Executive Summary
IT Controls Officer with years of global experience in ensuring integrity, confidentiality, and availability of technology resources.
Demonstrated ability in reducing IT risk based on controls assessments/recommendations, ensuring corporate continuity based on
business contingency-disaster recovery planning and change management-control, ensuring regulatory compliance based on IT
audits/reviews and IT corporate governance (COSO), including SOX, GLBA, FFIEC, SEC, HIPAA, Privacy and Patriot Acts,
Treadway Commission. Demonstrated ability in identifying security control weaknesses/vulnerabilities, performing gap analysis,
assessing resultant risk/organizational impact. Demonstrated ability in project planning/execution/tracking/reporting/closure, and
developing a Risk Management Plan. Proven ability to assess audit compliance with technology related compliance regulations such
as SOX, FFEIC, GLBA, and HIPAA, by determining control weaknesses and recommending cost effective solutions to reduce risk
and improve business performance. Assessed technology related risk and controls' effectiveness in support of SAS requirements
for external audit-attest functions. Planned/budgeted/led/managed technology related compliance audits/security reviews in
conjunction with operational/financial audits to ensure effectiveness of technology business controls.
Scoped/planned/managed/troubleshot client-auditee engagements/projects to complete satisfaction. Devised methodologies for
painless and effective knowledge transfer to business and technical SMEs. Assess mutable real-time data and application systems
with high-monetary value.
Expertise includes:
• Strategic & Tactical security planning & budgeting
• IT Security/Audit and Management
• Control risk & modeling analysis/assessments (SOX, SAS,
GLBA, FISMA, FFIEC, etc) to Risk Management Plan
• Security Awareness: IT Technical and Business views
• Identity, Profile & Access management - Data Security
• Policy and Procedures: assessment, development, standards,
frameworks: COBIT, ISO /, FISMA/NIST , ITIL,
CMMI/ISO
• Project Management and Corporate IT governance
• E-commerce and EDI controls
• Web Security - ., Websphere, OWASP
• Security Architecture-all layers: Networks, O/S and Applications
• Mentoring and Team building
• Vulnerability assessment with security packages & CAATs
• PCI DSS & Email Federal Compliance Regulations
• Business Analysis and translating processes into technical specs
• Diagramming systems and work flow processes and controls
Soft Skills, PM Skills, and SME Skills include:
• IT Gen'l and Network Controls Audits, Application Controls Audits
• Change Control Management, Application Development, SDLC controls
• Day-to-day project leadership ensuring accurate planning, appropriate
staffing, schedule adherence, control budget and scope requirements
• Issue/risk management: Ensure adherence to control framework,
methodology, policies, and departmental standards
• Budgeting-financial: regarding cost/benefits and vendor negotiations,
resource staff management and work plan management
• Identity management controls and IT & security process enhancement,
metrics analysis
• Build positive relationships with key users/business line teams to
identify/resolve issues
• Engage wide range of people to influence strategic business/IT agenda
outcome
• Maintain high interactive communications regarding project with staff,
management, business partners
Recent Work Experience
Oct - present Beatrice Block Enterprises International, Inc. (aka BBEI Inc.), Tarrytown, NY
President/Partner/Principal - Information Technology Security & Compliance Consultant
Most Recent Assignment: Develop Security Awareness (SA) Education Program for Department of Education, City of NY
Scope out Feasibility/Project Plan based on population/audience/practical exposures and gap analysis, Work with DOE executives
and technical teams to isolate objectives and formulate practical framework for SA plan; Develop SA Framework for DOE based on
NIST guidelines and SA delivery to broad community of non-technical users using in-person/electronic/print media; Develop
materials for in-person/web-based training and populate SA database components; Develop Moodle (Web .) Framework and SA
website to accommodate SA Blog/Wiki modules; Work with DOE technicians to mount and implement SA Framework and education
system on server; Deliver finished product to DOE and NYC government executives and promote national distribution of NYC SA
paradigm.
