Summary highlights
An accomplished, result-oriented person with a broad base of knowledge and extensive experience in RISK MANAGEMENT (OPERATIONAL, ENTERPRISE, INFORMATION and SUPPLIER), BUSINESS ANALYSIS and PROJECT MANAGEMENT in all sectors. My focus is on Sarbanes-Oxley 404, system security monitoring and auditing; risk assessments; audit engagements; testing information technology controls; and developing security policies, procedures and guidelines.
Develop and conduct ST&E (Security Test and Evaluation) according to NIST SP 800-53A and NIST SP 800-53R4
Ability to multi-task, work independently and as part of a team
Strong analytical and quantitative skills
Effective interpersonal and verbal/written communication skills
Ability to perform management, operational, technical and privacy security control assessments and reviews.
Develop, review and evaluate System Security Plan based on NIST Special Publication
Ability to generate residual risk report in order to update POA&M
Perform Certification and Accreditation documentation in compliance with company standards.
In-depth knowledge of COSO, COBIT, ISO, PCI-DSS and HIPAA frameworks
Have excellent analytical skills
Have effective written and verbal communication skills
Professional Experience & Key Achievements
US Small Business Administration [Washington, DC]
IT Security Analyst November 2014 to February 2017
Update IT security policies, procedures, standards, and guidelines according to private and federal requirements.
Prepare and submit Security Assessment Plan (SAP) to ISSO for approval
Develop and update system security plan (SSP) and plan of action and milestone (POA&M)
Create reports detailing identified vulnerabilities and the steps to remediate them
Work with various stakeholders to remediate vulnerabilities and to resolve and close past findings (POA&Ms)
Review event logs
Conduct Security Test and Evaluation (ST&E) on both systems and facilities
Develop Security Assessment Report (SAR) for both systems and facilities
Participate in change management and Plan Of Action and Milestone (POA&M) meetings
Perform vulnerability assessments, making sure that risks are assessed and evaluated and that proper actions have been taken to limit their impact on the information and information systems
Perform risk analysis, including risk assessments
Developing, analyzing and implementing security specifications in line with NIST, FISMA
Performing vulnerability checks on desktop computers
Responsible for developing a security authorization package consisting of: (i) System Security Plan (SSP), (ii) System Assessment Report (SAR), and (iii) Plan of Action & Milestones (POA&M)
Gather evidence for the Authorization to Operate (ATO) process
Using NIST SP 800-60 & FIPS 199, determine the system categorization for organizations by evaluating information types and then relate them to the security objectives (Confidentiality, Integrity, & Availability)
US Food & Drug Administration [Rockville, MD]
IT Audit Security Compliance and Risk Analyst May 2012 to Nov 2014
Conduct kickoff meetings in order to categorize systems as Low, Moderate or High according to NIST requirements.
Develop a security control baseline and plan that was used to assess and implement security controls.
Conduct security control assessments to assess the adequacy of the management, operational, privacy, and technical security controls implemented. Security Assessment Reports (SAR) were developed detailing the results of the assessment along with Plans of Action and Milestones (POA&M).
Develop System Security Plans that provide an overview of federal information system security requirements and describe the controls in place, or to be put in place, to meet those requirements.
Create and update the following Security Assessment and Authorization (SA&A) artifacts: FIPS 199, Security Test and Evaluations (ST&Es), Risk Assessments (RAs), Privacy Threshold Analysis (PTA), Privacy Impact Analysis (PIA), E-Authentication, Contingency Plan, Plan of Action and Milestones (POA&Ms).
Prepare Security Assessment and Authorization (SA&A) packages to ascertain that management, operational and technical security controls adhere to NIST SP 800-53 standards.
Perform vulnerability assessments, making sure risks are assessed and proper actions are taken to mitigate them.
Conduct IT controls risk assessments, including reviewing organizational policies, standards and procedures and providing advice on their adequacy, accuracy and compliance with industry standards.
Develop risk assessment reports that identify threats and vulnerabilities, evaluate the likelihood that vulnerabilities can be exploited, assess the impact associated with those threats and vulnerabilities, and identify the overall risk level.
H.G.A Quest [Garden City, NY]
IT Compliance Analyst Sept 2010 to May 2012
Perform IT risk assessments and document the system security key controls.
Developed a Plan of Action and Milestones (POA&M) dashboard to monitor and report on information system weaknesses
Perform the Assessment & Accreditation (A&A) on General Support Systems (GSS), Major Applications and Systems to ensure that such environments are operating within a strong security posture
Perform Security Assessments to determine if controls were implemented correctly, operating as normal and meeting desired objectives
Perform security risk assessments and develop security risk mitigation
Develop, review and update Information Security System Policies, System Security Plans (SSP), and Security baselines in accordance with NIST, FISMA and industry best security practices
Developed and updated security plan and POA&M
Develop systems that assist the organization in securing the CIA through categorization and selection of controls using NIST SP 800-60, SP 800-53 and FIPS 199 and 200
Review and update System Security Plans (SSPs), and develop SSPs and supporting artifacts for systems and applications: Risk Assessment Reports (RARs), contingency plans and tests
Conducted risk assessments on the organization's various assets within the system boundaries and documented the vulnerabilities
Identified deficiencies, developed remediation plans, and presented final results to the IT Management team for various organizations
Analyze security reports for security vulnerabilities in accordance with the organization's Continuous Monitoring Plan and NIST SP 800-137
Westat [Rockville, MD]
Database Analyst (Contractor) Dec 2008 to Aug 2010
Successfully coordinated installations and configurations, and updated workstations to meet industry standards
Granted users their resources by creating profiles and managing sessions, privileges and roles
Monitored database for security, performance tuning, backup and recovery
Installed and configured Oracle 10g/11g software on Linux
Upgraded several databases from Oracle 10.2.0.1 to 10.2.0.4/11.1.0.6
Worked closely with the developers in resolving performance issues and implementation process
Installed and created Oracle databases, tablespaces, redo logs and multiplexed control files; created SQL DDL and DML scripts; helped developers in testing their scripts and implementing code.
Installed and configured tax and accounting software to connect to the Oracle database.
Performed backups, restores and recovery. Used Data Pump and regular export to export and import database schemas between different environments.
Refreshed development and test databases with up-to-date data from production
Analyzed database failures and identified corrective actions for local database users
Troubleshot and researched database issues related to operating system performance.
Resolved query performance, space management, backup and recovery issues, and other database errors.
Communication in this role was vital, as I interacted with individuals at various levels concerning technical issues related to database standards.
Responsible for the administration of our test and development databases and also promoted scripts to production databases.
Certification and education
Four-year Bachelor of Science in Business Administration (Accounting)
Certified Six Sigma Master Black Belt (CSSMBB)
Oracle Certified Associate (OCA)
Technical skills
Security Technologies: CSAM, McAfee Vulnerability Manager (MVM)
Systems: Unix-based systems, Windows 9X/NT/2000/XP
Networking: LANs, WANs, VPNs, Routers/Switches, Firewall Security, TCP /IP
Software: MS Office (Word, Excel, PowerPoint, Access, Outlook)
Databases: MySQL, Access, SharePoint, SQL*Loader, SQL Developer, Oracle Enterprise Manager