
Risk Management Information Security

Location:
St. Louis, MO
Salary:
80.00
Posted:
June 14, 2024


Resume:

Enterprise Security:

Vision, Strategy, and Programs:

Establishes the foundation for a secure environment through asset management, identity & access control, and security policy development.

Develops & implements information security strategies aligned with threat & vulnerability management, risk assessments, and configuration management.

Creates security artifacts and oversees the implementation of protective solutions.

Utilized AI-powered tools for vulnerability scanning and prioritization, streamlining the remediation process and improving overall security posture.

Leveraged machine learning algorithms to identify patterns and anomalies in network activity, enabling proactive threat detection and incident response.

Risk Management:

Develops and manages a comprehensive IT/Cyber Risk Management program.

Implements Disaster Recovery (DR), Business Continuity (BC), and Risk Management Framework (RMF) strategies.

Third Party Risk Management for vendors and business partners

Splunk for threat monitoring use cases and alerting, including conducting risk assessments on data sources for ingestion into root-cause determination.

Integrated Risk Management (IRM) with Security Incident and Event Management (SIEM)

Conducts DR testing, incident/event management, and oversees business resiliency efforts.

Performs information security risk assessments and provides mitigation recommendations.

Reviews and revises information security policies, standards, and best practices.

Handles cybersecurity incidents and investigations, maintaining chain of custody when needed to support framework requirements.

Conducts business impact analysis to understand potential security risks.

Consulting and Client Management:

Acts as a trusted advisor, consulting with clients and eliciting requirements.

Leads client consultations and requirement elicitation meetings.

Defines project scope and delivers solutions that address overall needs.

Manages cyber hygiene, ensuring ongoing security best practices.

Provides timely and accurate contractual documentation.

Delivers project status reports and maintains engagement status dashboards.

Serves as a Security Subject Matter Expert (SME) for clients and stakeholders

Developed and implemented comprehensive GRC programs, encompassing asset management, identity & access control, risk assessments, security policy development, and disaster recovery/business continuity plans. Led and managed IT/Cyber Risk Management, including threat & vulnerability management, mitigation strategy development, and incident/event response processes. Ensured regulatory compliance (e.g., NIST, NIS2, ISO 27001:2022/9001, GDPR, HIPAA) by mapping security controls to requirements, conducting gap analyses, and recommending corrective actions. Provided expert guidance on GRC matters, serving as a Security Subject Matter Expert (SME) for internal teams and external partners. Maintained strong governance practices through project management, contractual documentation, and clear communication with stakeholders.

Skill | # Years Used | Last Used
----- | ------------ | ---------
Cyber Security Risk Assessments, Audit and Remediation / ITIL with ITSM | 10+ | Present
Change Management / SDLC / Agile / SCRUM / JIRA | 7+ | Present
Cloud (AWS and Azure) | 5+ | Present
Exclusive: NIST 800-171 and CMMC, FedRAMP / ISO 27001 / Cyber Essentials | 6+ | Present
CSAM / RSA Archer / Logic Manager / Oracle ERM / XACTA / Splunk / LDRPS / O365 / Paragon / ServiceNow / SMART / Windows Defender | 10+ | Present
NIST SP 800-171, NIST SP 800-88, NIST SP 800-53, NIST SP 800-60, NIST SP 800-30, FISMA, FIPS 199/200/140-2 | 10+ | Present
Security Incident and Event Management (SIEM) / Cyber Kill Chain / OKTA | 10+ | Present
Governance, Risk and Compliance | 10+ | Present
Third Party Risk regulatory entities – FFIEC (Title X), ISO, Interpol, European Banking Authority / Artificial Intelligence (AI) | 2+ | 6/2018
IDS/IPS via internal and external checks for network NIST/DFARS/GDPR mandates / SAP HR Management | 10+ | Present
Risk Assessment and Management / Third Party Risk Management (TPRM) | 10+ | Present
Project Management | 10+ | Present
ISO 27001 Assessment (Stage 1 Audit: thorough documentation review, ensured adherence to ISO standards; Stage 2 Audit: verified the effectiveness of implemented controls, see SoA) | 5 years | Present

EXPERIENCE:

CMMC Cyber Security Remediation Consultant/CMMC Program/Project Manager

Oxford International / Cobham Satcom – USA & Denmark (remote) (3/2022-present)

Establish a comprehensive hierarchy driven NIST 800-171 compliance program aligned with DFARS requirements, encompassing technical controls, personnel objectives, and compliance processes.

