
Security Manager

Location:
Tempe, AZ
Posted:
July 11, 2013


James E. Simmons III

Information Systems Auditor CISA


Summary

Over 10 years of Information Security experience in distributed, heterogeneous, mainframe and client server environments. CISA Certified, ACF2 Certified Administrator, 6.1. Currently working as an Information Security Consultant performing Gap Analysis and Project Consulting for Sarbanes-Oxley 404. Previously employed as a contractor for the Unisys DoD Information Technology Security Certification & Accreditation Process (DITSCAP) Team, Fairfax, VA.

Information Security Knowledge Areas

Certification & Accreditation Process, ISO/2700, COBIT, DITSCAP, SOC I/II, Sarbanes-Oxley 404 (SOX), GLBA, NIST 800-53, HIPAA, Gap Analysis, ISS/SCAN, Penetration Testing, Patch Testing, Remediation, SSAE16, FFIEC Compliance, NIACAP, SAS 70, Basel I/II, Application Level IS Controls, IA Professional Practice Framework, CA Audit, COSO, Entity Level Controls, Entity-wide IS Controls, DISA STIG, PCI/DSS, DIACAP, SiteMinder, FISMA, NMAP

Technology Proficiencies

IBM PC compatibles, RSA/Archer, VM, .NET
IBM Mainframe, User Manager, MVS/ESA, CA11/DCL, Java
AS/400, Vantive, BISYNC, Adobe
RISC 6000, Rumba, ASYNC, Windows O/S
Tandem Himalaya, PC Anywhere, IDS, Tivoli
DEC VAX, Btrieve, IDMS, Federation
DG, Guardian 90, IMS, IdM
HP, Vanguard, Oracle, SiteMinder
OS/390, NeXTSTEP, DB2, Entrust Grid
Unisys A Series/1100, LDAP, DOS/VSE, Radius
Tandem K Series, Safeguard, Windows NT, Single Sign-On
ACF2, PKI Entrust, UNIX, PeopleSoft
RACF, Encryption, AIX, Oracle Financials
CA Top Secret, MS Office, LAN/WAN, Group Policy
JCL, Outlook, Ethernet, LDAP
CICS, Lotus Notes, Intranet/Extranet, PKI Entrust
CICSWS, GroupWise, TCP/IP, Checkpoint Firewall-1
TSO, PeopleSoft, IPX, JD Edwards
CA/7, MQ Series, SNA, Sun Solaris
VTAM, Active Directory (Hyena), Netware 4x, Keon/RSA
Sidewinder, Gauntlet, Sniffer Tools (various), Lock Box

Professional Experience:

IBM, Dubuque, IA 02/13 - Present

Consultant

Duties as a team member with the logical security and audit group; primary functions as a SME with group audit policy, and to participate with a group of Access Administration Technicians and ensure that Security Administration / Information Security processes and procedures are adhered to according to IBM policy, SOX, as well as HIPAA and ISO standards and compliance.

• Duties are to oversee and manage controls pertaining to the efficient standardization of policy affecting access administration, system security, IT practices and security procedures, and account creation in distributed environments.

• Secondary responsibilities are to participate in semi-complex technical support for personal computers, application software, operating systems and access to networks, and to effectively identify problems as they occur and take appropriate steps to solve them.

PNC BANK, Pittsburgh, PA 11/12 - 12/12

Consultant

Six week emergency backfill: I wasn't available to take the original contract, and when the client was let down halfway through I flew in to complete the project.

Duties included reviewing technical validation activities for audit and assessment compliance, including but not limited to audit planning, risk assessment, control evaluation, audit test development, testing, work paper documentation, network architecture designs, log data, anti-virus implementations, server configurations and standards, and key management.

Delivered effective compensating and remediating measures for deficiencies affecting control procedures, aligning with and adhering to Bank policy and industry best practice standards, along with drafting written findings and reports and presenting to management throughout the audit engagement.

