Security Analyst Specialist

Gaithersburg, MD, 20877
July 14, 2021


Tariq Shah

Gaithersburg, MD 20882



10+ Years of Diverse, Successful IT Security/ Management Experience

Proficient in Technical Writing, Risk Assessment and Risk Mitigation

CISSP in progress

Solution-oriented and versatile systems security professional. Accomplished in auditing cyber security vulnerabilities in preparation for General Accounting Office and Office of the Inspector General compliance reviews. Authored and executed certification testing and evaluation methodology.


SP 800-61 Computer Security Incident Handling Guide

SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories

SP 800-53 Recommended Security Controls for Federal Information Systems

SP 800-53A Guide for Assessing the Security Controls in Federal Information Systems

SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems

SP 800-18 Guide for Developing Security Plans for Federal Information Systems

SP 800-30 Risk Management Guide for Information Technology Systems

SP 800-34 Contingency Planning Guide for Information Technology Systems



DataLock Consulting Group (GSA) – Washington D.C.

2019 - Present

Ensure system security measures comply with applicable government policies

Monitor configuration management changes and assess the impact of modifications and vulnerabilities for each system

Ensure that system security requirements are addressed throughout the project and system lifecycle

Ensure effective controls and processes are in place and working effectively to maintain a strong system security posture.

Perform vulnerability/risk assessment analyses to support Assessment & Authorization (A&A) activities

Develop, maintain, and facilitate the appropriate closure of POA&Ms and facilitate with the Agency-designated security Point of Contact (PoC)/ISSO any related remediation activities

FISMA Team Lead

KoAm/MindPoint Group (NTIS/DOC) – Alexandria, VA

2016 - 2018

Experienced in developing, executing, and analyzing manual security compliance tests; conducted security assessments and audits as well as non-technical analysis activities

Created an assessment questionnaire and checklist addressing the requirements of the NIST SP 800-53 Rev 4 security controls for each component of an application (OS, database, firewalls, switches, etc.).

Collaborated closely with data owners, information system owners, and users of information systems and networks.

Identified the appropriate level of recommended remediation to security anomalies or integrity loopholes such as system weaknesses or vulnerabilities.

Developed specifications to ensure risk, compliance, and assurance efforts conform with security, resilience, and dependability requirements at the software application, system, and/or network environment level

Direct client interaction experience: worked closely with clients to elicit assessment-related documents and implementation details, consulted on current issues, and reported on assessments and related findings.

Coordinated the mitigation of risks/issues discovered in the ST&E process, including Plan of Action and Milestone (POA&M) management; processed and analyzed information provided by a customer (e.g., system administrator, developer, security specialist), made determinations, and provided solutions.

In coordination with the Project Manager, defined security goals, tasks, scope, and deliverables; defined the plan of action and timelines; and reported the status of, and any issues encountered in, the execution of security activities.

Developed and delivered plans, assessments, reports, and briefings to NTIS Information Director to support the development of security policies, processes, and forums specific to reporting and handling security activities.

Experience with working tasks assigned in an enterprise ticketing system (ServiceNow)

Sr. Information Sys Analyst

Business Integra (FAA) – Washington D.C.


Assisted System Owners in developing Security Authorization packages that are fully compliant with NIST SP 800-37 guidelines.

Reviewed and updated the system security categorization and risk assessment for each system annually or upon significant change.

Evaluated the implementation of the security controls as required by NIST SP 800-53/53A. Prepared the Security Authorization packages using approved templates.

Conducted annual security controls effectiveness testing on a portion of the controls, documented findings, and advised on and monitored remediation efforts on all systems.

Conducted risk assessments on systems and the customer network, and documented them in accordance with NIST SP 800-30, Risk Management Guide for Information Technology Systems. Reviewed and updated, if necessary, risk assessments when significant changes occurred to the systems/network.

Certifying Agent

AceInfo Solutions/Syneren (NOAA) – Silver Spring, MD

2012 – 2013

Evaluated and assessed compliance with established information assurance policies and regulations.

Performed security assessments, reviewed documentation, and supported security analysts in a team of technically diverse personnel.

Conducted Privacy Impact Assessments (PIAs) of all Major, Minor, and GSS systems.

Ensured information systems maintained an appropriate operational security posture consistent with NOAA, working in close collaboration with information system owners.

Developed, and ensured compliance with, security policies, standards, and procedures.

Monitored information systems and operational environments; developed and updated security plans/requirements.

Coordinated security-related activities with the Information System Security Officers (ISSOs) and Information System Owners.

Sr. Security Analyst

ABK Solutions/G&B (NIOA/NIH) – Bethesda, MD


Evaluated and assessed compliance with established information assurance policies and regulations.

Performed security assessments, reviewed documentation, and supported security analysts in a team of technically diverse personnel.

Conducted and documented risk and threat assessments.

