Alexias E. Steverson
Phone: 202-***-****
Email: ***********@*******.***
Education
Bachelor of Science in Computer Information Systems (CIS) from Clark Atlanta University
Accreditations
CompTIA Security+ COMP001020619269
Years of Experience
10+ years
Technical Skills
Operating Systems: Windows 7, MS Windows 2000, MS Windows 2003 \ 2008 \ 2012 Server
Administration: MS Windows 2003 \ 2008 \ 2012 Server Active Directory, VMware 5.0, IIS Web Server, Verizon Cloud, Amazon Cloud, DOE Cloud
Software Packages: MS Office 2003 & 2007, Outlook 2003-2010, Adobe Acrobat Professional 5.0-10.0
Network Devices: Switches, Router, Hubs, Bridges, NICs, Cabling.
Network Architecture: LANs, WANs, Ethernet, Wireless LANs
Network Protocols: TCP/IP, IPX/SPX, PPP, SMTP, POP, HTTP, DNS, WINS, FTP
Hardware: Proficient at installation, integration, upgrade, troubleshooting and support of Dell servers, HP servers, Compaq servers.
EXPERIENCE SUMMARY
Senior Information System Security Engineer proficient in developing security authorization packages using National Institute of Standards and Technology (NIST) Publications 800-53A, 800-53, 800-60, 800-30, 800-37, 800-137, FIPS 199, FIPS 200, OMB A-130 Appendix III. Vast knowledge of Federal Information Processing Standards (FIPS), System Security Plans (SSP), Security Assessment Plans (SAP), Plan of Action & Milestones (POA&M), Risk Assessments (Impact Analysis), and Contingency Plans. Lead Tester and Assessor that utilizes Security Risk Management skills and various security assessment tools to perform audits and reviews for Security Compliance, FISMA, A-123, SSAE 16, and Assessment and Authorization “A&A” (previously C&A). Develop and deliver solutions for establishing security policies and procedures, evaluating enterprise IT security practices, implementing security controls, and identifying and mitigating security risks.
CURRENT AND RELEVANT WORK EXPERIENCE
The Soter Group LLC
Department of Homeland Security (DHS) – Ballston, VA
Senior Technical Advisory for Capacity Building November 2018 - Present
Develop technical Cyberstat workshop material in support of Capacity Building Sub-Division’s mission and authority. Develop a baseline of current Federal agency cybersecurity diagnostics and monitoring capabilities and include methods to integrate CDM tools and related Capacity Building Sub-Division activities with current Federal agency capabilities. Documented technical cybersecurity service guidance in support of the Capacity Building Sub-Division’s mission and authority across the Federal Civilian Enterprise, identify risks, and recommend strategies and expected action to mitigate/address risk, improve organizational readiness, and improve overall risk management, including support of the Federal Cyber Risk Administrator (FCRA) and agency-specific risk management plans and actions. Develop Services Support Plans targeted at closing cybersecurity technical gaps, addressing DHS cybersecurity program and service adoption, and promoting a holistic cybersecurity approach. Created an adaptive performance model using the NIST CSF to better understand and manage cybersecurity risk across the federal enterprise as appropriate to Capacity Building Sub-Division’s mission and authority and in support of efforts including, but not limited to: FISMA 2.0 revamp; Cyberstat. Outlined technical recommendation for DHS federal enterprise risk management cycle that leverages existing budget processes within agencies, OMB, and Congress to achieve identified cybersecurity outcomes.
The Soter Group LLC
Department of Treasury - Washington, DC
Senior Security Analyst July 2018 – November 2018
Developed and documented a plan for Treasury and supporting Bureau to identify, categorize and prioritize designated Treasury High Value Asset (HVA) pertaining to the OMB Policy M-17-09: Management of Federal High Value Assets, OMB M-19-03 Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program and DHS Binding Operational Directive (BOD) 18-02 Securing Federal High Value Assets. Developed and documented a plan to roll and assess HVA overlay controls for Treasury and supporting Bureaus. Provided recommendation to ACIO/CS on how the HVA overlay controls should be implemented in Treasury and supporting bureaus. Developed remediation plan and mitigation strategy to track all risk or vulnerabilities from DHS RVA or SAR, third-party or self-assessment. Developed and documented a post-assessment plan for third-party assessment. Conducted documentation reviews of DHS RVA/SAR assessment to identify weaknesses and provide an overall report of all findings to Treasury ACIO/CIS. Developed an HVA refresh data call for supporting bureaus to identify new HVA. Recommended additional criteria that should be added to HVA data call to assist in identifying designated Treasury HVA.
