AUDREY L. FLEMING
Lanham, MD **706
301-***-**** – Home or 240-***-**** – Cellular
*********@***.***
EXPERIENCE SUMMARY
• 28 years of Information Systems Security experience
• 28 years of software evaluation experience
• 28 years of information systems security risk assessment experience
• 28 years of Mainframe support
• 28 years of Security Policies and Procedures
• 16 years of Security Test & Evaluation (ST&E) experience
• 28 years of Security Awareness Training/Planning experience
• 15 years of Disaster Recovery Planning (DRP)/COOP
• 28 years of Technical Writing
• 7 years of Tivoli
• 2 years of Tivoli Access Management (TAM)
• 16 years of Oracle
• 4 years of TCP/IP
• 8 years of System Life Cycle Development documentation (SLCD)
• 8 years of Checkpoint (Firewalls)
• 8 years of Standard Operating Procedures documentation (SOP)
• 5 years of RISKA
• 5 years of RISK WATCH
• 2 years of Common Criteria Security Evaluation
• 3 years Clear Case
• 3 years Clear Quest
• 2 years Webhosting Risk Assessment/Analysis
• 3 years of H.E.A.T (CSC Vulnerability Scanning Tool)
• 7 years of UNIX/LAN WAN Mainframe risk assessment experience
• 2 years of Security Computer Incident Response (CIRT)
• 9 years National Institute Standards & Technology (NIST SP800 series)
• 9 years FIPS
• 10 years Privacy Information Act (PIA)
• 1 year HSPD-12
• 10 years FISMA
• 9 years OMB A-130
• 9 years NIST SP-800 Series
• Freedom of Information Act (FIOA)
• 15 years of NSA (Orange Book – Rainbow Series)
• 7 years of Internal Revenue Service’s Internal Revenue Manuals (IRM)
• 7 years of Internal Revenue Service’s Law Enforcement Manual (LEM)
• 1 year DHS 4300A Sensitive Security Guidelines
• 1 year DHS Risk Management System (RMS) Tool
• 1 year CBP 1400-05C Information Systems Security Policies and Procedures Handbook
EDUCATION
Information Systems, University of Maryland, College Park, MD
Business Marketing, Virginia Commonwealth University, Richmond, VA.
Business, Richmond Technical Institute, Richmond, VA.
Accounting, Smith Dale Massey Business College, Richmond, VA.
Presently hold a SECRET Clearance for the Department of Homeland Security- March, 2009
CERTIFICATION AND ACCREDITATION COURSES
• Certified Information Systems Security Professional (CISSP)
• Common Criteria Information Technology Security Evaluation
• INFOSEC Assessment Methodology (IAM) Certification
• Security Posture Assessment for DOD
• Risk Management Scenario Evaluation
• INFOSEC Assessment Process Evaluation
• DISTCAP Certification & Accreditation Process
• GISRA Certification & Accreditation (IATFF)
• Federal Information Systems Certification and Accreditation (FISCAM)
• Guidelines to Understanding OMB Circular A-130 & NIST Publications
• ISO 20000 Certification (July, 2006)
PROFESSIONAL EXPERIENCE
Sr. Information Systems Security Manager Jan 2009 – Present
Computer Sciences Corporation, Annapolis Junction, MD
• Assigned to DHS to manage development of documentation, and presentation of information system security education, awareness, and training activities for facility management, information system personnel, users and others, as appropriate.
• Oversees identification and documentation of unique local threats/vulnerabilities to information system.
• Manages coordination of the facility information system security program with other facility security programs.
• Oversees periodic self-inspections of the facility's information system program are conducted as part of the overall facility self-inspection program and that corrective action is taken for all identified findings and vulnerabilities.
• Manages development of facility procedures to govern marking, handling, controlling, removing, transporting, sanitizing, reusing, and destroying media and equipment containing classified information.
• Manages reports of information system security incidents. Follows up to ensure that proper protection or corrective measures have been taken when an incident/vulnerability has been discovered.
• Oversees implementation of vendor supplied authentication (password, account names) features or security relevant features.
• Oversees implementation of security features for the detection of malicious code, viruses, and intruders (hackers), as appropriate.
• Develops and implements specific and remote maintenance procedures based on requirements provided by the CSA.
• Oversees selection, hiring, training, and evaluation of employees to enhance their performance, development, and work product. Addresses performance issues and makes recommendations for personnel actions. Motivates and rewards employees including providing salary increases, bonuses and promotions within allocated budgets and company guidelines.
• Oversees preparation and recommendation of operating and personnel budgets for approval. Monitors spending for adherence to budget, recommends variances as necessary.
