Kunle Fasalojo
********@*****.***
Professional Summary
Information System Security Officer with experience in information assurance, cybersecurity project development and management, and Assessment and Authorization (A&A). Proven experience in enterprise security risk management; adept at assessing information systems, implementing controls and identifying vulnerabilities through vulnerability management. Skilled in adhering to applicable regulatory standards and frameworks, including Security Technical Implementation Guides (STIGs), the NIST SP 800 series, FIPS 199/200, FISMA, PCI DSS, HIPAA and FedRAMP.
Key Skills
Federal security policies and standards: NIST SP 800 series, FIPS 199/200, FISMA, HIPAA and FedRAMP.
Perform security assessments and develop Security Assessment Reports (SAR).
Risk Management Framework.
Develop security authorization packages (SSP, SAR, POA&M).
Review and update SA&A/ATO packages.
Artifact review and analysis: obtain IT control testing evidence, security plans, SOPs, system screenshots and configuration settings.
Review vulnerability scans and POA&Ms.
Effective communication with technical and non-technical stakeholders.
DoD 8570 IAT Level I/II Certifications
Certified Data Privacy Solutions Engineer (CDPSE)
Certified Information Systems Auditor (CISA)
Certified Information Security Manager (CISM)
Project Management Professional (PMP)
EC-Council Certified Ethical Hacker (CEH)
CompTIA Security+ and CASP+
Experience:
Information System Security Officer, AGT Alliance Consulting Group
Department of Health and Human Services (HHS), CMS, February 2024 – January 2025
Worked closely with the SO/ISSM/ISSE on program development and implementation through Agile management processes; provided guidance, standards and oversight to SCA teams as they worked through A&A process activities and related documentation, such as system concepts of operations, system security designs, implementation plans and operational procedures; and delivered information systems security education and awareness training.
Ensured compliance with agency policies, the Federal Information Security Modernization Act (FISMA), National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, and other applicable security requirements.
Conducted security impact assessments for new systems, applications and technology integrations.
Developed and maintained System Security Plans (SSP), Security Assessment Reports (SAR), Plans of Action & Milestones (POA&M) and security authorization packages.
Performed Continuous Monitoring (ConMon) activities, including vulnerability assessments, system reviews and security audits.
Monitored and reported security incidents, ensuring compliance with agency reporting guidelines and procedures.
Identified artifacts and evidence for testing the effectiveness of technical security controls, as documented in the Security Requirements Traceability Matrix (SRTM) workbook.
Reviewed vulnerability scan analysis findings to determine residual risk or identify false positives in collaboration with stakeholders, and documented specific findings and actionable recommendations in Plans of Action & Milestones (POA&Ms).
Reviewed System Security Plans (SSP), Risk Assessments, Information System Contingency Plans (ISCP), backup Standard Operating Procedures (SOP), Incident Response Plans (IRP), Configuration Management Plans (CMP), hardware/software lists, network diagrams, data flows and system change requests for the system assessment package.
Managed external third-party audit engagements, working with System Owners (SO), Information System Security Officers (ISSO) and Information System Security Managers (ISSM), and coordinated audit rebuttals with external auditors including Accenture, EY and KPMG.
Conducted Information security and privacy awareness training programs for new employees.
Accomplishments:
Supported the Continuous Diagnostics and Mitigation (CDM) program by providing insightful incident response reporting for stakeholders and autonomously led program execution, creating documented project plans, setting clear expectations, and maintaining schedules.
Reported FISMA and OIG audit findings with data-driven insights.
Championed human behavior education for cybersecurity awareness training.
Information System Security Officer, CenterPoint, March 2022 – January 2024
Specialist, Health and Human Services contractor, FISMA Assessment & Authorization
Ensured the organization's systems and operational cybersecurity posture were maintained to provide confidentiality, integrity and availability of information systems; kept security documentation current, including the SIA, SSP, POA&M, Configuration Management Plan and vulnerability reports.
Participated in planning and management of all phases of the Risk Management Framework (RMF) Security Assessment and Authorization (SA&A) process.
Advised system owners on all matters, technical and otherwise, involving the security of assigned IT systems.
In coordination with the SO team, developed standard operating procedures in accordance with security control requirements.
Performed continuous monitoring of implemented security controls to ensure they were implemented correctly, operating as intended and producing the desired outcome with respect to the cybersecurity requirements of assigned IT systems. Continuous monitoring activities included:
o Maintaining the current ATO
o Conducting periodic system self-assessments
o Conducting periodic scans
o Conducting log reviews
Ensured proper sanitization of media prior to disposal.
Collaborated with technical teams to mitigate security control deficiencies and vulnerabilities identified by scans for assigned IT systems.
Assessed the cybersecurity impact of changes to assigned IT systems and documented findings in a Security Impact Analysis (SIA) report.
Conducted assessments of security controls, identified weaknesses and tracked remediation activities in the POA&M.
Managed the Plan of Action and Milestones (POA&M) process for designated IT systems to provide timely detection, identification and alerting of non-compliance issues. In coordination with System Owner staff, created POA&Ms or remediation plans for vulnerabilities identified during risk assessments, audits and inspections.
Delivered information systems security education and awareness.
Accomplishments
Led gap analysis between NIST SP 800-53 Rev. 4 and NIST SP 800-53 Rev. 5.
Managed the POA&M backlog, transitioning to risk-based assessments to avoid overdue ATO extensions.
Implemented key initiatives to automate the assessment process and documentation management using SIEM, Jira, SharePoint and RSA Archer. Managed thirty-five agency- and contractor-owned systems, completing ATOs within the required time limits.
