From:                              route@monster.com

Sent:                               Saturday, May 07, 2016 5:09 AM

To:                                   hg@apeironinc.com

Subject:                          Please review this candidate for: Cloud

 

This resume has been forwarded to you at the request of Monster User xapeix03

Anil Varma 

Last updated:  04/07/15

Job Title:  not specified

Company:  not specified

Rating:  Not Rated

Screening score:  not specified

Status:  Resume Received


Arcola, VA  20148
US

Mobile: 5712696501   
anil_varma_is@yahoo.com
Contact Preference:  Email


 

 

RESUME

  

Resume Headline: Anil Varma - Information Security Manager

Resume Value: irm9gvjmmwhnpabj   

  

 

ANIL P. VARMA, CISM, CISSP, CEH, SEA
Phone: 571-269-6501
Executive Summary
A seasoned IT professional with a combined 20+ years delivering cyber security solutions along with software
development for government and corporate projects. Strong leader of effective, cross-functional technical teams
across all phases of project lifecycle. Defines Information Security Policies, Standards and Guidelines. Expertise in
NIST Special Publications, FISMA, FIPS, FedRAMP, DODD, OMB, DISA STIGS. Familiarity with standards and
frameworks such as ISO27001, COBIT, ITIL, SOX and PCI-DSS. Delivers insightful needs assessments and negotiates
cost-saving vendor agreements. Cultivates fine-tuned project teams meeting timelines and budget constraints. Defines
breakthrough technology options to meet organization’s security needs, standards, and long-term strategies.
Possesses extensive knowledge of security design patterns, principles, best practices, and methodologies in prominent
technologies including Mobile, Cloud Computing, and SOA.
Areas of Expertise
§ Identity and Access Management
§ Risk Management Framework
§ Cloud Security
§ Accreditation & Authorization
§ Secure Software Development Lifecycle
§ Enterprise Mobile Security
§ Web Application Security
§ Control Assessment
§ Vulnerability Assessment
§ Continuous Monitoring
SECURITY TOOLS
§ OPERATING SYSTEMS: Kali Linux, BackTrack, SELinux, Parrot Security, Samurai WTF, Tails
§ WEB APPLICATION FIREWALL: Akamai Kona WAF, Trustwave WebDefend, Imperva SecureSpan
§ SOA FIREWALL: CA API Management, SOA Software API Gateway
§ SIEM: McAfee Nitro ESM, Database Event Monitor, Log Manager, Event Receiver and Advanced Correlation Engine
§ DATA MASKING: Dataguise DgSecure, Informatica SDM, Compuware TDM
§ IDENTITY MANAGEMENT: Avoco Trust Platform, IBM Tivoli Federated IDM, OpenID, CA SiteMinder, Ping Identity
§ WEB ASSESSMENT TOOLS: HP WebInspect, IBM AppScan Enterprise, AppDetective Pro, BurpProxy Pro, SoapUI
Pro, MetaSploit, Nikto, SkipFish, sqlmap, Havij, Acunetix WVS
§ NETWORK ASSESSMENT TOOLS: Nessus, NMap, WireShark, TCPDump, Snort, Aircrack-NG, Kismet, NetStumbler
§ MOBILE SECURITY TOOLS: Good Technologies, FixMo, MobileIron, Samsung KNOX, Thursby PKard Pro,
Biometrics Associates baiMobile
§ FORENSICS TOOLS: Encase, Maltego, Helix
§ PRIVACY TOOLS: TrueCrypt, BoxCryptor, SpiderOak, BitLocker, GnuPG, PGP, TOR, VPN, Linux UKS
§ VIRTUALIZATION: VmWare ESXi, Workstation, Player, vSphere, Oracle VirtualBox
Security Clearance: DOD Secret (Inactive), IRS Public Trust, DHS Public Trust, USDA Public Trust
Professional Experience
UNITED STATES DEPARTMENT OF AGRICULTURE (USDA), WASHINGTON, D.C.
2013 – PRESENT
ENTERPRISE SECURITY ARCHITECT/SECURITY DELIVERY MANAGER
Coordinate information security activities to meet program and organization goals. Manage project lifecycles for
security initiatives, including conceptualizing, planning, implementing, and progress monitoring. Provide various
security reports to executive management. Engage with clients and assess high-level security programs to determine
needs, identify business drivers, gather regulatory requirements, and develop project scope, sequence, and cost-effective
controls. Define baseline security requirements, security architecture, and engineering guidelines and
standards.
§ Privacy Management
§ Vendor Management
§ Federal Standards
§ Regulatory Compliance
§ Emerging Technologies
Email: anil_varma@hotmail.com
§ Policies, Regulations and Standards: Possess advanced knowledge of industry standards and mandates
including FedRAMP, FISMA, OMB, FIPS, NIST 800 and 500 series, and Cloud Reference Architecture CSA-TSI.
§ Enterprise Security Services: Lead high-impact security initiatives creating enterprise services for Data
Masking, SOA Firewall, Web Application Firewall, Vulnerability Assessment, Continuous Monitoring and Static
Code Analysis.
§ Cloud Security: Compared and evaluated various private, public cloud technologies and tools from technical,
functional and financial feasibility standpoint. Provided senior architectural leadership to all phases of the Cloud
Program, including the Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Cloud Application
Architecture subprograms. Provided Security architecture thought leadership assessing or building out cloud
service provider environment that meets security, compliance and privacy requirements for USDA’s CDSI
program to implement solutions in PegaGov cloud, AWS and Akamai cloud based WAF.
§ Risk Assessment: Lead team for internal audits, vulnerability assessment, Continuous Monitoring and POA&M
management using CSAM. C&A packages such as System Security Plans, Configuration Management Plans,
Contingency Plans, Risk Assessment Reports, Privacy Impact Assessments, Security Assessment Reports, etc.
§ Collaboration: Collaborated with NRCS Enterprise Architecture and Governance team to define Secure SDLC,
