John Munyasya, CISA, PMP

***** ******** *****, **********, ** 20874 202-***-**** acc9y4@r.postjobfree.com

Manager of Information Security Assessment, Audit and Compliance

PROFESSIONAL SKILLS:

• Managing Information Assurance Services including providing advice on Cybersecurity and privacy policy;

Performing information systems security assessments for compliance with Federal Information Security

Management Act (FISMA), Federal Managers Financial Integrity Act (FMFIA), Health Insurance

Portability and Accountability Act (HIPAA), Sarbanes Oxley Act (SOX) as well as Food, Drug and

Cosmetics Act (FDCA).

• Managing and conducting Information System Security Risk Assessment (ISRA) using National Institute of

Standards and Technology Special Publication (NIST SP 37) Risk Management Framework Guide and other

standards.

• Managing Independent Verification & Validation (IV&V) engagements, including supervising

testers/engineers responsible for software testing and documentation review throughout the entire System

Software Development Life Cycle (SDLC); Creating task descriptions for the IV&V review activities;

Creating and presenting IV&V deliverables (Weekly status reports, IV&V finding’s report etc.,) and

managing clients’ relationship.

• Managing, authoring, editing, and updating Security Assessment and Authorization (SA&A) package

including Information Systems Security Risk Assessment (ISRA) report; System Security Plan (SSP);

Privacy Impact Assessment (PIA); Contingency Plan (CP); Contingency Plan Tabletop Test Plan (TTP),

Security Assessment Plan (SAP); Security Assessment Report (SAR); Plan of Action and Milestone

(POA&M) report; and Security Monitoring Reports.

• Managing and performing Security and Privacy Controls Assessments using National Institute of Standards

and Technology (NIST) Special Publication (SP) 800-82 (NIST SP 800-82) on Industrial Control System to

support the Office of Chief Information Technology (OCIO) comply with requirements of FISMA, FMFIA

and the Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for

Internal Controls over financial reporting.

• Managing and performing Security and Privacy Controls Assessments as part of federal systems SA&A

process using NIST SP 800-53 to support the OCIO comply with requirements of FISMA and OMB

Circular A-130 on Security of Federal Automated Information Resources.

• Advising Business Information Systems Owners, System Developers and Program Managers on integration

of information security and privacy safeguards in Systems Development / Deployment Life Cycle (SDLC)

process from inception to maximize Return on Investment (ROI) in Information Security and Privacy

Programs.

1 10

John Munyasya 13304 Bayberry Drive, Germantown, MD 20874 202-***-**** acc9y4@r.postjobfree.com P a g e

2

• Managing and performing annual independent audit of agencies Information Security and Privacy

Programs using NIST SP 800-53 to support the Office of Inspector General (OIG) comply with

requirements of FISMA, FMFIA and the Office of Management and Budget (OMB) Circular A-123,

Management’s Responsibility for Internal Controls over financial reporting.

• Providing Information Technology (IT) Governance, Risk and Compliance advisory services to Federal,

State and private companies IT leaders.

• Managing and conducting Security and Privacy Audits and Investigations for compliance with HIPAA

Privacy and Security Rule Safeguards using NIST SP 800-66 Guide for Implementing HIPAA Privacy and

Security Rule Controls.

• Managing and performing Information Systems Control Audits, as part of Chief Financial Officer’s (CFO)

independent annual integrated Financial Audits of agencies and contractors Financial Information Systems

using Government Accounting Office (GAO) Federal Information Systems Controls Audit Manual

(FISCAM).

• Managing and conducting Compliance audits and inspection for compliance with Food, Drug and Cosmetics

Act (FDCA).

• Managing and performing IT General and Application Controls Audits for compliance with SOX.

• Understanding of Federal Government contracts administration, and managing contract teams.

• Familiar with Information Security and Privacy programs, standards and regulations including NIST SP

800-53, NIST SP 800-82, NIST SP-37, ITIL, ISO 27001/27002, FedRAMP, NERC CIP, COBIT, COSO,

IIA, GMP, Privacy Act, E-Government Act, HIPAA Security and Privacy Rules, ISACA Standards, SOX,

and FISMA.

