Security Electrical Engineer

Location: Bowie, MD
Salary: 120K
Posted: August 11, 2017

Resume:

Martin A Hayott II

**** ****** ****** **., *************, MD 20721

202-***-****

ac1r4l@r.postjobfree.com

Summary of Qualifications

Experienced Information Risk, Security, Privacy & Compliance Professional / Electrical Engineer seeking a position with an organization that will utilize a successful career to meet or exceed company goals. Mr. Hayott develops plans to safeguard enterprise-wide information and information systems against accidental or unauthorized modification, destruction, or disclosure.

Executive Policy & Subject Matter Expert (SME)

OMB Circular A-130 (Management of Federal Information Systems)

OMB M-03-22, Guidance on Implementing the Privacy provisions of the E-Gov Act of 2002, Sept 2003

OMB M-05-15, Reporting Instructions for FISMA & Agency Privacy Management, June 2005

OMB Circulars A-123 Management Accountability and Control, A-127 Financial Management Systems, A-130 Management of Federal Information Resources, and the Core Financial System Requirements publication entitled Federal Financial Management System Requirements (FFMSR)

E-Government Act 2002, FISMA, HIPAA, HITECH, Breach Notification, HITRUST, and the Privacy Act 1974 (as amended)

Additional Expertise

Working knowledge of NIST Information Security Documents by Topic Cluster, Family, and by Legal Requirements; SP 800-53 Rev 4; the NIST Interagency Reports (NISTIR); and the NIST Risk Management Framework (Risk Identification, Risk Assessment, Risk Response & Mitigation, Risk Monitoring & Reporting).

HIPAA Security Rule Crosswalk to NIST Cyber Security Framework, NIST SP 800-66

Hands-on knowledge of assessing FISMA controls against VA 6500 & IRS 1075, and HIPAA controls against CMS MARS-E and CMS ARS

NIST Cyber Security Framework; SANS Institute InfoSec Reading Room: Applying the OSI 7 Layer Network Model to Information Security (mapping vulnerabilities to controls).

FIPS Publication 199, Standards for Security Categorization of Federal Information & Information Systems; FIPS Publication 200, Minimum Security Requirements for Federal Information & Information Systems

Hands-on knowledge of security testing services: Tenable Network Security / Nessus for software vulnerabilities, web-app security, vulnerability scanning & assessments, credentialed scanning of Windows, Linux and Mac platforms, policy creation, reporting, Windows compliance, and mobile device vulnerability monitoring, scanning & analysis.

NSTISSP No. 11 (National Policy Governing the Acquisition of Information Assurance (IA) and IA-enabled IT products), FedRAMP, and DoD 8500.01E: IA requirements are identified at the design stage and throughout the acquisition life cycle.

DoD 8500.2 IA Implementation, 8510.01 DIACAP, 8520.02 (PKI/PKE), VA Directive 6500 Information Security Program

VA Handbook 6500.3 Certification & Accreditation of VA Information Systems, VA Handbook 6500.6 Contract Security, and VA Handbook 6500 & Appendices A-F Information Security Program

Deliverables include: risk culture, risk register, risk appetite, risk tolerance, risk scenarios, key performance indicators (KPIs), key risk indicators (KRIs), and SDLC.

Working knowledge of the Capability Maturity Model (CMM), Common Criteria (CC), COBIT 5, ISO 27002, PCI DSS, SOX GCC, and configuration management solutions powered by File Integrity Monitoring (FIM)

Education

1984 Bachelor of Science, Electrical Engineering (B.S.E.E.)

Howard University, Washington, DC

1995 Graduate Program: Engineering Management

Catholic University, Washington, DC

Work Experience

ANKH Solutions, Mitchellville, MD 20721 05/14 - current (part-time)

Director of HIPAA Compliance Programs

Mr. Hayott developed, authored, directed, and delivered solid HIPAA Compliance Programs for Group Providers. Adopted and performed risk assessments. Selected and implemented security & privacy controls across the Group Providers' network. Monitored updates to federal and state laws. Provided gap analyses, gap remediation and assessments for compliance programs. Conducted HIPAA audits, documented findings and initiated Plans of Action & Milestones to correct the deficiencies.

