Posted on: 2009-02-20
Executive Summary

IT Controls Officer with 25 years of global experience in ensuring integrity, confidentiality, and availability of technology resources. Demonstrated ability in reducing IT risk based on controls assessments/recommendations, ensuring corporate continuity based on business contingency-disaster recovery planning and change management-control, ensuring regulatory compliance based on IT audits/reviews and IT corporate governance (COSO), including SOX, GLBA, FFIEC, SEC, HIPAA, Privacy and Patriot Acts, Treadway Commission. Demonstrated ability in identifying security control weaknesses/vulnerabilities, performing gap analysis, assessing resultant risk/organizational impact. Demonstrated ability in project planning/execution/tracking/reporting/closure, and developing a Risk Management Plan. Proven ability to assess audit compliance with technology related compliance regulations such as SOX, FFIEC, GLBA, and HIPAA, by determining control weaknesses and recommending cost effective solutions to reduce risk and improve business performance. Assessed technology related risk and controls' effectiveness in support of SAS 65 requirements for external audit-attest functions. Planned/budgeted/led/managed technology related compliance audits/security reviews in conjunction with operational/financial audits to ensure effectiveness of technology business controls. Scoped/planned/managed/troubleshot client-auditee engagements/projects to complete satisfaction. Devised methodologies for painless and effective knowledge transfer to business and technical SMEs. Assessed mutable real-time data and application systems with high monetary value.
Expertise includes:
• Strategic & Tactical security planning & budgeting
• IT Security/Audit and Management
• Control risk & modeling analysis/assessments (SOX, SAS70, GLBA, FISMA, FFIEC, etc.) to Risk Management Plan
• Security Awareness: IT Technical and Business views
• Identity, Profile & Access management - Data Security
• Policy and Procedures: assessment, development, standards, frameworks: COBIT, ISO 17799/27001, FISMA/NIST 800, ITIL, CMMI/ISO15504
• Project Management and Corporate IT governance
• E-commerce and EDI controls
• Web Security - 2.0, Websphere, OWASP
• Security Architecture - all layers: Networks, O/S and Applications
• Mentoring and Team building
• Vulnerability assessment with security packages & CAATs
• PCI DSS & Email Federal Compliance Regulations
• Business Analysis and translating processes into technical specs
• Diagramming systems and work flow processes and controls

Soft Skills, PM Skills, and SME Skills include:
• IT Gen'l and Network Controls Audits, Application Controls Audits
• Change Control Management, Application Development, SDLC controls
• Day-to-day project leadership ensuring accurate planning, appropriate staffing, schedule adherence, control budget and scope requirements
• Issue/risk management: Ensure adherence to control framework, methodology, policies, and departmental standards
• Budgeting-financial: regarding cost/benefits and vendor negotiations, resource staff management and work plan management
• Identity management controls and IT & security process enhancement, metrics analysis
• Build positive relationships with key users/business line teams to identify/resolve issues
• Engage wide range of people to influence strategic business/IT agenda outcome
• Maintain high interactive communications regarding project with staff, management, business partners

Recent Work Experience

Oct 2003 - present: Beatrice Block Enterprises International, Inc.
(aka BBEI Inc.), Tarrytown, NY
President/Partner/Principal - Information Technology Security & Compliance Consultant

Most Recent Assignment: Develop Security Awareness (SA) Education Program for Department of Education, City of NY. Scope out Feasibility/Project Plan based on population/audience/practical exposures and gap analysis; work with DOE executives and technical teams to isolate objectives and formulate practical framework for SA plan; develop SA Framework for DOE based on NIST guidelines and SA delivery to broad community of non-technical users using in-person/electronic/print media; develop materials for in-person/web-based training and populate SA database components; develop Moodle (Web 2.0) Framework and SA website to accommodate SA Blog/Wiki modules; work with DOE technicians to mount and implement SA Framework and education system on server; deliver finished product to DOE and NYC government executives and promote national distribution of NYC SA paradigm.

