Security Management
Resume:
** ****** **** ****: 508-***-****
Milford Massachusetts 01757 Mobile: 508-***-****
Email acdvle@r.postjobfree.com
Terrill J. Smith CISSP, CRISC, CCP, CISM
Objective May, 2014 Positions using my experience in regulatory
compliance, Information security technology and
business methods.
Terrill Smith, CISSP, CRISC, CCP, CISM has
over 25 years’ experience managing major
strategic IT programs of large and small,
government, commercial and non-profit
organizations. He has managed small
departments and very large global departments,
has provided global thought leadership,
professional development seminars, and
strategic planning results. Terrill has hands-on
technical experience with all major IT disciplines:
networking, data-storage, virtual systems (SaaS,
PaaS and IaaS), data-center design, and
automation frameworks, Governance, Risk-
Management and Compliance (GRC). He has
implemented compliance programs addressing
regulations such as FDA, HHS, DoD, IRS, FCC,
and is an expert with detail hands-on experience
in all forms of security.
Terrill has successfully completed numerous risk
assessment, forensic, and strategic planning
projects. These range from assessing the
department of health and human services
(DHHS), limited-dataset compliance
(pharmaceutical industry), strategic security
planning for the then newly formed department
of Homeland Security (DHS), to details such as
performing penetration testing and application
and system scanning of both dynamic and static
(source code).
Terrill has assessed, designed, implemented
and operated comprehensive life science related
information assurance and threat management
programs: forensics, log management, scanning
and monitoring, malware defense, risk
management, and compliance and security
architecture. Most of these efforts involved fast-
paced, multiple projects across diverse
stakeholder organizations.
Terrill is an expert in numerous
frameworks/industry sources and how these
relate to each other, i.e. NIST controls, ISO
27000 series, US-CERT, safe-harbor, SANS,
Internet Storm Center, Cloud Security Alliance,
Trusted Computing Group. He keeps up with
security technology by maintaining awareness
Objective May, 2014 Positions using my experience in regulatory
compliance, Information security technology and
business methods.
through such groups as: the NIST, FBI
InfraGard, FS-ISAC, ISACA, ISC2, Mitre and
ISO.
Terrill has frequently participated as a key
trainer, presenter and chairman at industry
conferences focused on global corporate IT
strategy, security, enterprise architecture and
control models (NIST, ISO, CoBit, ITIL) for
diverse enterprise organizations. He has taught
Project-Management at fee based conferences.
Also in association with MIS Training Institutes
provided invitation only, fee based strategic
training to C level executives regarding IT
related global issues: security, Cost-Benefit and
EVA, compliance, life-cycle planning etc.
2013 (October 1) – 2014 (April 18) CGI
Experience Consulting, on the Massachusetts Health
Insurance Exchange (HIX) - Contract
Manager of Compliance and lead Security
Architect for cloud based, SOA, and web facing
applications (federated SaaS model).
Create compliance program and Technical
Detail Design (TDD) –architecture, schedule,
budget, project-plan; for HIX Security.
1. Public Key Infrastructure (PKI)
2. Certificate Authority (issue and manage
digital certificates)
3. Light Directory Access Protocol (LDAP)
4. Federated SaaS
Designed comprehensive compliance and
security infrastructure for cloud-based, SOA.
This included emerging regulations, federated
public key infrastructure (PKI), secured key
management, web application firewalls
(WAFs) and distributed identity management.
Comprehensive Compliance Program
1. FDA, IRS, HIPAA, HITECH, Safe-Harbor,
201 CMR 17.00
2. Business processes
3. Risk Register
4. Security operations
5. Policy creation
6. Security oversight processes
2012 (October 1) – 2013 (April 26)
Massachusetts Department of Transportation -
Contract
Security Architecture Lead for DMV
Modernization Project
My role was security architect of a
Service Oriented (SOA), private cloud
Objective May, 2014 Positions using my experience in regulatory
compliance, Information security technology and
business methods.
based (PaaS/IaaS), architecture for on-
line (Web) Registry of Motor Vehicles
(RMV).
