Information Security Project Management

Location:
Bloomfield, NJ
Posted:
January 10, 2024

Resume:

HARLIS KEVIN FEIMSTER CISSP, ITIL

** ******* ******, **** *****, NJ 07028, 973-***-****, ad2na6@r.postjobfree.com

http://www.linkedin.com/in/hkevinfeimster

CYBERSECURITY, PRIVACY & IT COMPLIANCE MANAGEMENT PROFESSIONAL

PROFESSIONAL SUMMARY: Seasoned information security professional with over 20 years of proven experience with Levels 1-3 Lines of Defense (LoD) and Project Management. Skilled at executive-level operational and architectural risk. Strong ability to lead information security operations, including SOC teams and compliance review of controls and security with respect to development of corporate policies, internal and industry standards and certifications to meet and exceed corporate goals and expectations. Demonstrably skilled in cloud security architectures such as Azure, AWS, IBM Cloud and Wipro Cloud. Extensive background in implementing SaaS, PaaS and internal solutions to enhance the business mission and objectives in compliance with NIST 800 control guidelines and frameworks to achieve industry certifications including CMMC, FedRAMP, FINRA, SOC1&2, FFIEC, SOX, PCI, ISO27001/27701 ISMS/PIMS. Adept at eGRC, including FAIR, Archer, MetricStream and ServiceNow GRC.

WORK EXPERIENCE:

PRI Global – Cybersecurity and Privacy Advisor (LoD-1), Federal Contractor 12/2020 – Current

Accountable and Responsible for the Application Security Review Board (SRB), and Consulted and Informed for the Architecture Review Board (ARB) and Data Privacy Impact Assessment (DPIA).

Provided the oversight, coordination and reporting for peer reviewed applications seeking production deployment. Achieved 100% compliance for all SRB approved new and legacy applications with required deviations.

Led assessments to identify baseline issues that require remediation to be compliant with Federal and Corporate policies, standards, and NIST 800-171 control guidelines for the Cybersecurity Maturity Model (CMMC) C3PAO and FedRAMP audits.

Provided SRB review for Cloud application approvals with respect to many baseline requirements, including: approved architecture and dataflow; minimal supporting software and database requirements; the required ports and protocols; encryption in transit and at rest, including validated encryption and cipher strength; system communication interconnections with corporate and cloud; review of failures noted in STIG and CIS automated baselines and in vendor hardening guidance documentation; build management deployments via vendor imaging or internally team-managed; security identifiers, including service accounts, roles and groups; local security configurations and GPO-managed settings; conformance to DFN policies and standards; Enterprise Authentication (SSO) integration; and MFA standard login and VPN process and methods of enforcement.

Assisted in SOC implementation for monitoring application and endpoint security, vulnerability, and virus management.

Assisted with building a comprehensive privacy program including policies and standards, procedures and guidelines, training and awareness, monitoring, and investigation. Coordinated with Legal on practices and procedures for reviewing marketing products, client-facing content, and materials to ensure compliance with Company policies.

Advised on the business impact of global data protection laws and regulations on Company business priorities. Identified risks and gaps in processes and continuously improved the program to ensure compliance.

Developed training and awareness campaigns to educate employees about privacy and data protection matters.

Collaborated with legal and LoB stakeholders across multiple time zones to provide privacy guidance for initiatives that involve vendor and consumer information, including advising on dataflow mapping and privacy-by-design training.

Assessed the implementation of ServiceNow in preparation to migrate from Archer eGRC.

Flight Centre Americas – Compliance and IT Risk Manager (LoD-2,3) – Montvale, NJ 12/2018 – 12/2020

Managed PCI and Privacy based Security Program. Redefined the security and privacy compliance strategy and vision with respect to booking of travel using credit cards and passports.

Implemented OneTrust vendor and privacy management tool, including security questionnaire, and Vendorpedia.

Completed Data Privacy Impact Assessments ("DPIA"), provided responses to Data Subject Access Requests ("DSARs"), and performed and reviewed data mapping and cross-border data transfer impact analysis. Provided privacy guidance for initiatives that involve vendor management and consumer information, including advising on privacy for retail and marketing initiatives in partnership with technology and LoBs, and B2B relationships. My efforts included interfacing with legal on privacy analysis in the event of a suspected security incident/privacy breach.

