OBJECTIVE:
I am an experienced, dynamic, result-driven, and detail-oriented Information Security and Compliance Analyst in cybersecurity management, compliance, and assessment and authorization, with over 7 years' experience in information systems control assessment following the Risk Management Framework (RMF), cybersecurity assessment and compliance, and audits such as PCI-DSS, ISO 27001 and SOC. I have experience analyzing vulnerability scans using automated tools (Tenable Nessus), creating POA&Ms and ensuring that all necessary requirements for security operations are adequately documented and addressed.
CORE COMPETENCIES AND TECHNICAL PROFICIENCIES
NIST
Conduct the Assessment and Authorization (A&A) process for operational information systems and guide System Owners and ISSOs through the A&A process, ensuring that management, operational and technical controls for securing either sensitive security systems or IT systems are in place and are followed according to federal guidelines (NIST SP 800-53).
PCI-DSS
Project managed the audit process to acquire PCI-DSS certification by assessing data security control methods to ensure they meet the requirements to directly store and process cardholder data. Prepared PCI validation assessment documentation and annexes.
ISO 27001
ISO 27001 audit preparation, such as preparing and creating ISO 27001 certification document requirements (Statement of Applicability (SoA)) and multisite variance documentation.
Professional Experience
Security and Compliance Analyst
Teleperformance USA
September 2020 – Present
Lead the security and compliance team in performing the annual external audit and facilitate client and third-party assessments and certification against PCI-DSS, ISO 27001, SOC and HITRUST.
Develop, update, and/or review RMF documentation to include Security Plans, Implementation Plans, Plans of Action and Milestones (POA&Ms), and Risk Assessment Reports
Work with engineering/architectural teams to assist with privacy assurance protocols.
Design and establish configuration management documentation. Review new security solution designs and specifications to validate they are ready for the existing security operations environment.
Collaborate with various teams in the organization to gather, organize and provide evidence for external audit purposes.
Perform technical liaison in support of NIST SP 800-53 Security and Privacy Controls for Federal Information Systems.
Serve as lead project manager for the organization’s external audit for ISO/PCI/SOC/HITRUST certification.
Work with the CISO and security team to oversee and promote security controls and oversight during RFP stages for potential clients.
Perform due diligence and answer security assessment questionnaires for existing and potential clients.
Assist the security and audit teams in evaluating and improving the organization’s existing processes and procedure documentation and practices.
Ensure organization business processes, IT and operations align with client requirements and external standards such as PCI DSS, SOC, ISO, HIPAA and HITRUST.
Collaborate on periodic internal and external audits and prepare reports and presentations on compliance-related topics.
Provide security awareness guidance on regulatory issues, company policies and procedures (e.g., phishing, anti-bribery, Code of Ethics, clean desk policy and handling of PII and PHI).
Information Security Analyst
Nationwide IT Services, Fairfax, VA
September 2018 – July 2020
Duties included:
Supported the security standards and requirements relevant to the NIST Risk Management Framework (RMF).
Documented and reviewed security plans (SP), contingency plans (CP), privacy impact assessments (PIA), and risk assessment (RA) documents per NIST SP 800 guidelines.
Performed data gathering techniques (e.g., questionnaires, interviews, and document reviews) and reviewed logs for audits in preparation for assembling C&A/A&A packages.
Worked with the Certification and Accreditation team to update the System Security Plan (SSP) and Plan of Action and Milestones (POA&M).
Performed continuous monitoring of system activities to help maintain ongoing security assessment and the effectiveness of selected security controls.
Developed and implemented relevant security policies and procedures required by assessment and authorization activities.
Oversaw the system's information security posture in the application and sustainment of the security controls.
Supported the client in creating memos for POA&Ms past their scheduled completion date (SCD).
Conducted assessment of controls on information systems by interview, examine, and test methods using NIST SP 800-53A as a guide.
