LORI YE

Email: adhrm3@r.postjobfree.com Mobile: 646-***-****

EXECUTIVE SUMMARY:

Information Technology professional with more than 14 years of hands-on experience in information security, compliance, auditing, and risk management. Rare combination of a broad IT background, hands-on experience, and risk-based mindset. A refiner and executor focused on results and ready to help out wherever needed. Strong analytical and problem-solving skills with the ability to structure problems, evaluate options and make strategic recommendations. Excellent communication and collaboration skills with proven track record for working across all levels of an organization, in teams and as an individual contributor. Keen on providing excellent customer service and helping others. Resourceful, adept at multi-tasking, eager and quick learner, and hard-working. Self-motivated and details-oriented. CERTIFICATIONS:

• Certified Information Systems Security Professional (CISSP) since 2005

• GIAC Certified Incident Handler (GCIH) since 2017

• Certified Cloud Security Professional (CCSP) since 2017

• CISSP-ISSMP: Information Systems Security Management Professional since 2017

• GIAC Web Application Penetration Tester (GWAPT) since 2019

• GIAC Cloud Security Automation (GCSA) since 2020

• Certified Information Security Manager (CISM) 2014-2018

• Certified in Risk and Information Systems Control (CRISC) 2015-2018 EXPERIENCE:

Providence St. Joseph Health, Torrance, CA September 2018 – Present Principal IS Security Engineer, Security Operations

• Lead development of biomedical device security program.

• Lead and work on projects as assigned, such as firewall rule cleanup and FireMon deployment.

• Act as an escalation point for user requests and troubleshoot accordingly; design, implement, cleanup firewall rules.

• Windows 2003 remediation: analyze server traffic to identify lower-risk servers for which Internet access may be blocked.

• Regulations: HIPAA

• Technologies/Tools: Palo Alto Networks firewalls, Panorama; QRadar OSI Systems, Hawthorne, CA February 2017 – May 2018 Senior Manager, Information Security

• Led and managed implementation of fundamental security controls in development of security program. Worked with other leaders in IT group to formulate and implement solutions.

• Engineering:

o Provided security requirements for systems and various projects. Led engineer in developing requirements for security systems & tools.

o Architecture Reviews: Evaluated design of on-premises and cloud deployments and provide recommendations to ensure compliance with security policies and standards, as part of the release management process. o Performed risk assessments of existing security controls. Identified gaps and manage risk management method, including remediation, in conjunction with business unit.

• Operations:

o Vulnerability Management: Hands-on with vulnerability scanning and reporting. Oversaw onboarding of device and application scanning, vulnerability reporting & risk analysis, and development & implementation of risk treatment plans. Determined reporting process. Stakeholder and contributor to development of patch management process. o Incident response: Second-level responder: triaged security events and incidents centered around firewalls, user endpoints, servers, web applications, and email protection. Drove required corrective actions. Oversaw event handling and ensured security events were handled timely and appropriately. Established Security Incident Response Plan. Managed security incident response process. Heavy focus on investigations at network and application layers. o Formed Security Operations Center (SOC) Team. Oversaw training and act as second-level trainer. Set direction for processes and procedures.

o Managed the onboarding of Managed Security Service Provider (MSSP) for log monitoring. Liaised with MSSP contacts to tune log analysis.

• Governance:

o Vendor Management: Evaluated vendors for data confidentiality, integrity, availability, privacy, and cloud tenancy controls.

o Cloud Governance: Drafted security controls for AWS implementations. o Risk Register: Working with other teams, documented risks in a register, including threats to the business and risk treatment.

o Exception Management: Revised and facilitated the security exceptions/waiver submission process and acted as a review and approver.

o Security Awareness Training: Managed the deployment of an online training program. Coverage included data security, email hygiene, strong passwords, insider threat, and safer web browsing. o Reported metrics to CIO and rest of IT leadership team.

• Regulations/Frameworks/Standards: PCI, NIST 800-171, NIST 800-53

• Technologies/Tools: Qualys; SAML; AWS; M365; Azure; Fortigate UTM; FortiAnalyzer; Symantec Endpoint Protection (SEP) Motion Picture Industry Pension & Health Plans, Studio City, CA November 2015 – February 2017 Senior Manager, IT Security (Full-time)

• Working closely with IT operations and applications teams, business units, and vendors/partners, managed IT security projects, initiatives and issue resolution, including: controls & corrective action plan development and implementation; identification and protection of EPHI & other sensitive data; SFTP migration; access management & reviews; security monitoring, evaluation; deployment and maintenance of security tools.

• Developed security strategy and program based on business objectives & risk, best practices and regulatory requirements, including EPHI data protection requirements as part of HIPAA Security Rule. Components included an enterprise security architecture, privileged access management, breach detection capabilities, next-generation endpoint detection & response systems. Identified & communicated security and compliance risks, issues, initiatives, metrics, and corrective actions to other members of IT leadership, CIO, IT and business units.

• Implemented and drove risk management program, including performing NIST CyberSecurity Framework and HIPAA security risk assessments

• Vulnerability & Patch Management: Managed Qualys system, patched Windows systems. Provided biweekly vulnerability metrics.

