
Quality Assurance Information Technology

Location:
Columbia, MD
Posted:
November 30, 2023


Resume:

Susan M. Burgess, PMP, CSSLP, CSQA, CSPE, CSTE, CQSPE, CSA, CSPM, CSEST, CMSQ, CQE, CMST, CSBA

***** ******* *****, ******, ** 20707

Cell Phone: 301-***-**** Work Phone: 571-***-**** eMail: ad1lj9@r.postjobfree.com

SYNOPSIS:

Susan Burgess is internationally recognized as an expert in Software and Systems Engineering practices, processes, metrics, testing, risk, program management, cybersecurity, process improvement, assessments, audits, asset management and quality assurance. She represents the United States to the International Standards Organization (ISO) and is accredited as a Technical Expert by the American National Standards Institute (ANSI). Ms. Burgess also serves on the IV&V revision committee for IEEE 1012 – Standard for Verification and Validation, ISO 29119 for Software Testing, ISO 20000 – IT Service Management, as well as participating in the DHS Software and Supply Chain Assurance (SSCA) Forum to identify information technology risks and develop new cybersecurity and privacy standards.

Ms. Burgess is experienced in implementing standards, auditing, performing assessments, audit remediation as well as managing efforts such as: New York MMIS Information Security and Privacy Officer, Medicaid programs such as State Level Registry (SLR), Provider, Member/Third Party Liability (TPL), PBM, EPIC and Financials, ACA, MECT, MITA requirements, HIPAA, Information Security and Privacy controls, HITECH, NIST 800-53 v4, 800-53A, Incident Response, NIST 800-30, NIST SP 800-37, MARS-E 2.0, OWASP, PCI, CMMC, NIST SP 800-171, ICD 503, HL7, ICD 10, FIPS 140-2, FIPS 199, PMI PMBOK, Agile and Sprint methods, test planning and automation, generating SSPs, Information Assurance, ISO 27001/2, SANS CIS20 Critical Controls, SOC1/2 audits, NIST 800-171, ISO 9001, Capability Maturity Model Integration (CMMI), FISMA, Health Information Trust Alliance (HITRUST), Sarbanes-Oxley, ISO 27001/2, FedRAMP, VDI, RMF, DIACAP, C&A, Quality Assurance, DISA STIGs, FARS, SDLC, POA&Ms, Information Technology Infrastructure Library (ITIL), EU Privacy, Cloud Services, CMS Seven Standards, data analytics, PCI DSS, disaster recovery, Control Objectives for Information Technology (COBIT), DOD 8510, Earned Value, Proposal Responses, ISO 12207 Standard for Software Life Cycle Processes as well as ISO 15288 for System Life Cycle Processes.

Ms. Burgess received the Quality Assurance Institute’s (QAI) Lifetime Achievement Award for overall contributions to the Information Technology profession. She keynotes at industry conferences and was the subject of a feature article in Computerworld. Susan co-authored, with Mr. William Perry, the past CEO of QAI, the Quantitative Software Testing Assessment Rating (Q*STAR) methodology for measuring the effectiveness of all phases of Testing. Served as a Trainer, Examiner, Team Leader and Mentor for the US Senate and Maryland Performance Excellence Awards and the Malcolm Baldrige Award.

PROFESSIONAL EXPERIENCE

Burgess Consulting Laurel, MD September 2017 – Present

Principal Consultant / Information Security and Privacy Officer

Providing clients with consulting expertise implementing standards and models such as CMMI DEV/SVC, SCAMPI Appraisals, ISO 20000, ITIL, ISO 9001, ISO 27001/27002, FISMA and ISO 14001 as well as CMMC.

Helping clients develop processes and procedures for Governance, Risk and Compliance (GRC), to align with their business goals while managing risks as well as meeting applicable industry and government regulations.

Worked with the client team to perform verification and validation activities to assure all requirements are met, and to assure that adequate test coverage by automation or manual testing, error handling, regression and stress testing is addressed.

Helped client to develop a test strategy, policy and test cases based on best practices as defined in ISO 29119.