Enhanced corporate policies based on GDPR, NIST 171, the Cybersecurity Framework and PCI DSS, and security assessment and incident management; and provided application security review, including DevOps, Kubernetes and Docker, and OWASP Top 10.

Assessed behavior and trained staff via KnowBe4-based phishing campaigns. Led a project to assess, strategize, industry-certify, and securely maintain the IT infrastructure.

Wipro Data Center & Cloud Services – CISO (LoD-1) – Leonia, NJ 04/2016 – 12/2018

Strategically implemented a global Information Security Program, including developing and ratifying corporate Policies and Standards based on NIST 171 and CMMC controls. Led and achieved successful external certification audits including CMMC, SOC1, SOC2, ISO27001/2271, and PCI DSS software security assessment in support of customers’ annual PCI DSS, SOX, SOC2, HIPAA and FedRAMP audits.

Strategically completed a global GDPR Privacy program, application security, and vendor management processes with testing.

Implemented OneTrust and Vendorpedia; and ServiceNow GRC security and privacy management.

Managed a team of 15, including ISA, operations supervisor and SOC team, senior architects and engineers, and analysts.

Provided CISO Archer eGRC-based monthly and quarterly Compliance Metrics for Board reporting, including current and emerging cybersecurity threats, trends, vulnerabilities, and regulatory changes.

Implemented ServiceNow workflows and use cases, working with the CIO to meet governance and risk requirements across the US, Canada and Mexico. Prepared Board IS reports and assisted with Board presentations.

Partnered with the Level-2 Enterprise Risk team to develop the RCSA for IT and application security quarterly testing. Remediated MRAs.

Implemented phishing campaigns and information security training with Human Resources.

RiskIT Management Services – Compliance and IT Risk Manager 08/2014 – 04/2016

As Privacy PM Analyst, assessed the privacy program. Made recommendations to enhance governance, privacy by design, dataflow mapping, legal controller and processor agreements, and policy.

PM auditor for Controls Assurance on internal and regulatory compliance audits, including audit testing with respect to PCI, the FFIEC ops handbook, NIST 800, HITRUST and FedRAMP. Significant focus on risk identification and assessments. Updates made to Archer eGRC, and business coordination.

JP Morgan Chase – Program Manager (LoD-1) – Jersey City, NJ 07/2012 – 07/2014

Supervised a team of 10 to define and manage KPIs and KRIs, RTOs and RPOs for business applications, including Asset, Change, Incident, Problem, BCP/DR and Risk management teams.

Led developers and IT risk; assessed applications and software vulnerability management. Provided oversight of code risk and its remediation through use of processes, procedures and AST code review tools. Remediated MRAs.

Delivered weekly Archer eGRC and monthly performance metric reporting to executive management and the Board regarding the global application vulnerabilities effort; and provided quarterly and annual GRC metrics reporting and coordination for end-of-year SOX and FFIEC filings.

US Department of Transportation / Merchant Marine Academy – ISSO – Kings Point, NY 12/2009 – 07/2012

As Security Officer (LoD-1), defined the long-term strategy for FISMA and FedRAMP moderate controls to assure policies and procedures aligned with information protection and the overall security strategy.

Implemented a FISMA- and public-safety-systems-compliant, NIST-based security strategy focused on the NIST 800-based cybersecurity framework. Coordinated penetration testing, vulnerability management and threat remediation.

Served as Assistant Professor for Information Systems Analysis and Design, and taught midshipmen cybersecurity. Participated in Red/Green operations, assisting the midshipmen with security tools and configurations. Coordinated with the NY and DC FBI Cyber-cell for training and cyber awareness month.

National Stock Exchange, New Jersey – Security Program Manager 06/2007 – 12/2008

Board reporting on the state of NSX Information Security remediation and the SEC remediation project.

Led strategy and design for SaaS solutions for security services based on ISO27001. Assured the deployment of remote access and two-factor authentication, malware, and virus management. Managed IT risk and controls MRAs.

