Summary of Qualifications
An experienced Information Security Manager/Compliance Advisor, skilled in developing, implementing and maintaining enterprise security, compliance and risk management frameworks. Extensive leadership experience building and maintaining cross-functional teams and projects. Adept at obtaining support and sponsorship from key stakeholders and executive leadership by using strong persuasion, mediation, negotiation and relationship building skills.
Core Competencies
Incident Management
Information Security Framework
Security Auditing and Monitoring
Process and Service Improvement
Risk Management
Policy and Standards Development
Disaster Recovery/Business Continuity
Infrastructure Re-engineering
Regulatory Compliance/Governance
Professional Experience
United States Postal Service 2010 to Present
PCI Program Manager Consultant for RandstadUSA, Inc. – Raleigh, NC
Attended Architecture Review Board meetings – voting member for the Corporate Information Security Officer
Interfaced with AT&T Qualified Security Assessor – contacted QSA for CISO to verify a remediation action plan or determine appropriate PCI compliant approach to an issue
Led and facilitated Executive Briefing Summaries outlining issues/roadblocks and proposed solutions for approval
Led remediation activities, developed and reviewed action plans and developed appropriate Compensating Controls
Identified, assessed, reported and mitigated information security risks and determined action plans that met compliance and regulatory requirements for each Line of Business
Developed PCI Security Awareness Training modules
Represented CISO in PCI meetings
Key Accomplishments
Tracked, reported and presented briefings for PCI Leadership on status of findings from Quarterly Vulnerability Scans and Annual Penetration Tests
Created PCI Program Office, developed Enterprise Strategic PCI Compliance Plan
Determined funding needed for 3-Year and 5-Year DAR (Decision Analysis Report) - $100M+ project
Transitioned PCI Program Management Office to IT Compliance Office for ongoing sustainment
Laboratory Corporation of America Holdings (LabCorp) 2008 - 2009
Corporate Information Security Manager – Burlington, NC
Developed and implemented architectural requirements for Information Security Framework
Authored the Enterprise Information Protection Policy
Created and enacted physical and logical information security policies, standards, procedures and guidelines, addressing regulatory requirements for HIPAA, SOX, PCI, CLIA, CAP and FDA
Established and revised controls for PCI DSS compliance, ensuring that mandatory quarterly scans passed all regulatory reviews
Presented weekly status briefings to Executive Leadership for PCI Compliance Program
Key Accomplishments
Integrated physical and logical information security requirements into the overall IT Systems Life Cycle process, ensuring comprehensive sustainable compliance with regulatory requirements and corporate policies
Led PCI DSS compliance project to successful Report of Compliance for 2009
Negotiated resources from across the enterprise - Internal Audit, Compliance, Finance, Legal and IT to implement effective security controls for compliance
Blue Cross & Blue Shield of South Carolina (BCBSSC) 2008
Senior Risk and Compliance Security Consultant for York Solutions, Inc. – Columbia, SC
Conducted compliance and risk reviews of network systems
Documented vulnerabilities of all systems against requirements for HIPAA and PCI
Developed remediation plans to mitigate all risks and vulnerabilities to network systems
Key Accomplishments
Developed and implemented the Information Assurance Framework
Developed and implemented the enterprise regulatory governance program, ensuring sustainability of controls for compliance with DoD, FISMA and NIST requirements
Blue Cross & Blue Shield of North Carolina (BCBSNC) 2007
Senior Security Consultant for Matrix Resources, Inc. – Durham, NC
Developed and directed Risk Remediation Project for multiple AS400 audit reports
Presented Final Project Report to Corporate Audit Committee
Documented IT architectural requirements for implementation of ArcSight security event monitoring tool
Ensured all new products purchased and implemented by Privacy and Security Governance group met IT Enterprise Architecture standards and policies
Key Accomplishments
Mitigated and documented 98.4% of outstanding findings and risks detailed in final AS400 audit report
Halifax Community Health System 2005 – 2007
Corporate Information Security Officer – Daytona Beach, FL
Chaired and facilitated Enterprise InfoSec Council and maintained a security dashboard to provide enterprise security status and cyber threat activity
Acted for the healthcare system as the HIPAA Security Officer
Acted as enterprise advocate for information security and business contingency best practices
Conducted business impact analyses - determined regulatory process requirements and business contingency and recovery needs for each line of business (health plan, 2 hospitals, Medicare/Medicaid billing center and 3 Hospice facilities)
Developed and implemented standards for Enterprise Disaster Recovery and Business Continuity Program
Conducted risk assessments; detailed vulnerabilities of all enterprise systems, processes, applications and platforms
Developed and implemented remediation solutions that mitigated 97.4% of all open and documented audit items and risks
Investigated all reported breaches of Security, Privacy and Compliance policies - created Memo of Corrective Action for General Counsel for each breach
Represented the Compliance Office as single point of contact for external law enforcement, legal and government (Homeland Security), as well as authorized public and private entities and third parties
Reviewed hardware, software and services being considered for purchase or implementation by other members of the System; assessed security issues (benefits vs. risks); provided security requirements for all Requests For Purchase
