Profile: Certified Information Security Professional with over 10 years of experience in cybersecurity, information security, and IT operations. Proven track record in implementing robust information security infrastructures and effectively balancing security initiatives with business operations and risk management. In-depth knowledge of the FISMA/NIST Risk Management Framework, as well as FedRAMP compliance. Experienced in establishing and maintaining system security monitoring, auditing, and evaluation based on industry standards. Strong understanding of networking protocols, database platforms, and cloud infrastructure. Seeking a full-time Cyber Security Specialist position to leverage critical thinking, problem-solving, research, and analytical skills acquired throughout my career.
EDUCATION
University of Cape Coast, Bachelor of Science, Cape Coast, Ghana, 2009
University of Maryland University College (UMUC), Master of Cybersecurity – Technology, College Park, MD
CERTIFICATION
Certified CompTIA Advanced Security Practitioner (CASP)
Certified Ethical Hacker (CEH)
Certified CompTIA Security+ CE
Certified Amazon Web Services (AWS) Developer Associate
Certified Scrum Master (CSM) Professional
Certified Information Security Manager (CISM)
CISSP (in progress)
CLEARANCE:
Cleared
TECHNICAL SKILLS
Security Authorization Documents: review and update the Solution Architecture Document (SAD), Hardware/Software Inventory List, Design Diagrams, Vendor Documents, Secure Configuration Checklist (SCC), Vulnerability Scan Report, Security Test and Evaluation (ST&E), Business Continuity Plan (BCP) and Continuity of Operations (COOP), Configuration Management Plan, System Security Plan
Security Guidance: National Institute of Standards and Technology (NIST) Special Publications 800-53, 800-53A, 800-37, etc.
Security Assessment Management Tools: eMASS, XACTA IA, CSAM, RSA Archer RMPS, Splunk, WebInspect, AWS Inspector, STIGs
ISO/IEC 27000 Family – Information Security Management
Cloud Services: Amazon AWS, Microsoft Azure, etc.
Risk assessment, risk mitigation analysis and FedRAMP
Experience with creating, reviewing, and updating Plans of Action & Milestones (POA&M) for identified vulnerabilities
Active Directory
Network traffic monitoring
Perform vulnerability scans using Nessus as the scanning tool
Facilitate meetings and presentations
Monitor Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
PROFESSIONAL EXPERIENCE
CVP Corp, Feb 2019 – Present
ISSO Lead
Led a team of four ISSOs through the Risk Management Framework (RMF) process, conducting peer-reviews on Authorization to Operate (ATO) processes and artifacts.
Assisted in the development of Cybersecurity documentation to support system certification in compliance with RMF and NIST standards.
Maintained and supported current Assess and Authorize (A&A) packages, ensuring ongoing system compliance.
Collaborated with system owners, government managers, and stakeholders to manage Cybersecurity requirements, ensuring alignment with A&A standards.
Reviewed system security scans, responded to vulnerability alerts, and addressed system vulnerabilities to ensure system integrity.
Proactively created and monitored Plans of Action & Milestones (POA&Ms), ensuring timely resolution of identified security weaknesses.
Drafted and managed Waivers and Risk Acceptance Memos to aid in effective risk management for systems.
Conducted annual assessments in compliance with HHS Information Security Performance Plan and ensured security authorization documentation was updated regularly.
Coordinated with Privacy, Records, and Information Governance divisions on compliance and regulatory requirements.
Performed system self-assessments as part of the Ongoing Authorization program, ensuring continued compliance.
Worked closely with Engineers and System Administrators to document data flows, system architecture, and create necessary diagrams and charts.
Facilitated tabletop exercises with key stakeholders to test system responses to potential security threats.
Worked with established continuous monitoring practices for cloud environments, leveraging vulnerability assessments and security tools to maintain a strong security posture.
Worked alongside cloud engineers and system administrators to secure cloud infrastructure, focusing on secure configurations, data flow protection, and robust identity and access management controls.
Supported federal compliance initiatives within cloud infrastructures, ensuring adherence to cloud-specific security standards and collaborating with the SCA teams to resolve any identified issues.
Conducted risk assessments for cloud-based systems, identifying and mitigating vulnerabilities specific to cloud architectures and implementing compensating controls as needed.
IPNS, Inc. July 2018 – Feb 2019
RMF ANALYST-SME
Developed Cybersecurity documentation, supporting system certification for compliance with RMF and NIST standards, and managed ongoing Assess and Authorize (A&A) packages.
Advised Information System Owners (ISOs), System Owners, and Program Managers on system security requirements, ensuring adherence to FISMA, OMB, and agency policies.
