FLAVIUS DACOSTA ***********@*****.***
PROFESSIONAL SUMMARY
Information Security Professional with 7+ years of experience developing and updating System Security Plans (SSP), Security Assessment Plans (SAP), Security Assessment Reports (SAR), Plans of Action and Milestones (POA&M), Authority to Operate (ATO) packages and Business Continuity Plans (BCP). Strong understanding of and experience in the NIST Risk Management Framework (RMF), including NIST SP 800-37, FIPS 199, NIST SP 800-60, FIPS 200, NIST SP 800-53, NIST SP 800-53A and the Security Assessment and Authorization process.
Experience assessing security controls based on NIST SP 800-53A guidelines and methods, ISO 27001, GLBA, GDPR, GRC, SOX, Payment Card Industry (PCI) Data Security Standard (DSS) and HIPAA.
Software Technologies:
MS Office suite (PowerPoint, Excel, Access), Windows, E-Authentication, G Suite, SCA, CSAM, ProcessUnity.
PROFESSIONAL EXPERIENCE
Information Security Analyst
GTech Designs. Baltimore, MD. May 2021 – Present
• Applied experience in audit, security and regulatory frameworks including NIST Risk Management Framework (RMF), NIST SP 800-53A, ISO 27001, GLBA, GDPR, GRC, SOX, PCI, HIPAA, state privacy regulations and FFIEC while reviewing third-party controls.
• Led current risk assessments, continual risk assessments, risk metrics and visualizations, and produced assessment reports that explain risks to business line stakeholders and third-party vendors.
• Assisted in Governance Risk and Compliance (GRC) program’s design, process re-engineering or enhancements and tool and technology implementations as applicable.
• Assisted in the coordination and maintenance of the Company's governance-related initiatives.
• Provided Business Units and Stakeholders with mitigating security controls (anti-virus, IPS/IDS, DLP, web and network proxies, URL content filtering, multi-factor authentication, SSL VPNs) and explained how they work within an overall defense-in-depth risk assessment methodology.
• Utilized Splunk to collect, search and correlate data to support risk-based analysis.
• Utilized Splunk as a tool for drill-down detailed analysis and validation of suspicious activities.
• Experienced in evaluating and recommending Data Loss Prevention Technologies for web, email and other common protocols.
• Provided SME assistance for data loss prevention software that detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic) and at rest (data storage).
• Assisted in the identification of duplicative, missing or outdated documentation and coordinated with policy owners to ensure that only current documents are accessible via the intranet site.
• Helped track and manage training on policies and procedures. Assisted in the development of a compliance universe and helped track compliance-related activities that mitigate identified risks.
• Lent governance-related support to other departments and management initiatives as necessary.
• Worked directly with key business stakeholders on a regularly scheduled basis to facilitate risk analysis and risk management processes, identifying acceptable levels of risk and establishing roles and responsibilities with regard to risk management.
• Advised business stakeholders on security testing methodologies and processes and recommended information assurance/security solutions to support customers' requirements.
• Evaluated IT threats and vulnerabilities to determine whether additional safeguards are needed.
• Independently developed a variety of accreditation deliverables including Infrastructure Security Plans, E-Authentication, Risk Analysis, Privacy Impact Assessments, Annual Assessments, Contingency Plans, Incident Response Plans, etc.
Information Security Analyst
Barn Allen Technologies Inc. Rockville, MD. 2017 – 2021
• Developed, reviewed and updated information system Security Policies, System Security Plans and security baselines in accordance with NIST, FISMA, OMB A-130 Appendix III and industry best security practices.
• Applied appropriate information security controls for Federal Information Systems based on NIST SP 800-37 rev 1, SP 800-53/53A, FIPS 199, FIPS 200 and OMB A-130 Appendix III.
• Performed Federal Information Security Management Act (FISMA) audit reviews using NIST SP 800-37 rev 1.
• Developed and reviewed System Security Plans (SSP), interfacing with system owners, engineers and system administrators.
• Participated in firm-wide and other department projects/initiatives as a GRC representative/subject matter expert to provide GRC guidance and interpretation of rules, regulations, risks and best practices. Created and implemented policies, procedures and training, and communicated the new policies and procedures to support these projects.
• Ensured all POA&M actions were completed and tested in a timely manner to meet agency deadlines.
• Analyzed security reports for security vulnerabilities.
