Carrollton, Texas, United States
Twenty years of IT Security, Application Security/Testing and Corporate Security combined with ten years of Law Enforcement investigations. Conducted application security testing using WebInspect and Fortify. Managed each step of the SDLC process with developers. Managed the remediation process of securing vulnerabilities while working with technical and non-technical teams, management and stakeholders to ensure policy compliance. Conducted training seminars for large and small groups. Expanded the IT Security Department for a telecommunications company. Developed and implemented the IT Security Policy and Procedures. Created a Security Task Force that encompassed members across the Enterprise to ensure policy compliance, Sarbanes-Oxley, virus protection, change management and encryption. Conducted internal and external investigations, including security breaches, fraud and civil and criminal violations. Experience in computer forensics to recover data from information systems. Built a case management system that served as the database for all corporate investigations. Proficient in public speaking, with excellent verbal and written communication skills.
A member of the Global Information Security team responsible for remediation assessments of third party vendors providing services to Bank of America that have a large number of findings.
• Drive remediation of issues identified through information security and business continuity assessments of third parties providing services to the bank.
• Analyze the assessment packages and associated findings issued by the Assessment team to understand and recommend controls that will address the findings and be acceptable to the vendors and their IT environments.
• Work with third party vendors who have 40 or more findings in their annual assessment to determine if mitigating and compensating controls are present to close findings.
• Validate that vendors have appropriately implemented information security controls, with supporting documentation, to close open findings.
• Manage and prioritize responsibilities while monitoring timelines to ensure findings are closed by the mandated date.
• Present findings to the Downgrade Committee to lower the risk rating when appropriate.
• Hold WebEx sessions with vendors and in-house experts to further define more difficult findings, bringing them to successful remediation.
• Work with BISOs when submitting Enhanced Remediation Plans (ERP) for approval to extend due dates.
• Attend weekly meetings to keep internal management apprised of progress.
• Manage multiple assessments simultaneously.
• Responsible for tracking and documenting in Rsam all technical evidence received for each open finding.
• Broad knowledge of information security principles, including Information Security Controls (Infrastructure Security, Access Management, Physical Security, Application Security, etc.), IT Compliance, Change Management and Enterprise Risk Management.
• Comfortable delivering messages across a wide spectrum of individuals with varying degrees of technical understanding.
Responsible for developing business processes within the Vulnerability Management Team and with external entities. Liaison to Risk & Governance teams, application owners, system owners, and leadership.
• Run WebInspect/Fortify scans against web applications prior to their release to production, encompassing both static and dynamic scanning.
• Train developers and application teams on using the Fortify on Demand (FoD) tool for application security scans.
• Track the remediation process, reporting and communication of vulnerabilities within policy timelines.
• Work with developers through the SDLC process, providing guidance, driving projects and managing release cycles.
• Instrumental in making recommendations to the various teams within IT Security and to department managers who have a role in Vulnerability Management.
• Close interaction with Risk Management to ensure compliance with application security standards, processes and testing.
• Build relationships and processes with Management, Development Teams, Operations Teams, and Compliance Teams for Vulnerability Management.
• Liaison for Vulnerability Management services to Cyber Security Analysis and Response Center (CSARC) teams, IT Security, auditors and in-house partners.
• Assisted in policy writing and in developing processes and procedures for application scanning.
• Point of contact between third party vendors and internal departments.
• Agile training and participation.
• Experience with Brinqa and Sonatype.
• Disaster Recovery Training.
• Working knowledge of NIST, ISO, PCI and SOX.
• Member of the OWASP Dallas Chapter.
Develop and execute activities related to end-to-end Vulnerability Assessments on applications, including activities to ensure VAs are scheduled, executed, and remediated if findings are identified. Proactively monitor, manage and report on execution of deliverables.
• Manage the Vulnerability Assessment Testing Process for Citi Retail Services, including Compliance VAs and Project Vulnerability Assessment Test requests for applications before they are pushed to production.
• Single point of contact with the business units for application scanning during the Monthly Releases for VA Testing, within stringent and tight timelines.
