Security Management

Location:
Catonsville, MD
Salary:
65-70 hr.
Posted:
July 14, 2015

Resume:

Valeria W. James

IT Sr. Security Consultant/Auditor / Information Assurance Engineer

acqqgy@r.postjobfree.com 240-***-****

SUMMARY

Over 27 years of experience in the IT sector, with concentrations in systems engineering, security engineering and information assurance, project management, and process change management. Led enterprise-wide Information Assurance/Security Programs for Federal Government agencies and major organizations. A detail-oriented team player with the ability to manage multiple tasks, work independently, be a self-starter, and excel in a challenging work environment.

ACADEMIC BACKGROUND

MS, Mgmt Information Systems, University of Maryland University College, College Park (1999)

BS, Information Systems Mgmt, University of Maryland University College, College Park (1996)

SECURITY CLEARANCE

SSBI/Top Secret, March, 2014

PROFESSIONAL CAPABILITIES

Independent Sr. Security Consultant/Auditor/Information Assurance (Multiple Systems Engineering and Consulting Firms), March 2000 – Present.

As an Independent Senior Security Consultant/Auditor, provide services to government agencies and commercial organizations (e.g. EDS, Unisys, IBM, Northrop Grumman, BAE, Microsys, Booz Allen Hamilton, and TMR) that entail implementation of enterprise-wide IA programs and security practices.

Related Ventures (Social Security Administration) 3/2015 – Present

As a Senior IT Security Consultant, provide FISMA Annual Assessment to SSA that includes:

Lead support team to provide Boundary Scope Memos, FISMA Annual Security Assessments, and the Audit Plan Evaluation Report task;

Lead development and review of deliverable reports throughout all tasks;

Provide security controls assessments to satisfy FISMA annual testing and continuous monitoring requirements;

Ensure the selection of NIST SP 800-53 Rev4 baseline security controls is appropriate for the information system based on the FIPS 199 security categorization, NIST SP 800-53 guidance, and supplements;

Provide subject matter guidance on technical questions and issues for all systems;

Coordinate working sessions and interviews with systems stakeholders for assigned systems;

Maintain the security assessment documentation for information systems under SSA purview, in accordance with Office of Information Systems (OIS) requirements;

Assist the System Owner, Information Owner, and OIS in recording all known security weaknesses of assigned information systems in the POA&M in accordance with SSA policy and procedures;

Provide security advice to the AO and System Owner on all matters (technical and otherwise) involving security of the information system;

Ensure required updates are performed to key documents in accordance with NIST SP 800-37 for continuous monitoring as supplemented by OIS Continuous Monitoring Policy or Procedures;

Identify changes to the information system that may impact security controls, perform security impact assessment of proposed changes, report any change in risk posture, and provide recommendations for risk mitigation;

Ensure proper procedures exist for assigned information systems and that procedures are performed and tested in accordance with the System Security Plan;

Ensure audit logs are captured, maintained, and analyzed as required by NIST SP 800-53 and any supplemental OIS Audit Plan document;

Ensure the SSA enterprise information security management system (CSAM or its successors) accurately contains required information system inventory, categorization, POA&Ms and other security metrics required by the SSA CIO through this policy and the OIS for the system(s) for which the Consultant is responsible.

Related Ventures (GSA) 9/2014 – 3/2015

As a Senior IT Security Consultant, provided GSA Program Office Continuous Monitoring Services that included:

Provided program support to GSA’s Continuous Monitoring Program Officer for the implementation of continuous monitoring activities consistent with Executive Memo 14-03;

Implement DHS continuous monitoring concept of operations, and other related guidance and requirements;

Identify and implement GSA qualitative/quantitative Continuous Monitoring Program Performance Measures;

Support GSA departmental efforts focused on Agency-level Federal Risk and Authorization Management Program (FedRAMP) processes;

Provide GSA Agency ATO logistical and subject matter expertise support for the security reviews of CSPs;

Support GSA-wide GRC governance oversight program efforts;

Provide understanding of DHS CDM Program 15 capabilities and timelines for continuous monitoring implementation;

Provide knowledge of ISCM, Ongoing Authorization and CDM guidance, including OMB M-14-03, NIST SP 800-137, 800-37 Rev1, 800-53 Rev4, 800-39, and the CAESARS framework (NIST IR 7756);

Manage major areas of information assurance to include oversight of policy development tasks, such as: policy/standards/procedure, analysis and review;

Interface with all levels of management and staff regarding Information Assurance services;

Keep abreast of local, national, and international trends and developments in the area of information security and relate them to the needs of GSA;

Evaluate cloud systems (Security Plans, POAMs, Continuous Monitoring Reports);

Serve as a liaison between system clients and program management.