• Responsible for ensuring that Security Authorization documents (System Security Plan, Security Assessment Plan, Plan of Action and Milestones (POA&M), contingency planning and artifacts) were maintained and updated in accordance with NIST guidelines.
• Developed and updated System Security Plans, Security Assessment Reports and Plans of Action and Milestones (POA&M).
• Exposed to vulnerability scanning and assessment tools such as GRC and CSAM, Nessus and HP WebInspect.
• Exposure to and understanding of GRC tool and technology implementation, risk assessments, risk metrics and dashboarding.
• Developed and conducted ST&E (Security Test and Evaluation) according to NIST SP 800-53A.
• Familiar with NIST Publications SP 800-18, SP 800-30, SP 800-37 rev 1, SP 800-53 rev 4, SP 800-53A, SP 800-60 and Federal Information Processing Standards FIPS 199 and FIPS 200.
• Monitored controls post-authorization to ensure continuous compliance with the security requirements.
• Ensured that IT computers and supporting infrastructure were validated and qualified according to IT policies, procedures and standards.
IT Security Analyst
SokoniTech LLC, Bethesda, MD (contracted to Barn Allen Technologies Inc.). April 2016 – Oct 2017
• Conducted Assessment and Accreditation (A&A), performed all continuous monitoring functions and assisted in maintaining systems' Authorization to Operate (ATO).
• Audited the compliance of security plans, contingency plans, POA&M tracking, end-user training and continuous monitoring based on the National Institute of Standards and Technology (NIST) Security Publications.
• Conducted FISMA-based security risk assessments for various government contracting organizations and application systems, including interviews, tests and inspections; produced assessment reports and recommendations; conducted out-briefings.
• Audited and provided guidance on a security program that includes Governance (A&A, Continuous Monitoring, FISMA, NIST, DOC and NOAA policies and procedures).
• Used risk management techniques to develop and complete risk assessments based on NIST standards to ensure IA design sufficiently mitigates IA risk.
• Developed and conducted security tests and evaluations based on NIST SP 800-53/53A. Uploaded and organized artifacts into the CSAM system.
• Strong documentation and communication (written and verbal) skills.
Installer II
Merchant Link, Silver Spring, MD. May 2013 – February 2016
• Transaction testing to ensure transactions are processed over the Merchant Link gateway correctly.
• Scheduling and completing the payment module installation and configuration on point-of-sale and property management systems for new sites
• Installation for all change-of-service orders when a merchant changes processors or needs other account updates.
• Performed the full installation or change of service using remote access software.
• Configured all processor and payment information, merchant IDs and settings, and verified the configuration.
• Batch Settlement Verification to validate that settlement batches are successfully clearing through the Merchant Link gateway to the acquirer
• Technical support specialist.
• Test authorizations and settlements are sent and traced in real time.
CREDENTIALS
Education
University of Maryland Global Campus (UMGC)
TBD
Candidate for Bachelor of Arts in Business Management GPA: 3.74 / 4.0, Dean's List.
CERTIFICATIONS
• CompTIA Security+ CE Certification 03/2021
• AWS Certified Cloud Practitioner 04/2021
• AWS Certified Solutions Architect – Associate 04/2021
• US Citizen
TRAINING
• IT Auditing and GRC Bootcamp 2025
• Data Security Training January 2021
• Certification and Accreditation Document Review training, March 2015
• Information Assurance Awareness training, April 2016
• Information Systems Security Awareness training 2018
• CISSP training, Cybersecurity Training Center, October 2014
SKILLS AND ATTRIBUTES
• Perform security event and incident correlation using information gathered from a variety of sources within the enterprise.
• Perform cyber incident triage to include determining scope, urgency, and potential impact; identify the specific vulnerability and make recommendations which enable expeditious remediation.
• Track cyber actions from initial detection through final resolution.
• Perform cyber engineering trend analysis and reporting.
• Detail-oriented, decisive, dedicated, committed, and inspirational.
• Accepts challenges; team player; open-minded, creative, honest, confident.
• Possesses leadership, supervision, delegation, team building, decision making, operations management, workplace safety and cross-cultural communication skills.
• Superior oral and written communication skills; desires a dynamic team environment.
• Excellent customer service skills; dedicated to achieving breakthrough results in establishing, retaining and deepening customer relationships and creating a quality experience.