Information Systems Security Manager July 2008 – Jan 2009
Computer Sciences Corporation, Bethesda, MD
• Assigned to National Institute of Health (NIH) to develop and write Certification and Accreditation documentation. Performed ST&E independent evaluations, and conducted annual security reviews in accordance with Special Publication 800-53a, FIPS 199, FISMA, and other NIST guidance.
• Developed and tracked corrective actions for audit findings and managed the POA&M reporting process for the agency.
• Developed and tested disaster recovery / contingency plans and continuity of operation plans for IT systems.
• Developed, analyzed, and administered the entity-wide Security Planning using the existing documentation, industry standards and federal government legislation.
• Designed, implemented, documented, and evaluated government computer security programs.
• Developed government security policy documentation.
• Developed and documented Systems and Infrastructure Security Plans.
• Developed and evaluated plans, principles, and procedures for accomplishing customer IT security studies and provided professional analysis of methods and objectives.
Assisted in the collection and presentation of security documentation in response to audit requirements.
• Developed and analyzed IT security models, and maintained methodology to track Security Plans for each sensitive/critical major application and general support system within the organization.
• Evaluated and analyzed the critical technology processing needs of the related services.
Senior C&A Security Technical Team Lead
General Dynamics AIS, Fairfax, VA Sep 2007 –Jul 2008
• Assigned to United States Capitol Police responsible for coordinating the completion of security group related projects, including security program development (policy and procedures) and certification and accreditation tasks.
• Provided project management level guidance to security group members. Develop and write Information Assurance C&A Documentation such as: System Security Plans (SSP and SSAA), Security Concept of Operations (SCONOPS) documents, System Test and Evaluation Plans and Reports, Security White Papers, Risk Assessments, Vulnerability Reports, POA&M Reports, Security User Guides.
• Performed security engineering analysis, risk analysis, and vulnerability studies on systems and applications under development.
• Conducted network scans, Information Assurance tests, regression tests, and functional security software tests.
• Consulted with customer to identify and mitigate risks or flaws in designs and operational systems.
• Designed and provided guidance for security audit and monitoring functionality.
• Assessed and updated the government-furnished Disaster Recovery (DR) Plan
• Conducted semi-annual Disaster Recovery (DR) testing of existing DR IT infrastructure
and document DR test results \
• Provided an update of the disaster recovery (DR) strategy for the IT infrastructure
• Maintained existing equipment at COOP facilities for readiness including operational
setups for scenario activities \
• Participated in semi-annual COOP readiness exercises in accordance with pre established
standard operating procedures and within pre established service levels.
Senior C&A Security Technical Team Lead
Computer Sciences Corporation, Fairfax, VA May 2007 – Sep 2007
• Assigned to Veterans Affairs to provide daily analytical and program management support to senior level government executives.
• Responsible for overseeing event preparation and correspondence support for key industry events.
• Led the development of responses to congressional requests.
• Assisted in creation and modification of government credentialing and identity management policies (HSPD-12).
• Supported change/transformation efforts (i.e., Gap analysis, stakeholder interviews, situational reports, etc) for large federal government programs.
• Coordinated responses to technical specification and guidance documents related to credentialing and identity management.
• Provided statistical (descriptive) analysis as required.
• Provided ad hoc reporting to senior officials as required.
• Led projects as required.
Senior Information Security, Principal
CACI, Chantilly, VA Mar 2006 – May 2007
• Assigned to US Customs and Border Protection as expert consultant in all aspects of information security.
• Prepared in-depth studies and analyses.
• Performed independent work in support of a customer either on site or off site.
• Led C&A projects and provided expert level knowledge to IT systems security and related areas, such as IT systems vulnerability assessments, penetration testing, system security policies and procedures and security protective mechanisms (e.g. firewalls, IDS and VPN.) Documented, analyzed, registered reviews and submitted C&A packages in accordance with relevant C&A processes described in NIST and OMB documentation and client's specific requirements.
• Kept abreast with CMMI Level 3, Open Source Security Testing Methodology Manual (OSSTMM), penetration and vulnerability testing techniques and use of scanning tools such as NESSUS and RETINA in functionality.
• Provided guidance to less experienced systems personnel. Specific requirements include project level coordination of DCID6/3 C&A tasks; Penetration testing, scheduling and identification of resources for upcoming tasks, creation and review of C&A packages, scheduled submissions of all C&A deliverables including SSP, Risk Assessment and Risk Mitigation Plan, COOP, ST&E , FIPS 199, FISMA and others.
• Consulted with the head of Information Security, business development and infrastructure teams to assure application of security principles and mediation of risk associated with new technologies, operating platforms and application systems.
