Associate Director, Global Information Security Group (GISG) Assessments Manager
KPMG International - 6/2022 to Present
KPMG International Services Limited (KPMGI), Global Technology & Knowledge, (GT&K), Global Information Security Group (GISG)
Design the framework for, perform and monitor execution of assessments, including KPMGI information security boundaries assessments. Contribute to strategy and roadmap development for assessments, including KPMGI information security boundaries assessments. Contribute to any relevant technology solution implementation, maintenance and enhancements and oversee support resources. Manage the maintenance and enhancement of the framework, materials, process and procedures for KPMGI information security boundaries assessments.
Designed the framework for, performed, and automated the monitoring and execution of assessments of cloud platforms against the KPMGI Global Cloud Security Guardrails (GCSG), as well as overall risk treatment plan monitoring. Implemented automated monitoring using KPMGI ServiceNow IRM for GCSG and the cloud-native tools of KPMG Member Firm Cloud Platforms (Azure, AWS, or GCP). Managed the maintenance and enhancement of the GCSG program framework, materials, process and procedures. This includes managing the GCSG Code Repository for distributing the automation code to KPMG Member Firms and final approval of code releases. Provided SME input to overall efforts for the GCSG automation (including deployment, monitoring and assessment).
Chief Information Officer (CIO) / Principal Consultant
SynoTek, LLC - 10/2013 to 6/2022
Information Security, Governance, Risk, and Compliance (GRC), and Privacy Consultant.
Develops GRC/Security/Privacy solutions for the implementation, monitoring, and execution of assessments of systems against multiple frameworks, as well as overall risk management. We assist organizations in meeting compliance requirements by developing Compliance as Code for cloud environments to automate compliance enforcement through prevention (automatically enforcing compliance), detection (alerting when non-compliance occurs), and remediation (making immediate changes when non-compliance occurs). We also help integrate your GRC tools, such as ServiceNow, with automated compliance monitoring and assessment.
FedRAMP Advisory and Program Management and FISMA/NIST Liaison services provide oversight, management, and visibility into the ongoing FedRAMP security and compliance efforts of your enterprise’s Continuous Monitoring Program.
Provide additional services as Virtual Chief Information Security Officer (vCISO), WiFi Site Surveys, and Corporate Engineer.
Compliance and Security Manager
IBM Watson Health - 12/2020 to 2/2022
IBM Watson Health is transforming healthcare by helping meet business and clinical needs with cloud, data, analytics, and artificial intelligence solutions.
Security and compliance manager responsible for providing customer-facing technical leadership. Responsible for the security (vulnerability management, RBAC, LDAP, DBMS, networking) and compliance (NIST, HIPAA, SSAE16, MITA) aspects of the solution and for communicating with technical and non-technical stakeholders. Support security and compliance requirements on new opportunities across the organization. Participate in requirements and design sessions to ensure that solution architecture complies with all applicable State and Federal regulations. Support and maintain security policies/configuration for DBMS, applications, systems, etc. in both on-premise and cloud-hosted solutions (e.g., encryption keys, access controls, separation of duties, database audit logging, Central Audit Logging/Monitoring, etc.). Responsible for configuring, tuning, and reviewing security logs (e.g., central systems logging, database logging) to reduce false positives and improve detection of anomalies. Perform vulnerability security scans of systems to help identify and correct infrastructure security issues found in servers and databases. Develop and maintain security plans, procedures, and other documentation. Investigate new platforms and tools throughout the industry and make recommendations for their use in current and future projects. Advise management through the creation of scorecards and reporting that display our risk profile and provide insight for decision making. Provide proactive analysis and options for systems and operations changes to implement regulatory requirements from CMS (Center for Medicaid Services) regarding the system. Contact the customer when new CMS rules (draft and final) are released, organize meetings to present the results, help provide comments to CMS, and propose solutions to implement the rules (controls) in the system.
