Alain (Alan) Sadeghi
Johnson City, TN 37604
PROFESSIONAL PROFILE - SUMMARY
. 25 years of information security advisor experience, including 15
years in leadership roles & IT Security Sales.
. Citizen of the USA with an active DOD/DHS Secret Clearance; eligible for
Top Secret Clearance; bonded by the FBI.
. Multilingual: French/Italian/Farsi/Spanish/German.
. Excellent written and verbal communication skills, interpersonal and
collaborative skills, and the ability to communicate security and risk-
related concepts to technical and nontechnical audiences.
. Proven track record and experience in developing information security
policies and procedures, as well as successfully executing programs
that meet the objectives of excellence in a dynamic environment.
. Good knowledge of common information security management frameworks
and compliance regimes, such as:
. OMB A-130, NIST SP800-18, FIPS 199 & 200, NIST 800-53, NIST 800-53A,
NIST SP800-30, 800-60 V1 & V2, NIST SP800-37, DoD DIACAP, DoD RMF, DoD
8510.01, DoD CNSSI 1253, ISO/IEC 27001 & 27002, ITIL, COBIT, GLBA,
HIPAA/HITECH, HITRUST, SOX, FISMA, FERPA, NRC, PCI DSS, SAS 70/94,
SSAE 16, ISO 17799, NSA IA, NSA Cybersecurity, FDIC, FFIEC, Privacy Act
of 1974, Computer Security and Privacy Act of 1987, IRS1075 and MARS-E
Compliance, 10 CFR 73.54, NERC/CIP, US/EU Safe Harbor Security
Framework.
. 200+ security audits/assessments and 1,000+ penetration tests in the
financial, health, and governmental industries.
. High level of personal integrity, as well as the ability to
professionally handle confidential matters, and show an appropriate
level of judgment and maturity.
. High degree of initiative, dependability and ability to work with
little supervision. Created operations plans such as calculating
financial projections, forecasting, planning, and projection for 8
million dollars in sales per year.
. Responsible for establishing and maintaining a corporate wide
information security management program to ensure that information
assets are adequately protected.
. Responsible for identifying, evaluating and reporting on information
security risks in a manner that meets compliance and regulatory
requirements, and aligns with and supports the risk posture of the
enterprise.
. Proactively working with business units to implement practices that
meet defined policies and standards for information security and
oversee a variety of IT-related risk management activities.
. Serving as the process owner of all assurance activities related to
the availability, integrity and confidentiality of customer, business
partner, employee and business information in compliance with the
organization's information security policies.
. Working with executive management to determine acceptable levels of
risk for the organization. Highly knowledgeable about the business
environment and ensure that information systems are maintained in a
fully functional, secure mode. A thought leader, a consensus builder,
and an integrator of people and processes. Able to coordinate
disparate drivers, constraints and personalities, while maintaining
objectivity and a strong understanding that security is just one of
the business's activities.
. Developing, implementing and monitoring a strategic, comprehensive
enterprise information security and IT risk management program to
ensure the integrity, confidentiality and availability of information
that is owned, controlled or processed by the organization.
. Monitoring the external threat environment for emerging threats, and
advising relevant stakeholders on the appropriate courses of action.
. Being a liaison with external agencies, such as law enforcement and
other advisory bodies as necessary, to ensure that the organization
maintains a strong security posture. Coordinating the use of external
resources involved in the information security program, including, but
not limited to, interviewing, negotiating contracts and fees, and
managing external resources.
. Developing and overseeing effective disaster recovery policies and
standards to align with enterprise business continuity management
program goals. Coordinating the development of implementation plans and
procedures to ensure that business-critical services are recovered in
the event of a security event.
. Analyzed security market needs such as: near-term market drivers; long-
term market drivers; complexity and cost; market segments; marketing
strategy; sales strategy; direct sales; alliance partner sales;
competitive analysis; market analysis; competitive landscape; and
competitive differentiators.
