
Information Security Systems

Location:
Washington, DC, 20011
Salary:
120
Posted:
December 27, 2023


Resume:

Kesy Amana

Cyber Security Compliance Analyst

Interim Secret Clearance

PMP, CISA, ISCAP, CISM, CEH, Security+, OCP, OCA

Phone: 202-***-****

Email: ad183i@r.postjobfree.com

PROFESSIONAL SUMMARY

My competencies are derived from over 11 years' experience in the IT field, working in both the private and government sectors. Success in developing and implementing information security and assurance programs in both federal and private organizations. Expertise in assessing internal/external security vulnerabilities of information systems across multiple business functions, PCI-DSS, ISO 27001, SOC 1, SOC 2, HITRUST, and NIST-based security programs. Planned and assisted with implementing and analyzing SOC 2 and SIG reports of third parties/vendors and other artifact request lists during a risk assessment. I have in-depth knowledge of cloud security tools such as tenant monitoring, Security Information and Event Management (SIEM - Splunk), virtual network overlays, and FedRAMP. I have also supported SOC operations by monitoring and analyzing network traffic, IDS alerts, and network and system logs. Experienced in reviewing vulnerability reports with developers, system admins, and engineers to remediate vulnerabilities identified from scans, and in creating a risk register and risk treatment plan to track the remediation process per classification (Critical, High, Medium, and Low). Strong experience and up-to-date knowledge in open systems, Windows, mobility, Internet and network security products and platforms, including user authorization, encryption tools and techniques, communication protocols, vulnerability assessments, data loss and penetration testing, and secure coding.

CORE COMPETENCIES

Experience using and analyzing technical assessment tools such as Nessus, McAfee Vulnerability Manager (MVM), Wireshark, Snort and Nmap. Also: Tenable Nessus, Active Directory; SIEM tools: Splunk, IBM QRadar; Oracle, JIRA, Confluence, ServiceNow, Remedy, Microsoft Office (Word, PowerPoint, Excel, Outlook, OneNote, SharePoint); Agile, DAY, Kanban board.

Third-Party Risk Analyst with years of experience in audit and controls and risk assessments, with in-depth knowledge of Sarbanes-Oxley (SOX), Information Technology General Controls (ITGC), and SSAE 18 attestation engagements.

I have adequate experience with government- and industry-related regulations/laws and reports that involve information security: ISO 270**-***** and FISMA/NIST SP 800 series (18, 37, 40, 53, 53 Rev4, 60, 70, 115, 122, 171), FIPS 199 & 200.

Prepared documentation such as Risk Assessment Reports (RAR), System Security Plans (SSP), Security Assessment Reports (SAR), SRTM, ST&A, SOPs, Contingency Plans, Incident Response Plans, Configuration Plans, and Plans of Action and Milestones (POA&Ms) to ensure compliance with government security policies and procedures, using tools like CSAM, eMASS, Xacta, SAP GRC and RSA Archer eGRC.

I have planned, coordinated, and facilitated internal and third-party audit engagements for SOX, SOC 1, SOC 2, HIPAA, CCPA, GDPR, COBIT and ITIL.

Problem-solving skills in identifying issues and determining the accuracy and relevance of information, using sound judgment to generate and evaluate alternatives and make recommendations.

Effectively assess the cyber security controls on cloud systems, help identify potential vulnerabilities, and provide recommendations to strengthen the security posture of the organization's cloud infrastructure.

PROFESSIONAL EXPERIENCE

Information Security Assessment (IT auditor) July 2018 – Present

Washington DC

Valiant Solutions, LLC (JEA- energy company and Ameris Bank)

Successfully performed all key job functions of the Senior Auditor role at a higher level of complexity, scope, and autonomy.

Assisted with coordinating and administering assignments, monitoring the progress of the audit team, and managing budgets and schedules.

Served as the day-to-day project leader for audits, ensuring projects were completed on-time, within scope, and within budget.

