MARIE NELLIST
CO 80231
www.linkedin.com/in/mnellist
Senior Information Security Consultant
Energetic, visionary and multi-skilled information security consultant with
a 15-year record of building information security initiatives from the
ground up. Continuous learner with a passion for innovation in information
security risk and vulnerability management. Driven to optimize information
security investments, reduce the business impact of security incidents,
improve client retention and promote thoughtful, deliberate information
security decision making. Persuasive and articulate communicator.
Extensive experience in vulnerability assessment, penetration testing and
ethical hacking using a variety of commonly accepted, proven open source and
commercial tools; development of incident response programs; risk
assessments, audit interviews, artifact collection and compliance
measurement; and tracking, reporting and visual presentation of results to
C-level executives. Driven to obtain results and information while
maintaining a collaborative and persuasive presence.
PROFESSIONAL EXPERIENCE
Senior Vulnerability Management and Risk Consultant, State of Virginia
(November 2013 - Present)
Change agent for the improvement of security, vulnerability/risk assessment
and compliance within a large State Agency. Performed gap analysis and
assumed ownership of critical initiatives to improve the security posture
of the organization. Initiated, developed and drove vulnerability
assessment and remediation efforts to reduce security vulnerabilities,
business risks and to increase protection against advanced persistent
threats. Assumed ownership for the assessment, product recommendation, use
cases and proof of concept for the adoption of open source/commercial
database and web vulnerability scanners. Played critical role
training/mentoring junior staff on complex, highly technical security
vulnerability assessment products. Assumed ownership, drove and managed
security awareness training efforts designed to better enable end users to
defend the enterprise against front line social engineering attacks.
Performed risk compliance audits, interviewing various technical and
functional groups such as application developers, network administrators,
software developers and business owners. Collected, categorized, and
documented findings to determine level of compliance with control
requirements. Conducted penetration testing (network mapping, URL crawling,
OWASP Top Ten evaluation, exploitation, mobile device/application testing,
wireless testing, application, database and web back-end testing and
security evaluation, social engineering, and source code review).
Selected Achievements:
- Evaluated the incident response program. Made recommendations on
  development of the plan, participated in the incident response team as a
  first line responder, and conducted forensic investigation/analysis and
  containment of incidents in a secure offline environment.
- Developed and managed the vulnerability assessment program. Interacted
  with vendors, obtained and configured approved commercial tools,
  established an automated scanning schedule for externally available
  websites and internally available nodes, and evaluated resulting reports
  for issues. Collaborated with application developers and system owners to
  perform remediation activities on targeted systems and retested systems
  to verify that remediation was effective.
- Evaluated and documented the existing risk compliance posture against
  NIST, PCI DSS, and HIPAA control requirements. Identified audit gaps and
  prepared plans to remediate gaps or implement compensating controls to
  mitigate/reduce overall risk to the enterprise.
- Pioneered ongoing improvements to the risk and vulnerability management
  program. Initiated and managed a gap analysis of the existing firewall
  and network infrastructure (internal network and DMZ), managed the project
  from inception to completion, and recommended and obtained adjustments to
  the firewall rules to provide a stronger defense-in-depth security
  posture.
- Coordinated and managed eight concurrent risk assessment activities in a
  fast-paced, high-visibility business environment.
Information Assurance Management Consultant, Department of Defense, Fort
Lee, VA (May 2013 - August 2013)
Directed a major information security client risk assessment engagement.
Provided leadership and support for on-site systems security certification,
accreditation, and risk management. Provided strategic leadership and
insight to facilitate security architecture gap analysis, augment security
enhancements, and strengthen the defense in depth posture of client
applications and systems. Managed continuous monitoring activities and
vulnerability analysis/remediation efforts. Leveraged lessons learned to
support future security improvements/recommendations. Managed
infrastructure/application accreditation and reaccreditation, which
included evaluating the network and application enclaves against NIST and
PCI DSS access controls. Managed a team of three direct reports whose
responsibilities included technical writing, security auditing,
vulnerability analysis and system hardening. Redesigned and managed the
incident response team in all aspects of response, forensic analysis,
remediation, and lessons learned. Managed identity access, mobile
device/application security, and source code review efforts.
Selected Achievements:
- Participated in the incident response program as a first line responder,
  performing forensic analysis, containment, segregation of infected nodes,
  and malware analysis and remediation.