Social Security Administration (SSA) Woodlawn, MD 21235 09/14 – 04/15

Senior Compliance Specialist

Mr. Hayott served as a Senior Compliance Specialist for the Social Security Administration Office of Compliance and Oversight / Office of Information Security. Mr. Hayott worked with the team that conducts compliance reviews of State Agencies that have been granted access to SSA-provided data as Electronic Information Exchange Partners. This task involved the assessment of policies, technical controls, and internal controls implemented by State Agencies to protect SSA-provided information in accordance with the agreement between the SSA and the Agencies. Mr. Hayott reviewed Information Exchange Agreements and Computer Matching & Privacy Protection Agreements for accuracy and completeness.

As recommended in NIST Special Publication (SP) 800-122, Privacy Threshold Analyses (PTAs) are used to determine whether a system contains PII, whether a Privacy Impact Assessment is required, whether a System of Records Notice (SORN) is required, and whether any other privacy requirements apply to the information system. PTAs should be submitted to an organization's privacy office for review and approval. PTAs are often simple questionnaires completed by the system owner, and they are useful in initiating communication and collaboration for each system between the privacy officer, the information security officer, and the information officer.

The team also reviews Security Design Plans (SDPs) submitted by State Agencies signing an Information Exchange Agreement with the SSA to gain access to SSA-provided data. The SDPs set out the security controls implemented or planned by the Agency to safeguard SSA data, and the team provides comments and guidance to the Agencies relating to their SDP and compliance with protecting SSA data.

ANKH Solutions, Mitchellville, MD 20721 12/13 - 8/14

Director of HIPAA Compliance Programs

Mr. Hayott developed, authored, directed, and delivered solid HIPAA Compliance Programs for Group Providers. Adopted and performed risk assessments. Selected and implemented security & privacy controls across the Group Providers' network. Monitored updates to federal and state laws. Provided gap analyses, gap remediation and assessments for compliance programs. Conducted HIPAA audits, documented findings and initiated Plans of Action & Milestones to correct the deficiencies.

Computer Sciences Corporation, Falls Church, VA 22042 03/12 - 11/13

Architectural Security Consultant

Clients included:

Systems Made Simple (SMS)

In response to President Obama's 2009 initiative to create a Virtual Lifetime Electronic Record (VLER) for service members and veterans, DoD and VA are working together to develop a joint integrated Electronic Health Record (iEHR). Mr. Hayott developed and co-authored numerous Certification & Accreditation artifacts for the iEHR system and its capabilities. The iEHR program implemented DoD 8500.2 IA controls at Mission Assurance Category (MAC) Level 2, Sensitive, for a system processing Personal Health Information (PHI). The primary documents Mr. Hayott developed included the Risk Assessment Plan, Incident Response Plan, Vulnerability Management Plan and the Contingency / Business Continuity Plan for two systems under development in support of the iEHR initiative. Mr. Hayott added valuable content to the Independent Verification and Validation (IV&V) process to ensure all procedure objectives were met.

Security hardening and validation of systems was performed using the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). Mr. Hayott and the security team hardened and provided administrative policies for Red Hat Enterprise Linux 6 (RHEL 6) and Windows Server 2008 R2 to document and improve the security posture of the iEHR supporting program. Standard DoD-approved security tools were used (e.g. eEye Retina Vulnerability Scanner, HP Fortify Static Code Analysis, and DISA STIG Analyzer) to evaluate system security posture and validate the hardening effort.

Social Security Administration (SSA)

Mr. Hayott served as a Senior Compliance Specialist for the Social Security Administration Office of Compliance and Oversight / Office of Information Security. Mr. Hayott worked with the team that conducts compliance reviews of State Agencies that have been granted access to SSA-provided data as Electronic Information Exchange Partners. This task involved the assessment of policies, technical controls, and internal controls implemented by State Agencies to protect SSA-provided information in accordance with the agreement between the SSA and the Agencies.