Participated as key member of IT Intrusion Response Team
Performed as Subject Matter Expert (SME) for all audits – federal, state, regulatory and licensing board
Key Accomplishments
Developed and implemented the strategic roadmap for the Corporate Information Security and Business Contingency/Disaster Recovery Programs
Implemented a governance framework for policies and standards ensuring HIPAA privacy, confidentiality, integrity and availability of patient information
Developed and presented enterprise security awareness and security training - created online training courses, CBT (computer based training) modules and gave instructor-led presentations
Invited to sit on the Hospital Board of Directors – de facto member for Compliance and Security
American Heritage Life Insurance (Allstate Workplace Division) 2001 – 2005
IT Security Manager – Jacksonville, FL
Planned, developed and led complex projects, delivering GLBA and SOX 404 compliance projects on time and on budget
Planned, developed and managed cross-functional $1.5M HIPAA project – achieved measurable compliance and documented controls by federally mandated HIPAA deadlines for Privacy, Data & Code Sets and Security
Aligned privacy, security and risk programs with Enterprise Information Security and Risk Governance Framework
Implemented access control infrastructure, enhanced and supported enterprise Identity Management framework
Coordinated and led CIRT (computer incident response team) investigating and responding to security and virus incidents
Key Accomplishments
Developed and implemented the HIPAA and SOX compliance programs
Performed as the HIPAA Security Officer to the Allstate Security Governance Council
Re-engineered IT architecture and standardized operational processes - migrated local data center in Jacksonville, FL to enterprise data center in Dayton, Ohio
Blue Cross & Blue Shield of Florida (BCBSFL) 2000 – 2001
Senior Technical Security Consultant for Technisource, Inc. – Jacksonville, FL
Mediated and coordinated multiple federal, state and regulatory audits
Developed and implemented corrective action plans, detailed remediation activities for all outstanding audit issues for SAS70, State of FL Triennial, Office of Inspector General for Medicare/Medicaid and independent third party annual audits
Revised corporate Security Plan, included changes to the overall Operational Security Architecture
Developed and conducted training sessions to facilitate disaster recovery and business contingency planning by each business unit
Ensured adequate audit trails and logs were enabled on all relevant platforms for investigations of security-related incidents and compliance with ISO 27000 series and CoBIT standards
Key Accomplishments
Primary subject matter expert for 13 audits - successfully mitigated 100% of all outstanding findings within 90 days of final audit reports
Developed and implemented platform-specific security standards and business resumption plans for IT Infrastructure components – IBM 390 (RACF) security, distributed network, Unix/Linux systems, and Oracle and SQL databases – and for each line of business (LOB)
Texas Education Agency 1998 – 2000
Information Security Officer – Austin, TX
Mediated and negotiated for the 50 division directors within the Agency
Represented the Agency statewide at all inter-agency functions
Developed and implemented policies and standards to ensure Family Education Rights and Privacy Act (FERPA) privacy, confidentiality and availability of student information
Key Accomplishments
Contributed to the creation of a statewide set of Information Security Guidelines and Standards for all statewide agencies
Developed security standards and requirements to implement statewide Public Key Infrastructure (PKI), Virtual Private Network (VPN), Intrusion Protection Systems (IPS)
Motorola, Inc. 1996 – 1998
Program Director Consultant for Gilcorp, Inc. – Austin, TX
Created, developed and implemented strategies to re-engineer supported legacy applications from 40+ systems to 16 systems
Implemented Six Sigma business process improvement methodology - enabled technical mapping of all 40+ applications; identified customer requirements; developed and implemented re-engineering solutions
Key Accomplishments
Reduced supported applications by 60% - reduced annual maintenance and licensing fees by $150M
Re-allocated 30% of application maintenance personnel (25 FTEs) for new application and business development projects
Managed five teams in Austin, TX (38 programmers and analysts) and one team of system engineers and programmers in Phoenix, AZ (6 systems programmers and 2 system engineers)
Education
Appalachian State University, Boone, NC
Bachelor of Science in Business Administration: Management Information Systems
Oklahoma State University, Stillwater, OK
Master's Curriculum – Applied Behavioral Studies (Educational Psychology)
University of Texas at Austin, Austin, TX
Engineering Course – Encryption and Cryptographic Methods
Certifications
CISM (Certified Information Security Manager), 2004 through ISACA (status is current)
PMP (Project Management Professional), 2003 Allstate Workplace Division
TQM (Total Quality Management), 1996 VTEL Corp.
PM (Professional Manager), 1988, Oklahoma State University
Technical Skills
Operating Systems: Windows 20XX, AS400, DEC Vax VMS, Ultrix, IBM AIX and RISC 6000, IBM MVS/CICS/IMS, UNIX, Linux
System Tools: Active Directory, LDAP, ArcSight Security Event Management tool
Compliance Frameworks: ISO 2700X, ITIL, CoBIT, NIST, FISMA, SDLC (system development life cycle), PCI DSS, SOX, HIPAA, GLBA, and FERPA
Other: Capability Maturity Model (CMM) and Six Sigma process improvement; RACF; IP concepts, VPN (virtual private networks), Intrusion Prevention/Detection Systems (IDS/IPS), Firewalls, Data Loss Prevention (DLP), Logging and Monitoring, Routers, Switches, Hubs and eDiscovery; Oracle and SQL databases