Posted on: 2017-09-04
MARILYN SOUSA
(719) 650-3161 | [email protected] | Littleton, CO
LinkedIn: www.linkedin.com/in/marilyn-sousa-cisa-crisc-cism
------------
CAREER PROFILE:
As a consultant, I have progressively maintained and expanded my skillset and proficiencies by taking on various contract projects. Committed to these projects, to seeing them through to conclusion, I’ve worked in different cultures, adapted and gained knowledge.
Looking to take on a permanent role in Colorado; sit down long-term with a company where my vast experience can impact an organization and bring value.
SKILLS:
- Experienced, senior-level knowledge of regulatory requirements as an auditor; or as the person brought in to mitigate; or, to work with a client to bring a system to compliance standards. Includes security risk audit, scanning, security reports, policy development and writing.
- Industry certified ISACA CSX, CISA, CRISC and CISM.
- Track record of over 12 years’ contracting experience with NIST, SCADA, HIPAA, SIG7, SOC, PCI, PII, SOX and Best Practices; encompasses the understanding of current Risk Management Framework, DREAD and OWASP threat modeling, Data Privacy, ISO 27001/2 application controls - processes. Includes audits on internal networks and 3rd party associates.
- Proficient and knowledgeable with network compliance testing, vulnerability assessments, identifying issues, security risk analysis, analyzing system requirements for internal audit and regulatory reporting, communication of issues. Adept in development and review of Information Technology security program strategy, policy and processes.
- Background in network engineering for WAN, LAN, Telephony (ISP and video) and InfoSec. Military service veteran - U.S. Air Force.
CONTRACTING EXPERIENCE: Projects completed for contract agencies for multiple projects.
Project 1: Denver, CO
Contract Consultant - Sr. Security & Compliance Project Manager to Kaiser Permanente
- Contracted to Kaiser Permanente Infrastructure Management Group to schedule and implement assessments to the RACI model of compliance using NIST 800-66 for HIPAA and NIST 800-53 and NIST 800-53a for baseline assessments.
- Provides advanced compliance program consulting to focus on identified IT controls to align for governance of HIPAA, PHI, ePHI, PII, PCI, SOC, FDA and Best Practice.
Duration: February 2017 - Present
Project 2: Denver, CO
Contract Consultant - Sr. Analyst Vendor Information Security Oversight to Charles Schwab
- Contracted to Charles Schwab (Schwab Bank and Charles Schwab & Company) for Risk Management. Conducted complex vendor third party controls assessments; identified vendor gaps / deficiencies; ensured that applicable requirements were met for State and Federal Reserve regulations including NIST 800-53, PCI, SOC, ISO and Best Practices.
- Served as the responsible subject matter expert on vendor cyber security risk to include leading risk identification, quantification, and management efforts.
- Assessed remediation plans and non-compliance acceptances where Information Security standards compliance could not be achieved in the environment; and validated evidence from vendors before findings were closed. Tracked in RSA Archer.
Duration: August 2016 - February 2017
Project 3: Denver, CO
Contract Consultant - Sr. Security & Compliance Business Consultant to Kaiser Permanente
- Contracted to Kaiser Permanente Technology Risk Management and HIPAA Security Program for risk profiling of applications and clinical devices for IT governance for HIPAA, PHI, ePHI, PII, PCI, SOC, SOX, FDA and Best Practice.
- Performed IT security assessment to ensure consistency of internal controls to meet regulatory requirements for networks (Microsoft, IBM RACF, Cloud), Security Operations assets, Facility Operations assets and medical equipment with clients and vendors.
- Gathered and documented risk & control assessment results, working as a liaison with business unit directors, managers and clients; provided security risk reports; conducted one-on-one meetings with the asset owners and performed quality assurance checks.
Duration: April 2015 - August 2016
In Transition
- Completed contracted project. Moved to Denver, CO. Passed Cybersecurity certification. Collaborated with ISACA on their certification program for Cybersecurity Nexus (CSX) III.
Duration: February 2015 - April 2015
Project 4: Houston, TX
Contract Consultant - Third Party Global Cyber Security (GCS) Assessment to HP
- Contracted to Hewlett-Packard (HP) Global Cyber Security team to assess / identify supporting documents for security governance audits of vendors and business partners. Tracked assessments in the risk engine database, RSA Archer.
- Reviewed and interpreted legal, regulatory and contractual compliance requirements across multiple industries focusing on Data & Network Security and Privacy, customer security and privacy schedules. Identified needed updates to existing contracts for gaps to support security compliance assessments.
- Assessed, interpreted and summarized results to determine the associated security risk following the associated standards - SIG7, HIPAA, SOC, PCI, SOX, ISO/IEC 27001/2, NIST, Safe Harbor, EU Data Protection Directive and/or Best Practice.
- Communicated best practices and risks to all parts of the business.
