Information Security Management

Professional Summary

** + years of progressive and diverse experience in Information Technology including multi-million dollar budget.

Application & network security architecture, IT project management, application and system administration and Governance, Risk & Compliance (GRC).

Experience with security risk management, incident response, threat analysis, security auditing, security monitoring and other information security practices.

Implemented IRS, CJIS, AAMVA, PCI-DSS, PII, HIPAA, HITECH data protection strategies.

Experience in implementing ISO 27001, PCI, CoBiT, NIST 800-53 and FISMA Compliance standards.

Experience in Payment Gateway Modules like Cybersource, Authorize.net, PayPal, link2gov.

Experience architecting highly scalable, distributed systems using different open source tools as well as designing and optimizing large, multi-terabyte data warehouses.

Able to integrate state-of-the-art Big Data technologies into the overall architecture and lead a team of developers through the construction, testing and implementation phase using database tools like MySQL, MS SQL Server, Oracle, DB2, NoSQL.

Expert in Business Impact Analysis, Capacity Planning, Continuity and Recovery strategies and hands on experience with Data Loss Prevention (DLP) security controls.

Experience in managing all phases of the ITIL and Risk Management Framework (RMF) activities

In-depth knowledge of Azure, AWS and other public and private cloud infrastructure. Expert in Microsoft Active Directory, LDAP and OSI Model.

Security experience with large scale customer facing production operations in a dynamic fast paced environment.

Experience in SaaS, IaaS, PaaS

Experience with ITIL, PMP, Six Sigma tools and Vocabulary.

Experience with Microsoft Office suite including MS Project and Visio and Office 365.

Experience in Encryption, Forensics, Penetration Testing, Firewalls, Proxies, VPN, SSL, IPsec, Application Security, TCP/IP, IEEE 802.X and other communication protocols.

Flexibility and strategic problem solving ability with excellent time management skills.

Extensive knowledge of platforms like Microsoft Windows, Linux, Novell, and UNIX

Proficient in the use of hardware like Routers, Switches, and Servers and common network services (DHCP, DNS, web, mail, FTP, SFTP, SSH etc.)

Working Knowledge on ServiceNow Products.

Working knowledge of IT security products and technologies (IDS/IPS, Malware Protection, URL filtering, & ACL configuration) and CA tools.

Extensive knowledge on SIEM Tools (CA, IBM, Splunk, ArcSight, etc.)

Administered Identity and Access management (IAM), End Point protection, PKI and IT service management.

Full Software development Life cycle experience, from creation and assessments through to execution, validation, remediation. (Secure development - Security Testing - Continuous Monitoring/Protection)

Professional Experience

Office of Superintendent of Insurance Santa Fe, NM

Information Technology Officer June 2013-August 2017

Reporting to the Superintendent of Insurance, recruited to manage IT operations of the agency. Oversee all IT functions including data center management, vendor relationships, technical support, application development, financial monitoring and disaster recovery planning. Manage IT operating budget and direct activities of IT staff.

Challenged to improve productivity and reduce costs through improved uses of technology.

Managed capital budget of $1.84M and completed all documented projects on time, and within budget.

Authored plan to improve software development process, consolidate/upgrade servers and establish consistent hardware/software standards to eliminate unstable, highly mixed operating environment.

Effectively collaborated with Legal, Risk Management, and IT Cybersecurity to evaluate network systems' compliance with applicable laws and policies to perform gap and risk analysis and to update physical and electronic safeguards in response to new threats and vulnerabilities and new legal standards

Responsible for the agency security information and event management (SIEM) hands on experience with Data Loss Prevention (DLP) security controls.

Monitored Governance, Risk & Compliance (GRC) of third parties with legal, regulatory and customer-required privacy obligations.

Performed to collect security log data from operating systems, applications and other log sources, and analyzed that data for signs of compromise, attacks or other malicious activity

Cross departmental liaison educating managers and department heads in the implementation of HIPAA compliance

Reduced non-staff IT costs by 20% while maintaining key metrics through VMware virtualization, application rationalization, legacy system retirement, and SAN storage consolidation

Responsible for IAM release management and integration of IAM platforms with enterprise applications.

Responsible for developing, implementing, and managing effective methods to respond to potential data incidents

Performed vulnerability and risk assessment analysis.

Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks.

Provided an accurate technical evaluation of the software application, system, or network, documenting the security posture, capabilities, and vulnerabilities against relevant cyber security compliances.

Prepared and reviewed documentation to include System Security Plans (SSPs), Risk Assessment Reports, Plan of Action and Milestones (POA&Ms), and System Requirements Traceability Matrices (SRTMs).

Distributed Information Security Vulnerability Management (ISVM) alerts

Performed Security Assessments & Continuous Monitoring

Participated as a contributing team member of the Patch and Vulnerability Management Group (PVG) and provide assistance to O&M and system administrators

Public Regulation Commission Santa Fe, NM

Chief Information Officer March 2011-June 2013

Provide executive leadership as head of IT. Responsible for all aspects of strategic IT planning, implementation and support agency wide as an integral component of business plan. Engineered turnaround of IT’s performance and service levels. Transform IT into a strategic business partner. Mange and deliver multiple scale project on time and within budget. Responsible for budgeting, design and support of all technology.

Provided expertise to senior management and executives levels on information risk.

Ensure the proper functioning of information risk governance on the agency, obtaining senior leadership consensus on information security strategy, reporting to senior leadership the current state of the agency information security program, and balancing information security with privacy concerns for the agency

Managed agency information security policies, standards, procedures and guidelines are aligned with the agency strategy, and regularly reviewed to reflect changing threat landscapes, agency conditions, regulatory requirements, and industry best practices.

Managed agency wide IT policies.