• Conduct meetings and conference calls with IT Project Managers, Project Teams, TISO, BISO, outside VA vendors and internal testers during the specified timelines of the Monthly Release.
• Organize and monitor the remediation process and efforts, using technology resources, to fix all vulnerability findings discovered in the VA Test.
• Open and monitor Archer Requests for VA tests on applications.
• Assist with developing Corrective Action Plans and Remediation Exceptions to ensure compliance timeframes are met.
• Provide Vulnerability Assessment and Security Training to new hires, team members, project teams, IT Project Managers and Business Representatives.
• Ability to work effectively with a global, virtual team.
• Manage and prioritize multiple projects.
• Translate between technical and non-technical people.
• Proven ability to resolve conflicts.
Awards: 2013 & 2014 Excellence in Technology, Citi Stars 2014 and Galaxy of Thanks 2014.
Responsible for building the Vulnerability Assessment Program, Application Security Scans and Information Security Awareness Training.
• Conducted application security scans using WebInspect.
• Worked with application teams across the Business Units to fix the vulnerabilities and develop a Remediation Plan for long-term solutions.
• Maintained the tracking database of all vulnerability scans.
• Created PowerPoint presentations detailing "How To" instructions for training.
• Researched security alerts and vulnerabilities of new software before its introduction into Raytheon's environment.
• Assisted in the selection of the training software for IT Security Awareness Training and in tailoring it to reflect Raytheon statistics, incidents and Policy requirements.
• Accomplished the rollout of the IT Security Awareness Training to the entire company, nationally and internationally.
• Conducted the monthly Sarbanes-Oxley audit of the IT Security Department, working with internal and external auditors.
• Worked with Governance and Risk Management, inputting monthly audits into the Certus database for certification and IT Control functions.
• Trained and certified as a Six Sigma Specialist.
2006: Received a Department of Defense Security Clearance.
Awards:
• "CIO Excellence in Information Technology" – Highest honor bestowed on employees for demonstrating exceptional use of information technology with broad business impact, achieving outstanding performance and demonstrating Raytheon values. Less than 1% of all employees receive this award.
• "IT Solutions Award in Growth" – Raytheon IT employees are nominated by their peers and leaders.
• "Individual Achievement Award" – Top Customer Satisfaction rating for the first half of 2010, with a 99% quality rating and the highest number of surveys returned. Continued to receive the most and highest ratings in 2010 – 2011.
• "Interdependence 2009 Awards" – Nominated and a runner-up in the category of Personalize Truth, Share, Trust.
Responsible for the planning, development and expansion of XO's IT Security Department.
• Protected network and information assets by representing security interests on system development teams to ensure compliance with corporate security policies.
• Managed network security devices and systems for e-mail and Content Filtering software, ensuring proper website blocking, running reports, interpreting employee usage and gathering employee activity information.
• Extensive hands-on experience in forensic recovery and gathering of electronic evidence from IT systems.
• Planned, coordinated and conducted corporate-wide investigations relating to criminal and civil violations committed against the corporation, employees or customers, involving conflicts of interest, fraud, theft, embezzlement and unauthorized communication interception.
• Developed the procedures and methodologies for properly retrieving and processing evidence gathered from IT systems, preserving the data on secluded servers with security controls for storage to comply with care, custody and control requirements for introduction as court evidence.
• Provided support for the Legal Department and Human Resources by collecting and processing litigation intelligence with electronic evidence in investigations of improprieties by employees and outside parties.
• Created and deployed a case management system, including report writing, tracking and maintaining an investigative database.
• Implemented the IT Security Policy and Procedures, updating them annually.
• Built the Subpoena Unit for handling, researching and processing incoming subpoenas from all levels of Law Enforcement.
• Responsible for planning the IT Security Capital budget and maintaining yearly expenses.
Awards: Won the "eXtreme Award" for developing, documenting and implementing secure processes, procedures and requirements for outside vendor access to XO's network while limiting exposure and opportunities for fraudulent behavior.