
Information Security Project Management

Location:
Casper, WY
Posted:
June 11, 2024

Resume:

eric salveggio

Certified Identity Governance Expert (CIGE)

Certified Identity and Security Technologist (CIST)

Certified Information Security Specialist (CISS)

**********@*****.*** 307-***-****

CORE KNOWLEDGE & SPECIALIZED SKILLS

●Security Consultant

●Project Management

●Administration and team lead capabilities

●Audit/Implementation and monitoring of 27001, NIST, FISMA, HIPAA, FINRA, SEC, FERPA and others

●Cybersecurity Strategy

●IoT Security

●Comprehend and able to implement regulations for privacy, security, and compliance

●Vulnerability Management

●Threat Modeling

●Risk Management

●Training and Presentations

●Perfect Translation of Client Needs

●Perform and Develop IRP, BIA, COOP, DR, SSP and others

●Develop and monitor best practices and baseline security controls

●Ability to align team behaviors, talents and priorities to conquer all challenges

●Conflict Solving

Professional Summary

M.Jur with focus in Cyber Law and Policy from Texas A&M School of Law (2021-2023)

Master's Degree in Information Assurance from Norwich University (2002-2004)

30+ years of cyber and physical security experience providing sound expertise:

●Project Management for corporate, international, and military IT projects

●Cybersecurity Strategy, Architect and Analysis functions

●Auditor, Trainer and SME of GRC, IAM, IRM, NIST, FIPS, FedRAMP, ISO 27001, ISO 17799, ISA/IEC 62443, CMMC, Department of Defense (DOD) requirements, FISMA, FISCAM, HIPAA/HITECH, SOX, SOC2 for Veterans Administration and Municipality, GDPR for international medical company, CCPA, and others

●Third-Party Risk, Business and IT Operations management and assessments

●Identifying, evaluating and reporting on legal and regulatory, IT, and information security, cybersecurity risk to information assets, while supporting and advancing business objectives

●Development of SOPs and Procedures for Information Security, Cybersecurity, Cloud Security, IoT Security, Infrastructure Security, Product Security, Defensive Engineering, and Identity and Access Management

●Evaluation and design of security reference architecture for medical devices using BT, Wi-Fi, 5G and AI enhanced applications

●Information Security Officer (ISO) duties within medical, industry and government positions

●Health Insurance Portability and Accountability Act (HIPAA) Officer duties

●Vulnerability Management, Risk Assessment, and Physical Security duties

●Comprehensive understanding of Corporate 100 thru 500 logistics and challenges

●Ability to communicate with Senior Management & work in a fast-paced environment

●Deep knowledge of security models for Cerner, Access Management, Privileged Access, Supply Chain Management

●Threat mitigation using layered defense strategies, creation of cyber and physical security policies, administration, maintenance, consultation and helping develop long-term strategies

●Documentation development to include policies, procedures, threat and control matrices

●Expert in coordinating and partnering with multiple peers, stakeholders, SMEs and applicable personnel

●Multitasking abilities to accomplish one or more moderate to significantly complex projects

●Tracking process exceptions: identifying, defining, establishing, and implementing improvement areas and training

●Assist or create procedures in creating controls and audit schedules to continuously monitor compliance

●Provide detailed reports for ongoing projects

●Excellent communication, analytical and problem-solving skills

Held Tier IV Hi-BI clearance 6/15 – 7/23

Member American Bar Association

Member Underwriters Laboratories' UL 2900 Standards Technical Panel

Member IoT Security Foundation

Liaison for IoT Security Foundation and FIDO

Planning Committee member for 2023 Barcelona Cybersecurity Congress

Adjunct professor and Advisory Board member of Cyber Security, Cyber Forensics and International and US Cyber Law at Casper College, Casper, WY

Builds and fosters team collaboration and unity, even in cross-functional environments. Raises bar of standards and expectations of peers and others engaged in projects or initiatives

Stays current on cyber threats and mitigation techniques through contacts within the Federal Bureau of Investigation (FBI) as a secure InfraGard member and other agencies, and trains others on same

PhD Candidate, Nova Southeastern University, Information Systems/Security

Honors and Affiliations

Ph.D. course work resulted in topics being taught at FBI’s InfraGard meetings

Recognized for work within cyber security education field by Stonesoft Corporation

Nominated for 2013 IT Leadership Award for work performed while ISO at Wyoming Medical Center during 2012

