.
  • Managed Security Operations Center and a Data Loss Prevention team. This includes vulnerability management, incident response, next generation firewalls, SIEM, endpoint protection, etc.
  • Managed SSAE 16 SOC Type I and Type II audits, including audit evidence and discussions.
  • With others, helped to write and architect a new Client GRC team.
  • Evaluated and wrote responses to MSAs, SOWs, and questionnaires with the intent of protecting Capco from risk. Legal risk, IT risk, and costs were evaluated as part of the responses.
  • Created presentations for Executive Management.
  • Trained junior staff on a range of functions such as IT skills, compliance, GRC, etc.
  • Evaluated employees as potential candidates.
  • Worked with staff to architect new solutions and educated senior staff on the pros and cons.
  • Approved global changes on a change control board.
  • Led weekly global GRC meetings.
  • Performed risk-based SaaS and IT risk assessments with suggested risk remediation strategies.
  • Architected the Security for a cloud environment including Altiris and Archer, HSM, CipherCloud, BeyondTrust, Protegrity, etc.

Senior Security Solutions Architect

Confidential

Responsibilities:

  • Guided C-level executives in Fortune 500 companies in a presales capacity to:
    • Determine appropriate strategies and tactics to mitigate risk
    • Eliminate risk and/or audit findings by architecting solutions for implementation
    • Ensure appropriate education on cloud platforms and compliance
    • Perform gap analysis related to compliance (PCI, HIPAA, etc.)
    • Write policies and procedures, for example for BYOD, change management, compliance, risk assessments, incident response, etc.
    • Provide training and education on global threat intelligence, offerings, etc.
  • Created and Updated customer & datacenter network maps with security appliances.
  • Educated account executives and engineers on how to position security.
  • Learned about many tools, architectures, and practices related to security technologies.
  • Acted as project lead on many engagements.
  • Evaluated security technologies and networks (cloud and premise) to meet customer requirements.
  • Created and/or modified internal and customer presentations for a variety of security solutions.
  • Collaborated with sales, marketing, and IT teams to promote products and services.
  • Analyzed public security intelligence reports such as the Data Breach Investigation Response (DBIR), PCI Report, Trustwave Global Security Report, Congressional Cyber Security Report, Ponemon Institute, etc.
  • Staff augmentation doing PCI audit, risk frameworks, gap analysis, etc.

Senior Security Systems Specialist

Confidential

Responsibilities:

  • Performed risk assessments and Business Continuity Planning according to CMS guidelines.
  • Impacted auditors’ assessment of risk during critical audits.
  • Provided incident response for enterprise and perimeter environments based on log analysis.
  • Led various IT teams to develop remediation strategies for findings relating to Windows, networking, Solaris, Mainframe, databases, applications, etc.
  • Reported the status of findings to senior management, technical teams, and the CMS.
  • Worked with business/IT to respond to audit findings, penetration tests, vulnerability assessments, & war dialing.
  • Approved, architected, and project managed IT / security changes to enterprise & perimeter environments.
  • Wrote hardening standards for Windows, IIS, Mainframe, VMware, databases, and network devices based on FDCC, USGCB, DISA, NIST, NSA, IRS, CIS, etc.
  • Project manager for security projects: AD implementation, endpoint security, CMS regulations, firewall rules, FIPS compliance, risk mitigation, and so on.
  • Audited Bluetooth and A/B/G wireless networks.
  • Documented Layer 2 and Layer 3 Network Maps for enterprise and web portals.
  • Performed forensic investigations and incident response using self-created forensic CDs.
  • Wrote and/or Taught Security Awareness Training, Code of Conduct, Configuration Management / Security Lifecycle, Incident Response, etc.
  • Wrote and/or Upgraded System Security Plans (numerous).
  • Wrote policies and procedures for forensics, logical access, passwords, network devices, Windows, IIS, databases, change management, and network use to ensure security and adherence to DISA STIGs and FISMA.
  • Analyzed NIDS, Syslogs, Firewall logs, Domain Logs, RACF, & Tripwire on a daily basis.
  • Performed physical inspections of the workplace for PHI, FTI, PII, passwords, confidential information, slab-to-slab construction, fire safety, etc.
  • Worked with business and IT to implement FISMA: High (CMS enhanced NIST 800-53) controls.