
Information Security Analyst

Location:
Washington, DC
Posted:
June 24, 2025


Resume:

KOJO KYEI BADU

********@*****.***

LAUREL, MARYLAND

202-***-****

Objective

Detailed knowledge of security tools, technologies and best practices, with an emphasis on FISMA and NIST compliance. Over 9 years of experience with the Risk Management Framework (RMF) and vulnerability assessment, specializing in providing guidance and supporting security assessments and continuous monitoring for government systems (FISMA and NIST). Perform risk assessments and compliance reviews to ensure the confidentiality, integrity and availability of system resources. Organized, solutions-focused and deadline-driven; work well independently or as part of a team.

Education

University of Maryland, University College - Master of Science in Information Technology

University of Ghana - Bachelor of Arts in Political Science and Psychology

Certifications

CompTIA Security+ Certification

CISSP

Summary of Qualifications

Develop, review and update A&A artifacts (SSP, E-Authentication, SAP, CMP, SAR, ST&E, CP, POA&M, PTA and PIA), referencing the appropriate NIST Special Publications and FIPS.

Develop and conduct Security Control Assessments (SCA) according to NIST SP 800-53A.

Familiar with FISMA and NIST publications, including SP 800-60, SP 800-53 Rev. 5, SP 800-37, and FIPS 199.

Disaster Recovery

Experience analyzing Nessus vulnerability scans and working with BigFix, CSAM (web application), eMASS, and the MS Office suite.

Ability to multi-task, work independently and as part of a team, with strong analytical and quantitative skills.

Effective interpersonal and verbal/written communication skills; recognized as a collaborative team player with a tireless work ethic, an aptitude for learning new skills, and an ability to multitask while remaining committed to quality work.

Proficient with SharePoint, ServiceNow, Archer

Experience

CHEROKEE FEDERAL NOVEMBER 2023 – PRESENT

Information Systems Security Officer (ISSO)

Perform vulnerability assessments, making sure risks are assessed, evaluated, and mitigated to limit their impact on information and information systems.

Create standard templates for required A&A documents, including Risk Assessments, Security Plans, Security Assessment Plans and Reports, Contingency Plans, and Security Authorization Packages.

Monitor and prepare required actions and documents pertaining to the A&A of the system throughout its lifecycle, to include security evaluation findings and residual risks.

Conduct comprehensive reviews of security authorization documents to ensure that the appropriate NIST security controls were used during the assessments and were relevant to the confidentiality, integrity, and availability of the systems.

Review SSPs and other A&A documents for all applications to determine whether the organization's mandated procedures and tasks, such as using CSAM, are followed.

Analyze and update System Security Plans (SSP), Risk Assessments (RA), Privacy Threshold Assessments (PTA), Privacy Impact Assessments (PIA), Contingency Plans (CP), FIPS 199, Contingency Plan Tests (CPT), System Security Test and Evaluation (ST&E), Security Assessment Reports (SAR) and Plan of Actions and Milestones (POA&Ms).

Assist System Owners in preparing A&A packages for the company's IT systems, making sure that management, operational and technical security controls comply with security requirements per NIST SP 800-53 Rev. 4.

Designate systems and categorize their Confidentiality, Integrity and Availability (C.I.A.) impact levels using FIPS 199 and NIST SP 800-60.

Conduct annual self-assessments (NIST SP 800-53A).

Review and process Interconnection Security Agreements (ISAs), Policy Waivers, Approval to Test (ATT), and Interim Approval to Operate (IATO) documents.

MAXIMUM ATTAIN OCTOBER 2021 – NOVEMBER 2023

Information Systems Security Officer (ISSO)

●Analyze and update System Security Plans (SSP), Risk Assessments (RA), Privacy Threshold Assessments (PTA), Privacy Impact Assessments (PIA), Contingency Plans (CP), FIPS 199, Contingency Plan Tests (CPT), System Security Test and Evaluation (ST&E), Security Assessment Reports (SAR) and Plan of Actions and Milestones (POA&Ms).

