
Information Security Risk Management

Location:
Port Jervis, NY, 12771
Salary:
170,000
Posted:
January 23, 2025


Resume:

Othniel Alphonse

*******.********@*****.***

678-***-****

MSISM, CCISO, CISSP, HITRUST, AWS Masters-Solutions Architect, MS Azure Masters,

AI ethics and compliance

https://www.linkedin.com/in/othnielalphonse/

Objective:

Obtain a leadership role in Cloud Cybersecurity and/or Artificial Intelligence governance, risk & compliance for cloud environments as an Advisor/Analyst, Manager, Director, and/or VP/CISO. Allowed to provide executive leadership to build programs in information security implementation and AI programs aligned with known security best practices, laws, and regulations. I am skilled at effectively standing up and managing an enterprise cybersecurity program, leading audits and assessments of internal security IT controls aligned with a security business charter. Involved with machine learning and behavioral analytics to identify and stop potential attacks using CrowdStrike’s platform. Oversee internal audits and support external audits through utilization of my 24 years of skills and experience in information systems risk, compliance and analysis across Federal, Health, and Technology markets. I have competency in applying project management, KPIs, risk management frameworks, AI technology, business analysis, IT risk management, vendor management, security awareness, change management, compliance, and internal auditing capabilities for government and private organizations.

Education:

●Howard University - Washington D.C. - B.A., Business Administration and Computer Information Systems and Analysis (2004)

●Graduate School, USDA Certified Information Security Specialist (2003)

●University of Fairfax, Masters of Science in Information Security Management (2010)

●University of Fairfax, Doctorate in Information Assurance/Cybersecurity (Expected Graduation 2025)

●CCISO, Certified Chief Information Security Officer training completion certification

●Currently enrolled in Microsoft Azure Master’s Program

●Completed AWS Master’s Program October 2023 (Linux Fundamentals, Python Scripting Certification Training, AWS Solutions Architect Certification Training Course, Migrating Applications to AWS Training, AWS SysOps Certification Training for Certified Administrators, AWS Developer Certification Training, AWS DevOps Engineer Certification Training)

●Generative Artificial Intelligence, AI ethics and compliance.

Certifications and Training:

●CISSP, Masters of Science Information Security Management, University of Fairfax 2017

●National Security Agency Information Security Specialist (ISSP) - Computer Forensics

●HITRUST Practitioner

●MyCSF tool Administrator

●Computer Forensic Analyst Certified

●Risk Framework Security Controls Assessor (23 years of experience)

●NIST 800-53(a), SA-4 Acquisitions

●NIST 800-171A-Assessing Security Requirements for Controlled Unclassified Information

●Executive Order 14028 “Improving the Nation’s Cybersecurity”

●M-23-16, Update to Memorandum M-22-18 Enhancing the Security of the Software Supply Chain through Secure Software Development Practices

●OMB M-22-18 Enhancing the Security of the Software Supply Chain through Secure Software Development Practices.

●M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles

●National Security Memorandum/NSM-8 on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems

●M-22-05, Fiscal Year 2021-2022 Guidance on Federal Information Security and Privacy Management Requirements [PDF]

●M-22-01, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response [PDF]

●M-21-31 Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents

●M-21-30 Protecting Critical Software Through Enhanced Security Measures

●NIST SP800-18 Guide for Developing Security Plans for Federal Information Systems

●NIST SP800-30 Guide for Conducting Risk Assessment

●NIST SP800-53 Recommended Security Controls for Federal Information Systems

●NIST 800-37 Risk Management

●FISMA standards, implementation, accreditation

●FEDRAMP

●HIPAA

●Network vulnerability testing

●Intrusion detection system training

●Project Management

●DISA training

●DITSCAP training

●AWS Cloud Services/Products

●ISO 27001

●GDPR

●SOC 2 & 3 audits

●PCI DSS

●CCISO training

●ServiceNow GRC

●CIS Benchmarks

●Basic Linux

●Python

●AWS Solutions Architect

●MITRE ATT&CK / D3FEND

●Cloud Security - Completed AWS Masters, Solutions Architect

●Currently enrolled in Microsoft Azure Masters program

●Working experience with Cloud Tools such as:

