DOUG JOHNSON
Lexington, KY *****
Mobile: 520-***-**** Alt: 859-***-****
Emails: ********@*****.*** *******@*******.***
---
PROFESSIONAL SUMMARY
Seasoned Information Security professional with 20+ years of experience in IAM, PAM, risk management, compliance, audit readiness, server hardening, vulnerability management, and enterprise security operations. Adept at identifying security risks, improving security posture, developing SOPs, automating processes, and simplifying complex workflows. Experienced in PCI, SOC1/SOC2, ISO 27001, NIST 800-53, IAM/PAM, GRC, and enterprise reporting. Recognized for leadership, cross-team collaboration, and building strong, repeatable security processes.
---
CORE SKILLS
Data Analytics
Process Development
Risk Mitigation Strategies
Security Regulations Compliance
Critical Thinking
Audit Management
IAM / PAM / SSO
SOP Creation and Governance
Vulnerability Management (Tenable)
GRC (RSAM, Archer)
Automation (Excel, VBA, scripting)
Endpoint Security (AV, Encryption, EOL, Patch)
---
PROFESSIONAL EXPERIENCE
---
ConsultUSA / PNC Bank — Lexington, KY
Information Security Analyst 03/2024 – Present
Partnered with senior leaders and application owners to review identity compliance options and guide them through privileged ID management in CyberArk.
Oversaw onboarding of privileged accounts (Windows AD, DBS, Oracle) and password vaulting in CyberArk.
Developed weekly Tableau-based reporting for teams managing thousands of identities.
Ensured timely and accurate certification of Privileged Account Reviews.
Identified privileged accounts not properly onboarded and coordinated onboarding, deletion, or transfer to meet WIAM policy.
Validated privileged access approvals, ownership, and security controls prior to onboarding or remediation.
Drove remediation of noncompliant accounts by partnering with system administrators, application owners, and security leadership.
Produced documentation summarizing access gaps, remediation progress, and compliance status.
Supported audit and control validation activities through evidence gathering and process documentation.
Strengthened communication between security, engineering, and business teams to streamline privileged access workflows.
---
Beacon Hill — Lexington, KY
Senior Security Analyst (Contract) 05/2023 – 09/2023
Automated user access reviews, reducing review cycle time by 66% (three weeks to one week).
Ensured quarterly data preparation and user review compatibility with application teams.
Authored SOPs and user review guides.
Completed user reviews for critical applications on time and to audit satisfaction.
Trained non-technical personnel to run future user reviews independently.
Performed privileged access reviews, AD group governance, and user lifecycle validation.
Supported SOC2, ISO, PCI, and NIST compliance through evidence preparation and control documentation.
Developed access procedures and collaborated with application teams to ensure proper access controls.
---
Integrity Consulting — Lexington, KY
Identity & Access Management Specialist 03/2022 – 03/2023
Led creation of IAM processes including Access Recertification, Onboarding, Offboarding, Transfers, and Access Requests.
Built automation solutions to reduce manual workload and improve accuracy.
Received SailPoint IdentityNow admin training; supported implementation using Jira.
Supported SOC1, SOC2, and internal audits.
Developed and maintained four new SOPs for IAM tasks, reducing missed IDs by 10%.
Created and led quarterly privileged user review and recertification runbooks, improving resource allocation and analyst performance.
Coordinated IAM transformation project involving SSO and SailPoint IdentityNow, completing ahead of schedule.
Managed IAM risks and ensured timely closure using RSA Archer.
Designed Excel automation that saved two weeks of work per quarter and eliminated errors.
---
Conduent — Lexington, KY
Information Security Engineer III 03/2018 – 12/2021
Developed IAM compliance procedures, training materials, and trained IAM/PAM teams.
Created, reviewed, and updated SOPs to maintain compliance in a changing environment.
SME in RSAM GRC supporting vendor reviews, exceptions, risks, and workflow creation.
Developed executive-level endpoint compliance reporting using ETS, SQL Manager, and Report Builder.
Collaborated with SCCM team to deploy security applications across the enterprise.
Managed endpoint security: vulnerability scans, Splunk alerts, AV, encryption, EOL, and configuration compliance.
Supported 30 business units to drive endpoint security and remediation.
Assessed compliance using Splunk, Critical Watch, Tenable, and SolarWinds; partnered with IT teams to drive remediation.
Led risk management process, evaluating and approving risks and exceptions in RSAM.
Collaborated with stakeholders and CRO to mitigate or eliminate risks.
