Dr. Edgar Carmenatty, CISSP, ITIL Foundations v.*
Herndon, VA 22304
Phone : 703-***-****
*****.**********@*****.***
SUMMARY
Excellent problem solver, with strong communication, teamwork, and interpersonal skills. For more than 23 years, acknowledged for the capacity to tackle challenging issues, analyze viable alternatives, and provide innovative solutions. Has accumulated extensive and diverse technical experience in the IT field, emphasizing management, computer security, network administration, programming, and PC support. Holds a master's in computer security management (Summa Cum Laude) and CISSP and ITIL v3 certifications.
Persistence, personal integrity, and channeled energies are major strengths consistently cited by managers praising team spirit, independent work habits, and the determination to conquer technical challenges.
• DIACAP (VMS, eMass, Xacta, Gold Disk, and Retina)
• DIACAP (C&A package dev. management)
• Incident Management
• ITIL Foundations - V3
• Policy Development and Implementation
• CISSP
• Exposed to FedRAMP
• CSAM
SKILLS
Experience supporting C level senior executives.
Experienced Security Manager.
Certified Information Systems Security Professional (CISSP).
OS Platform: Windows NT 4.0/ 2000/ 2003 Servers
Knowledge of eMass, Xacta AI Manager, Gold Disk, Retina, MS-Office (Word, Excel, PowerPoint, Outlook, Publisher) 97-2010, MS Project, and MS Visio.
Collaborates with other departments (e.g., Risk Management) to direct compliance issues to appropriate existing channels for investigation and resolution.
EDUCATION
PhD, Information Technology,
Capella University, Minneapolis, Minnesota
GPA: 3.42; graduation date: March 2015
Master of Science, Computer Science, Computer Security Management, December 2009
Strayer University, Alexandria, Virginia
GPA: 3.92, Summa Cum Laude
B.S., Computer Science, Computer Programming, Minor: Accounting, June 1985
Interamerican University, Guaynabo, Puerto Rico
GPA: 3.21, Major GPA: 3.53
SECURITY CLEARANCE
Top Secret
HONORS
Summa Cum Laude. Strayer University, December 2009.
Outstanding Performance Award. Command Information, Washington, DC, March 2008.
Appreciation for Contribution. Anvicom, Washington, DC, 2008.
PROFESSIONAL EXPERIENCE
Experience supporting C level senior executives, Computer/Network Security, team building and leading, Customer Needs Assessment, Team Development/Motivation, and Technical Support.
EXPERIENCE
Raytheon Blackbird Herndon, VA Oct. 2015 – Present
Quality and Compliance Manager
In charge of developing and revising the United States Postal Service (USPS) enterprise-wide cyber security strategy, policies, governance structure, compliance program, and risk management framework. USPS is an organization with 486,822 career employees, 31,662 Postal Service-managed retail offices and annual revenue of 67.9 billion.
Responsibilities:
Interface with the CISO team and other leaders to ensure that security goals and policies are supported by well-defined processes, with measurable results, in strict compliance with applicable laws, regulations, and policies.
Ensure that key configuration change procedures are exercised, measured, and monitored to ensure predictable results.
Coordinate regularly with leadership supporting the CISO.
Serve as key resource in promoting quality and policy compliance.
Contribute to development of training resources.
Work with vulnerability assessment manager to collect measures of policy and configuration compliance.
Measure progress and success, as well as identify weaknesses and remediation.
Provide ongoing status to CISO using accurate and current data.
Contribute to policy development and implementation as it relates to NIST guidance.
Coordinate across organization to ensure that all leadership is aware of goals and requirements.
Provide customer with an end-to-end capability.
Manage policy and policy implementation.
RedPort-Information Assurance (USSS) Washington, DC Oct. 2014 – 2015
Compliance Officer
My responsibility as a Compliance Officer includes the review of policies and procedures. Assist in the review of FISMA accreditation and authorization (A&A) compliance reports, questionnaires, procedures, and certifications, and the evaluation of A&A documents.