Spearheaded the implementation of a preventative maintenance program for critical equipment used in satellite manufacturing, reducing downtime and associated production delays. Ensured regulatory compliance (e.g., NIST, NIS2, and ISO 27001:2022/9001) by mapping security controls to requirements, conducting gap analyses, and recommending corrective actions.

Assisted in identifying issues as a conflict with MS Windows Defender Exploit Guard to determine root cause for the Palo Alto Zero Day.

Optimized software license portfolio by negotiating renewals and identifying unused licenses, saving the company annually.

Identity and Access Management policy and procedure implementation.

Project Planning: Responsible for developing and overseeing CMMC compliance project plans, including defining scope, remediation timelines, budgets, and resource needs for NIST 800-171/CMMC compliance.

Risk Management: Identify and assess risks that may impact the CMMC certification process or the overall security posture protecting CUI and CTI.

ISO 27001 Stage 1 and Stage 2 assessment PoC via the Statement of Applicability

ITSM for all Configuration Management related changes and business activities. Logic Manager

Represent the IT CMMC implementation staff to Senior Management Team – Global.

Communication: Establish and maintain clear channels of communication between all stakeholders, including executive sponsors, project team members, auditors, and third-party vendors.

Compliance: Ensure that all activities associated with achieving CMMC certification are compliant with NIST, DFARS, FISMA, FedRAMP and other frameworks including NIST 800-53 Rev5.

Documentation: Create and update project documentation, including project plans, risk management plans, incident response plans, compliance reports, presentations, including policies, procedures, and other required artifacts.

Ensure the successful implementation of the NIST 800-171/CMMC standards enterprise wide by leading and coordinating all activities associated with the certification process based on CUI.

Review and develop System Security Plans (SSP) and Plans of Action and Milestones (POAM); confirm and update the SPRS score per the Defense Industrial Base.

Guidance for the Global company-governance security policies, risk management, supply chain risk management, identity and access management, awareness and training, protective technologies including host configuration and patching, anti-malware, network security, and other preventative controls, logging, log monitoring, security cameras, and other detection controls, incident response, and recovery.

Develop and execute security compliance assessment work plans to evaluate security controls.

Liaise with business and corporate functions to capture and facilitate inclusion of their security governance and regulatory requirements and responsibilities and communicate existing security governance processes and controls.

Ensure that solutions are designed and implemented accurately, make informed decisions on build vs buy and provide guidance by continuously learning and improving skills to adapt to changing technologies.

Maintain security training and awareness requirements, curriculum and content, and communications. Supporting client questionnaires and audit requests and managing database of responses. Promote phishing exercises

Cyber Security Implementation Remediation Consultant

Grant Thornton (GT) Inc. / BayouTech Advantages Remote - (3/2021-03/2022)

Responsibility was to make sure GT adheres to the NIST 800-171 standards and provide a scorecard for PiT status. Ensured regulatory compliance (e.g., NIST, GDPR, and HIPAA) by mapping security controls to requirements, conducting gap analyses, and recommending corrective actions.

ServiceNow-for CMDB, CI Mapping, Change Management, Dependency Mapping, Reporting and Analytics for ITSM domestic. TPRM Assessments working closely with the LISA.

Identity and Access Management policy and procedure implementation

ITSM for all Configuration Management related changes and business activities. ServiceNow was the tool and chief component.

JIRA used for project management and resource allocation.

RSA Archer admin responsible for maintaining the ISO and NIST 800-53 controls in use. Owner, responsible, and accountable parties were maintained, and responsibilities clarified via swim-lane sessions.