Nominated in 2005 for Southeast IT Security Professional of the Year, being the only educator nominated out of a field of 200

Technical editor with Pearson Education, and Thomason Publishing for the following areas of course material: cyber forensics, cyber security, and operating systems

Research

Ph.D. research - Course project results in blending of Institute of Asset Management (IAM), Information Services Office (ISO), and NIST standards creating new, unique auditing procedures, as well as becoming part of non-classified side of a DOD cyber warfare project

Teaching

(Current) Classroom and online adjunct instructor for Casper College in computer forensics (to include EnCase), network security, International and US Cyber law

(Previous) Online Instructor in Business Management Information System (BMIS) courses for Liberty University

(Previous) Online instructor in auditing, business continuity, and Disaster Recovery for Norwich University

Publications

Co-author of three chapters for Computer Security Handbook, Wiley Publishing, 5th (2009), and 6th (2014) editions

Author of “Your (un)reasonable expectations for privacy”, 2004, ACM Ubiquity online

Accomplishments

Outstanding leadership and client relations escalated total student body count to a consistent 8-10% rate of growth during tenure as IT Director at Virginia College in Birmingham, AL

Information Security experience helped create three accredited Information Security degree programs for Virginia College

Consultant in IT Security and Auditing for Dynetics Corporation

During tenure as ISO at Wyoming Medical Center, an externally conducted cyber security assessment by CynergisTek revealed an over 50% increase in HIPAA and HITECH compliance efforts within a nine-month period during 2011 (22% to 76%)

Work experience created the position of Principal Security Analyst at Armavel, LLC, on contract to Veterans Administration

Memberships

Association for Computing Machinery (ACM)

Institute of Electrical and Electronics Engineers (IEEE)

Information Systems Audit and Control Association (ISACA)

Information Systems Security Association (ISSA)

Educational Achievements

Master of Jurisprudence, Cyber Law, Texas A&M School of Law, 2023

Doctorate of Philosophy coursework, Information Systems focusing on Information Security, NSU 2010

Master of Science, Information Assurance, Norwich University, Summa Cum Laude, June 2004

Bachelor of Science, Management Information Systems, Virginia College, Summa Cum Laude, 2002

Certifications

American College of Forensic Examiners: Certified in Homeland Security (CHS®-III)

Cisco Certified Network Associate (CCNA) Trained

Chauncey: Certified Technical Trainer (now CompTIA CTT+)

CompTIA: A+, Network+, Security+

Computer Associates: eTrust Security Suite trained

Embry-Riddle Aeronautical University: Aviation Maintenance Technology (AMT) Certificate

Microsoft Certified Professional + Internet (MCP+I)

Microsoft Certified Systems Engineer (MCSE)

Planet 3 Wireless: Certified Wireless Network Administrator (CWNA)

Wireless, ISO 17799, National Security Telecommunications and Information Systems Security Instruction (NSTISSI) 4011 and 4013 certificates

Professional Work History

Cybersecurity Strategist and Consultant

Trustthink, LLC

3930 Utah St Ste 1

San Diego, CA 92104-2939

03/2024 – 07/2024

Contracted for a four-month, as-needed period to work with team leads as cybersecurity consultant on GRC, privacy and security requirements to obtain FDA 510(k) clearance for a new medical device. The device transmits via Bluetooth to a controller and screen in the operating room for doctors to view.

Sr Cybersecurity Strategist and Policy Writer

K2Share

1005 University Dr East

College Station, TX 77840

11/2023 – 2/2024 40 hr work week minimum

Contracted to work with Dept. of Transportation CISO to improve cybersecurity policies, advise on audit findings and provide cyberlaw and cybersecurity insight for compliance with regulatory requirements.

Technical Consultant and Contract Proposal Writer

Gen3 Technology Consulting, LLC

101 Lakeforest Blvd, Ste 380, Gaithersburg, MD 20877

08/2023 – 12/2024 work as required

On call to review and take lead on writing sections for various contract proposals using all previous experience and education. Supports and assists in (now two successful) HACS SIN testing. Contract proposals consist of entities such as Treasury/IRS (won, 2/24), OIG, FAA and others. Primary concentration is on GRC, HIPAA, NIST, regulations, law and high-level technical needs.

