John Munyasya, CISA, PMP
***** ******** *****, **********, ** 20874 202-***-**** **********@*****.***
Manager of Information Security Assessment, Audit and Compliance
PROFESSIONAL SKILLS:
• Managing Information Assurance Services, including providing advice on Cybersecurity and privacy policy;
Performing information systems security assessments for compliance with the Federal Information Security
Management Act (FISMA), Federal Managers Financial Integrity Act (FMFIA), Health Insurance
Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX) as well as the Food, Drug, and
Cosmetic Act (FDCA).
• Managing and conducting Information System Security Risk Assessments (ISRA) using the National Institute of
Standards and Technology Special Publication 800-37 (NIST SP 800-37) Risk Management Framework guide and other
standards.
• Managing Independent Verification & Validation (IV&V) engagements, including supervising
testers/engineers responsible for software testing and documentation review throughout the entire System
Software Development Life Cycle (SDLC); Creating task descriptions for the IV&V review activities;
Creating and presenting IV&V deliverables (weekly status reports, IV&V findings report, etc.) and
managing client relationships.
• Managing, authoring, editing, and updating Security Assessment and Authorization (SA&A) packages,
including the Information Systems Security Risk Assessment (ISRA) report; System Security Plan (SSP);
Privacy Impact Assessment (PIA); Contingency Plan (CP); Contingency Plan Tabletop Test Plan (TTP);
Security Assessment Plan (SAP); Security Assessment Report (SAR); Plan of Action and Milestones
(POA&M) report; and Security Monitoring Reports.
• Managing and performing Security and Privacy Controls Assessments using National Institute of Standards
and Technology (NIST) Special Publication (SP) 800-82 (NIST SP 800-82) on Industrial Control Systems to
support the Office of the Chief Information Officer (OCIO) in complying with the requirements of FISMA, FMFIA
and the Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for
Internal Control over financial reporting.
• Managing and performing Security and Privacy Controls Assessments as part of the federal systems SA&A
process using NIST SP 800-53 to support the OCIO in complying with the requirements of FISMA and OMB
Circular A-130 on Security of Federal Automated Information Resources.
• Advising Business Information System Owners, System Developers and Program Managers on the integration
of information security and privacy safeguards into the Systems Development / Deployment Life Cycle (SDLC)
process from inception, to maximize Return on Investment (ROI) in Information Security and Privacy
Programs.
• Managing and performing annual independent audits of agencies’ Information Security and Privacy
Programs using NIST SP 800-53 to support the Office of Inspector General (OIG) in complying with the
requirements of FISMA, FMFIA and the Office of Management and Budget (OMB) Circular A-123,
Management’s Responsibility for Internal Control over financial reporting.
• Providing Information Technology (IT) Governance, Risk and Compliance advisory services to IT leaders in Federal,
State and private organizations.
• Managing and conducting Security and Privacy Audits and Investigations for compliance with HIPAA
Privacy and Security Rule Safeguards using NIST SP 800-66, An Introductory Resource Guide for Implementing
the HIPAA Security Rule.
• Managing and performing Information Systems Control Audits, as part of the Chief Financial Officer’s (CFO)
independent annual integrated Financial Audits of agencies’ and contractors’ Financial Information Systems,
using the Government Accountability Office (GAO) Federal Information System Controls Audit Manual
(FISCAM).
• Managing and conducting Compliance audits and inspections for compliance with the Food, Drug, and Cosmetic
Act (FDCA).
• Managing and performing IT General and Application Controls Audits for compliance with SOX.
• Understanding of Federal Government contract administration and management of contract teams.
• Familiar with Information Security and Privacy programs, standards and regulations including NIST SP
800-53, NIST SP 800-82, NIST SP 800-37, ITIL, ISO 27001/27002, FedRAMP, NERC CIP, COBIT, COSO,
IIA, GMP, Privacy Act, E-Government Act, HIPAA Security and Privacy Rules, ISACA Standards, SOX,
and FISMA.