Duration: July 2014 - February 2015
Project 5: Houston, TX
Contract Consultant - Sr. IT & Cyber Security Consultant to Energy Transfer Inc. and INGAA
- Contracted to Energy Transfer Inc. to validate big three audit findings and assess their IT security policies and procedures posture for their oil and gas enterprise systems and automated industrial control systems (ICS / SCADA).
- Managed the creation, enhancement, and adoption of information security policies and standards consistent with the needs of Energy Transfer’s business segments. Promoted practical information security risk assessments through a hybrid risk and standards-based approach for IT governance. (NIST 800-53 & 800-82, ISO/IEC 27001/2, PCI DSS, CSC SANS Top 20, INGAA).
- Contracted to consult with INGAA (Interstate Natural Gas Association of America), defining how the NIST Cyber Security Framework would enhance their cyber security programs.
Duration: October 2013 - July 2014
Project 6: Houston, TX
Contract Consultant - Sr. System IT Security Engineer to Space Center Houston (NASA)
- Sub-contracted to Raytheon at Space Center Houston (NASA). Managed and provided security compliance verification and implementation for the Neutral Buoyancy Laboratory and the Space Vehicle Mock-up Facility of the International Space Station (ISS) industrial control systems (ICS) that utilize Rockwell Automation software following ICS SCADA controls in NIST 800-82 and 800-53a.
- Developed, implemented and maintained IT security standards, procedures, policies and Risk Assessment Reports. Scheduled and performed quarterly vulnerability scans for continuous monitoring using McAfee Foundstone. Ensured security compliance activities to include data at rest for whole disk encryption, IT inventory, application health monitoring configuration documentation, patching and change management procedures.
- Proactively collaborated with network engineers and system administrators on implementation of information security protocols and practical controls framework for the ever-changing regulatory requirements and client standards.
Duration: July 2012 - October 2013
In Transition
- Completed consulting project. Keeping up to date on the latest in IT Security. (Cloud computing, reviewing the newest revision NIST 800-53).
Duration: April 2012 - July 2012
Project 7: Alexandria, VA
Contract Consultant - Sr. Network Security Engineer to Defense Health Headquarters (DHHQ) TRICARE
- Sub-contracted to provide IT security compliance verification. Responsible for completing Security Compliance Testing (utilizing Nessus scans), Security Test Plans, Vulnerability Matrices, Accreditation Reports and Risk Assessment Reports in the support of the Defense Health Headquarters (DHHQ) TRICARE systems. Ensured HIPAA, PCI DSS, DIACAP and FISMA / NIST requirements were met / identified.
- Utilized the Defense Information Systems Agency (DISA) approved checklists. Reviewed (SRR) scripts and Production Gold Disk (PGD) scripts to assess servers, workstations and network equipment configuration for their compliance with regulatory standards.
- Responsibilities included secure system engineering and development, system / security requirements analysis and secure system definition and development of Information Assurance specifications, policies, and procedures using technical and analytical skills.
Duration: January 2012 - April 2012
Project 8: Colorado Springs, CO
Contract Consultant - Sr. Information Assurance Engineer to U.S. Air Force Space Command (AFSPC)
- Security advisor - IT support staff / network technical facilitator for the U.S. Air Force Space Command (AFSPC) Cyber Surety Division to provide Information Assurance (IA) guidance, clarification and governance direction to AF Wings and units.
- Technical Subject Matter Expert (SME) tasked with reviewing and drafting guidance for both AFSPC and Air Force level guidance. Attended meetings and advised government officials on IT compliance with reference to IA from DoD and Federal regulations.
Duration: September 2011 - January 2012
Project 9: Colorado Springs, CO
Contract Consultant - Sr. Computer Security & Information Protection Specialist to The Boeing Company
- Sub-Contracted to The Boeing Company to evaluate, communicate and mitigate computing and information security risks for the Air Force 2SOPS GPS (Global Positioning System).
- Developed governance policies and provided oversight for protection of IT computing security systems. Led the development - creation of information assurance materials and processes for disaster recovery plans, contingency plans and business continuity plans of the individual GPS systems - sites.
- Interfaced with the appropriate government agencies, customers, and company personnel to facilitate implementation of protective mechanisms and to ensure understanding of and compliance with computing security requirements.
Duration: September 2010 - September 2011
In Transition
- Government funding cut and slot was eliminated for last position. Moved back to Colorado. Studying for the CISM and CRISC. Keeping up to date on the latest NIST 800-53.
Duration: June 2010 - September 2010
Project 10: North Charleston, SC
Contract Consultant - Sr. Systems Analyst to Navy at the Space and Naval Warfare Systems Command (SPAWAR)
- Sub-Contracted by SAIC to provide Information Assurance (IA) Certification and Accreditation (C&A) and Cross Domain Solution (CDS) support to the Navy at the Space and Naval Warfare Systems Command (SPAWAR).
- Provided engineering, integration, technical and administration support consistent with IA, C&A and CDS activities for both ship and shore locations.
