Cyber Security Risk Management

Location:
Hyattsville, MD
Posted:
May 07, 2025

Resume:

Benard Ambe Chumboh

***** ****** **** ** #*** BELTSVILLE MD 20705

240-***-****

**************@*****.***

I am a Cyber Security Professional with over 10 years of IT experience seeking a job in an organization that will utilize my knowledge, skills, and experience in assessing and implementing the Risk Management Framework on systems and maintaining their ATO.

BACHELOR’S IN COMPUTER SCIENCE. CURRENTLY PURSUING MASTER’S IN CYBERSECURITY FROM COLORADO STATE UNIVERSITY GLOBAL.

CERTIFICATIONS:

CompTIA Security+, ACAS Certified, eMASS Certified, Endpoint Security Solution Certified.

AREAS OF EXPERTISE

Knowledgeable in NIST/FISMA requirements and DoD Instructions: NIST 800-37 rev 4/5, NIST 800-53 rev 4, NIST 800-53A, FIPS 199, FIPS 200, DoD Instruction 8510.01, ISO 27001, HIPAA.

Experience in SEC 501 (Advanced Security Essentials-Enterprise Defender).

Experienced in vulnerability management and compliance regulations.

Experienced in POA&M management.

Excellent communication and troubleshooting skills.

Experience performing all the steps of the RMF process.

Strong problem solving and analytical skills needed for effective product delivery.

Ability to adapt in a fast-paced and time-sensitive environment.

Ability to communicate well, both orally and in writing.

Accurately completing projects on time while meeting scope and budget.

Efficient communication with teammates and management.

Ability to lead teams successfully.

Extremely dependable in completing projects accurately and on time.

Team Leadership, Budget Planning, Business Process Analysis/Improvement

Regulatory Compliance, Marketing Strategy, Staff Training & Development/Empowerment

Nessus, ACAS by Tenable, Nagios, SCAP, STIG Viewer, Splunk, ServiceNow, Jira, ESS 201, 301, 501, Exacta and eMASS

PROFESSIONAL EXPERIENCE

GRAY TIER TECHNOLOGIES JAN 2022 To Present.

2800 Eisenhower Ave, Suite 220, Alexandria, VA 22314.

Security Control Assessor-Representative (SCA-R), Cyber Compliance Branch (JP222) at the Pentagon VA.

I work as a subcontractor supporting the Joint Service Provider (JSP) and Defense Information Systems Agency (DISA) in their assessment and authorization decision process, collaborating with ISSOs, ISSMs and Branch Chiefs.

I perform Control Validations and Risk Assessments for enterprise and enclave Assess and Authorize (A&A) and Assess Only (AO) packages for both NIPRNet and SIPRNet, ranging from 12 to 15 systems. I conduct assessments for regular ATO packages, Extensions, Re-Categorizations and Change Requests.

Conduct security assessment on assigned systems to ensure FISMA compliance following NIST SP 800-53 rev 4, NIST 800-53A, and FIPS.

Collaborate with the ISSO to draft and manage POA&M for authorized systems with appropriate scheduled completion dates and track findings until closure.

Experience writing assessment reports, assessment plans, assessment procedures, and assessment schedules to ensure that system controls are assessed on time to obtain ATOs.

Coordinate with project leads on planning time, prioritizing tasks, and using assigned resources.

I collaborate with security teams, system owners, and stakeholders, providing briefings to leadership on security posture and risk exposure.

Review technical, operational and management security controls per the NIST 800-53A requirements.

Evaluating and/or creating System Security Plans (SSP), Contingency Disaster Recovery Plans (CDRP), Risk Assessment Reports (RAR), Security Assessment Reports (SAR) and Executive Summaries.

Experienced in assessing information system controls on various platforms and devices, including Windows, PLC, DCS, Linux, UNIX operating systems, SCADA, databases and network devices.

Automate my Risk Assessment and Authorization processes by using the eMASS GRC tool.

I use Splunk in my environment during Risk assessments to get accurate data and compare with what I have on eMASS.

Kupono Government Services - PMRF, Kekaha, Hawaii JAN 2021 - JAN 2022

ISSO - Information System Security Officer.

Work very closely with the System Owner to categorize multiple systems, select, and implement security controls to address control requirements per NIST and FIPS requirements, using the eMASS GRC tool for automation.

Experience with SEC 501, securing enterprise environment against security threats.

Conduct ACAS scans for different FISMA systems (high, moderate, and low).

Review security STIGs to categorize and track comments and share with other stakeholders, verify if servers and domain controllers have the updated versions, and participate in discussions related to the STIG.

Create and manage POA&Ms for identified system vulnerabilities and track findings to ensure that they are remediated and closed.

Experience reviewing security artifacts including, but not limited to, System Security Plans, inventories, screenshots of technical files, scan data, requirement traceability matrices, control allocation tables, and security assessment reports.

Update cyber security policies to ensure compliance with FISMA, NIST and organizational requirements.

Experience writing assessment reports, assessment plans, assessment procedures, and assessment schedules to ensure that system controls are assessed on time to obtain ATOs.

Experience with Endpoint Security Solution (ESS) to protect endpoints such as laptops, mobile devices, and desktops from cybersecurity threats.

Knowledgeable in network configurations and in hardening systems by setting up firewalls, changing ports, and deleting and disabling unused accounts.

