Zena Angesom
Summary
A detail-oriented and delivery-driven professional with over 5 years of experience in Information Security, with a focus on the Federal Information Security Management Act (FISMA), the NIST Cyber Security Risk Management Framework (RMF), system security monitoring and auditing, risk assessments, Security Control Assessment (SCA), and developing security policies and procedures according to NIST standards and guidelines. Practical understanding and application of the NIST Risk Management Framework.
•In-depth knowledge of NIST Special Publications such as NIST SP 800-53 rev3 and rev4, NIST SP 800-37, NIST SP 800-137, NIST SP 800-18, NIST SP 800-53A and NIST SP 800-34, with a superior capacity to solve complex problems.
•I work independently and with teams on large-scale projects and thrive under pressure in fast-paced environments while directing multiple projects from concept to implementation.
•Experience developing policies and procedures based on the respective NIST publications.
•Monitor the system for vulnerabilities and threats
Clearance
•Active Secret clearance
Technical Skill and Tools
Operating Systems:
Windows 95/98/NT/2000 and
Tools Utilized:
•ACAS/Nessus, Microsoft Office Suite (Word, Excel, PowerPoint, Outlook, Visio),
Enterprise Mission Assurance Support Service (eMASS)
Documents:
•POA&M, CP, BIA, SAP, SAR, SSP, etc.
Education and Certification
•Master of Business Administration (MBA), Southern New Hampshire University, Manchester, NH, U.S.A.
•Master of Science in Community Economic Development, Southern New Hampshire University, Manchester, NH, U.S.A.
•Bachelor of Science, Major in Economics, Minor in Statistics, Umea University, Umea, Sweden.
•Security+ certification (CompTIA)
•Certified Ethical Hacker (EC-Council)
Work Experience
SMS Data Product May 2022-Present
Information Assurance Security Specialist
•Security control validation
•Develop RMF A&A package documentation required for ATO submission
•POA&M process and validation
•Process Minor Request Modifications
•Prepare Security Control Assessor Memorandum for Inter-Service Agreement and Interim Authority to Test
•Prepare Authority to Operate Memorandum for Inter-Service Agreement and Interim Authority to Test
•Review and update the contingency plan
•Review and update the categorization table
•Review and update e-authentication
Life Cycle Engineering, Inc. May 2019–May 2022
Risk Management Framework Specialist
Develop RMF A&A package documentation required for ATO submission in accordance with DoD/NAVSEA directives, which includes the following components:
•System Categorization Form
•Information System Continuous Monitoring Strategy (ISCM)
•Security Plan (SP)
•Plan of Actions and Milestones (POA&M)
•Security Assessment Plan (SAP)
•Security Assessment Report (SAR)
•Risk Assessment Report (RAR)
•Security Authorization Package
•Package Endorsement Letters
Ensure the RMF A&A package is submitted to the Certification Authority (CA) in sufficient time for its review and operational cybersecurity risk recommendation to obtain the Designated Accrediting Authority (DAA) authorization decision.
•Follow the published Navy and NAVSEA Business Rules and PIT Validation guidance when preparing C&A packages.
•Coordinate with the government-appointed Navy Validator throughout C&A package creation and processing to ensure compliance with stated regulations and an efficient package submission that results in an ATO.
•Develop and maintain a Plan of Action and Milestones (POA&M) for all IA-related tasks and deliverables in accordance with the Security Technical Implementation Guide (STIG).
•Develop Risk Assessment Reports (RARs) based on vulnerability test results, automated scan reviews, Assured Compliance Assessment Solution (ACAS) scans, and other DoD-mandated assessment utilities.
•Document A&A information in the A&A Package consistent with all other packages, and ensure that there are no omissions.
•Input reports in eMASS, or deliver them in MS Office/Visio formats, as appropriate.
DELTAAHTECH CONSULTING, MD March 2017 – May 2019
Cybersecurity Analyst
•Perform ongoing Assessment and Authorization projects in support of client security systems and ensure quality control of A&A documents.
•Document and finalize Security Assessment Reports (SARs), and perform security assessment and continuous monitoring.
•Extensive knowledge of NIST Publications SP 800-18, SP 800-30, SP 800-37 rev 1, SP 800-53 rev 4, SP 800-53A, SP 800-60 and Federal Information Processing Standards (FIPS) FIPS 199 and FIPS 200.
