ISSO
Resume:
D. PATRICK BROWN
***** ******* ***, **********, ** 22192
Phone: 202-***-**** E-mail: *************@*****.***
QUALIFICATIONS
Results driven IT professional consultant with 20+ years of Cyber Security/Information Assurance experience in hardware, software, systems engineering, and administration. Enthusiastic and adaptive with stellar technical skills, business acumen, and proactive customer service attitude skilled at developing cutting-edge solutions that meet the requirements for various corporate enterprises, federal civilians, and government agencies. I’m self-motivated and proactive to working on lean and collaborative teams that have a committed attitude to the program/project. I have the ability to work as a lead, team player or independently, while multi-tasking in high-stress, fast-pace environments.
Possess over 12 years of experience providing cybersecurity services with a strong record of past performance in advising and executing cyber missions. Strong acumen of information risk concepts and principles as a means of relating business needs to security controls, information security concepts, protocols, industry best practices and strategies with the ability to anticipate future security needs and potential solutions. Qualified in leading information security team members and work efforts, maintaining customer relations along with excellent verbal, written, and interpersonal communication skills and supporting documentation creation.
Information Assurance: experience within the Intelligence and Health Affairs Communities: ensure the confidentiality, integrity and availability of systems, networks, and data through the planning, analysis, development, implementation maintenance, and enhancement of systems, programs, policies, procedures and tools. Certification expected fall 2017; Certified Information Systems Security Professional (CISSP). (FAA/DoT; NISA-P/DoD; USMC/DoD; INSCOM/DoA; TMA/DoD; DISA/DoD; BAT-A/DoA; OCIO/USDA; IFC/World Bank; CMS/HHS; US Mint).
Hardware and Software systems engineering and administration: A broad understanding of computer hardware and software, including installation, configuration, management, troubleshooting, and support. Network skills: creating and designing LANs, laying cable, deploying network wide patches, CPU, SVR, laptop, scanner, printer and monitor using various hardware devices and troubleshooting skills. Create programs and databases using MS Office, XP, and Vista. (Joint Chiefs of Staff/DoD; FBI/DoJ; DSS/DoD; USMC/DoD).
TECHNICAL PROFICIENCIES
DISA Gold Disk
Linux/Unix
MS Office Pro 2007/2010
My SQL/SQL
HP WebInspect
eEye Retina
Burp Suite
Metaspoit
JIRA
Confluence
SECSCN Solaris/Trusted Solaris WASSP
Windows XP/Vista/7 STAT Scanner
Tenable Nessus
Cenzic Hailstorm
Trustwave AppDetective
Python TFIMS (Treasury)
MS Visio/Power Point/Publisher
eMASS
Xacta
Cyber Security Assessment & Management (CSAM) version 2&3
Perl
EXPERIENCE
Cloudburst Security Washington, D. C. Feb 2016 – present Cybersecurity Program Manager Chief Information Officer US MINT
Perform day-to-day coordination of the overall Chief Information Officer support functions for the US Mint both Operations and Compliance
Organize, direct, and coordinate the planning and production of all support activities for US Mint; demonstrate strong written and oral communication skills
Establish and adjust (as necessary) structure to align with US Mint Business Units support activities
Participate as a lead and member of the Federal Government-led team
Act independently in an advisory capacity as information security Subject Matter Expert (SME) with regards to program management
Prepare requisite review documentation and presentations as well as conduct briefings on behalf of the Cybersecurity team
Coordinate Cybersecurity activities related to Chief Information Officer (CIO) projects, change requests, services, and release management
Provide information security subject matter expert liaison to clarify and promote identification and implementation
Participate as directed in formal and ad hoc meetings and working groups representing the Cybersecurity team and/or coordinate specialized expertise within the Office of Cybersecurity
Coordinate in the administrative functions necessary to serve and support the Office of Cybersecurity, primarily the CISO and Cybersecurity Team Leads
Track and facilitating the review and approval of all significant policy/process/procedure documents maintained by the Office of Cybersecurity
Provide personnel tracking for on-boarding all employees, including, but not limited to, participating in on-boarding Human Capital activities, ensuring equipment is available of the day of employment and arranging for badging
Serve in an administrative support capacity for the Office of Cybersecurity using a wide variety of technologies and platforms, including, but not limited to, Microsoft Office Suites Particular proficiency is required in Outlook, Word, Excel and Power Point
Working both independently and collaboratively in a dynamic, deadline-driven environment
Effectively handling multiple projects and business partners simultaneously while maintaining important particulars and details.
