Kathleen Lynch, CISA, CISSP, CRISC
Cell: 508-***-****
Westborough, MA **********@*****.***
IT Security & COMPLIANCE SPECIALIST
C&A . Risk Management . Vulnerability Mitigation . Security Technologies . Privacy
Technical Certifications
CISSP (Certified Information Systems Security Professional)
CISA (Certified Information Systems Auditor)
CRISC (Certified in Risk and Information Systems Control)
ISO/IEC Prov Lead Auditor
National Security Agency (NSA) IAM Certification
National Security Agency (NSA) IEM Certification
Tivoli Certified Solutions Expert
IBM On Demand Business -Solution Advisor Certification
Websphere Portal V5.0 Deployment and Admin Certification
Sametime Instant Message and Web Conference Admin Certification
Lotus Notes & Domino System Administration Certification, versions 4, 5, 6, 7
Lotus Notes & Domino Development Certifications, versions 4, 5, 6, 7
IBM Certified Deployment Professional
Six Sigma Green Belt
IBM SOA OnDemand eBusiness Certification
IBM Secureway Firewall for AIX Certification
DOD 8570 certified; SECRET Clearance
Summary
An accomplished professional with a Secret clearance and proven expertise in Information Assurance, Information Security, IT Audit, and risk management. Exemplary record in reducing security vulnerabilities, mitigating business risks, and improving efficiencies. Adept at working across all levels of an organization and communicating with multiple departments and levels of management to resolve technical and procedural risks.
Qualifications
IT Security
. FISMA Audits
. ISO 27001 Audits
. Log Analysis
. CCRI Audits
. SAS 70
. Mobile Device Security
. Standards & Policy Development
. HIPAA
. Virtualization Security
. Cloud Computing and Big Data
Risk Management
. Risk Assessments
. Vulnerability Mitigation
. Countermeasure Plans
. Threat Analysis
. Patch Management
. Supply Chain Methodologies
Security Technologies
. Access Control Systems
. Network architectures
. Forensics and Incident Response
. ID Credentialing and Badging
. Network Evaluation
Bootcamps, Training, and Conferences
. Intrusion Detection
. 20 Critical IT Controls
. Computer Forensics & Response
. Privacy Academy
. Ethical Hacking
. SOX 404
. Virtualization Security
. CCNA Boot camp
. Log Management In Depth
. Auditing the Perimeter
. Tripwire
. Mobile Device Security
. NIST Big Data
. Meta-Data Tags
. PCI Data Security Standards
. NIST Cloud Security WG
. ID Trust
. Supply Chain Security
Professional Experience
FIS (Fidelity National Information Services)
2013 - Present
St. Petersburg, FL
Information Security/ Compliance Specialist
. Primarily involved with Information Security, Risk Management, Security Configuration Management, Incident Detection, Incident Response, Operational Intelligence, PCI-DSS, and SSAE-16.
. Works with stakeholders to develop and implement a framework consistent with standards, guidelines and best practices.
. Acts as a day-to-day liaison between business SMEs and technical teams. SMEs are business units; technical teams include FIS in-house IT, Rackspace (outsourced data center) and other outsourced vendor teams.
. Acts as a day-to-day liaison between external auditors (customer auditors) and technology teams.
. Works closely with SMEs in the definition, testing, implementation, and support of functional requirements.
. Gathers requirements and translates them into implementation "use case" documents and technical specifications.
. Creates documentation for day-to-day operations with Tripwire; creates PCI-DSS and other reports.
US AIR FORCE Hanscom AFB Bedford, MA
Dec 2009 to Jan 2013
DCGS Multi-Execution Office (DMO)
ESC Air Operations Center (AOC)
ESC Family of Gateways (FOG)
Information Assurance Manager (IAM)
Provided information security analysis and information assurance services for the development of enterprise software for the DCGS program, the DIB (Distributed Integration Backbone) for DOD and IC communities. Development teams used Agile processes for J2EE architectures, SOA, WS- web services, REST, Identity Management (IdDAM), Federated Identity (SAML, etc.), SSO, policy/entitlements (XACML, etc.), and SOA security. Documented, analyzed and designed business requirements and software requirements specifications (SRS) within a formalized SDLC. Recommended process improvements within the SDLC.
