KPMG International Services Limited (KPMGI)
Associate Director, AppSec & Cloud Security Architect
GISG AppSec - October 2023 - Present
Cloud Security Architect supporting the planning, security quality assurance, architecture design, risk assessments (including threat modeling and attack surface analysis), and innovation for security services for the organization's global cloud enablement. Provide support to security and solutions teams with architecture design and technical recommendations.
Responsible for understanding, researching, designing, and assessing security solutions, technical and reference architectures, and supporting security strategies tailored to business needs, with a focus towards Cloud Central services and Microsoft’s Office365.
Develop and contribute to service deliverables with a security focus on IaaS, PaaS, and SaaS services, emphasizing cloud technologies that require partnership with organizational solution owners and project teams to deliver reliable and scalable security capabilities and strategies.
Align and translate business requirements into secure solutions, designs and reference architectures for applications and products that can be leveraged by all professionals across the global organization.
Subject Matter Expert on cloud technologies and security with responsibilities to facilitate knowledge transfer within the greater Cloud Central groups in the organization.
Promoter and guardian of global organizational and standard infrastructure services and solutions, while supporting audit processes for security and compliance strategies. An advocate for cybersecurity, responsible for creation and delivery of trainings and materials with a security viewpoint to help with solution building.
Associate Director, GISG Assessment Manager
GISG Security Management - October 2022 - October 2023
Security Engineer that managed the framework to perform and monitor execution of security and compliance assessments. Contributed to strategy and roadmap development for assessments, including architecting, building, and managing the organization's Information Security Boundaries Assessment Program. Contributed to any relevant technology solution implementation, maintenance and enhancements, and oversaw support resources. Managed the maintenance and enhancement of the framework, materials, process and procedures for the organization's information security boundaries assessments.
Associate Director, Global Cloud Security Guardrails (GCSG) Assessments Manager
GISG Security Management - June 2022 - October 2022
Security Engineer that designed and managed the framework for performing, automatically monitoring, and executing assessments of cloud platforms against the organization's Global Cloud Security Guardrails (GCSG), as well as overall risk treatment plan monitoring. Implemented automated monitoring using the organization's ServiceNow IRM for GCSG and the cloud native tools of the organizational Cloud Platforms (Azure, AWS, or GCP). Managed the maintenance and enhancement of the GCSG program framework, materials, process and procedures. This included managing the GCSG Code Repository for distributing the automation code to the organization and final approval of code releases. Provided SME input to overall efforts for the GCSG automation (including deployment, monitoring and assessment).
Chief Information Officer (CIO) / Principal Consultant
10/2013 to 6/2022
Consulted in the development of solutions for GRC implementation, performed and monitored execution of assessments of information systems against multiple GRC frameworks as well as overall risk management. Performed gap analysis and assessments across multiple frameworks. Provided guidance for GRC Automation for Cloud Platforms (Azure, AWS, and GCP) using cloud
GRC frameworks included:
Federal Risk and Authorization Management Program (FedRAMP)
Federal Information Systems Management Act (FISMA)
National Institute of Standards and Technology (NIST) Risk Management Framework (NIST RMF)
National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF)
Center for Medicare & Medicaid Services (CMS) Minimum Acceptable Risk Standards for Exchanges (MARS-E)
Health Information Portability and Accountability Act (HIPAA) Security Rule (HSR)
Department of Commerce Privacy Shield
Cloud Security Alliance (CSA)
International Organization for Standardization (ISO) 27000 Series
General Data Protection Regulation (GDPR)
Center for Internet Security (CIS) Benchmarks
Center for Internet Security (CIS) Critical Security Controls
Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
Information Technology Infrastructure Library (ITIL)
Control Objectives for Information and Related Technologies (COBIT)
Payment Card Industry Data Security Standards (PCI-DSS)
IBM Watson Health
Compliance and Security Manager
12/2020 to 2/2022
Security Engineer responsible for providing customer facing technical leadership. Responsible for the security (vulnerability management, RBAC, LDAP, DBMS, networking) and compliance (NIST, HIPAA, SSAE16, MITA) aspects of the solution and communicate with technical and non-technical stakeholders. Support security and compliance requirements on new opportunities across the organization.
Participate in requirements and design sessions to ensure that solution architecture complies with all applicable State and Federal regulations. Support and maintain security policies/configuration for DBMS, applications, systems, etc. in both on-premise and cloud hosted solutions (e.g., encryption keys, access controls, separation of duties, database audit logging, Central Audit Logging/Monitoring, etc.).
Responsible for configuring, tuning, and reviewing security logs (e.g., central systems logging, database logging) to reduce false positives and improve detection of anomalies. Perform vulnerability security scans of systems to help identify and correct infrastructure security issues found in servers and databases. Develop and maintain security plans, procedures, and other documentation.