Additional duties comprise the following:
Gain a thorough understanding of the company's systems, learning who has access and where the systems' weak points are. Recommend ways to improve and update the security of the company's computers. Recommend ways to improve a system's security through both hardware and software solutions.
Develop, implement, maintain, and revise policies and procedures for the general operation of compliance processes and related activities, and manage day-to-day Accreditation and Authorization (A&A) operational issues.
Act as part of the CISO's independent review and evaluation body to ensure that the A&A process complies with FISMA requirements, and address compliance concerns that may exist within the organization.
Design, monitor, and oversee the implementation of a SharePoint A&A portal and application that is being used to coordinate all FISMA compliance activities for the client's systems portfolio, such as:
o POA&M management
o Assessment and Authorization documentation management
o Hardware and software inventory
o Policy management
o Systems boundary
o Analysis of scan results on a per-boundary basis
o Groups Weekly Actions Reports
o Change requests
o Waivers
This portal is being used to identify trends and to measure and improve process performance.
Identify potential areas of compliance vulnerability and risk; develop/implement corrective action plans for resolution of problematic issues, and provide general guidance on how to avoid or deal with similar situations in the future.
Blue Canopy Herndon, VA Oct. 2013 – Oct. 2014
Sr. Consultant
My responsibility as a consultant was to resolve any security issue that may surface. It does not matter if I am coaching a person, facilitating a meeting, leading a training class, dealing with NIST Risk Management Framework issues, or dealing with some IT governance challenge; I will adapt to the needs of my client. My obligation as a consultant was to understand the business problem or need, develop appropriate recommendations, and present the pros and cons and trade-offs to the executive. He or she must have all available information to make an informed decision.
As part of my responsibilities, performed the following duties:
Participate in security control assessments for a federal (civilian) agency's General Support Systems (GSS) and Major Applications (MA) to ensure compliance with FISMA security framework controls using CMS Information Security Acceptable Risk Safeguards (ARS) 2.
Verify that systems owned or managed by the federal agency meet specific security requirements in the following classes of security controls: operational, management, and technical.
Determine completeness and compliance of the following documents: System Security Plans (SSP), Contingency Plans (CP), Incident Response (IR) plans, and artifacts.
Verify that the agency security controls and requirements had been satisfied.
Work on reports, presented to ISSOs, CISO, Cyber Security Team, and CIO that depict vulnerabilities and suggested mitigations that could be used to improve the system(s) security posture.
This role also requires interviewing Federal employees and/or contractors with security responsibilities in any of the three security classes (management, operational and technical) during systems security assessments.
RedPort-Information Assurance (DOT) Washington, DC Aug. 2012 – Sept. 2013
IMC/Security Manager (Sr. Security Manager) – Managed a team of 21 employees
Gain a thorough understanding of the company's systems, learning who has access and where the systems' weak points are. Recommend ways to improve and update the security of the company's computers.
Recommend ways to improve a system's security through both hardware and software solutions.
Revise and set user policies and protocols, monitor them, and enforce them. Set up countermeasures that protect the system when an unauthorized user attempts to gain access.
As a member of the team supporting the DOT Office of the Secretary (OST) senior executives under the Information Assurance Office (SSO), I am executing managerial responsibilities as the IMC (Incident Management Center) and Security Manager. In charge of providing an integrated approach to IT security services for monitoring and responding to infrastructure and network incidents throughout the DOT COE (Common Operations Environment), with over six thousand (6,000) users.
In charge of creating and developing a comprehensive set of operational procedures and guidelines that will help DOT accomplish its mission and ensure compliance with Federal and DOT security requirements following the DOT Cyber Security Compendium, FISMA, the Computer Security Act of 1987, the Clinger-Cohen Act, OMB Circular A-130, NIST SP 800-18, SP 800-37, SP 800-53, and the FIPS 199 series; and act as a consultant to support information assurance policies, standards, directives, and requirements initiatives.
