Frank A. LeFavi
Rochester Hills, MI 48307
BACKGROUND SUMMARY
Architected, implemented and managed the infrastructure for domestic and
multi-national corporations on Wall Street and in Michigan.
Areas of Proven Leadership/Expertise in IT Procurement, Defense in Depth,
Risk Management, IT/Audit Compliance, Helpdesk/NOC management, Networks and
Telecommunications:
. Risk Assessment/Mitigation
. Policies & Procedures
. Infrastructure/Architecture Review
. IT Audit/FFIEC/SOX Compliance
. Enterprise Risk Management
. Defense in Depth Security
. Security/Compliance Best Practices
. Network Management/Control
. Technology Evaluation/Deployment
. Proactive Defense Planning
. RFP/RFI Preparation/Process
. Security Incident Management
. Legal/Regulatory (ITU)
. Service Level Management
. Budget/Financial Management
. ISP/Carrier/Vendor Management
. Contract Negotiations
. Contingency/Disaster Planning
. Network Operations
. Strategic Planning
. Cost Reduction Programs
Employment History
GreenPath Debt Solutions
9/23/13 - Present - Manager IT Service Delivery and Security
Working in the Corporate office in Farmington Hills, managed a seven (7)
man team responsible for Data Center Operations, DR/Business Continuity,
break-fix help desk, Telecommunications/Network, Information Security and
Server/VDI technology for 55 field offices and WHQ.
From a Security/Audit Perspective:
. Performed a security and compliance gap analysis and recommended
changes in alignment with the SANS Top 20 Critical Controls
. Evaluated PII touch-points enterprise-wide, and implemented DLP
. Assessed and revised the Information Security Program; focusing on
current threat landscape and Compliance requirements
. Developed a framework entitled "Attestation of Information Technology
and Controls", addressing SOC 2 type requirements mandated by
business partners and regulators
. Implemented a Vulnerability Management and Scanning Program,
identifying security and operational patches that needed to be applied
monthly
. Authored several policies addressing appropriate use and protecting
sensitive information
. Adopted, documented and deployed the Defense in Depth architecture;
layering security controls and technology
. Developed a framework for managing and responding to
regulator/external audits; reducing resource impact during audits
. Personally assumed the responsibility as Internal Audit; coordinating
and managing all third party and regulator audits
. Developed and Implemented a Vendor Management Program; proactively
identifying and mitigating risks
From a Disaster Recovery Perspective:
. Assessed the enterprise-wide infrastructure to identify potential
single points of failure, and set in motion plans to remediate
those risks
. Assessed, with the Data Center Lead, the back-up solution, and
replaced the technology with a more stable technology
. Evaluated and resolved the instability of the off-site replication, by
changing the co-location of the replication and the replication
appliances
. Initiated the road map for the eventual implementation of a company
owned DR site
From an Operational Perspective:
. Managed the migration from Outlook 2007 to Exchange 2010
. Deployed Onbase 13, Windows 7, IE 10 to 550 devices across the
enterprise
. Deployed VDI to over 250 users; completing the enterprise-wide
deployment
. Evaluated team skills and functions, and revised job descriptions and
roles
. Changed the Help Desk staffing model; adopting a multi-shift model for
support
FirstMerit Bank - Citizens Bank acquired by FirstMerit
4/15/13 - 9/21/13 - Vice President, Manager - Managing day-to-day
operations of Flint based staff and 240 locations
5/7/06 - 4/15/13 - Citizens Bank - Vice President, Manager of
Telecommunications - ITIL CERTIFIED
Managed the operations of the largest bank in Michigan, with presence
throughout four states, encompassing 222 sites. With a staff of six
professionals, managed enterprise-wide voice, data, cellular and perimeter
security related services.
