
Information Security Risk Management

Location:
Washington, DC
Posted:
May 02, 2025


Resume:

NORMAN STARKS

Bowie, MD

757-***-****

************@*******.***

VETERAN SENIOR CYBER ENGINEER

Results-driven IT professional with 15+ years’ experience working in cybersecurity and information assurance. Notable success planning projects, performing analyses, and implementing security initiatives. CompTIA Security+ certified with a bachelor’s degree in information technology. Adept at providing comprehensive network designs and security frameworks, and highly skilled working with network security, risk management, and multiple forms of antivirus software. Senior Cyber Engineer specializing in object-oriented analysis and design. Retired Information System Technician. Supported the information security audit and third-party assessment initiatives during planning, execution, and remediation phases, as well as coordinating and tracking remediation activities. Liaison between the audit/assessment teams and Information Security management. Served as a technical leader and trainer of many. 20 years as an advisor to multiple people in multiple divisions to incorporate one mission. Trainer of senior personnel to understand the mission requirements to complete the task.

AREAS OF EXPERTISE

Endpoint & Network Security

Designing Security Controls

Symantec Endpoint Protection

Risk Mitigation

Wireshark Software

FISMA, HIPAA and NIST

Microsoft Hyper-V Server

Security Reporting & Monitoring

Developing Security Plans

Data & Host Security

Troubleshooting Systems

Cryptography & PKI

Privacy Threat Assessment

Python, Java, HTML

TCP/IP, VPNs, DNS, DHCP

Identity & Risk Management

Third party assessment

Nessus, Retina, Tenable

EDUCATION & CERTIFICATIONS

Bachelor of Science in Information Technology Stratford University Falls Church, VA 2020 Graduate

Information Security Analyst Program ACI Learning Jacksonville, FL 2020 Graduate

Certifications: CompTIA Security+, EC-Council Certified Ethical Hacker (CEH)

In Progress: EC-Council CND and CRISC

PROFESSIONAL EXPERIENCE

Lead Information Security System Engineer (ISSE) ITC Concept Baltimore, MD 2024 – Present

The Lead ISSE Analyst undertakes an agile approach to provide proper Risk Management Framework (RMF) activities and ensure executives can make effective cyber decisions. Key responsibilities include:

Lead a team of skilled ISSE Analysts.

Creating new documentation and updating existing documentation with input from appropriate stakeholders, utilizing SSA’s GRC tool and following the appropriate steps in the Risk Management Framework. Desired artifacts include but are not limited to: Federal Information Processing Standards (FIPS) 199, Business Impact Analysis (BIA), Information System Contingency Plan (ISCP), Configuration Management Plan (CMP), and System Security Plan (SSP).

Work with stakeholders to understand and sign ATO documentation.

Supporting the ISSO to develop a standardized and detailed methodology to transition from NIST SP 800-53 Rev. 4 to NIST SP 800-53 Rev. 5 for compliance, identifying dependencies and prioritizing transition efforts.

Train ISSO team on acceleration tool use and project plan expectations.

Provide guidance outlining Common Control Provider (CCP) qualifications, and assist the ISSO team and stakeholders in updating them.

Identify CCP gaps and overlaps, while clarifying qualifications for what should be a CCP.

Update documentation to allow non-security personnel better understanding of control Inheritance selection.

Expand ISSO toolset and capabilities to keep system stakeholders engaged during the ATO process.

Escalate issues or decisions such as overdue POA&Ms, upcoming assessments, and major security changes.

Provide ISSO program refinement by recommending areas for standardization to ensure ISSO quality of services and approach for supporting stakeholders is predictable and measurable while reducing the number of single points of failure.

Independent Security Consultant Bowie, MD 2022 – 2024

Supported security risk management and NIST and ISO standards in the private sector. Utilized the Risk Management Framework six steps in accordance with the NIST publications.

Pinpointed vulnerabilities in computer systems, networks, and software programs.

Information and Technology risk taxonomy development and implementation, including development of risk appetite, key risk indicators and key performance indicators

Experience developing an enterprise risk reporting capability, and ability to coordinate information technology risk status and updates to management and Board of Directors Audit Committee

Senior Information Security Analyst Risk and Control Lead Mathematica Bowie, MD 2021 – 2022

Support Information and Technology risk taxonomy development and implementation, including development of risk appetite, key risk indicators and key performance indicators

Experience developing an enterprise risk reporting capability, and ability to coordinate information technology risk status and updates to management and Board of Directors Audit Committee

Experience leading information and technology audits and testing of security controls for design and effectiveness, and coordinating third-party security assessments such as SOC 2 and client-specific assessments; led Mathematica SOC 2 certification for two years.

