Resume

Security Management

Location: Prairie Village, Kansas, 66208, United States
Posted: March 29, 2011


Executive Summary

Information Security Manager with twenty-five years of success delivering innovative and fiscally responsible business solutions while ensuring organizational compliance with relevant regulations and industry best practices. Proven, hands-on technology expertise, focused on the design, deployment, management, and protection of enterprise infrastructure, applications, and data. Forward-thinking leader, providing strategic guidance in the development and hands-on administration of technical and non-technical security controls based on comprehensive risk management.

- Enterprise Security Architecture
- Regulatory Adherence
- Policy and Procedure Development
- Budget Forecasting and Control
- Vendor Negotiations and Procurement
- Risk Analysis and Management
- Business Continuity / Disaster Recovery
- Security Controls Design and Review
- Change Control and Management
- Project Management

Education

Capella University, Minneapolis, MN, 2006
- Master of Science, Information Technology
  - Specialization in Information Security

Washington College, Chestertown, MD, 1986
- Bachelor of Science, Physics
  - Concentration in Computer Science

Certifications & Training

- Certified in Risk and Information Systems Control (CRISC), 2010
- Project Management Professional (PMP), 2010
- Certified Ethical Hacker (CEH) training
- Certified Information Security Manager (CISM), 2007
- Certified Systems Security Professional (CISSP), 2006
- Checkpoint Firewall NG Bootcamp
- ITIL Foundation Training
- Microsoft Certified Systems Engineer (MCSE), 2003

Skills

Regulatory Compliance: GLBA, PCI-DSS, HIPAA HITECH, Sarbanes-Oxley (SOX), FFIEC, NCUA Part 748

Frameworks: ISO 27001/27002, COBIT, COSO, ITIL, SDLC, UAT methodologies

Development: Perl, PHP, ASP .NET, HTML, VB, Powershell, Shell scripting

Operating Systems: Windows 95 - Windows 7/Server 2008R2, Mac OSX, AIX, OS/400, Cisco IOS, Linux (Debian, Ubuntu, Red Hat, BSD), VMWare ESX, Microsoft Virtual Server

Databases: Microsoft SQL Server 6.5 - 2008, Oracle RDBMS, MySQL, Access

Hardware: Cisco switches, routers, PIX/ASA, MARS, Aventail 1500, Reconnix iGuard, Forescout Counteract, Qualys, nCircle 360, Akonix L7, Bluecoat ProxySG, Ironmail, Nokia and Crossbeam firewalls, Citrix NetScaler, F5 LTM & GTM, Juniper Netscreen firewalls, SA 2500 SSLVPN, NSM, IDP-75, Entrust mini tokens, Tripwire, TriGeo, TriCipher, Imperva

Software: Checkpoint FW-1, VPN-1, Provider-1, Microsoft SCCM, SCOM, IIS, SharePoint, Symantec/Trend Micro/McAfee Antivirus, Entrust IdentityGuard, RSA SecureID, Citrix, PGP Universal Server & WDE, Apache, Tomcat, Snort, Nessus, Wireshark, Nmap, AlienVault OSSIM SIEM, AppScan, Firemon, EnCase, Solarwinds

Positions Held

Oregon Health & Sciences University, Portland, OR
2010 - Present
Manager, Security Engineering

Management position responsible for overseeing security engineering and operations for a 13,000 user organization consisting of hospitals, clinics, post-secondary education centers, and research facilities in 156 locations.

Key Contributions:
- Directly managed 4 Security Engineers and 6 Computer Access Analysts, responsible for designing, implementing, and managing security controls in accordance with local, federal, and organizational regulations and policies
- Managed disk encryption project, overseeing the management and automated deployment of PGP WDE and policy utilizing PGP Universal Server
- Implemented enterprise-wide unified security event system to detect computer infections and violations of University Information Security Directives
- Worked with internal and external audit staff to ensure compliance with pertinent regulations and industry best practices including HIPAA HITECH, PCI-DSS, and FISMA
- Direct responsibility in managing $1.1M security engineering budget including forecasting, purchase approvals, staff compensation, and capital project requests
- Updated and implemented incident response processes and communication program to ensure timely and consistent response to security events within the organization
- Implemented Imperva application firewall to reduce the risk of attack against poorly written external applications
- As a voting member of organizational security subcommittees, assisted in University governance, policy development, implementation, and exception reviews