Information System Security Officer, OptumServe Technology, Sept 2020 – March 2022
OnePI, Department of Health and Human Services, Centers for Medicare & Medicaid Services (CMS)
Developed, updated and/or reviewed RMF documentation, including the System Security Plan (SSP), Security Control Traceability Matrix (SCTM), Plan of Action and Milestones (POA&M), Risk Assessment Report (RAR) and Security Assessment Plan (SAP).
Performed Security Assessment & Authorization (SA&A) as part of NIST SP 800-37 Risk Management Framework (RMF) system and application accreditation.
Prepared vulnerability scanning test plans, coordinated testing and conducted scans using Nessus.
Evaluated assigned information systems' security control compliance with federal requirements and the client's monitoring strategy.
Coordinated with the agency to achieve and maintain the information systems' compliance and Authorization to Operate (ATO).
Performed annual assessments to ensure compliance with the client’s policies and standards.
Ensured systems are operated, maintained, and disposed of in accordance with policies outlined in the approved security authorization package.
Served as a member of the Configuration Control Board (CCB) to ensure configuration management for cybersecurity-relevant software, hardware and firmware was maintained and documented.
Ensured information system security requirements were addressed during all phases of the information system lifecycle.
Established audit trails and ensured audit logs were reviewed in accordance with agency component policies.
Generated and interpreted the documentation needed to address items detailed within the GRC tool.
Collaborated within a team environment to provide technical guidance on adhering to regulatory requirements, cybersecurity industry best practices and the agency's monitoring strategy.
Analyzed identified vulnerabilities and their potential for exploitation, and effectively presented results and guidance derived from scans to system owners and stakeholders.
Supported the integration/testing, operations and maintenance phases of system security assessments.
Developed, updated and maintained internal Standard Operating Procedures (SOPs) for all agency-owned and external contractor-owned systems.
Developed and delivered information systems security education and awareness.
Accomplishments
Led team kickoff meetings for assigned assessment engagements.
Managed and ensured assessments were effectively executed.
Provided technical guidance to the team to ensure requested SSPs, associated policies and artifacts were available for assessments.
Information System Security Officer (ISSO)
Optum Serve Technology Services (OSTS) / Quality Software Services Inc. (QSSI), Oct 2018 – Aug 2020
Served as the Information Systems Security Officer (ISSO) for assigned agency and contractor owned systems.
Supported the development and maintenance of cybersecurity documentation, including System Security Plans (SSPs), Risk Assessments, and POA&Ms.
Coordinated and collaborated with technical and operations teams to ensure security controls were implemented effectively.
Collaborated with Security Control Assessors in achieving and sustaining ATOs for systems by working closely with northern-based cybersecurity and compliance teams.
Conducted continuous monitoring activities, vulnerability management, and incident response support.
Maintained all applicable security policies, procedures, SOPs and tools to sustain annual ATO re-assessments.
Delivered information systems security education and awareness.
Information Security Analyst, Quality Software Services Inc. (QSSI), One Program Integrity (OnePI), CMS, June 2013 – Sept 2018
Ensured secure operation of the agency's information systems and collaborated with internal and external assessors to ensure information security measures complied with the security policies and practices outlined in NIST SP 800-53, the agency Classified Information Security Program, and agency Information Technology Systems Security directives.
Worked closely with system owners to validate and authorize user accounts, ensuring that access is granted only to eligible individuals with a genuine need for the system.
Maintained, generated and updated various security documentation, including:
o Federal Information Processing Standard Publication 199 (FIPS 199) forms
o System Security Plans (SSPs)
o Contingency Plans and Configuration Management Plans
o Incident Response Plans and Plans of Action & Milestones (POA&M)
o Business Impact Analyses (BIA) and Privacy Impact Assessments (PIA)
o System-level policy and procedure documentation
o System component inventory records
Managed incident handling of agency security incidents according to the NIST Computer Security Incident Handling Guide (SP 800-61). Ensured that audit trails were regularly reviewed and retained for the durations specified in the SSP.
Managed agency data calls, promptly responding to requests from the Office of Inspector General (OIG) or Contracting Officer's Representatives (COR) by providing the necessary security artifacts and information.
Managed annual tabletop exercises, participated in annual Contingency Plan and Incident Response Plan testing, and documented lessons learned from these activities.
Conducted monthly ConMon meetings with the agency government Point of Contact to discuss monthly vulnerabilities and remediation plans.
Frameworks, Technology & Tools
Regulatory & Privacy Compliance Frameworks: NIST CSF, ISO 27001, CIS, NIST SP 800-37, NIST SP 800-53 Rev. 5, DFARS, PCI DSS, HITECH, HIPAA, GDPR, HITRUST, NIST SP 800-171, MITRE ATT&CK, CMMC and NIST Privacy Framework.
ISO/IEC 20000, ISO 9000, ISO 27001:2013, ISO 22301, ISO 20000-1:2018, SOC 2, COBIT, COSO, FedRAMP (cloud), Security Technical Implementation Guides (STIGs) and Security Content Automation Protocol (SCAP) Compliance Checker (SCC).
Security Tools: Splunk Cloud, CrowdStrike, Check Point, Synack and Zscaler.
GRC, Inventory & Change Control: Archer, ServiceNow, Qualys, Burp Suite, CSAM, Nessus, Jira, Kanban.
Microsoft Office 365: Word, Excel, PowerPoint, Visio and Teams.
Education
Bachelor of Arts, Economics & Politics, School of Business, Lancaster University, Lancaster, United Kingdom.
Master of Engineering, Cybersecurity Engineering Policy & Compliance, School of Engineering & Applied Science, George Washington University.
Acronyms
CIO - Chief Information Officer
CISO - Chief Information Security Officer
CDO - Chief Data Officer
SCA - Security Control Assessor
ISSO - Information System Security Officer
ISSE - Information System Security Engineer
ISSM - Information System Security Manager
*All of these roles are referred to as stakeholders in this resume.