Create controls based on who, what, when, where and how as the premise for control compliance and maintenance in Aurora

Monitor Splunk reports and suggest actions based on daily reports (SEM).

Customize and tailor NIST controls in Archer for ownership (RACI), compliance and updating.

Create security policies Government and Public Sector based on CUI, CTI, FCI or other confidential data that is processed, stored, or transmitted based on NIST, DoD and DFARS requirements.

Participate on IT and Business stakeholder calls to guide end users through the control requirements detailed in our framework and the assessment process within the GRC solution.

CMMC compliance based on the output from Microsoft Office 365 and Compliance Manager, in addition to the Government Community Cloud (GCC) High on Azure Government to certify FedRAMP compliance.

Risk Assessments to attain gap analysis. Remediation is based on criticality and other factors.

Cyber Essentials certification and compliance for the United Kingdom and European Union

Essential that CUI is stored in Azure’s FedRAMP compliant section of their datacenter.

Prepare internal and external reporting. Facilitate and coordinate with system stakeholders on the preparation of comprehensive reporting for all necessary risk committees, boards, and other stakeholders.

Create, update, and enforce information security policy.

Support vulnerability management operations through documentation and reporting of findings to leadership.

Senior Cyber Security Remediation Lead Analyst/Project/Program Manager

EAGLE-PICHER Technologies LLC, St. Louis, MO (09/2018 to 03/2021)

Develop and implement a comprehensive NIST 800-171/CMMC security program that aligns with the DoD requirements and DFARS mandates.

ITSM for all Configuration Management related changes and business activities. ServiceNow was the tool and chief component. Ensured regulatory compliance (e.g., NIST, NIS2, and ISO 27001:2022/9001) by mapping security controls to requirements, conducting gap analyses, and recommending corrective actions. Cyber Essentials for compliance for Lockheed Martin UK.

FedRAMP compliance establishment for storage

Identity and Access Management policy and procedure implementation. TPRM Assessments working closely with the LISA.

Managerial: Promoted two IT team members to lead positions based on performance and potential. Increased employee engagement by implementing new team-building activities and recognition programs.

Developed and implemented corrective action plans to address security incidents and expectations.

ServiceNow for ticketing and notifications.

Developing and implementing policies and procedures to mitigate risks and vulnerabilities to the CUI and other sensitive information reporting directly to the CIO.

Managing the program's budget, resources, and schedules to ensure that all security requirements are met on time and within budget.

Provide regular reports to senior and executive management on the program's progress, compliance status, and any emerging threats or vulnerabilities. This would include but not be limited to POAM status, vendor agreements, flow-downs, etc.

Ensuring that all employees and contractors are trained and educated on the organization's security policies and procedures.

Collaborating with IT teams to ensure that all systems and applications are configured and maintained in compliance with NIST 800-171, DFARS/CMMC 2.0 security requirements.

Continuously monitoring and improving the program to ensure that it remains effective and aligned with the organization's goals and objectives. Responsible for Risk Assessments to attain gap analysis. Remediation is based on criticality and other factors.

Develop policies, plans and procedures IAW Defense Federal Acquisition Regulation Supplement (DFARS) 252-***-****, Safeguarding Covered Defense Information and Cyber Incident Reporting and Cyber Maturity Model Certification (CMMC).

Perform risk analysis and reporting on DFARS, NIST, RMF, and NISPOM compliance.

Audit information systems according to NIST SP 800-30, 800-171, CMMC and 800-53 and DFARS frameworks.

Assess requirements for compliance with government regulations and prepare documentation and policy requirements.

Recommend and develop mitigation to facilitate continued research despite exceptions from traditional security controls.

Review and develop System Security Plans (SSPs), POAMS as well as necessary supporting artifacts. Support incident response and remediation efforts.

Facilitate the Plan of Actions and Milestones (POA&M) program to ensure customer systems have accurately and fully provided information for POA&M activities to include valid remediation of findings.