Assisted the ISSO:
o On the implementation of applicable cyber security policies for the information system and those aspects of information system-related physical security.
o In verifying and certifying that the operational security posture is consistent with DOT's security policy.
o In ensuring that cyber security notices and advisories are distributed to appropriate personnel and that vendor-issued security patch issues were reported.
o As the manager of the Incident Management Center, serving as the focal point for cyber security incident reporting and subsequent resolution for assigned information systems.
o In ensuring that security-related documentation at each phase of the SDLC meets all identified security needs.
o In maintaining the security assessment and authorization documentation (formerly C&A) for information systems according to the Department of Transportation Cyber Security Compendium.
o In selecting NIST SP 800-53r3 baseline security controls appropriate for the information system based on the FIPS 199 security categorization guideline, NIST SP 800-53 guidance, supplemental Department of Transportation policy, and the Departmental Cyber Security Compendium.
o In recording all known security weaknesses of assigned information systems in the POA&M in accordance with Department of Transportation policy and procedures.
o In tracking all security education and awareness training conducted for personnel and contractors, as required by the Departmental Cyber Security Compendium.
o On required updates performed to key documents in accordance with NIST SP 800-37 for continuous monitoring, as supplemented by the Departmental Cyber Security Compendium.
o In identifying changes to the information system that may affect security controls, performing the security impact assessment of proposed changes, reporting any change in risk posture, and providing recommendations for risk mitigation.
o In developing a FISMA Compliance Database (MS Access) that is used as part of the Continuous Monitoring Strategy to monitor and track vulnerability findings from the Plan of Action & Milestones (POA&M), identifying vulnerabilities that can be quickly resolved, and following up with Subject Matter Experts (SMEs) to update current POA&M status. This application manages meetings, agendas/minutes, and a dashboard; organizes an artifact repository; organizes data collection for audits; and supports research in addressing POA&M findings.
o In verifying and ensuring that external connections to/from information systems and networks are provided by an approved Trusted Internet Connection Access Provider (TICAP) or DOT-approved Managed TIC Provider Service (MTIPS).
o In ensuring that the security management system (CSAM) accurately contains the required information system inventory, categorization, POA&Ms, and other security metrics required by the CIO through this policy and the Departmental Cyber Security Compendium for the system(s) for which the ISSO is responsible.
o In completing mandatory annual specialized information security training.
Managed several projects such as Improvement of the Incident Management Center, POA&M management, and resolution that included the development of an Access Database as part of the vulnerabilities resolution strategy.
TWD & Associates (NAVY) Washington, DC Feb. 2012 – Aug. 2012
HQ Operations Project Services Team PM (Managed a team of 11 employees) – Promotion from prior position.
Responsible for DIACAP and project management teams that provide security engineering, operations and maintenance support to NAVSEA systems.
Responsible for managing the schedule, technical execution, contractual compliance, and customer satisfaction in coordination with an internal program management office (PMO), government senior program management and technical points of contact, and subcontractors.
Responsible for Project Control team that ensures that HQ NAVSEA IT systems conform to the DoD/DoN Governance Chain. The Chain’s “links” include FISMA, DITPER-DON, DIACAP Certification and Accreditation Process, NMCI Certification, DADMS and SAHRAP Registration and Approval Process, CARS and LNS Initiatives, and a growing number of subordinate requirements and procedures. Project Control performs other duties such as maintaining NAVSEA Server and Software Portfolio in DADMS; producing NMCI and other technical documents that support HQ NAVSEA systems; and assisting system owners by conducting and documenting FISMA Annual Security Reviews, Security Controls Tests, and Contingency Plan Tests.
Provide security guidance in Information Assurance (IA), Certification and Accreditation (C&A), network security, security life cycle management, risk management, and security awareness.