Other assignments included: Specializing in Sarbanes-Oxley 2002 - SOX 404 audits/monitoring, FFIEC, GLBA, HIPAA, FISMA, DPA 1988, FSA#198, Basel II, US Patriot and US Privacy Acts, SAS 70 (T1&2), PCI DSS. Clients include banks, brokerage, real estate, manufacturing, etc. (Provident Bank, Instinet, CIT, SL Greene, Steve Madden, Amscan, Westcon, UPS, Fleet, Bank One, CitiGroup, Merrill Lynch, AIG, JPMChase). Guide risk based analysis methodology of standardized processes to assess control effectiveness to deter ever-changing vulnerabilities and threats. Worked on ITIL controls implementation in major financial institutions. Developed plan and schedule for audit/security project execution; monitored progress to ensure timely project completion and fulfillment of objectives. Communicate project status to participants and stakeholders in reports and formal presentations.
Organized/Led meetings with participants/stakeholders to collect/disseminate project status, tasks, resources, process structure for consensus and commitment to/for deliverables. Performed independent audits and control-risk assessments for regulatory compliance and penalty avoidance. Identify, evaluate, and recommend actions, strategies and solutions to ensure gap remediation and security of technology/business resources and assets. Planned, created and completed all documentation for Sarbanes-Oxley Testing/Reporting/Risk Initiative and FFIEC/OCC/SEC review. Conducted quality audits/reviews to identify and document control activities of IS infrastructure, applications, using Sarbanes-Oxley risk-control matrix. Assured controls adequately addressed user provisioning, authentication and authorization, integration touch points with other application systems, interfaces to external systems, and encryption. Identified security risks for new technology, new products, or new relationships with external parties. Develop/Write security policies and procedures to address vendor and application/infrastructure security risks - areas covered included logical security, systems and data integrity. Assess security architecture and design/integrate data security model into business paradigm. Reviewed access management including identity profiles for individuals and groups; revisions included vulnerability closure and efficiency implementation. Ability to drive risk/controls assessments with quality analysis and quantitative data analytics; lead compliance controls reviews and QA business/control processes, conduct gap analysis and cost assessment, and ensure the remediation of security vulnerabilities. Managed corrective actions and revision documentation, including improvement metrics reporting. Follow-up test strategies/methodologies, with ability to schedule activities.
Review various applications (manufacturing, financial) and document systems as simple as a change control database to systems as intricate as the data flow of the business process of an organization. Work closely with IT, Audit and IS colleagues and the Sarbanes-Oxley Teams, both internal and external. Liaise with technical teams, end users, auditors and compliance personnel. Trained, managed and mentored associates on various assignments including PCAOB and HIPAA standards, SEC, OCC and FDICA regulations/requirements. Motivated teams by creating project cohesion and promoting knowledge transfer. High technical aptitude and driven to remain on the cutting edge of new technology products, concepts, and regulations. Perform strategic marketing and business development activities.

Feb 2007 - Oct 2007: Bank of China, USA, Inc., Americas Division, New York, New York
Head of IT Security - Director

Responsible for identifying and mitigating information security risk to the US Branches. Developed and maintained information security policies (standards, procedures, and guidelines, data ownership and classification) to create an appropriate information security framework for the US Branches. Identify and address information security exposures to accidental or intentional destruction, disclosure, modification, or interruption of information that may cause serious financial and/or reputation losses to the US Branches. Establish appropriate mechanism to protect branch information assets processed internally by the American Data Center, or externally by vendors. Led the activities of the Information Security Department by performing the following specific duties:
* Propose security policies for approval by the Risk Management Committee of the BOC, with copies to the Head Office Information Technology Department and Risk Management Department.
* Enforce established information security policies to ensure they are functioning as management intended. Such monitoring will be performed in coordination with the Internal Audit Center and American Data Center.
* Perform annual security risk assessment to identify potential logical security risks to the US Branches, and develop action plans to mitigate such risks. The security risk assessment report will be provided to the Chief Risk Officer and the Privacy Officer of the Branch.
* Assess new application and/or technology infrastructure platform implementation to ensure Branch security policies and standards are complied with.
* Report to the General Manager, Chief Risk Officer, Risk Management Committee, Internal Audit and the ADC on significant security issues as they surface.
* Liaise with external auditors, regulators, applicable vendors and clients, and professional organizations on existing and emerging security issues.
* Coordinate with Human Resources, Branch departments, Internal Audit and ADC on security awareness training. Ensure that the Branch sponsored training conforms to the existing security policies and standards.
* Performed functional management of the Information Security Department.
* Planned new employee security awareness orientation to foster positive attitude toward bank goals.
* Supervise team and administer staff project program, development, performance evaluation and bonus sharing at the end of each year.
* Understand, comply with and monitor the activities, if necessary, of all applicable laws and regulations regarding anti-money laundering, Bank Secrecy Act, currency transaction reporting and suspicious activity reporting as well as email monitoring.
Supervised two non-supervisory employees (Information Security Officers and Administrator) along with mentoring and evaluation of development. Responsible for the overall direction, coordination, and evaluation of the Information Security Department.
Carries out supervisory responsibilities in accordance with the organization's policies and applicable laws, including but not limited to GLB, FISMA, DPA 1988, FFIEC, FSA#198, SOX 404, PCI DSS, etc. Responsibilities included interviewing, hiring, and training employees; planning, assigning and directing work; appraising performance; rewarding and disciplining employees; addressing complaints and resolving problems.