Developed a comprehensive NIST 800-53 Rev. 4/5 System Security Plan (SSP) to assess the Contractor’s compliance, including all CMS and HIPAA requirements, as well as establishing internal security controls which included: risk assessments; configuration management; security policies; system and communications protection; personnel security; awareness and training; physical/media/environmental protection; contingency planning; intrusion detection; maintenance; system and information integrity; incident response; identification and authentication; access control; annual compliance audit.

Created Quality Control Plans, User Acceptance Test (UAT) Plans, Project Management Plans, System Security Plans (SSP), Disaster Recovery, Continuity of Operations Plans, and Quality Assurance Surveillance Plans and acquisition documentation.

Worked as a Subject Matter Expert at Honeywell Government Systems to write proposals, support various internal audits as well as process improvement activities.

Performed IV&V assessments and testing for a Health Care Exchange (HIX) and Medicaid Management Information System (MMIS).

Conduent (formerly Xerox State Healthcare) Albany, New York May 2015 to August 2017

Information Security and Privacy Officer (ISO)

Formerly, the Information Security and Privacy Officer (ISO) for the New York Medicaid Management System (NYMMIS) contract. The NYMMIS security and privacy controls are based on the Center for Medicare and Medicaid (CMS) Moderate plus requirements and on NIST 800-53 Rev. 4, HIPAA Security and Privacy Rules, ACA, FIPS 140-2, HITECH, ITIL, RMF, FIPS 199 and 200, CIS, FISMA, OWASP, FedRAMP, Health Information Trust Alliance (HITRUST), CMS as well as compliance with the NYS Office of Information Technology Services (ITS) standards. The NYS Medicaid project includes components such as State Level Registry (SLR), Provider, Member/Third Party Liability (TPL), PBM, EPIC, Financials as well as MECT and MITA requirements.

As the ISO, I provided oversight for a large matrixed team of subcontractors, teaming partners and offshore software developers that was broken down by functionality so that people who ran the data center, wrote the procedures or the code did not audit or test the security or privacy controls. I worked closely with the PMO to monitor and address project risks, schedule slippage and incidents, and to generate POA&Ms for remediation activities due to non-compliance findings from in-house audits, legal or contracts, or third-party Registrars or Assessors.

Developed the Security, Privacy and Confidentiality Plan (SPCP) based on NIST 800-53 Rev.4 and associated controls to protect the Confidentiality, Integrity, and Availability (CIA) of Protected Health Information (PHI) and Personally Identifiable Information (PII) to assure data was encrypted during transmittal, at rest, in process, and archival for all NYMMIS Medicaid information. As the ISO, typical responsibilities included:

Regularly presented security and privacy audit and assessment findings, risk areas, incidents, data breach status and required remediations to senior management at the State of New York and Xerox and our teaming partners.

Oversaw compliance to the SPCP by all teaming partners, Cloud Services and Data Centers.

Implemented policies, procedures and processes for security and privacy for the entire contract.

Worked with NYS client to conduct the Privacy Impact Assessment (PIA) required by CMS.

Developed Interconnection Security Agreements (ISA) to assure secure encrypted data transfer of PHI/PII.

Responsible for Incident Response, Root Cause Analysis and remediation to reduce the risk of recurrence, as well as Unauthorized Exposure and Breach management and reporting.

Worked with Corporate Xerox attorneys to address incidents and non-compliance by teaming partners.

Developed a Security and Privacy Requirements Traceability Matrix used for management reporting purposes.

Compliance auditing of the teaming partners and data centers for the security and privacy controls.

Created Corrective Action Plans (CAP) to address incidents, risks, breaches as well as audit findings.

Developed POA&Ms, performed risk assessments as well as compensating security controls to protect PHI/PII.

Served as the Point of Contact (POC) for all Third Party Audits for SOX and SOC 2, ISO 27001/2, ISO 9001 and SSAE 16/18, for any remediation activities, and for reporting results to Senior Management and the Client.

Assured adherence to Security and Privacy Service Level Agreements (SLA).

Reviewed vulnerability scans as well as NIST 800-37 and NIST 800-30 Risk Assessments.

Overseeing IDS, SIEM, Multifactor Authentication, Identity Assurance, Penetration Testing at Data Centers.

Participated in Agile Sprints, User Stories and Test Case generation for functional requirements.

