
Information Security Manager

Location:
Roswell, GA
Posted:
March 13, 2024


Resume:

Gregory Upham

ad4a7l@r.postjobfree.com

678-***-****

Information and Cyber Security Professional

I am a proven security professional with over 23 years of experience. This includes creating IT/Security policies, procedures and guidelines, developing training material for employee security awareness, performing penetration tests and vulnerability scans, and creating and monitoring global corporate SOCs. I have performed PCI-DSS audits and PA-DSS assessments, SOC 2 Type I & II reports and HITRUST audits. I have worked directly with developers to ensure secure programming best practice guidelines are met. I have led successful project teams for national technology initiatives. I have extensive experience with various SIEM products, IDS/IPS tools and applications, firewalls (hardware & software), web application scanners, and secure wireless technologies.

Professional Certifications & Organization Memberships

•CISM – Certified Information Security Manager (# 1323633)

•CISA – Certified Information Systems Auditor (# 15121005)

•MCSE – Microsoft Certified Systems Engineer (# 1328892)

•Security+ (COMP001020176395)

•Network+

•CISSP (under study)

•CRISC (under study)

•Member CSA (Cloud Security Alliance)

•Member ISACA (Information Systems Audit and Control Association)

InfoSec/IT Experience

Trustmarq Global Services – https://trustmarq.com Mar 2023 – present

oCISO - Office of CISO Security and Service Advisor

•Established enterprise-wide and business-aligned cyber security programs based on NIST Cyber Security Framework, ISO 27001, and SANS Critical Security Controls

•Provide strategic advisory and consulting services to empower a business-aligned and metrics-driven cybersecurity program to clients

•Performed application security assessment services, including review of custom-built applications at every stage of the development lifecycle

T-Mobile – https://t-mobile.com Jan 2023 – Mar 2023

Senior Policy Analyst

•Responsible for working with technology teams, understanding their requirements, translating this into security policy, and updating the appropriate policy documents

•Manage cross-functional teams, drive policy updates, and manage important timelines

•Consult with management on organizational strategy and goals

BioSerenity – https://www.bioserenity.com/ Nov 2020 – Sep 2022

Information Security Manager

•Create and implement Information Security Management Program (ISMP) from the ground up, including writing, reviewing, and editing entire corporate library of policies (based on NIST CSF and HITRUST CSF)

•Create both the Risk Management and Third-Party Risk Management (TPRM) programs

•Lead monthly Security Management Group meetings to communicate to leadership the results of ongoing improvement of the Information Security Management Program, including goals achieved, roadblocks found and how to overcome them, and suggestions for future initiatives

•Meet with vendors and review/suggest products/offerings for needed security projects

•Create ISMP website (SharePoint) as a repository for all security and risk documentation as well as helpful cybersecurity links and resources for employees. Executive management decided to use the website as the company intranet

•Monitor, configure, and review all company cloud environments, including three AWS instances, Azure/MS365, Salesforce, and GCP

•Improve Salesforce’s Security Health Check rating to 98%

•Prepare company for HITRUST assessment

•Implement Security and Awareness Training for the US side of the company and make available for our French employees (all courses in French and Spanish)

•Create and hold tabletop exercises for both Incident Response and Business Continuity/Disaster Recovery

•Develop and implement security processes and procedures that both enhance security/reduce risk and reduce redundancy and ‘red tape’

•Create global BC/DR Plan and lead tabletop exercises

Aflac – https://www.aflac.com/ Mar 2020 – May 2020

Global Security Assurance Consultant

•Using NIST CSF/800-53, measure operating design, effectiveness, and efficiency of the Aflac Global Security program as well as the overall maturity level including subsidiaries

•Build and maintain the cybersecurity control library composed of global and regional controls aligned against NIST CSF and utilizing NIST 800-53 controls as a basis

•Perform quality review of requests for control test script changes across all regions

•Communicate to leadership the results of assurance testing and changes affecting Aflac's information security posture, while applying Aflac's risk tolerance and risk management approach in evaluating the security posture, and escalate matters of significance

Equifax – https://www.equifax.com/ July 2019 – Mar 2020

Senior Security Engineer

•Assist in FedRAMP compliance initiative to create and maintain the System Security Plan (SSP) and oversee continuous monitoring and reporting on Plans of Action and Milestones (POA&Ms)

•Perform internal controls testing for SOX/SOC2 compliance and certification initiatives, including financial applications, Windows/Linux/Unix operating systems, Oracle/Siebel/SQL Server databases, AWS/Google cloud technologies (SaaS and PaaS), as well as various network appliances and security tools

•Perform internal controls testing/audit (based on NIST CSF) for the global settlement consent with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S states and territories regarding the 2017 data breach. Testing included all web-facing applications, internal financial applications, mainframes, and all technologies using, transferring, or storing PII and consumer credit data

•Creating/updating Archer records for compliance and risk management

Meditology Services – https://www.meditologyservices.com/ July 2016 – Mar 2020

Senior Information Security Analyst – perform SOC 1/SOC 2 testing, HITRUST/HIPAA assessments, third-party vendor risk management and remediation, and client engagements with third-party vendors.