July 2012 – Nov 2012 Wipro (Contract), US Bank, Minneapolis, MN

Information Security Risk, Compliance and Audit

• Responsible for project management duties designed to develop, implement, and support enterprise-wide information technology security policies, procedures, applications, and systems.

• Specific duties are to test, document and maintain the program to ensure compliance with Federal and State regulations as well as external guidance (SOX and PCI), and to review system-related security plans throughout the network.

• Duties are also to assist in the establishment of a security strategy program, to include determining appropriate policy to meet regulatory compliance, risk identification and mitigation, security architecture and necessary infrastructure of the enterprise.

• Liaison with ISS and Infrastructure IT to coordinate pen testing, patch testing, remediation and adoption of application security best practices.

• Responsible for coordinating support within their respective BIO team to support ISS pen testing of apps, Infrastructure IT monthly patch testing for effect on LOB applications, and to assist Infrastructure IT's remediation of foundational application vulnerabilities (.NET, JAVA, Adobe) and the PCI/SOX vulnerability remediation process.

Feb 2012 – April 2012 Unisys (Contract), Ameriprise Financial, Minneapolis, MN

• Tasked specifically to develop, execute, and monitor enterprise-wide information security from policy through implementation to ensure that business information is secure from unauthorized access, protected from inappropriate alteration and is physically secure.

• In this position my duties were to serve as the process owner for all ongoing activities that provide appropriate access as well as protection of confidentiality and integrity of client, employee and proprietary business information in compliance with federal/state laws and regulations as well as Ameriprise's policies.

• Some of my duties entailed participating in security investigations and providing on-going communication to senior management, as well as identifying root causes of security events, proposing solutions, closing out and documenting investigations, and ensuring confidentiality and that appropriate personnel are involved in the investigation.

• Also, I was assigned to participate in activities/reporting required for regulatory and contractual information security obligations, and to coordinate tasks that are performed within the infrastructure (system administration, network administration, application support, etc.) for security updates and initiatives.

• One of my major responsibilities was to maintain up-to-date industry knowledge through formal/informal training, industry associations and research of the latest technologies critical to the success of the company's data security program, and to continuously work to identify and improve security solutions to defend the company against data security threats.

Oct 2011 – Jan 2012 Securely Yours LLC (Contract), Bloomfield Hills, MI

• Assessed and evaluated the mainframe environment and security infrastructure as controlled by the CA ACF2 security system.

• Used NIST 800-53 to map mainframe security controls for Erie Insurance's Medicare Program.

• Determined the effectiveness of key internal controls, including new (development) and existing processes, systems and controls: CA-7, CA-Endeavor, CA-Harvest.

• Drove assessment of the significance of control gaps or deficiencies and actively participated in improvements to processes and the remediation of control deficiencies. Managed facilitation for key assessors and reviewers within the company to meet ongoing compliance requirements.

• Provided guidance for the process of maintaining high quality control design documentation and periodic effectiveness testing of key controls.

Oct 2010 – Dec 2010 Infosec Security (Contract), Tallahassee, FL

• Performed an eight week general assessment of the end client's current IBM mainframe security infrastructure as controlled by the IBM RACF security system, based upon a competent and professional review of the existing security architecture, operation, organization and security audit findings.

• Performed quantitative analysis conveying primary security metrics such as userid counts, logging rates, enforcement levels, numbers of privileged users, number of users with security-bypass authority, new password requirements, obsolete userid counts, etc., and a review of critical mainframe applications whose security is handled via RACF (dataset profiles/protections, access to CICS transactions, Started Task and Batch processes, etc.).

• Provided the client with a formal document describing the findings and recommendations resulting from this security assessment.

Sep 2007 – March 2010 TD BANKNORTH (Contract), Portland, ME

• Performed medium to complex information security reviews of new, modified, or critical applications, utilizing the information security review process to develop and present findings and plans that prevent, curtail, and minimize security vulnerabilities and incidents.

