
Security Controls Risk Management

Location:
Worcester, MA
Posted:
August 17, 2025


ROCKY ACHEAMPONG-SULLEY

Security Controls Assessor

**********.****@*****.*** 774-***-****

Summary of Qualifications

With over 7 years of experience, I am skilled in assessing and evaluating operational security designs, and in analyzing and mitigating risks for commercial PaaS, SaaS and application system entities using frameworks that include the NIST SP 800 series, the Risk Management Framework (RMF), Information Assurance, system monitoring, regulatory compliance and loss mitigation. Knowledge areas include FISMA compliance (categorization through continuous monitoring) and other commercial frameworks, including COBIT and FedRAMP. My knowledge of industry standards and ability to meet milestone deadlines make me a valuable addition to any organization focused on staying on top of information security matters.

Technical Skills

● Protocols & IP: BGP, OSPF, RCP, Frame Relay, DNS

● APIs & Networks: IP, LAN, WAN, ISP, AWS, SD-WAN, VXLAN, Cisco Firewalls

● Operating Systems: Windows 7, 10; Unix; Mac OS; Android OS

● Languages: SQL, HTML

● Software: Azure; WordPress; Microsoft Visio, Word, Excel, PowerPoint, Outlook, Access; Jira; ServiceNow; GRC tools (eMASS, LogicGate, Archer)

● Project Management: Slack, Microsoft Teams, Splunk

Work Experience

Maveris

Security Controls Assessor Lead, August 2024 - Present

● Manage security controls assessments including kickoff, submission of deliverables, final report, and executive briefing

● Conduct controls assessments of existing security measures and identify areas for improvement

● Lead assessment interviews and testing, and coordinate evidence requests

● Conduct audits to ensure that security controls are implemented correctly and operating effectively

● Establish policies and procedures based on industry standards and compliance objectives

● Perform security risk assessments of new technologies and third-party vendors to determine potential impact on security

● Monitor and evaluate a system's compliance with security, resilience, and dependability requirements

● Perform security reviews and identify security gaps in architecture, resulting in recommendations for inclusion in the risk management strategy

● Perform security risk analysis whenever an application or system undergoes a major change

● Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks

● Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations

● Produce quality deliverables in a timely fashion

● Prepare metrics and reports for management on the status of IT compliance objectives

● Produce documentation and diagrams as needed

● Represent the Information Security Team by participating directly with projects and providing guidance, requirements and documentation for security-related purposes when requested

● Evaluate, document and maintain standards, processes and procedures relative to security and privacy

● Provide insightful recommendations to improve security posture

Maveris

Security Controls Assessor, February 16, 2023 - Present

● Assessment and Authorization (A&A) of Federal information systems

● Development of system security plans and other required cyber security documentation for new and existing information systems

● Conduct independent comprehensive assessments of the management, operational, and technical security controls

● Assessment of control enhancements employed within, or inherited by information technology (IT) systems, to determine the overall effectiveness of the controls (as defined in NIST SP 800-37)

● Perform and evaluate continuous monitoring of Information Technology (IT) assets

● Develop risk assessments including evaluation of mitigation strategies and residual risk

● Perform other duties as assigned

Vanderbilt University Medical Center

Cybersecurity Analyst, February 2022 - December 2023

● Integral part of the Assessments and Authorizations process to include A&A, documentation, reporting and analysis requirements.

● Conduct kick-off meetings and interview meetings with the System Owner, ISSO, system administrators and various stakeholders.

● In-depth knowledge of NIST SP 800-137, 800-37, 800-30, 800-34, 800-53, and FISMA, and of reviewing SA&A/C&A packages to validate security control effectiveness.

● Develop observations, security vulnerabilities and mitigation strategies.

● Lead Security Control Assessments (SCAs).

● Knowledge of the FISMA and RMF processes and their compliance requirements, using NIST publications and standards.

● Reviewed Privacy Threshold Analyses (PTA), Privacy Impact Assessments (PIA), System of Records Notices (SORN) and SSPs.

● Experience performing FedRAMP assessments, compliance and validation.

● Develop and conduct Security Test and Evaluation (ST&E) according to NIST SP 800-53A, perform on-site security testing, and review vulnerability scan results.

● Conduct independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37).

● Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks.

● Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network.

● Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.

● Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).

● Perform security reviews and identify security gaps in security architecture, resulting in recommendations for inclusion in the risk mitigation strategy.

● Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.

Pingwind Inc. / Gen 3

Security Controls Assessor, January 2022 - November 20, 2022

● Assessment and Authorization (A&A) of Federal information systems

● Development of system security plans and other required cyber security documentation for new and existing information systems

● Conduct independent comprehensive assessments of the management, operational, and technical security controls

● Assessment of control enhancements employed within, or inherited by information technology (IT) systems, to determine the overall effectiveness of the controls (as defined in NIST SP 800-37)

● Perform and evaluate continuous monitoring of Information Technology (IT) assets

● Develop risk assessments including evaluation of mitigation strategies and residual risk

● Perform other duties as assigned

DIGITAL FEDERAL CREDIT UNION

Security Analyst, December 2017 - January 2022

● Maintained client's information security governance, risk and compliance activities to align with the NIST Risk Management Framework (RMF)

● Performed Contingency Plan Test and Training to ensure systems' recoverability as defined in IT systems security requirements

● Submitted reports of risk/audit analysis; planned, executed and reported on IT system vulnerability root causes and mitigation recommendations

● Conducted IT controls risk assessments that included reviewing organizational policies, standards and procedures, and provided advice on their adequacy, accuracy and compliance with the Payment Card Industry Data Security Standard (PCI DSS)

● Working knowledge of Windows OS, MS Office, vulnerability assessment tools (Nessus, Nmap, Wireshark), McAfee VirusScan Enterprise, SharePoint, Excel, and Archer

● Experience in conducting updates to system security plans (SSP), developing system assessment reports (SAR), and documenting assessment results by creating a requirements traceability matrix (RTM)

● Worked with team members to examine and assess security systems and develop required documentation in compliance with FISMA requirements

Education/Certifications/Clearance

EDUCATION:

Kwame Nkrumah University, Kumasi, GH (2014)

B.S. in Computer Information Science

Concentration in Cyber Security

Key Coursework:

● Applied Project Management

● Cloud Solutions

● Networking

● Linux Administration

● Service Desk Fundamentals

● Enterprise Risk Assessment & Mitigation

● Ethical Hacking

● Advanced Defense and Countermeasures

● Storage Area Networks and Disaster Recovery

● Vulnerability and Data Leak Management

CERTIFICATIONS:

● CISM

● CompTIA Security+

● MS Fundamentals

Clearance Level: Public Trust II