Related Ventures (Department of Homeland Security) 5/2014 – 9/2014

As a Senior IT Security Auditor/Consultant, provided services to the Department of Homeland Security that included:

Plan and execute the day-to-day activities of Information Technology (IT) audit engagements, including system development, package implementation, SSAE 16 readiness assessments, and/or platform reviews for U.S. Federal government clients;

Evaluate the design and effectiveness of technology controls throughout the business cycle;

Identify and communicate IT audit findings to senior management and clients;

Help identify performance improvement opportunities for assigned clients;

Supervise associates and interns on engagements;

Serve as a liaison between clients and upper management;

Related Ventures (Maryland State Board of Elections) 3/2014 – 4/2014

As an Independent Senior IT Security Auditor/Consultant, provided services to the Maryland State Board of Elections and the Department of Information Technology to evaluate the procurement process, personnel, and the Security Review and Assessment of Unatek, Inc., which performed a Security Review and Assessment of the Voters Service Web Application.

Reviewed documents produced or generated by SBE’s incumbent security consultant related to the security review of SBE’s online ballot delivery system;

Determined whether the security review, including the vulnerability assessments and penetration tests, performed by SBE’s incumbent security consultant was reasonable and consistent with best practices and industry standards for conducting a security review of a web-based, publicly available application;

Provided regular updates to DoIT’s and SBE’s representative of findings during the entire evaluation period, at a minimum every 2-3 days;

Submitted a report summarizing the evaluation and conclusions about SBE’s incumbent security consultant;

Provided presentation of findings to Maryland State Board of Directors.

Related Ventures (CareFirst Blue Cross/Blue Shield) 9/2013 – 12/2013

As an Independent Senior IT Security Auditor/Consultant, provided services to CareFirst Blue Cross/Blue Shield’s Manager of Governance and Compliance to facilitate IT security control frameworks for NIST, HIPAA, ISO and PCI DSS compliance for all Service Providers’/Trading Partners’ IT systems.

Obtain Quarterly Service Providers/Trading Partner list from Procurement, review to ensure appropriate security controls are established and implemented;

Communicated to external customers, the initial baseline security controls selected which the organization is responsible for based on the vendor risk assessment tool, Standard Information Gathering tool (SIG); previous weaknesses in ongoing controls; material changes in the existing contracts; and high risk/value new partnerships;

Collaborate with clients to gather system documentation, communicate scope, and set deliverable deadlines;

Perform external audit assessments of the security controls of CareFirst Service Providers/Trading Partners (including Alliance One, SalesForce, NASCO, American Healthways, Bayada, Brandwatch Technologies, Callidas, Crimson Hexagon, HealthSparq, Marketing Cloud, VNA of MD, Vitals, Elavon, Magellan Health Services, Holy Cross, and Med Star) based upon the NIST 800-53 Rev. 4, HIPAA, ISO 27001 and PCI DSS security frameworks;

Accountable for monitoring and testing the effectiveness of compliance activities, provide feedback on potential issues and trends, and escalate when appropriate;

Upon completion of audit assessment, analyze audit findings and provide recommendations for closure;

Performed CareFirst internal audit assessment of controls based upon PCI DSS framework;

Oversee incident management process spanning security events review, incident identification, and research and remediation activities. Provide oversight for reporting results to senior management;

Represent CareFirst in customer meetings, calls, and in security questionnaires to support customer audits, and ongoing compliance;

Research and evaluate new public sector requirements (FISMA, FedRAMP) and determine the impact to existing business practices and customer compliance requirements;

Understand and support existing IT security certification initiatives and corresponding security processes;

Provide feedback on the company's compliance framework to continue improvement of the Information Security Management System;

Determine methods and procedures on new assignments, and provide guidance to others;

Assist with the development of Request for Proposals (RFP) and post award activities of several contracts.