Cyber Essentials certification and compliance for the United Kingdom and European Union.

Created user stories, and developed business processes in order to support the enforcement of safeguarding measures for CUI at alternate work sites to ensure sensitive data was secure and compliant with NIST 800-171.

Essential that CUI is stored in Azure’s FedRAMP compliant section of their datacenter (Workspace 1 / Bitglass).

The maintenance of all CMMC related System Security Plans (SSP) and other related and critical artifacts.

Assist with appropriate and necessary risk-related communications and training to risk stakeholders.

Lead the Defense Federal Acquisition Regulation Supplement (DFARS) compliance initiative re: incident management, security controls assessment (SCA), change and risk management. The output was self-attestation.

Initial DFARS / NIST 800-171 self-attestation under BayouTech Advantages

Cyber Security Remediation Operations Consultant

CAPGEMINI – (BENCH) (07/2018 to 08/2018)

Developed and coordinated Governance, Risk and Compliance program with client’s Cyber Security initiatives at the senior level. Responsible for working with senior managers and executive sponsors within client organizations to define, classify and mitigate vulnerabilities and assess client-specific and sector-specific business risks, meet GRC-defined mandates (e.g., GDPR, PCI, HIPAA, GLBA, FISMA, ISO 27k, etc.) and other security compliance directives.

Third Party Risk Manager/ Cyber Project Manager

CITI BANK /THE ASHLAR GROUP, MASTERCARD / KESHEV, MO (05/2017 to 06/2018)

Worked closely with Lead Information Security Assessor (LISA) to identify and assess third party risk, maintain Third Party Risk Management Policy, and oversee program initiatives.

Manage the ongoing third-party risk management for vendors’ program which includes an integrated risk-based approach for assessing and mitigating the risk of new and existing third parties/vendors for Europe, Asia, Africa, and Brazil.

ITSM for all Configuration Management related changes and business activities. ServiceNow was the tool and chief component.

Implementing and adhering to Binding Corporate Rules (BCR), its privacy policies (GDPR), standards and procedures in accordance with the country’s privacy/confidentiality laws, regulations and industry best practices and standards – ISO, PCI, GDPR, NIST, SOC 2. Ensured regulatory compliance (e.g., GDPR) by mapping security controls to requirements, conducting gap analyses, and recommending corrective actions.

Monitor and update third party risk management framework to respond and adhere to new and existing regulatory guidelines and initiatives that primarily were derived from GDPR, FFIEC or NIST.

Worked closely with the Quality Assurance team to coordinate and fulfill the third-party assessment questionnaires (TPAQ) with an emphasis on corrective action plans (CAP) for the Incident Management Log (IML).

Deputy Team Lead DR/Project Manager

FARMS SERVICES ADMINISTRATION / ZOLON TECH, Kansas City, MO (06/2016 to 04/2017)

Coordinate and help deliver third party risk education and training programs for the business units.

SMART: Developed automated workflows for incident response and risk assessment using SMART. This was the repository for maintaining all certification and accreditation artifacts.

Defined and implemented a roadmap of improvements within the guidelines and framework of NIST 800-53, 34, 84, FISMA and A-123 to the Business Resiliency/DR posture. Monitored, managed, and controlled the Contingency Plan environment using CSAM and SharePoint as the repositories. Ensured all service level agreements (SLAs) pertaining to business continuity and system recovery are met to provide consistent service to respective system functions.

ITSM for all Configuration Management related changes and business activities. CSAM was the tool and chief component.

Identity and Access Management policy and procedure implementation

Led efforts to effectively identify risks, partner to develop remediation approaches and controls, ensure remediation plans are executed and validated.

Managed a team of specialized employees (engineers, tech writer, security analysts and project manager).

Developed and implemented Site Recovery Manager to the USDA.

Resolved conflict and was the liaison between FSA, the Office of Management and Budget (OMB) and the contracting agent.

