RONY HAY

Summary

As a Senior Information Security architecture specialist I applied my knowledge, experience and expertise of business information systems to create a reference model for architecture including Security Policies, enforcement & compliance, Data Protection, Secure design & implementation, Risk assessments, Threat Modeling, Security services, Directory Services, and security management. I also applied knowledge of security architecture to develop a security framework that meets the business requirements for modularity, scalability, component re-use, and interoperability both internally and externally.

Within my responsibilities I build and sustain relationships with stakeholders whom I assist in deploying and embedding security programs and compliance in the company's business information systems. I also performed the role of an internal consultant to developers to strengthen security competency and capabilities. I develop a level of empathy for people and initiatives that have inherent risk but can be secured with the right security intervention.

I initiated and developed an Identity Management system using a role-based access-control framework addressing the requirements of all layers of the enterprise, from inception through data aggregation, data resolution and adoption. This also included the user interface, provisioning using Business Roles, and guidance to application teams through successful implementation.

As a System Analyst I have full project life cycle experience in the following areas: defining business solutions, improvement of business methodologies, System Analysis, DB Design, Data Architecture, and Data Modeling. In-depth experience in Banking, Accounting & Financial applications, Health Care, Portfolio Management, Identity Management RBAC, User Authentication & Authorization methods, and Simulation programs.
Employment Record

MEDCO
09/2003 - current
Senior Information Security Architect

In 2003 I joined the Global Security group as a Data and Security Architecture specialist. In this role I performed several key functions within the Global Security group. This includes building security competencies across people, processes, and technology. As a key member of the Global Security Group, I assist in supporting the long-term cyber security strategy, defined and implemented Medco policies from the ground up, and developed the plans for implementing key security components of that strategy. Experience in the design and oversight of projects that are designed to implement the technical and administrative controls necessary to meet compliance and Information Security best practices such as HIPAA, ISO 17799 and NIST 800-53.

As a Senior Security architecture specialist I serve as an internal information security specialist to the organization. I applied my knowledge, experience and expertise of business information systems to create a reference model for architecture including Security Policies, Security services, Directory Services, and security management. I also applied knowledge of security architecture to develop a security framework that meets the business requirements for modularity, scalability, component re-use, and interoperability both internally and externally.

Within my responsibilities I build and sustain relationships with stakeholders whom I assist in deploying and embedding security programs and compliance in the company's business information systems. I also performed the role of an internal consultant to developers to strengthen security competency and capabilities. I develop a level of empathy for people and initiatives that have inherent risk but can be secured with the right security intervention.
As a security specialist I outlined the groundwork for projects that include the following tasks:

- Develop, document, implement, and communicate an enterprise-wide information security strategy and policies
- Develop, implement and monitor security controls, processes, and policies as a result of analysis, research, and recommendations
- Develop an integrated security structure that enables a threat, risk, and protection architecture across multiple enterprise-level operating platforms
- Guide security incident response efforts and perform resolution of current or potential threats, incidents, or vulnerabilities
- Provide expertise and security direction to engineering teams to eliminate and mitigate security issues
- Identify and implement infrastructure protection goals and objectives consistent with the enterprise security strategy
- Act as a point of contact for any security and compliance efforts (PCI, SOX, and HIPAA) as they relate to technology
- Work with external and internal resources to perform security assessments and audits of the application and infrastructure portfolio
- Provide my knowledge, experience & expertise to develop and implement training and awareness programs
- Develop and implement an SDLC specifically to address the security requirements/review life cycle

The following are key projects that I was leading:
PUMA - Privilege User Monitoring & Alerting. In this project I was responsible for researching, identifying and selecting database security software that delivers a solution for preventing information leaks from DBs (DB2, Oracle, Teradata, SQL Server) and ensuring the integrity of enterprise data (Mainframe, UNIX, SUSE and Windows platforms). I conducted several PoCs (Imperva, Secerno, and IBM-Guardium). In this process I worked with Medco's attorney and with the selected vendor to finalize the contract, negotiated SOWs with the selected vendor (IBM) and implemented the product on various platforms. This process includes the following steps:

- Define the Guardium network topology
- Configure Guardium based on the enterprise's predefined plan (Privileged User, CAS, VA, PCI etc.)
- Capacity planning based on DB transaction volume
- Validate functional and performance tests to ensure customer requirements are met
- Define policies and refinements for each platform based on requirements
- Develop and fine-tune reports tailored to each platform's requirements
- Work with DBAs to set up rules that help to identify abnormal patterns of access
- Review of security exceptions (SQL errors, failed logins, etc.) with diagnostics and recommended actions
- Define data archiving, data purging and backup procedures for Guardium appliances
- Set up the compliance workflow process
- Review of user roles, security, and system usage
- Guardium SIEM integration with ArcSight (using Syslog)
Integrated Risk Management Analysis (IRMA) - This project was initiated and developed by me from the ground up. I was responsible for the definition of all information security practices including risk assessment planning, design, and implementation. I also coordinated and implemented all security policies and procedures (an implemented set of rules based on ISO 17799) necessary to ensure the safety of all corporate Electronic Information Assets (EIA) and to ensure that the user community understands and adheres to the procedures necessary to maintain security. IRMA also included a Threat Modeling component that allows security specialists to systematically identify the threats that are most likely to affect the system or the enterprise, based on risk and the potential data loss. This process includes the following steps: Create DFD, Decompose the system, Identify the threats, Document the threats, Rate the threats and potential data loss.
Identity Management (idM) - In this project I designed and implemented the Enterprise Corporate Directory based on a comprehensive strategy that establishes the direction for directory services designed specifically to support disparate systems and platforms. The Directory Services were built around Active Directory to provide a centralized platform for User Identity, User Authentication and User Authorization via Roles. This solution also includes support for OS and Web servers on Windows and non-Windows platforms.

My role also included analysis, design and development of the core infrastructure for Identity Management, data modeling, process modeling and data flow, physical topology, technical architecture and functional decomposition diagrams.
Other Responsibilities

- Work with application developers as a security architect to make sure applications are developed with security in mind (using RBAC, protecting data at rest and in transit)
- Initiate and design the Authentication and Authorization Service (AAS/AD) using Active Directory and IBM DataPower in an effort to achieve Single Sign-On (SSO)
- Consolidate, streamline and develop enterprise processes to obtain immediate efficiencies such as the New Hire, Termination and Transfer process (using IBM Tivoli)
- Develop and implement enterprise Role Based Access Control based on the RBAC conceptual design
- Develop security processes and responsibilities based on the EIA ownership framework
- Develop and implement the Electronic Information Asset (EIA) registration process
- Develop Medco Security Policies based on HIPAA security requirements

Possessing Global Information Assurance Certification (GSEC) - Gold certification (CISSP+) for Information System Security Professional, reflecting the qualifications of information systems security practitioners.
02/1998 - 09/2003
Data Administrator / Data Modeling Senior Information Engineer

Working as Data Administrator/Senior Information Engineer under the Information Planning group umbrella. As a DA I am responsible for the definition, organization, supervision, and protection of data in order to provide good quality, shareable, and accessible data throughout the enterprise. I organized, established and implemented policies and procedures to support the missions of Data Administration. To achieve the DA goals I interacted politically, diplomatically, and tactfully to sell, market, arbitrate and negotiate with upper management the Data Administration position, to implement the changes necessary to achieve a viable Data Administration program. Additionally, I organized & coordinated with Database Administrators, data custodians, managers, end users, project managers, and application developers by providing education and technical support, reviewing feedback and developing good working relationships.