Dec 2000 - June 2003: Fleet Brokerage & Wealth Management, Division of Fleet Bank Financial Corporation, New York, New York
Senior Manager of IT Security & Risk - Global Technology Services
• Performed control assessments to verify the validity (identification, authentication, and certification) of users and resources based on quantitative data analytics. Performed information security gap analysis, including network security gap analysis for IT controls, both general and logical IT controls. Performed risk assessments and evaluated inherent risk levels in the technological infrastructure vertically from basic networks (including LANs and VPNs) and operating systems to applications and application development standards (especially eCommerce applications and architecture), including the CRM software used: Siebel. Maintained risk events for CIRT.
• Determined whether network interconnections were vulnerable to attack from without or invasion from within, including assessing IDS, TCP/IP exposures, SSL, Kerberos, PKI, smart cards. Presented corrective actions to technology units.
• Developed, assessed and continually improved IT security and compliance, including compliance review programs, documentation standards and all related policies and procedures.
• Provided consistent policy interpretation to business units. Promoted awareness of policies and standards, revisions and developments. Determined technology security framework of the organization and devised plan for implementation, including process improvement tactical plans. Advised developers via participation in an architecture committee about necessary controls to be included in development.
• Researched, developed and wrote security controls policies and standards for various technological platforms including LDAP, DNS, firewalls.
• Defined, planned and managed control self assessment of technology infrastructure, including outsourced segments. Identify, escalate and track non-compliance issues until resolution is achieved; followed COBIT, ITIL, and ISO methodologies, i.e. ISO 17799. Contributed original security documentation to the corporate security policy framework. Provided security requirements to define architecture and provide guidelines to select technologies that ensure systems are protected from unauthorized modification.
• Guided auditors, reviewers, and evaluators, both internal and external, to areas that need assessment and review for adequacy in relation to current standards. Focused recommendations for executive management and Board review. Ability to collaborate with various personnel including users, business sponsors to expedite security project process and monitor progress. Trained personnel in quantitative data analytics.
• Worked with business units to draft Risk Assessments and Business Contingency Plans. Worked with Lines of Business to determine application security methodology for development. Worked with technology groups to identify and validate security exposures and to incorporate/implement patches and security related enhancements to networks, servers and applications.
• Promoted strategic sourcing practices. Worked with IT management to draft strategic plans for deployment of information security technologies and enhance existing systems. Procured, evaluated and retained vendors and consultants for products and services, based on responses to RFI, RFP, presentations, references, and evidence of prior work performed. Planned schedules and budgets to coordinate and track activities related to the implementation of strategic initiatives/objectives. Developed security performance metrics for SLAs presented as part of vendor negotiations.
• Developed/maintained business level security incident reporting process. Developed methodology to ensure integrity and pro-actively respond to forgers, denial-of-service attacks, threat analysis; verify appropriate network countermeasures to attack techniques. Address business continuity infrastructure issues with appropriate technology groups. Worked with vendors to conduct periodic security penetration tests, studies, and corrective action (Veritect, TrueSecure).
• Revised and augmented the COBIT security framework with ISO and ITIL components to provide a comprehensive security standards environment for the Fleet Securities organization, including developing a strategic plan with tactical milestones and a reasonable timeframe with contingencies built in, and the human resource organization for implementation. Documented and codified security standards, guidelines, policies, procedures and practices for the organization in general. Participated in the development, implementation and consistent improvement of IT and network management including change management, configuration management, problem management, and security management.
• Performed gap analysis for policy and standards compliance regarding risk management, security operations, business continuity and disaster recovery. Focused on access path based on profile privileges; recommended revisions in identity and access management.