PROFESSIONAL EXPERIENCE:
Consultant
Sept 2009 to Present
Manager of Information Security Assessment, Audit and Compliance
Health and Human Services Centers for Medicare and Medicaid / JANUS Associates, Inc. Project
7000 Security Boulevard Suite 334, Baltimore, MD 21244
• Manages Information Security and Privacy Controls Assessment and Information Technology Audit
engagements for compliance with regulatory requirements, and security and privacy standards, including
FISMA, HIPAA, SOX, GLBA, COBIT, PCI DSS and the NIST SP 800 Series.
• Reviews Information Technology Auditors’ and Information Security and Privacy Control Assessors’
workpapers and provides coaching/mentoring as needed.
• Oversees the review of federal agency clients’ SA&A system packages, including the ISRA report, SSP, PIA
report, CP, TTP and POA&M report.
• Manages and conducts Security Controls Assessments (SCA) of applications and supporting infrastructure (networks, databases, operating
systems, security systems, tools, etc.) to determine the effectiveness of the security and privacy controls
implemented in federal agencies’ information systems to protect critical data.
• Advises federal agency Business Owners and Information System Security Officers (ISSO) on a wide
range of compliance challenges, such as dealing with security and privacy issues related to the use of
sensitive production data in development and testing environments, to help them remediate findings and meet
FISMA compliance requirements.
• Manages and conducts IT Governance, Risk and Compliance (GRC) assessments and provides advisory
services to Federal, State and Private IT Governance leaders to help them effectively and efficiently align IT
objectives with business objectives, create business value and achieve a good return on IT investment (ROI).
• Manages and creates security and privacy policies, procedures and standards for federal and state clients.
• Assists Business Development teams responsible for writing and presenting project proposals to prospective
clients with writing the technical proposals.
Health and Human Services Centers for Medicare and Medicaid / Computer Sciences Corporation (CSC) Project
7142 Ambassador Road, Baltimore, MD 21244
• Managed Centers for Medicare and Medicaid (CMS) information systems SA&A process, including
supporting a customer facing team of Business Analysts and System Developers/Maintainers to ensure that
Cybersecurity and privacy controls implemented in federal information systems complied with FISMA
based on NIST SP 800-53, NIST SP 800-82 and NIST SP 800-37.
• Conducted ISRA of CMS systems for compliance with FISMA based on FIPS PUB 199 Security
Categorization Standard, NIST SP 800-30 Risk Assessments Guide and NIST SP 800-37 Risk Management
Framework guide.
• Participated in third-party SCA of CMS systems and oversaw the development and implementation of
Corrective Action Plans (CAP) for the resulting findings to ensure compliance with FISMA based on the CMS
Acceptable Risk Safeguards / Minimum Security and Privacy Requirements, NIST SP 800-53A and other
relevant NIST SP 800 series standards.
• Created and maintained SA&A security and privacy package artifacts, including ISRA report, SSP, CP, TTP,
SAP, SAR, and POA&M report for supported CMS systems based on NIST SP 800-37.
• Assisted Business Owners in obtaining/maintaining system Authorizations to Operate (ATO) in compliance with
FISMA.
• Supported CMS security and privacy related activities including maintaining security and privacy
compliance artifacts in CMS FISMA Controls Tracking System (CFACTS) tool, as well as attending
conferences, discussion groups and ATO briefings for assigned CMS systems.
• Performed continuous monitoring activities to assist in maintaining the assigned CMS systems ATO.
• Managed and performed IV&V reviews, including technical review of project planning software documents
for all SDLC phases based on established standards; supervising and reviewing testers’ workpapers;
managing the assessment schedule; creating and presenting the IV&V deliverables; and managing client
relationships.
• Supported delivery of systems to healthcare information users through employment of testing and
documentation practices consistent with internal governance and regulatory requirements related to security,
privacy, integrity, and confidentiality of healthcare data.
• Reviewed, analyzed and evaluated system changes as part of the release process to maximize systems
reliability.
Health and Human Services Office for Civil Rights / Computer Sciences Corporation (CSC) Project
7142 Ambassador Road, Baltimore, MD 21244
• Managed the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) national
Cybersecurity and privacy incident investigations and compliance reviews program for compliance with the
HIPAA Privacy, Security and Breach Notification Rules, including tracking the incidents in the OCR Program
Information Management System (PIMS) and reporting on the status of the incident investigations/reviews
and their resolution on a weekly basis.
• Managed a team of HIPAA Privacy and Security Rules Subject Matter Experts (SMEs), assigned breach
incident cases to the SMEs for review and reviewed their workpapers.