- Optimized time spent on projects divided between multiple support teams
  by introducing Agile Scrum methodology for project management and team
  collaboration.
- Coordinated the full project lifecycle for successful enterprise-wide
  deployment of a centrally managed host-based antivirus and firewall
  solution.
- Managed fourteen concurrent certification and accreditation activities in
  a fast-paced, high-visibility government facility.
Information Systems Security Consultant, Department of Veterans Affairs,
Washington DC (June 2012 - May 2013)
Coordinated and drove a large project to evaluate the NIST SP 800-53
controls and Continuous Monitoring Management Framework on the FedRAMP
system (VA health care). Provided insight, recommendations and total
lifecycle project management to optimize the incident response process,
conducted process gap analysis, prepared business proposals, and delivered
expert training to junior staff to guide adoption of new risk assessment
processes. Oversaw and drove completion of a full-lifecycle identity and
access management solution for personnel, systems, and applications.
Evaluated, selected, and received approval to implement new continuous
monitoring tools to increase visibility into overall risk posture.
Selected Achievements:
- Managed ten concurrent certification and accreditation projects.
  Evaluated the network environment against the PCI DSS, HIPAA, and NIST
  risk frameworks.
- Launched the Identity and Access Management Program.
- Introduced enhanced continuous monitoring capabilities to proactively
  defend against threats while raising security standards for the client
  network by sourcing and implementing tools to enhance defense in depth.
Information Assurance Consultant, Department of Defense, Fort Lee VA
(October 2011 - June 2012)
Led planning and implementation for major information assurance projects.
Supervised risk identification and drove project management efforts.
Conducted planning, budgeting, and prioritization to proactively manage
effective remediation of identified risks and vulnerabilities. Directed
continuous monitoring activities. Provided gap analysis, executed budget
preparation, performed business case management, and gained executive level
buy-in for new security initiatives designed to strengthen overall risk and
defense in depth posture. Performed audits against the FISMA/NIST Risk
Management Framework.
Selected Achievements:
- Remediated deficiencies in the continuous monitoring program by
  performing gap analysis and preparing executive-level reports and
  presentations to illustrate the need for augmented security monitoring
  tools and a better defined continuous monitoring program. Secured
  executive approval and subsequent funding to acquire new monitoring tools
  and begin the implementation of a continuous monitoring strategy.
- Supervised four direct reports and mentored junior staff. Participated in
  hiring and interview processes to identify and retain new security
  talent.
- Performed FISMA and NIST audits of various Army enclaves and systems,
  including an audit of the network enclave and 10 application enclaves.
  Managed these projects concurrently.
Information Systems Security Consultant, Department of Homeland Security,
Washington DC (June 2011 - October 2011)
Supervised and directed six high visibility security assessment and
authorization initiatives. Conducted evaluation of vulnerability scan
results and host logs to identify potential security risks.
Selected Achievements:
- Delivered return on investment for the client by identifying and
  developing proposals for new secure cloud offerings to market as shared
  business services to other government entities.
- Performed secure systems architecture analysis, design and implementation
  of a secure VPN solution.
Information Assurance Manager Consultant, Department of Justice,
Washington, DC (January 2011 - June 2011)
Conducted risk-based and vulnerability analysis. Directed six certification
and accreditation activities for client systems and networks. Provided
technical expertise and support to the Senior Program Manager on the
subject of information security awareness, delivering in-depth
recommendations, performing sanctioned social engineering and designing
visual aids to improve user security awareness. Recommended, owned and
documented a needs-based analysis to justify additional end user security
education. Launched a training program for FISMA compliance within the AFMS
organization. Worked alongside senior leadership to audit, document, and
submit recommendations to remediate findings in the risk analysis/compliance
verification project.
Selected Achievements:
- Decreased successful intrusions into the corporate network by 95%
  through a complete overhaul of the information security architecture and
  monitoring activity to more effectively block penetrations into the
  internal network and reduce overall risk to the enterprise.
- Addressed a lack of project, program, and change documentation by
  developing the organization's first technical writing program, allowing
  improved visibility on all changes and new program additions.
- Initiated the Agency's first formal change management program.
- Reduced time to respond to incidents while raising the quality of
  response by developing and deploying an Incident Response Program, with
  authority over program funding, staffing, employee training, and program
  testing.