PRESENT EMPLOYER: eTechSecurityPro, LLC; TN, VA & DC
01/2002-Present
Senior Consultant and Security Project Manager at eTechSecurityPro, LLC;
TN, VA & DC
. Managed 60+ information technology security engagements in 17 states,
including numerous large client IT security projects with hundreds of IT
staff and thousands of users. Acted as a security services and solutions
manager and senior cybersecurity advisor for over 10 years for 8 million
dollars in sales per year and performed all related BD projects such as:
cybersecurity development, writing NDAs/SLAs/SOWs/customer value
propositions, staffing/training, and QC.
. Successfully collaborating directly with senior management on a
client-facing delivery practice. Development and thought leadership
related to information security solutions, assessment and implementation;
expert-level abilities as a team member and team manager.
. Managed numerous large sales and implementations of IT security
consulting and solutions services projects for clients such as DOD, DHS,
VA hospitals, and financial industries as a sub-contractor to Northrop
Grumman, Accenture, etc.; have been the main point of contact for CEOs,
CFOs, and CIOs of multibillion-dollar industries.
. Architected and sold IT-related security consulting, solutions/services,
and enterprise security auditing with significant expertise in regulatory
compliance.
. Managed and supervised regulatory compliance with the latest industry
standards and information security systems best practices for key
clients, including: banks, credit unions, government agencies, healthcare
systems and nuclear systems among others. Effectively reduced security
exposures and strengthened overall organizational effectiveness by
strategically designing secure networks and managing implementation of
numerous security programs. Adeptly performed security framework work,
including: policy, access controls, network security, platform security,
app security, compliance and incident response. Concisely wrote thousands
of information security scopes of work (SOW) for clients and government
RFPs. Consistently provided coordination support for investigations and
extensive training in DIACAP and Information Assurance for DOD clients.
. Organized mini white-board sessions with clients' teams to discuss
their environments as they related to current or future security
initiatives. Demonstrated strategies and established credibility that
helped clients understand how they can have secure, compliant data, get
their IT personnel highly trained, and manage their deliverables for
greater ROI. Served as a liaison between the information security team and
corporate compliance, audit, legal and HR management teams as required.
Defined and facilitated the information security risk assessment
process, including the reporting and oversight of treatment efforts to
address negative findings. Managed security incidents and events to
protect corporate IT assets, including intellectual property, regulated
data and the company's reputation.
. Managing the enterprise's information security organization, consisting
of direct reports and indirect reports (such as individuals in business
continuity and IT operations). This includes hiring, training, staff
development, performance management and annual performance reviews.
Creating, communicating and implementing a risk-based process for vendor
risk management, including the assessment and treatment of risks that
may result from partners, consultants and other service providers.
Developing and managing information security budgets, and monitoring
them for variances. Creating and managing information security and risk
management awareness training programs for all employees, contractors and
approved system users. Working directly with the business units to
facilitate IT risk assessment and risk management processes, and working
with stakeholders throughout the enterprise on identifying acceptable
levels of residual risk. Providing regular reporting on the current
status of the information security program to enterprise risk teams,
senior business leaders and the board of directors as part of a strategic
enterprise risk management program. Creating a framework for roles and
responsibilities with regard to information ownership, classification,
accountability and protection. Developing and enhancing an information
security management program. Providing strategic risk guidance for IT
projects, including the evaluation and recommendation of technical
controls. Serving as a liaison with the enterprise architecture team to
ensure alignment between the security and enterprise architectures, thus
coordinating the strategic planning implicit in these architectures.
Coordinating information security and risk management projects with
resources from the IT organization and business unit teams.
. Creating and managing a unified and flexible control framework to
integrate and normalize the wide variety and ever-changing requirements
resulting from global laws, standards and regulations. Ensuring that
security programs are in compliance with relevant laws, regulations and
policies to minimize or eliminate risk and audit findings.