Sept 1999 - Dec 2000: Jefferson Wells International, New York, New York
Consultant
Worked on various projects from IT Security, Audit, Project Management, Policy Development, etc., for various firms in the Greater NY Area including brokerage, banking, advertising, insurance, etc.
Assisted in practice development for the IT audit and assurance area including internal audit outsourcing. Supported marketing and business development functions by scoping project and planning deliverables. Assisted management with ideas for developing new service offerings and marketing materials. Supported client development activities including proposals and presentations. Maintained strong positive client relationships evidenced by return and new business activities. Managed/supervised/mentored IT auditors on various assignments. Performed all kinds of general and logical IT controls audits.

Dec 1998 - June 1999: Industrial Bank of Japan, New York, NY
Consultant, Information Security Officer reporting to CIO - Systems Department, Americas Division
Directed the implementation of security controls for financial systems coming on line (OMR, ACBS, URBIS) as requested by the business unit managers, systems groups, and vendors. Provide, where necessary, design specs and flows for program, object, or data security controls. Reviewed the systems' analysis and design specs, and implementation process for optimum security and business efficacy. Trained, supervised and evaluated new security officer.
• Developed Bank's Data Security Policies and Procedures including near term and long term targets.
• Re-engineered the data security processes for more efficient business and systems processing. Reviewed access abilities of technologists, business personnel and systems; recommended revisions based on codified profiles, business groupings and least privilege.
• Developed security control guidelines, policies and procedures for all systems including new systems in production and implementation.
• Established guidelines and parameters used to assess risks to mission critical data used by corporate business units to minimize losses as the result of deficiencies in security, data processing and transmission controls.
• Monitored compliance with security guidelines, policies and procedures to ascertain effectiveness and identify additions or modifications of those guidelines. Gathered data for key risk and control indicators with statistics for Management Compliance Reporting.
• Verified the presence of access, data, and physical security as well as transmission/network security prior to systems conversions. Ensured the validity of computing resources and users including identification, authentication and certification.
• Evaluated and reported on the development, implementation and security compliance to senior management, project consultants, and the audit group. Additional reporting on deficiencies and control methods to curtail security shortfalls was made to IS audit.
• Coordinated with developers and testers to create a secure User Acceptance Test environment regarding user access control for new distributed client/server systems, networks and applications.
• Certified controlled access of users and objects to protect resources including systems, networks, applications and data. Collaborated with corporate audit to devise username naming convention for new systems in implementation process.
• Designed a paperless security administration system for implementation by systems technical staff and subsequent security officer.
• Worked with IT Auditors to ensure appropriate general and logical IT controls were in place and properly reviewed.