PROFESSIONAL EXPERIENCE:

Consultant

Sept 2009 to Present

Manager of Information Security Assessment, Audit and Compliance

Health and Human Services Centers for Medicare and Medicaid / JANUS Associates, Inc. Project

7000 Security Boulevard Suite 334, Baltimore, MD 21244

• Manages Information Security and Privacy Controls Assessment and Information Technology Audit

engagements for compliance with regulatory requirements, and security and privacy standards, including

FISMA, HIPAA, SOX, GLAB, COBIT, PCI DSS and NIST SP 800 Series.

2

• Reviews Information Technology Auditors, and Information Security and Privacy Control Assessors

workpapers and provides coaching/mentoring as needed.

• Oversees the review of federal agencies clients' SA&A systems packages including, ISRA report, SSP, PIA

report, CP, TTP and POA&M report.

• Manages and conducts SCA of applications and supporting infrastructure (Networks, Databases, Operating

systems, security systems, tools etc.) to determine the effectiveness of security and privacy controls

implemented in federal agencies Information Systems to protect critical data.

• Advices federal agencies Business Owners and Information System Security Officers (ISSO) on a wide

range of compliance challenges, such as dealing with security and privacy issues related to the usage of

sensitive production data in development and testing environments, to help them remediate findings to meet

FISMA compliance requirements.

• Manages and conducts IT Governance, Risk and Compliance (GRC) assessments and provides advisory

services to Federal, State and Private IT Governance leaders to help them effectively and efficiently align IT

objectives with business objectives, create business value and get a good return on IT investment (ROI).

• Manages and creates security and privacy policies, procedures and standards for federal and state clients.

• Assists Business Development teams responsible for writing and presenting project proposals to prospective

clients with writing of the technical proposals.

Health and Human Services Centers for Medicare and Medicaid / Computer Science Corp (CSC) Project

7142 Ambassador Road, Baltimore, MD 21244

• Managed Centers for Medicare and Medicaid (CMS) information systems SA&A process, including

supporting a customer facing team of Business Analysts and System Developers/Maintainers to ensure that

Cybersecurity and privacy controls implemented in federal information systems complied with FISMA

based on NIST SP 800-53, NIST SP 800-82 and NIST SP 800-37.

• Conducted ISRA of CMS systems for compliance with FISMA based on FIPS PUB 199 Security

Categorization Standard, NIST SP 800-30 Risk Assessments Guide and NIST SP 800-37 Risk Management

Framework guide.

• Participated in third party SCA of CMS systems and oversaw the development and implementation of

Corrective Actions Plans (CAP) for resulting findings to ensure compliance with FISMA based on CMS

Acceptable Risk Safeguards / Minimum Security and Privacy Requirements, NIST SP 800-53A and other

relevant NIST SP 800 series standards.

• Created and maintained SA&A security and privacy package artifacts, including ISRA report, SSP, CP, TTP,

SAP, SAR, and POA&M report for supported CMS systems based on NIST SP 800-37.

• Assisted Business Owners obtain /maintain systems Authorization to Operate (ATO) in compliance with

FISMA.

John Munyasya 13304 Bayberry Drive, Germantown, MD 20874 202-***-**** acc9y4@r.postjobfree.com P a g e 3 10

4

• Supported CMS security and privacy related activities including maintaining security and privacy

compliance artifacts in CMS FISMA Controls Tracking System (CFACTS) tool, as well as attending

conferences, discussion groups and ATO briefings for assigned CMS systems.

• Performed continuous monitoring activities to assist in maintaining the assigned CMS systems ATO.

• Managed and performed IV&V reviews, including technical review of project planning software documents

for all SDLC phases based on established standards; supervising and reviewing testers’ workpapers;

managing the assessment schedule; creating and presenting the IV&V deliverables and managing clients’

relationship.

• Supported delivery of systems to healthcare information users through employment of testing and

documentation practices consistent with internal governance and regulatory requirements related to security,

privacy, integrity, and confidentiality of healthcare data.

• Reviewed, analyzed and evaluated system changes as part of the release process to maximize systems

reliability.

Health and Human Services Office for Civil Rights / Computer Science Corp (CSC) Project

7142 Ambassador Road, Baltimore, MD 21244

• Managed the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) National

Cybersecurity and privacy incidents investigations and compliance reviews program for compliance with

HIPAA Privacy, Security and Breach Notification Rules including tracking the incidents in OCR Program

Information Management System (PIMS) and reporting on the status of the incidents investigations/reviews

and resolution on weekly basis.

