Tariq Shah
Gaithersburg, MD 20882
adnqi1@r.postjobfree.com
INFORMATION TECHNOLOGY SECURITY PROFESSIONAL
10+ Years of Diverse, Successful IT Security/Management Experience
Proficient in Technical Writing, Risk Assessment and Risk Mitigation
CISSP in progress
Solution-oriented and versatile systems security professional. Accomplished in pre-General Accounting Office and pre-Office of the Inspector General compliance-review cybersecurity vulnerability auditing. Authored and executed certification testing and evaluation methodology.
TECHNICAL KNOWLEDGE
SP 800-61 Computer Security Incident Handling Guide
SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
SP 800-53 Recommended Security Controls for Federal Information Systems
SP 800-53A Guide for Assessing the Security Controls in Federal Information Systems
SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems
SP 800-18 Guide for Developing Security Plans for Federal Information Systems
SP 800-30 Risk Management Guide for Information Technology Systems
SP 800-34 Contingency Planning Guide for Information Technology Systems
PROFESSIONAL EXPERIENCE
ISSO
DataLock Consulting Group (GSA) – Washington, D.C.
2019 - Present
Ensure system security measures comply with applicable government policies
Monitor configuration management changes and assess the impact of modifications and vulnerabilities for each system
Ensure that system security requirements are addressed throughout the project and system lifecycle
Ensure effective controls and processes are in place and working effectively to maintain a strong system security posture.
Perform vulnerability/risk assessment analyses to support Assessment & Authorization (A&A) activities
Develop, maintain, and facilitate the appropriate closure of POA&Ms and facilitate with the Agency-designated security Point of Contact (PoC)/ISSO any related remediation activities
FISMA Team Lead
KoAm/MindPoint Group (NTIS/DOC) – Alexandria, VA
2016 - 2018
Experienced in developing, executing, and analyzing manual security compliance tests; conducted security assessments and audits as well as non-technical analysis activities
Created assessment questionnaires and checklists addressing the requirements of the NIST SP 800-53 Rev 4 security controls for each component of an application (OS, database, firewalls, switches, etc.)
Collaborated closely with data owners, information system owners, and users of information systems and networks.
Identified the appropriate level of recommended remediation to security anomalies or integrity loopholes such as system weaknesses or vulnerabilities.
Developed specifications to ensure risk, compliance, and assurance efforts conform with security, resilience, and dependability requirements at the software application, system, and/or network environment level
Direct client interaction experience; working closely with clients to elicit assessment related documents and implementation, and consulting on current issues; reporting on assessment and related findings
Coordinated the mitigation of risks/issues discovered in the ST&E process, including Plan of Action and Milestone (POA&M) management; processed and analyzed information provided by a customer (e.g., system administrator, developer, security specialist), made determinations, and provided solutions.
In coordination with the Project Manager, defined security goals, tasks, scope, and deliverables; defined plans of action and timelines; and reported the status of, and any issues encountered in, the execution of security activities
Developed and delivered plans, assessments, reports, and briefings to NTIS Information Director to support the development of security policies, processes, and forums specific to reporting and handling security activities.
Experience working tasks assigned in an enterprise ticketing system (ServiceNow)
Sr. Information Sys Analyst
Business Integra (FAA) – Washington, D.C.
2015
Assisted System Owners in developing Security Authorization packages that are fully compliant with NIST SP 800-37 guidelines.
Reviewed and updated the system security categorization and risk assessment for each system annually or upon significant change.
Evaluated the implementation of the security controls as required by NIST SP 800-53/53A. Prepared the Security Authorization packages using approved templates.
Conducted annual security control effectiveness testing on a portion of the controls, documented findings, and advised on and monitored remediation efforts on all systems.
Conducted risk assessments on systems and the customer network, and documented them in accordance with NIST SP 800-30, Risk Management Guide for Information Technology Systems. Reviewed and updated, as necessary, risk assessments when significant changes occurred to the systems/network.
Certifying Agent
AceInfo Solutions/Syneren (NOAA) – Silver Spring, MD
2012 – 2013
Evaluated and assessed compliance with established information assurance policies and regulations.
Performed security assessments, reviewed documentation, and supported security analysts in a team of technically diverse personnel.
Conducted Privacy Impact Assessments (PIAs) of all Major, Minor, and GSS systems
Ensured information systems maintained an appropriate operational security posture consistent with NOAA policy, working in close collaboration with information system owners
Developed and ensured compliance with security policies, standards, and procedures
Monitored information systems and operational environments; developed and updated security plans/requirements
Coordinated security-related activities with Information System Security Officers (ISSOs) and Information System Owners
Sr. Security Analyst
ABK Solutions/G&B (NIOA/NIH) – Bethesda, MD
2011
Evaluated and assessed compliance with established information assurance policies and regulations.
Performed security assessments, reviewed documentation, and supported security analysts in a team of technically diverse personnel.
Conducted and documented risk and threat assessments.
Made recommendations for implementing countermeasures, prepared the required documentation, and coordinated with the senior engineer.
Developed and provided test plans and vulnerability reports to a team of Security Analysts according to NIH, Federal, and other Information Assurance (IA) related requirements.
Provided technical vulnerability assessment of systems using NIST or other approved processes, including both automated vulnerability assessment tools (Nessus, NMap, AppDetective, WebInspect) and manual testing scripts.
Sr. Information Security Analyst
StrongBridge/ECS (GNMA/HUD) – Fairfax, VA
2010 – 2011
Led the execution of IT (network, system, communication) security assessments and the data gathering, assembly, and submission of the C&A packages.
Certification Agent for C&A of MAs and GSSs; performed ST&E for MAs and GSSs; identified, reviewed, and documented ST&E artifacts for acceptance; completed ST&E Detailed Reports and Findings Reports.
Conducted data center assessments for all service contractors holding Ginnie Mae data (Bank of America, PNC Bank, LoanCare).
Reviewed phase one artifacts to ensure compliance with FISMA as well as HUD 2400.25, utilized NIST SP 800-53 rev 3
Mapped findings from Nessus vulnerability scans to NIST SP 800-53 rev 3.
Analyzed effectiveness of information security technical controls designed to mitigate vulnerabilities and threats in various system life cycle stages.
Provided guidance on security threats, technology, standards, and practices being applied in other government and commercial enterprises in order to evolve the client’s information security program to adapt to changing threats and technology advances.
Performed security reviews, evaluations, risk assessments, and monitoring on a regular basis to ensure security exceptions and violations are identified and addressed in a timely manner.
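The Nessus-to-800-53 mapping listed above is a routine assessor task that is easy to under-specify. The script below is an added example written for this page, not the author's or any employer's tooling: it parses a constructed `.nessus` v2 excerpt (the `NessusClientData_v2` / `ReportHost` / `ReportItem` layout Nessus actually exports; the hosts, plugin IDs and plugin names are made up), drops informational severity-0 items, and groups the actionable findings under rev 3 control IDs. The family-to-control table is an assumption, one defensible starting point rather than an official crosswalk.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed .nessus v2 excerpt for this example. Hosts, plugin IDs (9000xx)
# and plugin names are invented and do not correspond to real Nessus plugins.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="sample-scan">
    <ReportHost name="10.0.0.5">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="Deprecated TLS Version Enabled"
                  pluginFamily="Service detection">
        <risk_factor>High</risk_factor>
        <solution>Disable the deprecated protocol versions.</solution>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="900002" pluginName="SSH Server Type and Version"
                  pluginFamily="Service detection">
        <risk_factor>None</risk_factor>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="900003" pluginName="Missing OS Security Update"
                  pluginFamily="Windows : Microsoft Bulletins">
        <risk_factor>Critical</risk_factor>
        <solution>Apply the vendor patch.</solution>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="23" svc_name="telnet" protocol="tcp" severity="2"
                  pluginID="900004" pluginName="Default Credentials Accepted"
                  pluginFamily="Default Unix Accounts">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Assumed mapping of Nessus plugin families to SP 800-53 rev 3 control IDs.
# Which control a finding is tracked under is an assessor's judgment; this
# table is an illustrative starting point, not an official crosswalk.
FAMILY_TO_CONTROLS = {
    "Windows : Microsoft Bulletins": ("SI-2",),    # Flaw Remediation
    "Default Unix Accounts": ("IA-5", "AC-2"),     # Authenticator / Account Management
    "Service detection": ("CM-7",),                # Least Functionality
    "Policy Compliance": ("CM-6",),                # Configuration Settings
}
DEFAULT_CONTROLS = ("RA-5",)  # every actionable scan finding is also an RA-5 artifact


def parse_nessus(xml_text):
    """Flatten a .nessus v2 document into one dict per ReportItem."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "severity": int(item.get("severity")),   # 0 = info, 4 = critical
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "family": item.get("pluginFamily"),
                "solution": item.findtext("solution", default=""),
            })
    return findings


def map_controls(finding):
    """Return the rev 3 control IDs a finding should be tracked under."""
    controls = list(FAMILY_TO_CONTROLS.get(finding["family"], ()))
    name = finding["plugin_name"]
    if "TLS" in name or "SSL" in name:
        controls.append("SC-13")  # Use of Cryptography (rev 3 title)
    controls.extend(DEFAULT_CONTROLS)
    return tuple(dict.fromkeys(controls))  # de-duplicate, keep order


def build_poam(xml_text, min_severity=1):
    """Group actionable findings by control; severity 0 is informational and skipped."""
    poam = defaultdict(list)
    for f in parse_nessus(xml_text):
        if f["severity"] < min_severity:
            continue
        f["controls"] = map_controls(f)
        for c in f["controls"]:
            poam[c].append(f)
    return dict(poam)


if __name__ == "__main__":
    for control, items in sorted(build_poam(SAMPLE_NESSUS).items()):
        print(control)
        for f in sorted(items, key=lambda x: -x["severity"]):
            print(f"  sev{f['severity']} {f['host']}:{f['port']} {f['plugin_name']}")
```

Two design choices matter in practice: severity-0 plugins are inventory, not weaknesses, so they are filtered before anything reaches the POA&M, and one finding may legitimately land under several controls (a deprecated-TLS finding is both a least-functionality and a cryptography weakness), which is why the mapping returns a tuple rather than a single ID.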
Information System Security Officer
Knowledge Consulting Group (TSA) – Reston, VA
2009 – 2010
Provided technical services for the support of integrated security systems and solutions, including strategic design, Computer Security Incident Response Capability (CSIRC) support, FISMA management, Certification and Accreditation (C&A), security engineering, security architecture design, security awareness and training, protection of Personally Identifiable Information (PII), System of Records Notices (SORNs), and Privacy Impact Assessments (PIAs)
Ensured that management, operational and technical controls for securing customer IT systems are in place and followed
Supported Certification and Accreditation activities by developing the overall System Security Document and the Information Systems Security Plan with the System and Data Owners
Developed system-specific security safeguards and local operating procedures based on relevant guidelines and regulations (DHS 4300A, DHS 4300B, and NIST SPs)
Provided IT security consulting to system owners as to the other security documents (security incident reports, equipment/software inventories, operating instructions, technical vulnerability reports, contingency plans, etc.).
Facilitated and participated in certification & accreditation, compliance reviews, architecture reviews, training, plan of action & milestone resolution, request for change and reports on program status.
Assisted in the conduct of risk and vulnerability assessments of planned and installed information systems to identify vulnerabilities, risks, and protection needs.
Sent documented weekly reports to the Office of the CIO regarding attacks and vulnerabilities.
Participated in Change Control Board processes and ensured that changes met security specifications.
C&A Analyst
Indus Corp (IRS) – McLean, VA
2007 – 2009
Supported Certification/Accreditation for implementation of Major Applications and General Support Systems for the IRS
Analyzed information security systems; created security deliverables following National Institute of Standards & Technology Special Publication requirements.
Trained end users in safeguarding personal identifiable information.
Used MITS Cybersecurity to assess and conduct C&A packages.
Conducted and coordinated working sessions regarding the BSM, SSP and ITCP at the IRS.
Created network security concepts and risk analyses; performed business continuity and disaster recovery planning (recovery plans, restoration activities).
Responsible for ITCP (Contingency Planning) and appendices A through Z, action items as well as working sessions.
Recertified several systems, on track to complete at least 8 C&A packages annually
Briefed clients regarding the ITCP, SSP, and SAR (Security Assessment Report).
Used NIST SP 800-34 as a guideline for the ITCP.
Coordinated with site system engineers to conduct Security Test and Evaluation (ST&E).
Developed and executed information assurance processes relating to: certification and accreditation, system security engineering, system development, integration, and evaluation.
Served as liaison between team and various business units and government employees.
TECHNICAL SKILLS
Windows NT/2003/2008, Mac OS X, UNIX, Linux, BackTrack 4, MS Word, MS Excel, MS PowerPoint, MS Visio, MS Access, DHCP, DNS
NMap/Zenmap, Nessus, ISS, DISA Gold, WebInspect, GFI Languard, Ethereal, Sniffer Pro, BackTrack, Nikto, Kismet, NetStumbler, Cain & Abel
MITS CyberSecurity, NIST SP 800 series, DCID 6/3, 8500.1, 8500.2, DHS 4300 series, HUD 2400
KEY COMPETENCIES
Risk Assessment
Information Assurance
Security Analysis
Risk Mitigation
Technical Writing
Technical Support
Motivation/Training
Leadership/Team Building
Task Analysis
Strategic Development
Problem Resolution
Administrative Process