Participated in Enterprise Standards working groups, meta-data tagging management, VOM identities, data classification structures, and cross-domain solutions (PL-3, Centaur); used NIST 800-53 v4, ICD 503, and AFISRA controls. Interviewed, collaborated with, and gathered requirements from "business line" process analysts (representing all the Services) and application developers while providing feedback for functional specifications.
Reviewed flowcharts, Entity Relationship Diagrams (ERD), Dataflow Documents (DFD), and schemas.
Worked with virtualization, cloud and wireless device implementations. Chair of the DIB (Data Integration Backbone) Compartmented Data Security Working Group, with the goal of PL-3 interoperability across the Services and the IC community. Provided security and information assurance, as well as education for staff. Participated in the ONDI Web Services Security Group, the NIST Cloud Security Working Groups and the NIST ID Trust Working Groups. Mobile Device Security. Responsible for DCGS Testing Lab C&A, DREN and DDTE network testing: network management security integration, and networking protocols. DCGS-I test bed at China Lake, CA.
FISMA and CYBERCOM audits and Plans of Action and Milestones (POA&Ms): created risk remediation plans using SecScan, STIGs, Gold Disk, Retina and other testing media; created classified materials; reviewed PPSM and other DIACAP artifacts and wrote classified Plans of Action and Milestones (POA&Ms) and remediation for findings.
CDRL review: provided feedback to system designers, manufacturers, and logisticians on the performance of, and requirements for improving performance in, the operational environment; evaluated proposed solutions for reliability, maintainability, supportability, functionality, and data integrity.
Provided security and information assurance education for staff.
Worked with virtualization teams for the global AOCs, cloud C&A and implementations, firewall assessments, and PPSM / CAL. Previously, the IA Manager for 6 different DOD acquisition projects using DIACAP and PIT, and DIACAP IA for the AOC, an ACAT1 system of systems encompassing 59 systems in 26 global locations.
. Conducted FISMA audits and created risk remediation plans: used Gold Disks/Platinum Disks, STIGs, and other testing media; created classified materials and wrote classified Plans of Action and Milestones on audit findings. Reviewed PPSM and other DIACAP artifacts.
. NSA lead for GEMS; Clinger-Cohen, Program Protection Plan (PPP) and
Critical Program Information (CPI)
. Conducted Vendor initial and exit interviews during site visits, wrote
reports, and classified Plans of Action and Milestones on findings.
. Wrote mitigations and risk reduction for non-compliant features.
Wrote justifications providing necessary evidence/justification for
the statement of residual risks. Wrote UIARs, IATTs, IATOs that led
to ATOs/ATCs.
SPECIALIZED COMMUNICATIONS Westborough, MA
1996 - 2007
Owner of a computer/business technology consulting firm.
. Coordinated productive team strategies to organize and manage project personnel, resulting in reduced project costs.
Below is a chronology of highlights:
EMC GLOBAL SECURITY OFFICE Westborough, MA July 05/29
2007 - May 2009
Office of Information Security & Risk Management (OISRM)
Business Information Security Analyst / Risk Manager
EMC Corporation (NYSE:EMC), the world leader in information infrastructure solutions, reported 2009 revenue of $14 billion. As a member of the Global Security Office's Information Security & Risk Management (OISRM) team, I assessed the probability and severity of various global and local threats to EMC's computing infrastructure. Guided business unit representatives through EMC's Third Party Access Management (TPAM) process and Merger & Acquisition process, recommended Third Party Access (TPA) network architectures based on the requirements of the business, and provided Enterprise Risk Management services. Developed risk remediation programs while remaining compliant with Sarbanes-Oxley, SEC, PCI DSS, ISO and relevant compliance and regulatory standards. Participated in the ISO/IEC 27001/2 Enterprise Standards group.