Other assignments included:
Specializing in Sarbanes-Oxley - SOX audits/monitoring, FFIEC, GLBA, HIPAA, FISMA, DPA , FSA#, Basel II, US
Patriot and US Privacy Acts, SAS (T&), PCI DSS. Clients include banks, brokerage, real estate, manufacturing, etc. (Provident
Bank, Instinet, CIT, SL Greene, Steve Madden, Amscan, Westcon, UPS, Fleet, Bank One, CitiGroup, Merrill Lynch, AIG, JPMChase).
Guide risk based analysis methodology of standardized processes to assess control effectiveness to deter ever-changing vulnerabilities
and threats. Worked on ITIL controls implementation in major financial institutions. Developed plan and schedule for audit/security
project execution; monitored progress to ensure timely project completion and fulfillment of objectives. Communicate project status
to participants and stakeholders in reports and formal presentations. Organized/Led meetings with participants/stakeholders to
collect/disseminate project status, tasks, resources, process structure for consensus and commitment to/for deliverables. Performed
independent audits and control -risk assessments for regulatory compliance and penalty avoidance. Identify,
evaluate, and recommend actions, strategies and solutions to ensure gap remediation and security of technology/business resources
and assets. Planned, created and completed all documentation for Sarbanes Oxley Testing/Reporting/Risk Initiative and
FFIEC/OCC/SEC review. Conducted quality audits/reviews to identify and document control activities of IS infrastructure,
applications, using Sarbanes Oxley risk-control matrix. Assured controls adequately addressed user provisioning, authentication and
authorization, integration touch points with other application systems, interfaces to external systems, and encryption. Identified
security risks for new technology, new products, or new relationships with external parties. Develop/Write security policies and
procedures to address vendor and application/infrastructure security risks - areas covered included logical security, systems and data
integrity. Assess security architecture and design/integrate data security model into business paradigm. Reviewed access
management including identity profiles for individuals and groups; revisions included vulnerability closure and efficiency
implementation. Ability to drive risk/controls assessments with quality analysis, quantitative data analytics; lead compliance controls
reviews and QA business/control processes present, conduct gap analysis and cost assessment, and ensure the remediation of security
vulnerabilities. Managed corrective actions and revision documentation, including improvement metrics reporting. Follow-up test
strategies/ methodologies, with ability to schedule activities. Review various applications (manufacturing, financial) and document
systems as simple as a change control database to systems as intricate as the data flow of the business process of an organization.
Work closely with IT, Audit and IS colleagues and the Sarbanes Oxley Teams, both internal and external. Liaise with technical teams,
end users, auditors and compliance personnel. Train, managed and mentored associates on various assignments including PCAOB
and HIPAA standards, SEC, OCC and FDICA regulations/requirements. Motivated teams by creating project cohesion and
promoting knowledge transfer. High technical aptitude and driven to remain on the cutting edge of new technology products,
concepts, and regulations. Perform strategic marketing and business development activities.
Feb - Oct Bank of China, USA, Inc., Americas Division, New York, New York
Head of IT Security - Director
Responsible for identifying and mitigating information security risk to the US Branches. Developed and maintained information
security policies (standards, procedures, and guidelines, data ownership and classification) to create an appropriate information
security framework for the US Branches. Identify and address information security exposures to accidental or intentional destruction,
disclosure, modification, or interruption of information that may cause serious financial and/or reputation losses to the US Branches.
Establish appropriate mechanism to protect branch information assets processed internally by the American Data Center, or
externally by vendors. Led the activities of the Information Security Department by performing the following specific duties.
* Propose security policies for approval by the Risk Management Committee of the BOC, with copies to the Head Office
Information Technology Department and Risk Management Department.
* Enforce established information security policies to ensure they are functioning as management intended. Such monitoring will
be performed in coordination with the Internal Audit Center and American Data Center.
* Perform annual security risk assessment to identify potential logical security risks to the US Branches, and develops action plans
to mitigate such risks. The security risk assessment report will be provided to the Chief Risk Officer and the Privacy Officer of the
Branch.
* Assess new application and/or technology infrastructure platform implementation to ensure Branch security policies and
standards are complied with.
* Report to the General Manager, Chief Risk Officer, Risk Management Committee, Internal Audit and the ADC on significant
security issues as they had surfaced.
* Liaise with external auditors, regulators, applicable vendors and clients, and professional organizations on existing and emerging
security issues.