Administered identity management for 12,000 users; identified 6,000 obsolete identities, improving security and future review efficiency.
Investigated and remediated enterprise-wide endpoint non-compliance, increasing encryption compliance by 40%.
Mentored new team members to improve performance and consistency.
---
Xerox — Lexington, KY
Information Security Manager 03/2015 – 03/2018
Led internal and external audits including PCI, SOC2, Customer Assessments, and Internal Security Assessments.
Prepared business unit managers for audits; collected, organized, and presented evidence.
Hosted auditors onsite, scheduled SME interviews, and ensured timely artifact exchange.
Performed Internal Security Assessments identifying endpoint health and patching issues; developed remediation plans.
Oversaw Tenable vulnerability scans and created remediation action plans.
Ensured patches were applied across affected servers.
Identified gaps in security controls and remediated through process improvements, education, and IT collaboration.
Worked with global teams to remediate discovered gaps.
Initiated and developed endpoint compliance reporting for the CISO.
Assisted in ISO 27001 certification for 5 data centers.
Conducted NIST 800-53 compliance assessments and partnered with IT teams on remediation.
Created metrics reports using AV, patch, and inventory data to drive process improvements.
Automated privileged access review steps using Excel VBA, earning company-wide recognition and a monetary award.
Directed site-wide security awareness program and managed security risks across business units.
Acted as SME for Privileged Access Management.
Designed security solutions to reduce endpoint cyber risk, resulting in new KPIs and a 15% reduction in non-compliance.
Trained new security engineers to maintain security controls.
---
IBM — Lexington, KY
Information Security Advisor 02/2014 – 02/2015
Managed IT projects for Delivery Project Executive.
Oversaw IAM support for accuracy and timeliness.
Analyzed PCI data for irregular activity.
Automated PCI analysis, saving 2 hours weekly.
Tracked 110,000 privileges for annual revalidation.
Health Check process owner and SME for HIP tool development.
---
IBM — Tucson, AZ & Lexington, KY
Staff Analyst 01/2008 – 01/2014
Represented IBM Health Check process to corporate and external auditors.
Developed and delivered System Access Control and Patch education.
Identified KPIs to enforce security standards.
Built Excel automation tools saving 100–300 hours quarterly.
Created executive-level metrics and critical issues reporting.
Performed RCAs to improve process execution.
SME for development of the Health Inspection Portal (HIP).
Developed interfaces and reports for security tools to secure servers and workstations.
Developed guidelines and interfaces for Americas-wide audit improvement tools.
Enforced least privilege by applying access restrictions to sensitive operating system resources and preventing conflicting privilege combinations.
---
IBM — Tucson, AZ
Security Program Manager 01/2006 – 01/2008
Developed processes to strengthen weak security controls including OS access authorization.
Co-authored and owned the IBM Health Check process.
Managed security projects including data collection and reporting for 100 accounts.
Automated reporting for the Security Self-Assessment Workbook for 100+ accounts.
SME for ITCS104 and GSD331 controls.
Led server hardening initiatives.
---
IBM — Tucson, AZ
Delivery Compliance Administrator 01/2005 – 01/2006
Managed security controls for 5 accounts including hardening, patching, vulnerability scanning, and audit defense.
Performed RCAs and managed remediation of internal security issues in CIRATS.
Liaison between IBM and internal/external auditors.
Reviewed, configured, and ran system access controls tools.
---
H.L. Yoh Company (Contracted to IBM) — Tucson, AZ
Windows Administrator 10/2002 – 01/2005
Developed Health Check (hardening) process for 20 IBM accounts.
Hardened servers, performed patching, change management, and hardware support.
Performed after-hours patch changes and AV/security updates.
Developed patching processes for the Windows team.
Used batch scripting to deploy security scripts to servers.
---
Siemens Medical Solutions — Pittsburgh, PA
Network Engineer 01/1998 – 08/2002
Planned, implemented, and executed backup plan for Children’s Hospital of Pittsburgh.
Member of the disaster recovery team.
Supported multiple departments’ infrastructure and software.
Led hospital-wide device upgrades and rollout of 100+ PCs.
Provided direct support to HR and Emergency Room departments.
---
EDUCATION
Bachelor of Science, Library and Information Science — University of Pittsburgh (1995)
Microsoft Power BI 3-day Training for Data Analytics — 2021
---
CERTIFICATIONS
CISSP — ISC2
CISA — ISACA
CIAM — Identity Management Institute
Network+
Certified Novell Engineer (CNE)
ZENworks Desktop Management