• Developed and implemented security architectures for identity management, authentication, access control, authorization and accounting systems that meet requirements for security, performance, and integration.
• Assisted in implementation and ongoing review of information security program strategy, policy, and processes; provide operational oversight for information security team activities.
Senior Security Engineer (Part-Time)
M-Cubed, Silver Spring, MD Jun 2006 – Aug 2006
• Assigned to Financial Management Services (FMS) in the leadership skills in delivering IA services to the client.
• Motivated, educated and developed junior team members to become the best IA consultants possible.
• Performed as a primary client relationship interface.
• Developed a mature client relationship to ensure client satisfaction.
• Led the delivery of C&A services in accordance with existing security policies and directives.
• Performed IA analysis, security requirements development, risk assessments, vulnerability analyses, network auditing, vulnerability scanning, and security test and evaluation and provided analysis to support IA policy development.
• Used government regulations, including the NIST 800 series, FIPS 199,OMB-130, FISMA, and Common Criteria and experience with various technologies, including networks, applications, and operating systems, to provide expert guidance on resilient process and engineering improvement.
• Created and maintained all SAP users across system landscape.
• Prepared security reports and provide security information as needed during audits and an ongoing basis.
• Created and updated documentation for systems and system procedures.
• Created and executed testing and deployment plans.
• Ensured timely resolutions of second-level help desk cases.
• Adhered to Corporate, departmental, and team policies and procedures.
Senior Lead Analyst/ Assistant PM
Computer Sciences Corporation, Lanham, MD Aug 2005 – Mar 2006
• Managed a three person Security Team in conducting Certification and Accreditation Processes based on NIST Pub standard for the Dept. of Nuclear Regulatory Commission Office.
• Researched security best practices to advise IT Security Officer of recommended IT security trends.
• Developed security policies, procedures and standards based on NIST special publications and in response to OIG audit recommendations.
• Maintained a process for planning, implementing, evaluating, and documenting deficiencies in security policies, procedures and standards.
• Developed and reviewed security documentation in support of Certification and Accreditation of information systems.
• Conducted risk assessments of planned and operational information systems to identify vulnerabilities, risks and security controls needed.
• Developed contingency plans and disaster recovery procedures.
• Analyzed new regulations and NIST Special Publications to advise IT Security Officer and Branch Chief of required modifications to security program.
• Analyzed audit findings and advised IT Security Officer of recommendations for closure.
• Conducted annual security self-assessments of Information systems using NIST Special Publication 800-27.
• Conducted Monthly Password cracking test and reporting.
• Maintained and developed POAMS.
• Provided Computer and Network Security Assistance as required.
• Completed monthly reports such as Configuration Management and It Security Training.
• Implemented and tested Firewall system on all systems and laptops.
• Utilized knowledge and skills of security legislation, OMB regulations and Bulletins, NIST publications, FIPS, FISMA, ISO/IEC 17799 series, NIACAP pertaining to security guidelines for information technology systems.
• Utilized Software development and integration techniques, tools, and methodologies.
• Analyzed systems requirements and design specifications.
• Developed and translated detailed design into computer software.
• Prepared required documentation, including project plans, software program, and user documentation.
• Developed Systems guides, Test Plans, modified code based on feedback from requirements analysis.
• Conducted software impact analysis and reported results to RA.
• Developed and documented implementation plans.
Certification & Accreditation Team Lead
Lockheed Martin, Lanham, MD Jan 2005 – Aug 2005
• Assigned to CMS office of the CISO to lead vulnerability management, network traffic monitoring and event correlation, log analysis, risk management, information security policy development and review.
• Led the certification and accreditation activities, audit support, network and systems security architectural reviews, and risk assessments.
• Evaluated and recommended the acquisition of IT security tools, and monitored the information security industry to keep the CMS CISO apprised of newly evolving information security topics and technologies.
• Monitored security advisory groups and vulnerability databases for alerts, patch updates and preventative measures.
Senior Computer Scientist
Computer Sciences Corporation, Lanham, MD Sep 2002 – Jan 2005
• Assigned to the Internal Revenue Service’s (IRS) Modernization Project to perform system life cycle security analysis to include design, development, evaluation, risk management, and testing of secure information systems.
• Coordinated with senior representatives to establish and define programs, resources, schedules, and risks.
• Provided Independent Verification & Validation (IV&V) testing applied expertise to highly sensitive government systems and networks requiring specialized security features and procedures.
• Deployed testing of mainframes, Webhosting, UNIX and Win2K, LAN/WAN systems that included security system patching.
• Configured security software tools to assist to tailor the parameters of TCP/IP to the specific applications requirements and environment of the IRS.