Experience in Information Systems Security Program (ISSP) operations
Led in managing tasks, schedules, resource allocation, and communication with key stakeholders, etc.
Perform Strategic IT Security Planning
Develop and present formal presentations and executive summaries to senior management
Experience with core PM tools including Microsoft Project, SharePoint, and Microsoft Office
Blue Canopy Reston, VA Apr 2015 – Feb 2016
Project Manager/Sr. Cyber Consultant Chief Information Security Officer (CISO) Services Unit
Trusted cyber advisor to both Federal and Commercial customers, including large complex enterprise organizations, across the country.
Strong project management skills and experience in creating and managing project plans, including budgeting and resource allocation.
Security Liaison to the application teams for the implementation of the Open Web Application Security Project (OWASP) standards into the Software Development Life Cycle (SDLC) process.
Familiarity with applicable legal and regulatory requirements, including but not limited to, the U. S. Sarbanes-Oxley Act, the U. S. Health Insurance. Portability and Accountability Act (HIPAA), and the European Union Privacy Directive.
Experience working with legal, audit, human resource (HR), and compliance staff.
Providing risk management, governance, operations, and compliance services, utilizing our Risk Management Framework (RMF) methodology.
Collaborate with key stakeholders, CISOs, Information System Security Managers (ISSM), and Information System Security Officers (ISSO) to develop an information security framework based on organizational risk and business requirements.
Foster partnerships with business units, management, and peers to help promote security across organizations ensuring business objectives are met in a risk controlled manner to address Information security risk based frameworks, standards and policies.
Identify, prioritize, communicate, gain acceptances, and obtain funding for critical security projects and processes required for a successful RMF implementation.
Develop budget projections based on short/long term goals and objectives of the CISO and key stakeholders.
Monitor and report on compliance of regulatory requirements and policies, as well as the enforcement of security policies across the organization.
Develop a standard set of security and risk management indicators to effectively communicate to upper management and track value to the organization.
Develop and maintain a Vendor Management program to ensure all third party vendors, and the services they provide, align to the organization’s risk profile, policies, and standards.
Implement a methodology to rate the risk of each initiative and third party vendor to track, monitor, and maintain accordingly the services, within acceptable risk levels.
Mentor, lead, and/ or communicate information security, security solutions, and risk expertise.
Collaborate with IT and business units for security tasking and resolution.
Identify security requirements based on business requirements and objectives, standards, regulations, and industry best practices.
Manage staff of information security professionals, train new staff, provide leadership and coaching, set goals and objectives for staff that align with organizations goals and objectives.
Maintain and enhance organization’ s risk levels and implemented security controls by monitoring the security environment for its effectiveness, conducting security analysis on various controls and systems, identifying gaps, educating users, and recommending and implementing improved solutions.
Own and lead efforts in promoting a risk awareness culture by adding value to customer’ s goals and objectives, seeking opportunities to promote security within the organization, and by aligning customer’ s objectives and goals to the organization’ s risk profile.
Develop solutions to business problems with an emphasis on understanding how security solutions, processes, and policies impact risk to the organization.
Experience in developing, maintaining, and implementing policies, procedures, standards, and guidelines.
Proficiency in performing risk, business impact, control and vulnerability assessments, relating security requirements to appropriate security controls and in defining remediation strategies.
SC Foster Washington, DC Apr 2012– Apr 2015
Project Manager/Sr. App. Security Analyst Corporate Business Technology Risk Management (CBTRM)
International Finance Corporation (IFC) is responsible for managing security strategy, operations and compliance activities for the company’s member institutions and protecting assets that total more than $628 billion of annual investments in poor and developing countries. In addition, IFC manages security across remote sites in over 180 countries across the globe.