. Security, Compliance and Audit Related:
o Developed and implemented 802.1x port authentication throughout the
enterprise, eliminating the potential of non-authorized devices
accessing the bank's infrastructure
o Developed, implemented and maintained "Defense in Depth" layered
security model creating zones of protection
o Developed, documented and implemented a Vulnerability Scanning Program,
proactively identifying and mitigating risk
o Developed and implemented an IDS/IPS architecture, in support of
proactively reducing the risk of an outside intrusion
compromising critical applications and services
o Took the lead in the development and implementation of a corporate wide
RASIC Framework, in order to document security related functions,
responsibilities, stakeholders and mitigating actions
o Developed and implemented numerous IT Controls and processes, focusing
on privileged access, change/release management, use of network
sniffers, segregation of duties, and the use of remote control programs
o Developed a single repository for internal and external audit
documentation, simplifying audit efforts
o Developed a privileged access matrix, outlining who, how and when
internal critical components are accessed
o Implemented Cisco's NCS, in support of deploying and managing Wi-Fi at
targeted bank locations, reducing the risk of rogue devices being
installed or accessed
o Developed the enterprise Security Incident Management work-flow,
incident remediation and escalation process
o Developed a Vulnerability Management Platform that focused on how
security events are detected and acted upon
o Developed and implemented a security event escalation and notification
process
o Implemented 24 x 7 x 365 proactive co-managed firewall/security
management and monitoring with SecureWorks
o Developed a risk management matrix, (including recommended remediation)
which identified potential security and operational risks
o Developed and implemented a high availability architecture for
Internet connectivity and its associated firewalls
o Created detailed diagrams, focusing on the enterprise-wide security
posture
o Revised the corporate Patch Management process, outlining when and how
patches and releases are deployed
o Authored and published numerous policies, standards, procedures and
workflows, in support of regulatory compliance and documented best
practices
o Served as the critical point of contact for internal and external
auditors when the security posture was a focus of the audit
o Was an active member of the Change Advisory Board, assessing every
change to determine potential operational and security risks
. In support of DR and Business Continuity efforts: (also linked to Audit
and Compliance)
o Developed, documented and implemented a critical device back-up process
o Rated all supported systems, in order to determine criticality and
sequence of implementation during DR
o Developed and implemented a network recovery plan, if power should fail
in the data center
o Developed network/device base-line configurations, enabling the bank to
quickly deploy technology when devices failed
o Implemented several layers of redundancy and resiliency, eliminating
single points of failure throughout the enterprise
o Created a DR technical recovery plan for the
Telecommunications/Security areas, and assisted other areas in developing
their plans
o Developed a Service Delivery BCP Resource Management Plan, focusing on
how efforts are managed, following the declaration of a disaster
o Created a Contingency Plan Matrix, focusing on identifying mission
critical components, where redundancy exists, the risks associated with
third party managed hardware and solutions, and time to recover
o Developed standards, for all supported hardware, software and services,
including security configurations
o Developed a Pandemic Plan, which outlined, in the event a Pandemic is
declared, how services will be managed
o Developed a DR support Matrix, outlining the sequence of events, which
services are implemented, and prerequisites when a Disaster is declared
. From an Operational Perspective:
o Managed a $7 Million annual budget (reduced from $13 Million), by
developing a detailed run rate
o Renegotiated AT&T, Verizon, FIS and Siemens contracts saving $12 million
over seven years
o Evaluated the Telecommunications industry by issuing an RFP. Selected
the following converged technology for deployment (saving the bank $5.2
Million over a 36 month contract term starting 2013):
> IP telephony, replacing traditional TDM PBX/VM Systems
> SIP, providing enterprise-wide VoIP to 219 locations
> Cisco Call Manager, creating centralized call management/control, with
a back-up located at our DR site
> QOS, enabling the bank to implement unified communications
> Replacing the Call Center technology, providing a scalable, feature-
rich SIP solution
o Developed and implemented methodologies to track internal and external
SLAs, reducing non-compliant services by 75%.
o Managed and successfully executed the integration of Citizens and
Republic Banks' network and security infrastructure
o Managed centralized dispatching for site break-fix from Flint,
servicing 222 sites.