• Managed a team of HIPAA Privacy and Security rules Subject Matter Experts (SMEs), assigned breach

incidents cases to the SMEs for review and reviewed workpapers.

• Advised OCR management and covered entities (health plans, health care clearinghouses and health care

providers) on Cybersecurity and Privacy standards and best practices for implementation of safeguards to

protect Electronic Protected Health Information (ePHI) to reduce Cybersecurity and privacy risks.

• Conducted compliance reviews, investigations, analysis, evaluations and studies of Cybersecurity and

privacy breach incidents reported by covered entities across the country over administrative, technical and

physical safeguards, including risk analysis, risk management, access management, training, encryption,

contingency planning, incident response and reporting, policies and procedures as well as workstation,

network, personnel, and physical security and privacy.

• Developed recommendations to assist covered entities improve their Cybersecurity and privacy program

implementation and operations plans based on analytical research and evaluation of current Cybersecurity

and privacy threats intelligence.

• Supported OCR HIPAA Privacy and Security Rule compliance and enforcement program efforts of

monitoring compliance Resolution Agreements (RA) and Corrective Action Plans (CAP) issued to covered

4

entities to ensure agreed Cybersecurity and privacy safeguards got sufficiently implemented to protect

Electronic Protected Health Information (ePHI).

• Developed resources materials for dissemination to the public and OCR regional offices to provide guidance

on HIPAA Privacy and Security Rule compliance.

• Participated in OCR approved HIPAA conferences and Health Information Privacy (HIP) National calls, on

invitation, to keep abreast with current developments and key milestones in the HIPAA compliance and

enforcement landscape.

Health and Human Services Centers for Medicare and Medicaid / Ernst and Young LLP Project

8484 Westpark Drive, McLean, VA 22102

• Managed and performed FISCAM based Information Systems IT General and Application Controls

Auditing of CMS Services Central Office, CMS Claims Processing Contractors, Enterprise Data Centers,

Medicare Shared Systems Software Development Contractors and Medicare Systems Quality

Assurance/Testing Contractor.

• Evaluated Medicare processing Applications, Operating Systems and Networks documentation to identify

security and privacy weaknesses for mainframe environment (z/OS, DB2, RACF etc.), Windows Operating

System, Oracle database, UNIX Operating Systems and Network Devices (routers, firewalls etc.).

• Performed walkthroughs and conducted independent testing of IT processes controls operating

effectiveness, including testing of Security and Privacy Management, Access Management, Configuration

Change Management, Segregation of Duties, Contingency Planning, Application Security and Privacy,

Business Process, Interface and Database Management Systems Controls to determine the level of

protection of CMS claims processing systems and information hosted at CMS Enterprise Data Centers

(EDC).

• Assisted in information systems Cybersecurity and Privacy Assessments and Authorization activities,

including performing Cybersecurity and Privacy Risk Assessments for compliance with FISMA, HIPAA,

and OMB Circular A-123 directive.

• Reviewed SSP, DRP, BCP, BIA, PIA, ATO, POAM reports, Security and Privacy Policies and Standard

Operating Procedures (SOP) for compliance with FISMA, HIPAA, and OMB Circular A-123 directive.

• Documented and presented IT Audits results and findings with recommendations to CMS management and

CMS contractors for remediation to improve Cybersecurity and privacy posture of the agency and its

contractors.

• Managed and participated in the assessment of CMS Information Security and privacy Program for

compliance with FISMA, through inquiries observations and testing of selected security and privacy

controls supporting major CMS applications and general support systems.

5 10

John Munyasya 13304 Bayberry Drive, Germantown, MD 20874 202-***-**** acc9y4@r.postjobfree.com P a g e

6

United States Postal Services / PricewaterhouseCoopers Project

475 L’Enfant Plaza SW, Washington, DC 20590

• Managed and performed IT General and Application Controls audits of USPS IT Systems including SAP

and Oracle applications Enterprise Resource Planning Systems; UNIX, Mainframe (z/OS), open Virtual

Memory System (VMS) and Windows Operating Systems; DB2 and Integrated Database Management

System (IDMS) databases; and Resources Access Control Facility (RACF) and Active Directory security

systems for compliance with FISMA.

• Provided advisory services on the design and effectiveness of IT Controls across Cybersecurity and privacy

Management, Access Management, Configuration Change Management, Segregation of Duties, Computer

Operations (Data Center, Job Scheduling, Back up etc.) and Application controls.

