Summary of Qualifications

An experienced Information Security Manager/Compliance Advisor, skilled in developing, implementing and maintaining enterprise security, compliance and risk management frameworks. Extensive leadership experience building and maintaining cross-functional teams and projects. Adept at obtaining support and sponsorship from key stakeholders and executive leadership by using strong persuasion, mediation, negotiation and relationship building skills.

Core Competencies

Incident Management Information Security Framework Security Auditing and Monitoring

Process and Service Improvement Risk Management Policy and Standards Development

Disaster Recovery/Business Continuity Infrastructure Re-engineering Regulatory Compliance/Governance

Professional Experience

United States Postal Service 2010 to Present

PCI Program Manager Consultant for RandstadUSA, Inc. – Raleigh, NC

Attended Architecture Review Board meetings – voting member for the Corporate Information Security Officer

Interfaced with AT&T Qualified Security Assessor – contacted QSA for CISO to verify a remediation action plan or determine appropriate PCI compliant approach to an issue

Led and facilitated Executive Briefing Summaries outlining issues/roadblocks and proposed solutions for approval

Led remediation activities, developed and reviewed action plans and developed appropriate Compensating Controls

Identified, assessed, reported and mitigated information security risks and determined action plans that met compliance and regulatory requirements for each Line of Business

Developed PCI Security Awareness Training modules

Represented CISO in PCI meetings

Key Accomplishments

Tracked, reported and presented briefings for PCI Leadership on status of findings from Quarterly Vulnerability Scans and Annual Penetration Tests

Created PCI Program Office, developed Enterprise Strategic PCI Compliance Plan

Determined funding needed for 3-Year and 5-Year DAR (Decision Analysis Report) - $100M+ project

Transitioned PCI Program Management Office to IT Compliance Office for ongoing sustainment

Laboratory Corporation of America Holdings (LabCorp) 2008 - 2009

Corporate Information Security Manager, – Burlington, NC

Developed and implemented architectural requirements for Information Security Framework

Authored the Enterprise Information Protection Policy

Created and enacted physical and logical information security policies, standards, procedures and guidelines, addressing regulatory requirements for HIPAA, SOX, PCI, CLIA, CAP and FDA

Established and revised controls for PCI DSS compliance, ensuring that mandatory quarterly scans passed all regulatory reviews

Presented weekly status briefings to Executive Leadership for PCI Compliance Program

Key Accomplishments

Integrated physical and logical information security requirements into the overall IT Systems Life Cycle process, ensuring comprehensive sustainable compliance with regulatory requirements and corporate policies

Led PCI DSS compliance project to successful Report of Compliance for 2009

Negotiated resources from across the enterprise - Internal Audit, Compliance, Finance, Legal and IT to implement effective security controls for compliance

Blue Cross & Blue Shield of South Carolina (BCBSSC) 2008

Senior Risk and Compliance Security Consultant for York Solutions, Inc. – Columbia, SC

Conducted compliance and risk reviews of network systems

Documented vulnerabilities of all systems against requirements for HIPAA and PCI

Developed remediation plans to mitigate all risks and vulnerabilities to network systems

Key Accomplishments

Developed and implemented the Information Assurance Framework

Developed and implemented the enterprise regulatory governance program, ensuring sustainability of controls for compliance with DoD, FISMA and NIST requirements

Blue Cross & Blue Shield of North Carolina (BCBSNC) 2007

Senior Security Consultant for Matrix Resources, Inc. – Durham, NC

Developed and directed Risk Remediation Project for multiple AS400 audit reports

Presented Final Project Report to Corporate Audit Committee

Documented IT architectural requirements for implementation of ArcSight security event monitoring tool

Ensured all new products purchased and implemented by Privacy and Security Governance group met IT Enterprise Architecture standards and policies

Key Accomplishments

Mitigated and documented 98.4% of outstanding findings and risks detailed in final AS400 audit report

Halifax Community Health System 2005 – 2007

Corporate Information Security Officer – Daytona Beach, FL

Chaired and facilitated Enterprise InfoSec Council and maintained a security dashboard to provide enterprise security status and cyber threat activity

Acted for the healthcare system as the HIPAA Security Officer

Acted as enterprise advocate for information security and business contingency best practices

Conducted business impact analyses - determined regulatory process requirements and business contingency and recovery needs for each line of business (health plan, 2 hospitals, Medicare/Medicaid billing center and 3 Hospice facilities)

Developed and implemented standards for Enterprise Disaster Recovery and Business Continuity Program

Conducted risk assessments; detailed vulnerabilities of all enterprise systems, processes, applications and platforms

Developed and implemented remediation solutions that mitigated 97.4% of all open and documented audit items and risks

Investigated all reported breaches of Security, Privacy and Compliance policies - created Memo of Corrective Action for General Counsel for each breach

Represented the Compliance Office as single point of contact for external law enforcement, legal and government (Homeland Security), as well as authorized public and private entities and third parties

Reviewed hardware, software and services being considered for purchase or implementation by other members of the System; assessed security issues (benefits vs. risks); provided security requirements for all Requests For Purchase

Participated as key member of IT Intrusion Response Team

Performed as Subject Matter Expert (SME) for all audits – federal, state, regulatory and licensing board