Developed and conducted training on security, privacy, incident response and safety.

Involved in disaster recovery, CMS certification documentation requirements as well as COOP for NYMMIS.

Responsible for the physical security of staff at various NYMMIS site facilities.

Burgess Consulting Laurel, MD April 2012 – May 2015

President/Principal Consultant

Provided consulting activities implementing standards and models such as CMMI DEV/SVC, SCAMPI Appraisals, ISO 20000, ITIL, ISO 9001, ISO 27001 and ISO 14001.

Performed IV&V assessments and testing for the Maryland Health Care Exchange (HIX) using HIPAA, HHS, EDI, CMS, and MITA.

Created Quality Control Plans, User Acceptance Test (UAT) Plans, Project Management Plans, System Security Plans (SSP), Disaster Recovery, Continuity of Operations Plans, and Quality Assurance Surveillance Plans and acquisition documentation.

Assessed requirements for testability, executed test plans for mobile applications, generated manual and QTP/ALM test cases, created risk-based testing strategies, functional and requirements testing, generated operational scenarios for end-to-end testing, Software as a Service, Agile Sprints, and managing product backlog.

Developed policies, procedures, and security controls in accordance with NIST 800-53: Security and Privacy Controls for Federal Information Systems and Organizations to include all phases of the SDLC.

Developed a comprehensive System Security Plan (SSP) to assess the Contractor’s compliance, including all CMS and HIPAA requirements, as well as establishing internal security controls which included: risk assessments; configuration management; security policies; system and communications protection; personnel security; awareness and training; physical/media/environmental protection; contingency planning; intrusion detection; maintenance; system and information integrity; incident response; identification and authentication; access control; annual compliance audit and Federal Information Security Management Act (FISMA) evaluation; plan of action and milestones; identifying vulnerabilities, accountability and audits; certification assessment and criteria for collection, storage, access, and destruction of information assets.

Utilized the CMS MITA Framework 3.0 and Seven Standards to implement security and privacy principles as guidelines for system enhancements across the entire SDLC for the development and testing of several HMOs and PPOs.

Developed HIPAA Privacy and Security training briefings for project team and assured compliance via project assessments and vendor audits.

Worked as a Subject Matter Expert at Honeywell Government Systems, now KBRWyle, to support various proposals and internal audits.

NTT Data (formerly Keane Federal Systems) McLean, VA 12/2006 – 04/2012

Senior Director, Quality Management

Formerly, the Senior Director, Quality Management responsible for the project management and technical oversight of the Independent Verification and Validation (IV&V) practice including staffing as well as profit and loss. Responsible for overseeing implementation of ISO 9001:2008 and CMMI Level 3 for Development as well as CMMI for Services efforts for the company. In addition, responsible for developing proposal responses and technical solutions for government and public sector clients in the areas of quality, testing, IV&V, process improvement and configuration management. Interfaced with our offshore staff in India, providing technical support across various time zones.

Created the Keane IV&V for Information Technology (KIVVIT) methodology that was cited in a GAO report as being an effective methodology on the large DHS CBP project.

Managed a geographically dispersed IV&V team of 30 people who performed internal ISO 9001, ISO 14001 and CMMI audits and on-site client testing. Yearly staff Performance Appraisals were done to provide feedback to the employees and determine training needs and opportunities for growth.

Supported numerous federal government and Department of Homeland Security (DHS) clients such as the Federal Emergency Management Agency (FEMA), Department of the Interior (DOI) and Customs and Border Protection (CBP) Secure Border Initiative as a subject matter expert in testing, metrics, quality, configuration management and business process re-engineering. Acted as IV&V Program Manager, approving invoices, generating weekly status reports, conducting monthly program reviews, hiring staff as well as interfacing directly with the customer. Susan was also involved in doing an IV&V end-to-end assessment of the DHS United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program to determine the overall status of the project for the government.

Supported a Federal Bureau of Investigation (FBI) contract in Washington, DC, as the Quality Manager for the Security Management Information System (SMIS), responsible for establishing processes and procedures to assure quality for the integration of over forty new and legacy applications. Other duties included project management oversight of software development and integration efforts; system acceptance testing; risk management assessments; earned value analyses; process and product auditing; requirements analysis; and configuration management. Responsible for assuring contract compliance to standards such as CMMI and the FBI’s Information Technology Life Cycle Management Directive (LCMD).