•Conduct risk assessments and collaborate with clients to provide recommendations regarding critical infrastructure, network security operations and Continuous Monitoring processes.
•Extensive knowledge of categorizing information systems (using FIPS 199 as a guide).
•Update and revise System Security Plans, Contingency Plans and Plans of Action & Milestones.
•Document NIST 800-53 security control compliance findings within Requirements Traceability Matrices (RTMs) and Security Assessment Reports (SARs).
•Ability to execute security assessments and develop and deliver supporting documentation within aggressive timelines. Perform full and partial assessments (yearly and every 3 years).
•Experience executing Step 4 (Security Assessment) of the NIST Risk Management Framework (RMF).
•Helped review Contingency Plans (CP), Incident Response Plans (IRP), and other tasks and specific security documentation when the ISSO needed help.
•Perform vulnerability scan analysis and monitor continuously using NIST 800-137 as a guide with the aid of Nessus.
•Develop Continuity of Operations (COOP) and Disaster Recovery (DR) operations and conduct evaluation of COOP and DR during annual incident response training.
•Supported security tests and evaluations (ST&Es).
•Provide security support and evaluation to development teams in order to integrate information assurance/security throughout the System Development Life Cycle of major and minor application releases.
•Created and tracked POA&M-related items.
•Monitor the system for vulnerabilities and threats, including patch management, weak password settings, unnecessary services not disabled, and weak configurations left from default settings.
BRIGHTWAY PROFESSIONAL & Associates, MD Dec 2015 – Feb 2017
Cybersecurity Analyst
•Reviewed and updated Security Assessment Plans (SAPs), Security Assessment Reports (SARs), and Plan of Action and Milestones (POA&M) Reports.
•Prepared and assembled the Authorization package, including the authorization letter, and submitted it to the Authorizing Official (AO) for approval of system operation.
•Trained users on risks, social engineering, security controls and best practices to ensure the security and safety of assets.
•Performed vulnerability scanning with the support of the Nessus scanning tool.
•Assisted in updating IT security policies, procedures, standards, and guidelines per the respective department and federal requirements.
•Performed risk assessments, and reviewed and updated Plans of Action and Milestones (POA&M), Security Control Assessments, and specific security documentation for Security Assessment and Authorization (SA&A) using NIST SP 800-53 rev4/FIPS 200 (Security Controls) and NIST SP 800-53A rev4.
•Monitored controls post authorization to ensure constant compliance with the security requirements.
•Conducted internal and external security audits. Established plans and protocols to protect information systems against unauthorized access, modification and/or destruction.
•Provided written and verbal reports of audit findings as well as interpreted audit results against defined criteria.
•Performed and analyzed vulnerability scan reports and worked with stakeholders to establish plans for sustainable resolution.
•Collected all evidence and artifacts that supported remediation activities and saved them for audit purposes.
•Performed security control assessment of all assigned systems, developed test plans and assessment reports in support of system authorization.
•Assisted in providing guidance and support to the development of Plan of Action and Milestones (POA&M) as well as validation testing of POA&Ms.
•Worked with management to ensure security recommendations complied with company procedures and performed security impact analyses of proposed changes.
World Bank, IFC, Environmental, Washington, DC June 2008 – Nov 2015
Data Quality Analyst/Reporting Analyst
•Data Quality Analyst/Reporting Analyst/Consultant, World Bank, IFC, Environmental, Social & Governance, June 2003 – July 2010
•Created ad-hoc reports for the business users in SSRS and Excel.
•Provided statistical analyses support
•Provided recommendation on standardizing and analyzing survey responses
•Initiated and led high-risk projects in the Environmental, Social and Governance Departments based on financial, economic, environmental and social performance and private sector development impacts by region, department and category, using Microsoft Excel and SSRS.
•Analyzed portfolio data from the IFC Management Information System in the context of environmental and social issues and presented results for discussion and inclusion in the Monthly Performance Report.
•Conducted portfolio reviews and analyzed International Financial Intermediary data for country team management on a periodic basis.
•Conducted benchmarking analysis of the Environmental and Social Risk Rating system (ESRR) of IFC against other International Financial Institutions, including IDB, EBRD, IEB and NIB. Presented findings to management along with future enhancement recommendations.