As recommended in NIST Special Publication (SP) 800-122, Privacy Threshold Analyses (PTAs) are used to determine whether a system contains PII, whether a Privacy Impact Assessment is required, whether a System of Records Notice (SORN) is required, and whether any other privacy requirements apply to the information system. PTAs should be submitted to an organization's privacy office for review and approval. PTAs are often simple questionnaires completed by the system owner, and they are useful in initiating communication and collaboration for each system between the privacy officer, the information security officer, and the information officer.

The team also reviews Security Design Plans (SDPs) submitted by State Agencies signing an Information Exchange Agreement with the SSA to gain access to SSA-provided data. Mr. Hayott delivered a System Security Plan for the Social Security Administration's (SSA) Hadoop Research Cluster (Big Data Project).

ANKH Solutions, Mitchellville, MD 20721 11/10 - 02/12

Director of HIPAA Compliance Programs

Mr. Hayott authored, directed, and delivered solid HIPAA Compliance Programs for Group Providers. Adopted and performed risk assessments. Selected and implemented security & privacy controls across the Group Providers' entire enterprise. Monitored updates to federal and state laws. Provided gap analyses, gap remediation and assessments for compliance programs. Conducted HIPAA audits, documented findings and initiated Plans of Action & Milestones to correct the deficiencies.

SRA International, 4300 Fair Lakes Court, Fairfax, VA 22033 03/10 - 10/10

Senior Information Assurance Analyst

Mr. Hayott served as a Senior Information Assurance Analyst on the Dept. of Treasury’s Bureau of Engraving and Printing (BEP) Certification & Accreditation (C & A) project. Mr. Hayott created, developed and completed C & A artifacts such as Standard Configuration documents, Security Impact Analysis documents, Privacy Impact Assessments, and System Security Plans.

ANKH Solutions, Mitchellville, MD 20721 04/07 - 02/10

Director of HIPAA Compliance Programs

Mr. Hayott developed, authored, directed, and delivered solid HIPAA Compliance Programs for Group Providers. Adopted and performed risk assessments. Selected and implemented security & privacy controls across the Group Providers' entire enterprise. Monitored updates to federal and state laws. Provided gap analyses, gap remediation and assessments for compliance programs. Conducted HIPAA audits, documented findings and initiated Plans of Action & Milestones to correct the deficiencies.

Thompson, Cobb, Bazilio & Associates, NW Washington, D.C. 20005 03/05 - 03/07

Senior IT Auditor /Electrical Engineer

Clients included:

PENSION BENEFIT GUARANTY CORPORATION (PBGC): Performed several Certification and Accreditation program activities, Acquisition & Development security procedures, Human Resources Security, Access Control, and Communication & Operations Management reviews for PBGC, which reduced risk and ensured savings of over $1MM. Knowledge of PBGC services and applications, which include NFDE II, Integrator, Common Security Services, Approval Security Services, and Database Redesign.

Security Assessment & Authorization (SA&A) program activities: Provided input into PBGC's System Security Plan. Security requirements included perceived end-user needs, laws, regulations, prioritized risk scenarios, and best practices and standards. The Security Plan described the security controls in place, the privacy impact assessment, system interconnection agreements, security configuration checklist, contingency plans, incident response plans, and risk assessment. Provided input into PBGC's Security Assessment Report by assessing the security controls in the IT enterprise to determine which controls are implemented correctly, which controls are operating as planned, and which are delivering the desired outcome as it relates to the system security requirements. Delivered input to the Plan of Action and Milestones by suggesting corrective actions for deficiencies discovered during the assessment of the IT security controls.

Communication & Operations: Designed and documented communication procedures for backup of several of PBGC's mission-critical applications, denial of service protection, boundary protection, and protection from malicious code. Recommended, documented, and verified the use of validated cryptographic (encryption) algorithms, which directly addressed confidentiality, integrity, authentication, and non-repudiation in the transmission of sensitive data. Developed a plan to deploy and routinely update appropriate anti-virus, anti-spyware, and file extension blocking solutions at the gateway entry points and on desktop and server systems.

Acquisition & Development: Provided guidance on input and output data validation checks to ensure data is correct and appropriate. Recommended procedures to select, protect, and control test data. Suggested change control procedures to minimize the corruption of information systems. When outsourcing software development, considered contractual language for licensing arrangements, code ownership, quality and security functionality, and escrow arrangements in the event of third-party failure.