Summary of 3 recent projects while working at eTechSecurityPro, LLC
1- 01/25/2014-Present, Information Security Auditor at Citizens Bank and
Highland Union Bank
Responsibilities:
o Gap analysis on the best anti-malware solution based on the CB's
environment.
o Auditing Citizens Bank security controls based on the ISO 27001 code
of practice and guidelines.
o Directing the development of ISO 27001 information security
programs, policies and practices.
o Assisted in developing an information security plan and program in
compliance with applicable FDIC and FFIEC federal and state
legislation, regulatory standards, and generally accepted
information security principles.
o Assisted in developing policies, procedures, and other required
documentation for PCI DSS compliance.
o Assisted in security controls and compliance with Citizens'
information security programs and policies, and developed plans to
improve organizational performance where needed.
o Submitting periodic reports on the status of the information
security programs to Senior Leadership and the Audit and Compliance
Committee of the Board.
o Conducting gap analysis and information security audits, and
developing plans to address resulting concerns or to mitigate
organizational risks.
o Updating training programs and materials in support of applicable
changes in state and federal legislation, accreditation standards,
and organizational policies and procedures.
o Performed security and vulnerability assessments.
2- 01/17/2013-10/18/2013, Security Consultant at Mountain States Health
Alliances
Responsibilities:
o Developing Incident Management, Disaster Recovery, and Business
Continuity Program.
o Purchasing and Implementing SIEM, IDM, SSO, and Encryption.
Creating and Implementing Information Security Policies. Designing
Network and Application Security Topology and implementing them.
o Implementing, managing and directing the development and
implementation of information security programs, policies and
practices.
o Developing, implementing, and maintaining an information security
plan and program in compliance with applicable federal and state
legislation, regulatory standards, and generally accepted
information security principles.
o Developing, implementing, and maintaining policies, procedures, and
other required documentation in compliance with applicable federal
and state legislation, regulatory standards, and generally accepted
information security principles.
o Developing, implementing, and maintaining policies and methods to
measure compliance with MSHA's information security programs and
policies, and developing plans to improve organizational performance
where needed.
o Developing and implementing plans to eliminate or minimize the
impact of identified risks.
o Submitting periodic reports on the status of the information
security programs to Senior Leadership and the Audit and Compliance
Committee of the Board.
o Overseeing and conducting risk assessments, gap analysis, and
information security audits, and developing plans to address
resulting concerns or to mitigate organizational risks.
o Serving as a liaison and resource to MSHA Operations and Compliance
and other entities not covered under the MSHA HITECH/HIPAA/PCI
compliance program. Directing and managing the development and
delivery of effective information security education and awareness
programs for the MSHA workforce, including employees, medical
staff, volunteers, students and business associates.
o Creating and conducting initial and ongoing information security
training programs for the MSHA workforce as required by
HITECH/HIPAA/PCI. Creating and conducting information security
awareness program to include periodic information security
reminders as required by HITECH/HIPAA/PCI.
3- 01/01/2007-01/01/2012, Security Project Manager/SUB-Contractor at
Northrop Grumman
Responsibilities:
o I was security project manager for 83 State Agencies in Virginia as
well as 2 Federal Agencies for 5 years. One of my duties was
assisting the audit team and making sure these agencies complied with
the required laws and regulations such as IRS1075 and MARS-E
Compliance. Working with numerous bank, hospital and healthcare
systems, I had to do audit process mapping from ISO27001/27002 and
NIST 800-53/800-53A to HIPAA/HITECH, PCI and other regulatory
compliance, and to applicable federal requirements under FISMA, HIPAA,
HITECH, ACA, the Privacy Act, Tax Information Safeguarding
Requirements, IRC 6103 (which applies if an Exchange IT system receives
FTI), and MARS-E. Wrote policy and audited "Separation of Duties
(SOD)" to minimize and hopefully prevent fraud by creating
physical controls. Used RBAC or need-to-know to create an
Authentication Policy and to provide a convenient way to assign a
user to a particular job function or set of permissions within an
enterprise, in order to control access.
