Security Management

Location:
Franklin, MA
Salary:
130,000
Posted:
April 26, 2014


Resume:

** ****** **** ****: 508-***-****

Milford Massachusetts 01757 Mobile: 508-***-****

Email acdvle@r.postjobfree.com

Terrill J. Smith CISSP, CRISC, CCP, CISM

Objective (May, 2014): Positions using my experience in regulatory compliance, information security technology and business methods.

Terrill Smith, CISSP, CRISC, CCP, CISM has over 25 years’ experience managing major strategic IT programs of large and small government, commercial and non-profit organizations. He has managed small departments and very large global departments, has provided global thought leadership, professional development seminars, and strategic planning results. Terrill has hands-on technical experience with all major IT disciplines: networking, data storage, virtual systems (SaaS, PaaS and IaaS), data-center design, automation frameworks, and Governance, Risk Management and Compliance (GRC). He has implemented compliance programs addressing regulations such as FDA, HHS, DoD, IRS, FCC, and is an expert with detailed hands-on experience in all forms of security.

Terrill has successfully completed numerous risk assessment, forensic, and strategic planning projects. These range from assessing the Department of Health and Human Services (DHHS), limited-dataset compliance (pharmaceutical industry), and strategic security planning for the then newly formed Department of Homeland Security (DHS), to details such as performing penetration testing and both dynamic and static (source code) application and system scanning.

Terrill has assessed, designed, implemented and operated comprehensive life-science-related information assurance and threat management programs: forensics, log management, scanning and monitoring, malware defense, risk management, and compliance and security architecture. Most of these efforts involved fast-paced, multiple projects across diverse stakeholder organizations.

Terrill is an expert in numerous frameworks/industry sources and how these relate to each other, i.e. NIST controls, ISO 27000 series, US-CERT, Safe Harbor, SANS, Internet Storm Center, Cloud Security Alliance, Trusted Computing Group. He keeps up with security technology by maintaining awareness through such groups as: NIST, FBI InfraGard, FS-ISAC, ISACA, ISC2, MITRE and ISO.

Terrill has frequently participated as a key trainer, presenter and chairman at industry conferences focused on global corporate IT strategy, security, enterprise architecture and control models (NIST, ISO, COBIT, ITIL) for diverse enterprise organizations. He has taught project management at fee-based conferences. Also, in association with MIS Training Institute, he provided invitation-only, fee-based strategic training to C-level executives regarding IT-related global issues: security, cost-benefit and EVA, compliance, life-cycle planning etc.

Experience

2013 (October 1) – 2014 (April 18) CGI Consulting, on the Massachusetts Health Insurance Exchange (HIX) - Contract

Manager of Compliance and lead Security Architect for cloud-based, SOA, and web-facing applications (federated SaaS model).

Created compliance program and Technical Detail Design (TDD) – architecture, schedule, budget, project plan – for HIX Security:

1. Public Key Infrastructure (PKI)
2. Certificate Authority (issue and manage digital certificates)
3. Lightweight Directory Access Protocol (LDAP)
4. Federated SaaS

Designed comprehensive compliance and security infrastructure for cloud-based SOA. This included emerging regulations, federated public key infrastructure (PKI), secured key management, web application firewalls (WAFs) and distributed identity management.

Comprehensive Compliance Program:

1. FDA, IRS, HIPAA, HITECH, Safe Harbor, 201 CMR 17.00
2. Business processes
3. Risk Register
4. Security operations
5. Policy creation
6. Security oversight processes

2012 (October 1) – 2013 (April 26) Massachusetts Department of Transportation - Contract

Security Architecture Lead for DMV Modernization Project

My role was security architect of a Service Oriented (SOA), private-cloud-based (PaaS/IaaS) architecture for the on-line (Web) Registry of Motor Vehicles (RMV).

This entailed design and set-up of a Tivoli/Oracle internet-facing distributed system running on a private cloud. This is a high-volume service delivery operation, and entailed a comprehensive infrastructure of security management, technical controls, and testing, monitoring, and incident response capabilities.