Meditology Projects and Staff Augmentation Engagements:

Piedmont Healthcare – https://www.piedmont.org/ Feb 2018 – Jan 2019

Information Security Risk Analyst

•Leveraged NIST 800-37r2 (RMF) and 800-30r1 (Guide to Risk Assessments) to establish foundation for IS risk management team – created risk assessment templates, procedures/processes, and baselines

•Perform qualitative analysis for risk assessments of medical devices, software, hardware, and third-party vendors; utilized NIST 800-53r4, NIST RMF (800-37r2), NIST CSF, and HITRUST CSF

•Execute risk assessment program, perform research, interviews, and analyze findings to produce actionable reports

•Perform risk assessments that assisted Merger & Acquisition activities for new hospital onboarding

•Contract reviews – BAAs, MSA, SLAs - ensured organization’s data security was effectively covered and represented

•Assist in establishing foundation for organization’s GRC program

•Gather and submit evidence for internal and external audits, including PCI-DSS, third-party vendor, cloud service provider and HIPAA/HITRUST audits

•Create process and training documentation for Risk Management team

•Led senior management’s ‘Policy Review Committee’

•Authored ‘Policy Review Committee Charter’

•Managed ‘new policy’ project, from creation-to-review-to-publishing, ensuring policies aligned with HIPAA, PCI-DSS, and information security best practices

•Collaborated with Legal, Compliance, HR, and Privacy departments on policy content and structure

CollabIP – https://tethr.com/ Jan 2018 – Feb 2018

Information Security Consultant

•Reviewed PCI-DSS assessment performed by client's QSA

•Assisted in updating PCI-DSS environment

•Assisted cloud vendor client with PCI-DSS assessment

•Worked with QSA to gather evidence for client’s PCI-DSS assessment

•Created Information Security Policies for cloud vendor

•Produce final report for client

CenterLight Healthcare – https://www.centerlighthealthcare.org July 2016 – Aug 2017

Information Security Consultant

•Design, create, and administer the Security Operations Center (SOC)

•Configure and administer SIEM (SolarWinds LEM), security e-mail gateway (Clearswift), enterprise anti-virus suite (McAfee ePO), and multi-factor authentication trusted access platform (Duo)

•Administer Cisco Security Manager, Cisco Cloud Web Security (ScanSafe), and Cisco Prime Infrastructure

•Conduct annual firewall risk assessment

•Conduct annual wireless security risk assessment with external auditor

•3rd level support of security related incidents

MiMedix (for Pyramid Consulting) – http://www.pyramidci.com/ June 2016 – July 2016

Information Security Consultant

•Create needed IT/Information Security policies, and edit/update existing/outdated policies and procedures

Georgia Department of Human Services (DHS) – https://dhs.georgia.gov/ Jan 2016 – May 2016

Information Security Analyst

•Review, edit, & update existing/outdated policies and procedures

•Assist in preparation and execution of an IRS Safeguard Security Review (audit) – all Federal Tax Information (FTI) data is protected; meet requirements for IRC 6301 using IRS Publication 1075 and NIST 800-53 v4 and FedRAMP/FISMA

•Creation/submission of compliance documentation: SSR, SRR, CAP, POA&M, Inspections, etc.

•Controls testing and auditing (CMS/IRS/DOAA audits)

•Assist in planning, directing, and coordinating agency activities related to info security

•Assist in developing and enforcing the organization’s security policies, standards, and guidelines, security awareness, security information portion of the business continuity and disaster recovery plans, and all industry and government compliance issues

•Assist in incorporating the design, deployment, management, control, and updating of platform and user specific security policies on a diverse range of internal hardware platforms supporting various software and operating systems

•Conduct risk management analysis to identify areas of risk and to develop security measures to prevent losses

•Work with business owners, IT managers, staff, and vendors in order to provide timely and efficient IT coordination of security services to meet agency needs

•Communicate with senior execs through oral and written reports and presentations

•Develop and implement IT system security plans, projects and initiatives

•Developed application security and risk analysis checklist and procedures

•Incorporate security into the SDLC process for new and existing application initiatives

The Royal Bank of Scotland – www.rbs.com March 2014 – Jan 2015

IT Security Analyst III

•Internal security auditor for International Banking using both the COBIT 5 framework and ISO 27001 set of standards

•IT/IS controls testing for SOX/PCI-DSS Compliance

•IT/IS security controls testing

•Quarterly reviews with senior management on the state of information and IT security

•Documenting of audit tests, evidence, and results

•Updating audit test plans and procedures

•SME for networking and security related issues

•Work with Sr VPs/Directors, application owners/managers to resolve security issues affecting their domains and business units

•Review all security policy documentation

•Review and make recommendations for Business Continuity/Disaster Recovery procedures

Xerox Services (formerly ACS) – services.xerox.com Oct 2007 – March 2014

Senior System Administrator/Systems Developer Senior Specialist

•Support multiple airport parking systems throughout the US and Canada

•Project leader for PCI audit preparation and certification

•Conduct internal PCI/PA-DSS audit of web application and network

•Work with IBM external auditor on PA-DSS certification for web application and supporting network