• Member of the team responsible for functions necessary for the central, global administration, management, monitoring of rights, managing access to objects, maintenance, and operation of the Bank environment. Worked within the TD Bank/Commerce Access and Identity Management team and coordinated with other cross-functional infrastructure teams to provide primary engineering support for IdM, Federation, Radius, Oracle, Tivoli, Entrust Grid, SiteMinder, and Authentication and Authorization Services for a centralized Web access management system that enables user authentication and single sign-on, policy-based authorization, identity federation, and auditing of access to Web applications and portals.

• Also conducted SOX SAS 70 security reviews and PCI risk assessments of applications and infrastructure with industry standard security tools and methodologies based on federal, regulatory, external, and internal audit requirements (Ernst & Young).

• Participated in security projects that support the Information Security Program by using standard industry best practices, as well as company and program management methodologies and templates for projects, along with initializing corporate awareness policies supported by regulatory compliance, as well as enterprise-wide metrics and statistics on incidents and security threats for management to demonstrate effectiveness.

• Also functioned as a subject matter expert for securing networks, systems, and applications, and provided internal clients with security solutions in the design and operation of new and existing technologies.

Sept 2005 – Sept 2007 INTEL (Contract), Sacramento, CA

• Responsible for Sarbanes-Oxley compliance, Intel data security, risk assessment, and authentication, authorization and audit.

• Responsible for identity management, implementing products for security awareness, and command line email encryption.

• Responsible for designing and implementing security architecture and audit of network security controls and programs to protect the integrity, confidentiality, and availability of information resources.

• Supervised the audit project with responsibility for managing team members' performance and quality of output to meet the overall project objectives.

• Leveraged in-depth knowledge of key IT focus areas (such as IT services and business processes, data centers, remote operating sites, network infrastructure, system software, both externally and internally facing business applications, and others) to ensure the team's successful development of their project's risk assessments, design of the SAS 70 audit program, and drafting and delivery of the audit reports (Deloitte and Touche).

• Reviewed audit work programs and testing documentation to verify that they were produced in accordance with the IA's Professional Practice Framework.

• Influenced and negotiated process improvements with business owners.

• Provided recommendations on the design of controls.

• Ensured that identified control gaps were assigned for resolution.

• Verified management's resolution of completed action items.

• Developed and provided training to team members by sharing audit/content expertise, in conjunction with proactively identifying emerging areas of risk and controls focus based on professional understanding of the business, to effectively address those areas before they become audit findings.

Sept 2004 – Sept 2005 Yellow Roadway Corporation (Contract), Overland Park, KS

Information Security Risk, Compliance and Audit

A $3.5B holding company providing freight transportation services and technology through its subsidiaries, including Yellow Transportation, Roadway Express, New Penn Motor Express, Reimer Express, Meridian IQ, and Yellow Technology Services, Inc.

• Reviewed, documented and tested application controls, particularly automated controls, on a wide range of software application packages including PeopleSoft and Oracle Financials.

• Responsible for coordinating, reviewing, and investigating the Information Technology internal controls documentation and processes to evaluate adequacy and effectiveness to ensure compliance with the Sarbanes-Oxley Act (KPMG).

• Developed and presented Information Technology process diagrams outlining risks and mitigating controls for completeness and accuracy using the COSO and COBIT frameworks.

• Coordinated audits using the COSO and COBIT frameworks with a focus on network infrastructure, information security, disaster recovery, application controls, and systems development initiatives (KPMG).

• Performed interviews with company personnel and documented the application level and entity-wide IS controls established to mitigate the risk of financial statement errors (KPMG).

• Conducted Sarbanes-Oxley IT compliance / audit training for information technology staff.

Aug 2003 – Aug 2004 Bank Of America (Contract), Charlotte, NC

Security Consultant

• Responsible for the development and ongoing maintenance of information security documentation including: policies, procedures, standards, guidelines, checklists, and policy exceptions.