• Reviewed systems and network documentation to identify security and privacy weaknesses for mainframe

environment (z/OS, DB2, and RACF), windows operating system, Oracle database, UNIX operating

systems and network devices (routers and firewalls).

• Planned, supervised and conducted Enterprise Data Center systems (Networks, Mainframe Environment,

Client/Server etc.,) Cybersecurity and privacy reviews through interviewing Subject Matter Experts,

conducting walkthroughs, and performing physical inspections of configuration setting to determine

compliance with USPS and federal regulatory requirements.

• Documented and presented IT controls testing results and findings in written reports with recommendations

to USPS management for remediation to improve their Cybersecurity and privacy program.

Navy Federal Credit Union Project

820 Follin Lane SE, Vienna, VA 22180

• Supervised three internal Information Technology Auditors and provided advice and guidance to senior IT

management on creation and maintenance of adequate IT security and privacy program for compliance with

National Credit Union Act (NCUA), National Credit Union Administration (NCUA) requirements, FISMA,

Gramm-Leach-Bliley Act (GLBA) and other relevant federal laws.

• Supervised and performed Navy Federal Credit Union (NFCU) IT infrastructure security and privacy audits

over DB2, UNIX, LINUX, Local Area Networks (LAN), Novell Identity and Access Management System,

and Windows systems.

• Performed the annual compliance audit of NFCU’s Automated Teller Machine (ATM) and Point of Sale

(POS) Personnel Identification Number (PIN) Security and Encryption Key Management technology

infrastructure and assisted the Union file its annual compliance report in accordance with VISA

requirements.

• Assisted in inventorying of NFCU information systems, determining critical business units processes,

identify acceptable recovery time periods and establishing resources required for successful resumption of

business operations in the event of a disaster, performing BIA, and preparation of CP for critical NFCU

business information Systems.

• Participated in the annual IT risk assessment and assisted in preparation of NFCU’s risk-based IT audit plan.

6

Johnson Controls Incorporated

July 2008 to July 2009

5757 North Green Bay Avenue, Milwaukee, WI 53201

Lead Information Technology Auditor

• Supervises and conducted risk assessments and created audit programs to address identified risk areas.

• Supervised and performed regulatory compliance audits for compliance with industry regulations and best

practices including SOX and Good Manufacturing Practices (GMP).

• Conducted IT Audit opening, status and exit meetings with all levels of IT leadership including Executive

Vice Presidents to communicate identified IT risks and control deficiencies and negotiated remediation

action plans for agreed recommendations to comply with relevant laws.

• Supervised and performed IT General Controls (ITGC) and Application Controls (ITAC) Audits over

complex business financial applications and supporting database management systems, operating systems

and Local Area Network (LAN) IT infrastructure for compliance with Johnson Controls’ Information

Security and Privacy Policy and Sarbanes-Oxley (SOX) Act.

• Supervised and performed IT Security and Privacy Controls Audits of UNIX Operating Systems, Windows

Operating Systems, Oracle Applications and Databases Systems, SAP Enterprise Resources Planning

Application, QAD Enterprise Applications (MFG/PRO), Progress Databases and AS/400 Applications.

• Participated in System Development Life Cycle (SDLC) based information systems development testing

and evaluations (Security and Privacy Controls Assessments) projects to verify and validate that required

security and privacy controls were correctly designed and implemented, consistently with established

information security and privacy architecture as well as security and privacy controls.

• Performed and supervised data center audits, Business Continuity/ Disaster Recovery Plans (BCP/DRP)

audits.

• Performed aging analysis of account receivables and account payables transactions; tested for duplicate

amounts within account receivables and payables transactions; and tested for gaps in invoice numbers using

Audit Command Language (ACL) Computer Assisted Audits Techniques tool to support financial audits.

• Performed follow-up reviews to ensure that agreed upon findings remediation action plans implemented

were in full compliance with relevant laws.

• Assisted with internal audit department annual IT risk rating and preparation of risk-based IT Audit plan.

KPMG LLP

January 2007 to February 2008

7 10

John Munyasya 13304 Bayberry Drive, Germantown, MD 20874 202-***-**** acc9y4@r.postjobfree.com P a g e

8

303 East Wacker Drive, Chicago, IL 60601

Senior Information Technology Auditor

• Supervised and conducted risk assessments for fortune 100 companies involved with pharmaceutical,

chemical, food, energy, telecommunication, and household appliances quality systems, solutions,

applications and equipment manufacturing, and created audit programs to address identified risk areas.