Feb 1992 - July 1998: Citibank, New York, NY
Vice President, Corporate Audit/Technical Support, Security and Research
• Performed Risk Assessments and Threat Analysis for bank regarding global IT environments. Determined how the organization was vulnerable to unauthorized access, alteration of data, disclosure, and disruption and denial of service. Assessed priorities in terms of time frames, resources available, materiality, and urgency. Negotiated balance of security controls with line management with recommended solutions. Performed penetration tests and investigated weaknesses. Analyzed results through risk assessment algorithms developed for particular business circumstances. Communicated risk requirements to overseas teams.
• Knowledge of all production services functions including system/security administration, change control and management, output management, data transfer/data import/data transformation/data reconciliation (database and data warehouse technology), compliance measurement, business contingency planning/disaster recovery testing and improvement, and appropriate controls included in developed and implemented systems.
• Responsible for and managed all aspects of IT audits including: preparing technology audit plans, training IT and financial auditors and preparing white paper reports for Senior Management for all kinds of audits and reviews, especially general and logical IT controls.
• Performed all kinds of corporate requisite audits including Data Center reviews, operating system reviews and network reviews including LANs, WANs, VPN, and leased lines, as well as firewall deployment. Reviewed firewall deployment of features and architecture. Reviewed operating system features and deployment. Reviewed application systems implementation and maintenance, including change control process as implemented independently at different sites/divisions.
• Reviewed and evaluated the security of numerous in-house client/server systems, mainframe systems, small department networks, etc. as well as the security of multi-platform computer systems, applications and vendor software, including systems analysis, design, architecture and implementation. Advised developers directly about proper application and/or system controls to be part of development.
• Coordinated and participated in integrated financial audit projects, which involved UNIX, WNT operating systems, database/data warehouse design, service level agreements, integrated audits: L/C and check processing, application development and implementation.
• Responsible for reviews of security services and security architecture including authentication, authorization, access control, end-to-end security, non-repudiation of services, common layer APIs, public key technology. Evaluated security software, including network filters to prevent intrusions.
• Re-engineered the IT audit work flow and standardized audit support tools. Developed best of breed methodologies for various audits and communicated audit methodologies to global audit groups.
• Utilized enterprise management software to flush out exposures in operating systems on clients and servers, and other components of the Bank's network infrastructure and architecture, including Cisco and Apache routers, LANs and VPNs.
• Performed security troubleshooting and designed security solutions for multiple environments/platforms. Analyzed and recommended the use of security products or alternative actions when security was inadequate.
• Evaluated security vulnerabilities, assessed their risks and developed means to close/lessen their impact, including network intrusions, operating system holes, file permission issues, spoof countermeasures. Wrote procedure recommendations for password guidelines, password policy, token passwords, security/system administrator permission levels, patch analysis for security lock down, virus prevention and recovery, restricting access to critical services.
• Worked with system technicians to establish a security assessment program in the high profile environments for various financial/banking products/processes (e.g. check processing, securities tracking, etc.), including threat analysis, intrusion detection, attack response, and risk management. As a result, became Subject Matter Expert in Unix flavors and Oracle 7 and 8.
• Monitored and reviewed access violations and other security breaches within the organization. Worked with legal staff to investigate intrusions and break-ins to ascertain the manner of entry into proprietary systems. Collaborated with legal staff to determine level of susceptibility of the Bank's computers to external and internal attacks. Analyzed access abilities and vulnerabilities; recommended revised business and technology groupings with concomitant identity and access privileges based on "need-to-know/do".
• Developed strategic/tactical plans and directed the implementation of a common Information Security process for client/server platforms, i.e. UNIX, WNT, and NOVELL.
• Wrote security policies, procedures and Bank standards to provide cross platform protection and a network framework to measure security compliance for host operating systems such as UNIX (SunOS, Solaris, HP/UX, AIX), and WNT on a TCP/IP network. Highlighted concerns with sendmail.
• Participated in recruiting, training and mentoring staff, as well as evaluating performance and planning professional team development.
• Communicated with various levels of management on status of audit execution and collaborated on efficient closure of issues.
Prior Work Experience
Feb 1990 - Feb 1992: Government: TBTA and School Construction Authority, Queens, New York - Supervisor - EDP Audit
Dec 1988 - Feb 1990: Security Pacific, New York, New York - EDP Audit Supervisor, Bank Officer
July 1986 - Nov 1988: UBAF Arab American Bank, New York, New York - EDP Audit Manager, Bank Officer
Mar 1985 - July 1986: Coopers & Lybrand, New York, New York - Project Leader, Technical Instructor, IT Staff Auditor
Sept 1983 - Mar 1985: Merrill Lynch Capital Markets, New York, New York - Programmer Analyst, Technical Writer
Prior to 1983: New York City Board of Education, Lehman College and Bank Administration Institute - English Instructor

Other Accomplishments
Adjunct Professor, EDP Audit courses at NYU Wagner Graduate School. Developed 3 out of 4 core Graduate courses for Wagner School of Public Administration, provided curriculum for Graduate Professional Certificate of Information Systems Auditing and Security.
Adjunct Professor for English courses at Lehman College and the American Institute of Banking.