Epiq Systems, Inc., Kansas City, KS
2009 - 2010
Security Engineer / Information Security Officer

Developed and managed the enterprise security program, encompassing worldwide corporate infrastructure and IT processes for a legal services firm. Responsible for ensuring compliance with relevant regulations including SOX, GLBA, FISMA, HIPAA HITECH, and PCI-DSS.

Key Contributions:
- Designed technical security architecture and managed the project to deploy an enterprise-wide external user directory for use in corporate DMZs
- Managed certification and accreditation program against NIST 800-53 standards for applicable client environments
- Developed, reviewed, and updated corporate security policies and procedures, focusing on user responsibilities and information technology management practices
- Reviewed and updated hardening standards surrounding corporate desktop and server virtualization deployments
- Replaced managed IDS system with Cisco IDS solution, saving the organization approximately $94,000 in the first year and $117,000 for each successive year
- Performed internal and external penetration tests and vulnerability assessments against corporate information assets and worked with staff to mitigate found weaknesses
- Deployed WebSense content monitoring solution to review Internet usage and ensure compliance with acceptable use policies
- Investigated log management and security event management solutions; selected Cisco's MARS appliance to aggregate and alert on potential network and security concerns
- Responded to regular audit and RFP questionnaires regarding information security program practices, controls, and capabilities
- Prepared and delivered security reports for internal and external customers detailing risks, vulnerabilities, and mitigation task tracking
- Worked to establish appropriate and compliant controls for each unique business partner agreement
- Updated Tripwire intrusion detection system to monitor and alert based on NIST 800-53 standards

Southeast Corporate Federal Credit Union, Jacksonville, FL
2007 - 2009
VP Information Assurance

Recruited by former CIO from Security Savings Bank to establish and manage the enterprise-wide information security program based on the ISO 27001 framework and ensuring compliance with FFIEC, GLBA, and NCUA regulations for the corporate credit union and three majority owned subsidiaries.

Key Contributions:
- Managed the documentation, architecture, development, and testing of the corporate disaster recovery capabilities, protecting 66 individual applications and infrastructure components. Utilized business impact analyses to determine recovery time objectives and service level agreements ensuring Information Technology capabilities meet or exceed expected business goals
- Fostered partnership with Internal Audit and NCUA examiners to prepare and manage audit materials and create management responses to findings. Ensured timely implementation of agreed-upon solutions
- Deployed Entrust IdentityGuard and Self Service Server software and tokens to provide enhanced multifactor authentication for corporate applications and access to infrastructure systems for staff and credit union members
- Developed and utilized IT operations risk methodology to recommend and implement appropriate security controls for the enterprise
- Reduced incoming spam and phishing attempts by 45% through the introduction of Ironmail appliances to filter incoming and outgoing email and provide a secure messaging platform to securely exchange confidential information with members and other third parties
- Co-founded Change Control Board and published board charter with structured change process, resulting in improved efficiency and ensuring all production changes are appropriately reviewed and approved prior to implementation
- Brought managed intrusion prevention service in-house utilizing Juniper IDP devices, thereby reducing operational expenses by $21,000 per year
- Oversaw the development and implementation of corporate security policies and procedures based on the ISO 27001 framework
- Utilized VMWare and Microsoft Virtual Server to create virtual servers for testing and development
- Deployed TriGeo security event management system and data warehouse to collect and archive security log information and provide alerting and reporting to operational staff
- Responsible for Information Assurance budget development, purchasing, and vendor management including negotiations, contract review and administration, and adherence to terms and conditions for all security hardware, software, and outsourced resources
- Developed and managed security controls test plan and information security status report to evaluate and present summary information to executive staff on the effectiveness of key controls within the organization
- Managed regular vulnerability assessments with Qualys and Nessus scanners. Oversaw the successful implementation of mitigating controls to resolve discovered vulnerabilities
- Partnered with application development staff to provide guidance in the creation of structured, standardized security controls for business-to-business applications and services utilizing industry best practices from ISO and NIST standards
- Directly managed Information Assurance team of 3; responsible for hiring, firing, mentoring, and reviewing staff performance
- Developed curricula and conducted security awareness and security controls training programs for all Southeast Corporate executive management and staff
- Proposed project to save $85,000 over 4 years by replacing TriCipher multifactor authentication system with an Entrust solution
- Replaced aging firewall infrastructure to improve performance and reliability and reduce costs. The resulting annual savings of $24,000 was realized from the elimination of redundant data circuits and infrastructure
- Deployed small office Juniper firewalls to establish VPN connectivity for Cisco IP phones and laptops, reducing long distance charges by $500 per month and extending full network capabilities to home-based staff
- Performed, authored, and presented cost-benefit analysis and product evaluation documentation for capital projects and improvements to executive leadership