* Coordinate with Human Resources, Branch departments, Internal Audit and ADC on security awareness training. Ensure that the
Branch sponsored training conforms to the existing security policies and standards.
* Performed functional management of the Information Security Department.
* Planned new employee security awareness orientation to foster positive attitude toward bank goals.
* Supervise team and administer staff project program, development, performance evaluation and bonus sharing at the end of
each year.
* Understand, comply with and monitor the activities, if necessary, of all applicable laws and regulations regarding anti-money
laundering, Bank Secrecy Act, currency transaction reporting and suspicious activity reporting as well as email monitoring.
Supervised two non-supervisory employees (Information Security Officers and Administrator) along with mentoring and evaluation of
development. Responsible for the overall directions, coordination, and evaluation of the Information Security Department. Carries out
supervisory responsibilities in accordance with the organization's policies and applicable laws, including but not limited to GLB, FISMA,
DPA , FFIEC, FSA#, SOX , PCI DSS, etc. Responsibilities included interviewing, hiring, and training employees; planning,
assigning and directing work; appraising performance; rewarding and disciplining employees; addressing complaints and resolving
problems.
Dec - June Fleet Brokerage & Wealth Management, Division of Fleet Bank Financial Corporation,
New York, New York
Senior Manager of IT Security & Risk - Global Technology Services
• Performed control assessments to verify the validity (identification, authentication, and certification) of users and resources based on
quantitative data analytics. Performed information security gap analysis, including network security gap analysis for IT controls, both
general and logical IT controls. Performed risk assessments and evaluated inherent risk levels in the technological infrastructure vertically
from basic networks (including LANs and VPNs) and operating systems to applications and application development standards (especially
eCommerce applications and architecture), including the CRM software used: Siebel. Maintained risk events for CIRT.
• Determined whether network interconnections were vulnerable to attack from without or invasion from within, including assessing IDS,
TCP/IP exposures, SSL, Kerberos, PKI, smart cards. Presented corrective actions to technology units.
• Developed, assessed and continually improved IT security and compliance, including compliance review programs, documentation
standards and all related policies and procedures.
• Provided consistent policy interpretation to business units. Promoted awareness of policies and standards, revisions and developments.
Determined technology security framework of the organization and devised plan for implementation, including process improvement tactical
plans. Advised developers via participation in an architecture committee about necessary controls to be included in development.
• Researched, developed and wrote security controls policies and standards for various technological platforms including LDAP, DNS,
firewalls.
• Defined, planned and managed control self assessment of technology infrastructure, including outsourced segments. Identify, escalate and
track non-compliance issues until resolution is achieved; followed COBIT, ITIL, and ISO methodologies, i.e. ISO . Contributed
original security documentation to the corporate security policy framework. Provided security requirements to define architecture and
provide guidelines to select technologies that ensure systems are protected from unauthorized modification.
• Guided auditors, reviewers, and evaluators, both internal and external, to areas that need assessment and review for adequacy in relation to
current standards. Focused recommendations for executive management and Board review. Ability to collaborate with various personnel
including users, business sponsors to expedite security project process and monitor progress. Trained personnel in quantitative data
analytics.
• Worked with business units to draft Risk Assessments and Business Contingency Plans. Worked with Lines of Business to determine
application security methodology for development. Worked with technology groups to identify and validate security exposures and to
incorporate/implement patches and security related enhancements to networks, servers and applications.
• Promoted strategic sourcing practices. Worked with IT management to draft strategic plans for deployment of information security
technologies and enhance existing systems. Procured, evaluated and retained vendors and consultants for products and services, based on
responses to RFI, RFP, presentations, references, and evidence of prior work performed. Planned schedules and budgets to coordinate and
track activities related to the implementation of strategic initiatives/objectives. Developed security performance metrics for SLAs presented
as part of vendor negotiations.
• Developed/maintained business level security incident reporting process. Developed methodology to ensure integrity and pro-actively
respond to forgers, denial-of-service attacks, threat analysis; verify appropriate network countermeasures to attack techniques. Address
business continuity infrastructure issues with appropriate technology groups. Worked with vendors to conduct periodic security penetration
tests, studies, and corrective action (Veritect, TrueSecure).