International GRC Consultant

General Prognostics

Self, 3441 E. 18th St, Casper, WY 82609

10/22 – 01/23 Work as required

Contracted to help start-up medical company General Prognostics (GPx) out of Barcelona, Spain. Duties are to 1) help GPx achieve HIPAA compliance; 2) help in the FDA certification process; 3) help achieve GDPR and ISO 27001 compliance to bring the product back to the EU/UK. Current status: HIPAA compliance guidelines are in the company's hands for implementation.

Sr Enterprise Security Analyst and Architect

Armavel, LLC 2715 64th Ave NE, Tacoma, WA 98422

06/20 – 07/23 40 hr work week

Led a team in assessing, designing and providing guidance on implementing IoT, Medical Device and Cloud security reference infrastructure for the Veterans Administration at Enterprise Security Architecture, VACO. Work included creating new suggested baseline security controls, boundary security controls, infrastructure design/policy and architecture for medical IoT devices, research for all IP-enabled devices, and other assignments as required. Technology includes Wi-Fi 5, 6 and 6E, 5G, Bluetooth and AI-enhanced applications. Created two DevSecOps courses on Container Secrets Management and Container Creation and Management; intended audience is 1600 VA developers. Created the first-ever MITRE ATT&CK matrix specifically tailored to medical devices. All baselines are audited for GRC, IAM and IRM compliance according to VA, regulatory and industry standards, to include FISMA, RMF and CSF compliance. Collaborated heavily with Cloud, Wireless, DevSecOps and Medical Device Risk Management teams.

Information Security Consultant

CynergisTek (now part of Clearwater)

11940 Jollyville Rd, #300-N, Austin, Tx 78759

12/19 – 06/20 40 hr work week

Contracted to Sutter Health, California. Acted as Information Security Consultant, to include GRC, IAM and IRM compliance, within the entire Bay Area for 60 hospitals and over 200 affiliates. Acted as the face of the Sr Information Security Officer for the Bay Area with all authority. Duties included privacy and information security rounding, training of new privacy and information security analysts, and giving security and auditing advice on biomedical and IT devices and architecture that would allow better compliance and security for CCPA and HIPAA regulations. Daily reports were logged in a local tool and sent to the local ISO via email. Performed investigations of IT security anomalies such as erroneous logins and GPO settings, and other duties as assigned.

Azure Cloud Security Administrator/Consultant

KForce

1150 Assembly Drive, Suite 500, Tampa, FL 33607

05/19-10/19 40 hr work week

Subcontracted to PowerSchool remotely, fulfilling the duties of updates, security and patching for over 8,000 virtual and on-prem servers using Azure Security Center, IBM BigFix, Qualys, JIT (Just In Time) and several other tools. Provided consultation on Saviynt for Cloud Governance. Provided security expertise and GRC, IAM and IRM consultation for audit, policy, and federal regulations for international and US requirements (GDPR, CCPA, HIPAA, PCI DSS, FERPA, GLBA, and SOX based on NIST SP 800-53 and ISO 27001), and for incidents and remediation as they arose. With the aid of senior Microsoft analysts, helped solve two Active Directory issues: one that had been plaguing the company for almost three years, the other a break in communications between an on-prem database server cluster and a new one in Azure. Handled Multifactor Authentication, IAM, and AADS issues, requirements and remediation. Performed triage on 6 remote servers to ensure they were clear of ransomware.

Tier 4 Sr Security Analyst

MicroSystems Automation Group (MSAG)

2785 Hartland Rd Unit B, Falls Church, Virginia, 22043

06/2015-05/2019 40 hr work week

Ranked by peers and leaders among top 10 lead ASMR CRISP contractors for 2016

●Specifically supported the Federal Aviation Administration (FAA) Office of Airports (ARP) with the development of long-term strategies to improve the Agency response to cyber threats, GRC requirements, and optimize mitigation strategies. Responsible for analyzing COOPs (Continuity of Operations Planning), improving the Agency processes, auditing existing practices and identifying gaps. The role included the task of reviewing Cyber Security Tools utilized by the FAA, network topologies, intrusion detection systems (IDS), Public Key Infrastructure, and assessing the security strength of ARP's network

For Veterans Administration:

●GRC Team lead performing remote audit, policies, procedures reviews, and security consultation for (then) Region 1.

●Complete revamp of 17 Standard Operating Procedures (SOPs) based upon NIST SP 800-53r4. Standardized comments and evidence for audit purposes. Project completed 6 months ahead of schedule.

