BRIAN M. MARVIN
Richmond, VA 23233
OVERVIEW
As a Team Manager, Auditor, Project Manager, and Certified Information
Systems Security Professional (CISSP & CISM), I provide strategic security
auditing and technical business consulting for our largest national
eCommerce clients. The IT Auditing covered: compliance auditing in
accordance with Federal Information Security Management Act (FISMA),
Sarbanes Oxley (SOX), ISO 27001 & ISO 27005, CoBIT, COSO, and the VISA
Payment Card Standard (PCI). The on-site Auditing also included Interviews,
Observations, and Security Test & Evaluation (ST&E) that consisted of
vulnerability and security scanning, computer forensics, penetration
testing, vulnerability remediation planning, server & network security
architecture reviews, vendor management & outsourcing reviews, Security
Policy and Procedure reviews.
EXPERIENCE
Bon Secours Health Services - Richmond, VA (02/10 to Present)
Senior Information Assurance Architect
As the Sr. Information Assurance Architect, I am responsible for leading
the team building the ISO 27001 Risk Management and Assessment Program and
the development of a Network Security Architecture.
> Audited 9 Hospital / Medical Markets in accordance with SOX - ISO
27001 Baseline Security Requirements (Controls) coupled with a formal
written assessment of each Market. The ISO Control development and
Auditing included the areas of Security Policy, Asset Management,
Human Resources Security, Physical and Environmental Security,
Communications and Operations Management, Access Control, Information
Systems Acquisition, Development and Maintenance, Information Security
Incident Management, Business Continuity Management, and Compliance.
> Architected a Centralized Vulnerability Management Model using the
nCircle IP360 Web Application and Network Vulnerability scanning and
management tool. We analyzed over 50,000 devices for Vulnerabilities
and built an Executive "C-Level" Balanced Score Card/Dashboard for the
remediation of Vulnerabilities in a prioritized structured approach.
> Architected an Enterprise Threat Detection Architecture that included:
Centralized Security Event Correlation (SIEM), IDS/IPS Monitoring,
Data Loss Prevention (Data in Motion & Data at Rest), NetFlow for
Layer 3 Traffic Monitoring, and ASA Firewall Monitoring. The
Architecture also included People, Processes, and Technology solutions
to provide a 3 year Architectural Roadmap using the TOGAF IT
Architectural Model.
> Designed and implemented the enterprise ZIXCorp email encryption
program for HIPAA and Sensitive Data. The ZIXCorp email encryption
program included an enterprise awareness program, the installation and
configuration of ZIXCorp servers and policies for the encryption of
HIPAA, SSNs, and Credit Card data leaving the Bon Secours Network.
Federal Aviation Administration (FAA) - Washington DC (06/09 to 02/10)
Senior Network Security Architect - Technisource Contractor
As the Sr. Network Architect, I was responsible for developing the
Personally Identifiable Information (PII) Protection program using the
Symantec DLP (Vontu) solution for Data at Rest and End Point protection.
The Enterprise-wide Data Loss Prevention solution was used to audit PII
across 5 corporate data centers and provided HIPAA, SSN, and Credit Card
Number protection for 5,000 servers, 250 Oracle and SQL Databases, and
50,000 workstations.
Philip Morris USA - Richmond, VA (04/07 to 05/09)
Senior Security Architect - Xperts Contractor
As the Sr. Security Architect for Altria, I was responsible for building &
developing the Security Architecture Program, Security Solutions, and the
Web based repository to support the Open Group IT Architecture Framework. I
also developed, designed, and implemented several strategic IT solutions,
including Vontu Data Loss Prevention (DLP) for the protection of Privacy
Data and Corporate Intellectual Property sent across the web and email,
Identity Management, and a vulnerability auditing program using Web
Inspect, nCircle, Nessus and Nmap.
NASA, Ames Research Center - San Jose, CA (01/07 to 04/07)
Security Audit Program Manager - AmSEC Contractor
As the Security Program Audit Manager, I coordinated a team of Auditors
that architected, managed, and audited the security Certification and
Accreditation (C&A) programs for the NASA Wind Tunnel and NASA Health &
Safety organizations. The programs included a Security Plan controls audit,
HIPAA Program control assessment, Security Control implementation reviews,
Privacy Impact Assessments, Configuration Management Program assessment
for Linux, Solaris, & Windows, SCADA Program audit, Network diagrams and
boundary identification, and the use of security testing and evaluation
tools. A formal Risk Assessment Report (audit) was completed with
corrective actions and risk classification for determining final
Certification & Accreditation approval.