o Involved in and prepared audit working papers, such as: planning; the
examination and evaluation of the adequacy and effectiveness of the
system of internal controls; the auditing procedures performed; the
information obtained and the conclusions reached; review;
reporting; and follow-up.
o Dealt with records retention policy, such as: legal value,
administrative value, and physical value; the responsibility for
administering destruction of specific records, to be carried out
only in accordance with the authority of the Supervisor of Record
Retention; how all records, including those maintained on
electronic data processing storage media, are covered by this
policy; retention periods specified by government; audited activity
of frequency of reference to the records as well as volume of space;
and written policy to prevent deliberate destruction of documents
and how to manage the records.
o Performed change management: preparing for change, managing change
and reinforcing change, as well as change request flows, change
request forms, scheduled change windows, lead times for changes,
unsuccessful changes, roles and responsibilities, and the Change Review
Board.
o SQL Server audits, such as protection of data, controlling
access and ensuring compliance; as well as OWASP Top Ten
vulnerabilities and CWE/SANS Top 25 Most Dangerous Application and
Software Errors.
o Have done many security audits, and my audit process has mostly been as
follows: audit planning & preparation, establishing audit
objectives, performing the review, issuing the review report,
network vulnerabilities, controls, encryption and IT audit, logical
security audit, specific tools used in network security,
application security for programming, processing, and access, and
segregation of duties for fraud prevention.
PREVIOUS EMPLOYER: EDS; US, Europe, Middle East & Asia
01/1985-01/2002
Consultant at EDS; US, Europe, Middle East & Asia
. Directed organizational infrastructure and daily IT security operations
in coordination with client staff that included: information technology
control objectives, compliance, policy and procedure templates, and risk
assessment reports, delivery, management program, profile/vulnerability
testing, final delivery of assessment report and final management policy
and procedures. Tasked with managing the implementation of client HP
OpenView for a leading shipping company, enabling HP to receive an
extensive bonus for smooth product delivery, on time and within scope.
Managed implementation of an HP OpenView project for a large Middle East
shipping company.
. Managed and implemented Cisco Routers, Firewalls, and IDS/IPS for
Eastman
. Managed implementation of CA UniCenter for a financial company in
Middle East.
. Managed, enrolled, and implemented IBM AS/400 systems in Europe for
financial industries.
. Managed large scale implementation of Cisco Routers and Firewalls for
Financial Industry in EU.
. Managed Implementation and configuration of IBM Tivoli for a large
Hospital in EU.
. Managed Implementation and Configuration of IBM Mainframe in Asia.
. Managed Implementation of Tivoli at Blue Cross and Blue Shield of San
Francisco, CA.
. Managed firewall implementation at Pacific Gas and Electric
(PG&E).
CORE COMPETENCIES
. Cybersecurity Business Development & Sales / Security Consulting &
Advisory Security Solutions, Services, and PM
. Cybersecurity Intelligence, Crime Law & Investigation / Incident Response
/ Computer Forensic & eDiscovery
. Regulatory Compliance Security Audit / Security Training & Awareness /
Award Winning Customized Reports
. Security Standard & Best Practices / Security Policies & Methodology /
Security Architecture & System Model
. Access Control Systems / Encryption & Cryptography, AKT, RSA Token,
VeriSign PKI / IDM, SIEM, & SSO
. Network & Telecommunications Security / Application Security & Data
Security / Social Engineering
. Vulnerability Assessment & Penetration Testing / Wireless, Mobile & Voice
IP / Cloud Security Audit
. Business Continuity & Disaster Recovery / Operation & Physical Security /
SmartGrid Security
. Risk Assessment & Risk Management / Information Assurance & Risk Analysis
. Manage Global Information Security Governance and Program
. System and Data Classification
. Security Controls & Audit Trails
. Identity, Credential, and Access Management
. Secure Infrastructure and Cloud Computing
. Continuity of Operations and Disaster Recovery
. Compliance Oversight & Privacy
. Information System Security Administration, Management, Program
Implementation and Documenting Mission Needs.
