INTERIM - CHIEF HEALTH INFORMATION SECURITY OFFICER
INTERIM - CHIEF HEALTH INFORMATION SECURITY OFFICER, November 2014 to Current
VANDERBILT UNIVERSITY MEDICAL CENTER - NASHVILLE, TN
Information security and cyber risk leader. Establishing a formal cyber risk program and the information security and cyber risk organizational structure, and enhancing the information security program. Reviewing, revising, and consolidating information security policies and procedures. Reviewing new applications and services to evaluate cyber risk and providing recommendations for moving forward.

SPECIALIST MASTER, January 2013 to Current
CYBER RISK SERVICES - SEATTLE, WA
Demonstrated subject matter expert in information technology, risk assessment and management, information security, privacy, compliance, internal audit, project management, and organizational design. Experienced communicator at all levels. Knowledgeable expert in local, state, federal, and international security, privacy, information protection, and auditing requirements and standards (e.g., Sarbanes-Oxley (SOX), Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), Gramm-Leach-Bliley Act (GLBA), Family Educational Rights and Privacy Act (FERPA), Federal Information Security Management Act (FISMA)). Frequently conduct on-the-job training for junior staff members regarding methodologies, requirements, and standards.
* Clients have included a large international laboratory (bio-pharma), multiple academic institutions, multiple health care organizations and systems, a health plan provider, a bank, a large food and beverage company, and a financial investment company.
* Project components have included risk assessment and management, regulatory gap analysis, outsourced services assessments, program design, organization design, program development and implementation, service assessment, and vulnerability assessment.
* Frameworks used have included those developed by the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), Control Objectives for Information and Related Technology (COBIT), and the Health Information Trust Alliance (HITRUST), as well as self-developed and Deloitte-developed frameworks.
DIRECTOR OF INFORMATION TECHNOLOGY, November 2010 to December 2013
TACOMA COMMUNITY COLLEGE - TACOMA, WA / BREMERTON, WA
Primary instructor of an online Network Security course.
* Taught an online course in Network Information Security.
* Provided guidance to students who were just learning the basics of compliance and information security.
Information technology leader at a regional medical center. Responsible for the day-to-day operations of the systems, infrastructure, and support staff, ensuring the delivery of quality healthcare. Rounded clinical areas and participated in the patient experience program to improve information technology and organizational processes. Developed an information technology strategy that was strongly integrated with the business strategy, clearly identified current strengths and weaknesses, and provided a clear path to correct the weaknesses while building on the strengths.
* During a six-month period, analyzed the operations of the information technology department; developed and implemented change, release, and configuration management programs; developed the standardized technology documentation program; streamlined end-user processes; and improved communications between information technology and the rest of the organization. This resulted in more efficient operations and a drastic reduction in the number of unplanned downtimes, despite an increase in the number of changes to new systems and the implementation of multiple new systems.
* Redesigned the help desk and desktop support teams to flex to meet call volume and to provide in-person service on site, reducing customer complaints about unanswered calls and customer demand for in-person support. This dual approach actually reduced the number of calls to the help desk and improved operational efficiency by finding and resolving smaller technology irritants before they became larger issues.
* Improved personnel efficiency by providing a variety of work and reducing idle time for the help desk and desktop support staff.
MANAGER, April 2007 to June 2011
INFORMATION SECURITY SERVICES - TACOMA, WA
Information security leader for a multi-region health care system. The sole individual with full-time responsibility for information security, privacy, compliance, and technology audits. Provided guidance, direction, and planning to technologists, engineers, and application analysts in a matrixed organization. Built strong relationships with the Compliance, Internal Audit, Legal, Risk, Human Resources, Physical Security, and Clinical leadership throughout the organization. Recognized subject matter expert in HIPAA/HITECH, SOX, PCI-DSS, and privacy laws.
* Developed and implemented the Information Lifecycle, Identity Management, and Payment Card Industry Data Security Standard (PCI-DSS) initiatives. Coordinated with corporate leadership and conducted training and communication sessions throughout the organization. Led a joint operational and technical implementation team.
◦ The Information Lifecycle implementation was delivered as an unfunded initiative and completed in 9 months.