Made recommendations for implementing countermeasures, prepared the required documentation, and coordinated with the senior engineer.

Developed and provided test plans and vulnerability reports to a team of Security Analysts according to NIH, Federal, and other Information Assurance (IA) related requirements.

Provided technical vulnerability assessments of systems using NIST or other approved processes, including both automated vulnerability assessment tools (Nessus, NMap, AppDetective, WebInspect) and manual testing scripts.

Sr. Information Security Analyst

StrongBridge/ECS (GNMA/ HUD) – Fairfax, VA

2010 – 2011

Led the execution of IT (network, system, communication) security assessments and the data gathering, assembly, and submission of the C&A packages.

Certification Agent for C&A of MA and GSS; performed ST&E for MA and GSS; identified, reviewed, and documented ST&E artifacts for acceptance; completed ST&E Detailed Reports and Findings Reports.

Conducted data center assessments for all service contractors holding Ginnie Mae data (Bank of America, PNC Bank, LoanCare).

Reviewed phase one artifacts to ensure compliance with FISMA as well as HUD 2400.25, utilizing NIST SP 800-53 Rev 3.

Mapped findings from Nessus vulnerability scans to NIST SP 800-53 Rev 3.

Analyzed effectiveness of information security technical controls designed to mitigate vulnerabilities and threats in various system life cycle stages.

Provided guidance on security threats, technology, standards, and practices being applied in other government and commercial enterprises in order to evolve the client’s information security program to adapt to changing threats and technology advances.

Performed security reviews, evaluations, risk assessments, and monitoring on a regular basis to ensure security exceptions and violations are identified and addressed in a timely manner.

Information System Security Officer

Knowledge Consulting Group (TSA) – Reston, VA

2009 – 2010

Provided technical services in support of integrated security systems and solutions, including strategic design, Computer Security Incident Response Capability (CSIRC) support, FISMA management, Certification and Accreditation (C&A), security engineering, security architecture design, security awareness and training, protection of Personally Identifiable Information (PII), System of Records Notices (SORNs), and Privacy Impact Assessments (PIA).

Ensured that management, operational, and technical controls for securing customer IT systems were in place and followed.

Supported Certification and Accreditation activities by developing the overall System Security Document and the Information Systems Security Plan with the System and Data Owners.

Developed system-specific security safeguards and local operating procedures based on relevant guidelines and regulations (DHS 4300A, DHS 4300B, and NIST SPs).

Provided IT security consulting to system owners as to the other security documents (security incident reports, equipment/software inventories, operating instructions, technical vulnerability reports, contingency plans, etc.).

Facilitated and participated in certification and accreditation, compliance reviews, architecture reviews, training, plan of action and milestone resolution, requests for change, and reports on program status.

Assisted in the conduct of risk and vulnerability assessments of planned and installed information systems to identify vulnerabilities, risks, and protection needs.

Sent documented weekly reports to the Office of the CIO regarding attacks and vulnerabilities.

Participated in Change Control Board processes and ensured that changes met security specifications.

C&A Analyst

Indus Corp (IRS) – McLean, VA

2007 – 2009

Supported Certification/Accreditation for the implementation of Major Applications and General Support Systems for the IRS.

Analyzed information security systems; created security deliverables following National Institute of Standards & Technology Special Publication requirements.

Trained end users in safeguarding personally identifiable information.

Used MITS Cybersecurity to assess and conduct C&A packages.

Conducted and coordinated working sessions regarding the BSM, SSP, and ITCP at the IRS.

Created network security concepts and risk analyses; performed business continuity and disaster recovery planning (recovery plan, restoration activities).

Responsible for the ITCP (Contingency Planning) and appendices A through Z, as well as action items and working sessions.

Recertified several systems, completing at least 8 C&A packages annually.

Briefed clients regarding the ITCP, SSP, and SAR (Security Assessment Report).

Used NIST SP 800-34 as a guideline for the ITCP.

Coordinated with site system engineers to conduct Security Test and Evaluation (ST&E).

Developed and executed information assurance processes relating to certification and accreditation, system security engineering, system development, integration, and evaluation.

Served as liaison between team and various business units and government employees.


Windows 2003/08/NT, Mac OS X, UNIX, Linux, BackTrack 4, MS Word, MS Excel, MS PowerPoint, MS Visio, MS Access, DHCP, DNS

NMap/Zenmap, Nessus, ISS, DISA Gold, WebInspect, GFI Languard, Ethereal, Sniffer Pro, BackTrack, Nikto, Kismet, NetStumbler, Cain & Abel

MITS CyberSecurity, NIST SP 800 series, DCID 6/3, 8500.1, 8500.2, DHS 4300 series, HUD 2400


Risk Assessment

Information Assurance

Security Analysis

Risk Mitigation

Technical Writing

Technical Support


Leadership/Team Building

Task Analysis

Strategic Development

Problem Resolution

Administrative Process