Demonstrate the ability to multi-task and to work under tight deadlines.

Related Ventures (Department of Justice) 9/2012 – 9/2013

As an ISSO/Auditor, support the Director of Information Security and the Chief Information Security Officer (CISO) to facilitate FISMA compliance for all IT systems.

Review National Institute of Standards and Technology (NIST) publications applicable to FISMA and other directives for applicability to the DOJ IT Security Program.

Maintain an appropriate security management posture for all IT systems to obtain an Authority to Operate (ATO).

Provide OMB Circular A-123/SOX control assessments and reporting of Financial System.

Schedule IT security reviews and visits to client locations to schedule tasks and assess priorities to ensure project completion on time.

Develop and update C&A documentation: System Security Plan, Security Testing & Evaluation Plan & Report, Contingency Plan, Privacy Impact Assessment, Privacy Threshold Analysis, Plan of Action and Milestones (POA&M), Risk Assessment Report, Security Assessment Report. Provide recommendations to senior management to address identified risks.

Develop Policies and Standard Operating Procedures to improve operational and business processes and ensure security risks are adequately mitigated to obtain ATO.

Provide recommendations to management on implementing software development projects, new and improved security policies and procedures.

Provide input to technical review meetings regarding all SDLC phases.

Ensure artifact quality control of Certification and Accreditation (C&A) documentation.

Assist with acquisitions, contract and vendor management issues directly related to security requirements and deliverables of projects.

Gather and analyze information for defining requirements, specifications and issues to support the development of new policies, standards and procedures or update existing ones.

Validate all information system security reporting.

Review and monitor POA&Ms process as part of CM for each IT system. Ensure timely POA&M updates and schedules to CSAM.

Oversee incident management process spanning security events review, incident identification, and research and remediation activities. Provide oversight for reporting results to senior management.

Develop and publish procedures to implement the requirements of IT security policy.

Report IT security program status information in the CSAM automated tool.

Attend Change Control Boards (CCBs) and ensure security issues are addressed in configuration reviews.

Support CISO continuous monitoring initiatives by collecting, compiling and submitting the monthly ISSO submissions and quarterly checklist, which cover Account Provisioning and De-provisioning, Vulnerability Scan analysis, CM activities (SCR, ISSN results), Incident Response analysis, Interconnection Agreements, etc.

Analyze operating system, web, and application vulnerability scan results to determine critical weaknesses/vulnerabilities affecting the system. Identify techniques and procedures used to exploit the system.

Identify weaknesses generated from system scans.

Related Ventures (Department of Human Services, Washington, DC Gov’t.) 6/2012 – 9/2012

As an IT Security/ISSO Consultant, supported the Chief Information Officer (CIO) of the Department of Human Services to develop and apply security principles, concepts, and industry practices and standards in the analysis of information projects.

Participated in program and policy development with peers and leadership.

Supported activities to identify and minimize internal and external client security risks in compliance with corporate security standards and guidelines.

Assisted with the development of security presentations to management to address concerns and ensure client requirements were met.

Addressed, responded to and resolved Audit Notices of Findings (NFR) to support the DHS yearly audit.

Developed DHS Enterprise-wide Information Technology Security Policy.

Related Ventures (US Treasury, Departmental Office, Cyber Security Office) 4/2011 – 6/2012

As an ISSO, support the Chief Information Security Officer (CISO) and facilitate FISMA compliance for all IT systems.

Review National Institute of Standards and Technology (NIST) publications applicable to FISMA and other directives for applicability to the US Treasury IT Security Program.

Maintain an appropriate security management posture for all IT systems to obtain an Authority to Operate (ATO).

Coordinate IT security review and assistance visit.