Investigate new platforms and tools throughout the industry and make recommendations for their use in current and future projects. Advise management through the creation of scorecards and reporting that display our risk profile and provide insight for decision making.
Provide proactive analysis and options for systems and operations changes to implement regulatory requirements from CMS (Center for Medicaid Services) regarding the system. Contact customer when new CMS rules (draft and final) are released, organizing meetings to present the results and help to provide comments for CMS and propose solutions to implement the rules (controls) in the system.
Chief Information Security Officer (CISO)
10/2016 to 09/2020
Senior-level executive for Collab9, LLC, a FedRAMP Authorized Unified Communications as a Service (UCaaS) solution provider that delivers a secure cloud-based communication solution that integrates voice, video, web conferencing, messaging, mobility, and customer care. Mission is to align business objectives with security initiatives, ensuring that information assets and technologies are adequately protected. I manage all aspects of the CISO role while using various information security frameworks and the globally accepted project management framework of PMI. I also serve as the Collab9 Privacy Officer.
For our Collab9 Secure UC, FedRAMP Authorization Boundary and HIPAA environment, I served in the following additional roles:
Senior Information Security Officer (SISO):
Responsible for carrying out the Chief Information Officer’s security responsibilities; and serving as the primary liaison for the Chief Information Officer to the Federal Agency’s Authorizing Officials, Information System Owners (ISO), and Information System Security Officers.
Information System Security Officer (ISSO):
Responsible for ensuring the appropriate operational security posture is maintained for an information system, and as such works in close collaboration with the ISO. Serves as a principal advisor on all matters, technical and otherwise, involving the security of an information system. Serves as alternate Information System Security Engineer for performing vulnerability scans, monitoring alerts from IPS and SIEM, and audit log reviews.
Information Security Architect (ISA):
Responsible for ensuring the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes.
FedRAMP Continuous Monitoring Annual Assessment 2017
FedRAMP Continuous Monitoring Annual Assessment 2018
FedRAMP Continuous Monitoring Annual Assessment 2019
HIPAA Security Rule Assessment 2018
Gap Analysis FedRAMP Moderate to: CJIS, DoD IL5, IRS 1075
Digital Management, Inc.
Information System Security Manager, Contractor for the U.S. Department of the Interior (DOI) Office of Chief Information Officer (OCIO)
05/2015 to 10/2016
Information System Security Officer (ISSO) for Department of Commerce (DoC), 6/2016 - 10/2016
Security Engineer that developed and maintained the Continuous Monitoring Plan (CMP) and performed the activities identified in the CMP.
Information System Security Line of Business (ISSLoB) Operations Manager, 7/15 - 10/2016
Direct Reports = 7 telecommuting staff
Security Engineer that managed a Federal government security program compliant to the NIST Risk Management Framework (RMF) and implementing the Project Management Institute, Inc. (PMI) Project Management Body of Knowledge (PMBOK) project management framework in order to provide consistent, comprehensive engagement deliverables.
Security Assessment and Authorization (SA&A) activities
Development and review of security documentation for OMB directed compliance to NIST and FISMA
Review of FedRAMP packages for Cloud Service Providers (CSP) and preparation of results for briefing to the AO
Support for the Cyber Security Assessment and Management System (CSAM), the client's official FISMA reporting tool, to generate reports and review the compliance and consistency of federal government information systems
IT Security Risk Management Lead, 5/15 - 7/15
Direct Reports = 10 telecommuting and on-site staff
Security Engineer that was the Risk Management Lead and IT Security SME that managed a team of risk management/compliance personnel that performed the following: SA&A and Security Program Management, Security Metrics and Reporting, POA&M development and tracking, Interconnection Security Agreements (ISA) development and tracking, and Continuous Monitoring activities.
Program Manager / Senior Project Manager
03/2011 to 5/2015
Senior Project Manager, SAIC - Cyber, Cloud and Data Science - 3/2011 - 5/2015
Comprehensive Robust Information Security (CRIS) Project for USDA/Forest Service
Direct Reports = 10 teleworkers
Team Lead Policy and Governance / Risk Management Framework (RMF)
Team Lead Security Operations
Vulnerability Scanning and Auditing, Enterprise Security Metrics Reporting, and Centralized Account Management (CAM)
Security Engineer that served as IT Security SME and Task Lead in areas relevant to the project (includes OMB, DHS, NIST, FISMA, RMF, and Continuous Monitoring) for guidance and provided regular briefings of potential impact to the agency to drive enterprise-wide planning and implementation. Managed efficient and effective virtual teams for the completion of tasks compliant with federal standards and agency requirements (OMB, DHS, US-CERT, and others). Ensured problem resolution and customer satisfaction for individual delivery orders; provided supervisory, technical, and administrative direction for personnel performing tasks. Conducted training for security program policy and procedure. Established the use of SharePoint for documentation and Project Server w/ OLAP for management of the multiple projects. Managed a virtual team to review, update, and deliver over 3,400 pages of security documentation, plus training material, within a 6 month project plan.