• Advised OCR management and covered entities (health plans, health care clearinghouses and health care
providers) on Cybersecurity and Privacy standards and best practices for implementation of safeguards to
protect Electronic Protected Health Information (ePHI) to reduce Cybersecurity and privacy risks.
• Conducted compliance reviews, investigations, analysis, evaluations and studies of Cybersecurity and
privacy breach incidents reported by covered entities across the country, covering administrative, technical and
physical safeguards, including risk analysis, risk management, access management, training, encryption,
contingency planning, incident response and reporting, policies and procedures as well as workstation,
network, personnel, and physical security and privacy.
• Developed recommendations to assist covered entities in improving their Cybersecurity and privacy program
implementation and operations plans, based on analytical research and evaluation of current Cybersecurity
and privacy threat intelligence.
• Supported the OCR HIPAA Privacy and Security Rule compliance and enforcement program’s efforts in
monitoring the Resolution Agreements (RA) and Corrective Action Plans (CAP) issued to covered
entities, to ensure that the agreed Cybersecurity and privacy safeguards were sufficiently implemented to protect
Electronic Protected Health Information (ePHI).
• Developed resource materials for dissemination to the public and OCR regional offices to provide guidance
on HIPAA Privacy and Security Rule compliance.
• Participated in OCR-approved HIPAA conferences and Health Information Privacy (HIP) national calls, on
invitation, to keep abreast of current developments and key milestones in the HIPAA compliance and
enforcement landscape.
Health and Human Services Centers for Medicare and Medicaid / Ernst and Young LLP Project
8484 Westpark Drive, McLean, VA 22102
• Managed and performed FISCAM-based Information Systems IT General and Application Controls
Audits of the CMS Central Office, CMS Claims Processing Contractors, Enterprise Data Centers,
Medicare Shared Systems Software Development Contractors and the Medicare Systems Quality
Assurance/Testing Contractor.
• Evaluated Medicare processing applications, operating systems and network documentation to identify
security and privacy weaknesses in the mainframe environment (z/OS, DB2, RACF, etc.), Windows Operating
System, Oracle database, UNIX Operating Systems and network devices (routers, firewalls, etc.).
• Performed walkthroughs and conducted independent testing of the operating effectiveness of IT process
controls, including testing of Security and Privacy Management, Access Management, Configuration
Change Management, Segregation of Duties, Contingency Planning, Application Security and Privacy,
Business Process, Interface and Database Management Systems Controls, to determine the level of
protection of CMS claims processing systems and information hosted at the CMS Enterprise Data Centers
(EDC).
• Assisted in information systems Cybersecurity and Privacy Assessment and Authorization activities,
including performing Cybersecurity and Privacy Risk Assessments for compliance with FISMA, HIPAA,
and the OMB Circular A-123 directive.
• Reviewed SSP, DRP, BCP, BIA, PIA, ATO, POA&M reports, Security and Privacy Policies and Standard
Operating Procedures (SOP) for compliance with FISMA, HIPAA, and the OMB Circular A-123 directive.
• Documented and presented IT Audit results and findings with recommendations to CMS management and
CMS contractors for remediation, to improve the Cybersecurity and privacy posture of the agency and its
contractors.
• Managed and participated in the assessment of the CMS Information Security and Privacy Program for
compliance with FISMA, through inquiries, observations and testing of selected security and privacy
controls supporting major CMS applications and general support systems.
United States Postal Services / PricewaterhouseCoopers Project
475 L’Enfant Plaza SW, Washington, DC 20590
• Managed and performed IT General and Application Controls audits of USPS IT systems, including SAP
and Oracle Enterprise Resource Planning applications; UNIX, Mainframe (z/OS), OpenVMS
and Windows Operating Systems; DB2 and Integrated Database Management
System (IDMS) databases; and Resource Access Control Facility (RACF) and Active Directory security
systems, for compliance with FISMA.
• Provided advisory services on the design and effectiveness of IT controls across Cybersecurity and Privacy
Management, Access Management, Configuration Change Management, Segregation of Duties, Computer
Operations (Data Center, Job Scheduling, Backup, etc.) and Application controls.