. Interviewed, collaborated with, and gathered requirements from business unit process analysts, gathered data for functional specifications and provided Third Party Access
. Conducted risk assessments to identify threats and vulnerabilities; adept at providing robust countermeasures that result in a strengthened security posture and reduced risk for clients.
. Identified and implemented relevant business processes and workflows.
. Communicated with multiple departments and levels of management to resolve technical and procedural IT security risks.
. Maintained the Country Threat database (PESTELI analysis) and Country Risk Control Matrix.
. Modified the business's risky behavior by issuing Risk Letters and Interim Approval to Operate (IATO) Letters, and tracked compliance. Scale: in addition to employees and contractors, over 5000 third parties were involved in 1000 TPA projects; 500 projects were active at any given time. Some projects involved 1500+ networked resources.
. Applied COBIT, ITIL, best practices and EMC Global policy frameworks/standards to the IT environment.
. Worked daily with IT Operations on the use of firewalls, ports / protocols, VPN, etc.
. Reviewed, developed and wrote IT Standards, Policies and Guidelines for the EMC Enterprise.
PFIZER New London, CT
March 2007 - July 2007
Sr. Business Analyst
Enterprise analysis, requirements planning & management, requirements elicitation, requirements communication, requirements analysis & documentation, and solution assessment & validation.
. Built corporate-wide risk mitigation and issue resolution guidelines for project teams.
. Performed gap analysis for new functionality requirements and prioritized them based on actual business needs so as to align them with the product release roadmap.
. Wrote use cases and other design documents such as Data Flow diagrams and Activity diagrams for better understanding of the system.
. Created Process Flow Diagrams, Use Cases, Functional hierarchy diagrams, swim lanes, activity diagrams, class diagrams and other diagrams using System Architect.
. Used Rational Requisite Pro, Microsoft Word, and Rational System Architect.
OVERTONE SOFTWARE Bethesda, MD
June - Nov 2006
Enterprise Governance, Risk Management, Compliance
Sr. Business Systems Analyst
Spearheaded the IBM platform portion of a GRC start-up, which included technical pre- and post-sales support, including locally and remotely demonstrating the archive / knowledge management / compliance product.
. RFPs / Solution Designs / Business Process Modeling / Use Cases
. IT Controls / Data Governance / Knowledge Management / Information
Security
. Knowledge of Sarbanes-Oxley, HIPAA, COBiT, FISMA, ISO 27001, GLBA,
Clinger-Cohen Act, etc
. Data Archives / eMail Archives / FRCP.
TERADYNE Boston, MA
January - June 2006
Business Process IT Engineering
Sr. Systems Analyst
After the announcement that IT would be outsourced, there was a snowstorm of resumes flying out of Teradyne. With a small staff, maintained operations and system administration of a global Enterprise Advanced Messaging and Collaboration server farm of 35+ servers until IT was transferred to the outsourced provider. Mobile Device Management. Wrote documentation for knowledge transfer to the outsourced call center and help desk.
. Digital Signatures and Information Security
. Blackberry / and other mobile device administration and support
. Advanced Messaging and Quality Applications Support
IBM GLOBAL SERVICES
CitiGroup /Met Life Warsaw, Poland 2005
Consultant
Enterprise Messaging and Infrastructure Services
This global project required close integration with CONUS, Singapore and other project teams around the world to migrate Citigroup business units (Microsoft) to the acquiring company's, MetLife's (IBM), technologies. As the sole project person in Poland, I led a 5-man Polish team to a successful migration / implementation.
