Sign in

Security Management

Prairie Village, Kansas, 66208, United States
March 29, 2011

Contact this candidate
Sponsored by:
Post Jobs to
Multiple Job Boards &
Get more Candidates
Try it Free!
Start your 30-day
Free Trial

Executive Summary

Information Security Manager with twenty-five years of success delivering

innovative and fiscally responsible business solutions while ensuring

organizational compliance with relevant regulations and industry best

practices. Proven, hands-on technology expertise, focused on the design,

deployment, management, and protection of enterprise infrastructure,

applications, and data. Forward-thinking leader, providing strategic

guidance in the development and hands-on administration of technical and

non-technical security controls based on comprehensive risk management.

Enterprise Security Architecture Regulatory Adherence

Policy and Procedure Development Budget Forecasting and Control

Vendor Negotiations and Risk Analysis and Management


Business Continuity / Disaster Security Controls Design and

Recovery Review

Change Control and Management Project Management


Capella University, Minneapolis, MN 2006

. Master of Science, Information Technology

o Specialization in Information Security

Washington College, Chestertown, MD 1986

. Bachelor of Science, Physics

o Concentration in Computer Science

Certifications & Training

. Certified in Risk and Information Systems Control (CRISC) 2010

. Project Management Professional (PMP) 2010

. Certified Ethical Hacker (CEH) training

. Certified Information Security Manager (CISM) 2007

. Certified Systems Security Professional (CISSP) 2006

. Checkpoint Firewall NG Bootcamp

. ITIL Foundation Training

. Microsoft Certified Systems Engineer (MCSE) 2003


Regulatory Compliance: GLBA, PCI-DSS, HIPAA HITECH, Sarbanes-Oxley (SOX),

FFIEC, NCUA Part 748

Frameworks: ISO 27001/27002, COBIT, COSO, ITIL, SDLC, UAT methodologies

Development: Perl, PHP, ASP .NET, HTML, VB, Powershell, Shell scripting

Operating Systems: Windows 95 - Windows 7/Server 2008R2, Mac OSX, AIX,

OS/400, Cisco IOS, Linux (Debian, Ubuntu, Red Hat, BSD), VMWare

ESX, Microsoft Virtual Server

Databases: Microsoft SQL Server 6.5 - 2008, Oracle RDBMS, MySQL, Access

Hardware: Cisco switches, routers, PIX/ASA, MARS, Aventail 1500, Reconnix

iGuard, Forescout Counteract, Qualys, nCircle 360, Akonix L7,

Bluecoat ProxySG, Ironmail, Nokia and Crossbeam firewalls,

Citrix NetScaler, F5 LTM & GTM, Juniper Netscreen firewalls, SA

2500 SSLVPN, NSM, IDP-75, Entrust mini tokens, Tripwire, TriGeo,

TriCipher, Imperva

Software: Checkpoint FW-1, VPN-1, Provider-1, Microsoft SCCM, SCOM, IIS,

SharePoint, Symantec/Trend Micro/McAfee Antivirus, Entrust

IdentityGuard, RSA SecureID, Citrix, PGP Universal Server & WDE,

Apache, Tomcat, Snort, Nessus, Wireshark, Nmap, AlienVault OSSIM

SIEM, AppScan, Firemon, EnCase, Solarwinds

Positions Held

Oregon Health & Sciences University, Portland, OR

2010 - Present

Manager, Security Engineering

Management position responsible for overseeing security engineering and

operations for 13,000 user organization consisting of hospitals, clinics,

post-secondary education centers, and research facilities in 156 locations.