• Managed IT Security systems. Assessed gaps, and researched, evaluated and recommended security solutions.

• Incident Response: Coordinated response to information security incidents by working with IT and business groups; triaged incidents, determined root cause of incidents, worked with stakeholders to develop and implemented correction actions; formulated incident response reports; escalated incidents where needed.

• Provided security awareness and training, including frequent training for IT staff and threat of the insider to MPI.

• Provided leadership, mentoring, support and training to Security team (2 engineers). Led engineers in developing requirements for security systems & tools.

• Regulations/Frameworks: HIPAA, NIST, ITIL

• Technologies/Tools: CyberArk; Cisco ASA with FirePOWER; Imperva WAF; Splunk (POC); SecureAuth; Qualys, BeyondTrust Retina; Varonis; CrowdStrike Falcon; ForcePoint (WebSense) web gateway; Symantec Endpoint Protection (SEP); Cisco AnyConnect; SecureAuth MFA

AT&T/DIRECTV, El Segundo, CA

Principal Analyst, Security (Full-time) August 2015 – October 2015 Engineer, IT Security (contract with Kforce, Inc.) October 2014 – August 2015

• Designed and implemented process to identify sensitive data stored and transmitted in DIRECTV systems. Wrote an interim tool to discover data in Perl. Worked closely with various stakeholders to analyze, classify and document data elements and data flows. Implemented data classification policy. Assessed compliance with security controls and identified risks. Hands-on analysis of database access rights and audit logs.

• Working with IT and business units, managed and coordinated the investigation of compliance and security risks & issues to ensure data protection policies were integrated with business processes.

• Performed internal risk assessments. Developed, tracked and facilitated execution of remediation plans. Analyzed and documented compliance exceptions through risk documentation & waiver process, including risk, compensating controls and remediation steps.

• Working in cross-functional project teams and as a stakeholder in the systems development life cycle, analyzed project requirements and architecture designs, identified and assessed risks, determined and communicated required PCI & private data controls, recommended solutions to mitigate risks, and reported issues to management

• Performed third-party vendor risk assessments with respect to their information security policies and procedures, and documented gaps and issues.

• Regulations/Frameworks: PCI, SOX, SSAE 16

• Technology Types: Governance, risk and compliance (GRC); structured data classification Sheppard Mullin Richter & Hampton LLP, Los Angeles, CA March 2014 – September 2014 Systems Security Engineer (Full-time)

• Managed vulnerability assessments and remediation: identified, analyzed, tracked, and monitored threats and vulnerabilities; worked with IT teams to ensure systems are compliant with security policies, to remediate vulnerabilities and perform patch management; reduced number of vulnerabilities by more than 65% in 3 months

• Identified, evaluated and communicated state of security controls and control deficiencies as per regulatory and client requirements and best practices. Performed HIPAA risk assessment to evaluate compliance with the Security Rule and determined risk treatment options. Responded to client audits regarding compliance with their security controls.

• Researched, evaluated/compared and recommended new security solutions to respond to security risks. Worked with vendors to perform POCs and implement security systems.

• Technologies/Tools: Rapid7; CyberArk; Symantec DLP; LogRhythm

• Regulations/Frameworks: HIPAA, NIST 800-30

Advancive Technology Solutions, Los Angeles, CA (now part of Optiv) Manager/Solutions Architect (Full-time) January 2013 – March 2014 Senior Engineer (Full-time) December 2010 – December 2012

• Managed projects to design and execute enterprise-wide identity governance and administration (IGA) software implementations on-time, on-budget, and from start-to-finish, while working closely with various stakeholders. Tasks included: gathering business and technical requirements from stakeholders; designing highly-customized solutions; coordinating with client project teams to execute design; testing; training end-users; documenting design and operations guides; triage. Was hands-on throughout engagements. Managed small teams of 2 people.

• Developed Perl scripts to compare production firewall policies to enterprise standard policies and massage data files from various data sources. Developed ETL workflows to sanitize and standardize data.

• Recommended security policies, standards, guidelines, and practices to implement security & access controls

• Mentored and trained engineers; screened job candidates

• Technologies/Tools: Aveksa (sold to RSA); SiteMinder; SQL query tools Ernst & Young, Shrewsbury, NJ March – October 2010 IT Auditor (contract with Computech Resources International, Inc.)

• Centers for Medicare and Medicaid Services (CMS) Fiscal Year 2010 CFO Audit: Managed 3 contractor site audits and performed IT general control reviews at CMS Headquarters and contractor sites. Summary of pre-2010 experience:

Brown Brothers Harriman & Co., Senior Analyst, Information Security Assurance 2007-2009 Ernst & Young, Senior Consultant, Security & Technology Solutions 2004-2007 Lockheed Martin, Database Administrator 2003-2004

University of Pennsylvania Law School, System Administrator 2002-2003 EDUCATION:

University of Pennsylvania, School of Engineering and Applied Science Bachelor of Applied Science, Computer Science, December 2001 New York University, Leonard N. Stern School of Business Master of Business Administration, January 2010

U.S. Citizen

Contact this candidate