o Reviewed and approved all change requests, prior to them being
submitted to the Change Advisory Board, reducing the risk of production
impact
Horn, Murdock, Cole (HMC), Troy Michigan
4/3/05 - 4/22/06 Director - Technology Risk Management
Services Practice
Acting as the practice manager, with CISAs, CIAs and CISSPs reporting
directly to me, and as a billable consultant:
. Assisted in the creation and growth of the Technology Risk Management
Practice throughout Michigan
. As a technical infrastructure SME/resource:
o Assessed HMC's infrastructure for vulnerabilities
o Developed/deployed a corporate-wide Information Security Policy
o Set the framework for future infrastructure IT SOX Compliance
o Created a risk management model, which was presented to our customers
o Identified and hired the required technical/audit team members
o Met with clients to develop the business, and to monitor audit/project
deliverables
o Developed a Business Continuity Risk Matrix, which was presented to
existing and potential customers
. In an internal IT audit capacity, conducted audits for General Motors in
Detroit. Working for the Director of Internal IT Audit:
o Audited GM's 50 billion dollar outsourcing RFP process
o Assessed standardized work processes and their design, which govern how
IT services are managed on a global basis
o Evaluated the effectiveness of the two major families of evaluation
criteria utilized to formalize and assess suppliers bidding on 48
independent RFPs
o Conducted a Data Center audit for GMAC, managed by IBM, evaluating
security, incident, problem and change management
o Assessed the integrity of the supplier selection program, recommending
critical changes to further proactively mitigate risk
o Assessed the supplier transition plans for risk, and mitigated those
risks prior to the transition taking place
. Prepared an orientation program and document, to prepare auditors for
conducting IT and SOX audits for GM
. Conducted HMC internal training on conducting effective IT audits for
General Motors globally
. Remediated SOX exceptions by creating an Information Security Policy, 24
IT policies and narratives for a publishing company, enabling them to
comply with year 2 SOX 404 compliance requirements
. Performed Quality Assurance, reviewing and evaluating the SOX controls
and testing performed by field auditors
ArvinMeritor Inc. Troy, MI
2/9/98 - 3/01/05
1/2005 - 3/01/05 Manager, Infrastructure and Data Security
Recently appointed to this newly created position. Scope encompasses
several key areas:
. With a staff of six (6) security administrators, managed global security
for production systems and application access
. Reviewed and assessed risks and vulnerabilities for ArvinMeritor's global
infrastructure
. Met with suppliers, internal and external customers to determine secure
methodology for connecting to both trusted and non-trusted entities
. Identified, evaluated and implemented technology to protect the perimeter
. Chaired a cross functional task force to monitor/correct ongoing
security threats
. Developed, implemented and updated security policies, standards and
procedures
. Evaluated/recommended changes/enhancements to ArvinMeritor's global voice
and data networks
. Reviewed and addressed legal regulatory issues that affect data integrity
. Chaired a weekly security audit conference to review potential or known
security issues
. Met with internal/external IT auditors to ensure Sarbanes-Oxley security
compliance
10/1/03 - 1/01/05 Manager - Architecture and Strategy -
This function was created to accomplish the following business objectives:
. Dedicate an internal resource for integrating the acquired infrastructure
of Dana Corp
. Support divestitures, with regards to IT infrastructure, legal
regulatory, and security
. To provide global direction in the following areas:
o Firewall and Perimeter Security
o Mobile/Wireless Computing
o Security Related IT Controls
o 3rd Party Connectivity
o IT Service Level Agreements
o Corporate-wide Change Control
. Take a leadership role in the Architecture Review, Incident Management
and Change Control Committees.
2/9/98 - 10/01/03 Manager - Global Networks and Security
With a staff of seven (7), managed global voice, local area networks,
perimeter security, remote access, audio conferencing and a wide area
network services with presence in 85 cities and 42 countries.
. Managed a $4.8 Million annual budget
. Reduced the number of network failures by 75% by implementing network
resiliency
. Implemented a network management platform, monitoring the pulse of the
global WAN
. Designed and implemented a high availability Internet solution utilizing
StoneBeat
. Outsourced Router Management, providing 24 x 7 x 365 proactive network
monitoring
. Improved perimeter and enterprise security through the initiatives
listed at the end of this document
. Renegotiated corporate contracts, reducing the global budget by
$23.8 million
. Issued a Global WAN R.F.I. and identified the next generation network
platform
. Planned and executed the relocation of the network corporate hub/data
center
Entertainment Publications - Troy, Michigan
2/28/95 - 6/7/97 Director of Information Systems - Operations
With a staff of eight (8), managed two help desks, a hardware repair/break-
fix area, procurement, voice and a domestic Frame Relay network.