Security Savings Bank, Olathe, KS
2006 - 2007
AVP / Information Security Officer

Executive experience as the Information Security Leader, developing and managing the information security program for a financial services organization with $650M in assets and 14 branch locations. Responsible for ensuring IT compliance with FFIEC, FDIC, and GLBA regulations.

Key Contributions:
- Managed annual reviews from Internal Audit, OTS, and third-party auditing agencies, providing documentation, technical overview, and management responses for findings against the IT department
- Configured and deployed security event management and alerting system utilizing open source security tools including OSSIM, Nagios, Snort, Nessus, and nmap
- Developed and managed disaster recovery planning, testing, and documentation for each critical system to ensure compliance with business requirements and expectations
- Recommended and replaced existing ISA proxy with Bluecoat ProxySG appliances with content management software. The addition of the Bluecoat system resulted in an extra layer of security against malware and phishing attacks while significantly improving bandwidth utilization
- Developed and forecasted annual budget to fund information security capital improvements and expenses
- Addressing all audience levels, published monthly security column describing emerging risks and best practices for enterprise and personal computing
- Performed regular security assessments utilizing Qualys and Nessus vulnerability scanners and tracked the mitigation of found weaknesses through resolution
- Implemented secure Cisco wireless networking solution utilizing WPA2 and 802.1x with Active Directory user- and system-based certificate authentication to ensure encrypted communication with banking applications
- Deployed Microsoft WSUS to automate the installation of monthly Microsoft patches to all sites
- Performed annual technology risk review, recommending changes in processes and the deployment of technical controls based on findings
- Deployed EMC mail archive solution to offload email space requirements and improve legal discovery in the event of litigation

H&R Block, Kansas City, MO
2001 - 2006
Senior Security and Compliance Engineer

Provided technology and security architecture design, deployment, and management for a Fortune 500 financial services organization. Led multiple projects to deploy information security controls to reduce risk to the enterprise.

Key Contributions:
- Performed system risk analysis of major enterprise applications and partnered with product owners to aid in the mitigation strategy for at-risk system components
- Deployed, administered, and maintained Nokia firewalls with Checkpoint software to provide network security to public facing hosts, business partners, and remote office systems
- Created business case recommendation and oversaw the deployment and support of Whale Communications SSL VPN appliances to provide secure remote access for business partners and associates
- Partnered with external audit staff to create and execute Sarbanes-Oxley 404 controls tests and provide results along with suggestions to mitigate findings
- Project manager responsible for planning and implementing Microsoft SMS, deploying the client software, packaged applications, and monthly OS patches to 12,000 servers and workstations
- Deployed Cisco MARS system to capture and alert on security events from 2000 critical devices located across four major metropolitan areas
- Created automated images, scripts, and instructions to upgrade servers and workstations for Financial Advisor offices from Windows 95 to XP and Server 2003
- Implemented RADIUS server based on Microsoft's IAS to provide authentication for remote access VPN devices and administrative level access to core security systems
- Architected network infrastructure including firewalls, load balancers, and server farm to support online tax preparation application
- Created web-based enterprise security dashboard detailing current vulnerability and mitigation state for IT management and product owners