• Tested application software (i.e., such as, Tivoli Access Management (TAM) before it was moved into production.
• Maintained, researched and wrote system documentation for Enterprise Life Cycle (ELC).
• Set up the test environment according to the requirements being addressed; coordinating with developers to track changes to the design and/or functionality of the system and made preparation for testing such as conducting Test Readiness Reviews, writing test plan, writing test cases, writing and executing test scripts, and, at the end of testing, writing the test report; monitor requirement changes and update accordingly, and developed requirements trace ability metrics.
• Worked for IT&D, testing systems such as CADE, IFS single sign-on, MEF single sign-on, EFTU, various component upgrades, Employee Registration.
• Worked with the C&A team assisting in the preparation of C&A documentation.
Senior Subject Matter Expert
Computer Sciences Corporation, Camp Springs, MD Apr 2002 – Sep 2002
• Team Lead for Compliance Level Reviews for General Support Systems and Major Applications of the Information Technology at the Department of Commerce (DOC) and its Operating Units (OU), NOAA, Census Bureau, and PTO. Compliance Level Reviews are consistent of entity wide program security plan and system level compliance review through various methodologies and technical approaches.
• Approaches include: risk assessments (using Risk Watch) review of network architectures of operating unit, Network penetration testing, Social Engineering, Certification and Accreditation (C&A) of new/existing systems, Security reviews and corrective actions, System Development Life Cycle (SDLC), Audits of logs and processes, Physical and logical Access Control (AC), Development and implementation of security policy, Network Incident detection and reporting, Security awareness training, System Quality Assurance, and assist with Network contingency plans.
Senior Information Technology Security Analyst
General Dynamics, Inc., Fairfax, VA Jul 2001 – Apr 2002
• Designed, developed, and implemented new security programs, security policies and procedures, and related operations to ensure Federal Highway Administration (FHWA) compliance with Government-wide information system security standards, regulations, and protocols, including NIST, OMB-A130, Clinger Cohen, and the Government Information Security Reform Act (GISRA).
• Conducted risk assessments on General Support Systems and Major Application (i.e., mainframe, Solaris, and UNIX). Before the initial risk assessment, wrote the work plan for all operating systems/applications that are to be certified.
• After the risk assessment(s) had been conducted, wrote the certification documentation, which included the risk assessment report, the information systems security plan, the risk mitigation report, the disaster recovery plan, the configuration management plan, the privacy impact assessment plan, and the continuity of operations plan.
• Once these documents were written and approved by the Security Program Office to meet the C&A process, conducted a Security Test and Evaluation (ST&E) for the operating system/application.
• Met with the customer’s Designated Approving Authority (DAA) to finalize the C&A process, while gathering information to conduct other risk assessments.
• Responded to OIG Audit reports of systems that met and did not meet C&A requirements.
Lead Computer Security Analyst
ITT Information Systems, Washington, DC Apr 2001 – Jul 2001
• Responsible for the Certification & Accreditation of the Federal Aviation Administration (FAA) Program.
• Conducted risk assessments at various locations on General Support Systems and Major Applications.
• After the initial risk assessments, wrote the certification & accreditation documentation to meet the GISRA, NIST and OMB A-130.
• Assisted in the research of the FAA’s individual functional areas to determine which are critical, essential, and desirable and how each could be transitioned during times of crisis.
• Assisted in formulating recommendations for alternate facility locations and in the development of BC/DR plans and procedures.
Senior Computer Scientist/Evaluator
Computer Sciences Corporation, Annapolis Junction, MD Jan 2001 – Apr 2001
• Applied the Common Criteria for Information Technology Security Evaluations (CC) to perform evaluations of, and prepare evidence for the evaluation of products and systems.
• Provided the Evaluator for BMC (Patrol 3.4 for UNIX/Windows 2000) and Argus Pit Bull Foundation 3.0 on Solaris 7/SPARC.
• Responsible for all aspects of conducting the evaluation of Patrol Firewalls, prepared the Security Target against which it was evaluated, analyzed, designed, installed, security documentation and prepared the Final Evaluation Report (FER).
• Responsible for management of multiple Software Baselines using the Rational suite of configuration management tools (Clear Case, Clear Quest).
• Developed management reports on the status of Software configurations and change requests.
• Prepared for and facilitated the conduct of Engineering Review Boards/Configuration Control Boards.
• Checks in developer managed baseline code, creates baselines and conducts software builds in UNIX and Windows environments.
• Developed/tailored CM processes/procedures as needed and trains and monitors engineering compliance with approved processes and procedures.
