KEN HARLIN
iamcisa@earthlink.net
Security Architecture Experience Overview
§ Life Cycle Enterprise Architecture and Framework, Guiding Principles & IT Governance Standards (COBIT, TOGAF & UML) have been published
§ Security Architecture standards have been implemented using ISC2, ISO 27001(2), NIST 800-53r4, MITA 3.0, SOX & COBIT IT Controls, including FERC & NERC CIP regulations
§ Auditable Internal Control Policy, Process and Procedures have been initiated, documented, Agile- and PMBOK-project-managed, implemented and institutionalized to conform to CMS/HIPAA/HHS/COBIT/PCI regulation
§ Generated functional requirements from business requirements. Provided Current State, Future State, GAP Analysis & Roadmaps for Security Architecture
§ Provided Security Architecture in an Agile and PMBOK SDLC Waterfall Hybrid environment with Scrum process. Project Manager for Oil Refinery Process Controllers in the US & Off Shore
§ Determined Threat Model, threat matrix, vulnerabilities, risks & alternative remediation controls
§ Provided Security Architecture for Healthcare MMIS and HIE CMS Audit Compliance & RFP Initiative
§ Supported PCI Assessment, Internal & External Audit
§ Facilitated passing PCI Audit with virtually no open items
§ Security Operations, Risk Assessment and IT Security Bank Audits. I architected Single Sign On, Federated Identity Management, WS-Security
§ Application Security Architecture Guiding Principles, Application Security Profiling for SOAP & REST web services applications. AWS and Eucalyptus cloud technology.
CERTIFICATIONS:
Current: CISSP, CCSK, CISA (lapsed), ITIL, TOGAF & National Security Agency IAM, PMP & Agile Training
Recent Training: ISAM, TrustBuilder, Shibboleth, PMBOK, Agile, JIRA, Confluence, Jive, CSA, AWS, ECUA
CONTRACTUAL EXPERIENCE
Fortune 500 Consulting Firm – Nov 2014 to Present – Platform Health Enterprise Security Architect
· Provided the original and instantiated TOGAF based Health Enterprise Security Architecture (HESA) and Framework (HESAF) for health care provider Medicaid Management Information System (MMIS) per MITA 3.0 seven conditions and standards, NIST 800-53 r4 standards, ISO 27002 and OWASP best practices. Designed the MITA 3.0 compliant TOGAF based Platform Health Enterprise Architecture and Framework. Provided TOGAF consulting service & HESA Development Method. Owned the Health Enterprise Security Architecture.
· Supported RFP security solutions and CMS assessments for states' MMIS & Health Information Exchange (HIE) initiatives. Supported Health Enterprise CMS audit of material items with CAP security architecture solutions. Provided TOGAF certified support for CMS, MITA 3.0 Health Enterprise in an Agile environment with Scrum processes.
· Supported security architecture for IBM WebSEAL, TIM, TAM and ISAM, and the Portal to HTML5 platform migration. Supported WebSEAL protection of web URLs and URIs for conventional and REST web services. Designed Security Architecture Blueprints for critical MMIS security components.
· Architected current, transitional & target architecture for EAI step-up MFA authentication and eTAI SSO. Conducted Options & Impact analysis on security token protocols: SAML, OAuth & JSON Web Token (JWT).
· Assessed Health Enterprise cloud security service per SSAE 16 & Cloud Security Alliance CCM best practices. Provided MMIS support in meeting NIST 800-53 r4 and CMS Moderate Plus Safeguards. I provided NIST 800-53r4 Qualitative Security Assessment against SSAE 16, CSD and HIPAA standards in IBM and customer Data Centers.
· I developed Process Maps, Process & Procedure docs & assessed Use Cases in IBM Blueworks for CMS Moderate Plus security controls. I peer reviewed User Agile Stories in VersionOne, Use Case processes in IBM Blueworks and Agile/PMBOK processes in SharePoint, JIRA and Confluence. Supported on-boarding of new Security Architects and Project Coordinators in the PM Matrix.
MUFG Union Bank – Jun 2014 to Dec 2014 – Cloud Application Security Architect
· The MUFG Bank of Tokyo and Union Bank merger made me responsible for Combined Intranet Security.
· I was Project Leader & Security Architect for the Cross Coast Jive Cloud Application Security Assessment.
· Coordinated Data Loss Prevention expansion from East Coast to West Coast during the merger for cloud apps.
· Coordinated User Recertification Cross Coast Integration process, procedures and operational pain points.