Experience facilitating risk and control work; served as system admin for input and documentation of IT processes, risks, and controls in the GRC tool AuditBoard.

Experience developing and documenting security incident reporting processes and procedures. Led and provided substantial support to the development and delivery of information and technology risk training material.

Provided application support for Tripwire; researched and understood all aspects of Tripwire and its troubleshooting, and found other ways to automate practices. Also helped other teams within cybersecurity on projects dealing with Nessus vulnerability management tools, and with risk and compliance under NERC standards.

As Risk and Control Lead, provided technical expertise and served as trainer for all employees in constant cyber hygiene.

Senior Cyber Security Engineer ACI Federal Bowie, MD 2020 – 2021

Served as Connectivity Manager to connect PPSM for Cerner to the VA, DHA, and a host of other non-DoD sites; utilized the Jazz database to monitor the status of PPSM.

Analyzed information security and information assurance requirements; performed a variety of routine project tasks that applied to specialized IA problems, including integrating electronic processes or methodologies to resolve system problems.

Applied analytical and systematic approaches to troubleshoot problems of workflow, organization, and planning.

Supported security engineering personnel during the planning, design, development, testing, demonstration, and integration of information systems.

Developed cyber security standards on NIST frameworks and ensured their proper implementation to reduce the risk of vulnerability to IT assets.

Senior Security Engineer Solers, Inc. Arlington, VA 2018 – 2020

Served as the Senior Level Security Engineer responsible for ensuring adherence to NIST SP 800-53 Rev 4 security controls for a NOAA radio frequency interference monitoring system that was considered a Major Application with a High Impact Rating.

Senior Cyber Security Analyst Data System Analysts, Inc. Fairfax, VA 2016 – 2018

Worked for the Environmental Protection Agency (EPA) and served as Task Lead for 10 employees. Provided guidance for 128 systems and maintained their Authorization to Operate.

Managed the package review process for the EPA and coached all Information System owners.

Coordinated reviews, origination of all documentations, implementation of IA controls, Privacy reviews, and entry to maintain or acquire Authority to Operate.

Led a SOC team for cyber incidents and compliance with PCI DSS and the NIST framework.

Utilized the Risk Management Framework six steps in accordance with the NIST publications.

Reviewed cyber security policies, guidance, and procedures; provided comments and recommendations.

Information Cyber Security Analyst TM3 Solutions Alexandria, VA 2014 – 2016

Served as C&A Lead for 15 persons at NAVSEA Headquarters; provided guidance for all C&A efforts, to include validating IA control measures, network architecture, vulnerability scanning, and penetration testing.

Upgraded security systems by monitoring the security environment, identifying security gaps, and evaluating and implementing enhancements.

Served as NIST 800-53 IA controls examiner; provided detailed reports including data analyses of tests, scans, and assessments, mitigations, and appropriate escalation of identified risks and vulnerabilities.

Ensured that all IA controls were validated with the process of identifying and responding to risk. Utilized RSA to evaluate risk levels and tolerances.

Security Action Officer Hewlett-Packard Falls Church, VA 2010 – 2013

Utilized Xacta to handle all Marine DIACAP packages; consolidated and distributed weekly metric reports to HP leaders and government teams.

Facilitated weekly Certification Solution Review (CSR) meetings for HP Engineers, Project Managers, PMW130 personnel, Government Certification Authority, and DAA workers.

Acted as Subject Matter Expert interfacing with HP Engineering and Program Managers; provided new solutions and government accreditation requirements based on the latest STIGs.

Verified solution testing requirements and test results, and reviewed processes for USN and DIACAP solution submissions.

Senior System Staff Analyst ManTech SRS Technologies, Inc. Herndon, VA 2006 – 2010

Provided Information Assurance (IA) support within the Department of the Navy (DON) Information Technology environment at Norfolk Naval Shipyard (NNSY).

Developed and reviewed Certification and Accreditation (C&A) documentation per Department of Defense (DOD) Information Technology Security Certification and Accreditation Process (DITSCAP).

Gained master-level knowledge of DIACAP, Retina Security Scanner, DoD STIGs, DISA Gold Disk, IAVA, patch management systems, and OCRS; penetration testing included firewalls and IDS.

Evaluated and tested information systems and networks to determine compliance with IA requirements.

Worked with IA requirements defined by public laws and national, DoD, and DON guidance (e.g., Federal Information Security Management Act (FISMA), DoDD 8500.1, DoDI 8500.s, DoDI 5200.40 (DITSCAP)).
