Posted on: 2017-08-21
MARILYN SOUSA
(719) 650-3161 | [email protected] | Littleton, CO
LinkedIn: www.linkedin.com/in/marilyn-sousa-cisa-crisc-cism
------------
CAREER PROFILE:
- Senior-level experience with regulatory requirements as an auditor, as the person brought in to mitigate findings, or as the consultant working with a client to bring a system to compliance standards. Includes security risk audits, scanning, security reports, and policy development and writing.
- Track record of over 12 years' experience with NIST, SCADA, HIPAA, PCI, and SOX, encompassing an understanding of the current Risk Management Framework, DREAD and OWASP threat modeling, data privacy, and ISO 27001/2 application controls and processes.
- Security and network consulting to include network compliance testing, vulnerability assessments, security risk analysis, security education and communication of issues.
- Proficient and knowledgeable in security compliance tasks: identifying issues, recommending appropriate actions, and implementing and reviewing information security program strategy, policy and processes. Adept in analyzing system requirements.
- Experienced security consultant (looking for a direct hire position that can utilize my vast experience) with a background in network engineering for WAN, LAN, Telephony (ISP and video) and InfoSec. Prior military service - U.S. Air Force.
- Industry certified ISACA CSX, CISA, CRISC and CISM.
PROFESSIONAL EXPERIENCE:
Sr. Security & Compliance Project Manager Consultant
TechOne Staffing, Inc. – Denver, CO February 2017 – Present
- Contracted consultant to Kaiser Permanente in their Infrastructure Management Group to implement assessments to the RACI model of compliance using NIST 800-66 for HIPAA and NIST 800-53 and NIST 800-53a for baseline assessments.
- Provides advance compliance program consulting to focus on identified IT controls to align for governance of HIPAA, PHI, ePHI, PII, PCI, SOX, FDA and Best Practice.
Sr Analyst – Vendor Information Security Oversight Consultant
Randstad USA – Denver, CO August 2016 – January 2017
- Contracted for 6 months to Charles Schwab (Schwab Bank and Charles Schwab & Company) as a consultant for Information Security Risk Management. A key supporter in vendor third party controls assessment review, vendor selection input, vendor deficiency identification and management, vendor cyber incident management and vendor relationship Information Security oversight program to meet State and Federal Reserve legislation and regulations to include NIST 800-53, PCI, SOX, ISO and Best Practices.
- Served as the responsible subject matter expert on vendor cyber security risk to include leading risk identification, quantification, and management efforts.
- Identified deficiencies and vulnerabilities with vendors; escalated issues associated with vendors as needed; assessed remediation plans and non-compliance acceptances where Information Security standards compliance could not be achieved; and validated evidence from vendors before findings were closed.
Sr. Security & Compliance Business Consultant
Rose International – Denver, CO April 2015 – August 2016
- Contracted consultant to Kaiser Permanente to their Technology Risk Management and HIPAA Security Program for risk profiling of applications and clinical devices for IT governance for HIPAA, PHI, ePHI, PII, PCI, SOX, FDA and Best Practice.
- Performed IT security assessments/audits to meet company regulatory requirements for applications (Microsoft, IBM RACF, Cloud), Security Operations assets, Facility Operations assets and medical clinical equipment with customers and vendors.
- Gathered and documented risk & control assessment results, working as a liaison with business unit directors, managers and clients; provide security risk reports; conducted one-on-one meetings with the asset owners and performed quality assurance checks.
In Transition February 2015 – April 2015
- Completed consulting sub-contract and moved to the Greater Denver, CO area. Completed next Cybersecurity certification. Also collaborated with ISACA on their certification program for Cybersecurity Nexus (CSX) III.
Third Party Global Cyber Security (GCS) Assessment Consultant
InSight Global – Houston, TX July 2014 – February 2015
- Contracted consultant to work with the Hewlett-Packard (HP) Global Cyber Security team to identify and gather supporting artifacts / documents for third party cyber security governance audits (vendors and business partners) that desired to or currently did business with HP.
- To understand and interpret Legal, Regulatory and contractual compliance requirements across multiple industries and regions focusing on Data & Network Security and Privacy, customer security and privacy schedules. Supported contract negotiation activities.
- Assessed, interpreted and summarized results of data gathering efforts to determine the associated security risk of the third party supplier following the applicable standards - SIG7, HIPAA, PCI, SOX, ISO/IEC 27001/2, NIST, Safe Harbor, EU Data Protection Directive and/or Best Practice – as they applied to the Supplier (Vendor) and HP.
- Managed metrics and tracked assessments in the risk engine database, RSA Archer.