Identified risks and assessed the potential impact on the organization, using a risk-based approach to develop and adjust audit plans as appropriate, and determining areas requiring additional analysis.

Reviewed and finalized my own staff work papers and deliverables in collaboration with the IT Audit Manager/Director.

Reviewed and finalized audit reports with the IT Audit Manager/Director.

Tracked the results of prior audits and facilitated appropriate corrective action.

Continually strengthened and improved the governance, risk, and control environment of the organization, acting as a key driver of change within Internal Audit and across the organization.

Provided day-to-day project management oversight to other IT Auditors, offering project guidance and informal coaching.

Conducted the first-level review of work and documentation, leveraging guidance from the IT Audit Manager/Director as needed.

Communicated project team and audit objectives, inspired and motivated team members to achieve results.

Built and maintained relationships with business partners, providing advice and sharing Internal Audit knowledge to strengthen governance, risk, and control environments, as appropriate.

Involved in Due Diligence to determine risk and security posture of Vendors during the onboarding.

Worked with vendors in remediating findings discovered during the onsite/virtual assessment.

I am proficient with the SIG Core, SIG Lite and Customized Questionnaire.

Performed continuous monitoring by assessing tools during onsite visits to validate the security questionnaires filled out by the vendors to ensure protection of data at the vendor sites.

Engaged in continuous risk assessments and monitoring of key cyber-related risks confronting the organization.

Worked closely with vendor POCs to obtain SIG/VSQ responses.

I have reviewed and analyzed vendors' SOC reports and evidence.

I have reviewed all controls at the vendor site to ensure data confidentiality.

I have a broad knowledge of IT implementations, including key challenges and methodologies.

Experienced with multiple industry regulations and related compliance frameworks.

Recommended actions to resolve or mitigate known weaknesses, or preventive measures and safeguards for potential threats.

I have experience in creating, reviewing, and validating the SSP, IRP, CP, CMP, DRP, ISA, MOU, MOA, PNA/PIA, E-authentication, COOP and SIA.

I ensure that data security and client privacy are maintained in accordance with the Privacy Act of 1974 and privacy program, HIPAA, HITRUST and CCPA.

Maintained situational awareness through notification of enterprise security issues, solutions, projects, and plans that may impact the assigned systems.

Oversee the development of a variety of Security Authorization deliverables including System Security

Strong background in all stages of the auditing process, including planning, fieldwork/execution/risk assessment, reporting and follow-up.

Developed audit plans and programs to evaluate control areas on projects such as financial statement audits, SOX testing, and SAS 70/SSAE 18.

I have reviewed information security audit reports such as SOC 1 or SOC 2 reports and SIG questionnaires to make sure they comply with the company's control standards.

Conducted Sarbanes-Oxley (SOX) testing of all the IT General Controls within the audit scope, to test the strength, effectiveness, and weaknesses of the control environment.

Created final audit reports and oversaw implementation of corrective action plans, while maintaining communication with all levels of management.

Expertise in working in a queue to support Jira/Confluence daily.

Information Security Analyst/GRC Analyst April 2016 – July 2018

Emagine IT (JEA - energy company), Fairfax, VA

Created final audit reports and oversaw implementation of corrective action plans, while maintaining communication with all levels of management.

Performed evaluation of policies, procedures, security scan results, and system settings to address controls that were deemed insufficient during Certification and Accreditation (C&A) and continuous monitoring.

Knowledge of cloud security tools such as tenant monitoring, Security Information and Event Management (SIEM - Splunk) and virtual network overlays.

Conducted FedRAMP Readiness Assessments and reviewed ATO packages for FedRAMP cloud environments.

Facilitated remediation for any third-party related operational issues as needed. Performed walk-through and detailed testing of controls to determine if controls are properly designed and operating effectively.

I have provided guidance in the development of appropriate corrective measures to resolve control compliance issues as they arise.

I have carried out duties as assigned to maintain the reputation of the organization as a viable business partner.

I have internally assessed, evaluated, and made recommendations to management regarding the adequacy of the security controls for the client's information systems.