This entailed design and set up of a
Tivoli/Oracle internet facing distributed
system running on a private cloud. This
is a high volume service delivery
operation, and entailed a
comprehensive infrastructure of security
management, technical controls, and
testing, monitoring, and incident
response capabilities.
Compliance included FBI, HITECH,
Safe-Harbor, 201 CMR 17.00
2012 (July 30) – 2012 (September 28) NaviNet, Boston Massachusetts
Security Lead for contract
Create compliance program (GRC1), and created Security Architecture for leading healthcare/
pharmaceutical Value Added Network processing interactions for most major healthcare
organizations and their members. Used AppScan and other scanners to detect and mitigate
weaknesses.
Authored all Security Policies, standards and procedures. I.E. created a comprehensive set of
compliant security policies, standards and procedures (HIPAA, FDA/EMEA, HITECH, PCI,
IRS1075 ETC.): forensics, vulnerability, risk management, audit preparation (SSA16, PCI,
FDA) and compliance.
Training existing staff in emerging security regulations and technologies, including continuous
monitoring for incidents and accountability.
Web portal defense, network encryption identity management, full desk encryption, VPNs, Role Based
Access Control, Common Criteria, Certificate and PKI controls.
2009 - 2012 BlueCross BlueShield of
Massachusetts
Manager of compliance, policy, audit and risk
Developed comprehensive GRC strategy
including full stakeholder coordination (set
up Security Oversight Council) for
compliance, risk mitigation, auditing,
forensics, and operations.
Created security and operational integrity
for all voice systems (PBX, VoIP), Network
security using check-point, Palo Alto, DLP,
IPS, and most other security control
categories.
Purchase Card Industry PCI-DSS, HIPAA,
1 GRC: “Governance, Risk-management and Compliance”
1
Authored all Security Policies, standards and procedures. I.E. created a comprehensive set of
compliant security policies, standards and procedures (HIPAA, FDA/EMEA, HITECH, PCI,
IRS1075 ETC.): forensics, vulnerability, risk management, audit preparation (SSA16, PCI,
FDA) and compliance.
Training existing staff in emerging security regulations and technologies, including continuous
monitoring for incidents and accountability.
Web portal defense, network encryption identity management, full desk encryption, VPNs, Role Based
Access Control, Common Criteria, Certificate and PKI controls.
SOX, FDA, HITECH, CMR 201, were part
of the BCBSMA architecture.
Authored all IT related technical policies,
procedures and guides as well as security
architectural requirements.
Supported ISO 27001 certification efforts
by defining security requirements and
writing detailed security architecture
document sets. Also authored all security
policies and detailed procedures needed
to achieve certification. Implemented
policies, architecture and configuration
standards.
Created Risk Register entailing
assessment risk determination and
presentation to management.
Supported all efforts regarding SSAE16
(SAS70) audits and remediation projects.
Network security including database,
internet facing, SharePoint SEIM and
technical audits and assessments were
my responsibilities. These included
assessments of the risk involved with
mobile access of cloud based applications
under SaaS, PaaS, and IaaS as both
private and public clouds.
Managed team providing security
architecture and development for $150
million development program. This
entailed PCI scope control, hardware
based encryption and whole disk
encryption for Primary Account Number
(PAN) and related data.
Responsible for aligning security program
with enterprise business strategy using
business risk based assessment mapping.
Used Business Objects, SAP, ERP ITIL,
Maturity Models (Carnegie Mellon) and my
own performance dashboard and
Balanced Scorecard methods and tools
based on MS Office capabilities.
Developed corporate Information
Assurance (IA) program. This program
contained: security-architecture,
Authored all Security Policies, standards and procedures. I.E. created a comprehensive set of
compliant security policies, standards and procedures (HIPAA, FDA/EMEA, HITECH, PCI,
IRS1075 ETC.): forensics, vulnerability, risk management, audit preparation (SSA16, PCI,
FDA) and compliance.
Training existing staff in emerging security regulations and technologies, including continuous
monitoring for incidents and accountability.
