IT Security Compliance

Posted on: 2018-01-17


LinkedIn: www.linkedin.com/in/marilyn-sousa-cisa-crisc-cism

------------

CAREER PROFILE:

Track record of over 9 years as an IT and Cyber Security Consultant. Experience includes security compliance and audits on internal networks and 3rd-party associates.

Progressively expanded my skillset and proficiencies by taking on various projects. Committed to these projects with integrity and reliability, seeing them through. Looking for a direct hire or contract-to-hire position with a company where my experience can impact an organization and bring value.


SKILLS & EXPERTISE:

  • Industry certified through ISACA: CISA, CRISC and CISM.

Areas of Expertise

• Business Continuity - Disaster Recovery

• Security Risk Assessment & Management

• Privacy

• Security Architecture & Engineering

• Policy Management & Compliance

• Security Program Management

• Security Operations

• Auditing & Assessing


  • Proficient and knowledgeable with network compliance testing, identifying issues, vulnerability assessments, security risk analysis, analyzing requirements for internal audit and regulatory reporting, and communication of issues. Adept in development and review of Information Technology security program strategy, policy and processes.
  • Following standards of NIST, SCADA, HIPAA, SIG7, SOC, PCI, PII, SOX and Best Practices; encompasses the understanding of current Risk Management Framework, DREAD and OWASP threat modeling, Data Privacy, ISO 27001/2 application controls - processes.
  • Background in network engineering for WAN, LAN, Telephony (ISP and video) and InfoSec. Military service veteran - U.S. Air Force.


CONSULTING EXPERIENCE:  Projects completed for contract agencies for multiple projects.

Project 1:  TechOne Staffing, Inc – Greenwood Village, CO

Contract Consultant - Sr. Security & Compliance Consultant to Kaiser Permanente

  • Schedule and implement assessments with system owners using NIST 800-66 for HIPAA and NIST 800-53, NIST 800-53a and NIST 800-37 for baseline assessments.
  • Provide advance compliance program consulting to focus on identified NIST Controls to align for governance of HIPAA, PHI, ePHI, PII, PCI, SOC, FDA and Best Practice.
  • Define the boundaries of applications / infrastructure, review network diagrams (Visio) and gather evidence to support that the identified NIST Controls are in compliance with IBM.

Duration:  February 2017 – Present

Project 2:  Randstad Technologies, LP – Lone Tree, CO

Contract Consultant - Sr. Analyst Vendor Information Security Oversight to Charles Schwab

  • Conducted vendor third party control assessments; identified vendor gaps / deficiencies; ensured that applicable requirements were met for State and Federal Reserve regulations - NIST 800-53a & 800-37, PCI, SOC, ISO and Best Practices.
  • Responsible subject matter expert on vendor cyber security risk to include leading risk identification, quantification, and management efforts.
  • Assessed remediation plans and non-compliance acceptances. Validated evidence from vendors before findings were closed. Tracked in RSA Archer.

Duration:  August 2016 - February 2017


Project 3:  Rose International - Greenwood Village, CO

Contract Consultant - Sr. Security & Compliance Business Consultant to Kaiser Permanente

  • Risk profiling of clinical devices and applications for IT governance for HIPAA, PHI, ePHI, PII, PCI, SOC, SOX, FDA and Best Practice.
  • Performed IT security assessments of networks (IBM RACF, Cloud), Security Operations assets, Facility Operations assets and medical equipment with clients and vendors.
  • Gathered and documented risk & control assessment results; working as a liaison with business unit directors, managers and clients; provided security risk reports; conducted one-on-one meetings with the asset owners and performed quality assurance checks.

Duration:  April 2015 - August 2016


In Transition

  • Completed contracted project. Moved to Denver, CO. Passed Cybersecurity certification. Collaborated with ISACA on their certification program for Cybersecurity Nexus (CSX) III.

Duration:  February 2015 - April 2015


Project 4:  InSight Global - Houston, TX

Contract Consultant - Third Party Global Cyber Security (GCS) Assessment to HP

  • Assessed supporting documents for security governance audits of vendors and business partners. Tracked assessments in the RSA Archer for Hewlett-Packard (HP) Global.
  • Reviewed and interpreted legal, regulatory and contractual compliance requirements across multiple industries focusing on Data & Network Security and Privacy, customer security and privacy schedules. Identified needed updates to existing contracts for gaps to assess.
  • Assessed to the associated security risk standards - SIG7, HIPAA, SOC, PCI, SOX, ISO/IEC 27001/2, NIST 800-53a & 800-37, Safe Harbor, EU Data Protection Directive and/or Best Practice.
  • Communicated best practices and risks to all parts of the business.

Duration: July 2014 - February 2015


Project 5:  W-Industries (CSE ICON) - Houston, TX

Contract Consultant - Sr. IT & Cyber Security Consultant to Energy Transfer Inc. and INGAA

  • Contracted to Energy Transfer Inc. to validate big three audit findings and assess their IT security policies and procedures posture for their oil and gas enterprise systems and automated industrial control systems (ICS / SCADA).
  • Managed the creation, enhancement, and adoption of information security policies and standards consistent with the needs of Energy Transfer’s business segments. Promoted practical information security risk assessments through a hybrid risk and standards-based approach for IT governance. (NIST 800-53, 800-82 & 800-37, ISO/IEC 27001/2, PCI DSS, CSC SAN Top 20, INGAA).
  • Contracted to consult with INGAA (Interstate Natural Gas Association of America), defining how the NIST Cyber Security Framework would enhance their cyber security programs.