Coordinated Business Continuity and Pandemic Planning for NSX, SRO and member broker-dealers for the Wall Street-based BCP/DR initiative, working with SIFMA and member firms. Coordinated with the NJ FBI Cyber-cell for cyber awareness month.

Citigroup, NY/NJ – IT Risk Program Manager (LoD-2) 02/1995 – 06/2007

Program-managed the function for FFIEC OCC compliance with SOX-404 and GLBA (HIPAA) annual reporting. Achieved 100% successful internal audits annually.

Provided Board reporting of risk and controls on a monthly and quarterly basis.

Led the development of the RCSA framework globally. Developed and executed testing effectiveness processes across the global IT infrastructure. Focused on NIST 800-53A control guidelines and SOX reporting of compliance with corporate policies and standards. Assured compliance with PCI-DSS.

Defined and globally implemented the RCSA technical strategy including OWASP software security.

EDUCATION

The City University of New York

MS Information Systems – Graduate School of Engineering and Computer Sciences 1986

BS Industrial Psychology – School of Arts and Sciences 1984

Certifications: CISSP, ITIL, PCI DSS ISA, CCPA in process

AWARDS

BCP Crisis Management Award for my “follow the sun” coordination efforts during Storm Sandy 2013; and

Finalist in the 2008 Award for Excellence in Business Continuity and Information Security Convergence and Contribution to Enterprise Risk Management.

Pre-Audit Vulnerability and Risk Assessment Award from Citigroup CGTI.

Received the ISSA President's Award.

My Hands-on skills:

Software security: GitHub, GitLab.

Productivity software: O365: MS Office, OneDrive, SharePoint, Teams, Zoom, Skype. Certifications: CISSP, ITIL v4f. Working knowledge of CISA, CRISC, CCPA.

IT Operations: ServiceNow, SecOps, Cybersecurity, IAM, AppSec, MSSP, Intel & IR. Service Mgmt: Incident, Problem, Change, Asset. GxP Storage.

PM: Agile/Waterfall, SDLC, DevOps, including Kubernetes, Docker, OWASP Top 10.

Security Mgmt.: CISO, ISSO, tech skills, risk & threat management, SOC and incident management.

Cloud: Azure, AWS and QuickSite, IBM, Ensono/DCS; PaaS, SaaS-based IAM and SSO providers and protocols/software: Azure AD, Okta, MFA, 2FA, SSO, Duo, SAML; DLP, RBAC, Trustwave; QRadar, SOC/SIEM, Metasploit, QualysGuard, Security & Compliance Center, advanced threat protection, Nmap, AppScan, and static and dynamic testing for OWASP Top 10 Cloud Application Software Security; Digital Forensics, MDF, SQL, Oracle, UNIX, Linux, RBAC, MDM (MaaS360, Meraki, AirWatch).

Operational Risk Guidelines, Frameworks, Global Regulatory Standards, Audit Certifications: SSAE-18 (SOC1) and SOC2, COSO, COBIT, Basel II, CMMC, NIST 800-171, NIST 800-53, ISO 27001 ISMS, ISO 27701 PIMS, PCI-DSS, FedRAMP. Regulations: FINRA, FRB, NYDFS, FSI & 23 NYCRR 500, FFIEC Handbook, FFIEC, FDICIA, OCC, Dodd-Frank. Privacy and data protection: GDPR, OneTrust (Vendorpedia), Binding Corporate Rules, CCPA, LGPD, PIPEDA, DPIA, DSRs, SOX 302/404, GLBA Rules (Privacy, Safeguards, Pretexting); FedRAMP, FISMA, SIFMA; SEC, HITRUST, HIPAA, 501K filing. Resiliency: Crisis Mgmt, BCP/DR runbooks, COB, COOP. Legal Contract Reviews: MRAs, MSA, ICA, DPA, DTA; M&A. eGRC: FAIR, ServiceNow GRC, MetricStream, Archer, RiskVision; in-house developed iCAPs. CISO soft skills. Questionnaires; OneTrust; Cookiebot; Google Tag Manager; KnowBe4; ITIL v4 Service Mgmt: Incident, problem, change, release, and configuration management; vendor mgmt. Business Intelligence (BI): MS Excel (pivoting, VLOOKUPs), MySQL, SQL Server, PostgreSQL, MS Access.