◦ Identity Management was an ongoing initiative with a $1,300,000 tool and a $250,000 project budget, implemented application by application. Implemented in two applications, including at the operating system and database levels, in the first 3 months.
◦ The PCI-DSS implementation was done by an internal team and took 6 months to complete. The project finished 6 months ahead of schedule and $4.5 million under a bid issued by a reputable auditing and consulting agency.
* Redesigned the information security program to include regulatory requirements from HIPAA, HITECH, SOX, PCI, and other state and federal privacy laws. The program included a 3-5 year strategy, a roadmap, updated information security policies, a security awareness and training program, monitoring and tracking tools, and validation of controls. The program increased organizational awareness and reduced the audit findings on the annual financial audit from a high of 11 critical findings to zero critical and medium findings in two years.
* Implemented technical security controls for compliance with PCI requirements, including virtual and physical network segmentation, data loss prevention (DLP), and security information and event management (SIEM).
* Acting interim manager of the service desk for 9 months while the organization searched for a new service desk manager. During that period, the workflows were reviewed and revised, the call tree was restructured, and service levels were set with internal teams. Based on those changes, call handling increased by 20% while staffing was reduced by 5%. All staff reductions were accomplished via promotion or reassignment to other technology teams.
* Implemented an IT Controls program that ensured regulatory requirements and industry best practices were monitored and maintained with management oversight. This program was responsible for clearly documenting the daily processes, streamlining workflows, and reducing chokepoints and points of failure.
ADJUNCT FACULTY - EVALUATOR, June 2012 to January 2013
WESTERN GOVERNORS UNIVERSITY - SALT LAKE CITY, UT
Evaluated graduate and undergraduate level student papers in the subject areas of business administration, information technology, and information security.

SUBJECT MATTER EXPERT, September 2010 to November 2012
CYBERLAW - BALTIMORE, MD
Contracted subject matter expert in the field of Cyberlaw. Developed course and testing materials for various universities and businesses.
MANAGER, January 2005 to April 2007
INFORMATION SECURITY ENGINEERING - MOUNTLAKE TERRACE, WA
Provided strategic and tactical leadership and direction for the Information Security Engineering and Administration teams, composed of over 20 engineers, analysts, and technicians. The members of these teams provided consulting, training, design, development, implementation, and maintenance for the information security and regulatory requirement aspects of every technology process and program.
* Developed a process to ensure that third parties connecting to the network or using company information maintained a security posture at or above the contracted standard. Reduced risks associated with third parties and provided opportunities to learn from other organizations' information security practices.
* Developed an engineering skills matrix to map the knowledge, skills, and abilities of the engineers. This provided project managers with multiple points of contact and eliminated delays in project completion.
* Integrated the Information Security Administration team with the Service Desk to provide first-call resolution of information security access issues and accurate documentation of information security issues in the issue tracking system. Reduced the time to resolve access issues from one business day to 3 hours, improving customer satisfaction and work productivity throughout the organization.
SENIOR MANAGER, INFORMATION TECHNOLOGY, October 1984 to October 2004
UNITED STATES NAVY - SILVERDALE, WA
Hand-selected as the first information technology leader for the Pacific Trident Submarine fleet. Led more than 60 technicians and managed the technology infrastructure of 8 Trident submarines and 3 support commands. Developed and published the first information technology policies, which integrated the requirements of 15 disparate policies from oversight commands.
* Developed and implemented an asset tracking program to provide up-to-the-minute reporting of the technology assets within the Trident submarine fleet. This program was responsible for accounting for over $21,000,000 in technology assets held by the Pacific Trident Submarine fleet and support commands, and improved the ability of each command to inventory, track, and audit the assets it was accountable for.
* Installed, implemented, and integrated some of the first personal computers, Novell and Windows servers, coax and fiber optic networks, and external interfaces via satellite and fiber optics, greatly improving the productivity, communications, and integration of the Pacific Trident Submarine fleet.
EDUCATION
* Master of Business Administration (MBA), University of Washington
* Bachelor of Science in Computer Science (BSCS), Chapman University
CERTIFICATIONS
* Certified Information Systems Security Professional (CISSP), August 2006 to Present
* HIPAA