Collaborated with system administrators to resolve POA&Ms, creating and gathering artifacts such as mitigation memos, conducting interviews, and implementing compensating controls to validate security controls.
Created, reviewed, and updated System Security Plans (SSP), Security Assessment Reports (SAR), and POA&Ms for system accreditation.
Managed relationships for assigned systems, including contractor-owned and operated systems, ensuring compliance with agency security and privacy requirements.
Served as the primary IT security POC for assigned systems, overseeing their operation, maintenance, and disposal in compliance with security policies, including A&A.
Supported the development and maintenance of security documentation, including SSPs, Privacy Impact Assessments, Configuration Management Plans, Contingency Plans, FISMA assessments, and incident reports.
Conducted system self-assessments and annual assessments as part of the Ongoing Authorization program, ensuring systems meet security standards and compliance.
Facilitated tabletop exercises with stakeholders, assessing system responses to security incidents and validating controls.
Assessed vulnerabilities, implemented patches, and ensured security hardening across all levels of the system stack, ensuring timely remediation of identified weaknesses.
MANAV Consulting Group Inc. December 2015 – July 2018
Information System Security Officer (ISSO)
Acted as the focal point for categorizing Information Systems using FIPS-199, identifying information types and determining inherent risks, while ensuring appropriate security controls were developed.
Assisted in selecting security controls for systems to support Risk Management Framework (RMF) efforts, and played a key role in developing Contingency and Incident Response Plans to align with Business Continuity Plan (BCP) initiatives.
Collaborated with system administrators to resolve POA&Ms, gathered necessary artifacts such as mitigation memos, conducted interviews, and implemented compensating controls to validate security controls.
Leveraged the organization’s RMF process to review and ensure system and application documentation was accurate, up to date, and detailed enough to support Security Control Assessments and Validation. Successfully obtained an Authority to Operate (ATO) for two systems.
Documented and analyzed system changes, performed continuous monitoring, and adhered to the organization’s monitoring strategy for ongoing assessments.
Monitored and reviewed vulnerability and IA compliance testing, ensuring security measures identified by the IA Vulnerability Management (IAVM) program were implemented.
Supported and reviewed Nessus scans and IAVM reports weekly to manage and maintain the system's security posture.
Created, reviewed, and updated System Security Plans (SSP), Security Assessment Reports (SAR), and POA&Ms to maintain system accreditation.
Conducted vulnerability scans, performed risk assessments, and oversaw the implementation of vulnerability mitigation efforts.
Advised Information System Owners (ISOs), System Owners, and Program Managers on system security requirements, including FISMA regulations and NIST updates.
Daggers Group May 2012 – December 2015
Information Security Analyst
Advised Information System Owners (ISO), System Owners, and Program Managers on security requirements, including updates and changes to FISMA regulations and NIST documentation.
Interfaced with Certification and Accreditation (C&A) authorities to ensure compliance with national security policies and best practices across multiple projects.
Guided System Owners and ISSOs through the C&A process, ensuring smooth navigation and compliance with established security protocols.
Tested, assessed, and documented security control effectiveness by collecting evidence, conducting interviews, and evaluating records to determine control effectiveness.
Collaborated with system administrators to resolve POA&Ms, gathering artifacts, creating mitigation memos, residual risk memos, and corrective action plans to close out POA&Ms.
Conducted security assessment interviews, developed Security Assessment Reports (SAR), and completed Security Test and Evaluation (ST&E) questionnaires based on NIST SP 800-53A to maintain ATO.
Applied knowledge of Security Assessment & Authorization (SA&A) policies, guidelines, and regulations in IT system assessments and documentation.
Reviewed and maintained all assessment and A&A documentation, ensuring it was properly included in system security packages.
Ensured vulnerabilities and risks were mitigated efficiently in accordance with the organization's monitoring plan.
Created, reviewed, and updated System Security Plans (SSP), Security Assessment Reports (SAR), and POA&Ms to support system accreditation.
Managed POA&M processes for accuracy and currency, ensuring all actions were up to date.
Participated in planning, training, and preparation for contingency and disaster recovery operations, supporting organizational resilience.
Provided regular reporting on the status of information security programs to management and key stakeholders, ensuring transparency and accountability.
Conducted continuous monitoring activities to enforce client security policies and procedures, creating oversight processes for enhanced system security posture.
ADDITIONAL SKILLS
Information Assurance, IT Governance, Policy & Procedures Development, Information Security Compliance, Continuous Monitoring, Identity Assurance and Management, Threat Monitoring, Incident Response, Vulnerability Analysis, Contingency Planning, Disaster Recovery, Information Security Awareness Training, Assessment & Authorization, Privacy, Windows.