• Revised and augmented the COBIT security framework with ISO and ITIL components to provide a comprehensive security standards
environment for the Fleet Securities organization, including developing a strategic plan with tactical milestones and a reasonable timeframe
with contingencies built in, and the human resource organization for implementation. Documented and codified security standards,
guidelines, policies, procedures and practices for the organization in general. Participated in the development, implementation and consistent
improvement of IT and network management including change management, configuration management, problem management, and security
management.
• Performed gap analysis for policy and standards compliance regarding risk management, security operations, business continuity and
disaster recovery. Focused on access path based on profile privileges; recommended revisions in identity and access management.
Sept - Dec Jefferson Wells International, New York, New York
Consultant
Worked on various projects from IT Security, Audit, Project Management, Policy Development, etc., for various firms in the Greater NY Area
including brokerage, banking, advertising, insurance, etc. Assisted in practice development for the IT audit and assurance area including
internal audit outsourcing. Supported marketing and business development functions by scoping project and planning deliverables. Assisted
management with ideas for developing new service offerings and marketing materials. Supported client development activities including
proposals and presentations. Maintained strong positive client relationships evidenced by return and new business activities. Managed/
supervised/mentored IT auditors on various assignments. Performed all kinds of general and logical IT controls audits.
Dec - June Industrial Bank of Japan, New York, NY
Consultant, Information Security Officer reporting to CIO - Systems Department, Americas Division
Directed the implementation of security controls for financial systems coming on line (OMR, ACBS, URBIS) as requested by the business unit
managers, systems groups, and vendors. Provide, where necessary, design specs and flows for program, object, or data security controls.
Reviewed the systems' analysis and design specs, and implementation process for optimum security and business efficacy. Trained, supervised
and evaluated new security officer.
• Developed Bank's Data Security Policies and Procedures including near term and long term targets.
• Re-engineered the data security processes for more efficient business and systems processing. Reviewed access abilities of technologists,
business personnel and systems; recommended revisions based on codified profiles, business groupings and least privilege.
• Developed security control guidelines, policies and procedures for all systems including new systems in production and implementation.
• Established guidelines and parameters used to assess risks to mission critical data used by corporate business units to minimize losses as the
result of deficiencies in security, data processing and transmission controls.
• Monitored compliance with security guidelines, policies and procedures to ascertain effectiveness and identify additions or modifications of
those guidelines. Gathered data for key risk and control indicators with statistics for Management Compliance Reporting
• Verified the presence of access, data, and physical security as well as transmission/network security prior to systems conversions. Ensured
the validity of computing resources and users including identification, authentication and certification.
• Evaluated and reported on the development, implementation and security compliance to senior management, project consultants, and the
audit group. Additional reporting on deficiencies and control methods to curtail security shortfalls were made to IS audit.
• Coordinated with developers and testers to create a secure User Acceptance Test environment regarding user access control for new
distributed client/server systems, networks and applications.
• Certified controlled access of users and objects to protect resources including systems, networks, applications and data. Collaborated with
corporate audit to devise username naming convention for new systems in implementation process.
• Designed a paperless security administration system for implementation by systems technical staff and subsequent security officer.
• Worked with IT Auditors to ensure appropriate general and logical IT controls were in place and properly reviewed.
Feb - July Citibank, New York, NY
Vice President, Corporate Audit/Technical Support, Security and Research
• Performed Risk Assessments and Threat Analysis for bank regarding global IT environments. Determined how the organization was
vulnerable to unauthorized access, alteration of data, disclosure, and disruption and denial of service. Assessed priorities in terms of time
frames, resources available, materiality, and urgency. Negotiated balance of security controls with line management with recommended
solutions. Performed penetration tests and investigated weaknesses. Analyzed results through risk assessment algorithms developed for
particular business circumstances. Communicated risk requirements to overseas teams.
• Knowledge of all production services functions including system/security administration, change control and management, output
management, data transfer/data import/data transformation/data reconciliation (database and data warehouse technology), compliance
measurement, business contingency planning/disaster recovery testing and improvement, and appropriate controls included in developed
and implemented systems.
• Responsible for and managed all aspects of IT audits including: preparing technology audit plans, training IT and financial auditors and
preparing white paper reports for Senior Management for all kinds of audits and reviews, especially general and logical IT controls.