●SME: FISMA audit on RTLS (Real Time Location Service) system, Risk Based Decision memo SOP and review/approval process, National Authority To Operate (ATO) Tiger Team - 113 ‘trouble’ systems obtained ATO. Trained team members on proper audit procedures and evidence.

●Coordinating schedules/workflows for all other contractors, Issuing training/clarification emails

●Liaison for ASMR, SMD, and the Regional Director on weekly reports and updates

●Coordinating with three Regions' Facility Chief Information Officers (CIOs) and Information Security Officers (ISOs) for review of documentation for final approval/signature at Regional level

●Created Privacy SOP using NIST SP 800-53r4

●Medical Device Protection Program (MDPP). Acted as Cyber Security Strategy Team Lead, Auditing, GRC and Cyber Security SME, Liaison to VA. Continuing updates to cyber security Strategy paper. Detailed current, future and proposed cyber security strategies for the VA’s BioMed devices and networks including Cloud and IoT. White papers on trends, strategies and suggestions for reciprocity, boundary controls and others written.

●Developed Vulnerability Management process for medical, Special Purpose System and IoT devices

●SME, IoT CRADA for UL2900 series, helping MDISS revamp their MDRAP (Medical Device Risk Assessment Platform) to include Cloud and IoT.

●Lead contractor and SME (along with 9 Ablevets and Amida-Tech remote contractors) on an Enterprise Project Management Office (EPMO) project writing NIST SP 800-53r4 into Agile-style formatted Security Epics, Sub-Epics and User Stories for the VA's mandated IBM Rational Collaborative Application Lifecycle Management toolset and repositories for OI&T information technology projects and future ATO certifications. This never-before-attempted effort was well received at the 2016 National PM Symposium held in Virginia. The project enables an enterprise-level security implementation tool supporting Agile Sprint Management, Architecture Design, Product Construction, Change Management, Configuration Management, Requirements Management, Test Management, and Risk/Issue Management. The application was shown and taught to dozens of VA project teams and the top 15 Project ISOs, and has the full support of the Office of Information Security. Tools developed within this project have been adapted for use within other VA divisions.

●IBM Project went VA-wide with an official Field Service Security Bulletin (#342). Has full backing of OIS, OIT and all high-level VA ISOs. Project is now part of VA CISO's BESAFE initiative in helping the VA strengthen its cyber security posture.

●Acted as lead Cybersecurity advisor to VA PMs for new, updated, and Cloud projects, showing how to use and apply new IBM Security User Stories for ATO and GRC requirements, and advising on evidence.

●Tasked with adopting FedRAMP requirements into the IBM Rational project and helping train all VA Project/Program Managers and Project ISOs on the project's use.

Asked to actively participate in the following groups: Multi-Agency Privacy and Security Tiger Team (Information Interoperability Technical Package (I2TP)), Engility SRSC, IAM, ICAM, and HIDS

Information Technology Manager/ISO

Town of Mills, WY

12/2013 to 03/2015 40+ hr work week

Groundbreaking position—Infrastructure of Mills, Wyoming, previously outsourced (GS-15 equivalent)

Managed entire infrastructure, security, and websites of the town's fire department, police, public works, and library networks. Implemented a set of cyber policies and procedures for computer use, where none existed, based upon NIST SP 800-53r5.

Sole person responsible for full infrastructure, security, GRC, IAM and IRM compliance of Town of Mills. New website built in first 90 days. Revamped the entire firehouse and Town Hall infrastructure, upgrading to Windows 7 Professional and Server 2012. Installed onsite backup systems

Configured police station’s WatchGuard® car video systems, firewalls, routers, and switches. Resolved Virtual Private Network (VPN) problems plaguing town’s emergency services for over a year

Mapped, recorded, and created manuals of entire infrastructure –with exception of user names, passwords, and Internet Protocol (IP) addresses (no previous infrastructure information was available)

Relocated town’s main database to new server; upgraded to Microsoft® SQL Server™

IT Director / ISO

Rocky Mountain Communications

414 S Elm St, Casper, WY 82601

02/2012 to 02/2013 40 hr work week

Subsidiary of Rocky Mountain Oilfield

Disaster recovery (DR), overall maintenance of network (wired and wireless), security, 100-user Kerio Voice over IP (VoIP) and email system, and Dell® storage area network (SAN) storage units