Assist in the review of DIACAP documentation to support systems accreditation.
Ensured that Department of the Navy, DoD, DIACAP and NIST security requirements and processes are properly implemented on Navy computers, systems and networks and thoroughly documented for formal system accreditation.
Developed and implemented two applications: one for C&A package verification with canned findings, and a weekly/monthly status report used to justify TWD & Associates' presence.
C&A Projects Managed:
o Enhancement of the Incident Management Center
o Voice Over Internet Protocol
o Program Executive Office Integrated Warfare Center Integrated Data Environment
o INAVSEA
o Digital Signage and IPTV
o Video Teleconference
o Secured Video Teleconference
TWD & Associates (NAVY) Washington, DC Nov. 2011 – Feb. 2012
Configuration Management Analyst 4 (Supervised one employee) – Promoted to the next position
Assists in the maintenance and control of the configuration of identified items such as baselines, documentation, drawings, specifications, and associated documentation within approved Configuration Management parameters.
Check DoD DIACAP C&A packages for quality control.
Delta Resources (DISA) Alexandria, VA May 2011 – Nov. 2011
Senior Information Systems Analyst/ Alternate IAM
Support the IAM on oversight of information systems security for automated information systems assigned to the PEO-MA directorate through participation in working groups and with individual users.
Responsible for understanding, implementing, and complying with all policies and procedures identified in DoDD 8500.1, DoDI 8500.2, DoDI 8570.1 and the DoD Information Assurance Certification and Accreditation Process (DIACAP).
Responsible for developing and maintaining the organization's DoD information system-level IA program, which identifies the IA architecture, IA requirements, IA Security Plan, IA objectives, and policies. Additionally, the support includes: reviewing, commenting on, tracking, and maintaining the DISA repository for all PEO-MA IA certification and accreditation documentation; ensuring that all systems and associated Information Assurance Vulnerability Assessment (IAVA) and Security Readiness Review (SRR) results are recorded in the Vulnerability Management System (VMS); tracking and reporting on all IA management review items; and monitoring IAVA compliance in VMS and preparing weekly IAVA compliance reports.
Support the Directorate IMO in providing automation support to the end users. The IMO's duties and responsibilities include developing and publishing the Directorate Information Management Plan (IMP); identifying, tracking, and recommending automation equipment requirements; developing procedures to validate and manage information requirements; communicating, collecting, and reporting data calls related to Action Information Management System (AIMS) suspenses; and researching, responding to, and reporting on Requirements Identification Documents (RIDS). The IMO is the first contact for the Help Desk for end-user automation support and is the designated representative to request automation support.
Support the Directorate Equipment Custodian in receiving, tracking, issuing, and disposing of all Automated Data Processing Equipment (ADPE).
Alion Science and Technology (NAVY) Alexandria, VA August 2010 – May 2011
Senior Data Security Analyst
Experience with DIACAP process. Software used for documentation and evaluation of systems: Xacta AI Manager (User and Administrator), Gold Disk, and Retina.
Develop, implement, enforce, and communicate security policies or plans for data, software applications, hardware, telecommunications, and information systems security education/awareness programs.
Carry out all phases of information systems/networks security program that involves access to computers and computerized data enabling company to meet contractual requirements for network security.
Research, evaluate, test, recommend, communicate, and implement new security software or devices.
Conducted regular audits to ensure that systems are being operated securely and that information systems security policies and procedures are being implemented as defined in security plans.
Conducted investigations of computer security violations and incidents, reporting as necessary to management. Identified and recommended solutions to security exposures.
Developed, tested, and operated firewalls, intrusion detection systems, enterprise anti-virus systems, and software deployment tools.
Worked with commercial computer product vendors in the design and evaluation of state-of-the-art secure operating systems, networks, and database products.
Coordinated with project teams in system consolidation, information security software upgrades, and contingency management planning and execution.
Responded to queries and requests for computer security information and reports. May prepare security reports for regulatory agencies such as the Departments of Defense or Energy.