Catalyst IT Services Baltimore, MD 9/2006 - 11/2006

Vice President of Quality Assurance

Formerly, the Vice President of Quality Assurance for a very small business, responsible for the testing and quality assurance practice including profit and loss, customer satisfaction, business development, requirements analysis as well as testing of software development projects across platforms, specifically for Service Oriented Architecture (SOA).

Signal Solutions, now General Dynamics Network Systems Fairfax, VA 4/2001 - 5/2006

Director, Process and Quality Assurance

(Acquisition History: formerly Veridian Information Technology Systems, position Vice President of Quality Assurance, and formerly The SIGNAL Corporation, position Vice President of Quality Assurance)

Formerly, the Director of Process and Quality Assurance at Signal Solutions, Inc., a General Dynamics Network Systems Company, where she oversaw the corporate ISO 9001:2000 registered Quality Management System (QMS), the ISO 14001 registered Environmental Management System and the OHSAS 18001 compliant Health and Safety program. Responsible for: managing quality processes and procedures; setting metrics; conducting management reviews; setting quality objectives; root cause analyses; overseeing quality assurance for projects; internal compliance audits; managing departmental budgets and resources; overseeing recycling efforts; software testing; customer satisfaction; facilitating process improvement; cost estimation for new work; implementing risk management and mitigation; conducting trend and root cause analyses as well as resolving corrective actions.

Served as the Point of Contact (POC) for the Registrar for ISO 9001 and ISO 14001 and for the CMMI Lead Appraiser for contract negotiations, audit planning and Site Visits. Frequently presented ISO 9001, CMMI and ITIL audit findings with recommendations for process improvements to executive management.

Additionally, contributed to proposals, supported projects, and internal programs such as the Software Engineering Institute (SEI) Capability Maturity Model Integration (CMMI) and Information Technology Infrastructure Library (ITIL) initiatives as well as being certified in quality, testing, program management, and process improvement. Frequently interfaced with top management and staff from other divisions of the company.

Served as the Program Manager for a CMMI Level 2 certification attained in nine months as well as being responsible for Process and Product Quality Assurance (PPQA) audits and process improvement for ISO 9001 for the company.

Information Technology Business Group, Inc. Rockville, MD 5/95 – 4/2001

Managing Director of I.T.B.G., a Small, Disadvantaged, Woman-Owned consulting business. Responsibilities included overseeing and directing all projects, supporting new business development, assuring customer satisfaction, and interviewing and approving new hires into the division, as well as working on various consulting assignments as outlined below.

At Amtrak, Susan led the System and User Acceptance testing for the Amtrak Food and Beverage Point of Sale system. The testing included all aspects of on-board service including: all functionality of the POS devices, end to end testing to include testing of all interfaces to legacy systems, on-board terminal functionality, reporting, and POS functions.

Worked with Ann Taylor Inc., a leading fashion retailer moving to on-line shopping, to perform a project assessment and to assess the testing required. She subsequently assumed responsibility for the system integration effort and test management for acceptance testing of their website and PCI transactions.

Served as the Quality Manager on the Departmental Grants Management System (DGMS) at the Department of Housing and Urban Development (HUD), responsible for testing the system, including designing and developing test processes, plans, cases, procedures and scenarios for testing requirements, stress, verifying the user guide, threads, load, capacity, interfaces with other systems, and performance under key operational conditions with Oracle access and the data repository. At the Office of Real Estate Management (OREMS), responsible for leading a team to develop exemplar models for IT initiatives in support of Clinger-Cohen, OMB and Raines Rules. Created models of effective Business Cases, Project Plans and Work Breakdown Structures (WBS) for activity based costing.

Susan was the acting Director of Quality Assurance for 24/7 Media, Inc., an Internet Services provider located in Alexandria, VA, responsible for developing a quality assurance infrastructure and a Y2K Remediation Plan, reporting directly to the CIO, to establish processes and procedures for on-line pop-up advertisements.