. Analyzing, Assessing, Measuring, Managing and Mitigating Information
System Threats, Vulnerabilities and Associated Risks.
. Legal Issues, Intrusion Forensics and Incident Response as well as
Intrusion Prevention, Detection, Response, Recovery and Reporting.
. Physical, System, Data Access Control.
. Life-Cycle Security and Life-Cycle Management in Defending the
Information Environment (Information Operations).
. Configuration Management, Consequence Management, Contingency and
Disaster Recovery Planning (Business Continuity Planning (BCP)).
. Certification, Evaluation and Network Security Certification and
Accreditation (C&A).
. System Certification Requirements including Policies, Processes,
Procedures and Protocols.
. Threat/ Vulnerability Analysis and Risk Management
. Countermeasure IS and Assessment
. Certification and Accreditation of systems
. Testing And Evaluation
INDUSTRIES EXPERIENCE
Financial, HealthCare, Governmental, Nuclear Energy, Education, Retail, and
Information Technology Consulting
TECHNICAL KNOWLEDGE & TOOLS
Qualys, ISS, eEye Iris & Retina, Nessus, Checkpoint, Cisco, Snort, AAA,
IDS/IPS, OpenView, Tivoli, SSO, WSDL, VPN, SSH, SSL, PGP, AKT, PKI, RSA,
VeriSign, SOA, SDLC, UDDI, SOAP, SAML, IDM, SIEM, OWASP, Content and Consent
Management, HL7, EnCase/FTK; familiar with Python, XML, and SQL. Knowledge
of OS: Windows, Linux, UNIX, Mac OS X, AS/400, Mainframe, and VMS/VAX.
EDUCATION
Bachelor's in Computer Science, MBA, PhD in Information Security (Wilmington/DE,
and Sorbonne/France)
CERTIFICATIONS
. Certified NSA/CNSS (Information Systems Security Professionals)
. Certified NSA/CNSS (Senior System Managers)
. Certified NSA/CNSS (System Certifiers)
. Certified NSA/CNSS (Risk Analyst)
. Certified NSA/CNSS Assessor and Authorizer (C&A)
. Certified Information Systems Security Professional (CISSP)
. Certified Information Systems Auditor (CISA)
. Certified Information Security Manager (CISM)
. Certified ISO 27001 Security Implementer (CSI)
. Certified Professional PCI (PCIP)
. Certified Expert Cloud Security (CECS)
. Certified Ethical Hacker (CEH)
. Certified Computer Forensic Investigator (CHFI)
. Certified Lead Penetration Tester (CLPT)
. Certified GIAC Security Expert (GSEC)
. Certified ISO 27001 Security Auditor (CSA)
. Certified Project Manager (PMP)
. Certified Information Technology Infrastructure Library (ITIL)
EMPLOYERS
ETechSecurity and EDS
CLIENTS
Citizens Bank, Mountain States Health Alliance, Northrop Grumman,
Accenture, Eastman Credit Union, Nuclear Services, Eastman/Kodak, 83 State
Agencies and 2 Federal Agencies, Bank Of Tennessee, CareSpark, HP, Cisco,
Home Shopping Center, Jewelry Television, DoD, DHS, and VA.
JOBS & ROLES
CISO, Security Project Manager, Security Advisor, Security Leader, Security
Consultant.
AWARDS AND INTELLECTUALS
. Tech-Award for "Security Best Methodology" in Healthcare.
. IT Security Audit Best Customized Reports in Financial Industries.
. Founder of the Tri-Cities ISACA/ISSA.
BOOKS & PUBLICATIONS
. Establish Preparedness in Government IT.
. Information Security Operation in Health IT.
. Protecting Security of PII.
. Incident Response Management.
. Disaster Recovery Management.