• Supervised and performed regulatory compliance audits for fortune 100 companies involved with

pharmaceutical, chemical, food, energy, telecommunication, and household appliances quality systems,

solutions, applications and equipment manufacturing for compliance with industry regulations and best

practices including SOX, GLBA, FDCA and Good Manufacturing Practices (GMP).

• Served as a Subject Matter Expert and provided advice to management leadership regarding risks and

compliance issues, and presented audit findings with actionable recommendations to leadership for

remediation to mitigate the associated risks and meet regulatory and industry best practices.

• Planned and executed IT Audits activities on assigned engagement projects, including supervising teams of

two to six specialized IT and Security and Privacy Auditors working on multiple engagement projects

simultaneously; reviewing work papers; conducting IT Audit opening, status and exit meetings.

• Performed and supervised IT General Controls (ITGC) and Application Controls (ITAC) audits over Oracle

Applications and Databases, SAP Enterprise Resource Planning applications, AS/400 Business Planning and

Control Systems, ROSS Enterprise Resource Planning Applications and SyteLine Enterprise Resource

Planning applications for compliance with Laws including Sarbanes - Oxley (SOX) Act, Gramm Leach

Bliley Act (GLBA).

• Performed IT Security and Privacy Controls Assessments over operation systems and networks against

company IT security and privacy policies and industry standards including NIST SP 800 - 53 Security and

Privacy Controls Standards and Payment Card Industry Data Security Standards (PCI DSS).

• Performed IV&V assessments, including technical review of project planning documents, and system

operations and maintenance procedures/processes based on established standards; and creating IV&V

deliverables.

• Reviewed systems and network documentation to identify security and privacy weaknesses for mainframe

environment (z/OS, DB2, and RACF), windows operating system, Oracle database, UNIX operating

systems and network devices (routers and firewalls).

• Performed and supervised Statement on Auditing Standards Number 70 (SAS 70) Audits which are now

known as Statement on Standards for Attestation Engagements Number 16 Service Organizations Controls

(SSAE 16 SOC I, II and III) Audits.

• Performed and supervised data center audits, Contingency Plans audits and System Development Life Cycle

(SDLC) projects pre and post implementation reviews.

• Supervised and performed Automated Teller Machine (ATM) and Point of Sale (POS) Personal

Identification Number (PIN) Security and Encryption Key Management Reviews.

8

• Performed aging analysis of account receivables and account payables transactions; tested for duplicate

amounts within account receivables and payables transactions, and tested for gaps in invoice numbers using

Audit Command Language (ACL) Computer Assisted Audits Techniques tool.

• Prepared and presented final IT Audit report to executive management and board of directors to

communicate identified IT risks and control deficiencies.

• Performed and supervised IT risk assessments, including providing advice and sharing IT internal controls

knowledge with IT Management leadership and staff to strengthen IT risk, IT controls, IT governance and

regulatory compliance.

Mutual of Omaha

June 2004 to November 2005

3301 Dodge Street, Omaha, NE 68131

Auditor

• Planned, supervised and tested SOX IT General Controls and Technical Infrastructure audits of AS/400

BPCS, UNIX, Windows, DB2 Oracle and Network Infrastructure systems.

• Planned and performed IT Computer Operations audits including testing of controls around distributed

computing environments, communication, network connectivity, business continuity management, disaster

recovery plans, data centers, system job scheduling, business financial application incident management

procedures, data backups and restoration, and preparation of supporting audit work papers.

• Communicated deficient IT controls to management with recommendations for remediation

• Performed follow-ups reviews to assure that executed deficient controls remediation action plans were

appropriate.

EDUCATION:

• University of Nebraska, Omaha, NE January 2005 to December 2006

MSC in Management Information Systems, GPA 3.596

CERTIFICATIONS:

• Certified Information Systems Auditor (CISA)

• Project Management Professional (PMP)

SECURITY CLEARANCE:

• Public Trust Level 6 (SF 85P) Sponsored by Department of Health and Human Services (DHHS)

9 10

John Munyasya 13304 Bayberry Drive, Germantown, MD 20874 202-***-**** acc9y4@r.postjobfree.com P a g e

10

CITIZENSHIP:

• United States

10

Contact this candidate