• Performed all kinds of corporate requisite audits including Data Center reviews, operating system reviews and network reviews including
LANS, WANS, VPN, and leased lines, as well as firewall deployment. Reviewed firewall deployment of features and architecture.
Reviewed operating system features and deployment. Reviewed application systems implementation and maintenance, including change
control process as implemented independently at different sites/divisions.
• Reviewed and evaluated the security of numerous in-house client/server systems, mainframe systems, small department networks, etc. as
well as the security of multi-platform computer systems, applications and vendor software, including systems analysis, design, architecture
and implementation. Advised developers directly about proper application &/or system controls to be part of development.
• Coordinated and participated in integrated financial audit projects, which involved UNIX, WNT operating systems, database/data
warehouse design, service level agreements, integrated audits: L/C and check processing, application development and implementation.
• Responsible for reviews of security services and security architecture including authentication, authorization, access control, end-to-end
security, non-repudiation of services, common layer APIs, public key technology. Evaluated security software, including network filters to
prevent intrusions.
• Re-engineered the IT audit work flow and standardized audit support tools. Developed best of breed methodologies for various audits and
communicated audit methodologies to global audit groups.
• Utilized enterprise management software to flush out exposures in operating systems on clients and servers, and other components of the
Bank's network infrastructure and architecture, including Cisco and Apache routers, LANs and VPNs.
• Performed security troubleshooting and designed security solutions for multiple environments/platforms. Analyzed and recommended the
use of security products or alternative actions when security was inadequate.
• Evaluated security vulnerabilities, assessed their risks and developed means to close/lessen their impact, including network intrusions,
operating system holes, file permission issues, spoof countermeasures. Wrote procedure recommendations for password guidelines,
password policy, token passwords, security/system administrator permission levels, patch analysis for security lock down, virus prevention
and recovery, restricting access to critical services.
• Worked with system technicians to establish a security assessment program in the high profile environments for various financial/banking
products/processes (e.g. check processing, securities tracking, etc.), including threat analysis, intrusion detection, attack response, and risk
management. Result, became Subject Matter Expert in Unix flavors and Oracle , .
• Monitored and reviewed access violations and other security breaches within the organization. Worked with legal staff to investigate
intrusions and break-ins to ascertain the manner of entry into proprietary systems. Collaborated with legal staff to determine level of
susceptibility of the Bank's computers to external and internal attacks. Analyzed access abilities and vulnerabilities; recommended revised
business and technology groupings with concomitant identity and access privileges based on "need-to-know/do".
• Developed strategic/tactical plans and directed the implementation of a common Information Security process for client/server platforms, i.e.
UNIX, WNT, and NOVELL.
• Wrote security policies, procedures and Bank standards to provide cross platform protection and a network framework to measure security
compliance for host operating systems such as UNIX (SunOS, Solaris, HP/UX, AIX), and WNT on a TCP/IP network. Highlighted
concerns with sendmail.
• Participated in recruiting, training and mentoring staff, as well as evaluating performance and planning professional team development.
• Communicated with various levels of management status of audit execution and collaborated on efficient closure of issues.
Prior Work Experience
Feb - Feb Government: TBTA and School Construction Authority, Queens, New York
Supervisor - EDP Audit
Dec - Feb Security Pacific, New York, New York
EDP Audit Supervisor, Bank Officer
July - Nov UBAF Arab American Bank, New York, New York
EDP Audit Manager, Bank Officer
Mar - July Coopers & Lybrand, New York, New York
Project Leader, Technical Instructor, IT Staff Auditor
Sept - Mar Merrill Lynch Capital Markets, New York, New York
Programmer Analyst, Technical Writer
Prior to New York City Board of Education, Lehman College and Bank Administration
Institute, English Instructor
Other Accomplishments
Adjunct Professor, EDP Audit courses at NYU Wagner Graduate School
Developed out of core Graduate courses for Wagner School of Public Administration, provided curriculum for Graduate Professional
Certificate of Information Systems Auditing and Security
Adjunct Professor for English courses at Lehman College and the American Institute of Banking
Associations
IIA, ISACA (Board of Directors, Secretary, Treasurer, and Editor for NY Metropolitan Chapter newsletter), ISSA, CSI, APBM
Presentations and Published Works
Book Authored: Windows NT, Guidelines for Security, Audit and Control - .