Associations
IIA, ISACA (Board of Directors, Secretary, Treasurer, and Editor for NY Metropolitan Chapter newsletter), ISSA, CSI, APBM

Presentations and Published Works
Book Authored: Windows NT, Guidelines for Security, Audit and Control - 1994.
Book Authored: UnixWare, Security, Audit and Control, IT Auditing - Basic Concepts - 1993, 1995 - proprietary for Citibank, NA.
Presentations:
For ISACA (scheduled) - "Developing a Security Awareness Framework and Program" - 2008
For ISSA and ISACA - "Data Warehousing - Security and Control" - May 1999
For IIA - "EDI - Security, Control and Audit" - Feb & Sept 1996
For ISACA - "Data Warehousing - Security, Control and Audit" - Oct 1996
For ISSA - "Windows NT - Security, Control and Audit" - June 1995
For ISACA - "E-mail - Security, Audit and Control" - Nov 1994, Feb 1995
For Micro Managers Assoc. - "Security in a Networking Environment" - Oct 1994
For EDPAA - "Developing Command Procedures for Auditing DEC VAX/VMS" - July 1990
Numerous articles written, ranging from Telecommunications, Data Communications, Data Warehousing, Email, Win NT, Win2K, Unix, Y2K vulnerabilities, etc., published in a range of technical magazines and professional newsletters.

Platforms and Operating/Network Systems, Programming Languages, Control Frameworks
IBM/MVS, DEC VAX/VMS, Unix - HP/UX, Solaris, AIX, SCO, Linux, Novell NetWare, Windows 95, Windows NT, Windows XP, AS/400; Sybase, Oracle, PRISM Data Warehousing; Cisco, IPv4 and v6; Cobol, Fortran, Assembler, C, Tal, VMS, SQL; COSO, COBIT, ISO17799/27000, ITIL

Education
City College of New York, BA, Liberal Arts
Baruch College of City University of New York, Professional Certificate in Computer Programming
Hunter College of City University of New York, Post Graduate Work, almost Masters - Liberal Arts

Certificates
CISA - 1986, CISSP - 2001, CISM - 2003, CIA - 2005, CBM - 2001; candidate: CGEIT, MBCP, PMP

Courses, Seminars, Conferences Attended & Completed
• UNIX and C programming - 1984
• ISSA Conferences: 1995, 1999
• MVS Security Administration - 1985
• Client/Server Security Concepts - 1993
• Audit of RACF and ACF2 - 1985
• Sun Solaris System Administration - 1992
• Novell NetWare System Admin - 1990
• IIA Security and Audit Conferences: 1990, 1994, 1995, 2002
• Risk Assessment and Security Procedures Documentation - 1990
• Microsoft Windows NT Server System Administration 3.51 - 1994
• ISACA Security Conferences: 1986, 1987, 1988, 1990, 1992, 1994, 1996, 1999, 2002, Intn'l 2008
• Microsoft Windows NT Server System Administration 4.0 - 1996
• Microsoft TCP/IP Administration and Security - 1996
• HP/UX System Administration - 1993
• Data Warehouse Conference - 1996, 1998
• HP/UX Networking Concepts - 1993
• Numerous other 1 day technical workshops and seminars

SOX and Other Projects - 2004, 2005, 2006 - As BBE Inc, Block-Linder Inc, and Jefferson-Wells, Inc.

JPMC project summary - subcontractor to Ajilon and Genesis10. Responsibilities:
1st Project - 4 months - Used ITIL process guidelines to measure and improve business efficiency and effectiveness. Prioritized areas for improvement based on risk and exposure. Developed execution plan to address and implement quick hit improvements and institutionalize the change through targeted metrics and reporting. Ensured consistent and repeatable practices, processes and procedures are defined and in place across the data center technologies and global technology infrastructures. Baselined current processes, practices and procedures and established aggregated metrics and key performance indicators across the technology environment. Implemented day-to-day service execution minimum standards. Looked for best practice/standardization opportunities. Worked on developing quality processes. Performed process analysis, established activities, and project plans for execution. I have over 10 years' experience with similar process-oriented functions, e.g. COBIT, etc.; have excellent communication and organization skills; have proven ability to prioritize tasks and manage escalated issues to resolution.
2nd Project - 5 months - Assisted the Risk and Controls areas to gain information about logical user, system and data access controls and whether controls guidelines were being followed.

Citigroup - Logical Access project; Gabelli Asset Management Corp. - SOX 404 & 409 Reviews

CIT Corporation - subcontractor to JWI, 1 month
PeopleSoft Access Security Review and SOX re-performance. Assisted IAD in due diligence of SOX compliance review and selectively re-performed tests for validity, accuracy, and completeness.