. Managed the on-line operation of 155 sites, consisting of local and wide
area networks
. Managed a $4 million annual voice/data budget. Reduced operating
expenses by 28%
. Managed the headquarters local area network/infrastructure
. Performed a detailed network audit, identified and implemented diversity,
redundancy and resiliency; reducing down time by 21%
. Evaluated business needs and implemented a corporate wide electronic mail
system for 1600 users
. Evaluated MCI invoices, identifying billing errors totaling $520,000.00
. Conducted internal security audits, identifying and resolving security
vulnerabilities
. Evaluated grid power failures and installed a UPS and back-up generator
. Maintained 99.98% uptime during publishing production season
Other Accomplishments:
Published Material: Authored twelve articles/journals - published in trade
magazines and on-line. Recent publications include:
< Mitigating the Risk of IT Outsourcing Efforts - Published 12/11
< Change Management, The Framework for Reducing Infrastructure Failures and
Disruptions
Submitted the following article: RMLC (Risk Management Life Cycle): New
Term for an Old Challenge
U.S. Military Certified - Graduate of the NCO Academy for Signal Corps -
Top Secret NATO Clearance Attained
U.S. Armed Forces Medallion Veteran
Presented Infrastructure Risk Management Elements and a Technology Risk
Management model to Detroit Chapter of ISACA on October 19th, 2005 in
Southfield. Provided consultative interviews that were published in
Newsweek and in Computer Decisions. Provided consultative services to the
United States Congressional Committee/Office of Technology Assessment on
network, communications and systems security. Presented views and
strategies on maintaining 100% uptime at the Interface Conference.
Recognized early in my career by the editor of Telecommunications Magazine
as a visionary and leader in transnational network management.
Was one of an eight-man team at Citicorp presented with the KARP Award, for
creating weighted criteria for vendor and technology evaluation that
later became an industry standard.
Challenges facing CFOs, CIOs and CTOs
Considering today's changing and demanding economy, data loss, identity
theft, and theft of Intellectual property, Finance and IT Leadership (and
most companies) are typically faced with the following challenges:
. Finding and retaining strong IT leadership, that has a balance of
business, technical and people skills
. Aligning IT with the lines of business; demonstrating IT is an
enabler, not just a cost center
. Disaster Recovery and Business Continuity plans are ineffective, un-
proven, or do not exist
. There are minimal controls in place; whereby elevated or privileged
access is not monitored
. A Security posture has not been developed or documented
. A layered approach to mitigating risk is not in place
. Developing and implementing a vulnerability scanning/risk management
program, to proactively mitigate risk wherever possible
. Viruses and other forms of malware threaten the integrity of their
infrastructure
. Technology is end-of-life, impacting performance and availability
. The absence of adequate redundancy and resiliency, enterprise-wide
. The impact social media, data loss and theft of intellectual property
have on the company
. Keeping up with the changing regulatory environment; and the need for
3rd party assessments
. The Wide Area Network is not scalable, or capable of supporting
changes in business direction
. Security Awareness programs do not exist or represent the current
threat landscape
. Policies and procedures are not thoroughly documented, or do not
exist
. IT expenses are high; with minimal accurate run-rates or expense
management
. Cost is not leveraged, by means of effective contract negotiations and
vendor management
. Internal and external SLAs do not exist, or are not aligned with the
business needs
. There is an absence of a formal operational framework, such as ITIL,
SDLC, SDP21
. Unauthorized changes are made within the infrastructure, that cause
production outages
. Major exceptions are identified during internal and external audits,
many repeated from previous audits
. The development, deployment and maintenance of IT and technology
standards
. Knowing if an intrusion has already taken place; compromising critical
assets and data
While the above may seem to focus on areas of challenge, it is not
uncommon to find that many of these areas are in need of refinement in
most IT organizations.
Attached is a proposal, more specifically, my resume/credentials. I have a
proven/successful background, and once part of your management team, I will
assist you both tactically and strategically, implementing a RISK
MANAGEMENT mentality and culture.
Home: 248-***-****
Mobile: 248-***-****
*******@******.***
- Implementing internet monitoring/filtering tools
- Developing, Implementing and monitoring Security Best Practices
- Creating and Publishing 85 Security IT Controls\Procedures
- Developing/Managing a daily risk assessment process/team
- Implementing VPN Technologies for non Trusted Entities
- Implementing a secured IVPN global remote access solution supporting
4,500 users
- Deploying DMZ architecture
- Conducting Internal Audits
- Outsourcing Firewall Management
- Implementing Enterprise-wide Firewall Change Mgmt
- Centralizing WAN and Internet provisioning
- Conducting External Vulnerability tests/scans