· Provided phase 1 of DLP Cross Coast Upgrade: DLP Requirement Gathering and Analysis deliverable.
QVC – Jan 2014 to Apr 2014 – Enterprise Information Security Architect
· I developed the QVC Application Security Architecture Guiding Principles. I proposed a Baseline, Transitional & Target Application Security Architecture Framework in an API Managed/ESB environment. I developed an Application Security Risk Assessment Self Service Security Profiling Tool based on OWASP, ISO 27002 and the NIST 800 series.
Westfield Insurance – Feb 2013 to Dec 2013 – Enterprise Information Security Architect
· Security architected SSO Federated Identity Management Cross System Authentication & ID propagation. Provided Options & Impact product evaluation for SiteMinder and IBM SAM/WebSEAL/TFIM/IDI/STS.
· Security architected WS-Security Integration on DataPower gateway and Message Broker ESB for WebSphere applications including Guidewire ClaimCenter, FileNet, Thunderhead etc.
· Provided baseline XSA Project Charter and guidance on TOGAF Architecture Process including Cost, Resource Estimation, Order of Magnitude, and Options and Impact.
· I provided Enterprise Security Architecture services for Custody Assessments to support the RFP process. Provided guidance on Data Classification Security Control Matrix.
· Provided Security Architecture for Enterprise Managed File Transfer system (Sterling & Ipswitch), including Options & Impact, RFP, Product Evaluation & SOAP WS-Security transformation & Integration. I provided WS-Security training.
· Developed TOGAF based Westfield Enterprise Security Architecture.
Amgen – August 2012 to August 2012 – Cloud Security Architecture Consultant
· Architected Off Network Cloud Proxy Security Services for Amgen Worldwide Global Space. Provided vendor product evaluation Weighted Analysis for pre-RFP and Score Card for Response to RFP. Provided RFP/SOW Functional, Technical and Cost Requirements, including Cloud Proxy ISO 27001/SSAE 16 and Cloud Security Alliance Requirements doc to Global Strategic Sourcing. Provided SaaS Services evaluation.
Delta Products – June 2012 to August 2012 – Vulnerability Assessment Consultant
· Nessus Vulnerability Assessment and Configuration Review on Routers, Switches, Servers, Workstations, WAN Accelerators, VPN, FW, WAP and Voice Gateways, on site & remotely over SSL VPN from a Nessus 5.01 VM.
· Installed Nessus 5.01 on a Physical Server and a VMware Virtual Machine to achieve SSL VPN remote access.
Cast & Crew Entertainment Services – Oct 2011 to May 2012 – Enterprise Security Engineer
· Conducted Cast & Crew PCI Assessment and provided mitigation/remediation recommendations.
· Developed the Cast & Crew Enterprise Security Architecture Framework based on TOGAF & ISM3.
· Provided Strategic, Tactical & Operational Security models including ISO 27001/2 Control Processes.
· Provided Portal Application Java based security solutions for Digital Signature and Electronic Signatures.
· Launched NIPS Evaluation Project for Palo Alto NG Firewall, TippingPoint & Cisco ASA5540 AIP SSM-20.
Hongkong and Shanghai Banking Corporation (HSBC) – May 2011 to Sep 2011 – Risk Management IT Security Auditor
· Engaged Third Party Law Firms doing business with HSBC in a Security Assessment Risk Management process per Office of the Comptroller of the Currency (OCC) Laws & Regulations and the Federal Reserve.
· Executed ISO 27002 IT Security Audit of Law Firm Legal Partners, IT Security Team, HR and Physical Facility Manager. Collected IT & HR Security Policies, Data Process Flows and Responses to Questionnaires.
· Assessed Responses to Questionnaire and supporting evidence, then interviewed the Law Firm Team to validate their attestation of meeting the ISO 27002 based security requirements and the submitted evidence. Used Archer Compliance Process Manager to manage compliance and the audit/assessment process. Provided Recommendations for Remediation of Gaps. Published Security Assessments/Audits.
· Followed up with Law Firms to assess closure of Gaps to reduce the risk to HSBC and its customers.
Bank of America – Oct 2010 to May 2011 – Global Enterprise Vulnerability Security Assessment Eng.
· McAfee and Qualys Vulnerability Assessment Scanning, Reporting, Remediation Security Operations.
· Composed Auditable documentation: Process Map, Procedure, RACI, Management, & Process documents.