Web portal defense, network encryption identity management, full desk encryption, VPNs, Role Based
Access Control, Common Criteria, Certificate and PKI controls.
compliance, policies, controls, and risk
management facilities, tools, procedures.
2005 - 2008 Perot System at Harvard Pilgrim
Health Care
Manager of Information Security Services and
Development
Managed 6 person team of security
engineers providing security operation
(AppScan, Log management, identity and
access management) and development in
support of Harvard Pilgrim Healthcare.
Managed development team and
delivered Role Based Security (RBAC),
Forensics, SharePoint collaboration,
network access (NAC), DLP, and risk
assessments.
Developed security and risk policies and
procedures
2004 – 2005 Abacus Technology Corporation
Senior Consulting Engineer and Program/Project
Manager
Developed strategic force protection
standards and model (security
architecture) for securing bases, airports,
and other critical US sites from criminal
and terrorist attack.
Managed activities of other sub-
contractors on this program.
Developed security and IT technical
standards for DoD Physical and
Information Security Infrastructure.
Stakeholders were: USAF, USMC,
USArmy and USNavy. These were
required to align with Security Technical
Implementation Guides (STIGs), and DoD
Information Assurance Certification and
Accreditation Process (DIACAP) using
Committee on National Security
Systems (NCSS), NIST, DISA and NSA
underlying standards.
This program entailed comprehensive
review of all security related technology for use
in specifying details for the Physical/Information
Security program of the DoD. This included
Authored all Security Policies, standards and procedures. I.E. created a comprehensive set of
compliant security policies, standards and procedures (HIPAA, FDA/EMEA, HITECH, PCI,
IRS1075 ETC.): forensics, vulnerability, risk management, audit preparation (SSA16, PCI,
FDA) and compliance.
Training existing staff in emerging security regulations and technologies, including continuous
monitoring for incidents and accountability.
Web portal defense, network encryption identity management, full desk encryption, VPNs, Role Based
Access Control, Common Criteria, Certificate and PKI controls.
Voice, data, and image technology.
I set up and supported a secure
collaboration facility and service used by the four
military services and all other project related
DoD contractors.
Used UML use-cases as well as object
interactions models.
Work entailed modeling of data both in
static terms and as transactions. I created a
database and 8 XML schemas defining many
XML record used to exchange critical security
data.
2002 - 2004 Integris LLC
Senior Consulting Team Lead, auditor, development
program and assessment project manager
Managed (hands on leadership) IT
consulting and auditing teams across
numerous non-profit, commercial and
governmental engagements: HIPAA, FDA,
21CFR11, FISMA, (SAS70 – CMS
compliance audits, now SSAE16 audits,
FDA inspections (security and document
management))
Department of Homeland Security audit
and infrastructure design
Work entailed the merging of 22 different
US government departments into one new
cabinet level operation, with a unified security
model.
Compliance Healthcare Audits for
Department of Health and Human
Services: HIPAA, 21CFR11, FISMA etc.
DHHS contracts with healthcare
organization for the processing of healthcare
claims data. My work for DHHS was to audit the
operations of these organizations to ensure
compliance with DHHS requirements. Massive
databases (all Medicare claims) are a critical
feature of this work.
Enterprise network security compliance
audits (SAS70)
Authored all Security Policies, standards and procedures. I.E. created a comprehensive set of
compliant security policies, standards and procedures (HIPAA, FDA/EMEA, HITECH, PCI,
IRS1075 ETC.): forensics, vulnerability, risk management, audit preparation (SSA16, PCI,
FDA) and compliance.
Training existing staff in emerging security regulations and technologies, including continuous
monitoring for incidents and accountability.
Web portal defense, network encryption identity management, full desk encryption, VPNs, Role Based
Access Control, Common Criteria, Certificate and PKI controls.
2002 - 2002 ING America
Chief Information Security Office (CISO)
As CISO for the Americas (USA, Latin
America, Canada) I was responsible for
strategy, budgets, design, implementation
and operation of all global enterprise
security systems. These included:
Healthcare Insurance, Financial Systems,
Banking, networking, databases, and web
applications.