Chief Information Security Officer (CISO)
Collab9, LLC - 10/2016 to 09/2020
Senior-level executive for Collab9, LLC, a FedRAMP Authorized Unified Communications as a Service (UCaaS) solution provider that delivers a secure cloud-based communication solution that integrates voice, video, web conferencing, messaging, mobility, and customer care. The mission is to align business objectives with security initiatives, ensuring that information assets and technologies are adequately protected. I manage all aspects of the CISO role while using various information security frameworks and the globally accepted project management framework of PMI. I also serve as the Collab9 Privacy Officer. For our Collab9 Secure UC, FedRAMP Authorization Boundary and HIPAA environment I serve in the following additional roles:
Senior Information Security Officer (SISO): Responsible for carrying out the Chief Information Officer’s security responsibilities and serving as the primary liaison for the Chief Information Officer to the Federal Agency’s Authorizing Officials, Information System Owners (ISO), and Information System Security Officers.
Information System Security Officer (ISSO): Responsible for ensuring the appropriate operational security posture is maintained for an information system, and as such works in close collaboration with the ISO. Serves as a principal advisor on all matters, technical and otherwise, involving the security of an information system. Serves as alternate Information System Security Engineer for performing vulnerability scans, monitoring alerts from IPS and SIEM, and audit log reviews.
Information Security Architect (ISA): Responsible for ensuring the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes.
FedRAMP Continuous Monitoring Annual Assessment 2017
FedRAMP Continuous Monitoring Annual Assessment 2018
FedRAMP Continuous Monitoring Annual Assessment 2019
HIPAA Security Rule Assessment 2018
Gap Analysis FedRAMP Moderate to: CJIS, DoD IL5, IRS 1075
Information System Security Manager
Digital Management, Inc. - 05/2015 to 10/2016
Contractor for the U.S. Department of the Interior (DOI) Office of Chief Information Officer (OCIO)
Information System Security Officer (ISSO) for Department of Commerce (DoC), 6/2016 - 10/2016
Develop and maintain Continuous Monitoring Plan (CMP), perform activities as identified in the CMP.
Information System Security Line of Business (ISSLoB) Operations Manager, 7/2015 - 10/2016
Direct Reports = 7 telecommuting staff
Managing a Federal government security program compliant to the NIST Risk Management Framework (RMF) and implementing the Project Management Institute, Inc. (PMI) Project Management Body of Knowledge (PMBOK) project management framework in order to provide consistent, comprehensive engagement deliverables.
Security Assessment and Authorization (SA&A) activities
Development and review of security documentation for OMB directed compliance to NIST and FISMA
Review of FedRAMP packages for Cloud Service Providers (CSP) and preparation of results for briefing to the AO. Provided support for the Cyber Security Assessment and Management System (CSAM), the client’s official FISMA reporting tool, to generate reports and review the compliance and consistency of federal government information systems.
IT Security Risk Management Lead, 5/2015 - 7/2015
Direct Reports = 10 telecommuting and on-site staff
Risk Management Lead and IT Security SME that managed a team of risk management/compliance personnel that performed the following: SA&A and Security Program Management, Security Metrics and Reporting, POA&M development and tracking, Interconnection Security Agreements (ISA) development and tracking, and Continuous Monitoring activities.
Program Manager / Senior Project Manager
SAIC - 03/2011 to 5/2015
Senior Project Manager, SAIC - Cyber, Cloud and Data Science - 3/2011 - 5/2015
Comprehensive Robust Information Security (CRIS) Project for USDA/Forest Service
Direct Reports = 10 teleworkers
Team Lead Policy and Governance / Risk Management Framework (RMF)
Team Lead Security Operations
Vulnerability Scanning and Auditing, Enterprise Security Metrics Reporting, and Centralized Account Management (CAM)
Served as IT Security SME and Task Lead in areas relevant to the project (including OMB, DHS, NIST, FISMA, RMF, and Continuous Monitoring) for guidance, provided regular briefings on potential impact to the agency, and drove enterprise-wide planning and implementation. Managed efficient and effective virtual teams for the completion of tasks compliant with federal standards and agency requirements (OMB, DHS, US-CERT, and others). Ensured problem resolution and customer satisfaction for individual delivery orders; provided supervisory, technical, and administrative direction for personnel performing tasks. Conducted training on security program policy and procedure. Established the use of SharePoint for documentation and Project Server with OLAP for management of the multiple projects.
Managed a virtual team to review, update, and deliver over 3,400 pages of security documentation, plus training material, within a 6 month project plan.