Cambium (Motorola) radio configuration and documentation for Oilfield customers. SAP manager and trainer. Created policies and procedures for standardization, and security of systems

Managed Access Control Lists (ACLs), virtual local area networks (VLANs) and IDS tools. Company provides Internet communication to oil fields and devices for oil companies covering Wyoming, Colorado, and the Dakotas

ISO / HIPAA Officer

Wyoming Medical Center

1233 E 2nd St, Casper, WY 82601

12/2010 to 01/2012 40 hr work week

Groundbreaking position—ISO and Privacy Officer for 1200 personnel, 250 bed, Level 2 trauma center for city of Casper, WY (GS-14 equivalent)

Member of state Health Information Exchange (HIE) Board for HIPAA and Health Information Technology for Economic and Clinical Health (HITECH) security consulting. Responsible for patient privacy, cyber security, business continuity, DR processes, policies complying with state and federal regulations for both in-house and outlying physicians using the center's portal, and training of personnel

Served on the Compliance, Data Governance, and Computerized Provider Order Entry (CPOE) Upgrade Boards. Team member for Cerner contracts negotiations

Web Security Officer for ongoing Cerner installation. Instrumental in setting up first FairWarning auditing device in Wyoming hospitals.

Achieved 52% improvement in HIPAA compliance methods and security measures within first eight months in position using FISMA methodologies

Information Technology Security Auditor

BBVA Compass Bank (now PNC Bank)

3060 Wilson Rd SW, Birmingham, AL 35221

11/2008 to 11/2010 40+ hr work week

Performed audits of telecommunications, financial systems, business continuity, DR, and infrastructure systems for all BBVA Compass Banks in the United States and Puerto Rico to ensure GRC and regulatory compliance. Compliance and security audits based upon FFIEC, ISO 27001, NIST SP 800-53r4 and other standards.

IT Security Consultant

Private

Alabama, Varied

09/2006 to 10/2008 40+ hr work week

Created network design and analysis in wired, wireless, and mixed environments; satellite communication setup for home and medium-sized businesses

Helped create long-term cyber security strategies for a subsidiary of Reynolds Aluminum

Acted as project manager, IT architect, and personnel manager for Complete Computer Systems, Inc.

Performed network design, implementation, analysis, and troubleshooting in both wired and wireless environments for homes, small businesses, and corporations

Set up secure Internet transmissions for doctors’ offices and companies such as Red Diamond, BCBS, and IRS

Set up satellite Internet systems for homes and small businesses

Performed cyber security audits according to NIST, Identity and Access Management (IAM), ISO 17799, DITSCAP and other venues for homes and small businesses such as BCBS Chattanooga

Well-versed in Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLB), HIPAA, SOX, and other governmental requirements

Minor cyber recovery work performed for two court cases

Instructor / Director / Chief Security Officer

Virginia College, 488 Palisades Blvd., Birmingham, Alabama 35209 205-***-****

03/1999 to 09/2006 40+ hr work week

Offered IT Director position within six months of hire

Tasked by CEO to open two brand new campuses; on ground in Jackson, MS, and online in Birmingham, AL; both empty shells to start; in black within first year.

Designed, implemented, and maintained all networks and phone systems from ground zero to turnkey

Set up and maintained coursework in management information systems (MIS) and cyber security to include supplies, logistics, and an advisory board. Interviewed, hired, and trained instructors

Performed interaction and produced reports with C-level personnel on projects, future programs, current and future needs for IT and security

Success of on-ground, out-of-state school resulted in IT Department President requesting my return to chair the main campus IT Department in 2000

ISO for main, and outlying campuses to include GRC compliance

Chief research and development (R&D) officer for course development, text selections

Instructor in project management, networking and cyber security

Accredited program development at Bachelor and Master degree levels in network security for on-ground and online formats

First school in area to develop biometrics, cyber security, and wireless courses

Introduced ground-breaking programs for the area and the state. School received Letter of Recommendation/Congratulations from Alabama Congressman Artur Davis for being leaders in the cyber security arena for the state, one year (minimum) ahead of competition

Master’s program attracted the attention of Computer Associates wishing to partner with the school. Received unofficial nod of approval from the (2005) Secret Service IT Director after a visit in D.C.

Partnership with Computer Associates resulted in opportunity to attend CA's security suite of classes: Access Control, Forensics, and Audit and Control Center, with private lessons and tutoring from the creator of SilentRunner (CA's forensic program)