• Also assisted with security assessments, remediation planning, security product evaluation and testing, conducting technical security training, facilitating the risk management process, assisting in the preparation of security reports and presentations and vendor SOWs, and assisting with the incident response process. Duties also included analyzing ACF2, RACF and Windows NT/2000 (Active Directory - Hyena) group policy controls and administration (Sarbanes-Oxley), systems and processes, generating reports, and setting up jobs to perform remediation within OS/390 Open Edition, Tandem and AS/400 midrange environments.

March 2003 – June 2003 Option One Consulting (Contract), Fairfax, VA

Information Security Consultant (Department of Defense)

• Primary duties involved providing technical expertise and analytic support to Department of Defense (DoD) organizations by implementing computer security certification and accreditation procedures for automated information systems. Duties included conducting vulnerability and risk assessments, and conducting technical security reviews on MVS operating systems using CA-EXAMINE, CA ACF2, CA Top Secret and RACF, as well as ISS Network Security Scan and SecurID.

• Used NIST 800-53 to assess security controls for a Department of Defense VA Hospital: Identification and Authentication Security; Systems and Communication Protection.

• Hands-on experience with DITSCAP, DISA STIG, NIST 800-53A, NIACAP and HIPAA standards as applied to the four-phase certification and accreditation process of all DoD and Civil Federal Government supported information systems.

Sept 2001 – Jan 2003 Deluxe Corporation (Contract), Minneapolis, MN

Information Systems Security Group Consultant

• Functioned as primary contact for data security projects and/or problems affecting successful business operations.

• Executed and ensured timely completion of tasks involved in implementation of new technologies (Win 2000 Active Directory Group Policy administration - Hyena).

• Reviewed problem logs in a timely manner and resolved questions (7x24) from users to determine the nature of reported problems and possible solutions.

• Acted as a liaison with other Information Services departments as needed to assist in problem resolution; also consulted with internal, technical and business personnel regarding system security issues and practices in a multi-platform heterogeneous environment (Vanguard, RACF/OS390).

• Provided consultation in regards to security policies, practices and procedures to internal and external clients.

Dec 2000 – June 2001 State Farm Insurance (Contract), Bloomington, IL

Consultant/Security Analyst

• Primary responsibilities included ACF2 to RACF migration of 27 LPARs with 4 million user sign-ons.

• Duties included analyzing and coding multiple translation tables, which were used as primary filters for the IBM SMA2RT tool.

• Analyzed ACF2 databases for inconsistencies prior to actual migration (Vanguard RACF).

• Performed multiple reconciliation procedures while addressing post-migration automation issues (CLIST, REXX, COBOL). Troubleshot all post-migration issues that occurred on any applications (DB2, MQSeries, LDAP, VTAM, IMS, OS390).

• Provided consultation in regards to security policies, practices and procedures to State Farm internal and external clients.

Jan 1999 – April 2000 Computer Associates, Islandia, NY

Technical Consultant

• Provided extensive security administration (CA-ACF2, CA Top Secret); performed user registration and system software product interfacing in an OS/390 Open Edition mainframe environment.

• Provided identification, recommendation and solutions for data security risks on most platforms, including LDAP, PKI Entrust, Windows NT User Manager, LAN/WAN and Intranet/Extranet, in a matrix managed setting.

• Defined rules for individuals and systems; administered data security and documented all security recommendations and definitions concerning the implementation and maintenance of production JCL/TSO/CICS, IMS, IDMS, DB2 transaction dataset rules and ownership.

• Advised and consulted with clients on data security issues, determining how application systems would be accessible; monitored access and investigated access violations, ensuring security in a large-scale, enterprise-wide production environment.

• Assisted with problem tracking and resolution.