Sr. IT & Cyber Security Consultant
CSE ICON, Inc. (W-Industries, Inc.) – Houston, TX October 2013 – July 2014
- Contracted consultant to Energy Transfer Inc. to validate big three audit findings and evaluate the IT and cyber security (policy, procedures, utilizing CSET) of their oil and gas enterprise systems and automated industrial control systems (ICS / SCADA). Managed and developed a hybrid risk and standards-based approach for IT governance (NIST 800-53 & 800-82, ISO/IEC 27001/2, PCI DSS, CSC SANS Top 20, INGAA) policies and procedures.
- Contracted to consult with INGAA (Interstate Natural Gas Association of America) on defining how the NIST Cyber Security Framework (CSF) will enhance their current cyber security programs. Skilled at defining frameworks, strategic plans, processes, policies and procedures for meeting IT & Cyber Security requirements. Recognizes what will fulfill requirements for internal audit and assists in efforts to develop these requirements.
Sr. System IT Security Engineer
MRI Technologies – Houston, TX July 2012 – October 2013
- Sub-contracted consultant to Raytheon as their IT security representative. Managed and provided security compliance verification and implementation for the Neutral Buoyancy Laboratory and the Space Vehicle Mock-up Facility of the International Space Station (ISS) industrial control systems (ICS), which utilize Rockwell Automation software, following the ICS SCADA controls in NIST 800-82 and 800-53 at Space Center Houston (NASA).
- Developed, implemented and maintained information technology security standards and procedures. Scheduled and performed quarterly continuous monitoring using McAfee Foundstone vulnerability scans. Ensured compliance activities to include laptop and CPU data at rest whole disk encryption, IT inventory, configuration documentation, application health monitoring, patching and change management procedures.
- Maintained documentation required for compliance – System Security Plans (SSP), Risk Assessment Reports, Contingency Plans, POA&Ms in compliance with NIST 800-53a.
In Transition April 2012 – July 2012
- Completed consulting sub-contract. In transition. Keeping up to date on the latest in IT Security - (Cloud computing, reviewing the newest revision NIST 800-53).
Sr. Network Security Engineer
Brandon Technology Consulting, Inc. – Alexandria, VA January 2012 – April 2012
- Sub-contracted as a consultant to provide IT security compliance verification. Responsible for completing Security Compliance Testing (utilizing Nessus scans), Security Test Plans, Vulnerability Matrices, Accreditation Reports and Risk Assessment Reports in the support of the Defense Health Headquarters (DHHQ) TRICARE systems. Ensuring HIPAA, PCI DSS, DIACAP and FISMA / NIST requirements are met / identified.
- Utilized the Defense Information Systems Agency (DISA) approved checklists. Reviewed (SRR) scripts and Production Gold Disk (PGD) scripts used to assess servers, workstations and network equipment for their compliance with regulatory standards.
- Responsibilities included secure system engineering and development, system / security requirements analysis and secure system definition and development of Information Assurance specifications, policies, and procedures using technical and analytical skills.
Sr. Information Assurance Engineer
NCI Information Systems, Inc. – Colorado Springs, CO September 2011 – January 2012
- Security advisor – IT support staff / network technical facilitator for the U.S. Air Force Space Command (AFSPC) Cyber Surety Division to provide Information Assurance (IA) guidance, clarification and governance direction to AF Wings and units, as well as to the Air Force designated authorizing authority.
- Technical Subject Matter Expert (SME) consultant tasked with reviewing and drafting guidance for both AFSPC and Air Force level guidance. Attended meetings and advised government on IT compliance with reference to IA from DoD and Federal regulations.
Sr. Computer Security & Information Protection Specialist
Yoh Inc. – Colorado Springs, CO September 2010 – September 2011
- Sub-Contracted to The Boeing Company (consecutive 3 and 9 month sub-contracts) as a consultant to evaluate, communicate and mitigate computing and information security risks for the Air Force 2SOPS GPS (Global Positioning System) systems.
- Developed governance policies and provided oversight for protection of IT computing security systems. Participated in the development of information assurance materials and processes for disaster recovery and contingency plans for the individual GPS systems.
- Interfaced with the appropriate government agencies, customers, and company personnel in order to facilitate implementation of protective mechanisms and to ensure understanding of and compliance with computing security requirements.
In Transition June 2010 – September 2010
- Government funding cut for last position. In transition. Moved back to Colorado. Studying for the CISM and CRISC. Keeping up to date on the latest NIST 800-53.
Sr. Systems Analyst
Yoh IT, Inc - North Charleston, SC April 2010 – June 2010
(Government funding cut and slot was eliminated)
- Sub-Contracted to SAIC as a consultant to provide Information Assurance (IA) Certification and Accreditation (C&A) and Cross Domain Solution (CDS) support to the Navy at the Space and Naval Warfare Systems Command (SPAWAR).