· Provided Audit Remediation for all Audit items and helped provide attestation for evidence of audit closure.
· Scan, Reporting and Remediation in North & South America, Europe, Asia, Africa and Middle East.
· Scanned nearly 2 million devices using over 100 McAfee and Qualys scanners deployed worldwide.
· Monitored Scan Performance before and after upgrades and provided performance tuning as required.
· Owned Vulnerability Security Operations for one of several global environments and backup for others.
· Enterprise Manager and Console Appliance admin for FS850, FS1000 appliances and Distributed System.
· Enterprise Manager & SQL Server Management Studio Express Reporting and Remediation monitoring.
· Developed Graphical Analytics for Tracking and Trending of vulnerability metrics in the Global space.
· Used Wireshark on proxy and other Infrastructure servers to remediate connectivity across domains.
· Provided Endpoint Security Governance and metrics for Americas, Asia, Africa, Europe & Middle East.
· ePolicy Orchestrator (ePO) reporting and metrics management to IT and Corporate Dashboard.
· Reported Vulnerability and Endpoint metrics to CISO for global risk and audit attestation.
Sempra Utilities – May 2010 – Advanced Meter Infrastructure Security Assessment Engineer
· Supported Smart Meter, Smart Sync, Meter Data Management System, CIS, CRM, DW & OCE SOA projects.
· Key IT Initiatives: Advanced Meter Infrastructure using Service Oriented Architecture Web Services for Legacy Systems, WS Gateway, Head End & wireless GPS/CDMA 12.922 meter services plus ZigBee HAN.
· Provided OS, Web and Application Scan, Security Assessment, Remediation Solution & Risk Assessment.
LA Department of Health Services – Aug 2008 to Jan 2010 – Cyber Security Assessment Engineer
· Provided Cyber CSI Forensics Analysis service process and procedures. Project managed Cyber CSI Services.
· Responsible for Staff Utilization & Tracking Workbook Report Design & Security Operations Charter.
· Foundstone Vulnerability Assessment for Security Operations, Process, Procedure docs and maintenance.
· AppDetective Database Vulnerability Assessments for Security Operations, maintenance & support.
· WebInspect Web Server Vulnerability Assessment Process, Procedure docs, Operations & maintenance.
· Used Splunk, RSA enVision, Kiwi and MARS for Security Assessment, Syslog Correlation & Monitoring.
· Responsible for TippingPoint Network Intrusion Prevention System (NIPS) monitoring and Assessment.
· Cisco Security Agent Host Intrusion Prevention System (HIPS), Process, Procedures doc & Operations.
· Cisco Intrusion Detection System Manager Express and Cisco IDS Device Manager Process & Procedure.
Hyatt Corp. – Mar 2008 to Aug 2008 – Credit Card PCI Compliance & Identity Management PM
· Provided PCI Access Control, Identity Management Tech Project Management & PCI Audit Consulting.
· Project Charter, Scope, TCO, PCI Audit Approach, Property Management, Reservation, PeopleSoft & ADP Integration of ID Access Management for PCI Compliance to meet PCI Access Control Requirements.
Acxiom – Dec 2006 to Feb 2008 – Security Architect – Credit Card Systems – Full Time Employment
· Implemented PCI Audit Compliance Program & supporting Security Architecture Auditable docs.
· Supported NIDS/IPS, HIDS, CP Firewall & FirePass VPN for PCI v1.1 CIP & ROC requirements.
· Facilitated PEPSCO Approved Penetration Test for Credit Card Systems PCI scoped environment.
· Enforced SAS 70 Compliance & provided System Architecture Blueprints & System Security Plans.
Honeywell Oil Refinery – Aug 2005 to Nov 2006 – Security Architect Project Manager
· Supported PIX and Check Point Firewall migrations. Implemented Monitoring & Auditing of all firewalls.
· Designed Cisco ASA5520 Adaptive Security Appliance Web VPN & firewall to support SharePoint.
· Provided Threat Assessment, including threats, vulnerabilities, risk and likelihood of occurrence.
· Evaluated alternative security remediation and compensatory safeguards and controls for threats.
· Project Manager, Process Control Security Remediation – Network Segmentation firewall initiative.
· Responsible for Project Charter, Project Plan, Project Risk, Key Stakeholder Matrix, etc.
· Architected security remediation project Cost Models for all Oil Refineries in US and Off Shore.
· Project deliverables on time, on cost. The Quality, Security and Fiduciary requirements were measured and met based on Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Reliability & Compliance.