June 1997 – Jan 1999 Consulting Assignments, Minneapolis, MN

Technical Consultant for First Bank, Piper Jaffray, Hennepin Co., HBOC Serving Software Group

First Bank

Security Consultant

• Provided technical support for use of large scale data communications networks, WAN and LAN; provided performance monitoring assistance to data processing operations personnel in resolving network problems; provided technical assistance and support surrounding multiple data communications networking topologies (TCP/IP, SDLC, Async, Bisync).

• Provided professional first level security administrative duties that included the monitoring of intrusion detection systems supporting OS390 mainframe and AS/400 midrange connectivity (JD Edwards, Sun Solaris, Unix, Keon/RSA, Checkpoint Firewall-1) for connectivity integrity, audit maintenance, and router alert signalization, i.e. Sniffer tools, Lock Box, Sidewinder, Checkpoint Firewall, Gauntlet.

Piper Jaffray

Security Consultant

• Provided users with access, file security and passwords (Safeguard); installed and maintained individual workstations; assisted in the installation and maintenance of application and network servers; provided on-site support for Tandem and AS/400 systems (Safeguard; JD Edwards; disaster recovery tape backup with Tivoli ADSM storage manager) along with disk space allocations and job abend resolution for Tandem and AS/400 real time job stream processing. Banking duties also included precise documentation of problem ticketing, escalation, and resolution procedures performed relating to applications being processed on mainframes and midranges (AS/400, JD Edwards, Tandem Himalaya, UNIX AIX, OS/390, Unisys A Series, RISC 6000 units, MVS, VM, VSE).

Hennepin County

• Coordinated and administered computer security access rules and procedures for ACF2; utilized TSO/ISPF and RUMBA session/applications to create/delete/maintain security logon IDs for most platforms (AS400, Tandem, OS390 mainframe and midrange); defined rules for individuals and systems; administered data security and Windows NT, and created security definitions for remote dial-in access; advised and consulted with clients on data security issues; assisted with problem tracking and resolution.

HBOC Serving Software Group

• Provided direct support and problem resolution to users via telephone and modem connection. Troubleshot system software and hardware communication problems by providing appropriate technical procedural assistance that maintained the integrity of Novell software applications (MS/DOS). Duties included the testing of system functionality errors (Btrieve); the set-up and configuration of clients' PC data file structure; and documentation of all issues and procedural fixes administered, which included all upgrades and end user problem fixes performed.

1994 – 1997 University of Minnesota Health System, Minneapolis, MN

Operations Analyst

• Operated Tandem VLX and AS/400 midrange computer systems (running jobs, mounting tapes, checking device status and monitoring systems).

• Operated and maintained printers including: serial, parallel, laser, dot matrix, and ion devices.

• Operated Microdata, DEC, HP and DG computers; investigated, troubleshot, and resolved (PC, terminal, printer, and data communications equipment) problems throughout the hospital.

• Mentored subordinate computer operators on UNIX AIX, UNISYS/1100 and standard AS/400 operating procedures.

• Assisted with problem resolution and escalation; consulted with users concerning LAN/WAN and Novell networking applications; application support including software configuration setup and installation of newly acquired Compaq and HP desktops within various departments; in addition to providing level 2 help desk functions, supported a variety of network platforms and related topologies.

1983 – 1993 Allied Signal Corp. / NASA Goddard Space Flight Center, Greenbelt, MD

Data Retrieval and Analysis (MVS/VM/VSE, Operations)

Education / Other

CISA Certification, 2005

Technical Education, NASA - Goddard Space Flight Center, Greenbelt, MD, 1979 to 1993

Operating Systems: OS/MVS, Computer Sciences Corporation, 1980, Certificate

Satellite Data Processing Concepts (NIMBUS, GALILEO), Computer Sciences Corporation, 1980

Telemetry Operations (LANDSAT), Computer Sciences Corporation, 1980, Certificate

ACF2 Certified Administrator, 6.1, Computer Associates, Hennepin County, Minneapolis, MN, 1998