. Secure Messaging and Collaboration
. Information Security
. Training / Consulting
. Support / Migration / Problem Resolution
TJX Framingham, MA
September 2004 - June 2005
Enterprise Quality Messaging Services
Sr. Technical Analyst / Infrastructure Consultant
Integral part of a corporate team working on secure advanced messaging integration, specifically on inter-company / intra-company business units' advanced messaging, web conferences, instant messaging and quality applications.
. Information Security
. Infrastructure Services, Level 3 Support
. Application access controls
. Enterprise Messaging and Quality Apps
RAYTHEON Waltham, MA
January 2004 - August 2004
Enterprise Operations Support /Infrastructure Services
Knowledge Management / Information Security
Sr. Analyst / Enterprise Infrastructure Consultant
Hired to resolve a secure web conferencing and instant messaging problem, I fixed the network latency issue, stabilized the production environment, moved the HelpDesk from El Segundo, CA to Waltham, MA, wrote/coded a HelpDesk database (still in use), and improved customer service by 100%. ITAR and other security implementations were requirements.
. ITAR Compliance
. Information Security / Knowledge Management
. Information engineering for quality apps
. Collected business requirements
. Help Desk Reporting: created an Enterprise Level Service Support ticket application
Computer Associates (formerly NETEGRITY) Waltham, MA
January 2002 - August 2003
Web Security Product Global Technical Support
Resolved customer security product implementation issues and wrote
internal documentation. Provided excellent customer service 98% of the
time.
. Web Security and Policy Server product technical support
. World-wide Technical L3 Enterprise Support
. Developed documentation to support the corporate knowledge base
. Reproduced customer issues
NATIONAL GRID USA (formerly NEES) Westborough, MA
Oct 1999 - Nov 2002
Enterprise Intranet Developer and Infrastructure Implementation
Consultant
Rescued the web-based InfoNet project (C2 security), which had been shelved for 3 years due to technical difficulties and organizational resistance. Successfully deployed the InfoNet product (over 400 databases and 3000 browsers), which was hailed as business essential and adopted by the acquiring National Grid UK. Featured for my work in the company newspaper. Hailed as a major improvement by the acquiring company, National Grid UK, the InfoNet provided secure web access to all internal business information.
The legacy employee population was unfamiliar with web technologies. InfoNet allowed content providers to post to the web without any training, creating significant savings. LOB managers were able to update spreadsheets on the web for the sales force without IT's intervention, creating significant efficiencies and increased business satisfaction in addition to cost savings.
. Deployed over 400 databases and 3000+ browsers to create the company's first intranet.
. Due to M&As, the secure web-based intranet GUI was redesigned (400+ DBs).
. Implemented Domain Search to search all databases in the intranet securely.
. Worked with all business units, e.g. Retail Marketing, Supply Chain Management, HR et al., to develop business requirements for their web sites.
. Evaluated the program with Customer Satisfaction Surveys.
Education
University of MO - Kansas City BA, MA
Harvard Business School PMD
Lowell Institute at MIT
Honors and Awards
Certificate of Recognition, NIST Cloud Computing Security Reference Architecture, 2013
NIST Cloud Computing Security Working Group, Member, 2011 - Present
NIST Cloud Computing Business Use Cases Working Group, Member, 2011 - Present
US Air Force ESC Cyber/Netcentric Directorate LAK Large Team Award, 2011
US Air Force ESC Airborne Network Division Outstanding Engineering Team, 2011
US Air Force ESC Airborne Network Division Outstanding Large Test Team, 2010
US Air Force ESC Airborne Network Division Small Team Information Assurance, 2010
SIGMA XI - Honorary Scientific and Engineering - Yale Chapter, now with MIT Chapter
Organizations / Leadership
Harvard Business School Alumni, Class Secretary -- ongoing
ISACA (Information Systems Audit and Control Association) -- member
ISSA (Information Systems Security Association) -- member
Boston Users Groups (former board member)
ISC2 (Information Systems Certification Consortium) -- member
NIST Cloud Computing Security Working Group
SANS Institute