Management Security

Location:
Gaithersburg, MD
Posted:
August 08, 2016

Resume:

SIDNEY THOMPSON

***** *********** **. *** #***, Gaithersburg, MD 20879 240-***-**** acv2yr@r.postjobfree.com

SUMMARY

I am a well-seasoned IT corporate executive with a proven track record of innovative, out-of-the-box strategies for getting mission-critical objectives accomplished ahead of schedule and within budget. I have significant experience in the IT Management, Business Systems/Re-Engineering, and Senior Systems Management & Security Management arenas, including expert knowledge of the SABSA framework methodology. I am a true self-starter, having successfully started my own company and guided its growth over 10 years to 300 employees serving 5000+ clients, prior to selling it in 2008. I am well versed in agile methodologies, business-centric IT strategies, and risk-averse stewardship. Experienced in providing guidance and mentorship to my reports while leading by example. I am an expert at formulating a strategic enterprise approach while simultaneously directing alignment of IT security policy and governance strategies. I am an expert at complementing and enhancing the enterprise's business processes and strategies by leveraging current technology to support, sustain and improve the desired corporate strategy. I give direction to Business Process initiatives, aligning IT Enterprise Management initiatives to securely and efficiently sustain them. Always aware of IT Security Compliance requirements. Policies such as ITSM, the ITIL framework, FISMA 27001, the NIST 800-X family of standards, HITECH, FedRAMP, PCI DSS, the OWASP and ISC2 top 10, regulatory compliance, HIPAA, FERPA, SOX, and GLBA compliance are among my specialties. I am experienced in establishing and managing Governance Committee priorities, consulting, and developing and writing policy from scratch utilizing established frameworks. I have successfully directed major enterprise-wide SaaS, PaaS, and AWS cloud strategic initiatives for the Banking, Mortgage, Health Insurance and IT Security industries, resulting in higher throughput and improved enterprise-wide security at significant cost savings to the enterprise.
While an expert in the NIST SP 800 family guidelines, I am also an expert in the often-overlooked NIST SP 500 family frameworks for Cloud, Big Data & emerging technologies, for example NIST SP 500-298 and 500-299 (NIST Cloud Computing Security Reference Architecture).

Richard S. Carson & Associates & The SAINT Corporation, Bethesda, MD

IT Security Director & IT Security Program Manager 01/2016 – Present

As IT Security Director I advised on, developed and implemented a robust IT security posture for Carson's internal infrastructure. As a security and management consultation entity, Carson's own security posture had to be beyond compromise. I was hired directly by Mr. Richard S. Carson after discussing my master's thesis on the need for behavioral analytics to be integrated within future SIEM strategies. I was hired to ensure our own IT security complexion was one that demonstrated a solid and robust proactive approach to IA, VA, SAA, IR, and VMS. I relied upon my innovative style of approaching Threat Intelligence, Vulnerability Analysis, Security Controls and compliance, all synergistically enveloped within the Confidentiality, Integrity and Availability precepts of our organization.

As the IT Security Program Manager, I travelled offsite in support of projects managed by Carson and SAINT for various private and federal clients. My duties included, but were not limited to, meeting with Carson staff supporting these clients to determine the status of ongoing projects, address potential future issues, and get an overall status report on each project. I managed the budget and scope of projects to ensure off-site staff were complying with SLAs as written, and met regularly with major stakeholders, data owners and other principals in order to ensure clients' needs were being addressed, using such meetings as a means of determining whether there were other Carson services that might be of benefit to the client.

(Part-time Adjunct Professor of Information Assurance & Information Security at ITT Technical Institute.) Beginning in June 2016, I have been offered a part-time position with ITT to help promote and teach the fundamental principles of INFOSEC to students in the bachelor's program. I will be focusing on teaching SSDLC for application development and compliance principles to address myriad state, federal and industry regulatory requirements, for example PCI DSS, FedRAMP, FISMA, HIPAA, SOX, GLBA and NIST, among others.

Xerox, Elkridge, MD 05/2015 – 01/2016

IT Security Principal

I support the State of Maryland's DHR by ensuring all EPII & PII information is secured. The state maintains distributed offices needing to interact and exchange vast amounts of data between state and federal agencies, for example CSEA, OHEP, OTHS, CARES and the IRS. POA&Ms, SIAs, and COOPs must be developed, maintained or improved. I am expected to act as an advisor, liaison, and technical SME to ensure our reporting, detection and, if necessary, remediation and recovery processes and procedures are valid and effective; above all, offering recommendations with respect to myriad SOPs, policies & standards, among them KRI, RMF, NIST SP 800-53 r3 & r4, NIST SP 800-137 for CM, FISMA, ITL, ITIL/ITSM v3, and ISO/IEC 27001. Among the many tools and reports I review and/or use daily are Remedy, Nessus, LogRhythm, Symantec Endpoint Protection Manager, CA Clarity Project Management Software, and Vanguard & Attachmate (used primarily in support of RACF, CICS and the legacy environment). I am expected to continually evaluate, and proactively strategize for, solutions to current and emerging vulnerabilities. I work directly with users, data owners, business unit stakeholders, and technical engineers/administrators. Although to a lesser degree, I am also involved with the Avamar deduplication backup software and system. In my role as Principal Security Technical and Compliance Liaison, I am relied upon to ensure business, technical, and regulatory considerations adhere to the tenets of Confidentiality, Integrity, and Availability of DHR's assets. I have knowledge of, with limited experience using, SharePoint and CSAM in regard to identity and access management. I report to both the CISSO and CIO.

Dovel Technologies, Rockville, MD 2014 – 01/31/2015

IT Systems Security Integration Consultant / ISSO (6-month contract, completed in 5 months with bonus)

After thoroughly interviewing the various business, IT, development, and operations units, I developed a complete 'from the ground up' approach to addressing the severely overlooked vulnerabilities, threats, risks, and compliance shortfalls. This was done utilizing my experience with the SABSA model to initiate a business-driven, IT-collaborative strategy in place of what had initially been chosen by others: a purely technology-centric solution.

Responsible for ensuring projects move from development to Integration, Stage, and Production in a standardized, secure manner. Consulted on needed improvements to the SDLC process from a security standpoint, e.g. requirements/compliance, design, code, test, deploy, maintain; for example, ensuring input validation, XSS and SQL injection, SQL string-building, phishing vulnerabilities and more are addressed.
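The SQL string-building and XSS items named above, shown as an added illustration rather than code from the candidate or any of the employers on this page. The table, user names and password hashes are constructed for the example, the allow-list username policy is an assumed one, and the whole thing runs against an in-memory SQLite database so the bypass is observable offline:

```python
"""
Added illustration (not the candidate's code): a login query built by string
concatenation beside its parameterized fix, plus the input-validation and
output-encoding checks that belong in the same SDLC review.
"""
import html
import re
import sqlite3

# Constructed sample data; names and "hashes" are invented for the demo.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-password"),
    ("bob", "hash-of-bob-password"),
]

# Assumed allow-list policy for usernames: letters, digits, _ . - up to 32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db():
    """Create the constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, pw_hash):
    """BAD: the statement text is assembled from untrusted input, so a quote
    and a comment marker in `name` rewrite the WHERE clause."""
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '%s' AND pw_hash = '%s'"
        % (name, pw_hash)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, name, pw_hash):
    """GOOD: bound parameters keep the input as data; it never becomes SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE name = ? AND pw_hash = ?",
        (name, pw_hash),
    ).fetchone()
    return row[0] > 0


def validate_username(name):
    """Input validation: reject anything outside the assumed allow-list."""
    return bool(USERNAME_RE.match(name))


def render_greeting(name):
    """Output encoding for the XSS case: escape before placing in HTML."""
    return "<p>Welcome, %s</p>" % html.escape(name, quote=True)


def demo():
    """Run both login paths against the same injection payload."""
    conn = make_db()
    # The trailing "--" comments out the password check in the string-built query.
    payload = "alice' --"
    return {
        "vulnerable_bypassed": login_vulnerable(conn, payload, "wrong"),
        "safe_bypassed": login_safe(conn, payload, "wrong"),
        "validator_rejects_payload": not validate_username(payload),
        "legit_login_works": login_safe(conn, "alice", "hash-of-alice-password"),
    }


if __name__ == "__main__":
    print(demo())
```

With the payload above, `login_vulnerable` returns True with a wrong password because the query collapses to `WHERE name = 'alice'`, while `login_safe` returns False; the allow-list validator rejects the payload before it reaches either query, and `render_greeting` neutralises script tags in the username on the way back out.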

Created IT security policy from scratch. Among the security policies defined, created and written are: risk assessment methodologies; asset quantitative and qualitative prioritization; access control policies and recommended controls to ensure compliance with FISMA and NIST SP 800-53; data and information categorization, classification and declassification policies; change management controls and change control policies; configuration management; and establishment of baselines.

Incident Response Policy, including but not limited to: assignment/escalation of responsibilities and controls; response prioritization and determination controls; breach detection, response, reporting, recovery, remediation and review (including lessons-learned updates); and a controlled information dissemination policy or media management policy.

Responsible for developing documentation and standardized policies for on-boarding and off-boarding employees, deployment procedures, and IR, RA and AC policies from scratch; Zabbix, Red Hat JBoss, workflow, data collection and affiliated dashboards. Configuration management and change control management experience.

Monitoring and addressing environment issues via Zabbix, Nessus monitoring, Tripwire, Jira, SVN, McAfee, Rapid7, and JManage tools, e.g. the web and JMX consoles for application management.

Patching and re-imaging AWS servers in an EC2 environment. Performing pen testing via Metasploit & Meterpreter scripting, Nmap, sqlninja, BackTrack, and various other tools, including aggregated SIEM ruleset definition and evaluation of Splunk dashboards; Tripwire and Configuration Management DB (CMDB) experience. Familiar with white-hat, grey-hat, and authorized ethical black-hat pen testing.

Updating deployment plans using a wiki; creation of Security SDLC policies and standards; dynamic code analysis using the Veracode security kit for dynamic, static and injection vulnerabilities. Compliance assurance analysis, privacy, risk analysis, and Unified Compliance Framework (UCF) knowledge and experience.

Keeping abreast of the latest vulnerabilities and remediation strategies to address them, e.g. POODLE, Heartbleed (OpenSSL), SQL injection, APT. Most recently installed and evaluated additional SIEMs including Splunk, Rapid7 UserInsight, and others. Research by using SANS, Symantec CVE, McAfee SNS, Mandiant, Ars Technica, and other IT security journals and vulnerability notification resources.

HWP LLC, Gaithersburg, MD 2008 – 2014

IT Security Manager/ IT Director

Managed the development, testing and integration of SIEM procedures and policies, and reviewed McAfee ePO vector trends, keeping informed of threats and vulnerabilities in the wild by subscribing to SANS, Mandiant, OWASP, TruSecure, and others.

Supervised the performance of security gap analyses, white-box pen testing, and security forensics post-mortem evaluations. Some limited experience using Hadoop & HDFS, and R for analytics and BI.

Compliance and audit verification with respect to varied germane frameworks, including PCI DSS, FISMA, FedRAMP, the NIST SP 800 family, and the NIST SP 500 family.

Relentless leadership in the improvement, strategic business-process alignment and implementation of security policy governance compliance, ensuring auditing success and strict regulatory compliance direction, while ensuring excellent ROI on enterprise IT investments and strict adherence to CAI security initiatives.

Provide technical leadership to maximize efficient use of the IT infrastructure, leveraging open source tools, cost-effective processing mechanisms including virtual clustering, and BI analytics.

Oversee all aspects of marketing, both brick-and-mortar and internet-based, while ensuring PCI DSS compliance.

I make use of my former systems engineering background and Linux security experience to ensure junior staff are well trained and equipped to make maximum use of IT tools, IT security tools & technologies, and network security initiatives including IPsec, SSL, and VPN. Prepared a security training syllabus and guidelines pursuant to NIST SP 800-50, among other guidelines as required.

Directed, reviewed, and ensured the configuration of systems for the NIST SP 800-53, 800-30 and 800-137 family and FISMA 27001, ensuring smooth auditing & continuous monitoring without sacrificing the tenets of confidentiality, data integrity, and process availability.

Some tools used daily include: Metasploit, BackTrack, Tenable Network Security SecurityCenter CV, LogRhythm, ArcSight, Tripwire, Snort, Nessus, Nmap, Zenmap, EnCase, FTK, Digital Forensics Framework (DFF), P2 Commander, Qualys.

BBN Technologies, Columbia, MD 2005-2008

Lead Systems Engineer, Support Agent Tier 2 and Tier 3 Escalations Management / IT Director

Directed a contract to provide help desk technical support to AOL and BellSouth Internet DSL customers, while assuming responsibility for the entire IT infrastructure's security in accordance with NIST and OWASP best practices and compliance standards.

Mid- to large-size enterprise specialist, assigned clients of 290 up to 5000 nodes.

Managed a staff of 33 reports and an annual budget in excess of 27M.

Excellent communication, organizational, and time management skills, along with a keen sense of project prioritization and business management skills.

Required a clear understanding of TCP/IP, bonding, VLAN tagging, IP and port redirection, among myriad other technologies and management systems.

Served as SME to clients and C-level management.

Federal Compliance SME

DIGICON Corp, Bethesda, MD 2003-2005

Senior IT Lead UNIX Systems FAA & NIH Contractor

I worked as a contractor setting up, troubleshooting, repairing and installing systems for the FAA and NIH.

UNIX and Windows Systems Administrator.

Assisted in installing software and applying patch upgrades for campus computers.

NIH Systems and Network Analyst and Consultant (DIGICON Corp.)

DIGICON Corp, Bethesda, MD 1995-2002

UNIX Specialist IV

Obtained information to diagnose system problems, networking bottlenecks or points of degradation, and resolved them.

Documented client accounts in computer system with scheduling information and collection activity according to company policy.

Reviewed systems to determine security requirements and potential loopholes, and designed appropriate methods for system resolution.

Analyzed network activity to determine trends for denial of system services, and took the initiative to write proactive system tools to perform automatic administrator alerts.

EDUCATION

Georgetown University, Washington, DC 2015

Master of Science in Information Systems Security, Technology Management & Cyber Security Management

With concentrations in Health Technology Security, Business & Big Data Technologies

GPA 3.867/4.00

ITT Technical Institute, Chantilly, VA 2014

Bachelor of Science in Information Systems & Cyber Security (with Honors)

GPA 3.98/4.00

ITT Technical Institute, Chantilly, VA 2011

Associate of Applied Science in Computer Networking Systems (with Honors)

GPA 3.97/4.00

Recipient of the Highest Honors Award all years of attendance, Graduating with Special Honors

SKILLS, INTERESTS AND OTHER INFORMATION

President of the OWASP (Open Web Application Security Project) Georgetown University chapter.

Currently registered and completing CEH, CISM, CISSP certification programs.

Native speaker of English and Spanish, with a strong interest in learning Mandarin.

Trans-disciplinary: literacy in and ability to understand concepts across multiple disciplines.

Virtual collaboration: ability to work productively, drive engagement, and demonstrate presence as a member of virtual teams.

Sense-making: ability to determine the deeper meaning or significance of what is being expressed.

Social intelligence: ability to connect to others in a deep and direct way, to sense and stimulate reactions and desired interactions.

Cross-cultural competency: ability to operate in different cultural settings. I am also fluently bilingual.

Cognitive load management: ability to ingest and filter information for importance, and to understand how to maximize cognitive functioning using a variety of tools and techniques.

Novel and adaptive thinking: proficiency at thinking and coming up with solutions and responses beyond that which is rote or rule-based.

Computational thinking: ability to translate vast amounts of data into abstract concepts and to understand data-based reasoning.

New media literacy: ability to critically assess and develop content that uses new media forms, and to leverage these media for persuasive communication.

Design mindset: ability to represent and develop tasks and work processes for desired outcome.

Excellent Communication Skills: ability to communicate effectively, even the most esoteric and highly technical details, in a manner easily understood by all audiences, both highly technical and non-technical.

MS in Information Systems Security Management, with a concentration in Business IT Management, and Health Systems Security Management.

Strong fluency with large enterprise networks, ITSM, UNIX and Linux systems, including Red Hat, CentOS, HP-UX, Solaris and AIX.

Cloud Technology, AWS, EC2, VPN, SSL, CRM, UTM, UC, ITIL, DR, BCP, BIA, IDS/IPS, DDoS, Cisco, Juniper, Scrum, SaaS, Document Management Systems, Collaboration and Communications Technologies, M2M, Cybersecurity, Compliance, and Business Continuity, Defense in Depth, SSO, Two-Factor Authentication, Business Structured Analytic Techniques, Operational Intelligence, Big Data & Big Data Security Research, Cloud Data Security Research.

Growing companies often face a critical hurdle: how to scale operations to keep pace with expansion. This typically leads to upgrading or adopting new systems to handle the increased operational workload. When transitioning to a new platform, integration is critical. Implementing new systems can result in data fragmentation, with transactional and customer information making its way into multiple locations, often in pieces. This can have a major impact not just on customer service, but also on your ability to stay compliant in all areas of your business. My background in IT, Business Management, IT Security, IT Policy and Governance, coupled with my unique leadership skills, is perfectly suited not just to correct such situations, but to avoid them to begin with. I am an expert in ITIL, FISMA R3 & R4, FIPS 199, PIA, PTA, SSP, C&A, SA&A, COBIT, COTS, HIPAA, NIST SP 800-53, 66, 30, 92, 37, 14, 122, 50, 100, 61, 137, ISO/IEC, FISMA 27001, HITECH, FedRAMP, NIST SP 500-298 and 299, PCI DSS, FERPA, SOX, GLBA, among other federal, state, and municipal compliance requirements.

Other companies and organizations I have worked for in the past include:

American Society of Civil Engineers (ASCE), New York, NY; Chemical Bank, New York, NY; CAC, MD; Prudential Home Mortgage, MD; United Health, MD; Claims Administrators Corp; Verizon.

Some limited experience utilizing Splunk*, Hadoop*, HDFS, Cassandra, ZooKeeper, Puppet*, R & MapReduce, SolarWinds SIEM, Bit9 Carbon Black SIEM, Rapid7 security suites (installed and evaluated only).

* I have used these tools in school, and will give special consideration to organizations using or considering any of them; included among them are Splunk, Hadoop, Puppet and other Business Intelligence tools and workflow management strategies.