•Create QA use cases and testing procedures for multiple projects

•Assist with third party IT forensics teams to determine cause of breaches at customer sites (our applications were never compromised or cause of a breach)

•Responsible for ISO 9001 compliance for our team’s IT systems

•Primary system administrator for airport parking revenue systems

•Work directly with clients and third-party vendors on various airport projects

•Responsible for PCI-DSS security and compliance for multiple clients – successfully passed two PA-DSS certifications on first external audit review

•Support and QA for multiple concurrent client projects

•Track projects, defects, issues using JIRA

•Penetration testing of web applications and related servers/networks

•Write training and technical documents for various procedures within our group

•Train team members on security and compliance issues

•Use of Oracle and SQL Server queries and database manipulation

•Evaluate various 3rd party cloud vendors (MS Azure, Amazon Web Services, etc.)

First Investor Financial Services – www.fifsg.com March 2006 – Sept 2007

Senior System Administrator

•Create all corporate IT policies and document existing procedures

•Install/configure variety of HP/IBM servers, workstations and laptops

•Responsible for network and database security

•Responsible for backups and disaster recovery

•Report to COO & IT Director on security and network issues

•Install/maintain Cisco routers/switches network

•Mentor desktop support team (act as level 2 support)

•Developed corporate security, audit and IT policy and procedure documents

•Test new applications for compatibility with legacy financial systems

•Install and configure Barracuda e-mail security appliance

NationsBuilders Insurance Services – www.nbis.com Feb 2005 – March 2006

Network Manager/Security Manager

•Worked with senior management team on producing a secure, best-in-class network for both employees and customers

•Lead meetings with executive management on the state of IT and Information security for entire organization

•Install and configure a variety of Dell PowerEdge servers, workstations and laptops

•Installed and configured Cisco wireless network

•Installed and configured SQL Server Reporting Services

•Strong emphasis on planning and documentation

•Responsible for virus protection on all servers/workstations

•Monitor logs for servers, applications, network devices

•Test disaster recovery strategy annually – offsite datacenter for emergency business continuity (warm site testing)

Alliance of Professionals and Consultants – www.apc-services.com June 2004 – Feb 2005

Computer Engineer Technical Lead

•Project team lead for computer technicians on wide variety of banking and medical projects nationwide, repairing/replacing motherboards, imaging hard drives, replacing computers in hospitals, schools, local governments, and businesses

Prosero (formerly FacilityPro.com) – www.prosero.net Sept 2000 – May 2004

System/Security Administrator – Network support and corporate website administration

•Installed & configured Dell PowerEdge and WebApp servers with Windows NT Server & Windows 2000 Server

•Installed & configured MS SMS 2.0 for network management

•Installed & configured MS SUS for auto updates of patches/fixes

•Responsible for disaster recovery implementation and testing

•Configure and test backups; install and set up tape drives; store tapes offsite

•Edit & update corporate website, IIS, & JRun administration

•Installed & configured various Linux servers (Mandrake, RedHat)

•Exchange 5.5 & SQL Server 7.0 administration

•Installed & configured DNS, WINS, & DHCP

•Supported Windows 98, 2000, & XP Pro desktops/laptops

•Installed & configured Netscape LDAP Server (iPlanet Directory Server)

•Admin for contract management software - Contract Manager (CMSI)

Intranet Webmaster

•Designed GUI and administrated corporate Intranet on IIS, which was used to submit PTO, communicate with CEO, and access corporate documents

•Installed/configured and secured IIS 5.0, including FTP

•Configured test intranet weblog on Linux (Redhat) using Apache WebServer

Spire Inc. – www.spire-inc.com June 1999 – Sept 2000

Lead System Administrator – Responsible for both network & end-user support

•Completely reorganized software catalog & licensing

•Collaborated with executive management on securing and expanding network infrastructure as company grew by over 100% in 2000

•Upgraded Exchange 5.0 to 5.5; prepared 5.5 for 2000 upgrade

•Installed & configured Active Directory on Windows 2000 servers

•Educated users on e-mail viruses – blocked 2 potential infections from e-mail attachments

•Reconfigured ArcServeIT data backup correctly (no working backups for months prior to my employment)

•Installed & configured Compaq Prosignia Servers with Windows 2000 Server

•Installed & configured DDNS, DHCP, & VPN on Windows 2000 servers

•Train network support personnel to assist in providing network support for organization

Education

Master of Information Technology (MIT)

American Intercontinental University – Atlanta, GA

Bachelor of Business Administration (BBA) – International Business

Minor: Economics

University of Georgia – Athens, GA

Other Work Experience

Domestic:

Manager: T’s Parkside Bar & Grille – Marietta, GA

•Responsible for 10+ kitchen employees (hiring, training, reviews)

•Reduced food-cost, dry goods-cost, labor-cost

•Received excellent Health Inspection ratings

Manager: Ernie’s Steakhouse – Marietta, GA

•Responsible for 7+ kitchen employees

•Known for quick problem-solving under stressful conditions

•Mediated employee conflicts