Senior Network Security Engineer, Federal Reserve Bank of Richmond
(November 2009 - January 2011)
Collaborated with internal clients on the analysis and implementation of
firewall boundary crossings. Conducted in-depth security and architectural
evaluation with detailed analysis of the requested ports and protocols.
Acted as key resource and subject matter expert on architectural
evaluation, design and implementation. Change agent for the implementation
of PCI DSS and NIST control compliance.
Selected Achievements:
- Spearheaded, managed and maintained the adoption of NIST-based security
  policies and DIACAP controls.
- Delivered 90% growth in process efficiency while improving cost control
  and eliminating waste through deployment of Lean Six Sigma principles
  throughout the project management lifecycle.
- Made information accessible and understandable to non-technical executive
  leadership through visual aids covering diverse technical principles and
  architectures.
Information Assurance Officer Consultant, Department of Defense, Fort Lee,
VA (June 2007 - November 2009)
Partnered with Department of Defense (DOD) client on delivery of new
information systems, system hardening, and certification, accreditation,
and DIACAP and NIST SP 800-53 review activities for twelve different
systems. Executed the continuous monitoring program for the CIO office,
encompassing vulnerability analysis, risk mitigation, and strategic/tactical
planning. Designed and advanced a new network infrastructure aligning with
NIST SDLC criteria. Addressed and followed up on vulnerability alerts and
notifications, working in collaboration with program managers on
achievement of systems compliance. Defined and developed executive-level
directives and standard operating procedures (SOPs). Acted as a proactive
liaison between the DOD and the CIO office to identify and implement new,
enhanced security for wireless network devices. Handled vulnerability
analysis on a monthly and ad-hoc basis. Performed audits against the
network and application enclaves (conducted personnel interviews, collected
artifacts, completed appropriate FISMA compliance paperwork to document
compliance level with NIST-based controls, and submitted executive-level
reports and accreditation packages for review and subsequent acknowledgment
by the CIO and the Defense Commissary Agency Chief).
Selected Achievements:
- Strengthened compliance with NIST SDLC requirements by designing a new
  network infrastructure that enhanced network security, decreased the
  number of weak network endpoints, and introduced IPS technology to permit
  dropping malformed packets in front of the client firewall.
- Significantly strengthened client network security and improved
  defensibility against hacking attacks by evaluating the network
  defense-in-depth posture and making recommendations for improvements to
  security posture. This included redesigning the wireless network
  architecture.
- Performed a large audit of the network enclave, selected for this duty by
  the Chief of Security, based on demonstrated technical expertise in
  network architecture, technology, and security best practices.
Information Assurance/Network Engineer, VITA/NG/State of Virginia IT
Partnership (June 2001 - June 2007)
Performed security scans against the State of Virginia Department of
Taxation enterprise WAN. Performed network maintenance on firewalls,
routers, switches, and other WAN architecture. Performed server
administration on key infrastructure devices. Participated in the rollout of
the first VMware servers to the TAX enterprise by initiating and developing
a business proposal and budget, then managing the project from inception to
completion. Managed patching strategy by identifying commercial tools to
perform automated patching, obtaining budget and approval, and implementing
the strategy to maintain and augment server hardening standards. Conducted
an audit of the firewall ruleset to identify gaps and corrective actions for
insecure firewall rules and protocols (for example, cleartext FTP).
Implemented SFTP and SSL in the DMZ to encrypt transmissions to public
entities.
Selected Achievements:
- SDLC Project Manager for the rollout of McAfee antivirus to the
  enterprise.
- Project Manager for the rollout of the new Advantage Revenue server,
  which required a high level of diligence, perseverance and visibility
  with senior TAX and NG leadership.
Career Note:
Senior LAN Engineer, Hamilton Beach Proctor Silex; and Senior Network
Security Analyst, Federal Reserve Bank.
EDUCATION
Master of Science, Communications Technology
Strayer University - Chesterfield, Virginia, June 2008
Bachelor of Science, Internetworking Technology
Strayer University - Chesterfield, Virginia, June 2004
PROFESSIONAL DEVELOPMENT
CISSP
CCNA
MCSE
PMP (in progress, expected completion December 2014)
SkillSoft Leadership Training
Air Force Leadership School
PROFESSIONAL AFFILIATIONS
ISC2
ISACA
PROFESSIONAL SOCIAL MEDIA
(Contributing blogger on a variety of information security, Lean and
process improvement topics)
Active Secret Clearance
US Air Force Veteran (Honorable Discharge)