●AWS Inspector

●Guard Duty

●Macie

●WAF

●AES

●RSA

●PKI

●Microsoft Identity Access Management

●Microsoft Information Protection

●Data Protection Solutions

●Azure Security Center

●SSL/TLS

●IAM

●KMS

●VPC

●AWS S3

●CloudTrail

●CloudFormation

●Azure Sentinel

●Azure Key Vault

●AWS CloudTrail for Data Protection

Industry Clients Overview:

Federal (Client - Role):

1. Department of Justice (DOJ) - Jr. IT Security Controls Consultant

2. Department of Homeland Security (DHS) - Senior Security IT Controls Analyst

3. Department of Veterans Affairs - Security Administrator

4. FAA - Security Analyst

5. Oakland Ridge Nuclear Laboratory - Senior Security Controls Assessor

6. Department of Commerce - Senior IT Security Controls Assessor

7. IRS - Senior IT Security Controls Assessor

8. House of Representatives - Senior Security Risk Advisor

9. National Institutes of Health (NIH) - Senior Security Analyst

10. Center for Medical Services (CMS) - Senior Security Analyst

11. State of Georgia - Senior IT Security Controls Assessor

12. Department of Interior (DOI) - Senior Security Consultant

13. US Coast Guard - Senior Security Analyst

Bank/Finance (Client - Role):

14. Bank of America (Finance) - Senior Security Risk Advisor

15. Deutsche Bank (Finance) - Senior Security Risk Advisor

16. Deloitte & Touche - Security Risk & Compliance Analyst

17. LPL Financial - Senior Security Risk & Compliance Analyst

Technology (Client - Role):

18. Amazon Web Services (AWS) - Senior Enterprise Risk Program Manager 2019

19. Apptio Inc (CSP/SaaS provider) - Senior Government Cloud Manager (ISSO) 2022/2023

20. Lexus Nexus - Senior Risk Assessor

21. PegaSystems (CSP/SaaS provider) - Senior Security Risk & Compliance

Areas of Expertise Overview:

1.Reviewed acquisitions contracts, statements of work (SOWs), memorandum of understanding (MOU), service level agreements (SLAs)

2.Senior leader acting as an ISSO managing Government Community Cloud covering all Cloud Security, Risk & Compliance initiatives.

3.Senior Advisor, developed enterprise security program charters, policies and enforced policies via internal audit.

4.Senior manager leading teams of 5 or more and coordinating with Sales, Engineering, HR, Executive and Legal teams.

5.Conducted Risk Assessments (Qualitative & Quantitative (Fair Method)) and corporate maintained risk registries.

6.Assessed Cloud & On Prem infrastructures using NIST 800-53; CSF; FEDRAMP; STATERAMP; NIST 800-171; HITRUST; GDPR; ISO 27001; DOD IL4; DOD IL6

7.Advisor to CISO/VP concerning security implementation, risk, compliance, risk acceptances.

8.Responsible for managing Risk/Finding mitigation projects

9.Managed 3rd party assessment programs.

10.Preparing & presenting reports to executive leadership.

11.Drafted & finalized FEDRAMP Authorize To Operate (ATO) packages.

12.Conducted full internal audits & external audits, interfacing with stakeholders.

13.Lead project manager responsible for tracking and monitoring projects involving multiple teams

14.On Prem to Cloud Migrations

15.Contingency Test Planning/Disaster Recovery

16.AWS/Azure/GCP Cloud Security Controls/DevSecOps, ConMon Manager

Recent Technical Experience Overview:

1.On Prem to Cloud migrations (Datalink)

2.ConMon Scans (Host, Containers)

3.AWS Console Admin (Access Review/Audit logs)

4.AWS CloudWatch

5.SIEM Tools- AlienVault; Splunk

6.Symantec DLP

7.Endpoint Protection

8.HP Fortify/Agile/SDLC experience

9.Big Query

10.Monday Project Mgmt

11.Jira experience

12.ServiceNOW

13.Slack Teams

14.Confluence

Additional Technical Skills:

●Software - AWS Workdocs, AWS eQuip, AWS Projects, AWS Security Hub, Confluence, Redlock.io, Splunk, IP360, Alienvault, SIEM tools, DBProtect, Spiceworks, SharePoint 2010/2007; MS Access, MS Project, SQL Server, MS Office, MS Visio, Symantec Endpoint Antivirus, MS Anti-Spyware; Windows OS {all versions}, MAC OS X, ClearCase, Adobe Acrobat, Filezilla, Remedy, Nessus/Retina port scanner

●Hardware - Mac, PC, Network Printers, Laptops, Desktops

●Platforms - Office 365, Windows NT, Active Directory, UNIX/LINUX, Sybase, UDB, Mainframe, CentOS

●Other - Computer Forensics, CIS, NIST, ISO 27001, ITIL, SOC2/3, Sarbanes-Oxley, Cobit, CCNA training, Network Administrator training, Database Training, Systems Analysis Training, Mainframe Administrator, Configuration Management

Professional Work Experience:

Acacia Center for Justice February 2024-August 2024

Director of Security Risk & Compliance

●Prepared and submitted Authorization to Operate FedRAMP documentation to Department of Justice

●Acquired three-year ATO from Department of Justice (DOJ).

●Responsible for maintaining DOJ ATO security requirements.

●Responsible for maintaining HHS ATO security requirements.

●Ensured FEDRAMP requirements are met for NIH data within our Cloud boundary.

●Applied the FAIR risk assessment framework to quantify cybersecurity risks, enabling data-driven decision-making for risk mitigation.

●Managed Information Security Manager’s daily tasks.

●Developed business continuity plans based on ISO 20005 guidelines, ensuring the organization is prepared for IT service disruptions.

●Implemented vendor security program for over 500 Law Service Providers (LSPs) on behalf of Acacia and DOJ.

●Implemented RMF processes to ensure compliance with NIST guidelines, enhancing the security posture of the organization’s IT systems.

●Implemented enterprise security policies aligned with FedRAMP, NIST 800-53 rev 5.

●Responsible for implementing corporate incident response plan and capability.

●Responsible for implementing corporate cloud contingency plan.

●Responsible for implementing RA-5 vulnerability scanning and ConMon processes.

●Conducted risk assessments using RMF, identifying potential vulnerabilities and recommending mitigation strategies to reduce system risk.

●Responsible for implementing FedRAMP security governance for an AWS Cloud “Covered Information System” and Microsoft Azure Corporate environments.

●Managed corporate security awareness training.

●Implemented ISO 20005-compliant disaster recovery protocols, reducing downtime and minimizing operational risk during incidents.

●Conducted FAIR analysis to evaluate the financial impact of identified risks, helping prioritize investments in cybersecurity controls.

●Managed corporate phishing exercises and reporting.

●Responsible for drafting, implementing, & updating Cloud System Security Plan.

Wipro Inc December 2023 - February 2024

Cybersecurity Advisor

●Cloud ATO process

●Cloud Security Training (Microsoft Azure)

Akima Inc. September 2023 - December 2023

Cybersecurity Advisor

(Department of Education)

●Advise Department of Education CISO

●IT Contract & Acquisitions reviews

Completed AWS Cloud Masters Program May 2023 - September 2023

Sabbatical Feb 2023 - May 2023

Apptio Software Company June 2022 - Feb 2023

Senior Federal GovCloud ISSO

(VA, DHS, DOD, NAVY, AIRFORCE)

●Reviewed 3rd party supplier/MSP acquisition contracts for security requirements and regulatory compliance.

●Reviewed & approved third party supplier contracts working directly with our Govcloud environment.

●Reviewed service level agreements (SLAs) for internal policy compliance and audit enforcement.

●Lead responsible for maintaining Apptio GovCloud FedRamp P-ATO.

