Ronaele Carpenter
Information Security Manager
IT Program & Project Management – Vulnerability Management – Regulatory Compliance
********@*****.*** 513-***-**** Lebanon OH PMP, PCI-ISA, PCIP, MPCS
Summary
Information Security Manager with over 20 years IT experience including: vulnerability management, PCI compliance and assessments, IT project management, application development (full SDLC), vendor and customer contract negotiation and management, IT Support, employee development, and government contracting.
Excellent analytical and troubleshooting skills and ability to manage complex projects. Self-starter who seeks win-win balance between competing priorities (security, compliance, business drivers, corporate risk tolerance, and people) yet able to make the hard decisions when necessary.
PMP, PCI-ISA, PCIP, and MPCS certified. CISSP test planned for 2019.
Work History
Convergys Corporation (now Concentrix Corporation) (2000 – 2018)
Information Security Manager – (Program and Project Management) (Jan 2016 – Dec 2018)
At CISO request, developed and successfully executed strategic security roadmap to create a mature vulnerability management program. Team was responsible for: vulnerability scanning, network and application penetration testing, phishing campaigns, vulnerability risk assessments and risk ranking, vulnerability identification, remediation tracking and reporting, employee development, training and security awareness. Also oversaw architecture and maintenance of scanning infrastructure and tools.
Managed all phases of IT security projects related to vulnerability management including: scoping, test design, vendor selection and management, team assignments, execution, analysis, documentation, stakeholder review, remediation tracking and reporting.
Used asset management and discovery tools, change management processes, and risk assessments to identify and prioritize assets and applications to be tested. Assets and applications were located in the trusted network, client networks, or in the cloud (AWS or Azure).
Maintained relationships with stakeholders and department leadership to facilitate both proactive security practices and timely remediation efforts. Assisted owners in prioritizing remediation efforts based on risk, corporate policies, and regulatory, legal and contractual requirements. Departments included infrastructure, network, server, desktop, application development, application maintenance and support, operations, change management, asset management, monitoring and client account teams. Led global cross-functional teams to achieve organizational and compliance objectives by remediating vulnerability findings in a timely manner based on negotiated prioritization.
Performed risk assessments and identified courses of action based on corporate risk tolerance. Documented compensating controls for both technical and non-technical audiences. Reported security status to CISO, CIO, and to leaders of IT departments.
Developed efficient policies, standards, processes, guidelines and templates to meet company, customer, and regulatory requirements. Sponsored semi-annual documentation reviews and process improvement discussions.
Continuously monitored sources for new priority vulnerabilities, changing trends and best practices. Communicated status and recommendations to leadership.
Met with clients to discuss security needs and expectations, to ensure customer satisfaction, and to review information during client-initiated audits. Negotiated with clients to provide alternative solutions that would better meet their needs and reduce overhead costs. Ensured compliance with customer contracts in the area of vulnerability management and regulatory compliance. Reviewed draft contracts and advised the Legal department on language and impact. Responded to RFPs and client security questionnaires.
Represented Information Security in regulatory audits, especially PCI and ISO. Short term assignment as security liaison for DHS project in 2017.
Reviewed proposals to change infrastructure or applications. Made security recommendations in line with policies, standards, and regulatory, legal and client requirements.
Managed vendor relationships to troubleshoot, review new products, optimize existing tools, or perform assessments.
Primary tools, technologies and standards: Nexpose, Qualys, Metasploit, Nmap, Kali Linux Tools, OWASP, PCI-DSS, ISO, FedRAMP, GDPR, HITRUST, HIPAA, NIST.
Cost Savings: Changes to scanning infrastructure netted $100,000 annual savings on license costs.
PCI Compliance Project Manager (2009-2015)
Successfully managed global cross-departmental PCI compliance and assessments for platforms and call centers. Directly responsible for all phases of compliance from “cradle to maturity” in a technologically and culturally diverse organization. Phases included: requirements analysis, scoping, gap analysis, system configuration and firewall reviews, risk and financial assessments, solutioning, vendor management and agreement negotiation, implementation, documentation, audit scheduling, auditor reviews, remediation, and on-going compliance efforts. Also responsible for leading reviews of firewall rulesets, logging, identity management (Active Directory), data encryption, change management, secure coding practices, and system configuration and hardening. Worked closely with a PCI-QSA to complete PCI-DSS and PA-DSS certification processes.
Reported audit and compliance status to key stakeholders and leadership (SVPs, CISO, CIO).
Proactive in establishing PCI compliance and security as “a way of doing business” before this was mandated by PCI SSC.
Member of PCI Governance Board as well as two interdepartmental process committees. The first process committee initiated the company’s PCI compliance program for application and services platforms in 2009. The second process committee expanded the program to include global call centers and workstations in 2014-2015.
Developed repository for tracking PCI DSS and PA-DSS compliance and artifacts. This reduced time and cost by continuously monitoring compliance, allowing stakeholders to quickly identify and re-use artifacts that were accepted in previous assessments, and reducing transition time for new employees. Our process and repository received frequent compliments from PCI auditors.
Procurement Analyst - Telecommunications (2007 - 2009)
Success in negotiating vendor agreements while working as a Lotus Notes developer led to this opportunity to join the Procurement team.
Responsible for negotiating telecommunications agreements for global call and data centers.
Managed mobile device and webinar program.
Cost Savings: Over $1M savings realized by restructuring these two programs. This included convincing leadership to accept and implement new products, changing how assets are managed, and negotiating/renegotiating with new and existing vendors.
Lotus Notes Developer and Administrator (2000 - 2007)
Primary responsibilities: Automation of processes through scripting and database development; web application development; administration of Lotus Notes environment.
Experienced with all stages of SDLC. Familiar with secure coding methods.
Automation efforts that I initiated resulted in reduced overhead costs and the ability to handle new business without adding headcount.
Other Relevant Experience:
IT Consulting (1999 – 2000)
Government Contracting (IT) (1995-1999)
Formal Education
Pennsylvania State University (University Park) - BA –General Arts & Sciences
Included 2 years of advanced mathematics and physical sciences
Master of Philosophy in unrelated field from Hebrew Union College