PROFESSIONAL SUMMARY:

●Accomplished Cybersecurity and IS Audit Analyst with 16 years of progressive experience managing vulnerabilities and ensuring the organization's information security program is effectively managed, compliant with relevant regulations and standards, and aligned with business objectives and best practices in governance, risk, and compliance, resulting in a 25% decrease in security incidents and vulnerabilities.

●Initiate and coordinate vulnerability scans and penetration tests, identifying gaps, and remediating 75% of security weaknesses before they could be exploited.

●Develops information security, training and awareness initiatives that support the organization goals in vulnerability and technology perspectives and reduce internal vulnerabilities by 75%.

●Conducts thorough reviews of legal contracts and agreements to ensure compliance with information security and privacy requirements.

●Strong collaborative, influencing and interpersonal skills, curious to understand the business environment with high ethical standards, and operating with absolute discretion and trustworthiness.

COMPETENCIES:

IT Security Audit - perform IT audits and controls testing for several client applications covering planning, execution and reporting phases and other related activities including development of engagement of risk assessment.

Sr. Information Security Analyst- develop and implement an e-governance, risk & Compliance program, resulting in a 50% decrease in vulnerabilities related to infra components, COTS tools and applications.

Strong Leader - Strong understanding of the NIST Cybersecurity risk & compliance frameworks, to lead, plan, execute, monitor, control and oversee the execution and implementation of the frameworks, with the ability to develop policies and standards and effectively communicate executive level reports and Cybersecurity risk functions to executives.

Keen Business Acumen - develop effective relationships and very resourceful with an aptitude for productive teamwork and relationship building. Manage all aspects of communications, acting on securing necessary procurements and performing all aspects of quality management.

Solid Interpersonal Skills – strong and excellent communication skills with proven ability to maintain and create effective networks with all levels of IT staff and business management.

Subject Matter Expert - lead seamless transitions to reduce infrastructure footprint, increase reliability, and broaden capabilities with scalable, stable, and secure solutions.

PROFESSIONAL EXPERIENCE:

BCA Watson Rice LLP (Part Time Consulting)

08/2023 - Present IT Senior Security Specialist Lanham, MD

Duties:

Devise control testing for several client applications used for generating Financial Statements.

Prepares SOC2 Readiness Assessment Plan that outlines tasks, procedures, deliverables, and timelines.

Develops and documents accurate and complete work papers that adequately support audit findings and work performed and present those findings to Senior Audit Leadership and executive level stakeholders.

Identifies, analyze, and evaluate cloud security and privacy risks through vendor provided SOC2 analysis and other cloud security control documentation.

Evaluate highly complex processes, risks and controls and identify observations for improvement or compliance and advisory engagements in accordance with Agile project management methodology.

Informs, advises, and issue recommendations to management regarding regulatory compliance with respect to data protection laws and guidance.

Assists Audit Management by conducting risk assessments and developing audit programs and test procedures, disclosing any deficiencies observed during the audit.

Leads information technology, business assurance and advisory engagements to identify bottlenecks in projects critical path and help accelerate project completion prior to deadline.

Applies authoritative references as guidance that includes the AICPA SSAE 18, NIST Special Publications, and ISACA IT Assurance Framework (ITAF).

Identifies risks and process deficiencies of IT solutions and processes to ensure that major issues are identified and presents these issues for biweekly departmental production support meeting.

Accomplishment:

●By adhering to the Service Organization Control Type 2 (SOC2) requirements, I ensure, that third-party service providers store and process client data in a secure manner to minimize the risk of data breaches or privacy breaches by 75% in accordance with the organization’s IT policies and practices for compliance with regulatory and legal requirements.

●Develops and enforces the implementation of security policies, procedures, and best practices that will result in a 25% decrease in security incidents and vulnerabilities over time.

CDC - Centers for Disease Control (Global Health Center)

10/2022 – 08/2023 Information Technology Specialist Atlanta, GA

Duties:

Devised a comprehensive understanding of internal and external risk within complex areas through proactive communication with senior management.

Provided input to the Senior management to support development of a dynamic Internal Audit Plan for related risks, and execution of audit activities against the areas of highest risk.