• Conducted pre-delivery baseline reviews, and configuration audits.
Principal Computer Security Engineer/Technical Team Leader
Computer Sciences Corporation, Hanover, MD Jul 1999 – Jan 2001
• Assigned to the IRS TAMIS Project, responsible for conducting risk assessments of IRS mainframes, applications, for all platforms, i.e., UNIX, LAN/WAN, Mainframe (RACF/Vanguard), etc. that store and/or process Sensitive But Unclassified (SBU) data including taxpayer data and IRS employee data.
• As Team Leader, communicated with the COTR’s and POC’s for scheduling and conducting risk assessments.
• Communicated with POCs for risk assessment documentation that has been submitted and make any necessary changes to the documents.
• Kept abreast of Industry’s Best Practices, computer security (COMPUSEC), communications security (COMSEC) IRM Publications and other federal documents in addition to physical, personnel, and information security to determine compliance with Federal (e.g. Department of Treasury, Internal Revenue Service’s (IRS), and federal documents) requirements and guidelines.
• Conducted risk assessments, prepare technical documentation required for system and application certifications.
• Provided guidance and technical assistance to other risk assessors regarding required certification documentation.
• Visited IRS Computing Centers in various locations to do Risk Assessments on hardware and software.
• Responsible for the documentation of findings and recommendations after the initial Risk Assessment.
• Wrote Risk Assessments, Computer Security Plans, Privacy Impact Assessments, Disaster Recovery Plans, System of Records Notices, Technical Contingency Planning, Trusted Facility Manuals, Security Features Users Guides and Configuration Management Plans for all platforms/applications.
Information Systems Security Manager
M-Cubed Information Systems - Rockville, MD Aug 1998 – Jul 1999
• Contractor for the United States Treasury Department (FMS) to perform a variety of complex project tasks applied to specialized technology problems.
• Performed tasks that involved integration of electronic processes to resolve system problems.
• Performed tasks that related to INFOSEC technology requirement problems.
• Analyzed information security requirements.
• Applied analytical and systematic approaches in the resolution of problems of workflow, organization, and planning.
• Directed (or assisted) system engineers in the application of INFOSEC principles to the solution of secure system design problems.
• Demonstrated experience with INFOSEC products and systems.
• Wrote Security Policies and Procedures, conducted security awareness training and was responsible for Accreditation/Certification, Security Testing and Evaluations (ST&E) on all platforms.
• Was responsible for the management of the day-to-day administration of Top Secret and RACF (Vanguard) on the OS/390, UNIX and Internet security, also gave users access to secure-id cards.
• Supported SAP clients across the system landscape including sandbox, development testing and production clients for SAP R/3, APO, and BW.
• Database and system administration for SAP R/3 and BW environments on AS400 / DB2 platform, and Windows NT / SQL Server for the SAP APO environments.
• Administered users and SAP security authorizations.
• Managed and administer correction and transport process (CTS).
• Monitored and tuned system to meet business-processing expectations.
• Proactively advise IT management on system sizing, performance, security, and system administration procedures.
• Worked collaboratively with business analysts and technical developers to support the business users' system availability, performance, and functionality requirements.
• Managed a team of four Systems Security Engineers.
Senior INFOSEC Systems Engineer
Enterprise Information Services - Chantilly, VA Apr 1998 – Aug 1998
• Supported Internal Revenue Service’s (IRS) ISC.Tivoli Identity Manager (TIM) by conducting Risk Assessments on platforms and applications at various IRS locations.
• Responsible for writing documents to meet IRS Accreditation Certification. (See above documents written for the IRS at Computer Sciences Corporationoration).
• Also, responsible for security awareness seminars and working directly with the Principal Accrediting Authority (PAA) Office to review certification documents submitted via EIS and other consultants.
Information Systems Security Administrator
Computer Sciences Corporation, Richmond, VA Nov 1997 – Mar 1998
• Responsible for the day-to-day security administration of Top Secret and RACF.
• Also was responsible for Y2K security administration in a test environment.
• Wrote specialized programs in SAS in order to generate various Top-Secret and RACF audit reports.
Lead INFOSEC Systems Engineer
Professional Software Engineering Corporation, Roslyn, VA Nov 1996 – Nov 1997
• Supported Defense Information Systems Agency (DISA) in the Accreditation Certification of software and hardware.
• Wrote DITSCAP C&A documents while updating the Security Policies and Procedures Manual.
• Supported The Department of State responsible for the Security Administration using ACF2, training, writing and administering policies and procedures for all platforms and technical writing, penetration testing, and writing certification & accreditation documentation for software and hardware.
REFERENCES FURNISHED UPON REQUEST