Designed, developed, documented, implemented, maintained and support the company's information security risk management program in line with the company's information security policy, practices and leading industry standards based upon knowledge of FISMA, OMB, NIST and DITSCAP/DIACAP experience.
Assisted in defining IFC’s information security risks pertinent to its business goals and technology infrastructure and designed an enterprise information security risk program to identify, assess and respond to risks.
Maintained an up-to-date understanding of emerging trends in information security risks; applied new techniques and trends, in-line with overall information security objectives and risk tolerance of the company's, to the company's information security enterprise on appropriate fixes based on reviews and diagnostic tests performed.
Designed, developed and documented risk management policies, practices and procedures utilizing FISMA, OMB and DOD guidance.
Assessed, evaluated, and recommended appropriate security controls to be integrated into the life cycle of software and IT infrastructure’s development and enhancement projects.
Tested for code vulnerabilities and advised developers.
Recommended and devised remediation solutions to ensure application and infrastructure development processes were secure and advised on potential vulnerabilities in the SDLC or of specific code vulnerabilities.
Assessed application and infrastructure projects against secure coding policies and practices.
Ensured adherence to the Enterprise Security Architecture, Internal Controls over Financial Reporting, and other risk and control requirements as necessary.
Resolved challenging problems in collaboration with other infrastructure team such as server team, network team, database team, and development teams on installation, troubleshooting, and problem resolution.
Applied solid technical abilities, analytical, problem solving skills and application knowledge in resolving the production issues.
Evaluated and provided feedback on future security technologies, new releases and upgrades.
Assessed and provided recommendations on their business relevance and deployment.
Identified solutions that met business requirements, in alignment with strategic goals, and improve performance.
Analyzed business and technical requirements.
Coordinated the design of subsystems and their integration with larger systems.
Implemented integration plans. Interfaced with testing teams to incorporate plans into the integration testing process.
Provided strong communication and interpersonal skills to work effectively with geographically distributed technical and business staff.
DISS, LLC Washington, DC Jan 2011 – Apr 2012
Project Manager/Sr. IA Engineer Cyber and Privacy Policy Oversight
Assisted USDA Agency IT security personnel in the security certification and accreditation process, on an on-going basis, to ensure mission requirements are satisfied while meeting the security requirements and employing the security controls defined in the system security plan.
Represented the operational interests of the USDA, OCIO and serve as C&A subject matter experts with regard to current NIST, FISMA, OMB and USDA IT security related initiatives, policies, procedures and guidance.
Verified with agencies if any new systems are being developed or if older systems are planned for retirement.
Served as personal liaisons for each USDA agency throughout the system development life cycle of each individual information system for each Agency.
Maintained status of upcoming systems with expiring ATO’s to ensure timelines are met for Phase 1 and Phase 2 C&A processes.
Conveyed USDA-level guidance and assistance in complying with current NIST, FISMA, OMB, and USDA IT security-related C&A guidance.
Provided guidance to individual agencies with regard to existing, new or changing USDA IT Security C&A initiatives.
Assisted and mentor Agency-level C&A personnel, including Agency ISSPM’s during all phases of the C&A process.
Served as C&A subject matter experts to agencies.
Validated Phase 1 and Phase 2 C&A status for each individual system based on the ATO expiration date.
Kept up-to-date regarding each agency’s mission and purpose, as well as in-depth knowledge of their overall network and system-specific infrastructure for each system, for each agency.
Reviewed all Cyber Security Assessment Management (CSAM) documentation for each information system listed within the agency to ensure compliance, completeness and validity.
Trained agency field personnel on NIST 800-53 Revision 3 control conversion as trained by CSAM Administrator.
Performed as quality control and first contact for all Phase 1 and Phase 2 C&A documentation for each information system, for each agency prior to entrance of USDA OCIO concurrency review process.
Reviewed all documentation and work with agencies individually to work through issues prior to concurrency review.
Provided CSAM Version 3.0 Upgrade training continuously to Agency C&A staff (including contracted personnel).