Supported the client in creating SOPs (Standard Operating Procedures) as part of POA&M remediation.
Developed NIST-compliant vulnerability assessments, technical documentation, and Plans of Action and Milestones (POA&M), and addressed system weaknesses.
Documented and reviewed the system security plan (SSP), security assessment report (SAR), and plan of action and milestones (POA&M).
Information Systems Security Analyst
Digital Global Connectors, Washington, DC
July 2017 – June 2018
Duties included:
Worked with the Certification and Accreditation team; performed risk assessments; updated the System Security Plan (SSP), Contingency Plan (CP), Privacy Impact Assessment (PIA), and Plan of Action and Milestones (POA&M).
Performed data gathering techniques (e.g., questionnaires, interviews, and document reviews) in preparation for assembling C&A/A&A packages.
Updated the Plan of Action & Milestones (POA&M) and Risk Assessment based on findings assessed through monthly updates.
Conducted assessment of controls on information systems by interview, examine, and test methods using NIST SP 800-53A as a guide.
Created, updated, and reviewed System Security Plans using NIST SP 800-18, Contingency Plans using NIST SP 800-34, and Incident Reports using NIST SP 800-61.
Provided guidance and training to the system owner and ISSO on the validation process.
Performed security categorization (FIPS 199), and reviewed and ensured that the privacy impact assessment (PIA) document was created after a positive PTA.
Documented and finalized the Security Assessment Report (SAR) and communicated the consolidated risk management activities and deliverables calendar.
Assisted in conducting the Security Control Assessment (SCA) kick-off meeting and populated the Requirements Traceability Matrix (RTM) according to NIST SP 800-53A.
Developed and conducted ST&E (Security Test and Evaluation) according to NIST SP 800-53A and performed on-site security testing using vulnerability scanning tools such as Nessus.
Risk and Compliance Analyst
CVS Health Systems, Annapolis, MD
September 2015 – May 2017
Duties included:
Ensured the management and protection of patient health data for clients and customers.
Managed Protected Health Information in accordance with HIPAA.
Conducted control risk assessments and reviewed the company's policies, standards, procedures, and guidelines.
Helped with staff education and training on HIPAA and ePHI.
Prepared and reviewed HIPAA security compliance reports and audit findings, and tracked remediation activities to ensure corrective actions were planned and properly implemented.
Reviewed technical controls and provided implementation responses to ensure the system currently met the necessary regulatory requirements.
Reviewed technical, operational and management security controls and provided implementation responses as to if/how the systems currently met the requirements.
EDUCATION
Bachelor of Science (B.S.), Cybersecurity Management and Policy - University of Maryland Global Campus
Associate Degree in Cyber Security – Montgomery College, Germantown, MD
Bachelor of Arts, Communications and Media Studies - University of Ghana – GIJ, Ghana
CERTIFICATIONS AND TRAINING
CompTIA Security+
Certified Information Security Manager (CISM) – In progress
Securing the Cloud: Mastering FedRAMP Authorization Boundaries
Auditing Serverless Architecture on AWS
Vendor Risk Management Summit
Compliance in the Cloud: FedRAMP and StateRAMP Updates
The New Realities of Managing Cyber Risk
Understanding the Intersection of ESG & Cybersecurity
PCI DSS Version 4 system transitioning and updates
Technical Skills:
Software: MS Office (Word, Excel, Outlook, Access, PowerPoint), Microsoft Office 2010/2013, Splunk
Frameworks and Tools: Assured Compliance Assessment Solution (ACAS), RMF, FISMA, FedRAMP, NIST SP 800-53, NIST SP 800-37
Security Technologies: network security scanners, Nessus vulnerability scanning, IDS/IPS
Operating Systems: Unix-Based Systems (Linux); Windows
Networking: LANs, VPNs, Routers, Firewalls, TCP/IP
Ticketing: ServiceNow and Service Desk ticketing systems
REFERENCES: Available upon request