Provided team members with appropriate and adequate on-the-job training and professional development opportunities as well as consultative advice on team-wide training initiatives.

Adopted the risk management framework and designed, implemented, and improved the department’s cloud information security (FedRamp) and privacy compliance program based on applicable policies, federal laws, and regulations.

Led teams in execution of assurance and advisory engagements as part of the cybersecurity team, management process and the IT project intake process.

Assessed all delivered services against all relevant Service Level Agreements (SLAs) and customer satisfaction requirements and led reviews of the consumption of services, performance & compliance of operational controls.

Worked with application support team to manage the application Change Advisory Board (CAB) and developed training modules to help train CAB members in roles and responsibilities.

Maintained Configuration Control Baseline documentation and worked with Application Managers to manage Configuration Control Board (CCB) Meetings that included scheduled meetings, set up agendas, provided reference documents, and maintained public folders and SharePoint Sites.

Scheduled and conducted Lessons Learned meetings after change implementation and maintained and tracked Lessons Learned database, including improvement recommendations. Ensured that recommended changes were included and shared with appropriate stakeholders.

Identified organizational initiatives that impact the risk profile of the organization or Internal Audit entities and recommended approaches for audit involvement.

Represented Internal Audit in initiatives of moderate complexity and timely execution of related continuous auditing activities within moderately complex areas.

Accomplishment:

●Developed and implemented a security awareness training program, that resulted in a 50% decrease in security incidents caused by employee error.

●Conducted regular vulnerability scans and penetration tests, identifying, and remediating 75% of security weaknesses before they could be exploited.

Department of Health & Human Services

C-HIT, LLC - Enterprise Portal Services Project (EPS):

04/2021 – 10/2022 Senior Information Security Specialist Columbia, MD

Duties:

Worked with outside vendors on a broad range of specific technology controls and information security programs, policies, and standards, and made recommendations to direct management, related to services, product agreements and comprehensive or large project initiatives.

Coordinated the activities of various business units and vendors as part of the Project Team to develop and implement a Project Management Plan for each project that provides an appropriate level of detail.

Conducted regular project status meetings, and provided regular reports on the Project Status for all projects and demonstrated the continual assessment and mitigation of potential risks to project success.

Ensured that projects are defined, monitored, and implemented in a structured, consistent manner that promotes predictability and quality of outcomes so that projects are completed on time and within scope and budget.

Utilized the NIST framework to identify, protect, detect, respond, and recover from all malicious activities, including devices, networks, cloud (AWS/FedRamp), applications, data, and users.

Communicated valuable metrics to senior leadership, including timely visibility of security incidents, vulnerabilities, and issues.

Worked with DevSecOps team to perform application code reviews and provided enterprise security expertise to application/system development teams.

Accomplishment:

Monitored and analyzed security events and logs, identified, and responded to 95% of security alerts and notifications quickly.

Investigated and remediated a security breach, reducing the impact on the organization by 80% and preventing further damage.

Department of Health & Human Services

C-HIT, LLC - Identity Management Project (IDM):

08/2019 – 03/2021 Senior Information Security Specialist Columbia, MD

Duties:

Worked closely with the Chief Security Architect, to document high level business and functional requirements necessary to evaluate proposed projects and track project decisions on a backlog list.

Conducted gap analysis between identified requirements and requirements of existing IDM supported systems and determined the level of effort necessary to have existing systems meet these stakeholder requirements.

Utilized automated security tools to conduct security vulnerability assessments of systems and networked devices to facilitate risk-based decision making and determined if the proposed project aligns with IDM project strategic plans.

Completed a project intake analysis report that included results and outlined possible solutions, and risks associated with each IDM solution for review approval and prioritization by all stakeholders.

Developed and maintained a thorough knowledge of Risk Management with an emphasis on the interplay between various capabilities as well as their enterprise-wide impact.

Communicated program controls, metrics, and assessment results confidentially, professionally, and effectively, in both written and verbal formats, with business, technical, and third-party stakeholders.

Collaborated with specialized areas of risk, and control assessments and prepared high quality risk assessment reporting for senior executives and Risk Committees as required.