Human Resources Security & Access Control duties included removing physical and logical access as soon as an employee or contractor leaves, retires, or is terminated, and documenting a separation of duties by assigning tasks to different personnel, preventing one person from having total control of the security measures.

Mr. Hayott conducted internal audit reviews of the NFDE II Off-Cycle Payment System and Integrator 2.0. Reviewed and assessed the methodologies of FBA Services, BAPD, and MCU within NFDE II's Control Matrix. Completed a Control Matrix to identify key potential exposures and mitigate risks. Mr. Hayott recommended a series of process improvements to NFDE II's business continuity plans, which were adopted to ensure federal compliance. Extensive knowledge of PBGC's internal topology and methodologies: Spectrum, Integrator Common Security Services & Approval Security Services (Authorization, Monitoring, Reporting). Mr. Hayott acquired operational knowledge of PBGC's Enterprise Architecture Framework.

Mr. Hayott co-authored a white paper covering the functionality of Oracle's HRMS and PBGC's Approval Common Services (ACS) that specifically addressed the authorization process for benefit payments. The scope also included a look at the relevant federal regulations and industry best practices. The purpose of this white paper was to compare the functionality of the Oracle HRMS suite of applications and PBGC's Approval Common Services (ACS) against industry standards and best practices.

HOWARD UNIVERSITY: Disaster Recovery, Business Continuity & Risk Management: Determined the potential threats and the risk associated with several mission-critical application software programs by performing threat assessments and vulnerability assessments, and performed qualitative risk analysis. Mr. Hayott drafted a formal approval process and identified individuals and roles for approval of new policies and changes to existing ones. Ensured policies, standards, and guidelines address legislative, regulatory, and contractual requirements. Advocated the significant benefits of a structured IT governance program by reminding senior management that it will reduce operational costs by providing predictable outcomes and mitigating risk factors that may interrupt business processes. Asset protection duties included drafting the necessary policies, standards, guidelines, processes, and procedures in order to comply with laws, regulations, and statutes with respect to asset inventory, identification, classification, use, and disposition requirements. Mr. Hayott completed a Business Impact Analysis (BIA). The Trusted Computer System Evaluation Criteria (Orange Book controls) was used as a guideline for operational assurance and life cycle assurance.

JIREH Consulting Services, Laurel, Maryland 11/04 - 01/05

Senior Electrical Engineer

THE STATE OF MARYLAND: Mr. Hayott researched and documented the state's business drivers to assist in the development of the Technical Architecture Framework Reference Model for the State of Maryland. Captured and reviewed facts about the mission, functions, and business foundation to empower managers with the ability to set enterprise-wide standards and increase interoperability between current and future systems, with an emphasis on security. Provided architectural views that help elucidate the complexity of large systems. Mr. Hayott recommended that security controls be integrated in the beginning phases of any SDLC approach; the outcome would generate opportunities for delivering superior quality, security, and cost savings. Mr. Hayott achieved economies of scale by providing mechanisms for sharing products and services across the enterprise (i.e. recommended the State drop all GroupWise licenses and use only MS Exchange for all government employees).

Internal Revenue Service, Telecommunication Division, Washington, D.C. 02/87 - 08/97

Senior Electrical Engineer

Mr. Hayott was responsible for providing technical management for the first engineering department in the IRS. Telecommunication services included LANs, WANs, ACDs, PBXs, call centers and infrastructure issues for the nationwide implementation of CRIS (statistical sampling generator). Mr. Hayott streamlined the centralization process for more than 60 locations to determine site management, establishment and closings. Established a systematic approach to detect system fluctuations and provide process and performance recommendations to minimize cost and risk. Telecommunications team member of a nationwide DISASTER RECOVERY STRATEGY pilot conducted at Martinsburg, WV for mission-critical data/voice applications relating to IRS individual and corporate taxpayer information (QoS, IPv4, priority, Integrated/Differentiated Services, and RSVP).

Security Clearance & Certifications:

Level 6 - Public Trust

Tenable Certified Nessus User (TCNU) 2016 – 2018