Compliance included FBI, HITECH, Safe Harbor, 201 CMR 17.00.

2012 (July 30) – 2012 (September 28) NaviNet, Boston Massachusetts

Security Lead for contract

Created compliance program (GRC), and created Security Architecture for a leading healthcare/pharmaceutical Value Added Network processing interactions for most major healthcare organizations and their members. Used AppScan and other scanners to detect and mitigate weaknesses.

Authored all Security Policies, standards and procedures, i.e. created a comprehensive set of compliant security policies, standards and procedures (HIPAA, FDA/EMEA, HITECH, PCI, IRS 1075 etc.): forensics, vulnerability, risk management, audit preparation (SSAE 16, PCI, FDA) and compliance.

Trained existing staff in emerging security regulations and technologies, including continuous monitoring for incidents and accountability.

Web portal defense, network encryption, identity management, full disk encryption, VPNs, Role Based Access Control, Common Criteria, Certificate and PKI controls.

2009 - 2012 BlueCross BlueShield of Massachusetts

Manager of compliance, policy, audit and risk

Developed comprehensive GRC strategy including full stakeholder coordination (set up Security Oversight Council) for compliance, risk mitigation, auditing, forensics, and operations.

Created security and operational integrity for all voice systems (PBX, VoIP), network security using Check Point, Palo Alto, DLP, IPS, and most other security control categories.

Payment Card Industry PCI-DSS, HIPAA, SOX, FDA, HITECH, 201 CMR were part of the BCBSMA architecture.

Authored all IT-related technical policies, procedures and guides as well as security architectural requirements.

Supported ISO 27001 certification efforts by defining security requirements and writing detailed security architecture document sets. Also authored all security policies and detailed procedures needed to achieve certification. Implemented policies, architecture and configuration standards.

Created Risk Register entailing assessment, risk determination and presentation to management.

Supported all efforts regarding SSAE 16 (SAS 70) audits and remediation projects.

Network security including database, internet-facing, SharePoint, SIEM and technical audits and assessments were my responsibilities. These included assessments of the risk involved with mobile access of cloud-based applications under SaaS, PaaS, and IaaS as both private and public clouds.

Managed team providing security architecture and development for $150 million development program. This entailed PCI scope control, hardware-based encryption and whole-disk encryption for Primary Account Number (PAN) and related data.

Responsible for aligning security program with enterprise business strategy using business-risk-based assessment mapping. Used Business Objects, SAP, ERP, ITIL, Maturity Models (Carnegie Mellon) and my own performance dashboard and Balanced Scorecard methods and tools based on MS Office capabilities.

Developed corporate Information Assurance (IA) program. This program contained: security architecture, compliance, policies, controls, and risk management facilities, tools, procedures.

2005 - 2008 Perot Systems at Harvard Pilgrim Health Care

Manager of Information Security Services and Development

Managed 6-person team of security engineers providing security operations (AppScan, log management, identity and access management) and development in support of Harvard Pilgrim Health Care.

Managed development team and delivered Role Based Security (RBAC), forensics, SharePoint collaboration, network access control (NAC), DLP, and risk assessments.

Developed security and risk policies and procedures.

2004 – 2005 Abacus Technology Corporation

Senior Consulting Engineer and Program/Project Manager

Developed strategic force protection standards and model (security architecture) for securing bases, airports, and other critical US sites from criminal and terrorist attack.

Managed activities of other sub-contractors on this program.

Developed security and IT technical standards for DoD Physical and Information Security Infrastructure. Stakeholders were: USAF, USMC, US Army and US Navy. These were required to align with Security Technical Implementation Guides (STIGs), and DoD Information Assurance Certification and Accreditation Process (DIACAP) using Committee on National Security Systems (CNSS), NIST, DISA and NSA underlying standards.

This program entailed comprehensive review of all security-related technology for use in specifying details for the Physical/Information Security program of the DoD. This included voice, data, and image technology.

I set up and supported a secure collaboration facility and service used by the four military services and all other project-related DoD contractors.