Assisted CSAM Administrator with training repository updates.
Cyber Security Assessment & Management (CSAM) Administrator.
Assisted Project Manager and Administrator for the largest CSAM application implementation in Civilian Government.
Managed and administered CSAM for all 29 sub-agencies and 700 systems.
Instrumental in CSAM 800-53 Rev3 upgrade.
Participated in DOJ Red Team for CSAM v3.0.
Developed and delivered custom sub-agency training for all phases of the application.
Actively participated in future CSAM development activities with DOJ.
Provided OCIO level reports and system status to senior staff.
Expert in documenting tasks and issues using SharePoint issue tracking template.
Participated in developing agency specific CSAM documentation and user guides.
Assisted in Managing a 600 line CSAM centric project plan.
SeNet International Corp. Washington, DC May 2010 – Dec 2010
Project Manager/Sr. IA Analyst Procurement Systems Division
Evaluated the security posture of the Integrated Acquisition System (IAS), and makes recommendations to the System Owner, Certifying Authority and the Approving Authority.
Provided technical vulnerability assessment of System, for USDA Office of the Chief Information Officer using FISMA, DIACAP, and other approved processes to include: using both automated vulnerability assessment tools (Gold Disk, eEye Retina, AppDetective, WebInspect) as well as manual testing scripts.
Uploaded all C&A Phase I documentation into CSAM for both review and concurrency by the Phase II vendor and Cyber Security for PSD IAS MA.
Evaluated and assessed compliance with established information assurance policies and regulations.
Performed security assessments, reviewed documentation, and support security analysts in a team of technically diverse personnel.
Conducted and documented risk and threat assessments.
Made recommendations for implementing countermeasures, prepared required documentation for and coordinated with senior engineer.
Conducted engineering analysis and evaluation for security-related hardware, software, and system component evaluations.
Developed and provided test plans and vulnerability reports to a team of Security Analysts according to, DOD, Federal, DISA and other Information Assurance (IA) related requirements.
Kept abreast of emerging security technologies and made appropriate recommendations regarding their implementation.
Provided direction, technical experience, and work assignments to direct other Consultants; reviewed work products for correctness and adherence to DOD, NIST, FISMA, and other IA Standards, and tracked progress against work schedules.
Prepared deliverables and delivered presentations in all areas of expertise to colleagues, subordinates, and end-user representatives.
Made coordination with the Task Manager to ensure problem resolution and user satisfaction. Interfaced with external customers to provide IA subject matter expertise throughout the system development lifecycle.
Evaluated and assessed compliance with established IA policies and regulations, and advised management on IA trends and solutions.
Participated in all phases of the systems lifecycle including systems development, integration, and testing.
Gathered and organized technical information about an organization's mission goals and needs, existing security products, and ongoing programs in computer security.
Oberon Associates Springfield, VA Sep 2009 – May 2010
Project Manager/Sr. IA Engineer Program Management Biometrics
Oversight of the daily Information Assurance (IA) activities. Performs schedule, risk, quality, security and administrative duties relative to IA to include supporting additions to current task.
Provide senior level consulting to the PM Biometrics on IA subjects including program development, best industry practices, and enhancements of the Biometric Automated Toolset – Army (BAT – A).
Implemented and managed all C&A documentation into eMASS for review by PEO EIS for PM Biometrics.
Act as primary customer contact for IA activities, leading IA review session with the government to discuss schedule and technical performance.
Task management – Assign duties to team members – ensuring adequate priorities of the tasks are appropriately staffed for coverage.
Report all pertinent matters involving the security of programs, mission support systems, application to the Information Assurance Manager (IAM).
Ensure all staff members receive annual IT Security Awareness Training and Security Responsibility Training.
Provide management of Certification and Accreditation (C&A) activities serving in an advisory role to ensure all phases of the C&A lifecycle are performed.
Conduct reviews of security related policies, audits of security programs, major application systems and associated information assets.
Establish and maintain a remediation program associated with deficiencies in Plan of Action and Milestones (POA&M).
