Risk Management Framework

Location:
Congers, NY
Salary:
145k
Posted:
November 21, 2023

Resume:

ROSALYN DELALI MAHU

New York, NY

718-***-****

ad1b5v@r.postjobfree.com

Career Summary

Currently possess an active DoD Secret clearance

Professional knowledge in providing support and guidance to System Owners through the NIST Risk Management Framework Assessment and Authorization processes.

Solid experience with the NIST Risk Management Framework (RMF) process, risk assessment, continuous monitoring and security audits.

Knowledgeable in the Risk Management Framework (RMF) and the Systems Development Life Cycle (SDLC).

Experienced with the Information Security Lifecycle and vulnerability management in compliance with the Federal Information Security Management Act (FISMA).

Understanding of IT Security Compliance work, including demonstrated experience documenting/reviewing policies, plans, procedures and IT security artifacts in accordance with NIST.

Education & Certifications

MS in Cyber Security Management and Policy, University of Maryland, MD, 2021-Present

Masters in Finance, Lehman College, 2019

BS in Information Systems/Accounting, Lehman College, Bronx, NY, 2015

CISA, ISACA

Security+, CompTIA

Certified Analytics Professional, Certified Analytics Candidate

Technical Expertise

eMASS

ServiceNow

Cron

JIRA

Help desk support

Azure

Security log review

Nessus

STIGs

Microsoft Suites

S.M.A.R.T Tool

IAVM

CTOs

Slack

Professional Experience

ISSO - Army OPMG (Everbridge Inc.) 01/2023 - Present

Conducts bi-weekly FISMA reporting to CID with system updates on documentation: STIGs, ACAS scans, Veracode scans, CTOs, security log reviews, POA&M status and the ConMon checklist.

Provides requisite information/documentation to senior management for inclusion in the FISMA Scorecard.

Uploads STIG checklists to eMASS and creates POA&Ms for open findings.

Updates STIG checklist status in STIG Viewer for closed findings to remediate POA&Ms.

Assistant POC for Continuous Monitoring of AWS SaaS and on-prem systems.

Reviews the ConMon assessor checklist, ensuring every update to system details, system information and the implementation plan is entered in eMASS and ready for NETCOM to review for ATO.

Reviews ATO packages by performing the annual review and update of the SSP.

Ensures compliance with the NIST Cyber Security and Risk Management Frameworks to maintain the confidentiality, integrity and availability of information systems.

Reviews CTOs applicable to our system and tracks remediation.

Creates tickets, tracks POA&Ms and assigns POA&Ms to engineers in Jira.

ISSO - Army Corps of Engineers (SAIC) 11/2021 - 12/2022

Assisted the ISSM by providing guidance and recommendations related to Assessment and Authorization (A&A), including the review of eMASS records and the submission of artifacts (documentation, Plan of Action and Milestones (POA&M), etc.) for accuracy, completeness, and applicability.

Main POC for Continuous Monitoring of Azure PaaS, SaaS and IaaS systems.

Reviewed ATO packages by performing the annual review and update of the SSP.

Ensured compliance with the NIST Cyber Security and Risk Management Frameworks to maintain the confidentiality, integrity and availability of information systems.

Monitored and administered enterprise IT security policies, maintained IT security procedures and the daily operating checklist, drove process improvements, and performed continuous security monitoring.

Created and closed tickets in ServiceNow, tracked all outstanding tickets, and worked closely with Tier 2 technicians to ensure tickets were resolved in a timely manner.

Reviewed and uploaded all fulfilled assessment findings, as well as evidence and STIG checklists, into eMASS for POA&M closure.

Delivered weekly briefs on all Azure L4 and L5 PaaS, IaaS and SaaS POA&Ms to the CSPMO and PM covering open STIGs, ongoing POA&Ms and remediation.

Created, reviewed and updated security policies and procedures to satisfy control requirements.

Created POA&Ms from CCRI and SCA-V test results in eMASS and tracked them to remediation.

Performed security control assessments as part of Continuous Monitoring, referencing NIST SP 800-53 Rev. 5 for compliance sustainment across applications, infrastructure, and networks.

Reviewed/updated the FIPS 199 categorization, e-Authentication, Privacy Threshold Analysis (PTA)/Privacy Impact Analysis (PIA), Security Plan (SP), Contingency Plan (CP), Contingency Plan Test (CPT), and Interconnection Security Agreements (ISAs).

Reviewed and updated control implementation statements in eMASS whenever a POA&M was closed.

Coordinated the maintenance of Change Management Plans (CMP), Incident Response Plans (IRP), Information System Contingency Plans (ISCP), and System Security Plans (SSP).