Key Accomplishments

Developed and implemented the strategic roadmap for the Corporate Information Security and Business Contingency/Disaster Recovery Programs

Implemented a governance framework for policies and standards ensuring HIPAA privacy, confidentiality. integrity and availability of patient information

Developed and presented enterprise security awareness and security training - created online training courses, CBT (computer based training) modules and gave instructor-led presentations

Invited to sit on the Hospital Board of Directors – de facto member for Compliance and Security

American Heritage Life Insurance (Allstate Workplace Division) 2001 – 2005

IT Security Manager – Jacksonville, FL

Planned, developed and led complex projects, delivering GLBA and SOX 404 compliance projects on time and on budget

Planned, developed and managed cross-functional $1.5M HIPAA project – achieved measurable compliance and documented controls by federally mandated HIPAA deadlines for Privacy, Data & Code Sets and Security

Aligned privacy, security and risk programs with Enterprise Information Security and Risk Governance Framework

Implemented access control infrastructure, enhanced and supported enterprise Identity Management framework

Coordinated and led CIRT (computer incident response team) investigating and responding to security and virus incidents

Key Accomplishments

Developed and implemented the HIPAA and SOX compliance programs

Performed as the HIPAA Security Officer to the Allstate Security Governance Council

Re-engineered IT architecture and standardized operational processes - migrated local data center in Jacksonville, FL to enterprise data center in Dayton, Ohio

Blue Cross & Blue Shield of Florida (BCBSFL) 2000 – 2001

Senior Technical Security Consultant for Technisource, Inc. – Jacksonville, FL

Mediated and coordinated multiple federal, state and regulatory audits

Developed and implemented corrective action plans, detailed remediation activities for all outstanding audit issues for SAS70, State of FL Triennial, Office of Inspector General for Medicare/Medicaid and independent third party annual audits

Revised corporate Security Plan, included changes to the overall Operational Security Architecture

Developed and conducted training sessions to facilitate disaster recovery and business contingency planning by each business unit

Ensured adequate audit trails and logs enabled on all relevant platforms for investigations of security-related incidents and compliance with ISO 27000 series and CoBIT standards

Key Accomplishments

Primary subject matter expert for 13 audits - successfully mitigated 100% of all outstanding findings within 90 days of final audit reports

Developed and implemented platform-specific security standards and business resumption plans for IT Infrastructure components – IBM 390 (RACF) security, distributed Network, Unix/Linux systems, and Oracle and SQL databases and for each line of business (LOB)

Texas Education Agency 1998 – 2000

Information Security Officer – Austin, TX

Mediated and negotiated for the 50 division directors within the Agency

Represented the Agency statewide at all inter-agency functions

Developed and implemented policies and standards to ensure Family Education Rights and Privacy Act (FERPA) privacy, confidentiality and availability of student information

Key Accomplishments

Contributed in the creation of a statewide set of Information Security Guidelines and Standards for all statewide agencies

Developed security standards and requirements to implement statewide Public Key Infrastructure (PKI), Virtual Private Network (VPN), Intrusion Protection Systems (IPS)

Motorola, Inc. 1996 – 1998

Program Director Consultant for Gilcorp, Inc. – Austin, TX

Created, developed and implemented strategies to re-engineer supported legacy applications from 40+ systems to 16 systems

Implemented Six Sigma business process improvement methodology - enabled technical mapping of all 40+ applications; identified customer requirements; developed and implemented re-engineering solutions

Key Accomplishments

Reduced supported applications by 60% - reduced annual maintenance and licensing fees by $150M

Re-allocated 30% of application maintenance personnel (25 FTEs) for new application and business development projects

Managed five teams in Austin, TX (38 programmers and analysts) and one team of system engineers and programmers in Phoenix, AZ (6 systems programmers and 2 system engineers)

Education

Appalachian State University, Boone, NC

Bachelor of Science in Business Administration: Management Information Systems

Oklahoma State University, Stillwater, OK

Masters Curriculum – Applied Behavioral Studies (Educational Psychology)

Encryption and Cryptographic Methods, Austin, TX

Engineering Course – University of Texas at Austin

Certifications

CISM (Certified Information Security Manager), 2004 through ISACA (status is current)

PMP (Project Management Professional), 2003 Allstate Workplace Division

TQM (Total Quality Management), 1996 VTEL Corp.

PM (Professional Manager), 1988, Oklahoma State University

Technical Skills

Operating Systems: Windows 20XX, AS400, DEC Vax VMS, Ultrix, IBM AIX and RISC 6000, IBM MVS/CICS/IMS, UNIX, Linux

System Tools: Active Directory, LDAP, ArcSight Security Event Management tool

Compliance Frameworks: ISO 2700X, ITIL, CoBIT, NIST, FISMA, SDLC (system development life cycle), PCI- DSS, SOX, HIPAA, GLBA, and FERPA

Other: Capability Maturity Model (CMM) and Six Sigma process improvement; RACF; IP concepts, VPN (virtual private networks), Intrusion Prevention/Detection Systems (IDS/IPS), Firewalls, Data Loss Prevention (DLP), Logging and Monitoring, Routers, Switches, Hubs and eDiscovery; Oracle and SQL databases

Contact this candidate