Federal Reserve Automation Services, Richmond, Virginia (1/97 to 12/06)
Vendor Security Manager/Technical Auditor
Results-oriented team manager of an 8-member consulting team that worked with
our largest eCommerce national accounts in the areas of security
technology/architecture specification, development of national account
requirements, cost benefit analysis of recommended solutions, and project /
vendor management.
Professional Accomplishments
> Security Manager for the $70 million outsourced eCommerce
Infrastructure operating 18 secure Web based eCommerce Applications.
As the manager of the 7-member Security Team, we conducted annual
security vulnerability and enterprise risk assessments.
> Project Manager that designed, developed, and wrote System Security
policies & plans, Operational Security Policies and Procedures,
Business Continuity plans, Access Control plans, Incident Response
Plans, and established Management, Operation and Technical Security
Controls for our eCommerce Infrastructure.
> As the Team Auditor and Audit Liaison I was responsible for managing
and conducting the semi-annual FISMA, Risk, and Vulnerability Audits
of contracts, SOW deliverables, financial records, and technical
infrastructure controls for CoBIT, ISO 27001, and NIST compliance.
> Customer Relationship Manager of the 12 member cross-functional IT
Contingency Team that built the IT Contingency Communication Center.
The project was completed in 2 months (on time) and under budget. The
IT Contingency Communication Center was staffed with 60 employees
running three shifts and coordinated all IT problems and operations
for the Federal Reserve System.
American Consulting Service, Richmond, Virginia (11/95 to 1/97)
VP of Operations
Developed and marketed business audit & consulting services for the Pulp &
Paper Mill and Chemical Industry in the areas of quality control, process
re-engineering, computer networks, and business decision systems.
Administered new customer contracts, presented proposals, and managed
customer projects.
EDUCATION
Virginia Commonwealth University, Richmond, Virginia
M.B.A. - Master of Business Administration;
education completed while working full time.
Texas A & M University, College Station, Texas.
B.S. - Mechanical Engineering, Corps of Cadets.
Scholarship Recipient: Propeller Club of Galveston. Earned 62% of
Educational Expenses.
TRAINING
Computer Forensics, LTI, Washington, D.C.
This hands-on course provided essential knowledge and skills needed
to conduct forensic analysis and incident response for security
events; 2006.
Public Key Infrastructure (PKI), LTI, Washington, D.C.
This hands-on course provided essential knowledge and skills needed
to select, design, and deploy a PKI to secure eCommerce
applications; 2006.
Assessing Network Vulnerabilities, LTI, Washington, D.C.
This hands-on course provided essential knowledge and skills
necessary to conduct vulnerability scans using NMap, ISS, and Retina
assessment tools. The Assessment Tools were used to explore Cross-
Site Scripting, Man in the middle, and Privilege Escalation attacks
and remediation controls; 2005.
Deploying Security for Windows 2000 (NT) and Internet Firewalls,
LTI, Washington, D.C.
Administration, setup, and configuration of Windows 2000 security.
The Firewall course covered the 7 layer security model using
Gauntlet and Firewall One; 2000.
Executive Leadership, American Management Association, Washington
D.C.
Strategic Planning, Vision and Mission, and Team development for
Executives; 1999
Dale Carnegie, Richmond, VA.
Effective Public Speaking and Human Relations; Award Winner - Most
Effective Presentation, 1995; Graduate Instructor 1996, 1997, 1998,
& 1999
Project Management Certification, American Management Association,
Washington D.C.
Project planning, scheduling, and managing resources to execute
successful projects; 1998-2000.
ADJUNCT FACULTY
ITT and J. Sargeant Reynolds, Richmond VA; 2007
Instructed Computer Security students in IT Architecture, Security,
Network tools, and Visual Basic programming. The 5 different courses
were designed to give students IT Architecture experience in applied
Security and Network design principles toward solving security
problems.
ABILITIES/KNOWLEDGE
HIPAA / NIST 800 Series / CoBIT / PCI
Vontu & Websense Data Loss Prevention (DLP)
ArcSight / Enterasys Dragon
Vulnerability Scanning & Enumeration
Solaris, Linux, & Windows Hardening
Windows 2003 / Red Hat / SUSE Linux Server
TOGAF - Security Architecture
Firewalls and Cisco Router
Microsoft Project 2003
Total Quality Management
Team Building / Project Management
6 Sigma Process Reengineering & Mapping
Microsoft SQL 2000 & Oracle 9i
Microsoft Front Page 2003
Tivoli Inventory Manager
Netegrity and Lighthouse Identity Management
ITIL - Problem & Change Mgmt
Forensic Analysis and Incident Handling
Microsoft Office XP
Marketing Plans & Product Promotion
VMware - System Virtualization
Pricing Strategy & Cost Benefit Analysis
TCP/IP and Ethernet Networks
Balanced Scorecard & Metrics