DISYS Inc. Falls Church, VA May 2009 – Sep 2009
Project Manager/Sr. IA Engineer Defense Information Systems Agency (DISA)
Provide professional Information Assurance (IA) engineering specific to Certification and Accreditation (C&A), Department of Defense (DOD) IA policy & procedures, security threat/vulnerability assessments in support of Defense Information Systems Agency (DISA) at the Program Management Office (PMO) level.
Knowledge of Federal Regulations such as the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP), DoD Information Assurance Certification and Accreditation Process (DIACAP), Office of Management and Budget (OMB) Circular A-130, DoD Directive 8500.01, DoD Instruction 8500.02, and Department of Central Intelligence Directive 6/3.
Independently develop and assess required documentation, such as System Security Authorization Agreements (SSAAs), System Security Plans (SSPs), Security Test Plans (STPs), Security Test and Evaluations (ST&Es) Results, Vulnerability Matrix’s (VMs), Plan of Actions & Milestones (POA&Ms), and Security Design Documents (SDDs).
Advise the Program Executive Office Information Assurance Network Operations (PEO-IAN) of the C&A development capabilities and the lifecycle impact on current technology infrastructure.
Implemented and managed all C&A documentation into eMASS for review by PEO-IAN DAA for PMO.
Plan, manage, and lead the C&A programs for PEO-IAN.
Change, update or develop C&A packages for Authority to Operate (ATO), Interim Authority to Operate (IATO), and Interim Authority to Test (IATT).
Coordinate, interface, and provide tasking to Field Security Office (FSO), Configuration Management (CM), Program Management Office (PMO), and the Chief Information Office (CIO) on C&A processes and compliance.
Present C&A process charts, briefing and training to the division.
Liaison internal and external user community access to C&A information and identify areas of improvement.
Collaborate across all lines of responsibilities and communicate at all project and program levels for the government leadership.
CACI Inc. Falls Church, VA Jul 2008 – May 2009
Project Manager/Lead InfoSec Engineer Health Affairs/TRICARE Management Activity (HA/TMA)
Provide application and network vulnerability assessment for Health Systems, for DoD Health Affairs and Services (Army, Navy, and AF) using DITSCAP/DIACAP process to include:
oCertification Testing and Evaluation (CT&E)
oSecurity Testing and Evaluation (ST&E)
oUsing both automated vulnerability assessment tools (Gold Disk, eyeRetina, AppDetective, WebInspect) as well as manual testing scripts
Evaluate and assesses compliance with established information assurance policies and regulations.
Conduct technical design reviews on products and designs.
Perform security assessments, review documentation, and support security analysts in a team of technically diverse personnel.
Conduct and document risk and threat assessments.
Make recommendations implementing countermeasures, prepare required documentation for and coordinate with senior management.
Develop certification evaluation and findings reports.
Conduct engineering analysis and evaluation for security-related hardware, software, and network component evaluations.
Evaluate security risk assessments and engineering change proposals.
Develop and provide test plans and vulnerability reports to a team of Security Analysts according to Air Force, DOD, Federal, DISA and other Information Assurance (IA) related requirements.
Keep abreast of emerging security technologies and make appropriate recommendations regarding their implementation.
Bull Dog Technical Services Corp. Stafford, VA Jul 2006 – Jul 2008
Project Manager/Lead IA Analyst U.S. Marine Corps System Command (MARCORSYSCOM)
Function as the technical authority for Information Technology (IT) security management. Areas include: ensuring the confidentiality, integrity and availability of systems, networks, and data through the planning, analysis, development, implementation maintenance, and enhancement of systems, programs, policies, procedures, and tools.
Provide training, system documentation and troubleshooting guidance for on-site Intelligence personnel.
Brief PM Intel project officers semiannually on C&A process.
Implemented and managed all C&A documentation into eMASS for review by PEO EIS for PM Biometrics.
Manage two certification and accreditation information assurance specialists. Provide mentoring to junior and mid-level engineers regarding IA best practices and solving complex problems.
Manage Certification Test & Evaluation (CT&E) and Residual Risk Assessment (RRA) and determine technical recommendations for closing open vulnerabilities.
