Over three years' experience in Security Assessments using Certification & Accreditation (C&A) processes, NIST 800 Series, NIST Risk Management Framework, Federal Information Processing Standards (FIPS) and Federal Information Security Management Act (FISMA) requirements. Excellent written and verbal communication skills with the ability to communicate with colleagues at varying levels of technical expertise.
Standards and Areas of Specialization
FISMA, NIST SP 800 Series, FIPS 199 & 200, SSP, POA&M, HIPAA, Risk Management Framework, Security Assessment & Authorization (SA&A), Windows, MS Excel, MS Word, MS PowerPoint, Remedy, Certification and Accreditation, General Computer Controls, Application Control and Compliance Testing, Vulnerability Scans, Risk Assessment, Policies and Procedures, Implementation. Experience in Network Administration Principles, VPN Concentrator.
08/2015 to 10/2017
Information Security Analyst, Pratt Health System - Frederick, MD
Conducted Security Assessments on Low and Moderate systems using the NIST Framework.
Ensured that all routers were secured with proper password authentication.
Assessed risks, identified mitigation requirements and developed recommendations.
Promoted awareness of security issues among management and ensured sound security principles were reflected in the organization's visions and goals.
Contributed to the creation of SA&A assessment packages, with responsibility for gathering information from system owners, applying data to the appropriate templates and attending meetings in support of the effort.
Developed, reviewed and updated Information Security System Policies, System Security Plans and Risk Assessment Reports in accordance with NIST, FISMA, OMB App. III A-130 and industry best security practices.
Responsible for assessing the management, operational, and technical security controls implemented on an information system via security assessment and authorization (SA&A) methods.
Applied appropriate information security controls for Federal Information Systems based on NIST 800-37 rev 1, SP 800-53 rev 4, SP 800-53A, FIPS 199 and FIPS 200.
Conducted system and network vulnerability scans in order to identify and remediate potential risks.
Developed and analyzed security policies, procedures and technical standards including corporate compliance, security training, and end-user awareness.
Medical application systems and networks: ensured the integrity, availability, and confidentiality of information.
Ensured that personnel accessing systems complied with HIPAA (Health Insurance Portability and Accountability Act).
Ensured that system security measures were taken to protect Personally Identifiable Information (PII).
Enhanced and optimized the existing log monitoring and analysis process to identify, scope, track, and report on potential security incidents, unauthorized configuration changes, and policy violations.
07/2015 to 07/2015
IT Risk Analyst, Hewlett Packard Enterprise - Houston, TX
Documented and reviewed System Security Plans (SSP), Contingency Plans (CP), Contingency Plan Tests (CPT), Privacy Impact Assessments (PIA), and Risk Assessment (RA) documents per NIST 800 guidelines.
Performed vulnerability scanning using Nessus to scan network systems to ensure that network systems are secured.
Ensured correct and updated information is documented in the System Security Plans (SSP) in accordance with NIST.
Drafted Security Assessment Reports (SAR) and Security Requirements Traceability Matrices (SRTM) to identify security controls that were tested and examined following assessment efforts.
Ran targeted vulnerability, baseline and credentialed scans on the network using Nessus.
Facilitated the remediation of critical findings from generated Nessus scan reports.
Collaborated with the ISSO (Information System Security Officer) in scheduling kick-off meetings and rules of communication using Microsoft Outlook, Skype and Excel spreadsheets.
Assisted with investigations of security events (e.g., unauthorized access, non-compliance with company policies, fraud, service exploitation, etc.) to determine malfunctions, breaches, and remediation steps.
Drafted initial Security Categorization Document (SCD) to provide system categorization level (utilizing FIPS 199 & NIST SP 800-60).
Drafted initial POA&Ms by collecting and documenting security artifacts to validate the implementation of security controls.