Duration:  October 2013 - July 2014


Project 6:  MRI Technologies - Clear Lake City, TX

Contract Consultant - Sr. System IT Security Engineer to Space Center Houston (NASA)

  • Sub-contracted to Raytheon at NASA. Managed and provided security compliance verification and implementation for the Neutral Buoyancy Laboratory and the Space Vehicle Mock-up Facility of the International Space Station (ISS) industrial control systems (ICS), which utilize Rockwell Automation software, following ICS SCADA controls in NIST 800-82 and 800-53a.
  • Developed, implemented and maintained IT security procedures, policies and risk reports. Scheduled and performed quarterly vulnerability scans for continuous monitoring using McAfee Foundstone. Ensured security compliance activities to include data at rest for whole disk encryption, IT inventory, application health monitoring configuration documentation, patching and change management procedures.
  • Proactively collaborated with network engineers and system administrators implementing information security protocols and regulatory requirements.

Duration: July 2012 - October 2013


In Transition

  • Completed consulting project. Keeping up to date on the latest in IT Security. (Cloud computing, reviewing the newest revision NIST 800-53).

Duration:  April 2012 - July 2012


Project 7:  Brandon Technology Consulting - Alexandria, VA

Contract Consultant - Sr. Network Security Engineer to Defense Health Headquarters (DHHQ)

  • Implemented IT Security Test Plans, Security Compliance Testing (Nessus scans), Risk Assessment Reports and Accreditation Reports of the DHHQ TRICARE systems. Ensuring HIPAA, PCI DSS, DIACAP and FISMA / NIST requirements are identified and met.
  • Utilized the Defense Information Systems Agency (DISA) approved checklists. Reviewed (SRR) scripts and Production Gold Disk (PGD) scripts to assess servers, workstations and network equipment configurations.

Duration:  January 2012 - April 2012


Project 8:  NCI Information Systems - Colorado Springs, CO

Contract Consultant - Sr. Information Assurance Engineer to U.S. Air Force Space Command

  • Security advisor - IT network support staff - to provide Information Assurance (IA) guidance and clarification direction to AF Wings and units.
  • Technical Subject Matter Expert (SME) tasked with reviewing and drafting guidance for both AFSPC and Air Force level guidance. Attended meetings and advised government officials on IT compliance with reference to IA from DoD and Federal regulations.

Duration:  September 2011 - January 2012


Project 9:  Yoh, Inc - Colorado Springs, CO

Contract Consultant - Sr. Computer Security & Information Protection Specialist to Boeing

  • Evaluated, communicated and mitigated computing and information security risks for the Air Force 2SOPS GPS (Global Positioning System).
  • Provided oversight for protection of IT computing security systems. Developed governance policies and processes of disaster recovery plans and business continuity plans of the individual GPS systems - sites.
  • Interfaced with the appropriate government agencies, customers, and company personnel to facilitate implementation of protective mechanisms and to ensure the understanding of.

Duration: September 2010 - September 2011


In Transition

  • Government funding cut and slot was eliminated for last position. Moved back to Colorado. Studying for the CISM and CRISC. Keeping up to date on the latest NIST 800-53.

Duration:  June 2010 - September 2010


Project 10:  Yoh, Inc - North Charleston, SC

Contract Consultant - Sr. Systems Analyst to Space and Naval Warfare Systems Command

  • Sub-Contracted to SAIC to provide Information Assurance (IA) Certification and Accreditation (C&A) and Cross Domain Solution (CDS) support to the Navy at the Space and Naval Warfare Systems Command (SPAWAR).
  • Provided engineering, integration, technical and administration support consistent with IA, C&A and CDS activities for both ship and shore locations. Review of Visio network designs.

Duration:  April 2010 – June 2010


Project 11:  Booz Allen Hamilton - North Charleston, SC

Contract Consultant - Sr. Systems Security Engineer to VA, NSF and IRS

  • Accomplished NIST and PCI DSS (Payment Card Industry Data Security Standard) compliance verification audits for the US Department of Veterans Affairs (VA).
  • Reviewed risk assessment reports for senior executive team quantifying and verifying action plans to remediate identified risks; evaluated compliance closures for upper management of audits performed for the National Science Foundation (NSF) Antarctica.

Duration:  December 2009 - April 2010


Project 12:  G&B Solutions - Lakewood, CO

Contract Consultant - Sr. C&A Security Analyst to Department of Interior (DOI)

  • FISMA / NIST 800-53a auditing, FIPS 199 & NIST 800-37 assessment and InfoSec direction by identifying unique system characteristics, interviewing key organizational personnel (technical, administrative and executive); updated eMASS state; composed documentation (risk assessments, contingency planning, etc.); and, mapped technical requirements to prescribed security controls, policies and practices.
  • Conducted in-depth technical reviews of new and existing IT systems (Windows, UNIX, RACF) to identify the appropriate mitigation strategies for compliance with policy and industry guidelines for the DOI and the Department of Transportation (DOT). Performed security analysis on multi-tiered systems according to vulnerability and risk.

Duration:  December 2008 - December 2009


CERTIFICATIONS & EDUCATION:

  • ISACA Cybersecurity Nexus (CSX) 2015
  • Certified in Risk and Information Systems Control (CRISC) 2011
  • Certified Information Security Manager (CISM) 2011
  • Certified Information Systems Auditor (CISA) 2010
  • Security+ Certified 2006
  • Auditing and Monitoring Windows 2003 Server 2006
  • Certified Multimedia Design Networks Specialist 2000
  • A.A., General Studies, University of Maryland 1992
  • A.A.S., Electronic Systems Technology, Community College of the Air Force 1990


TECHNICAL TRAINING:

  • CISSP Boot Camp 2011
  • Cyber Security Assessment Management (CSAM) 2009
  • SANS System Forensics, Investigation & Response Course 2005
  • eEye Retina REM Administrator CBT Course 2005
  • SANS Intrusion Detection Course 2004

...