Career Objective: To acquire the position of an Information Security Consultant in an organization to provide enterprise level security of communication, credentials, information assets and to safeguard organizational and customer data from unauthorized access and misuse.
Certifications: Certified Information Systems Security Professional (CISSP) Year 2012. Currently expired.
Snapshot of Key Information Security Skills:
10+ years of hands-on experience and knowledge of enterprise information security and encryption technologies, infrastructure and implementation techniques, network security, change and project management methodologies of complex technical projects. Address critical audit findings, research, engineer, test, implement and maintain security solutions for the enterprise.
Proficient in all versions of Windows desktop and server operating systems.
Design and Implementation of Microsoft Public Key Infrastructure (ADCS) using X.509 standard, encryption technologies, identity and access management and certificate life-cycle management.
Subject matter expert in the evaluation, on-boarding and final deployment of the ArcSight Log Management/ESM product for PCI compliance.
Implementation of NDES/SCEP (for Non-AD devices) for BYOD using CISCO ISE.
Hands-on experience with CyberArk’s Security products such as Enterprise Password Vault, Privileged Identity Management/Privileged Account Security, Central Policy Manager, Password Vault Web Access, Application Identity Management including design, installation and implementation of high-availability and automatic failover.
Practical experience working with common information security standards and frameworks such as NIST, ISO/IEC 27001 and regulations such as PCI DSS, SOX, COBIT and GLBA.
Experience with security risk Identification and assessment, mitigation and remediation activities.
Experience with implementation and support of Luna SA Network HSMs for private key protection.
Installation and configuration of Thales nShield netHSM 7000, security world, RFS/RAS.
Work Experience with Other Information Security Technologies:
Venafi Encryption Director. Practical experience in setting up Venafi policy containers, granting permission, initializing Certificate Authority and CSR base information, certificate expiration notification process and downloading/installing certificates.
Installation and Administration of SIEM solution ArcSight Logger and Connector Appliance.
Multi-Factor Authentication using smartcard tokens as well as YubiKey.
McAfee Enterprise Policy Orchestrator, Anti-Virus, Anti-Malware, set up of OnAccess and OnDemand scans.
PCI DSS and SOX compliance – generated quarterly and yearly Assessments and Audit Reviews.
Work Summary:
Senior PKI Engineer – Bank of America – Addison, Texas – October 2013 to Present
PKI (Public Key Infrastructure) Experience at Bank of America:
CA Hierarchy Migration from SHA-1 to SHA-2: Participated in and supported the bank-wide project to migrate the PKI environment from SHA-1 to SHA-2, which involved the generation of a new Certificate Authority Hierarchy with Root, Intermediate and Issuing CAs, Key Ceremonies to protect CA private keys in Hardware Security Modules, generation of certificate validation chains, Web-Enrollment servers, and design of certificate templates. Participated in the planning and design of the migration plan in staggered batches by geographical area and certificate type.
CRL Publishing/CDP Design: Played a significant role in the planning and design of the CRL Publishing schedule. Implementation of CRL Distribution Points (both LDAP and HTTP), the set-up of the Task Scheduler jobs to run scripts to generate the Base and Delta CRLs, transfer them via SSH and publish them to internal as well as DMZ servers for internet-facing websites.
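The scheduled publishing job described above, as an added illustration and not a script from the resume or the bank: it refreshes a base or delta CRL on an ADCS issuing CA with certutil, refuses to push a CRL that was not rewritten or is already past NextUpdate, copies it over SSH to the HTTP CDP hosts with an atomic rename so a client never fetches a half-written file, and then verifies that each CDP serves exactly the bytes the CA produced. The CA name, CDP host names, SSH account and key, and remote directory are placeholders.

```powershell
<#
  Added example (not from the resume). Run from Task Scheduler on the issuing CA as an
  account holding the "Manage CA" permission, e.g. weekly with -Mode Base, daily with -Mode Delta.
  Assumed, illustrative values: CA name, CDP hosts, SSH user/key, remote docroot.
#>
param(
    [ValidateSet('Base', 'Delta')]
    [string]$Mode = 'Base'
)
$ErrorActionPreference = 'Stop'

$CaName     = 'Contoso Issuing CA 01'                              # assumed CA common name
$CertEnroll = "$env:SystemRoot\System32\CertSrv\CertEnroll"        # default ADCS CRL output folder
$CdpHosts   = @('cdp.corp.contoso.local', 'cdp.contoso.com')       # assumed internal and DMZ CDP servers
$SshUser    = 'crlpub'                                             # assumed account allowed to write only the CRL directory
$SshKey     = 'C:\PKI\keys\crlpub_ed25519'                         # assumed key dedicated to this job
$RemoteDir  = '/var/www/pki'                                       # assumed docroot behind http://<host>/pki/

# ADCS names the delta CRL "<CA name>+.crl"; the base CRL is "<CA name>.crl".
$CrlFile = if ($Mode -eq 'Delta') { "$CaName+.crl" } else { "$CaName.crl" }
$Local   = Join-Path $CertEnroll $CrlFile

# 1. Publish. "certutil -CRL" writes a new base CRL (plus a delta if delta CRLs are enabled)
#    and pushes to any LDAP CDP the CA is configured for; "certutil -CRL delta" refreshes only the delta.
$certutilArgs = if ($Mode -eq 'Delta') { @('-CRL', 'delta') } else { @('-CRL') }
& certutil.exe @certutilArgs | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }

# 2. Never push a stale or expired CRL: the file must have been rewritten just now,
#    and its NextUpdate (read from certutil -dump) must still be in the future.
$item = Get-Item -LiteralPath $Local
if ($item.LastWriteTime -lt (Get-Date).AddMinutes(-5)) { throw "$CrlFile was not refreshed by certutil" }
$match = & certutil.exe -dump $Local | Select-String -Pattern 'NextUpdate:\s*(.+)$' | Select-Object -First 1
if (-not $match) { throw "could not read NextUpdate from $CrlFile" }
$nextUpdate = [datetime]::Parse($match.Matches[0].Groups[1].Value.Trim())
if ($nextUpdate -le (Get-Date)) { throw "$CrlFile is already expired (NextUpdate $nextUpdate)" }

# 3. Copy to each CDP host over SSH. Upload under a temporary name, then rename into place on the
#    remote side so relying parties never download a partially written CRL. BatchMode stops the
#    scheduled job from hanging on a password or host-key prompt.
$sshOpts = @('-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=yes', '-i', $SshKey)
foreach ($h in $CdpHosts) {
    $tmp = "$RemoteDir/.$CrlFile.tmp"
    & scp.exe @sshOpts $Local "$SshUser@${h}:'$tmp'"          # quotes survive to the remote shell (names contain spaces)
    if ($LASTEXITCODE -ne 0) { throw "scp to $h failed" }
    & ssh.exe @sshOpts "$SshUser@$h" "mv -f '$tmp' '$RemoteDir/$CrlFile'"
    if ($LASTEXITCODE -ne 0) { throw "rename on $h failed" }
}

# 4. Verify what a relying party sees: fetch over HTTP from each CDP and compare SHA-256 with the local file.
$localHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $Local).Hash
foreach ($h in $CdpHosts) {
    $url  = "http://$h/pki/" + [uri]::EscapeDataString($CrlFile)
    $down = Join-Path $env:TEMP ("cdpcheck-" + [guid]::NewGuid() + ".crl")
    Invoke-WebRequest -Uri $url -UseBasicParsing -OutFile $down
    $served = (Get-FileHash -Algorithm SHA256 -LiteralPath $down).Hash
    Remove-Item -LiteralPath $down
    if ($served -ne $localHash) { throw "CDP $h is serving a different $CrlFile" }
    Write-Output "$Mode CRL for '$CaName' published to $h (NextUpdate $nextUpdate)"
}
```

The check in step 2 is the one that matters operationally: a Task Scheduler job that silently copies yesterday's CRL keeps the CDP "up", but clients start failing revocation checks the moment NextUpdate passes, so the job should fail loudly rather than republish a stale file.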
PKITools Internal Portal: Supported an internal PKITools website which made use of the CA database to display current CA status, statistics regarding the number of certificates of each certificate type by day/month/year, and enabled generation of ad hoc reports, approval of certain types of certificate requests, submission of client code for code-signing and generation of OTPs.
Certificates.com website: Maintained the bank’s certificates.com internet site with up-to-date information and FAQs regarding certificates and PKI in general: information regarding certificates offered, how to request, obtain approval for, download and install certificates, CRLs, certificate validation chains, VPN, Email Signing and Encryption certificates, and how to submit code for signing.
Monitored the overall Security Infrastructure for PCI and GLBA regulations, policies and metrics for access controls, file encryption and security of data at rest and in motion, NPI and PII, application security, password management, end-point security products such as anti-virus, as well as SIEM and log management.
NDES Role Service/SCEP Protocol Experience: Worked extensively with NDES Role Service of Microsoft Windows Server 2008. Using the IPSec protocol, implemented 3 different NDES environments at the bank. A BYOD MDM solution (AssociateNet) for bank employees using their personal devices at the bank and a separate environment for guests/visitors (GuestNet) on CISCO ISE platform. Deployed a separate NDES/SCEP environment (RetailNet) to provide bank network access to bank owned iPads used by bank branch retail associates. Implemented a 3rd NDES environment (RetailNetVPN) to provide bank network access via VPN to Bank associates traveling to campuses, libraries, conferences etc. to sign up prospective customers for bank services.
Other areas of PKI experience: Protection of private keys, physical and logical key management, dual control, least-privilege access, separation of duties, private keys stored on smartcard tokens, SafePass YubiKey to generate OTPs, VPN, S/MIME, Code-Signing, certificate template design and permissions, SSO, SAN, self-signed and wild-card certificates, Business Continuity, Load Balancing. Have also extensively used PKI utilities such as PKIview.msc, Certutil.exe, Certreq.exe, Certsrv.msc, Certtmpl.msc, Certmgr.msc and CaMonitor.vbs.
Hardware Security Module Experience at Bank of America:
Safenet/Gemalto Luna EFT (Payment) Hardware Security Modules: Primary Engineer (SME) responsible for installing, configuring and supporting all aspects of Safenet/Gemalto Payment (EFT, Electronic Funds Transfer) HSMs used by the bank’s Online Banking application to generate PIN codes.
Safenet/Gemalto Luna SA (Network Attached HSM) Hardware Security Modules: Worked with Luna SA (Network HSM) 5.4 appliance software and 6.10 firmware for protection of CA private keys in hardware. Activities included HSM initialization, network connectivity, setting up HSM policies and capabilities, certificate generation and bind, setting up the NTLS link, initialization of M of N PED key roles, creating partitions, assigning partitions to clients, helping clients install and configure Luna Client software, registering and exchanging certificates between the HSM and client, creating HA (High Availability) groups, adding members to HA groups, initialization of the Remote PED vector for PED-authenticated remote administration, and backup and restore of partitions.
Thales nCipher nShield 6000 Connect Hardware Security Modules: Participated in the implementation of Thales nShield Connect HSMs for the protection of Bank of America internal Code Signing Certificate. Activities included were the installation of the Security World software in a Windows environment, client configuration, RFS/RAS setup and configuration of the Remote Administration push.
Radware AppXcel/Alteon Web Malware Scanning devices: Supported the PKI Engineering tasks in the Web Malware and SSL Encrypted Traffic Inspection project.
Systems Engineer II - JCPenney Company – Plano, Texas - 2006 to September 2013
CyberArk Enterprise Password Vault – Privileged Identity Management/Privileged Account Security – Application Identity Management (AIM) Experience at JCPenney Company:
Involved extensively with CyberArk’s Password Vault product as the Primary SME right from product evaluation to vendor selection and purchase to final deployment. Assisted CyberArk’s Professional Services personnel with installation and configuration of the EPV components (Central Policy Manager, Password Vault Web Access, Application Identity Management (AIM), PrivateArk Web Client Interface, High Availability Vault Cluster, Secure Zone Access, SAN storage, SSL certificates, Load Balancing, Disaster Recovery stand-by site, setup of backup, replication and log reporting to the SIEM solution (QRadar).
Performed in the role of team lead in the creation of use cases, project time-lines and infrastructure high-level design diagrams. Created acceptance testing plans for vault admin and user functions. Implemented secure storage and retrieval of shared passwords, one-time passwords, exclusive, linked and dual-control passwords. Set up Password Management policies, AD Global groups, LDAP integration for user authentication, Directory Mapping, Disaster Recovery, audit reporting, Password Vault logging, email notifications, SNMP monitoring and daily scheduled tasks to automate Vault Activity reports.
Presented a demo and conducted on-going end-user training on how to use the Password Vault to retrieve administrator as well as application and database passwords.
Developed in-house documentation detailing the entire CyberArk Password Management project.
Prepared the Business Continuity Plan for Password Vault (using LDRPS - Living Disaster Recovery Planning System) detailing automatic failover to the stand-by Disaster Recovery site and subsequent failback to the Production site.
Team Leader in the implementation of CyberArk’s AIM (Application Identity Management) product. Implemented AIM Agents on Windows and AIX servers for applications running on IBM’s WebSphere Application Server.
Conducted Password Vault PCI DSS/SOX compliance quarterly and annual reviews and assessments.
PKI (Public Key Infrastructure) Experience at JCPenney Company:
Actively participated in installing and implementing JCPenney’s Internal PKI, comprising the installation and configuration of a 3-tier Internal Certificate Authority.
Researched and documented the PKI health and technology gap analysis review for the existing (external) PKI environment to be replaced.
Participated in the development of the Certificate Policy and Certificate Practice Statement.
Worked with the vendor Thales e-Security to install and configure Thales .netHSM (PCI card HSM) to protect the new Root CA’s private key; contributed in designing and creating the root CA private key split, security world, and the administrator and operator card sets.
Scaled the PKI system by automating the enrollment of non-Active Directory devices, such as iPads, iPhones, and other smart devices that are SCEP (Simple Certificate Enrollment Protocol) compliant by installing NDES role service of ADCS on W2K8 server using Symantec Mobile Management system.
Performed as team leader and developed roll-out plans in an enterprise-wide effort that replaced the company wireless network from user-based authentication to certificate-based authentication.
Presented a training program and provided documentation for Level 1 Problem Resolution groups regarding the process of troubleshooting the new certificate-based wireless network.
Researched and assessed PKI Management, Certificate Life Cycle and Reporting tools such as FIM CM and CLM.
Conducted quarterly and annual PCI evaluations of the PKI system for PCI DSS requirements 2, 3, 5, 6, 8, and 10.
ArcSight SIEM Solution – Logger, Connector Appliance, ESM Experience at JCPenney Co.
Performed as SME with the SIEM product ArcSight Log Management for all phases of the project from product purchase to production deployment.
Conducted proof of concept to install and test ArcSight in lower environment.
Worked with the vendor Professional services to assist in the infrastructure design.
Organized meetings with all IT groups and facilitated the identification and collection of company log data in scope for PCI Requirement 10.
Planned and coordinated the installation of SmartConnectors on Windows as well as Linux servers.
Managed and administered the Connector dashboard as well as the Logger Admin Interface.
Worked with ArcSight ESM product to set up ESM reports to collect, analyze and correlate events in real time to resolve issues faster.
Developed custom FlexConnectors for several in-house applications.
Technical Skill Sets:
Operating System Platforms: Windows 7, Windows 10, Red Hat Linux 6.8 (light).
Server Software: Windows Server 2008, Windows Server 2012, MS IIS.
Protocols/Security: HTTP, HTTPS, TCP/IP, VPN, RDP, PCI, FTP, SMTP, DNS.
Data Sources: ODBC, SQL, ADO.Net, MS SQL Server, DB2.
Software: Visual Studio, Visual SourceSafe, Active Directory, PuTTY, PSCP, WinSCP, Avocent/DSView KVM Solution, Snagit, RSAT, mRemoteNG, KeePass, Nexus, MMC, Skype for Business, Cisco Meetings, QuickBase, Hummingbird Connectivity.
Programming Tools: VB .Net, ASP.Net, XML, ActiveX, HTML, DHTML, CSS, JavaScript, VBScript, Windows Script Host.
Microsoft Tools: Proficient in Microsoft Word, Excel, PowerPoint, Access, Project, Visio, Communicator.
Methodologies: ITIL Change Management principles, Remedy ITSM, Change Management, Incident Management, Problem Management, CAB and RFC process, IBM Maximo Asset Management Solution, Systems Development Life Cycle (SDLC) and Configuration Management (CM).
Organizational and Interpersonal Skills:
Familiar with working in and delivering large enterprise level security solutions.
Self-starter with strong planning, organizational, technical, and analysis and documentation skills.
Excellent oral and written communication and interpersonal skills.
Able to manage multiple projects simultaneously, seek best practices, adapt easily to changing and new technology; follow through to successful completion.
Accept personal accountability for quality and timeliness of work.
High level of personal and professional integrity and maturity to handle confidential matters.
Set a good example as a consistent role model, maintain positive working relationship with team members and clients.
Professional Affiliations:
Information Systems Security Association (ISSA), International Information Systems Security Certification Consortium (ISC2), SecureWorldExpo, SANS, Windows Security, SecureWorld Digital, Enterprise IT Security Bulletin.
Education:
Cyberark Password Vault Administration - Vendor training - 2012.
Electronic Data Systems – Systems Engineer Development program (3-month curriculum) - Dallas Texas – October 1982 to April 1983.
Cerritos Community College – Norwalk, California
Graduated in June 1982 with an A.A. degree in Computer Science.
Graduated in June 1981 with a diploma as a Business Programmer Analyst.