Provided ongoing monitoring for third-party risk due diligence. Participated in IT-specific and integrated third-party audits, and assisted in other audit projects/tasks as requested by management.

Provided services as a security controls assessor (SCA) and performed as an integral part of the Assessment and Authorization process, including A&A scanning, documentation, reporting and analysis requirements.

Worked in a team to assess the selected security controls and update the SAP and ROE, where vulnerability scanning and penetration testing procedures are included in the assessment.

Assessment findings are reflected in the RTM or test case, and all weaknesses noted are reported in our SAR. Knowledge of SANS 20 and ISO 27001 security controls and their mapping to NIST.

Have good experience resolving gap analysis issues, working through the process to reach the desired goal of the organization.

Reviewed current technology and information policies and practices for continued applicability with respect to commercial and R&D business programs, and provided recommendations for improvements. Conducted continuous monitoring and analysis of security threat information and event logs via IBM QRadar Forensics and Vulnerability Manager content development and use cases.

Performed monthly automated scans of the online applications in production using WebInspect, followed by report presentation.

Worked with Security Operations Center (SOC) analysts to make sure intrusion detection and prevention systems (IDS/IPS) such as Snort analyze and detect worms and vulnerability exploit attempts, and performed IDS monitoring and management using Security.

Experience with eGRC tools such as RSA Archer to ensure secure and prompt communication of findings, deployment of questionnaires to vendors, and tracking of vendor progress on remediation.

Escalated issues of third-party vendors' non-compliance to the vendor risk management office (VMO).

Worked closely with management and product development team to effectively plan the delivery of software solutions and develop stories.

Provided guidance to the team, helping them along the process of self-governance so they can realize the impact of Agile Scrum frameworks.

Involved in due diligence to determine the risk and security posture of vendors during onboarding.

Security Control Assessor/ Vendor Risk Analyst January 2014 – February 2016

Skytech Inc (United States Patent and Trademark Office), VA

Conducted Security Test and Evaluation (ST&E) assessments and populated the Requirements Traceability Matrix (RTM) based on NIST SP 800-53A.

I have developed, implemented, and maintained policies, procedures, standards, and guidelines per applicable regulations including NIST 800-171 framework controls, ISO 27001, GDPR, CCPA, PCI DSS, NIST, HITRUST and HIPAA.

Provided support and security guidance for IT systems, risk mitigation management, security policy development, and FISMA compliance oversight and reporting.

Reviewed services provided by vendors and defined the scope of assessment based on the Standard Information Gathering (SIG) questionnaire.

Interviewed system administrators to assist in generating custom reports and/or artifacts in support of the A&A process.

Worked with vendors in remediating findings discovered during the onsite/virtual assessment.

Experienced in reviewing vulnerability reports with developers, system admins, and engineers to remediate vulnerabilities identified from scans, and in creating a risk register and risk treatment plan to track the remediation process per classification (Critical, High, Medium, and Low).

I have up-to-date knowledge of cyber threats through researching top vulnerability database websites, the National Vulnerability Database, and the OWASP Top 10.

Strong background in all stages of the auditing process, including planning, fieldwork/execution/risk assessment, reporting and follow-up.

Developed audit plans and programs to evaluate control areas on projects such as financial statement audits, SOX testing, and SAS 70/SSAE 18.

Conducted Sarbanes-Oxley (SOX) testing of all the IT General Controls within the audit scope, to test the strength, effectiveness, and weaknesses of the control environment.

Performed assessments of IT General Controls (ITGC) such as access control, change management, IT operations, disaster recovery and job scheduling.

Scheduled kick-off meetings with system owners to help identify the assessment scope, system boundary, and information system category, and to obtain any artifacts needed to conduct the assessment.

I am proficient with the SIG Core, SIG Lite and Customized Questionnaire.

Assisted in conducting risk assessments on the organization's various assets within the system boundaries and documented the vulnerabilities.

Analyzed vendor evidence such as SOC reports, vulnerability scans and penetration test reports to identify gaps or exceptions.