●Lead responsible for responding to questions, concerns, comments from the JAB.

●Aligned organizational risk management practices with ISO 20005, ensuring a structured and compliant approach to information security management.

●Responsible for writing up risk findings, recommend remediations, and draft risk acceptances and report directly to the CISO.

●Senior lead advisor for security impact assessments (SIA) for Apptio GovCloud.

●Senior lead advisor on all Significant Change Request (SCRs) to Apptio GovCloud.

●Collaborated with cross-functional teams to apply RMF in developing security plans, ensuring consistent and standardized risk management practices.

●Scoping for Apptio GovCloud “uplift” from Moderate to IL4 security baseline.

●Perform Moderate to IL4 gap analysis.

●Collaborate with ConMon to ensure vulnerabilities are remediated in a timely manner and meet FedRamp thresholds.

●Lead SSP updates/revisions to include SCRs, and technological changes/updates.

●Conducted risk assessments in accordance with ISO 20005 standards, identifying potential vulnerabilities in business continuity and IT systems.

●Developed risk management strategy for Apptio GovCloud.

●Managing security & compliance team daily tasks around information assurance, i.e. security documentation, jira ticketing approval, vulnerability remediations for Apptio GovCloud, and general security & compliance advisory.

●Collaborated with Products & Engineering to ensure vulnerabilities thresholds are not exceeded.

●Collaborated with stakeholders to implement the FAIR model, enabling more accurate assessments of risk likelihood and potential loss exposure.

●Collaborated with the Information Security team to ensure security monitoring and response/incident mechanisms are operating as intended.

●Managed all security access reviews and IAM processes.

●Responsible for drafting and enforcing IAM policies.

●Communicated cyber security risks, trends, threats from 3rd party sources to ensure Apptio internal threat modeling is continuously updated and security mechanisms configured as needed.

●Collaborate with the Apptio GovCloud stakeholders to ensure all security controls are in place and meet Apptio security policies.

●Worked with Apptio Sales to train personnel on FedRamp GovCloud space advise on sales/advertising strategy.

●Developed FAIR-based risk scenarios to evaluate potential security threats, providing actionable insights for improving risk posture.

●Developed and maintained system security plans (SSPs) in accordance with RMF, aligning with federal and organizational security requirements

●Managed FedRAMP Annual Assessments.

●Managed team of two contractors and 3PAO advisor.

o Managed project tickets and provided input for ServiceNOW implementation project.

Kratos Defense Supporting Amazon Web Services May 2021 to May 2022

Senior Security Risk & Compliance

(AMAZON WEB SERVICES)

●Senior lead advisor for security impact assessments for AWS Cloud Features/Services.

●Project managed AWS features FedRamp approval process.

●Developed risk management strategy for U.S. Government Security & Compliance (UGSC) team responsible for providing oversight and guidance on FedRamp authorizations for AWS Services and Features

●Developed risk registry for UGSC team.

●Collaborated with AWS Service teams.

●Provided weekly status updates with the AWS Global Engineering and Architecture Readiness (GEAR) team.

●Conducted regular audits to ensure alignment with ISO 20005 standards, maintaining compliance and improving the organization's resilience to IT failures.

●Performed continuous monitoring and control assessments as part of the RMF lifecycle, ensuring ongoing compliance with security policies.

●Prioritized Features assessments and coordinated yearly roadmap with AWS services teams, GEAR, and vulnerability management (VM) onboarding teams to ensure features met JAB security requirements for U.S Federal clients.

●Developed FedRamp Security Impact Assessments (SIAs) for 3PAO reviews.

●Reviewed 3PAO attestations and provided features authorization packages to the JAB.

●Advised and improved overall features assessments, tracking, and workflow processes.

●Maintained internal AWS features status and wiki page.

Avertium Inc, Atlanta, GA Aug 2020 to April 31 2021

Enterprise Consultant, Security Controls Assessor

(ORNL, Lexus Nexus)

●Reviewed supplier contracts for regulatory and security policy compliance.