Accomplishment:

●Configured and maintained security tools and systems, resulting in a 30% increase in system reliability and availability.

● Developed and implemented security policies, procedures, and best practices, that resulted in a 25% decrease in security incidents and breaches.

Department of Homeland Security (DHS) – (Unisys Federal - Federal Contracts)

09/2008 – 08/2019 Information Systems Security Officer (ISSO) Arlington, VA

Duties:

Managed all security requirements as defined by the CSPO Assessment and Authorization Process, NIST -SP-800-53/A/B/FISMA/FIPS-140-2 and related Federal Government directives.

Defined, developed, implemented, and managed standards, policies, procedures, and solutions that mitigated risk and maximized security, service availability, efficiency, and effectiveness.

Worked with system stakeholders to document all requirements for approved projects and systems.

Assisted in planning and performing required project-level reviews, reports, maintenance, and control of associated records and managed Project Management Contracts as necessary.

Worked with business units to align Project Management processes, documents, and systems, and supported the training and development of Project Management skills throughout the DHS IT.

Performed due diligence with third party vendors to ensure compliance with organization requirements.

Managed the quality and timely delivery of applicable risk and control program activities such as business continuity planning and preparedness, business impact analysis, exercises, and overall exercise strategy, and testing of controls.

Facilitated education and training to the organization on cybersecurity procedures and controls.

Accomplishment:

●Collaboratively developed a security architecture and design, that resulted in a 20% increase in system security and resilience.

●Researched and evaluated emerging security threats and vulnerabilities, and provided recommendations for mitigation and prevention that were implemented.

●Developed on-going technology risk reporting, and defined risk metrics to regularly measure control effectiveness that reduced organizations level of risk exposure and vulnerabilities by 25%.

SKILLS & CORE COMPETENCIES:

• Security awareness training • Risk assessment and mitigation

• Vulnerability scanning • Penetration Testing

• Security event monitoring and analysis • Incident response and remediation

• Security tool configuration and maintenance • Security policy development and implementation

• Cross-functional collaboration • Cloud Security

Experience & Knowledge of Electronic Health Record and Case management systems; implementing security solutions for cloud-based systems, including IAM, IGA governance, network security, data protection, and compliance.

Experience & Knowledge of IT technologies (e.g., Cloud Computing, Operational Technology, Network Architectures, Software Development, Operating Systems, Databases, COTS Applications, Datalake) and related processes, controls, and risks.

Experience with Cloud Security (AWS/FedRamp/HIPAA/HITRUST), NIST CSF assessment and implementation (Segregation of Duties analysis) and ISO Standards (ISO/IEC 27001/GDPR/SOX), and SOC2 Compliance.

EDUCATION/TRAINING/CERTIFICATIONS:

Johns Hopkins University, Baltimore, MD

Master of Science Degree - Information Systems and Telecommunications

Graduate Certificate, Information Security & Risk Management

Strayer University, Washington, DC

Bachelor of Science Degree - Business Administration

ISC2 Certification and Accreditation Professional (CAP) (DoDI 8570.01-M IAM Level II)

CompTIA Security+ CE Certification (DoDI 8570.01-M IAT Level II)

Certified Information Systems Security Professional (CISSP)–Expected Completion Date – June 2024

INFORMATION ASSURANCE TOOLS:

RMF processes using GRC RSA Archer; eMASS; Datalake; Trusted Agent FISMA (TAFT); NIH Cyber Security Assessment Tool (NCAT); Cyber Security Assessment and Management (CSAM) Tools; XACTA (IACS) 360 IA Manager; Agiliance Risk Vision (RV); CMS FISMA Assessment Controls Tracking System (CFACTS); & Jira; SharePoint; Service Now; Confluence; Agile framework such as Scrum; MS Office:

PROFESSIONAL DEVELOPMENT ACTIVITIES:

I lead and perform research work on security projects related to Governance, Risk and Compliance.

I do weekly presentations to management on the security posture of the systems I manage.

I coordinate courses on Security Awareness and training and Risk Management annually.

I attend seminars and training courses for professional development.

Contact this candidate