Develop and update C&A documentation: System Security Plan, Security Testing & Evaluation Plan & Report, Contingency Plan, Privacy Impact Assessment, Privacy Threshold Analysis, Plan of Action and Milestones (POA&M), Risk Assessment Report, Security Assessment Report. Provide recommendations to senior management to address identified risks.

Develop Standard Operating Procedures to improve operational and business processes and ensure security risks are adequately mitigated.

Schedule IT security reviews and visits to client locations to schedule tasks and assess priorities to ensure project completion on time.

Provide recommendations to management on implementing software development projects, new and improved security policies and procedures.

Provide input to technical review meeting regarding all SDLC phases.

Ensure artifact quality control of Certification and Accreditation (C&A) documentation.

Assist with acquisitions, contract and vendor management issues directly related to security requirements and deliverables of projects.

Gather and analyze information for defining requirements, specifications and issues to support the development of new policies, standards and procedures or update existing ones.

Perform and oversee basic to complex enterprise architecture security analysis, standards design, and security gap analysis.

Develop Policies and Standard Operating Procedures to improve operational and business processes and ensure security risks are adequately mitigated to obtain ATO.

Validate all information system security reporting.

Oversee the Plan of Action and Milestones (POA&M) process.

Review and monitor POA&Ms for each IT system. Ensure timely POA&M updates and schedules to the Trusted Agent FISMA database.

Maintain inventory of all information systems.

Supervise incident management process spanning security events review, incident identification, and research and remediation activities. Provide oversight for reporting results to senior management.

Develop and publish procedures to implement the requirements of IT security policy.

Report IT security program status information in the Trusted Agent FISMA automated tool.

Assure the CISO that security issues are addressed in configuration reviews and Change Control Boards (CCBs).

Conduct annual IT security refresher training.

Support CISO continuous monitoring initiatives by collecting, compiling and submitting monthly ISSO submissions.

Identify tactics, techniques, and procedures used by malicious actors to exploit the vulnerabilities and weaknesses of a given system, and analyze operating system, web, and application vulnerability scan results to determine critical weaknesses/vulnerabilities affecting the system. Identify techniques and procedures used to exploit the system.

Identify and determine solutions to remediate weaknesses generated from system scans.

Related Ventures (NIH – National Institute of Allergy and Infectious Diseases) 2/2010 – 2/2011

As an ISSO, provide technical knowledge and analysis in areas of Information Assurance (IA), including security trends and FISMA/NIST security management practices.

Responsible for developing and/or maintaining system Certification and Accreditation (C&A) documentation to include security plans, risk assessments, system test plans and security test cases and evaluations using existing processes and procedures.

Ensure artifact quality control of C&A documents.

Coordinate issues with the Compliance and Oversight Program Director/office.

Schedule IT security reviews and visits to client locations to schedule tasks and assess priorities to ensure project completion on time.

Develop and complete security plans based on the National Institute of Standards and Technology (NIST) Special Publications.

Complete risk assessments based on NIST standards to ensure IA design sufficiently mitigates IA risk.

Develop and conduct security tests and evaluations based on NIST 800-53A, Rev3.

Prepare risk assessment reports and provide recommendations to the client.

Provide input to technical review meeting regarding all SDLC phases.

Oversee the Plan of Actions and Milestone process for accuracy and currency.

Maintain information system inventory.

Assist with contract and vendor management issues directly related to security requirements and deliverables of projects.

Gather and analyze information for defining requirements, specifications and issues to support the development of new policies, standards and procedures or update existing ones.

Perform and oversee basic to complex security analysis, standards design, and security gap analysis.

Review NIST publications applicable to FISMA and other directives in support of FISMA.

Identify tactics, techniques, and procedures used by malicious actors to exploit the vulnerabilities and weaknesses of a given system, and analyze operating system, web, and application vulnerability scan results to determine critical weaknesses/vulnerabilities affecting the system. Identify techniques and procedures used to exploit the system, and identify and determine solutions to remediate weaknesses generated from system scans.

Created process for streamlining patch management and maintaining server baseline configurations.

Related Ventures (Federal Reserve Board) 1/2009 – 1/2010

As an IT Security Consultant/Auditor, provide FISMA/NIST security management services and support for new and enhanced Information Systems.