●Advised and developed FedRAMP readiness and risk assessment for Deputy CISO at Lexus Nexus for On Prem migration to a cloud environment.

●Drafted FedRamp compliant system security plan for Deputy CISO at Lexisnexis.

●Lead FedRamp internal audit for Oakland Ridge Nuclear Laboratory (ORNL).

●Developed roadmap for AWS Cloud ATO.

●Drafted a security assessment plan.

●Conducted technical assessment interviews.

●Mapped Control Review items to NIST 800-53; 37;137.

●Drafted and finalized Lexisnexis system security plan (SSPs), contingency plans (CP).

●Drafted and finalized security assessment reporting, risk exposure tables, and executive summaries.

●Lead two-week ISO 27001 compliance assessment.

●Lead FedRamp readiness assessment.

Amazon Web Services (AWS), Seattle, WA Sept 2019 to Jan 2020

Enterprise Risk Management (ERM), Program Manager

●Key AWS Enterprise Risk Management member responsible for assessing risk related to information security and data protection.

●Developed a roadmap for standing up a new AWS Enterprise Risk Management Program.

●Project manager for the risk assessment team.

●Developed AWS Third Party Risk assessment questionnaire.

●Evaluated and assessed enterprise risks across the global AWS operations.

●Drafted AWS Enterprise Risk Management policy.

●Drafted the AWS Third party risk management policy.

●Developed AWS third party risk framework.

●Coordinated risk assessment interviews with AWS risk owners and stakeholders across the enterprise.

●Remediated AWS asset management risk concerns relating to GDPR.

●Assessed risks relating to AWS general ledger and Spending and Transaction policy.

●Completed training for AWS Security HUB.

●Completed training for integrating security findings from AWS Guard Duty and commercial SIEM tools to AWS Security Hub.

●Applied FAIR method for evaluation of AWS corporate risks.

●Developed ERM tool for initial risk scoring of AWS corporate risks.

●Reviewed ERM Implementation Plan.

●Responsible for ERM reporting from AWS Risk registry to upper management.

●Responsible for maintaining AWS risk registry and risk mitigation.

SJL Solutions Inc Boston (Short-term) March 2019 to July 2020

Senior Information Security Specialist

●Performed HITRUST self-assessment on MS Azure environment.

●Reviewed cloud implementation security documentation.

●Wrote control implementations descriptions based on documentation review.

●Administered HITRUST MyCSF tool, providing user permissions.

●Drafted security policies based on gap analysis to reflect required security domains.

●Managed HITRUST Assessment via MyCSF tool for entire cloud implementation.

●Provided HITRUST Assessment reporting and results to client including findings report.

●Collected technical artifacts to validate risk assessment results.

●Managed security implementation descriptions for access management controls via Active Directory.

●Performed SOC 2 audits for clients.

LPL Financial, San Diego, CA Nov 2018 to Jan 2019

Cloud Risk & Security Analyst

●Provided executive cloud risk assessment report to VP of Technology Risk.

●Performed cloud security risk assessment baselined against NIST 800-53

●Project managed two cloud risk assessments for Director of Risk Management for AWS Landing Zone

●Drafted and finalized 14 security policies aligned with NIST 800-53 requirements.

●Assessed risk of landing zone for 2 mobile applications.

●Developed Corrective Action Plans based upon risk assessment findings.

●Interviewed stakeholders within the Enterprise Operations, Info Sec, and Application Development team.

●Recommended Multi factor Authentication be implemented on a network system component.

●Ensured data encryption is applied to data at rest and data in transit

●Performed SOC 2 audits.

●Ensured Endpoint protection was implemented via CrowdStrike/Windows Defender.

●Ensured CyberArk was implemented for privileged access to AWS/Azure environments.

●Ensured Email scanning was implemented via ProofPoint.

●Ensured code scanning via Veracode.

●Ensured certificate life cycle management was implemented via Venafi.

●Ensured vulnerability mgmt. was implemented via Nexpose/Splunk.

●Ensured firewalls were configured properly via Palo Alto.

●Ensured server configuration followed CIS hardening baselines.