Program Manager, SAIC - Federal Civilian Customer Group - 11/2012 - 2/2014
Direct Reports = 57 on-site staff at multiple locations
Department of the Interior / Interior Business Center- IT Data Center, Systems Operation and Administration (SOA), Data Center Operations, Network Services, Database, Storage and Backup, System Software Administration, Applications Development and Administration and Enterprise Services
Department of Defense (DoD), Chemical Weapons Depot IT Support
GSA Accounting Office, Accounting and Financial Support
Managed the implementation of specific government contracts. Planned, coordinated, and managed the actions taken by the organization to acquire and execute a specific piece of business competitively. Integrated all functions and activities necessary to perform the program to meet the client requirements. Planned and implemented actions by the program team to define and implement the technical baseline and meet quality requirements for program services. Directed project team personnel, managed cost and schedule, ensured contract compliance, and served as principal customer interface. Primary interface with client, project managers, task and functional leaders, subcontractors, support personnel, and other stakeholders.
Chief Information Officer (CIO)
Aquila Business Services, LLC - 4/2009 to 12/2012
Managed System Security Provider, Private Off-Site Cloud Provider, LMS provider, and Corporate Engineering.
Managed all aspects of IT management and IT security for the company and its clients. Included LMS design and administration and incident response. Responsible for maintaining compliance of Federal and state requirements and industry best practices. Managed ongoing security assessments and testing, audit management and reviews for the company and its clients. Core competencies provided: Governance, Risk Management, and Compliance (GRC), security engineering, security testing, continuity planning, audit management and reviews, IT security control management, cloud service provider (Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS)), and Learning Management Systems (LMS).
IT Security Analyst
G&B Solutions, Inc. - 7/2008 to 3/2011
Information Technology Security Analyst for United States Department of the Interior (DOI), National Business Center (NBC). Worked within broad objectives to ensure the DOI Certification & Accreditation (C&A) program was successful and in compliance with departmental standards and NIST Special Publication (SP) 800 series guidance. Managed IT security projects that assessed and documented the security posture of systems through interviews, document validation, and security control testing. Reviewed and ensured that the system documents were current and accurate. Interviewed system owners, developers, and technical staff to ensure their understanding of applicable IT standards and policies was correct. Created and maintained project plans and schedules, developed status reports, and maintained project tracking spreadsheets. Performed gap analysis of current policies, practices, procedures, and Security Technical Implementation Guides (STIG) as they relate to federal standards and regulations. Performed crosswalk analysis of NIST SP 800-53, Rev 3 and the HIPAA Security Rule as documented in NIST SP 800-66, Rev 1. Performed annual Internal Control Reviews (ICR) and Security Impact Assessments (SIA). Performed security walk-through assessments and assisted with penetration testing. Security Point of Contact (SPOC) for the entire DOI/NBC Enterprise during United States Computer Emergency Readiness Team (USCert) briefings; briefed system Points of Contact (POC) on any vulnerability items, technical issues, and recommended mitigation. Identified as Security Compliance Coordinator and Audit Liaison for the financial system with over 8,000 users during FISCAM audits, FISMA audits, Office of the Inspector General (OIG) and A-123 reviews, with a reduction of audit/testing findings by 45%. Managed Plan of Action & Milestones (POA&M) and reduced identified security vulnerabilities by 85% within 6 months.
Maintained records and updated repositories within departmental guidelines, utilizing Cyber Security Assessment and Management (CSAM). Created multiple tools to aid and automate various tasks that are used by the organization for managing its security posture and automatic reporting, including Nessus vulnerability scan reports.
Audit Liaison during FISCAM audits, FISMA audits, Office of the Inspector General (OIG) and A-123 reviews, with 100% on-time deliverables and a reduction of audit/testing findings by 45%.
Security Compliance Coordinator for a federal government financial IT system with over 8,000 users and 3 deployments, including virtualization.
Security Point of Contact (SPOC) for the entire Federal Enterprise during United States Computer Emergency Readiness Team (USCert) briefings for Microsoft vulnerabilities.
Created multiple tools to aid and automate various tasks that are used by the organization. The tools were used for Nessus vulnerability scan reports, Cyber Security Assessment and Management (CSAM) report generation, and Internal Control Review (ICR) templates for automatic reporting of summaries.
Managed the Plan of Action and Milestones (POA&M) process and reduced identified security vulnerabilities by 85% within 6 months.