AIG Corporation - subcontractor to JWI, 2 months
Participated in 2 SOX reviews:
1) Open item left by previous IT auditor. Had to troubleshoot and finish project on time including draft report.
2) IT SOX review performed in < 3 weeks: also entailed following up after previous IT auditor, closing all open items and generating a draft report.

Amscan Manufacturing and Distribution - subcontractor to Apprimus, 1 month
Strategic Security review and knowledge transfer/training for various senior/executive management. Reviewed access requirements for users and assisted CIO in determining whether Citrix or SSL VPN are good for their environment. Also extricated requirements for IPS/IDS system. Helped the CIO get a handle on the security architecture by developing a set of data flow diagrams to help isolate the security needs and where the security infrastructure needs fortification. Isolated gaps in the architecture and worked with the ISO to prepare for a SOX audit. Developed project plan; worked with client personnel to define objectives, scope, deliverables; estimated resource needs to meet project requirements; designed security process improvements with recommendations for implementation; ensured information collected and documented accurately reflected circumstance status. Organized meetings with various work teams to collect and disseminate project information. Worked effectively with IT group/personnel, vendors, and other related members to ensure successful completion/resolution of project.

Westcon Networking Corporation - subcontractor to PNET, 1 month
Strategic Security review and knowledge transfer/training for various senior/executive management. Reviewed security architecture in place, initiated policy-procedure framework for security. Interviewed multiple discipline management personnel as part of security review. Suggested enhancements for ISO 17799 choice appropriate to a global international organization. Initiated training for mid-level project manager for Information Security Officer position. Designed and scoped project phases and steps to completion.

Steve Madden Manufacturing - subcontractor to Geller & Associates, 3 months
Reviewed prior audits performed. Reviewed prior SOX work performed. Reviewed compliance questionnaires, wrote tests and evaluated results of tests of controls, summarized issues into control sheets per COSO and recommended remediation steps for exposures or failed controls. Worked with CIO to conform to compliance requirements and guided development of an ongoing program of compliance review. Developed project plan; worked with CIO, CFO and external auditor to define objectives, scope, deliverables; estimated resource needs to meet SOX project requirements; designed security process improvements with recommendations for implementation to close gaps found; ensured information collected and documented accurately reflected circumstance status. Organized meetings with various personnel to collect and disseminate project information. Worked effectively with IT personnel, vendors, and other related members, i.e. financial, to ensure successful completion/resolution of SOX project. Trained/mentored CIO in applicable COBIT standards.

SL Green Real Estate - subcontractor, 2 months
Reviewed the Test plan and revised and rewrote the tests of controls to conform to SOX requirements. Performed SOX IT tests of controls and summarized issues into controls sheets per COSO and recommended remediation steps for exposures or failed controls.

Provident Bank - subcontractor, 2 months
Reviewed compliance questionnaires, wrote tests and evaluated results of tests of controls, summarized issues into control sheets per COSO and recommended remediation steps for exposures or failed controls. Worked with Risk VP to develop policies and procedures and processes to fulfill the remediation effort and eliminate weaknesses.

UPS - subcontractor to Tekmark, 2 months
Reviewed compliance questionnaires, diagrammed processes, isolated exposures/risks, located controls, wrote tests and evaluated results of tests of controls - which became the standard for all subsequent consulting work done - summarized issues into control sheets per COSO and recommended remediation steps for exposures or failed controls.

Instinet - subcontractor to JWI, 2 months
Diagrammed processes, isolated exposures/risks, located controls, wrote tests and evaluated results of tests of controls, summarized issues into control sheets per COSO and recommended remediation steps for exposures or failed controls.

Finley Jewelers - subcontractor to CSI, project manager, 3 months
Managed the review process for: compliance questionnaires, diagrammed processes; isolated exposures/risks, located controls; managed the design of tests and evaluation of test results of controls - which became the standard for all subsequent consulting work done; reviewed comments/work of staff who summarized issues into control sheets per COSO and recommended remediation steps for exposures or failed controls.

Note: As part of project execution: manage project scope to fit requirements; provide weekly project updates for leadership team/personnel - both written and verbal; inform project partners on issues uncovered; identify risks and suggest mitigation recommendations.