●Assist System Owners in preparing A&A packages for the organization's IT systems, making sure that management, operational and technical security controls comply with security requirements per NIST SP 800-53 Rev. 4.

●Designate systems and categorize their Confidentiality, Integrity and Availability (C.I.A.) impact levels using FIPS 199 and NIST SP 800-60.

●Conduct annual self-assessments (NIST SP 800-53A).

●Perform vulnerability assessments, making sure risks are assessed, evaluated, and mitigated to limit their impact on information and information systems.

●Create standard templates for required A&A documents, including Risk Assessments, Security Plans, Security Assessment Plans and Reports, Contingency Plans, and Security Authorization Packages.

●Monitor and prepare required actions and documents pertaining to the A&A of the system throughout its lifecycle, to include security evaluation findings and residual risks.

●Conduct comprehensive reviews of security authorization documents to ensure that the appropriate NIST security controls were used during the assessments and were relevant to the confidentiality, integrity, and availability of the systems.

●Participated in Compliance Review Board (CRB) weekly meetings to discuss concurrence statuses of PIA documents created for various information systems.

●Review SSPs and other A&A documents for all applications to determine whether the organization's mandated procedures and tasks, such as using CSAM, are followed.

●Review and process Interconnection Security Agreements (ISAs), Policy Waivers, Approval to Test (ATT), and Interim Approval to Operate (IATO) documents.

●Familiar with vulnerability scanning and GRC/IA tools (Nessus and CSAM).

VARIQ INC

MAY 2018 – OCTOBER 2021

Security Control Assessor

●As an Assessor, focused on RMF Step 4 (Assess security controls).

●Effectively engaged in preparing for assessments, conducting assessments, and communicating assessment results.

●Coordinated, attended and participated in weekly forums for security advice and updates.

●Created Security Assessment Plans (SAP) to document assessment schedules, control families to be assessed, control tools and personnel, client’s approval for assessment, assessment approach and scope, and Rules of Engagement (ROE) if vulnerability scanning was involved.

●Used the implementation section of the System Security Plan (SSP), which describes how each control was implemented (frequency of performing the control, control type and status), to support the interview portion of the Security Testing and Evaluation (ST&E) documentation.

●Determined assessment method (examining policies and procedures, interviewing personnel and testing technical controls), using NIST SP 800-53A as a guide.

●Created a Risk Traceability Matrix (RTM) in which to document assessment results (pass/fail).

●Prepared Security Assessment Reports (SAR) in which all identified weaknesses are reported.

●Created Plans of Action and Milestones (POA&Ms) to trace corrective action and resolve weaknesses and findings.

●Set up and participated in Assessment Kick-Off meetings.

●Determined threat sources and applied security controls to reduce risk impact.

●Used POA&M tracking tools such as CSAM (Cyber Security Assessment and Management) and/or an Excel spreadsheet to make sure no POA&M item fell into delayed status.

CONDUENT JUNE 2011 – MAY 2018

Compliance Analyst

Reviewed all third-party vendors before onboarding to make sure they aligned with organizational security and data protection measures.

Served as the point of contact for audit and risk management inquiries about Service Transition's controls and activities.

Prepared reports and presentations for leaders, managers, analysts, and engineers.

Performed annual risk reassessments of all existing third-party vendors and service providers to make sure they remained in compliance with organizational security requirements.

Assisted with identifying and remediating any control deficiencies or findings.

Collaborated with other departments, such as Supply Chain and Privacy (Legal), to review redlines on contracts and manage information security controls.

Ensured third-party adherence to contractual and regulatory compliance requirements to minimize the risk of fines and reputational harm.

Reviewed and updated information on third-party security policies, processes, and data flows.

Identified improvement opportunities and control enhancements, and developed meaningful reporting metrics for senior management.

Ensured audit and risk requests were communicated to the appropriate personnel, such as subject matter experts, and tracked the progress of responses.

Developed, recommended and documented workflow adjustments to streamline processes.

REFERENCES AVAILABLE UPON REQUEST
