Posted on: 2018-04-25
MARILYN SOUSA
(719) 650-3161 | [email protected] | Colorado
LinkedIn: www.linkedin.com/in/marilyn-sousa-cisa-cism
------------
CAREER PROFILE:
Looking to leverage my 10 years of experience as a Sr. Security Analyst and IT Cyber Security Regulatory Compliance Auditor. Experience and knowledge in security compliance and internal audit of networks and 3rd party associates for Health Care, Financial Institutions, Oil & Gas, Federal and Fortune 500 companies to industry standards.
Following standards of NIST, HIPAA, SCADA, SOC, PCI, PII, SOX, SSAE and Best Practices; encompasses the understanding of current Risk Management Framework, DREAD and OWASP threat modeling, Data Privacy, SIG7, ISO 27001/2 application controls - processes.
Progressively expanded my skill-set and proficiency by taking on various Contract projects. Committed to these projects with integrity – reliability; seeing them through as complete. Looking for a full-time role in south Denver or Colorado Springs, CO or a Remote position where my contracting experience and interpersonal skills can bring value.
KEY COMPETENCIES:
- Industry certified through ISACA: CISA and CISM.
Areas of Expertise
- Business Continuity - Disaster Recovery
- Security Risk Assessment & Management
- Privacy
- Auditing & Assessing
- Policy Management & Compliance
- Security Operations
- Proficient and knowledgeable with network compliance, identifying issues, vulnerability assessments, security risk analysis. Adept in development and review of audit reports, Information Technology security program strategy, policy and process documentation.
- Collaborates with management to improve internal controls and processes - preparing risk assessments, identifying audit areas, setting audit scopes and engagement of annual audits.
- Technical background in network engineering for WAN, LAN, Telephony (ISP and video) and InfoSec. Military service veteran - U.S. Air Force.
CONTRACT - PROJECT CONSULTING EXPERIENCE June 2007 - Present
Projects completed for contract agencies for multiple projects.
TechOne Staffing, Inc. – Greenwood Village, CO (Contract work for Kaiser Permanente)
Sr. Security & Compliance Consultant Duration: Feb 2017 – Present
- Schedule and implement IT security audits with system owners using NIST 800-66 for HIPAA and NIST 800-53, NIST 800-53a and NIST 800-37 for baseline assessments.
- Provide advance compliance draft audit consulting to focus on NIST Controls to align for governance of HIPAA, HITRUST, PHI, ePHI, PII, PCI, SOC, FDA and Best Practice.
- Define the boundaries of applications / infrastructure, review network diagrams (Visio) and gather evidence to support that the identified NIST Controls are in compliance with IBM.
Randstad Technologies, LP – Lone Tree, CO (Contract work for Charles Schwab)
Sr. Analyst Vendor Information Security Oversight Duration: Aug 2016 - Feb 2017
- Conducted vendor third party financial control assessments - GRC; identified vendor gaps / deficiencies; ensured that applicable requirements were met for State and Federal Reserve regulations - NIST 800-53a & 800-37, PCI, SOC, ISO and Best Practices.
- Responsible subject matter expert on financial services of vendor cyber security risk to include risk identification, quantification, and management efforts. Assessed (QA) remediation plans and non-compliance acceptances. Validated evidence from third parties to assist in closing identified findings. Tracked in RSA Archer.
Rose International - Greenwood Village, CO (Contract work for Kaiser Permanente)
Sr. Security & Compliance Business Consultant Duration: April 2015 - Aug 2016
- Risk profiling of clinical devices and applications for IT governance for HIPAA, PHI, ePHI, PII, PCI, SOC, SOX, FDA and Best Practice.
- Performed IT security assessments of networks (IBM RACF, Cloud), Security Operations assets, Facility Operations assets and medical equipment with clients and vendors.
- Gathered and documented assessment results; a liaison – Point Of Contact with business unit directors, managers and clients; conducted one-on-one meetings with the asset owners.
In Transition Duration: Feb 2015 - April 2015
- Completed contracted project. Moved to Denver, CO. Passed Cybersecurity certification. Collaborated with ISACA on their certification program for Cybersecurity Nexus (CSX) III.
InSight Global - Houston, TX (Contract work for Hewlett-Packard)
Third Party Global Cyber Security (GCS) Assessment Duration: July 2014 - Feb 2015
- Annual audit of supporting documents - papers for security governance compliance of vendors and business partners. Tracked assessments in the RSA Archer for HP Global.
- Reviewed regulatory requirements and contractual compliance requirements across multiple industries for Data & Network Security and Privacy. Identified updates to contracts for gaps to assess.
- Assessed to the associated security risk standards - SIG7, NIST 800-53a & 800-37, GRC, HIPAA, SOC, PCI, SOX, ISO/IEC 27001/2, Safe Harbor, EU Data Protection Directive of GDPR - General Data Protection Regulation Security Compliance and/or Best Practice.
W-Industries (CSE ICON) - Houston, TX (Contract work for Energy Transfer and INGAA)
Sr. IT & Cyber Security Consultant Duration: Oct 2013 - July 2014
- Contracted to Energy Transfer Inc. to validate big three external audit findings and assess their IT security policies and procedures posture for their oil and gas enterprise systems and automated industrial control systems (ICS / SCADA). Collaborated with external auditors.
- Oversaw the creation - draft, enhancement, and adoption of information security policies and standards with the needs of business segments. (NIST 800-53, 800-82 & 800-37, ISO/IEC 27001/2, PCI DSS, CSC SANS Top 20 – CIS Critical Security Controls, INGAA).
- Contracted to consult with INGAA (Interstate Natural Gas Association of America), defining how the NIST Cyber Security Framework would enhance their cyber security programs.