Worked as the System Acceptance and IV & V Lead for the Department of Commerce, Bureau of the Census Program in Bowie, MD. Responsible for the staffing, establishment of teams and performance of IV&V, System Acceptance and Requirements Verification Testing for the Data Capture and Imaging System supporting the Year 2000 Decennial Census. Duties included: Technical Lead for Independent Verification and Validation (IV&V), System Acceptance Test (SAT) and Requirements Verification Test (RVT) and CMMI Level 3 audits.

Supported Computer Sciences Corporation (CSC) corporate MIS department in establishing test plans and scenarios, developing test schedules, supervising testing the software components as well as performing risk assessments in the implementation of the Labor Cost Distribution (LCD) system that interfaces with SAP R3 product and legacy systems.

Worked as the Task Order Project Manager (TOPM) and Subject Matter Expert with the Defensive Investigative Service (DIS) to develop a comprehensive Configuration Management (CM) system to support all DIS locations across the country. Developed a comprehensive CM strategy including processes that encompassed software, hardware, and documentation change control management.

Supported the Federal Aviation Administration (FAA) William J. Hughes Technical Center in Atlantic City, NJ to assess the FAA test methodology to implement improvements in configuration management and testing.

Worked on the IRS Document Processing System (DPS) Client-Server project at Lockheed Martin Federal Systems to digitally image tax returns for storage and retrieval of data. As Senior Test Engineer, responsible for requirements analysis and verification, preparing test plans and procedures, developing testing metrics to assess progress, McCabe complexity analyses, and system level, performance, and user testing.

Aeronautical Radio, Inc. (ARINC) Annapolis, MD 10/1989 – 05/1995

As Principal Quality Planning Analyst, responsible for overall Quality Management functions of the ARINC Data Network Service (ADNS), a distributed packet switching network that serves the airlines and related industries. The responsibilities included evaluations, assessments, audit inspections, corrective actions, as well as risk and value analyses of the deliverables to assure compliance to appropriate standards. These duties included participation in design reviews, code walkthroughs, requirements evaluations, vendor quality audits, testing, documentation assessments, as well as functional and physical configuration audits.

EDUCATION:

M. B. A. in Management Frostburg State University

B. S. Ceramic Engineering Alfred University

PAST CLEARANCES:

Department of Defense (DOD) – Top Secret Clearance with SSBI. Previously held clearances at DHS Customs and Border Protection (CBP) - DHS Suitability, Federal Emergency Management Agency (FEMA), Internal Revenue Service (IRS), Department of the Interior (DOI), DOE – “L” as well as a Federal Bureau of Investigation (FBI) SCI and a CI polygraph.

CERTIFICATIONS:

Project Management Professional (PMP)

Certified Secure Software Lifecycle Professional (CSSLP)

ISO 9001 Quality Management System (QMS) Lead Auditor

ISO 14001 Environmental Health and Safety Lead Auditor

Certified Software Project Manager (CSPM)

Certified Software Test Manager (CSTM) and Certified Software Test Engineer (CSTE)

Certified Software Quality Manager (CSQM) and Certified Software Quality Analyst (CSQA)

Certified Quantitative Software Process Engineer (CQSPE)

CMMI Appraisal Team Member

Certified Software Process Engineer (CSPE)

Certified Software Business Analyst (CSBA)

Certified Quality Examiner (CQE)

Certified Senior Examiner of Software Testing (CSEST)

Certified Software Process Improvement Capability Determination (SPICE) Assessor (CSA)

PROFESSIONAL MEMBERSHIPS:

Project Management Institute (PMI)

International Information Systems Security Certification Consortium, Inc. (ISC)²

Information Technology Service Management Forum (itSMF)

Elected Senior Member of IEEE

Member of IEEE Computer Society Standards Committee

Department of Homeland Security (DHS) Software Assurance Forum (SwA)

US Technical Advisory Group (USTAG)

Quality Assurance Institute (QAI)

Senior Member - American Society for Quality (ASQ)

President, Quality Assurance Association of Maryland (QAAM)

National Association of Female Executives (NAFE)

Cambridge Who’s Who Registry of Executives, Professionals and Entrepreneurs