My responsibilities as Data Administrator include the following:

- Evaluate new application proposals to determine feasibility and identify the potential for sharing existing data. Also help to identify and prioritize new hardware and software requirements.
- Promote education of all managers and users in the general concepts and responsibilities of successful data administration.
- Coordinate management and user participation to develop the information models and diagrams that contribute to the data architecture.
- Maintain the documentation of all components of the data architecture (conceptual, logical and physical models) through a central data/model repository (Erwin/Model Mart).
- Define, promote and develop policies on data-related activities such as data integrity, data security, data inventory, data standards, data sharing and data repository.
- Assist Database Administration with developing technical procedures such as change control, impact analysis, integrity checks, etc., for preserving the integrity and security of the data resources.
- Define the metamodel that reflects the enterprise needs (business community and developers) for the Meta-Data Repository.
- Define the requirements for a Business Process Re-engineering tool (BPR) that will be able to share information and interact with the data modeling tool and the Meta-Data Repository, using known notations such as IDEF0, IDEF3, DFD, and Use Case.
ERNST & YOUNG
11/1997 - 02/1998
Business Analyst / Data Administrator (Consultant)

As Data Administrator, I was part of a Data Warehouse initiative group designed to build a Data Support System for Ernst & Young. My role was to set up technology directions and to build the foundation for the Data Warehousing Initiative. My areas of responsibility included:

- Evaluate Meta-data Repository tools, including capturing Business Rules (Rochade, Platinum)
- Evaluate Data Transformation/Data Extraction tools (Informatica, Sagent)
- Evaluate CASE tools for Data modeling & design, including Business Process Reengineering (BPR), Entity Relationship Diagrams (ERD), Data Repository, Configuration & Change Management

Developed an overall approach for implementing the architecture incrementally, so that quick results could be gained while building the foundation for the future. Created a Data Administration group to support the firm's application development. Developed standards and practices involving gathering data requirements, database development & implementation.
CITY OF NEW YORK GOVERNMENT
2/1996 - 11/1997
Business Analyst (Consultant)

In charge of developing various systems in the areas of Payments, Real Estate & Building Management, and a Complaint & Repair System. I was responsible for the re-engineering and analysis that defined the requirements and business rules to implement a paperless office, system architectures, Data Modeling and Process Modeling using Erwin and LBMS as CASE tools in a multi C/S environment, using PowerBuilder as the development tool and MS SQL Server and Oracle as relational databases. In addition I was responsible for market research and evaluation of "off the shelf" software packages to be incorporated with the newly developed system, such as a Mapping system (GIS) and a Scheduler. This position included defining the framework, timetable and resources of the project using MS Project, Configuration management, version control, change & modification control and GUI standards.
CITIBANK FOREIGN EXCHANGE DEPARTMENT
10/1995 - 2/1996
Business Analyst (Consultant)

Working on the Global TRESTEL Project. Responsible for implementing the new version of the FX software for the Toronto office. This includes re-engineering, analysis & design based on the software & hardware requirements, and defining the milestones and timetable. I also set up and instituted Configuration Management, standards and guidelines for developing and testing, in order to monitor other global development for the same product.
DIGITAL EQUIPMENT CORPORATION
6/1995 - 9/1995
Business Analyst (Consultant)

I was a Project Leader in a re-engineering and code conversion project for a DEC customer. This includes defining the framework, timetable and resources of the project using MS Project, and defining the environment, the tools and the approach in which the project will be developed. In this project, I set up and instituted Configuration Management, standards and guidelines for developing and testing. I also had an extensive part in programming and reprogramming. The project was developed on Alpha computers using OpenVMS.

Development languages: COBOL, DECFORM

Additional employment information will be provided upon request.
Education

2004 GIAC Gold (CISSP+) - Global Information System Security Professional - SANS Institute
1981 Information Systems & Systems Analysis, Israel Institute of Productivity
1976-1979 Biology, Tel Aviv University
1974-1975 Computer Science & Programming, Management College

Leadership classes

Project Management
Building Effective Communication Skills
Facilitating for Results
Influencing Win-Win Outcomes
Charting Your Course
Write to the Top
Oral Presentation Skills
Diversity Program
Covey Time Management
Merck Medco 101
Publication

Building RBAC in Heterogeneous environment - A Methodical Approach

Email Address

****.***@*****.***