Splunk helps me document Incident Response (IR) and submit System Change Requests (SCRs) and Network Service Requests (NSRs). I use Splunk to get detailed logs and reporting during an incident investigation.

Conduct security assessment on assigned systems to ensure FISMA compliance following NIST SP 800-53 rev 4, NIST 800-53A, and FIPS.

Use SCAP to assess the security compliance of computer systems, software, and configurations.

Experience creating baselines manually using COTS vendor recommendations.

Fobeteh Consulting LLC MD FEB 2018 - JAN 2021

Information System Security Officer (ISSO)

Open and close POA&Ms for identified vulnerabilities. Create ATO packages for multiple systems, including the SSP, SAR and POA&Ms.

Select security controls based on the category of the system from the NIST 800-53 control catalog, and write implementation statements to address control requirements.

Manage temporary ATOs due to unforeseen contingencies realized during assessments, leading to the creation of open POA&Ms to track and remediate critical and high vulnerabilities before a 3-year ATO can be granted.

Work as a team with co-workers to ensure that deliverables are completed with the highest quality and submitted on time as required by FISMA.

Conduct ACAS scans for different FISMA systems (high, moderate, and low).

Review security STIGs to categorize and track comments and share with other stakeholders, verify if servers and domain controllers have the updated versions, and participate in discussions related to the STIG.

I use Splunk for continuous monitoring of system logs, events, and activities. This helps me identify potential risks as they emerge, such as anomalies, suspicious activities, or system vulnerabilities.

Collect, analyze, and put together security event data from sources to have a comprehensive view of the security posture of the organization using McAfee Enterprise Security and Splunk.

Use SCAP to assess the security compliance of computer systems, software, and configurations.

Draft tickets using ServiceNow and Jira for events that are suspicious or non-compliant, and route them to the SOC team for further analysis.

Review A&A package items using NIST guidance for FISMA compliance such as the System FIPS 199 Categorization, e-Authentication Assessment, PTA, PIA, Contingency Plan (CP) and Contingency Plan Test (CPT).

Draft and review security artifacts including, but not limited to, System Security Plans, inventories, security control traceability matrices, control allocation tables and security assessment reports.

Experience writing assessment reports, assessment plans, assessment procedures, and assessment schedules to ensure that system controls are assessed on time to obtain ATOs.

Perform system risk management following the NIST Risk Management Framework. Conduct regular assessments of assigned systems to ensure renewal of system ATOs.

Utilize Zero Trust Security to strengthen the identification and authentication process.

Experience with IAM systems.

Tar Technologies LLC DC JUNE 2016 - FEB 2018

Security Control Assessor

Schedule assessment kick-off meetings, and Security Control Interview meetings with the ISSO, System Owners and stakeholders.

Conduct security assessment on assigned systems to ensure FISMA compliance following NIST SP 800-53 rev 4, NIST 800-53A, and FIPS.

Evaluate security controls on information system platforms that include Windows, Linux, UNIX, databases and networks.

Draft and review security artifacts including, but not limited to, System Security Plans, inventories, security control traceability matrices, control allocation tables and security assessment reports.

Experience managing extended ATOs due to exceptions and waivers ignited by open POA&Ms.

Evaluating and/or creating System Security Plans (SSP), Contingency Disaster Recovery Plans (CDRP), Risk Assessment Reports (RAR), Security Assessment Reports (SAR) and Executive Summaries.

Use SCAP to assess the security compliance of computer systems, software, and configurations.

Upload SAR into eMASS to support the authorization decision.

Create Requirement Traceability Matrices (RTM) and document whether assessed controls passed or failed, using NIST SP 800-53A as a guide.

Support higher-level employees in research, examinations, investigations, audits, and inspections of security controls for compliance with the NIST SP 800 series.

Review work of peers to ensure timeliness and quality of work. Support the work of other employees.

Create common SharePoint on Jira where stakeholders and engineers can upload documents to validate controls and other requirements.

Acethia LLC Brookeville MD JAN 2014 - JUNE 2016

Information Security Analyst.

Thoroughly read and review information system documents like System Security Plans (SSP), Security Assessment Reports (SAR) and Executive Summaries to ensure FISMA compliance.

Worked in a cross-functional environment assisting teams in identifying and removing any impediments and roadblocks that disrupt the progress of their work, and assisting teams to move from waterfall to Agile. I also assisted teams.

Experience in time planning, prioritizing tasks, and managing resources to ensure effective delivery.

Work with a team of assessors to ensure that Technical, Operational, and Management security controls are correctly implemented, operating as intended, and meeting security requirements.

Support the continuous monitoring strategy and assist the help desk with managing tickets using ServiceNow.

Collaborate with the assessment teams to create and finalize Security Assessment Reports (SAR) and give recommendations to ISSO on how to mitigate or remediate reported weaknesses and vulnerabilities.

Experience utilizing PCI DSS guide on systems that store credit card information by defining how personal information such as credit card is stored.

Experience with Active Directory.

Worked as a Linux System Administrator monitoring network traffic and storage using the Nagios open-source tool. I also install and configure the DNS server for forward and reverse lookup. Review log files using Splunk.

Knowledgeable in Active Directory, creating user accounts and groups.

REFERENCES AVAILABLE UPON REQUEST