HUMANTOUCH, LLC
Securities and Exchange Commission (SEC) – Washington, DC
Lead SA&A Tester/ Assessor November 2015 – July 2018
Leads a team of penetration testers and vulnerability assessors; oversees penetration testing activities for the agency’s public facing website and critical information systems and components. Documents all findings in a Penetration Test Report (PTR), indicating possible risk or associated attack vectors and corrective actions to prevent a successful attack. Develops, reviews, and provides recommendations for security policies and procedures, as well as audit and compliance documentation. Support cybersecurity programs and projects, to include program initiatives, policy enforcement and IT cybersecurity awareness. Conduct system security evaluations, audits & reviews, and risk & vulnerability assessments for information systems to identify vulnerabilities and protection needs. Research and identify available technologies and standards to meet customer requirements; identify functional- and security-related features to find opportunities for new capability developments to exploit or mitigate cyberspace vulnerabilities. Review and update remediation of POA&Ms in the organization's Cyber Security Assessment and Management repository, Archer. Maintain a minor application assessment calendar to manage and track upcoming assessment schedules. Work with system administrators and conduct penetration testing to resolve POA&Ms, gathering artifacts and creating mitigation memos and corrective action plans to assist in the closure of the POA&Ms. Conduct NMAP scans on network-based, host-based, database, web, and source code. Identify vulnerability weakness and document the weakness as POA&Ms as part of the SA&A ATO package. Evaluate the implementation of information security controls for Federal Information Systems based on NIST 800-37 rev1, SP 800-53 rev4, FIPS 199, FIPS 200 and OMB A-130 Appendix III.
Manage vulnerabilities with the aid of Wireshark, Retina, Nessus Security Center and Qualys vulnerability scanners to detect potential risks on single or multiple assets across the enterprise network. Develop, review, and update all security documentation required to obtain system ATO, including providing support throughout the continuous monitoring phase.
HGS ENGINEERING
Department of Defense (DOD) – Fort McNair, DC
Deputy Cybersecurity Program Manager May 2015 – November 2015
Completed and maintained Interconnection Security Agreements (ISAs) for any connections outside of the USCIS network boundary. Completed and maintained any required Memorandum of Agreement/Understanding (MOA/MOU) or copies of these agreements applicable to a system. Ensured security controls were considered throughout system development. Ensured systems were properly patched and hardened according to USCIS/DHS requirements. Provided POA&M support to include technical evaluation and validation of corrective actions taken to satisfy risk mitigation plans for security weaknesses or reduce the risk to an acceptable level. Conducted security scans using Tenable to identify security weaknesses such as vulnerabilities, non-compliant configuration settings, missing or ineffective control implementations, audit findings, or other security issues identified for formal tracking of corrective actions. Conducted compliance audit scans using Nessus on all operational systems ensuring configuration setting compliance with federal baseline standards, DOE security baseline standards, and applicable industry best practices. Assisted in the development of audit configuration files to scan production environments at regular intervals in accordance with the DOE scan policy. Conducted ad hoc audits to identify specific settings found to be non-compliant. Documented audit findings in configuration audit or vulnerability management reports (POA&Ms). Reviewed Audit Logs on a weekly basis using Splunk and recorded the findings in an Audit Log Review Tracker.
FEDERATED IT
Department of Defense (DoD) Consolidated Adjudications Facility (CAF) – Fort Meade, MD
Senior Systems Administrator September 2013 – May 2015
Worked with Windows and UNIX network administration teams to complete vulnerability and patch management assessments and implementation releases. Recommended and provided approvals for network security policies, standards and protocols to prevent unauthorized use, modification and destruction of the organization information. Utilized Nessus Security Center 4 (SC4) vulnerability scanning tool to ensure compliance objectives were met while providing mitigation strategies and guidance for discovered vulnerabilities. Performed enterprise-wide vulnerability assessment on the VA systems and developed Plan of Action and Milestones (POA&M). Developed Security Assessment Reports (SAR) detailing the results of the assessment. Assisted ISSOs in reviewing and submitting artifacts to justify POA&M closures. Conducted quality assurance tests of hardware and software deployed on the network. Evaluated and recommended solutions to mitigate system vulnerabilities to reduce risk. Led the development of a technical solution by translating the business needs into technical requirements for a cloud environment. Identified gaps, strategic impacts, and risk in the technical solution and provided technical support within the cloud environment. Performed FedRAMP security control assessments for new cloud-ready applications.