Oversaw agency information security programs (including Identity and Access Management) and activities within the unit and across the agency to ensure effective implementation of the agency information security strategy and critical security-related functions and services.

Maintain and oversee security-related requirements for agency contractors and partners doing business with the agency. Managed large-scale security incident response efforts.

Direct Tech support, Software development, and internet and Microsoft operations for the Corporation Division. Improve service levels. Establish rapport and credibility with department heads. Reduced week-long average helpdesk backlog to 90% responsiveness within same day.

Hire and manage staff of different cultures and weave them in teams. Initiated and developed in-house training that enabled timely and cost-effective delivery of end user training

Responsible for Design, develop, operate and manage comprehensive security architectures, strategies, policies and programs to assess, prioritize, and mitigated business risk with technology controls

Responsible for corrective action plans and alleviate risk to maintain project health.

Mitigated and managed cyber security threats, ensuring systems availability, aligning with global regulatory risk and compliance requirements, managing systems and network complexity

Responsible for protecting the agency, customers and employees by mitigating and identifying technology threats.

Responsible for creating and managing cyber security strategy, programs and execution including threat management services such as vulnerability assessments, threat intelligence, analysis and response, security event monitoring and incident management, digital forensics etc.

Provide expertise for cyber security technical and non-technical solutions; review and provide guidance enabling business system delivery in a manner that adheres to information security policy

Responsible for governing network-related security controls throughout the enterprise, firewall programs, intrusion detection and prevention systems, network data leakage prevention, secure email encryption, and web content filtering

Established the strategic direction for the enterprise, and ensures cohesiveness & strategic alignment of all business line access management initiatives

Responsible for Oversight and management of standards, policies, processes and tools related to user access to information resources and management of logical access risks

Provided crypto key management support to corporation information systems by constructing and analyzing protocols that maintain information security and system availability

Responsible for managing and monitor technology, audit and regulatory risk through governance, oversight, reporting and training initiatives / programs including management of audit and regulatory findings, regulatory reviews, process and strategic risk & control self-assessment, and key risk indicator program. Work to minimize potential impact and exposure to technology threats

Responsible for developing and enforcing an integrated Technology Risk and Control Framework across the agency.

Provided technology risk advice and consultation to business partners; enable businesses to effectively manage risk within their risk appetite and meet business objectives

Facilitated communication and execution of enterprise-wide information security programs and deliver enterprise awareness training

Conducted risk assessments on business applications, third parties and infrastructure and validate that security and technology controls are implemented to support business requirements

Managed and lead a team of Technology Controls and Information Security experts in the development and management of relevant strategies, programs, tools, frameworks and policies

Provided specialized oversight, control and governance activities

Liaison across the organization and primarily interfacing with executive and functional stakeholders to minimize overall technology risks to the agency.

Responsible for Configure, optimize, and maintain current security tools to include network and server monitors as well as vulnerability scanners and intrusion detection

Responsible for reviewing firewall reports and create reports of attack methods and their risk to the agency

Created sit-rep reports for management

Taxation and Revenue Department Santa Fe, NM

IT Generalist August 2002 – March 2011

Responsible for Planning, Developing requirements with customers, requirements analysis, design, resource allocation, development, integration test and deployment of all MVD (Motor Vehicle Division ) Applications profitably.

Responsible for Central Issuance of Driver License Applications and Motor Vehicle Applications, researching, planning, estimating, designing and ensuring customer friendly application and integration of various components including Third party software tools into this solution.

Responsible for maintaining the Internet/Intranet Application, Web Servers, Disaster mitigation and recovery plans, systems security and testing new hardware and software for MVD and TRD Applications.

Responsible for Windows and Linux Administration

Directed PCI compliance assessments and remediation activities to ensure we are always in continuous compliance.

Conducted Privacy Impact Assessments (PIA) of the application’s security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII).

Reviewed authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network.

Developed security compliance processes and audits for external services SaaS, IaaS (e.g., cloud service providers, data centers).

Evaluated the effectiveness of procurement function in addressing information security requirements and supply chain risks through procurement activities and recommend improvements.

Conduct import/export reviews for acquiring systems and software.

Responsible for ensuring information systems are secure and that data maintained in these systems is protected from unauthorized access.

Oversight and review of firewalls and intrusion detection systems that reflect current state of the art in information assurance and monitors and reports on intrusion detection events.

Responsible for ensuring COTS products (hardware and software) meet current information assurance standards and that security patches released by OEMs are installed and verified.

Ensures that uniquely developed systems and software have required level of information assurance and that designs are compliant with current regulatory requirements.

Evaluated current status of potential information system threats from casual intrusion to intrusions meant to permanently or irreparably degrade system performance of protection.

Evaluated complex MVD engineering computer systems.

Helped in developing educational materials and training, creating online self-paced training courses, and provided training in person and online.

Prepared design specifications for MVD engineering computer systems.

Prepared estimates and cost analyses; coordinate organizational support activities for a project.

Interprets and analyzes processing anomalies in major complex engineering systems and take corrective action.

Performed validation of systems, including development of criteria and procedures.

Interpreted mathematical specifications and implemented computational algorithms.

Trained less experienced personnel and develops training material; reviews the work of others for conformance to established techniques procedures.

Analyzed and evaluated results of major complex MVD engineering systems.

Provided effective utilization of resources and directs the technical work of others.

Provided technical oversight of enhancements and tuning of Information Security monitoring tools to collect, integrate and correlate security events, establish operational threshold levels to establish relevant alarms and notifications, and ensure continuous functionality, availability and enhancement of the tools.

Managed integration of Information Security monitoring tools to standardize and enhance reporting.

Education

Bachelor of Engineering from Anna University 1993-1997

Professional References on Request

Contact this candidate