Book Authored: UnixWare, Security, Audit and Control, IT Auditing - Basic Concepts -,
- proprietary for Citibank, NA
Presentations:
For ISACA scheduled - "Developing a Security Awareness Framework and Program" -
For ISSA and ISACA - "Data Warehousing - Security and Control" - May
For IIA - "EDI - Security, Control and Audit" - Feb & Sept
For ISACA - "Data Warehousing - Security, Control and Audit" - Oct
For ISSA - "Windows NT - Security, Control and Audit" - June
For ISACA - "E-mail - Security, Audit and Control" - Nov , Feb
For Micro Managers Assoc. - "Security in a Networking Environment" - Oct
For EDPAA - "Developing Command Procedures for Auditing DEC VAX/VMS" - July
Numerous articles written
Ranging from Telecommunications, Data Communications, Data Warehousing, Email, Win NT,
WinK, Unix, YK vulnerabilities, etc., published in a range of technical magazines and
professional newsletters.
Platforms and Operating/Network Systems, Programming Languages, Control Frameworks
IBM/MVS, DEC VAX/VMS, Unix - HP/UX, Solaris, AIX, SCO, Linux, Novell NetWare, Windows
, Windows NT, Windows XP, AS/; Sybase, Oracle, PRISM Data Warehousing; Cisco, IPv
and v; Cobol, Fortran, Assembler, C, Tal, VMS, SQL; COSO, COBIT, ISO/, ITIL
Education City College of New York, BA, Liberal Arts
Baruch College of City University of New York, Professional Certificate in Computer
Programming
Hunter College of City University of New York, Post Graduate Work, almost Masters - Liberal
Arts
Certificates CISA - , CISSP - , CISM - , CIA - , CBM - , candidate: CGEIT, MBCP,
PMP
Courses, Seminars, Conferences Attended & Completed
• UNIX and C programming -
• ISSA Conferences: ,
• MVS Security Administration -
• Client/Server Security Concepts -
• Audit of RACF and ACF -
• Sun Solaris System Administration -
• Novell NetWare System Admin -
• IIA Security and Audit Conferences: , , ,
• Risk Assessment and Security Procedures Documentation -
• Microsoft Windows NT Server System Administration . -
• ISACA Security Conferences: , , , , ,
, , , , Intn'l
• Microsoft Windows NT Server System Administration . -
• Microsoft TCP/IP Administration and Security -
• HP/UX System Administration -
• Data Warehouse Conference - ,
• HP/UX Networking Concepts -
• Numerous other day technical workshops and seminars
SOX and Other Projects - , , - As BBE Inc, Block-Linder Inc, and Jefferson-Wells, Inc.
JPMC project summary - subcontractor to Ajilon and Genesis, Responsibilities:
st Project - months - Used ITIL process guidelines to measure and improve business efficiency and effectiveness. Prioritized areas for improvement
based on risk and exposure. Developed execution plan to address and implement quick hit improvements and institutionalize the change through
targeted metrics and reporting. Ensured consistent and repeatable practices, processes and procedures are defined and in place across the data center
technologies and global technology infrastructures. Baselined current processes, practices and procedures and established aggregated metrics and key
performance indicators across the technology environment. Implemented day-to-day service execution minimum standards. Looked for best practice/
standardization opportunities. Worked on developing quality processes. Performed process analysis, establish activities, and project plans for execution.
I have over years experience with similar process-oriented functions, e.g. COBIT, etc.; have excellent communication and organization skills; have
proven ability to prioritize tasks and manage escalated issues to resolution.
nd Project - months - Assisted the Risk and Controls areas to gain information about logical user, system and data access controls and whether
controls guidelines were being followed.
Citigroup - Logical Access project; Gabelli Asset Management Corp. - Sox & Reviews
CIT Corporation - subcontractor to JWI month
PeopleSoft Access Security Review and SOX re-performance. Assisted IAD in due diligence of SOX compliance review and selectively re-performed
tests for validity, accuracy, and completeness.