Program Manager, SAIC - Federal Civilian Customer Group - 11/2012 - 2/2014
Direct Reports = 57 on-site staff at multiple locations
Department of the Interior / Interior Business Center - IT Data Center, Systems Operation and Administration (SOA), Data Center Operations, Network Services, Database, Storage and Backup, System Software Administration, Applications Development and Administration and Enterprise Services
Department of Defense (DoD), Chemical Weapons Depot IT Support
GSA Accounting Office, Accounting and Financial Support
Program Manager that managed the implementation of specific government contracts. Planned, coordinated, and managed the actions taken by the organization to acquire and execute a specific piece of business competitively. Integrated all functions and activities necessary to perform the program to meet the client requirements. Planned and implemented actions by the program team to define and implement the technical baseline and meet quality requirements for program services. Directed project team personnel, managed cost and schedule, ensured contract compliance, and served as principal customer interface. Primary interface with client, project managers, task and functional leaders, subcontractors, support personnel, and other stakeholders.
Aquila Business Services, LLC
Chief Information Officer (CIO)
4/2009 to 12/2012
Managed System Security Provider, Private Off-Site Cloud Provider, LMS provider, and Corporate Engineering.
Managed all aspects of IT management and IT security for the company and its clients. Included LMS design and administration and incident response. Responsible for maintaining compliance of Federal and state requirements and industry best practices. Managed ongoing security assessments and testing, audit management and reviews for the company and its clients. Core competencies provided: Governance, Risk Management, and Compliance (GRC), security engineering, security testing, continuity planning, audit management and reviews, IT security control management, cloud service provider (Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS)), and Learning Management Systems (LMS).
G&B Solutions, Inc.
IT Security Analyst
7/2008 to 3/2011
Information Technology Security Analyst for United States Department of the Interior (DOI), National Business Center (NBC)
Security Analyst that worked within broad objectives to ensure the DOI Certification & Accreditation (C&A) program was successful and in compliance with departmental standards and NIST Special Publication (SP) 800 series guidance. Managed IT security projects that assessed and documented the security posture of systems through interviews, document validation, and security control testing. Reviewed and ensured that the system documents were current and accurate. Interviewed system owners, developers, and technical staff to ensure their understanding of applicable IT standards and policies was correct. Created and maintained project plans and schedules, developed status reports, and maintained project tracking spreadsheets. Performed gap analysis of current policies, practices, procedures, and Security Technical Implementation Guides (STIG) as they relate to federal standards and regulations. Performed crosswalk analysis of NIST SP 800-53, Rev 3 and the HIPAA Security Rule as documented in NIST SP 800-66, Rev 1. Performed annual Internal Control Reviews (ICR) and Security Impact Assessments (SIA). Performed security walk-through assessments and assisted with penetration testing. Security Point of Contact (SPOC) for the entire DOI/NBC Enterprise during United States Computer Emergency Readiness Team (US-CERT) briefings; briefed system Points of Contact (POC) on any vulnerability items, technical issues, and recommended mitigation. Identified as Security Compliance Coordinator and Audit Liaison for the financial system with over 8,000 users during FISCAM audits, FISMA audits, Office of the Inspector General (OIG) and A-123 reviews, with a reduction of audit/testing findings by 45%. Managed Plan of Action & Milestones (POA&M) and reduced identified security vulnerabilities by 85% within 6 months. Maintained records and updated repositories within departmental guidelines, utilizing Cyber Security Assessment and Management (CSAM).
Created multiple tools for aid and automation in performing various tasks that are used by the organization for managing their security posture and automatic reporting, including Nessus vulnerability scan reports.
Audit Liaison during FISCAM
Audit Liaison during FISCAM audits, FISMA audits, Office of the Inspector General (OIG) and A-123 reviews with 100% on time deliverables and reduction of audit/testing findings by 45%
Security Compliance Coordinator
Security Compliance Coordinator for federal government financial IT system with over 8,000 users and 3 deployments including virtualization
Security Point of Contact
Security Point of Contact (SPOC) for entire Federal Enterprise during United States Computer Emergency Readiness Team (US-CERT) briefings for Microsoft vulnerabilities.
Created multiple tools
Created multiple tools for aid and automation in performing various tasks that are used by the organization. The tools were used for Nessus vulnerability scan reports, Cyber Security Assessment and Management (CSAM) report generation, and Internal Control Review (ICR) templates for automatic reporting of summaries.
Managed Plan of Action and Milestone (POA&M)
Managed Plan of Action and Milestone (POA&M) process and reduced identified security vulnerabilities by 85% within 6 months