
Cyber Security Information Assurance

Location:
Alexandria, VA
Posted:
February 04, 2024

Resume:

Safo Donkor

Phone: 703-***-**** Email: ad3c2u@r.postjobfree.com

Citizenship: US citizen, eligible for US Gov’t Clearance

Professional Summary / Objective:

A thought leader in Cyber Security, with over 7 years of experience in Information Assurance, Governance, Risk & Compliance, and Organizational Leadership. Analytical problem solver with strong organizational and communication skills and the ability to interact well at all levels. Seeking an Information Assurance or Cyber Security position in a growth-oriented organization with a focus on FISMA, the Risk Management Framework (RMF), FedRAMP, PCI-DSS, system security monitoring and assessment, risk assessments, audit engagements, and testing of information technology controls.

Education / Certifications:

ISACA

Certified Information Systems Auditor (CISA) – Active

CompTIA Security+ Ce – Active

University of Maryland Global Campus, Maryland

Master's in Supply Chain Management and Logistics

Kwame Nkrumah University of Science and Technology

Bachelor of Science in Business Management

Work Experience

NXT Partners (Maryland Department of IT)

Control Implementation Specialist January 2023 - June 2023

Create, edit, and maintain cybersecurity compliance and implementation documentation for current and future applications.

Create and update policies, standards, and guidelines to address emerging security threats and regulatory changes.

Support internal peer review and quality assurance efforts, assemble documentation for audits, and ensure that documentation is compliant with governance policies.

Design and implement security controls, procedures, and technical safeguards to ensure compliance across the organization.

Research and evaluate new documentation needed.

Develop documentation plans and timelines with the level of effort required.

Collaborate with platform analysts, project managers, and subject matter experts to collect and interpret their input.

Develop and maintain an effective security compliance framework that aligns with organizational goals and objectives.

Utilize critical thinking skills to solve issues that arise.

Coordinate communication amongst all project team members.

Collaborate with the Education Team in the design and development of training programs or project specific materials to support the workflows to be implemented.

Communicate project status amongst the team and up through project and department leadership.

Train end users on the proper use of the application.

Develop best practices to be utilized for future implementations.

Ability IT Consultancy – FDM Group

Information Systems Security Officer (ISSO) Sep 2019 – Jan 2023

Ensure all Security Authorization documentation for assigned systems remains accurate and up to date on a continuous basis, including but not limited to accurate and valid lists of assets (hardware/software), accurate boundary diagrams, accurate ports and protocols, etc.

Coordinate and facilitate Security Control Assessor (SCA) activities as required and directed by the Federal Government. For example:

Coordinate and support all Security Assessment interviews as required.

Ensure appropriate accounts and access are provided to the SCA team in a timely manner.

Load and maintain all supporting artifacts and information from these documents, as appropriate for assigned systems, into the repositories.

Compile, write, update, finalize, produce, and support activities for IT Security Common Control Catalogs and related documentation, including but not limited to Security Plans or other required documents.

Complete and maintain an up-to-date inventory of all system components of assigned systems.

Conduct Annual Assessment and Contingency Plan testing as required.

Provide additional FISMA support for Chief Financial Officer (CFO) designated systems as required.

Facilitate and assist with reviews and updates to POA&M content, such as the breakdown of milestones, as required.

Manage, maintain, and track all assigned tasks and duties related to POA&Ms.

Complete WEAR documentation as required and ensure it is approved at least 60 days prior to POA&M expiration.

Facilitate and provide continuous support for the WEAR program, including but not limited to analysis, creation, approval, status tracking, and overall management of WEARs in relation to System-Level and Program-Level POA&Ms, in a format provided by the Government on a daily, weekly, or monthly basis or as defined and directed by the Government.

Review audit logs and alerts from Splunk on a daily, weekly, and monthly basis as required.

Review ISVM compliance in Splunk using the ISVM Vulnerability Report Dashboard.

Review Security Center (SC5) or Nessus results and send critical, high, medium, and low vulnerabilities to the support team for a remediation plan.

Perform thorough review of SC5 and Splunk to identify authentication failures, and review informational vulnerabilities that expose system information such as enabled ports.

Request renewal, creation, or revocation of SSL Certificates by working with system administrators or application teams.

Review and approve Change Requests (CR) via the ServiceNow (SNOW) tool.

Review and approve my Access Requests by ensuring a detailed business justification has been provided, including the user's role and the purpose of the account request.

Review ports and protocols to ensure that unnecessary ports are disabled.

Ability IT Consultancy – FDM Group

Cybersecurity Analyst July 2016 – Oct 2019

Risk Management Framework / A &A / Vulnerability Management

•Assist the System Owner and ISSO in preparing the Authorization Package, ensuring that all applicable security controls adhere to a formal and well-established security requirement referencing SP 800-53 rev 4.

•Review and analyze Nessus vulnerability scan results and coordinate the remediation effort with system administrators/engineering teams.

•In coordination with other team members, ensure that during the A&A process the appropriate RMF steps are taken in implementing the Risk Management Framework (RMF) throughout the complete process cycle, from the system categorization step through to continuous monitoring.