Provided guidance to less skilled Data Security Analysts.
Unisys (TSA) Reston, VA June 2009 – August 2010
Network Design Engineer 4
Analyzed local and wide area network systems, including planning, designing, evaluating, selecting operating systems and protocol suites and configuring communication media with concentrators, bridges and other devices.
Oversee network communications for Cisco routers and switches. Fulfill requested security changes (port security) following contract and change control procedures.
Resolved interoperability problems to obtain operations across all platforms including E-Mail, file transfer, multimedia, teleconferencing and the like.
Configured and hardened systems for secure user environments.
Supported acquisition of hardware and software as well as subcontractor services as needed.
Unisys (Census Bureau) Reston, VA February 2009 - June 2009
Consultant 2
Member of the Unisys Training team, in charge of evaluating, modifying training materials for the Census, Office Computing Environment (OCE), and the Mobile Computing Equipment (MCE).
My main responsibility as a member of the team was validation and QC of Puerto Rico's Spanish documentation. This included verifying the correctness of the translation of:
o Personal information and identification (PII) data protection while gathering information.
o Instructions on how to manage government equipment (computers) that contains PII.
Beacon Hill (Census Bureau) Largo, MD November 2008 - February 2009
Trainer
Member of the Unisys Training team, in charge of evaluating, modifying training materials for the Census, Office Computing Environment (OCE), and the Mobile Computing Equipment (MCE).
My main responsibility as a member of the team was validation and QC of Puerto Rico's Spanish documentation. This included verifying the correctness of the translation of:
o Personal information and identification (PII) data protection while gathering information.
o Instructions on how to manage government equipment (computers) that contains private information.
Anvicom/CommandInformation (FAA) Washington, DC May 2006 - November 2008
Helpdesk Manager
Help Desk Manager at FAA, responsible for providing advice to end-users on software- and hardware-related problems. Computer imaging, AD management, support to users, printers, and the tape library, and enforcement of department policies such as:
Enforced established policies on physical access to data processing equipment.
Enforced access control policies on network drops.
Magnetic media management, protection, and destruction.
Did on the spot training on how to identify and protect PII media and data.
Access control to digital resources in digital media.
On the spot training on software usage, access control, phishing, malware, email usage, PII protection, software installation protection. Safe management of recording media.
Friendly presence and helpful attitude; excellent interpersonal skills and ability to work well with others.
Information Network Inc. Lanham, MD September 2005 - May 2006
Network Administrator
Responsible for overseeing the daily operations of thirteen (13) Windows 2000/2003 servers at the headquarters.
In charge of server and workstation anti-virus installations and updates. Media protection, backups, access control, system and services acquisition, and systems and communications protection.
In charge of controlling physical access to HQ and one additional office.
Managed office expansion for a new contract; this included new drops, physical security of computers, and a VPN for remote access to HQ servers. Managed the internal IT helpdesk providing desktop support to 40 users, and assisted the Office of the CIO in building and maintaining the growing corporate IT infrastructure. Additionally, administrator of the following systems: Data Watch (access control system) and Avaya IP Office (IP telephony system).
Florida Hospital Orlando, FL June 2003 - April 2004
System Analyst
Designed, analyzed, coded, and implemented several applications for the call center using Telescript (call center scripting software for inbound and outbound).
Develop applications that increased productivity and reduced phone time.
Develop programs that had controls for information integrity and access controls to program modules.
Executrain Orlando, FL October 2000 - October 2002
IT Manager
Responsible for the setup and maintenance of six (6) training rooms (100 computers). In charge of network account maintenance, connectivity, security, trust, upgrades, troubleshooting (protocols, software, and hardware), installation and configuration of software, the email system, and all computers at both sites. Responsible for supervising one person during this period.
Responsible for overseeing the daily operations of five (5) Windows 2000 servers and one (1) Novell server at the headquarters and one office in Melbourne.