●Ensured Redlock.io compliance tool is configured on the cloud environment.

TDI, Washington DC March 2018 to July 31 2018

Senior Information Security Specialist

(House of Representatives)

●Developed SAR for government clients.

●Developed SSP for Microsoft Azure Cloud solution for government clients.

●Drafted and finalized 14 security policies aligned with NIST 800-53 requirements.

●Managed drafting of security policies aligned with 800-171 requirements.

●Conducted CIS audit for commercial clients.

●Wrote up access control policies and assisted with Microsoft Azure MFA configurations.

Alqimi Inc, Washington DC (Short-term) March 2018 to July 2018

Senior Information Security Specialist

●Performed HITRUST assessment on AWS Cloud solution.

●Administered HITRUST MyCSF tool, providing user permissions.

●Reviewed cloud implementation security documentation.

●Managed HITRUST Assessment via MyCSF tool for entire cloud implementation.

●Provided HITRUST Assessment reporting and results to client including findings report.

●Managed security implementation descriptions for access management controls via Active Directory.

●Performed SOC 2 audits.

Optum/QSSI, Tysons Corner June 2013 to 12/2017

Lead Senior Security Specialist

(NIH, CMS, VA)

●Performed IT security support function to the Office of the CISO regarding risk management, internal audits, policy development, project support.

●Responsible for implementing access control policies for management of user accounts.

●Project lead on multiple corporate security control assessments (SCA) on general support systems (GSS)/major applications (MA).

●Developed DAR for Symantec DLP solution.

●Worked with Symantec DLP reps to align network infrastructure with product offering.

●Acted as project coordinator between Symantec DLP rep and QSSI.

●Drafted Corporate Vendor Management Policy.

●Drafted vendor management procedure.

●Developed vendor security assessment questionnaires and business reqs.

●Drafted Sharepoint Administration Policy.

●Supported IT audits for corporate projects for CMS, DSH.

●Working experience with CMS CFACTS audit tool.

●Managed and mitigated POAMs and CP test for ACA exchange systems.

●Developed SSPs, RAs, CPs, POAMs for applications/systems.

●Coordinated infrastructure vulnerability scans using IP360, nCircle CCM, DB protect.

●Responsible for POAM mitigation on corporate GSS systems.

●Provided NIH Proposal QSSI Technical documentation.

●Provided Contingency Plan training to IT staff.

●Reviewed security policies and mapped to NIST standards and HIPAA standards.

●Performed security control assessment on major financial applications (Deltek CostPoint).

●Created risk determination methodology for the Chief Information Security Officer (CISO).

●Identified technical common controls for enterprise adaptation.

●Reviewed Incident Response Plans.

●Reviewed Facilities Management Plans.

●Obtained HITRUST assessor certification/HITRUST Tool experience.

●Provided project plans and goal setting for corporate internal audits.

●Drafted business development initiative plans for acquiring new business.

●Developed Mobile Security, Mobile Code, and Incident Response policies.

●Employed XLC methodologies.

●Monitored firewall configurations for best security practices

●Implemented OpenFISMA for corporate audit needs.

●Drafted Master Corporate Security Plans.

●Regularly reported to the CISO overall corporate infrastructure security status.

●Developed privileged access management policies for organization corporations.

●Developed and advised on Identity Access Management policies and baseline configurations for enterprise implementation.

TekSystems (supporting Bank of America), August 2011-January 2013

Alexandria, VA

Enterprise Risk Specialist Consultant

Global Information Security Team

•Performed security policy reviews and recommendations for technology devices/applications employed at BOA systems.

•Information Security SME on multiple technical policy documents.

•Supported daily activities of the VP, Senior Architect Enterprise Information Security.

•Drafted security control guidelines and practices for BOA Global Information Security (GIS) team.

•Provided new technology recommendations to business units.

•Provided security input on multiple new technologies for baseline implementation.

•Monitored and provided security input within a major mobile payment project at BOA.

•Provided weekly updates on mobile payment projects to the entire global information security (GIS) team at BOA.