artifacts, templates, checkpoints, stage gates and CCB to ensure applications are delivered with built-in security
and privacy that adhere to information assurance and compliance needs.
§ Relationship Building: Cultivate strong, positive relationships with all internal and external stakeholders
including clients, vendors, team members, and executives.
§ Leadership: Manage IT Security implementation teams and mentor junior team members.
BOOZ ALLEN HAMILTON, HERNDON, VA
2011-2013
INFORMATION SECURITY MANAGER
Manage project lifecycle for multiple client and investment endeavors. Develop white papers and coordinate team
developing related executive presentations. Supervise cross-functional technical teams of infrastructure personnel
and software developers and testers. Analyze requirements and develop project-specific best practices and guidelines.
§ Security Project Management: Responsible for all aspects of the project management lifecycle and ensuring
conformance to requisite reporting, tracking, and escalation processes to ensure an on-time, on-budget, and
successful completion of projects.
§ SDLC Leadership: Spearhead development of Enterprise Mobility Lifecycle (EMLC) within the Secure Mobility
Investment in compliance with Mission Systems Engineering processes, best practices, and regulatory guidelines:
DODD 8100.2 & 8420.01, NIST 800-53, 800-37, FISMA guidelines, and ITIL v3.
§ Compliance: Lead accreditation testing and remediation phase. Oversee ICD 503 compliance, DISA STIG
implementation; author the System Security Plan, Security Controls Traceability Matrix, and Security Test Plan
documents.
§ Projects: Cross-domain Shared Service Framework project for DIA, CAC-enablement for Arlington National
Cemetery (ANC) website, iMonitor mobile app for iOS and Android to facilitate Continuous Monitoring for
Enterprise Mobility, Security Architecture for Navy Health Organization Health Metrics application,
TrustMarket: an NSTIC solution for pilot investment project for Veteran’s Administration; and Network, Mobile
and Web Application Vulnerability Assessments for various clients such as DIA, Navy and ANC.
FANNIEMAE, HERNDON, VA
2003 – 2011
SECURITY ARCHITECT, 2006-2011
Lead enterprise-wide, secure development of software assets. Assess security threats, identify requirements, and
integrate controls into SDLC. Implement security controls and tracking tools and activities to support projects and
initiatives. Evaluate security controls, identify Enterprise Security Architecture gaps, and develop recommendations
to advance Enterprise Security capabilities. Ensure compliance with corporate policies and regulatory guidelines.
Develop performance metrics and traceability maps to determine architecture effectiveness.
§ Collaboration: Play an active role in Central Program Office-initiated Application Security Center of Expertise to
develop corporation-wide Security Best Practices and Threat Risk Modeling guidelines.
§ Strategic Planning: Create strategic software security roadmap and security architecture to encompass and
sequence security initiatives implementation.
§ Secure Development: Implement enterprise Application Security repository to host reusable secure code,
implemented best practices for static code analysis and Vulnerability Assessment as part of Agile development.
Educated development community on OWASP Top 10 and SANS 25 application security best practices.
SENIOR ARCHITECT & DEVELOPER, 2003-2006
Define and maintain architectural frameworks, patterns, standards, processes, and guidelines for business, systems,
and data architecture. Identify data entities, core and support technology, subject areas, and business functions that
transcend organizational and functional boundaries.
§ Project Lifecycle Management: Oversee multiple concurrent projects, ensuring adherence to technical
requirements, timely delivery, stakeholder interests and architectural vision.
§ Projects: Worked on several projects such as Enterprise Service Bus based on Tibco and Synchrony,
Multifamily Integration System based on WLI and WebServices; Disclosures, CESIR and Commitment &
Delivery based on J2EE, WebServices and XML.
§ Mentoring: Mentor team members in Agile/Scrum development process and provide other IT expertise.
MCI, INC., LEAD SENIOR DEVELOPER, TULSA, OK
1995-2003
NELCO SYSTEMS, LTD., SOFTWARE ENGINEER: REAL TIME SCADA, BOMBAY, INDIA
1993-1994
DATASOFT SOFTWARE SERVICES, SYSTEMS ANALYST: ACCOUNTING SOFTWARE, BOMBAY, INDIA
1992-1993
Education & Training
Master of Science, Computer Science, Bombay University, Bombay, India
Certified Information Security Manager (CISM)
Certified Ethical Hacker (CEH)
Sun Certified Enterprise Architect: J2EE Technologies
Certified Information Systems Security Professional (CISSP)
Akamai WAF Certification
Sun Certified Java Programmer
Affiliations
International Information Systems Security Certification Consortium, (ISC)2
Electronic Commerce Council, EC-Council
Information Systems Audit and Control Association, ISACA



Experience


 

Job Title

Company

Experience

Information Security Manager

InterSec, Inc.

- Present

 

Additional Info


 

Current Career Level:

Manager (Manager/Supervisor of Staff)

Date of Availability:

Within 2 weeks

Work Status:

US - I am authorized to work in this country for any employer.

Active Security Clearance:

None

US Military Service:

Citizenship:

US citizen

 

 

Target Job:

Target Job Title:

Information Security

 

Target Company:

Company Size:

 

Target Locations:

Selected Locations:

US-VA-Northern

Relocate:

No

Willingness to travel:

No Travel Required