• Reviewed systems and network documentation to identify security and privacy weaknesses in the mainframe
environment (z/OS, DB2, and RACF), Windows operating system, Oracle database, UNIX operating
systems and network devices (routers and firewalls).
• Planned, supervised and conducted Enterprise Data Center systems (networks, mainframe environment,
client/server, etc.) Cybersecurity and privacy reviews through interviewing Subject Matter Experts,
conducting walkthroughs, and performing physical inspections of configuration settings to determine
compliance with USPS and federal regulatory requirements.
• Documented and presented IT controls testing results and findings in written reports, with recommendations
to USPS management for remediation to improve their Cybersecurity and privacy program.
Navy Federal Credit Union Project
820 Follin Lane SE, Vienna, VA 22180
• Supervised three internal Information Technology Auditors and provided advice and guidance to senior IT
management on the creation and maintenance of an adequate IT security and privacy program for compliance with
the Federal Credit Union Act, National Credit Union Administration (NCUA) requirements, FISMA, the
Gramm-Leach-Bliley Act (GLBA) and other relevant federal laws.
• Supervised and performed Navy Federal Credit Union (NFCU) IT infrastructure security and privacy audits
over DB2, UNIX, LINUX, Local Area Networks (LAN), Novell Identity and Access Management System,
and Windows systems.
• Performed the annual compliance audit of NFCU’s Automated Teller Machine (ATM) and Point of Sale
(POS) Personal Identification Number (PIN) Security and Encryption Key Management technology
infrastructure and assisted the credit union in filing its annual compliance report in accordance with VISA
requirements.
• Assisted in inventorying NFCU information systems, determining critical business unit processes,
identifying acceptable recovery time periods and establishing the resources required for successful resumption of
business operations in the event of a disaster, performing the BIA, and preparing the CP for critical NFCU
business information systems.
• Participated in the annual IT risk assessment and assisted in the preparation of NFCU’s risk-based IT audit plan.
Johnson Controls Incorporated
July 2008 to July 2009
5757 North Green Bay Avenue, Milwaukee, WI 53201
Lead Information Technology Auditor
• Supervised and conducted risk assessments and created audit programs to address identified risk areas.
• Supervised and performed regulatory compliance audits for compliance with industry regulations and best
practices including SOX and Good Manufacturing Practices (GMP).
• Conducted IT Audit opening, status and exit meetings with all levels of IT leadership including Executive
Vice Presidents to communicate identified IT risks and control deficiencies and negotiated remediation
action plans for agreed recommendations to comply with relevant laws.
• Supervised and performed IT General Controls (ITGC) and Application Controls (ITAC) Audits over
complex business financial applications and supporting database management systems, operating systems
and Local Area Network (LAN) IT infrastructure for compliance with Johnson Controls’ Information
Security and Privacy Policy and Sarbanes-Oxley (SOX) Act.
• Supervised and performed IT Security and Privacy Controls Audits of UNIX Operating Systems, Windows
Operating Systems, Oracle Applications and Database Systems, SAP Enterprise Resource Planning
Application, QAD Enterprise Applications (MFG/PRO), Progress Databases and AS/400 Applications.
• Participated in System Development Life Cycle (SDLC) based information systems development testing
and evaluation (Security and Privacy Controls Assessment) projects to verify and validate that the required
security and privacy controls were correctly designed and implemented, consistent with the established
information security and privacy architecture and the required security and privacy controls.
• Performed and supervised data center audits, Business Continuity/ Disaster Recovery Plans (BCP/DRP)
audits.
• Performed aging analysis of accounts receivable and accounts payable transactions; tested for duplicate
amounts within accounts receivable and payable transactions; and tested for gaps in invoice numbers using
the Audit Command Language (ACL) Computer Assisted Audit Techniques (CAAT) tool to support financial audits.
• Performed follow-up reviews to ensure that the agreed-upon findings remediation action plans, once implemented,
were in full compliance with relevant laws.
• Assisted with the internal audit department’s annual IT risk rating and preparation of the risk-based IT Audit plan.
KPMG LLP
January 2007 to February 2008
303 East Wacker Drive, Chicago, IL 60601
Senior Information Technology Auditor
• Supervised and conducted risk assessments for Fortune 100 companies involved in pharmaceutical,
chemical, food, energy, telecommunication, and household appliance quality systems, solutions,
applications and equipment manufacturing, and created audit programs to address identified risk areas.