AIG Corporation - subcontractor to JWI months
Participated in SOX reviews: ) open item left by previous IT auditor. Had to trouble shoot and finish project on time including draft report. ) IT SOX
review performed in < weeks: also entailed following up after previous IT auditor, closing all open items and generating a draft report.
Amscan Manufacturing and Distribution - subcontractor to Apprimus month
Strategic Security review and knowledge transfer/training for various senior/executive management. Reviewed access requirements for users and
assisted CIO in determining whether Citrix or SSL VPN are good for their environment. Also extricated requirements for IPS/IDS system. Helped the
CIO get a handle on the security architecture by developing a set of data flow diagrams to help isolate the security needs and where the security
infrastructure needs fortification. Isolated gaps in the architecture and worked with the ISO to prepare for a SOX audit. Developed project plan; worked
with client personnel to define objectives, scope, deliverables; estimated resource needs to meet project requirements; designed security process
improvements with recommendations for implementation; ensured information collected and documented accurately reflected circumstance status.
Organized meetings with various work teams to collect and disseminate project information. Worked effectively with IT group/personnel, vendors, and
other related members to ensure successful completion/resolution of project.
Westcon Networking Corporation - subcontractor to PNET month
Strategic Security review and knowledge transfer/training for various senior/executive management. Reviewed security architecture in place, initiated
policy-procedure framework for security. Interviewed multiple discipline management personnel as part of security review. Suggested enhancements for
ISO choice appropriate to a global international organization. Initiated training for mid-level project manager for Information Security Officer
position.
Designed and scoped project phases and steps to completion.
Steve Madden Manufacturing - subcontractor to Geller & Associates, months
Reviewed prior audits performed. Reviewed prior SOX work performed. Reviewed compliance questionnaires, wrote tests and evaluated results of tests
of controls, summarized issues into control sheets per COSO and recommended remediation steps for exposures or failed controls. Worked with CIO to
conform to compliance requirements and guided development of an ongoing program of compliance review. Developed project plan; worked with CIO,
CFO and external auditor to define objectives, scope, deliverables; estimated resource needs to meet SOX project requirements; designed security process
improvements with recommendations for implementation to close gaps found; ensured information collected and documented accurately reflected
circumstance status. Organized meetings with various personnel to collect and disseminate project information. Worked effectively with IT personnel,
vendors, and other related members, i.e. financial, to ensure successful completion/resolution of SOX project. Trained/mentored CIO in applicable
COBIT standards.
SL Green Real Estate - subcontractor, months
Reviewed the Test plan and revised and rewrote the tests of controls to conform to SOX requirements. Performed SOX IT tests of controls and summarized
issues into controls sheets per COSO and recommended remediation steps for exposures or failed controls.
Provident Bank - subcontractor, months
Reviewed compliance questionnaires, wrote tests and evaluated results of tests of controls, summarized issues into control sheets per COSO and
recommended remediation steps for exposures or failed controls. Worked with Risk VP to develop policies and procedures and processes to fulfill the
remediation effort and eliminate weaknesses.
UPS - subcontractor to Tekmark, months
Reviewed compliance questionnaires, diagrammed processes, isolated exposures/risks, located controls, wrote tests and evaluated results of tests of
controls - which became the standard for all subsequent consulting work done, summarized issues into control sheets per COSO and recommended
remediation steps for exposures or failed controls.
Instinet - subcontractor to JWI, months
Diagrammed processes, isolated exposures/risks, located controls, wrote tests and evaluated results of tests of controls, summarized issues into control
sheets per COSO and recommended remediation steps for exposures or failed controls.
Finley Jewelers - subcontractor to CSI, project manager months
Managed the review process for: compliance questionnaires, diagrammed processes; isolated exposures/risks, located controls; managed the design
of tests and evaluation of test results of controls - which became the standard for all subsequent consulting work done; reviewed comments/work of staff
who summarized issues into control sheets per COSO and recommended remediation steps for exposures or failed controls.
Note: As part of project execution: manage project scope to fit requirements; provide weekly project updates for leadership team/personnel - both written
and verbal; inform project partners on issues uncovered; identify risks and suggest mitigation recommendations.