Key Contributions:

. Directly managed 4 Security Engineers and 6 Computer Access

Analysts, responsible for designing, implementing, and managing

security controls in accordance with local, federal, and

organizational regulations and policies

. Managed disk encryption project, overseeing the management and

automated deployment of PGP WDE and policy utilizing PGP Universal


. Implemented enterprise-wide unified security event system to detect

computer infections and violations of University Information

Security Directives

. Worked with internal and external audit staff to ensure compliance

with pertinent regulations and industry best practices including


. Direct responsibility in managing $1.1M security engineering budget

including forecasting, purchase approvals, staff compensation, and

capital project requests

. Updated and implemented incident response processes and

communication program to ensure timely and consistent response to

security events within the organization

. Implemented Imperva application firewall to reduce the risk of

attack against poorly written external applications

. As a voting member of organizational security subcommittees,

assisted in University governance, policy development,

implementation, and exception reviews

Epiq Systems, Inc., Kansas City, KS

2009 - 2010

Security Engineer / Information Security Officer

Developed and managed the enterprise security program, encompassing

worldwide corporate infrastructure and IT processes for legal services

firm. Responsible for ensuring compliance with relevant regulations


Key Contributions:

. Designed technical security architecture and managed the project to

deploy an enterprise-wide external user directory for use in

corporate DMZs

. Managed certification and accreditation program against NIST 800-53

standards for applicable client environments

. Developed, reviewed, and updated corporate security policies and

procedures, focusing on user responsibilities and information

technology management practices

. Reviewed and updated hardening standards surrounding corporate

desktop and server virtualization deployments

. Replaced managed IDS system with Cisco IDS solution saving the

organization approximately $94,000 in the first year and $117,000

for each successive year

. Performed internal and external penetration tests and vulnerability

assessments against corporate information assets and worked with

staff to mitigate found weaknesses

. Deployed WebSense content monitoring solution to review Internet

usage and ensure compliance with acceptable use policies

. Investigated log management and security event management solutions;

selected Cisco's MARS appliance to aggregate and alert on potential

network and security concerns

. Responded to regular audit and RFP questionnaires regarding

information security program practices, controls, and capabilities.

. Prepared and delivered security reports for internal and external

customers detailing risks, vulnerabilities, and mitigation task


. Worked to establish appropriate and compliant controls for each

unique business partner agreement.

. Updated Tripwire intrusion detection system to monitor and alert

based on NIST 800-53 standards

Southeast Corporate Federal Credit Union, Jacksonville, FL

2007 - 2009

VP Information Assurance

Recruited by former CIO from Security Savings Bank to establish and manage

the enterprise-wide information security program based on the ISO 27001

framework and ensuring compliance with FFIEC, GLBA, and NCUA regulations

for the corporate credit union and three majority owned subsidiaries.

Key Contributions:

. Managed the documentation, architecture, development, and testing of

the corporate disaster recovery capabilities, protecting 66 individual

applications and infrastructure components. Utilized business impact

analyses to determine recovery time objectives and service level

agreements ensuring Information Technology capabilities meet or exceed

expected business goals

. Fostered partnership with Internal Audit and NCUA examiners to prepare

and manage audit materials and create management responses to

findings. Ensured timely implementation of agreed-upon solutions

. Deployed Entrust IdentityGuard and Self Service Server software and

tokens to provide enhanced multifactor authentication for corporate

applications and access to infrastructure systems for staff and credit

union members.

. Developed and utilized IT operations risk methodology to recommend and

implement appropriate security controls for the enterprise

. Reduced incoming spam and phishing attempts by 45% through the

introduction of Ironmail appliances to filter incoming and outgoing

email and provide a secure messaging platform to securely exchange

confidential information with members and other third parties.

. Co-founded Change Control Board and published board charter with

structured change process, resulting in improved efficiency and

ensuring all production changes are appropriately reviewed and

approved prior to implementation

. Brought managed intrusion prevention service in-house utilizing

Juniper IDP devices thereby reducing operational expenses by $21,000

per year.