Financial System security and compliance
- PCI
Developed program management
standards for overall control of multiple
projects and managed all security projects.
1999–2002 United Healthcare
Group (Ingenix)
Chief Information Security Officer (CISO) and Director
of operations.
Created integrated information security
program including security technology
(voice, data, image), policy and cross
department stakeholder coordination.
Designed and implemented distributed
information warehouse systems.
Internal and compliance security for all
Healthcare Operations
Internal audits, incident repose and
security architecture
1997–1999 Rill Technologies (my
own company)
Strategic and project related security consulting
Completed engagements with startups
and established IT operations,
Uwin (a startup within GTECH RI) for on
line gaming. Director of development.
VP of Operations for Jenzabar – a startup
in academic on-line support. Break-off
from Harvard University. Set up web
Authored all Security Policies, standards and procedures. I.E. created a comprehensive set of
compliant security policies, standards and procedures (HIPAA, FDA/EMEA, HITECH, PCI,
IRS1075 ETC.): forensics, vulnerability, risk management, audit preparation (SSA16, PCI,
FDA) and compliance.
Training existing staff in emerging security regulations and technologies, including continuous
monitoring for incidents and accountability.
Web portal defense, network encryption identity management, full desk encryption, VPNs, Role Based
Access Control, Common Criteria, Certificate and PKI controls.
operations from ground up.
Director of security for Allmerica Financial.
Established first use of firewalls.
1993–1997 University of
Massachusetts
CISO and Director of Operations
Responsible for all IT operations, all voice
(PBX) operations and all security (strategy,
compliance, development and operations).
Working with stakeholders drawn from life-
science research labs, hospitals, group
practices and the university’s life science
and medical schools; created strategy,
secured budget, and then implemented
comprehensive IT support. This included
multiple data centers, extensive network,
highly secured systems for intellectual
property (life science research) and
general network security.
Created special system for tracking
generations of genetically pure lab animals
(line of mice and other).
Worked with life science department to
achieve recognition of telemedicine for
mammograms – then not sanctioned due
to resolution of images.
Created worldwide, real-time, video
network for surgical training and
collaboration between academic hospitals.
This involved a then new technique called
minimally invasive surgery. And used
complex satellite links.
Developed requirements, strategy, RFQ,
and implementation of new distributed
PBX infrastructure.
Developed strategy for commonwealth
wide, high-bandwidth, fiber based network,
secured budgeting and then provided
security for implementation. This is now
the backbone Massachusetts network
Designed and implemented first firewall
with Raytheon’s help –no firewall products
were then available.
Authored all Security Policies, standards and procedures. I.E. created a comprehensive set of
compliant security policies, standards and procedures (HIPAA, FDA/EMEA, HITECH, PCI,
IRS1075 ETC.): forensics, vulnerability, risk management, audit preparation (SSA16, PCI,
FDA) and compliance.
Training existing staff in emerging security regulations and technologies, including continuous
monitoring for incidents and accountability.
Web portal defense, network encryption identity management, full desk encryption, VPNs, Role Based
Access Control, Common Criteria, Certificate and PKI controls.
Operated 365/7/24 data centers required
by hospitals – no down time allowed.
Computer Science Illinois Institute of
Education Technology,
Chicago Illinois
BS Computer Science Roosevelt University,
Chicago Illinois
Completed)
MBA (Computer Science/Operations Research
focus) University of Chicago, Chicago Illinois
(Operations Research and Computer Science
Management- incomplete)
Other Training PMP, Special technology courses offered by
IBM, SUN, Cisco and other technology vendors.
CISO program completion.
CISSP International Information Systems
Certifications Security Certification
Consortium (ISC2)
CCP Certified Computing Professional,
Institute for Certification of
Computing Professionals (ICCP)
CRISC Certified in Risk and Information
Systems Control
CISM Certified Information Security Manager
Interests Mensa member
Contact this candidate