Responsible for maintaining and updating IT's Information Security Programs and Internal Audit Programs to ensure compliance in accordance with FISMA, SOX, A-123 and FISCAM requirements, guidelines and government mandates.

Ensure all documentation of NIST, SOX and A-123 control activities are in compliance with company policy and are updated on a timely basis.

Schedule IT security reviews and visits to client locations to schedule tasks and assess priorities to ensure project completion on time.

Maintain assessment plan for all SOX controls, including scope, resources, and timing.

Provide analyses of the IT department’s policies and procedures to ensure they include all regulatory controls.

Analyze security policies and certification documents to include Disaster Recovery, Continuity of Operations, C&A and POAMs in accordance with NIST, DOJ, FIPS 199, etc.

Analyze and interpret governmental policies, directives and instructions that impact the organization.

Track mitigation of findings to ensure the system is compliant for C&A utilizing tracking tools.

Identify areas of improvement in the agency’s overall security/audit posture by revealing ineffective security controls and vulnerabilities throughout the agency.

Perform IS security briefings to authorized individual Certifier and Auditors.

Manage and ensure that system users and support personnel receive the requisite security training (e.g., IT security training for IT professionals with significant IT security responsibilities).

Analyze comments and provide feedback related to policies & procedures as part of Audit and C&A efforts.

Provided support and guidance to ISSO/ISSM regarding the C&A process.

Support activities such as technical briefs, business development, and marketing efforts.

Escalate compliance issues to department Director on a timely basis to resolve issues.

Related Ventures (Department of Justice, Asset Forfeiture Management Staff) 7/2006 – 1/2009

As an IT Sr. Security Consultant/Auditor (Team Lead), provide technical knowledge and analysis in areas of Information Assurance (IA), including security trends and FISMA/NIST security management practices.

Lead support team to develop and maintain the System Security Plan and ensure the system operates according to the FISMA security requirements or agreed upon requirements.

Evaluate and implement new Information Systems or system enhancement security in accordance with FISMA requirements, guidelines and mandates.

Provided support and guidance to ISSM regarding the C&A process.

Conduct analysis of security policies and posture to include Disaster Recovery, Continuity of Operations, C&A and POAMs in accordance with NIST, DOJ, FIPS 199, etc.

Analyze and interpret governmental policies, directives and instructions that impact the organization.

Experienced in utilizing SOX and FISCAM compliance auditing controls, including some combination of process auditing, IT General Controls, application security and/or access controls.

Identify tactics, techniques, and procedures used by malicious actors to exploit the vulnerabilities and weaknesses of a given system, and analyze operating system, web, and application vulnerability scan results to determine critical weaknesses/vulnerabilities affecting the system. Identify techniques and procedures used to exploit the system, and identify and determine solutions to remediate weaknesses generated from system scans.

Created process for streamlining patch management and maintaining server baseline configurations, ST&E systems.

Perform IS security briefings to authorized individual certifiers, Information Systems Security Managers, and Auditors.

Schedule IT security reviews and assistance visits, scheduling tasks and assessing priorities to ensure the success of the project.

Manage and ensure that system users and support personnel receive the requisite security training (e.g., IT security training for IT professionals with significant IT security responsibilities).

Analyze comments and provide feedback related to policies & procedures as part of C&A effort.

Ability to work under tight deadlines and chaotic environments.

Conduct annual assessments to identify security and/or control weaknesses utilizing CSAM.

Track mitigation of findings to ensure the system is compliant for C&A via CSAM.

Receive updates from DOJ Information Technology Security Staff (ITSS) on changes and updates to federal IT security policies and guidance.

Review NIST and FIPS publications applicable to FISMA and other directives in support of FISMA.

BAE Systems, McLean, Virginia, (Internal Engagement) 1/2004 – 1/2006

As a Principal Systems Engineer/Auditor, conducted internal audit reviews for the BAE Systems North America corporate office and satellite offices. The findings were presented to management for corrective solutions.

Performed internal audit assessment of controls based upon the FISMA framework.

Assist with the development of Request for Proposals (RFP) and post award activities of several contracts.