- Provided engineering, integration, technical and administration support consistent with IA, C&A and CDS activities for both ship and shore locations.
Sr. Consultant - Systems Security Engineer
BAH, Inc. - North Charleston, SC December 2009 – April 2010
- Accomplished NIST and PCI DSS (Payment Card Industry Data Security Standard) compliance verification for the US Department of Veterans Affairs system hosted at Terremark - Verizon Cloud services.
- Reviewed and provided input on compliance closures for the Information Security Manager of assessments performed for the NSF (National Science Foundation) Antarctica project. Developed guidance documents for POA&Ms, Security Planning, policy/standards and presented to upper management at NSF in Arlington, VA.
Sr. C&A Security Analyst
G&B Solutions, Inc. - Lakewood, CO December 2008 – December 2009
- Contracted to provide the Department of Interior’s (DOI) National Business Center Division (NBC) with FISMA / NIST 800-53 auditing, FIPS 199 assessment and InfoSec direction by identifying unique system characteristics, interviewing key organizational personnel (technical, administrative and executive), composed documentation (security categorizations, risk assessments, contingency planning, etc.), and mapped technical requirements to prescribed security controls, policies and practices.
- Conducted in-depth technical reviews of new and existing IT systems (Windows, UNIX, RACF) in order to identify the appropriate mitigation strategies required to bring these systems into compliance with policy and industry guidelines for the DOI and the Department of Transportation (DOT). Performed security analysis on multi-tiered systems according to vulnerability, risk, security features, and technical areas.
Sr. Systems Security Engineer
Boecore, Inc. – Colorado Springs, CO December 2007 – December 2008
(Funding cut and slot was eliminated)
- Contracted consultant to Northrop Grumman Mission Systems to provide technical expertise in Information Assurance at the Joint National Integration Center (JNIC) and Missile Defense Agency for IT security compliance with classified / unclassified systems.
- Responsibilities included providing technical security engineering support for complex software, hardware, network intelligence systems.
- Supported the government in preparation of C&A documentation; ran RETINA scans and DISA Gold Disk; reviewed ArcSight logs; recommended computer security requirements of local area and wide area networks.
Sr. Systems Security Engineer
Hire Return - Lakewood, CO June 2007 – December 2007
- Sub-Contracted (six months) to G&B Solutions as a consultant to provide the Department of Interior’s (DOI) National Business Center Division with FISMA / NIST auditing, assessment and INFOSEC direction for multiple systems (Windows, UNIX, RACF).
- Development of System Security Plans (SSPs), Risk Assessments, and Asset Valuations. Proficient in information security concepts and application security “best practices”. Responsibilities included ensuring compliance with security standards and procedures.
- Development and execution of C&A, ST&E and SSP documentation along with vulnerability testing. Conducted C&A security test and evaluations for the DOI. Performed FIPS 199 and NIST security standards-compliant statistical security analysis on a multi-tiered system according to vulnerability, risk, security features, and technical areas.
Sr. Systems Security Engineer / Assistant Lead
Northrop Grumman Mission Systems – Colorado Springs, CO March 2004 – June 2007
- Responsible for coordination of system security engineering related projects and tasks. Provided technical expertise in Information Assurance (IA) for the Missile Defense Agency and Joint National Integration Center for security compliance support and cross domain information solutions for networks to meet regulatory requirements.
- Provided technical security engineering knowledge and support for complex software, hardware, network systems; designed, developed and executed security tests and evaluations (ST&E), vulnerability assessments and audits; accomplished risk mitigation, analysis of security threats and current trends. Recommended security mitigation.
- Conducted system-level design reviews and risk management assessments. Assisted with computer security engineering for classified / unclassified networks; planning and implementation by reviewing and developing program documentation, ran Internet Security Scanner (ISS) and RETINA scans for compliance certifications.
CERTIFICATIONS & EDUCATION:
- Studying for the CPIT - Certified Information Privacy
- ISACA Cybersecurity Nexus (CSX) 2015
- Certified in Risk and Information Systems Control (CRISC) 2011
- Certified Information Security Manager (CISM) 2011
- Certified Information Systems Auditor (CISA) 2010
- Security+ Certified 2006
- Auditing and Monitoring Windows 2003 Server 2006
- Certified Multimedia Design Networks Specialist 2000
- State-of-The Art Program – Frame Relay, Fast Packet and ATM & ISDN 1996
- A.A., General Studies, University of Maryland 1992
- A.A.S., Electronic Systems Technology, Community College of the Air Force 1990
TECHNICAL TRAINING:
- CISSP Boot Camp 2011
- Cyber Security Assessment Management (CSAM) 2009
- SANS System Forensics, Investigation & Response Course 2005
- eEye Retina REM Administrator CBT Course 2005
- SANS Intrusion Detection Course 2004