Used UML use-cases as well as object interaction models.

Work entailed modeling of data both in static terms and as transactions. I created a database and 8 XML schemas defining many XML records used to exchange critical security data.

2002 - 2004 Integris LLC

Senior Consulting Team Lead, auditor, development program and assessment project manager

Managed (hands-on leadership) IT consulting and auditing teams across numerous non-profit, commercial and governmental engagements: HIPAA, FDA, 21 CFR 11, FISMA, SAS 70 CMS compliance audits (now SSAE 16 audits), FDA inspections (security and document management).

Department of Homeland Security audit and infrastructure design. Work entailed the merging of 22 different US government departments into one new cabinet-level operation, with a unified security model.

Compliance healthcare audits for Department of Health and Human Services: HIPAA, 21 CFR 11, FISMA etc. DHHS contracts with healthcare organizations for the processing of healthcare claims data. My work for DHHS was to audit the operations of these organizations to ensure compliance with DHHS requirements. Massive databases (all Medicare claims) are a critical feature of this work.

Enterprise network security compliance audits (SAS 70).


2002 - 2002 ING America

Chief Information Security Officer (CISO)

As CISO for the Americas (USA, Latin America, Canada) I was responsible for strategy, budgets, design, implementation and operation of all global enterprise security systems. These included: healthcare insurance, financial systems, banking, networking, databases, and web applications.

Financial system security and compliance - PCI.

Developed program management standards for overall control of multiple projects and managed all security projects.

1999–2002 United Healthcare Group (Ingenix)

Chief Information Security Officer (CISO) and Director of Operations

Created integrated information security program including security technology (voice, data, image), policy and cross-department stakeholder coordination.

Designed and implemented distributed information warehouse systems.

Internal and compliance security for all healthcare operations.

Internal audits, incident response and security architecture.

1997–1999 Rill Technologies (my own company)

Strategic and project-related security consulting

Completed engagements with startups and established IT operations:

Uwin (a startup within GTECH RI) for on-line gaming. Director of development.

VP of Operations for Jenzabar – a startup in academic on-line support, a break-off from Harvard University. Set up web operations from the ground up.

Director of security for Allmerica Financial. Established first use of firewalls.

1993–1997 University of Massachusetts

CISO and Director of Operations

Responsible for all IT operations, all voice (PBX) operations and all security (strategy, compliance, development and operations).

Working with stakeholders drawn from life-science research labs, hospitals, group practices and the university’s life science and medical schools, created strategy, secured budget, and then implemented comprehensive IT support. This included multiple data centers, extensive network, highly secured systems for intellectual property (life science research) and general network security.

Created special system for tracking generations of genetically pure lab animals (lines of mice and other).

Worked with life science department to achieve recognition of telemedicine for mammograms – then not sanctioned due to resolution of images.

Created worldwide, real-time video network for surgical training and collaboration between academic hospitals. This involved a then-new technique called minimally invasive surgery, and used complex satellite links.

Developed requirements, strategy, RFQ, and implementation of new distributed PBX infrastructure.

Developed strategy for commonwealth-wide, high-bandwidth, fiber-based network, secured budgeting and then provided security for implementation. This is now the backbone Massachusetts network.

Designed and implemented first firewall with Raytheon’s help – no firewall products were then available.

Operated 365/7/24 data centers required by hospitals – no down time allowed.

Education:

Computer Science, Illinois Institute of Technology, Chicago Illinois

BS Computer Science, Roosevelt University, Chicago Illinois (Completed)

MBA (Computer Science/Operations Research focus), University of Chicago, Chicago Illinois (Operations Research and Computer Science Management - incomplete)

Other Training: PMP, special technology courses offered by IBM, SUN, Cisco and other technology vendors. CISO program completion.

Certifications:

CISSP - International Information Systems Security Certification Consortium (ISC2)

CCP - Certified Computing Professional, Institute for Certification of Computing Professionals (ICCP)

CRISC - Certified in Risk and Information Systems Control

CISM - Certified Information Security Manager

Interests: Mensa member