FEDERATED IT
Department of Energy (DOE) – Washington, DC
Cyber Security Analyst May 2012 – May 2015
Interviewed staff in order to understand the processes used to measure and influence the performance of their information security program. Conducted technical interviews with personnel at NNSA Site Offices and Plants in regards to implementation of NIST 800-53 r4 controls. Conducted vulnerability assessments and scans using Tenable Nessus. Tracked project performance and critical path, created and maintained briefings and status reports to senior management. Assisted in developing policies for use of new technologies and upgrades to existing systems. Performed Nessus active vulnerability scans and compliance checks to validate the integrity of application and operating system configuration baselines. Evaluated and recommended solutions to mitigate system vulnerabilities to reduce risk. Developed a risk-based approach to security based on an analysis of threats and risks, cost and mission effectiveness, data sensitivity and organizational impact of loss or compromise. Performed strategic alignment of risk management decisions with critical missions and business functions consistent with organizational goals and objectives.
L3 TECHNOLOGIES
Department of Defense (DoD) – Baghdad, Iraq
Database Manager/System Administrator/Information Management Office November 2007 – May 2012
Conducted independent certification and accreditation assessments for new systems. Conducted vulnerability scanning against systems to determine technical vulnerabilities. Provided risk level determinations based on analysis of results and risks identified. Provided detailed vulnerability statements, risk statements, and associated NIST control recommendations. Ensured risks and vulnerabilities were effectively implemented in accordance with NIST control requirements. Provided high-level approaches and recommendations for mitigating identified risks. Developed a NIST common control library as the baseline for all information systems in operation.
BAE SYSTEMS
Defense Intelligence Agency (DIA) – Washington, DC
Senior Help Desk Systems Administrator October 2006 – November 2008
Initial point of contact within a 24/7 work environment, providing IT services for over 80,000 customers worldwide at the NE CONUS DoD IIS Customer Service Center for Top Secret, Secret, and Unclassified systems spanning over five different networks. Worked with Windows and UNIX network administration teams to complete vulnerability and patch management assessments and implementation releases. Recommended and provided approvals for network security policies, standards and protocols to prevent unauthorized use, modification and destruction of the organization information. Maintained diligent and accurate call records by providing problem reporting, tracking and resolution services to internal and external users and customers. Documented customer related problems via Siebel Action Request System for referral to appropriate support personnel when resolution was not possible at Tier 1. Analyzed recorded incidents to proactively resolve issues and provide standard solutions for use by service desk personnel and customers immediately or as follow-up. Proactively trained and assessed call center personnel on techniques, processes and procedures.
UNITED STATES NAVY
Washington, DC
Oracle Database Administrator and Tier 1 Systems Administrator July 2004 – October 2006
Developed security baseline controls and test plans to assess implemented security controls. Conducted security control assessments to validate the adequacy of management, operational, privacy, and technical security controls implemented. Developed detailed SARs with results of the assessment along with POA&M reports. Developed risk assessment reports that identified threats and vulnerabilities applicable to assigned systems. Provided administrative support to officers and enlisted personnel. Performed program management activities to include: support for multiple applications, network security, internal communications, programming, technical/administration support, and follow-up correspondence. Improved data entry process and quality control procedures that improved customer satisfaction throughout the Department of Defense. Wrote procedures used to standardize departmental operations and train personnel.
UNITED STATES NAVY
Washington, DC
COMSEC Equipment Specialist (EKMS) October 1999 – October 2006
Information systems consultant with the Navy, Marine Corps, Coast Guard, Air Force, and Department of Defense. Responsible for configuring, programming, and providing secure telephone and facsimile equipment to domestic and foreign field offices.
UNITED STATES NAVY
Manama, Bahrain
Red Switch System (Tech Control) Supervisor October 1997 – October 1999
Supervised and managed technical control center for telecommunication and communications media. Conducted day-to-day maintenance to prevent system outage or downtime. Performed assigned mission organizational level maintenance and repair of Intelligence Systems. Responsible for the configuration, maintenance, security, upgrade and operation of unclassified and classified fleet/shore circuits to include Domain Name Systems (DNS), Firewalls, Mail Servers, Cisco Routers and Switches.