Planned and executed onsite/virtual risk assessments for third-party vendors, focusing on compliance with regulations, policies, and internal controls.

Provided ongoing monitoring for third-party risk due diligence. Participated in IT-specific and integrated third-party audits, and assisted in other audit projects/tasks as requested by management.

Cyber Security Engineer November 2008 – December 2013

Ethiopian Airlines

Hands-on experience with various approaches to grey-box and black-box security testing.

Responded to inquiries/issues from end users related to Active Directory.

Experience with network and security technologies such as Firewalls, TCP/IP, LAN/WAN, IDS/IPS, Routing and Switching.

Provided detailed reports of assessments to business owners and the vendor management office.

Experienced in using and analyzing technical assessment tools such as Nessus, McAfee Vulnerability Manager (MVM), HP WebInspect, AppDetective, Wireshark, Nmap, and Splunk.

Identified issues in session management, input validation, output encoding, logging, exception handling, cookie attributes, encryption and privilege escalation.

Responsible for reviewing application source code for web application vulnerabilities (OWASP Top 10, SANS 25) such as CSRF, XSS, SQL injection, and privilege escalation, and recommending remediation.

Managed firewalls and IDS/IPS, and built out security infrastructure including vulnerability scanning and SIEM.

Identified the Critical, High, Medium, and Low vulnerabilities in the applications based on the OWASP Top 10.

Experienced in detecting SQL injection, XML injection, techniques to obtain command prompts on servers, PDF exploits, HTTP response splitting attacks, CSRF, and web services vulnerabilities.

Compiled detailed investigation and analysis reports for internal SOC consumption and delivery to management.

I have conducted vendor risk assessments, with a focus on information security and privacy. Configured user creation, roles, and privilege profiles to control access to database objects.

Experienced in Backup & Recovery, Disaster Recovery options, Oracle Recovery Manager (RMAN).

Experienced in delivering Oracle Database performance-tuning services for customers with EXPLAIN PLAN, TKPROF, AWR reports, OEM Grid monitoring and custom scripts, and in troubleshooting Oracle databases using the SQL trace utility.

Supported SOC operations by monitoring and analyzing network traffic, IDS alerts, network, and system logs.

Security technologies/tools:

Vulnerability Management: Qualys, Nmap (open ports), Tenable, Wireshark, Burp Suite, AppDetective, WebInspect, Rapid7, Microsoft 365 Defender and Nexpose.

Security frameworks and/or methodologies: PCI DSS, HIPAA, GDPR, MITRE ATT&CK, NIST, ISO 27001, SOC 1, SOC 2, HITRUST, NERC, SOX, CIS Controls, NIST 800-171, CCPA, COBIT, ITIL and SANS 20.

SIEM: SolarWinds, Splunk, IBM QRadar.

GRC and ISMS: ServiceNow, Jira, Confluence, RSA Archer, eMASS, CSAM, Agile

Ticketing solutions: Remedy

EDR/MDR: CrowdStrike and Symantec

Pentest: Metasploit, Burp Suite

AWS Monitoring: SNS, AWS CloudWatch Logs and events, CloudTrail, VPC flow logs, S3 Access logs.

Antivirus software: Cisco, Palo Alto Networks, and McAfee

Operating system: Windows, Kali Linux

Education

Bachelor’s degree in Mathematics & Computer Science - University of Buea

Master’s degree in Information Management - Grand Canyon University (Arizona)

Certifications/Training

Oracle Database Certified Professional (OCP) 11g, 12c by Oracle Institute.

SQL Certified

CompTIA - Security +

Certified Authorization Professional (ISCAP) by Mile2

Certified Ethical Hacker (CEH) by EC-Council

Certified Information Systems Auditor (CISA) by ISACA

Certified Information Security Manager (CISM) by ISACA

Project Management Professional (PMP) by PMI

CISSP in progress

Security Clearance:

Active Public Trust issued by DOC (US Citizen)