. Oversaw the development and implementation of corporate security

policies and procedures based on the ISO 27001 framework

. Utilized VMWare and Microsoft Virtual Server to create virtual servers

for testing and development

. Deployed TriGeo security event management system and data warehouse to

collect and archive security log information and provide alerting and

reporting to operational staff

. Responsible for Information Assurance budget development, purchasing,

and vendor management including negotiations, contract review and

administration, adherence to terms and conditions for all security

hardware, software, and outsourced resources

. Developed and managed security controls test plan and information

security status report to evaluate and present summary information to

executive staff on the effectiveness of key controls within the


. Managed regular vulnerability assessments with Qualys and Nessus

scanners. Oversaw the successful implementation of mitigating controls

to resolve discovered vulnerabilities

. Partnered with application development staff to provide guidance in

the creation of structured standardized security controls for business

to business applications and services utilizing industry best

practices from ISO and NIST standards

. Directly managed Information Assurance team of 3; responsible for the

hiring, firing, mentoring, and reviewing staff performance

. Developed curricula and conducted security awareness and security

controls training programs for all Southeast Corporate executive

management and staff

. Proposed project to save $85,000 over 4 years by replacing TriCipher

multifactor authentication system with an Entrust solution

. Replaced aging firewall infrastructure to improve performance,

reliability, and reduce costs. The resulting annual savings of $24,000

was realized from the elimination of redundant data circuits and


. Deployed small office Juniper firewalls to establish VPN connectivity

for Cisco IP phones and laptops, reducing long distance charges by

$500 per month and extending full network capabilities to home-based


. Performed, authored, and presented cost-benefit analysis and product

evaluation documentation for capital projects and improvements to

executive leadership

Security Savings Bank, Olathe, KS

2006 - 2007

AVP / Information Security Officer

Executive experience as the Information Security Leader, developing and

managing the information security program for a financial services

organization $650M in assets and 14 branch locations. Responsible for

ensuring IT compliance with FFIEC, FDIC, and GLBA regulations.

Key Contributions:

. Managed annual reviews from Internal Audit, OTS, and third-party

auditing agencies, providing documentation, technical overview, and

management responses for findings against the IT department

. Configured and deployed security event management and alerting system

utilizing security open source tools including OSSIM, Nagios, Snort,

Nessus, and nmap

. Developed and managed disaster recovery planning, testing, and

documentation for each critical system to ensure compliance with

business requirements and expectations

. Recommended and replaced existing ISA proxy for Bluecoat ProxySG

appliances with content management software. The addition of the

Bluecoat system resulted in an extra layer of security against malware

and phishing attacks while significantly improving bandwidth


. Developed and forecasted annual budget to fund information security

capital improvements and expenses

. Addressing all audience levels, published monthly security column

describing emerging risks and best practices for enterprise and

personal computing

. Performed regular security assessments utilizing Qulays and Nessus

vulnerability scanners and tracking the mitigation of found weaknesses

through resolution

. Implemented secure Cisco wireless networking solution utilizing WPA2

and 802.1x with Active Directory user and system based certificate

authentication to ensure encrypted communication with banking


. Deployed Microsoft WSUS to automate the installation of monthly

Microsoft patches to all sites

. Performed annual technology risk review, recommending changes in

processes and the deployment of technical controls based on findings

. Deployed EMC mail archive solution to offload email space requirements

and improve legal discovery in the event of litigation

H&R Block, Kansas City, MO

2001 - 2006

Senior Security and Compliance Engineer

Provided technology and security architecture design, deployment, and

management for Fortune 500 financial services organization. Led multiple

projects to deploy information security controls to reduce risk to the


Key Contributions:

. Performed system risk analysis of major enterprise applications and

partnered with product owners to aid in the mitigation strategy at-

risk system components

. Deployed, administered, and maintained Nokia firewalls with Checkpoint

software to provide network security to public facing hosts, business

partners, and remote office systems

. Created business case recommendation and oversaw the deployment and

support of Whale Communications SSL VPN appliances to provide secure

remote access for business partners and associates

. Partnered with external audit staff to create and execute Sarbanes-

Oxley 404 controls tests and provide results along with suggestions to

mitigate findings

. Project manager responsible for planning and implementing Microsoft

SMS, deploying the client software, packaged applications, and monthly

OS patches to 12,000 servers and workstations

. Deployed Cisco MARS system to capture and alert on security events

from 2000 critical devices located across four major metropolitan


. Created automated images, scripts, and instructions to upgrade servers

and workstations for Financial Advisor offices from Windows 95 to XP

and Server 2003

. Implemented RADIUS server based on Microsoft's IAS to provide

authentication for remote access VPN devices and administrative level

access to core security systems

. Architected network infrastructure including firewalls, load

balancers, and server farm to support online tax preparation


. Created web-based enterprise security dashboard detailing current

vulnerability and mitigation state for IT management and product


Contact this candidate