•Participate in Change Control Board (CCB) and Continuous Diagnostic and Mitigation (CDM) briefings/meetings with all client/system senior management.

•Conduct the RMF first-step kick-off meeting, initial risk assessment, and categorization of the information system as Low, Moderate, or High based on the Confidentiality, Integrity, and Availability (CIA) of the information type, referencing FIPS-199, NIST 800-60, and NIST 800-30.

•Prepare and produce the e-authentication artifact identifying the appropriate authentication mechanism based on risk level (single-factor, two-factor, or multifactor), referencing SP 800-63.

•Select and draft security control baseline in accordance with SP 800-53 rev 4 and FIPS 200.

•Develop security authorization (A&A) documentation, including the System Security Plan (SSP), Security Control Test and Evaluation (SCT&E), Security Assessment Report (SAR), Contingency Plan (CP), and other artifacts required for the ATO package.

•Develop a system-level configuration management plan template by leveraging NIST SP 800-128 to assist the CM team responsible for the creation of the system configuration baseline and change management process.

•Initiate, update, coordinate, and track the patching and remediation of security weaknesses as documented in the Plan of Action and Milestones (POA&M).

•Update, retrieve, and upload all necessary authorization-related documentation into Cyber Security Assessment Management (CSAM) using approved templates and procedures.

•Review the FedRAMP package (SAR, SSP, and POA&M), compare the cloud service provider package to the organization's requirements, and identify any gaps.

•Create and develop security documents and relevant artifacts to support FedRAMP compliance.

•Conduct system risk assessments through risk analysis, assessing the various assets within the system's authorization boundary and rigorously identifying all possible vulnerabilities that exist within the system.

•Ensure, document, and maintain Configuration Management (CM) for security-relevant IS software, hardware, and firmware for all assigned systems.

•Run biweekly system-level scans using Nessus and coordinate remediation of new findings with system admins.

Ability IT Consultancy – FDM Group

Security Control Assessor March 2013 – June 2015

Risk Management and Information Assurance / Security Control Testing and Evaluation

•Ensured proper system categorization using NIST 800-60 and FIPS 199; implemented appropriate security controls for the information system based on NIST 800-53 rev 4 and FIPS 200.

•Conducted an initial assessment meeting with stakeholders to discuss assessment scope, rules of engagement (ROE), resource requirements, and the timeline for the assessment.

•Developed a Security Assessment Plan (SAP) which documents the purpose and scope of the assessment and the assessment activities to be performed.

•Performed assessments using the Interview, Examine, and Test (I, E, & T) methodology and documented results using the Security Requirements Traceability Matrix (SRTM).

•Developed the Security Assessment Report (SAR) upon completion of the Security Test and Evaluation (ST&E) questionnaire using NIST SP 800-53A, required to maintain the Authorization to Operate (ATO), along with the Risk Assessment, System Security Plans, and System Categorization.

•Initiated a Plan of Action and Milestones (POA&M) for the identified weaknesses based on the findings and recommendations from the SAR.

•Developed recommendations for authorizations and submitted the security authorization package to the AO.

•Reviewed, maintained, and ensured all assessment and authorization (A&A) documentation was kept up to date.

•Performed information security risk assessments and assisted with the internal auditing of information security processes. Assessed threats, risks, and vulnerabilities from emerging security issues and identified mitigation requirements.

•Conducted post assessment meeting with clients to discuss SAR and POA&M.

•Analyzed results from vulnerability scanning tools such as Nessus.

•Conducted pre-assessment meetings with clients to discuss assessment scope, rules of engagement (ROE), resource requirements, and the timeline for the assessment.

•Reviewed, examined, and tested controls to provide assurance that applicable security controls are implemented correctly within the organization.

•Assisted ISSOs in creating and managing POA&Ms for identified system vulnerabilities and tracked findings to ensure they were remediated and closed.

•Managed temporary ATOs granted due to unforeseen contingencies identified during assessments, leading to the creation of open POA&Ms to track and remediate critical and high vulnerabilities before a 3-year ATO could be granted.

•Worked closely with engineers to ensure all identified vulnerabilities were mitigated post-SCA.

Standards / Controls / Frameworks / Software / Hardware / Platforms: Audit and Accountability, ITIL, ISO 17799, Certification and Accreditation, Application Control Testing, Compliance Testing, Vulnerability Scans, Risk Assessment, Change Management, Configuration Management, Contingency Planning, Policies and Procedures, Implementation, Incident Response, Media Protection, Physical Security, Computer Operations, Environmental Security, Network Security, System Security, Personnel Security, OMB Circular A-123 Appendix A, NIST 800-53, FIPS, FISMA, FIPS-199, FedRAMP, CSAM, Nessus, WebInspect, Windows, SORN, E-Auth, PTA, PIA, RA, SSP, CP, CPT, ST&E, SAR, POA&M, ATO, ISA, MOU, Remedy, PowerPoint, Visio, Word, SharePoint, Excel.