MRI Technologies - Clear Lake City, TX (Contract work for Space Center Houston (NASA))
Sr. System IT Security Engineer Duration: July 2012 - Oct 2013
- Sub-contracted to Raytheon at NASA. Provided security compliance verification and implementation for the Neutral Buoyancy Laboratory and the Space Vehicle Mock-up Facility of the International Space Station (ISS) industrial control systems (ICS) that utilize Rockwell Automation software, following ICS SCADA controls in NIST 800-82 and 800-53a.
- Implemented and maintained IT security procedures, policies and risk reports. Scheduled and performed quarterly vulnerability scans for continuous monitoring using McAfee Foundstone. Ensured security compliance activities, IT inventory and change management.
In Transition Duration: April 2012 - July 2012
- Completed contract consulting project. Keeping up to date on the latest in IT Security. (Cloud computing, reviewing the newest revision NIST 800-53).
Brandon Technology Consulting - Alexandria, VA (Contract work for Defense Health HQ-DHHQ)
Sr. Network Security Engineer Duration: Jan 2012 - April 2012
- Implemented IT Security Test Plans, Security Compliance Testing (Nessus scans), Risk Assessment Reports and Accreditation Reports of the DHHQ TRICARE systems. Ensured HIPAA, PCI DSS, DIACAP and FISMA / NIST requirements were identified and met.
- Utilized the Defense Information Systems Agency (DISA) approved checklists. Reviewed scans of servers, workstations and network equipment configurations.
NCI Information Systems - Colorado Springs, CO (Contract work for U.S. Air Force Space Command)
Sr. Information Assurance Engineer Duration: Sept 2011 - Jan 2012
- Security advisor - IT network support staff; director level - provided Information Assurance (IA) guidance and clarification direction to AF Wings and units.
- Technical Subject Matter Expert (SME) tasked with reviewing and drafting operational guidance. Advised government officials on IT compliance to DoD and Federal regulations.
Yoh, Inc. - Colorado Springs, CO (Contract work for The Boeing Company)
Sr. Computer Security & Information Protection Specialist Duration: Sept 2010 - Sept 2011
- Provided oversight for protection of confidential information on IT computer systems. Developed consistent policies and processes of disaster recovery plans and business continuity plans of the individual GPS (Global Positioning System) sites.
- Interfaced with the appropriate government agencies, customers, and company personnel to facilitate implementation of protective mechanisms and to ensure the understanding of.
In Transition Duration: June 2010 - Sept 2010
- Government funding cut and contract slot was eliminated for last position. Moved back to Colorado. Studying for the CISM and CRISC. Keeping up to date on the latest NIST 800-53.
Yoh, Inc. - North Charleston, SC (Contract work for Space & Naval Warfare Systems Command)
Sr. Systems Analyst Duration: April 2010 – June 2010
- Sub-Contracted to SAIC to provide Information Assurance Certification and Accreditation (C&A) and Cross Domain Solution (CDS) support to the Navy at SPAWAR.
- Provided engineering, integration, technical and administration support for both ship and shore locations. Review of Visio network designs.
Booz Allen Hamilton - North Charleston, SC (Contract work for the VA, NSF and IRS)
Sr. Systems Security Engineer Duration: Dec 2009 - April 2010
- Accomplished NIST and PCI DSS (Payment Card Industry Data Security Standard) compliance verification audits for the US Department of Veterans Affairs (VA).
- Reviewed risk assessment reports for senior executive team quantifying and verifying action plans to remediate identified risks; evaluated compliance closures for upper management of audits performed for the National Science Foundation (NSF) Antarctica.
G&B Solutions - Lakewood, CO (Contract work for Department of Interior (DOI))
Sr. C&A Security Analyst Duration: Dec 2008 - Dec 2009
- FISMA / NIST 800-53a auditing, FIPS 199 & NIST 800-37, SSAE internal control assessment; interviewed key organizational personnel (technical, administrative and executive); update reporting of eMASS state; composed quality documentation (risk assessments, contingency planning, etc.) for presentations.
- Conducted in-depth technical reviews of new and existing IT systems (Windows, UNIX, RACF) for compliance with policy and industry guidelines for the DOI and the Department of Transportation (DOT) for ongoing monitoring of IT security controls.
Boecore - Schriever AFB, CO (Contract work for the Missile Defense Agency)
Sr. Systems Security Engineer Duration: Dec 2007 - Dec 2008
- Contracted to Northrop Grumman Mission Systems to provide technical IT Security expertise in Information Assurance (IA) for systems compliance support safeguarding associated classified and unclassified systems.
- Provided technical security engineering support for complex software, hardware, network systems; design, develop, and execute security tests and evaluations (ST&E) of annual audit plan, vulnerability assessments and audits; risk mitigation and analysis of security threats.
CERTIFICATIONS & EDUCATION:
- ISACA Cybersecurity Nexus (CSX) 2015
- ISACA Certified Information Security Manager (CISM) 2011
- ISACA Certified Information Systems Auditor (CISA) 2010
- CompTIA Security+ 2006
- Auditing and Monitoring Windows 2003 Server 2006
- Certified Multimedia Design Networks Specialist 2000
- A.A., General Studies, University of Maryland 1992
- A.A.S., Electronic Systems Technology, Community College of the Air Force 1990
TECHNICAL TRAINING:
- CISSP Boot Camp 2011
- Cyber Security Assessment Management (CSAM) 2009
- SANS System Forensics, Investigation & Response Course 2005
- eEye Retina REM Administrator CBT Course 2005
- SANS Intrusion Detection Course 2004
...