William A. Ross
CELL 804-***-****
Email: ************@*****.***
P O Box 1465, Greensboro, NC 27402
Summary of success:
I have had the honor to serve 21 years in Air Force Intelligence. I have
applied my Intelligence war fighting skills to every corporate job I have
had since leaving the Air Force. In 2013, the need to apply Cyber
Intelligence practices and principles is an essential defensive tool in
fighting the ongoing Cyber Crime that is being waged against government and
corporate institutions.
Working with my teammates achieving great things is one of my absolute
core values. I have proven executive and operational hands-on experience at
global financial institutions (AIG, JP Morgan, the Federal Reserve and
HSBC), E-Commerce (Barnes and Noble.com), State governments (Virginia) and
the United States Air Force. I have led complex multi-million dollar
technical transformation projects while leading up to 100 people. As a
successful business manager, I have successfully executed budgets of up to
$36,000,000.
Specialties: Recent secret security clearance
CISSP, CISM, IAM, SABSA, Master Intelligence Officer, ITIL
Examples of successful organizational restructuring improvements:
Built or implemented:
- The Intelligence Threat Fusion Center for Balkans War. Named the future
of Intelligence warfighting.
- The Intelligence Operations plan for DESERT STORM. Named best combat
intelligence unit in DS.
- The Intelligence Tactical Intelligence collection program for combat
operations within Central America.
- The Intelligence Fusion plan for the Air Force Security Police
- Numerous Intelligence wargaming scenario plans used throughout the Air
Force
- JP Morgan's first global security architecture
- The Threat Management Security Operations Organization for the Federal
Reserve IT.
- The first technical compliance security program for Barnes and Noble.com
- HSBC.com's first threat management operations team.
- The Threat and Vulnerability management managed Services transformation
effort for the State of Virginia
- The draft risk management process for the California Dept of Corrections
Health Services.
- The Security Lifecycle Management Process that is the end-to-end process
risk management process to build security requirements, testing and
certification into the software development process or the SDLC.
- The first operational remotely piloted vehicle deployment since the
Vietnam War.
- Several other Intelligence programs for the Department of Defense.
Tool and Process Experience:
Sherwood Applied Business Security Architecture (SABSA), National Institute
of Standards and Technology (NIST) control processes, ISO 9001 and 27001,
PCI, SOX, FISMA, detailed risk management and system security plan
development, security road map development, platform security, patch
management, vulnerability management, SOC development, software development
lifecycle (SDLC) security and secure coding management, disaster recovery
planning, Identity access management, IAM workflow tools, Control SA,
Access vault, Siteminder, SailPoint, remote access and authentication,
enterprise systems, NIDS, IPS, HIDS, database security tools, mail
proxies, SIEM, vulnerability assessment tools, application firewalls,
firewalls, ITIL and change controls tools, encrypted file system (EFS),
hard disk encryption, anti-fraud, PKI, database encryption, Web 2
security, wireless security, incident response, strategic planning, vendor
management, security testing, email filters, log monitoring, etc.
JOBS
AIG United Guaranty Corporation, Greensboro, NC
9/12 - current
Director Security Strategy and Architecture
. First ever UGC enterprise Security Architect
. A primary architect for building global AIG secure code process and
procedures
. Architecting complex solutions for multiple technologies (Identity
management, intrusion detection, network access control, password
vaulting, and access control)
. Building risk management and secure application development procedures
. Designing technical engineering flowcharts and documents
. Designed a risk posture metric process
Assura Consulting, Richmond, VA
4/12 - 7/12
Senior Security Consultant
. Three month engagement to build risk management control procedures.
. Defining risk-based solutions for state government agencies
. Conducting risk and compliance assessments upon customer requests
. Implementing NIST-based system security planning
. Defining customer technical, compliance, and IT management
requirements
. Building secure software development programs for state agencies
JP Morgan Chase, Columbus, Ohio
1/12 - 3/12
VP, Information Risk Management for Security
. Created application security testing improvement to include a new
approach to risk score evaluations
. Designed enterprise Data Base Security program management corrective
project plan
. Implemented core metrics improvement for the compliance management
system
. Developed team to re-architect bank retail branch instant issue check
card system
. Developed solutions to streamline role based access identity and
access management program
. Job eliminated within three months due to an internal JP Morgan-Chase
merger
INFOSECFORCE, Richmond, VA
11/11 - 1/12
Security Process Design Architect
INFOSECFORCE is a company that originated the Security Lifecycle Management
Process (SLCMP). SLCMP can significantly reduce cyber threats against your
company by integrating the best features of The Sherwood Applied Business
Security Architecture (SABSA) Framework, Open Security Architecture (OSA)
Framework, Open Web Application Security Project (OWASP) guidelines, and
all applicable security IT features of the National Institute of Standards
(NIST) Security Guidelines into a company specific comprehensive
information risk-management architecture framework (IRAF).
California Dept of Corrections Health Services, Sacramento, CA
8/11 - 10/11
Senior Architect and Risk Management Consultant
. HIPAA-based consulting engagement.
. Created baseline process using SABSA risk-based architecture approach.
. Built the draft security control environment and the security input
design for the new Enterprise Architecture (EA) program.