Duration: April 2010 - June 2010
Project 11: North Charleston, SC
Contract Consultant - Sr. Systems Security Engineer to VA, NSF and IRS
- Contracted to accomplish NIST and PCI DSS (Payment Card Industry Data Security Standard) compliance verification audits for the US Department of Veterans Affairs.
- Reviewed monthly risk assessment reports for the senior executive team quantifying and verifying action plans to remediate identified risks; and, evaluated compliance closures for the Information Security Manager of audits performed for the NSF (National Science Foundation) Antarctica project.
- Developed guidance documents for POA&Ms, Security Planning, policy/standards and presented to upper management at NSF in Arlington, VA.
Duration: December 2009 - April 2010
Project 12: Lakewood, CO
Contract Consultant - Sr. C&A Security Analyst to Department of Interior (DOI)
- Contracted to the Department of Interior’s (DOI) National Business Center Division (NBC) for FISMA / NIST 800-53a auditing, FIPS 199 assessment and InfoSec direction by identifying unique system characteristics, interviewing key organizational personnel (technical, administrative and executive); composed documentation (security categorizations, risk assessments, contingency planning, etc.); and, mapped technical requirements to prescribed security controls, policies and practices.
- Conducted in-depth technical reviews of new and existing IT systems (Windows, UNIX, RACF) to identify the appropriate mitigation strategies required to meet compliance with policy and industry guidelines for the DOI and the Department of Transportation (DOT). Performed security analysis on multi-tiered systems according to vulnerability and risk.
Duration: December 2008 - December 2009
Project 13: Colorado Springs, CO
Contract Consultant - Sr. Systems Security Engineer to Joint National Integration Center (JNIC) and Missile Defense Agency
- Contracted to Northrop Grumman Mission Systems to provide technical expertise in Information Assurance at the Joint National Integration Center (JNIC) and Missile Defense Agency for IT security compliance with classified / unclassified systems.
- Responsibilities included providing technical security engineering support for complex software, hardware, and network systems; executed security tests and evaluations; vulnerability assessments and audits; and, risk mitigation and analysis of security threats.
- Worked closely with other IT groups in ensuring the security administration and protection of information assets including data, systems, databases, networks, and other resources.
- Supported the government in preparation of C&A documentation; ran RETINA scans and DISA Gold Disk; reviewed ArcSight logs; recommended computer security requirements of local area and wide area networks.
Duration: December 2007 - December 2008
Project 14: Lakewood, CO
Contract Consultant - Sr. Systems Security Engineer to Department of Interior (DOI)
- Sub-Contracted to G&B Solutions to provide the Department of Interior’s (DOI) National Business Center Division with FISMA / NIST auditing, assessment and INFOSEC direction.
- Developed System Security Plans (SSPs), Risk Assessments, and Asset Valuations. Proficient in information security concepts and application security “best practices”. Responsibilities included ensuring compliance with security standards and procedures.
- Developed and executed IT Security documentation along with vulnerability testing. Conducted C&A security test and evaluations for the DOI. Performed FIPS 199 and NIST security standards-compliant statistical security analysis on a multi-tiered system according to vulnerability, risk, security features, and technical areas.
Duration: June 2007 - December 2007
Project 15: Colorado Springs, CO
Contract Consultant - Sr. Systems Security Engineer / Assistant Lead to Joint National Integration Center (JNIC) and Missile Defense Agency
- Contracted to be accountable for coordination of system security engineering related projects and tasks. Provided technical expertise in Information Assurance (IA) for the Missile Defense Agency and Joint National Integration Center for security compliance support and cross domain information solutions of networks to meet set requirements. Ensured IT and R&D followed established information security policies and procedures.
- Conducted system-level design reviews and risk management assessments. Assisted with computer security engineering for classified / unclassified networks; planning and implementation by reviewing and developing program documentation, ran RETINA scans for compliance certifications. Recommended security mitigation.
Duration: March 2004 - June 2007
CERTIFICATIONS & EDUCATION:
- ISACA Cybersecurity Nexus (CSX) 2015
- Certified in Risk and Information Systems Control (CRISC) 2011
- Certified Information Security Manager (CISM) 2011
- Certified Information Systems Auditor (CISA) 2010
- Security+ Certified 2006
- Auditing and Monitoring Windows 2003 Server 2006
- Certified Multimedia Design Networks Specialist 2000
- State-of-the-Art Program - Frame Relay, Fast Packet and ATM & ISDN 1996
- A.A., General Studies, University of Maryland 1992
- A.A.S., Electronic Systems Technology, Community College of the Air Force 1990
TECHNICAL TRAINING:
- CISSP Boot Camp 2011
- Cyber Security Assessment Management (CSAM) 2009
- SANS System Forensics, Investigation & Response Course 2005
- eEye Retina REM Administrator CBT Course 2005
- SANS Intrusion Detection Course 2004
...