Global Information Systems Lead Analyst/Project Manager/Product Owner

CATERPILLAR-LANCESOFT, Peoria, IL (08/2014 to 06/2016)

Make certain that the most current version/image was stored in the AWS cloud. This image was used to recover the critical systems, tools, and appliances via Site Recovery Manager (SRM).

SAP Human Capital Management -Recovery and reconstitution.

RSA Archer Product Owner – managed the implementation from concept to delivery as well as the customization to meet the Cat requirements for disaster recovery, controls, and control compliance. Made sure the Cat needs were met from prioritized features, feedback, and communication with stakeholders.

Established VMware to automate the transfer of virtual machines to the AWS cloud. SRM, with the existing vSphere software, was used to operate as an extension of vCenter Server.

ITSM for all Configuration Management related changes and business activities. ServiceNow was the tool and chief component.

Facilitate and lead the process to manage, monitor and report global business operations risks. Provide for methods to perform various risk, compliance, and control assessment and self-assessment processes. Liaise with the risk and control owners on a regular basis. Assist with the development and improvement of management reporting.

Provided governance and guidance for all applications, infrastructure components, facilities, and resources with regards to disaster recovery. Responsible for coordinating and ensuring disaster recovery plans are developed accurately and maintained, leading small- and large-scale disaster recovery tests, managing DR documentation, and collecting and analyzing metrics that identify the performance of Business Resiliency. In addition, managed relationships with multiple infrastructure teams and lead/drive disaster recovery lifecycle activities with them.

ITSM – CMDB Project Management

BLUE CROSS BLUE SHIELD/BAYOU TECH ADVANTAGES, Baton Rouge, LA (09/2013 to 08/2014)

Implemented ServiceNow as the CMDB tool to support IT planning, security, compliance, and auditing. The CMDB bolsters the relationship between components of a system and tracks configurations based on configuration items (CI) and dependencies.

PM for data-center merger.

Agile CMDB implementation via ITSM, establishing the configuration management database. Scrum facilitator, breaking work down into manageable sprints.

Used Kanban to visualize the workflow and identify bottlenecks and reduce waste.

Senior Information Assurance Analyst/Cyber Security Analyst Consultant

Veterans Administration (VA) – Solutions Made Simple, Austin, TX (11/2011 to 08/2013)

Through MS Project kept stakeholders abreast via presentations; developed and updated C&A security artifacts such as security plans, contingency plans, risk assessments, privacy impact assessments, incident response plans, configuration management plans, configuration checklists, and interconnection security agreements. Ensured regulatory compliance (e.g., NIST, NIS2) by mapping security controls to requirements, conducting gap analyses, and recommending corrective actions.

Enterprise Management Framework (EMF) Product Owner – Managed the construction, implementation of EMF from concept to delivery as well as the customization to meet the OMB requirements for disaster recovery, controls, and control compliance. Made sure the EMF needs were met from prioritized features, feedback, and communication with stakeholders.

Identity and Access Management policy and procedure implementation

Adhered to the Software Development Life Cycle in attaining the ATO and ATC for various systems and their interdependencies.

Conducted audits on artifacts to ensure they meet all applicable FISMA, NIST, VA, and COCO criteria.

DHS-APEX-NASA STENNIS SPACE CENTER, MS (01/2011 to 08/2011)

Senior Certification and Accreditation Analyst/Security Analyst-G-12

ADAPTIVE SOLUTION, St. Louis University, MO (03/2010 to 06/2010)

QA Senior Security Analyst-Project Manager Consultant

RD – IMTAS/USDA, St. Louis, MO (04/2007 to 07/2009)

DR Team Lead/Project Manager

Hiring, onboarding, performance management, coaching, development, disciplinary action, and termination


EDUCATION:

Master of Business Administration, eBusiness, University of Phoenix

Bachelor of Science, Business Administration/Economics, Southern University of LA, Baton Rouge, LA

CERTIFICATIONS:

CBCP – Disaster Recovery International

CSP – Cyber Security Professional – VA

CISM - Pending

Sec-TIC CIU Technology

CRISC – Pending

Cloud Governance Principles – Cybrary