Collaborate with clients to gather system documentation, communicate scope, set deliverable deadlines, and present performance improvement observations.

BAE Systems, McLean, Virginia (Department of Justice, Office of Justice Program)

As a Principal Systems Engineer, perform as security liaison for OJP on the following DOJ teams: IT Security Employees Services Project Team (ISES), the Information Technology Security Council (ITSC), Computer Security Awareness, Contingency Planning, and the Certification & Accreditation team for the DOJ.

Performed Recertification and C&A efforts of 10 systems based on FISMA and NIST guidance.

Develop and manage all C&A documentation, including System Security Plans (SSP), Information Technology Contingency Plans (ITCP), Disaster Recovery Plans and Procedures (DRP), the Continuity of Operations Plan (COOP), Privacy Impact Assessment (PIA), and Computer Security Awareness Plan (CSAT).

Analyze and interpret governmental policies, directives and instructions that impact OJP’s IA program.

Analyze audit findings and provide recommendation for closure.

Perform FISMA reporting and establish Plan of Actions and Milestones (POAMS) for operational and technical controls.

Support activities such as technical briefs, business development, and marketing efforts.

Perform gap analysis to identify strengths and weaknesses of systems and enhancements.

Track and record Plans of Action and Milestones (POAM) findings in Trusted Agent.

Constantly review NIST and OMB web sites to ensure that DOJ policies are updated and compliant with federal requirements and guidance.

Assist ISSO with responsibilities including documentation, policy compliance, and reviews.

Develop and manage component wide annual computer security awareness training and the IT professional security training.

Report all security incidents to DOJCERT and ISSO to investigate, document and report.

BAE Systems, McLean, Virginia (Department of Defense, Defense Intelligence Group, DLA Project)

As a Principal Systems Engineer, develop security policies, procedures, and standards based on the DITSCAP methodology.

Conduct Certification and Accreditation activities for 30 systems and applications. The systems consisted of: medical, construction and equipment, clothing and textiles, global (basic order entry systems) and subsistence systems utilizing DITSCAP and 8500.3.

Perform risk assessments of 20 planned and operational information systems to identify vulnerabilities, risks, and security controls needed.

Develop and manage all C&A documentation.

Spherion (International Business Machines), Gaithersburg, MD, 1/2002 – 1/2005 (part-time).

As an Independent Consultant/Disaster Recovery Specialist, supported IBM’s contract for business continuity and disaster recovery tests administered on mainframe multi-processing computer equipment operating on VM, MVS, and NetView related input/output units and teleprocessing equipment for American Express, Equifax, MBNA and U.S. Bank clients.

Andrews AFB, Maryland, 1/2002 – 1/2004.

As a Computer Scientist, provide second tier computer support for AFB employees, customers, contractors, and subcontractors. Develop Security and HIPAA policies and procedures for annual certification of Andrew Medical Hospital. Additional tasks include support for software, hardware, data communications, and telecommunications issues. AFB’s primary clinical system, CHCS, is a MUMPS-based system that operates in a single mode VAX environment. REMEDY call tracking software is used to track outstanding issues and coordinate IT staff response. Computer accounts are created, modified, and deleted according to security access control procedures.

Create and monitor new MHS programs and their assets in VMS to ensure security compliance.

Generate and track the Plans of Action and Milestones.

Maintained the Plan of Actions & Milestones (POA&M) for several MHS systems utilizing the Vulnerability Management System (VMS) to ensure security compliance of these systems.

Coordinate requests for VMS user accounts with the Joint Medical Information Systems (JMIS) Office.

Proficient with various Composite Healthcare System (CHCS) Modules: Medical Expense Performance Reporting System (MEPRS); Medical Records Tracking (MRT); Patient Appointment Scheduling (PAS); Patient Administration System (PAD); Managed Care Program (MCP); Common Files and Workload Assignment Module (WAM).

Respond to complex customer-reported systems problems. Create user accounts, reset passwords, reset ports and tape backups.

Utilized the Virtual Memory System (VMS) (MUMPS System) to update user accounts and troubleshoot the database.

Conducted CHCS training for new hires on the enrollment and