• Supervised and performed regulatory compliance audits for Fortune 100 companies involved in
pharmaceutical, chemical, food, energy, telecommunication, and household appliance quality systems,
solutions, applications and equipment manufacturing, for compliance with industry regulations and best
practices including SOX, GLBA, FDCA and Good Manufacturing Practices (GMP).
• Served as a Subject Matter Expert and provided advice to management leadership regarding risks and
compliance issues, and presented audit findings with actionable recommendations to leadership for
remediation, to mitigate the associated risks and meet regulatory requirements and industry best practices.
• Planned and executed IT Audit activities on assigned engagement projects, including supervising teams of
two to six specialized IT and Security and Privacy Auditors working on multiple engagement projects
simultaneously; reviewing work papers; and conducting IT Audit opening, status and exit meetings.
• Performed and supervised IT General Controls (ITGC) and Application Controls (ITAC) audits over Oracle
Applications and Databases, SAP Enterprise Resource Planning applications, AS/400 Business Planning and
Control Systems, ROSS Enterprise Resource Planning applications and SyteLine Enterprise Resource
Planning applications for compliance with laws including the Sarbanes-Oxley (SOX) Act and the Gramm-Leach-
Bliley Act (GLBA).
• Performed IT Security and Privacy Controls Assessments over operating systems and networks against
company IT security and privacy policies and industry standards, including NIST SP 800-53 Security and
Privacy Controls and the Payment Card Industry Data Security Standard (PCI DSS).
• Performed IV&V assessments, including technical review of project planning documents, and system
operations and maintenance procedures/processes based on established standards; and creating IV&V
deliverables.
• Reviewed systems and network documentation to identify security and privacy weaknesses in the mainframe
environment (z/OS, DB2, and RACF), Windows operating system, Oracle database, UNIX operating
systems and network devices (routers and firewalls).
• Performed and supervised Statement on Auditing Standards No. 70 (SAS 70) audits, which are now
known as Statement on Standards for Attestation Engagements No. 16 Service Organization Controls
(SSAE 16 SOC 1, 2 and 3) audits.
• Performed and supervised data center audits, Contingency Plans audits and System Development Life Cycle
(SDLC) projects pre and post implementation reviews.
• Supervised and performed Automated Teller Machine (ATM) and Point of Sale (POS) Personal
Identification Number (PIN) Security and Encryption Key Management Reviews.
• Performed aging analysis of accounts receivable and accounts payable transactions; tested for duplicate
amounts within accounts receivable and payable transactions; and tested for gaps in invoice numbers using
the Audit Command Language (ACL) Computer Assisted Audit Techniques (CAAT) tool.
• Prepared and presented the final IT Audit report to executive management and the board of directors to
communicate identified IT risks and control deficiencies.
• Performed and supervised IT risk assessments, including providing advice and sharing IT internal controls
knowledge with IT Management leadership and staff to strengthen IT risk, IT controls, IT governance and
regulatory compliance.
Mutual of Omaha
June 2004 to November 2005
3301 Dodge Street, Omaha, NE 68131
Auditor
• Planned, supervised and tested SOX IT General Controls and Technical Infrastructure audits of AS/400
BPCS, UNIX, Windows, DB2, Oracle and network infrastructure systems.
• Planned and performed IT Computer Operations audits including testing of controls around distributed
computing environments, communication, network connectivity, business continuity management, disaster
recovery plans, data centers, system job scheduling, business financial application incident management
procedures, data backups and restoration, and preparation of supporting audit work papers.
• Communicated deficient IT controls to management with recommendations for remediation.
• Performed follow-up reviews to confirm that the remediation action plans executed for deficient controls were
appropriate.
EDUCATION:
• University of Nebraska, Omaha, NE January 2005 to December 2006
MSC in Management Information Systems, GPA 3.596
CERTIFICATIONS:
• Certified Information Systems Auditor (CISA)
• Project Management Professional (PMP)
SECURITY CLEARANCE:
• Public Trust Level 6 (SF 85P) Sponsored by Department of Health and Human Services (DHHS)
CITIZENSHIP:
• United States