
System Security Information Technology

Location:
Washington, DC
Posted:
December 25, 2023


Resume:

KOJO KYEI BADU

ad17wd@r.postjobfree.com

LAUREL, MARYLAND

240-***-****

Objective

Detailed knowledge of security tools, technologies and best practices, with emphasis on FISMA and NIST publication compliance. Over 10 years' experience in Risk Management Framework and Vulnerability, specializing in providing guidance and supporting security assessments and continuous monitoring for government systems (FISMA and NIST). Perform risk assessments and compliance reviews to ensure the Integrity, Confidentiality, and Availability of system resources. Organized, solutions-focused, deadline-focused, and work well independently or as part of a team.

Education

University of Maryland, University College - Master of Science in Information Technology

University of Ghana - Bachelor of Arts in Political Science and Psychology

Certifications

CompTIA Security+ Certification

CISSP

Summary of Qualifications

Perform Security Assessment and Authorization (A&A) activities.

Develop, review and evaluate System Security Plans.

Develop and conduct SCA (Security Control Assessments) according to NIST SP 800-53A.

Familiar with FISMA and NIST publications, including SP 800-60, SP 800-53 Rev. 4, SP 800-137, and FIPS 199.

Develop and update POA&Ms.

Ability to multi-task, work independently and as part of a team.

Strong analytical skills.

Effective interpersonal and verbal/written communication skills.

Experience

MAXIMUM ATTAIN

OCTOBER 2020 – PRESENT

Information Systems Security Officer (ISSO)

● Analyze and update System Security Plans (SSP), Risk Assessments (RA), Privacy Threshold Assessments (PTA), Privacy Impact Assessments (PIA), Contingency Plans (CP), FIPS 199 categorizations, Contingency Plan Tests (CPT), System Security Test and Evaluation (ST&E), Security Assessment Reports (SAR) and Plans of Action and Milestones (POA&Ms).

● Assist System Owners in preparing A&A packages for the company's IT systems, making sure that management, operational and technical security controls comply with security requirements per NIST SP 800-53 Rev. 4.

● Designate systems and categorize their Confidentiality, Integrity and Availability (C.I.A.) using FIPS 199 and NIST SP 800-60.

● Conduct annual self-assessments (NIST SP 800-53A).

● Perform vulnerability assessments, making sure risks are assessed, evaluated and mitigated to limit their impact on the information and information systems.

● Create standard templates for required A&A documents, including Risk Assessments, Security Plans, Security Assessment Plans and Reports, Contingency Plans, and Security Authorization Packages.

● Monitor and prepare required actions and documents pertaining to the A&A of the system throughout its lifecycle, including security evaluation findings and residual risks.

● Conduct comprehensive reviews of security authorization documents to ensure that the appropriate NIST security controls were used during the assessments and are relevant to the Confidentiality, Integrity, and Availability of the systems.

● Review SSPs and other A&A documents for all applications to determine whether the organization's mandated procedures and tasks are followed, such as using CSAM.

● Review and process Interconnection Security Agreements (ISAs), Policy Waivers, Approval to Test (ATT), and Interim Approval to Operate (IATO) documents.

● Assist the Government in preparing a written justification, when appropriate, to obtain a written waiver of policy for mandated security features.

VARIQ INC

JULY 2015 – SEPTEMBER 2020

Security Control Assessor

● As an Assessor, focused on RMF phase 4 (assessing security controls).

● Effectively engaged in preparing for assessments, conducting assessments, and communicating assessment results.

● Coordinated, participated in and attended weekly forums for security advice and updates.

● Created Security Assessment Plans (SAP) to document assessment schedules, control families to be assessed, control tools and personnel, the client's approval for assessment, assessment approach and scope, and Rules of Engagement (ROE) if vulnerability scanning was involved.

● Used the implementation section of the System Security Plan (SSP), which addresses how each control was implemented (frequency of performing the controls, control types and status), as the basis for interview answers during the Security Testing and Evaluation (ST&E) documentation.

● Determined the assessment method (examining policies and procedures, interviewing personnel and testing technical controls), using NIST SP 800-53A as a guide.

● Created a Risk Traceability Matrix (RTM) in which to document assessment results (pass/fail).

● Prepared Security Assessment Reports (SAR) in which all weaknesses are reported.

● Created Plans of Action and Milestones (POA&Ms) to track corrective actions and resolve weaknesses and findings.

● Set up and participated in Assessment Kick-Off meetings.

● Determined threat sources and applied security controls to reduce risk impact.

● Used POA&M tracking tools such as CSAM (Cyber Security Assessment and Management) and/or Excel spreadsheets to make sure POA&Ms did not fall into delayed status.

CONDUENT

MARCH 2012 – JUNE 2015

Compliance Analyst

● Reviewed all third-party vendors before onboarding to make sure they aligned with organizational security and data protection measures.

● Served as point of contact for audit and risk management inquiries about Service Transition's controls and activities.

● Prepared reports and presentations for leaders, managers, analysts, and engineers.

● Performed annual risk re-assessment reviews for all existing third-party vendors and service providers to make sure they remained in compliance with organizational security requirements.

● Assisted with identifying and remediating control deficiencies and findings.

● Collaborated with departments such as Supply Chain and Privacy (Legal) to review redlines on contracts and manage information security controls.

● Ensured third-party adherence to contractual and regulatory compliance requirements to minimize the risk of fines and reputational harm.

● Reviewed and updated third-party information security policies, processes, and data flows.

● Identified improvement opportunities and control enhancements, and developed meaningful reporting metrics for senior levels of management.

● Ensured audit and risk requests were communicated to the appropriate personnel, such as subject matter experts, and tracked the progress of responses.

● Developed, recommended and documented adjustments to workflow to streamline processes.

REFERENCES AVAILABLE UPON REQUEST