Participated in security working group activities and product development meetings to ensure requirements were met according to standards.

Tracked waivers to make sure the proper controls were documented and signed by the appropriate authorities.

ISSO - USCG, NC (CompQsoft Inc.) 10/2018 - 10/2021

Supported the United States Coast Guard Aviation Logistics Center on matters pertaining to the system.

Reviewed POA&Ms, enforced timely remediation of audit issues, and updated System Security Plans (SSP) using the NIST SP 800-18 guide when necessary.

Used the eMASS tool as the approved repository for artifacts, POA&Ms and control testing.

Created, tracked, and remediated Plans of Action & Milestones (POA&Ms).

Tested NIST SP 800-53 security controls using Enterprise Mission Assurance Support Service (eMASS) and created POA&Ms for failed controls.

Updated and revised the Information System Contingency Plan (ISCP) for USCG.

Created and ensured there was a root cause analysis for every POA&M that required one.

Ensured Time Compliance Technical Orders (TCTOs) were responded to in a timely manner and verified that action was being taken.

Categorized the system using FIPS 199 and ensured the controls selected in eMASS were in accordance with NIST SP 800-53 Rev. 4.

Reviewed weekly vulnerability reports from ACAS scans to determine false positives and vulnerability criticality, and followed up on remediation.

Performed daily user account audits to verify Information System access permissions.

Attained three (3) Authorizations to Operate (ATO) for both major and minor application systems with various impact levels.

Analyzed and updated the System Security Plan (SSP), Risk Assessment (RA), Privacy Impact Assessment (PIA), System Security Test and Evaluation (ST&E) and the Plan of Action and Milestones (POA&M).

Assisted System Owners and ISSOs in preparing assessment and authorization (A&A) packages for the company’s IT systems, making sure that management, operational and technical security controls adhered to the formal and well-established security requirements of NIST SP 800-53.

Conducted annual security control self-assessments (NIST SP 800-53A).

Performed vulnerability assessments, ensuring that risks were assessed and evaluated and that proper actions were taken to limit their impact on information and information systems.

Reviewed daily security logs for authentication failures and root user activity as indicators of compromise.

Tracked and updated the NFR Tracker, and requested POA&Ms for A-123 findings and KPMG PBCs.

Updated the master STIG checklist with current status based on evidence received.

Updated IAVM status.

Assisted A-123 audits with audit artifacts, DRLs and KPMG walkthroughs by ensuring the appropriate people/POCs were on the call to deliver.

Reviewed change requests (CR) to understand the reason for each change and to ensure the planned CR did not negatively impact current security policies (Cyber Security Manual 5500.13, NIST SP 800-53 controls, DHS 4300, etc.) or privacy (PTA, PIA, SORN, etc.) before sign-off. Also ensured that IA documentation was updated where necessary to reflect the current security state after changes.

RMF Assessor - American Transit Insurance, NY 09/2015 - 08/2018

Assisted the Security Control Assessor with validating controls.

Scheduled kick-off meetings with system owners to help identify the assessment scope, system boundary, the categorization of the information system, and any artifacts needed to start the assessment.

Coordinated with the SCA to create a Requirements Traceability Matrix (RTM) and recorded which controls passed or failed during the assessment, using NIST SP 800-53A as a guide.

Ensured supporting artifacts were uploaded.

Developed the Security Assessment Plan (SAP) while conducting the assessment of security controls selected for various moderate- to high-impact systems to ensure compliance with NIST SP 800-53A. Conducted interviews and gathered artifacts using the assessment methods of interview, examination, and testing.

Ensured security design, controls and procedures were aligned with information security standards.

Conducted vulnerability assessments of information systems to detect any deficiencies.

Assisted in developing the Security Assessment Report (SAR) to document the assessment findings and recommend remediation actions for all failed controls.

Reviewed A&A package items using NIST guidance for FISMA compliance, such as the PTA, PIA, Contingency Plan, Contingency Plan Test, E-Authentication, and FIPS 199 categorization.

IT Audit Consultant - PricewaterhouseCoopers, NY, NY 01/2013 - 08/2015

Performed testing of IT General Controls (ITGC), including Logical Access Controls and Data Access Controls, as well as internal and operational audits, attestation engagements and audit readiness.

Performed walkthroughs and detailed testing of controls to evaluate the design and operating effectiveness of controls in the computer system.

Assisted IT management in identifying control weaknesses and developing recommendations to remediate them.

Planned and coordinated IT audits, ensuring audit tasks were completed accurately within the established time frame and in compliance with client policies and procedures, using the ITGC, SOX, NIST SP 800 and FISMA frameworks in performing audits.