. Built and implemented Initial risk assessment and system security plan
process.
. Created security organization charter and recommended organizational
structure.
Northrop Grumman Corporation, Richmond, VA
4/08 - 8/11
Information Security Officer/Senior Security Advisor/Risk Manager
. Managed approximately 50 employees and contractors in building the
security program for Virginia
. Restructured the vulnerability assessment framework and security patch
management process.
o Patch management went from 40 per cent to 96 per cent compliance
under my plan
. Served as the Program Security Officer and Senior Security Advisor
that built the extensive ITIL and 27001-based risk architecture
framework.
. Converted 85 state agency security programs into a federated MPLS
solution
. Diligently tracked contract to task success, saved 500,000 dollars.
. Managed various audits to include PCI, Internal Revenue, and critical
SAS 70/SSAE 16 audits.
. Designed and structured SLA driven and metrics-based enterprise
security managed operation.
. Created a National Institute of Standards (NIST) control-based
standards development model.
AXA-Tech North America, New York, NY
4/07 - 04/08
Director, Information Security Architecture
. Implemented Sherwood Applied Business Security Architecture (SABSA)
process.
. Defined the baseline security architecture framework for North America
... 10 new security projects
. Implemented the PKI framework within AXA Tech for smart card and
laptop encryption.
. Managed the Sarbanes-Oxley compliance management program.
. Introduced the Security Lifecycle Management Process for project
management.
. Designed security risk and work measurement for global data center
consolidation.
Federal Reserve Information Technology, Richmond, VA
8/03 - 4/07
Vice President and Information Security Officer (ISO)
. Led 52-member staff and executed multi-million dollar budget.
. I restructured the information security for the technical backbone of
the Federal Reserve System.
. Saw a 35 per cent change in staff assignments and provided 40 per cent
organizational growth
. Conducted 190 major system risk assessments to prepare for the ISO
27001 certification - we achieved ISO 9001 certification.
. Implemented metrics-based management solutions to run our Information
Assurance business.
. Compliance program focus was COSO, Sarbanes Oxley, NIST, and FISMA
influences.
. My Security Architect called me the "Father of Distributed Security in
the Federal Reserve"
In a private effort, while at the Federal Reserve, I learned our wounded
troops had to pay for their own calls home when they were recovering at
Walter Reed Medical Center. As such, I designed a VOIP solution to enable
them to call home for free. I called CISCO with the idea and CISCO very
generously sponsored the effort and deployed it to Brooks Army Medical
Center in Texas.
Hong Kong-Shanghai Bank Corporation.com, Jersey City, NJ
8/02 - 8/03
Information Security Operations Manager
. Created the Security Operations Program for the E-commerce front end
for global banking.
. Implemented detailed Security engineering test and evaluation
immersion process for the software development life cycle (SDLC), one
of the few in Information Security Industry with this expertise.
. Pioneered the HSBC.com Operational Risk Management processes.
. Implemented application test program designed to harden applications
against attack.
. Created and implemented the security incident response program.
Barnes & Noble.com, New York, NY
3/00 - 8/02
Director, Information Security
. Created the first ever E-Commerce Information Security, Privacy, and
Disaster Recovery program.
. Implemented technical anti-fraud program which had startling and
immediate results.
. Designed and led implementation of extensive business-wide customer
data encryption effort.
. New York Times said Privacy Policy I created was one of the best on
the internet.
. Created extensive Disaster Recovery and Business Continuity Program
with 15 business lines.
. Built the operational security program including key components of
defense-in-depth program.
Computer Sciences Corporation (CSC) and Pinnacle Alliance at JP Morgan
06/97 - 03/00
Wall Street, New York
Manager, Information Security Engineering
. Implemented the first ever JPM security global information security
architecture. Tested and implemented intrusion detection, compliance
management, VPN, UNIX SUDO, and system auditing.
. Created JP Morgan's first secure application certification procedure
for all financial services apps
. JP Morgan Chief Risk Officer said products would not go into
production without this certification
. Created an extensive web-based compliance tool to capture and evaluate
Information Security reports from hundreds of Security agents ensuring
JP Morgan met security policy standards.
United States Air Force Officer
02/77 - 07/97
Last Air Force job
Director, Global Air Force Intelligence Systems Integration
03/94 - 07/97
My team designed and implemented numerous multi-million dollar global IT
Intelligence programs for Special Operations and conventional wars.
My Intelligence Program for Desert Storm was deemed the "Best Combat
Intelligence Program in the Theater of Operations". A four star general
said my combat support operations center that I designed for the war in
Bosnia was "absolutely perfect" and the Director of the CIA said it was
the future of combat support.
Education:
- Master of Science, Management Science, Binghamton University, NY
- Strategic Studies, Air War College, Maxwell Air Force Base, Alabama
- BA, Political Theory, Catholic University, Washington, DC
- Air Command and Staff College (Management, military theory, aerospace
studies)
Certifications and training:
- Master Intelligence Officer Rating, United States Air Force
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- Certified ITIL level 1 Systems and Business
- Systems and Business Security Architecture (SABSA) trained
- Information Assurance Management (IAM) trained by the National Security
Agency