Performed server and workstation anti-virus installations and updates. Responsible for media protection, backups, access control, system and services acquisition, systems and communications protection, inventory, and configuration control.
In charge of controlling physical access to HQ and one additional office.
Florida Technical College Orange City, FL January 2000 - July 2000
Instructor
Responsible for the technical training of new MCSE 4.0 candidates at the college. Gave classes on courses such as: Supporting Microsoft Windows NT Server 4.0 Enterprise Technologies, Administering Microsoft Windows NT 4.0, Core Technologies of Exchange Server 5.0 and 5.5, Supporting Microsoft Windows NT 4.0 Core Technologies, Microsoft IIS 4, Supporting Microsoft Windows NT 4.0, and Internetworking with Microsoft TCP/IP.
In charge of MCSE training on setup and maintenance of NT computers, systems hardening, and system account standards policies (security templates) and maintenance. Additionally, responsible for network connectivity, security, trust, upgrades, troubleshooting (protocols, software, and hardware), system configuration management, contingency planning, media protection, and servers' physical protection.
Scala of North America Lake Mary, FL January 1999 - January 2000
Senior Technical Consultant
Responsible for the installation and upgrade of Scala’s accounting application all over US, the Caribbean and South America.
Productivity Point International Santurce, PR June 1997 - November 1998
Senior Technical Instructor
Responsible for delivering technical training for MCSE and MCSD candidates. Delivered seminars and trainings on Microsoft Certified Development and Network courses, MS Office, and Project.
In charge of training MCSE candidates in setup and maintenance of NT computers, systems hardening, and system account standards policies and maintenance. Additionally, instructed on network connectivity, security, trust, upgrades, troubleshooting (protocols, software, and hardware), system configuration management, contingency planning, media protection, and servers' physical protection.
DRC, Inc. Santurce, PR January 1996 - June 1997
Certified Instructor/Consultant
Worked as an application development consultant and MS Certified Curriculum trainer.
Developed programs that implemented information access and integrity controls coded into program modules.
WSD Corp Rio Piedras, PR September 1994 - January 1996
Owner
In charge of client software and hardware evaluation for automated solutions. Developed solutions in a Windows environment using Visual Basic 3.00, FoxPro 2.6, and Access 2.00, prepared related documentation, and installed software and servers.
Developed programs that implemented information access and integrity controls coded into program modules.
Interamerican University, Computer Center Guaynabo, PR September 1989 - August 1994
Director
In charge of managing the campus central computing facility operations as it provided both academic and administrative support to the organization.
In charge of budget ($750,000), planning, presentation, and implementation.
Established the first inter-divisional committee, which addressed each division's technological needs.
Supervised 11 employees.
In charge of systems, service acquisition, protection of systems communications, program management, policy planning, and access controls.
AFFILIATIONS
InfraGard
CERTIFICATIONS
Fully Qualified Navy Validator, April 2012
Certified Information Systems Security Professional (CISSP), February 2010
Certified Cisco Network Associate. Cisco Certification (CCNA), October 2009 - June 2012
ITIL Foundations V3, October 2009
MCP. Microsoft, June 2002
MCSE - NT4. Microsoft
MCSD - Visual Basic 6. Microsoft
MCP+Internet. Microsoft
TRAINING
Fully Qualified Navy Validator, April 2012
Cyber Law I, 2011
IA Briefing for Senior Operational Leaders, 2011
NETOPS: An Overview, 2011
NETOPS: Applied to GIG Operation, 2011
Introduction to Continuity of Operations, 2011
Annual Antiterrorism Training, 2011
Annual OPSEC Awareness, 2011
Annual Counterintelligence Training, 2011
DoD Information Assurance Training, 2011
PII Training, 2011
Phishing Ver. 1.0 - Operations, 2011
ITIL Foundations V3, 2009
CISSP, 2009
CCNA, 2009