Perform network vulnerability scans and analysis to produce CT&E and RRA reports.
Create Federal Information Security Management Act (FISMA) scorecards for 41 programs [Program Management Intelligence (PMIntel)] to insure federal compliance.
Managed all C&A documentation via Xacta for briefing for both the Certifying Authority (CA) and the Designated Approving Authority (DAA) for all 41 programs.
Maintain in-depth familiarity with current exploits and vulnerabilities that are pertinent to the Windows, Solaris and Linux operating systems.
Evaluate and recommend IA solutions that support the customer’s military based mission while maintaining functionality of the products and services in specific environments.
Analyze and recommend solutions for IA based problems based on knowledge of IA products, an understanding of their limitations, and a working knowledge of the disciplines of IA (Common Body of Knowledge).
Apply knowledge of current DoD Information Assurance (IA) policies (i.e. NIST, DIACAP, DoDI 8500.2, DODIIS and DCID 6/3) from the DoD top level through the Department of the Navy to the Marine Corps. Analyze how those policies interrelate; report the structural shortcomings; and mitigate or resolve any conflicting issues for the Marine Corps.
Support local system administrators and network engineers in network monitoring techniques, intrusion detection, PKI solutions, reactive measures and prevention, security assessment methodologies, security vulnerability analysis, and data encryption.
American Systems Corp. Alexandria, VA Jan 2006 – Jul 2006
Help Desk Support (FT) Defense Security Services (DSS)
Computer helpdesk support for Facility Security Officers (FSO) nationwide interfacing with DSS to process clearances for DOD contractors. Desktop and laptop configurations, installation of hardware and software, troubleshooting user, printer, and network problems.
Lockheed Martin Corp. Fairfax, VA Jul 2003 – Oct 2004
Systems Engineer (FT) Federal Bureau of Investigation (FBI)
Provide technical analysis in data network planning, engineering, and design.
Recommends tools and techniques needed to implement efficient solutions to network problems.
Maintain technical expertise in various areas involving network and computer operation.
Experience in developing system level requirements, test plans and procedures, concept of operation documents, life cycle cost estimates, and program acquisition schedules within the intelligence community.
Create documents for operational and engineering tasks, procedures, and configurations.
Configure and deploy servers and/or workstations for classified networks. Provide multi-tier support for systems to include setup and maintenance of user accounts.
Perform software installations and upgrades to Windows/UNIX operations systems and layered software packages and maintenance.
Evaluate, implement and manage appropriate software and hardware solutions for Windows/UNIX.
Ensure recoverability of data/media by implementing a schedule of system backups and database archive operations. Support media management through internal methods, procedures and offsite storage and retrieval services.
Conduct routine hardware and software audits of UNIX workstations/servers for compliance with established standards, policies, procedures and configuration guidelines.
DynCorp/CSC Leesburg, VA Feb 2003 – Mar 2004
Senior Network Engineer (FT) Federal Aviation Administration (FAA)
Cyber Security Incident Response Center (CSIRC) Assigned within the Office of the Director of Information Systems Security for the Federal Aviation Administration (FAA), actively participated in a variety of information systems security (ISS) activities, to include monitoring of systems status, analysis of ISS reports, use of various antivirus, intrusion detection, forensics and vulnerability assessment tools, techniques and procedures, policy development, program analysis and review hardware/software evaluation and analysis, process improvement, data management, and coordination and reporting of ISS-related incidents.
Participated in assembling, evaluating, installing and maintaining various intrusion detection sensors and associated soft ware applications.
Submitted daily status reports to executive management personnel, and coordinated with all levels of agency, government and non-government ISS professionals, to ensure situational awareness regarding FAA information systems status, lines of business points of contact threats and vulnerabilities and viable solution to ISS related problems.
Dyn Corp Herndon, VA May 2001 – Feb 2003
Team Lead Systems Engineer (FT) Federal Bureau of Investigation (FBI)
Design and upgraded wide-area and local-area components of large network consisting of nationwide and overseas locations.
Perform site surveys, network assessment, architecture design, and implementation.
Experience in systems
Contact this candidate