Jacksonville Energy Authority (JEA) – Jul 2004 to Jul 2005 – Enterprise Security Architect
· Responsible for Enterprise Security Architecture Framework, Baseline and IT Governance.
· Provided Current & Future State GAP Analysis for System & Enterprise Security Plan based on COBIT, ISO 17799, ISC2, OMB, FERC and NERC regulations, standards & best practice.
· Provided preplanning, SDLC phased work-plans including FY05 cost and capacity planning.
· Provided Requirements Based Access Control and provided COBIT Audit Compliance Strategy.
· Provided Enterprise Security Blueprints & Security Architecture for Credit Card Systems.
· Designed Enterprise Wide Application Security N-Tiered Multi-Layered Threat Model.
· I published JEA Standards: IT Governance (COBIT), Enterprise Architecture (TOGAF), UML.
· Architect of the Original JEA Enterprise Architecture Framework and Guiding Principles.
State Farm Insurance – Jul 2003 to Jul 2004 – Lead Security Analyst – Code Assurance – Full Time Employment
· Integrated security into the software development life cycle & code review process.
· Published Code Assurance security guidance and patterns for Input Validation, Least Privilege, Secure Default & Role Based Access Control security principles. RBAC process map in Visio.
· Initiated, documented and integrated security validation test procedures for software Test Center.
McDonald's Corporate H.Q. – Jul 2002 to Jul 2003 – Security Architect
· Designed world class scalable and redundant SSL Accelerator and Content Services Switch architecture to terminate thousands of concurrent SSL sessions for a load balanced web services portal. Provided all security services and documentation: Global Security Architecture, Security Plan, Incident & Response Policy, SiteMinder Access Control Security Assessment, Global Data Center Physical Security.
GlobalNet – Apr 2001 to Jun 2002 – Security Architect
· Supported Multiple Company security, router, Internet and Web Services requirements.
· Provided Project Management for Voice over IP, Firewall and SNORT IDS.
T-Mobile/VoiceStream Wireless – Sep 2000 to Mar 2001 – Security Consultant & Global Security Project Leader
· Planned Risk Assessment program as a component of "Process Improvement".
· Provided Organizational Criticality Matrix and Level I, II and III Vulnerability Assessments.
· Provided Weighted Analysis for Perimeter Firewall System using PIX, Check Point FW & NetScreen.
· Secured Perimeter, Cisco 7140 VPN routers, LDAP, RADIUS, WAP, DNS, SQL Servers & Nokia 650 GPRS.
· Designed Carrier Class Firewall/VPN. Audited security processes & positively impacted Security Posture.
SBC – Jan 2000 to Oct 2000 – Security Consultant
· Implemented Firewalls, VPN and IDS security, including Cisco PIX, HP, ISS IDS on Nokia, NT & Unix.
· Provided HIPAA Security Assessment, GAP Analysis and Client presentations for Major Hospitals.
EMC – Boston – Jul 1999 to Jan 2000 – Firewall Security Consultant
· Provided Check Point Firewall/VPN Implementation & Support. Managed Firewall Security Policies.
· Generated Security Baseline Documentation using ISS Inc. Internet Security Scanner.
· Provided Level I, II and III Security Assessments/Audits using ISS, CyberCop and Retina scans.
Chicago Public Schools – Aug 1998 to Jul 1999 – Security Engineer – Network Design
· Supported OSPF, FW-1/VPN-1 HA, Security Policies, Procedures, Metrics, Audit & Monitoring.
· Designed Check Point FW/VPN system to support 600 schools for City of Chicago.
TECHNICAL SKILLS

Project Management
· PMO Tools: MS Project, Dashboard, Score Card, Project Charter, TMAP
· PCI Compliance Project Manager: Identity Access Management/Access Control Audit & Integration
· Security Project Manager: Process Control Security Remediation – Oil Refineries US & Off Shore, Blueworks
· Security Project Manager: SSO/Identity Management for Global Portal Design & Implementation, Confluence
· Security Team Project Leader: Assessment & design of wireless carrier security infrastructure, JIRA
· Project Control: Portfolio Process, Six Sigma TMAP, NSA-IAM, Risk Assessment, Guiding Principles
· Project Manager: Cyber Crime Scene Investigation Services, Security Operations Staff Utilization & Tracking

Security Documentation Published:
· Security Architecture Document for Credit Card Systems
· .NET/WebSphere/VB Guidance & Patterns: Input Validation, Least Privilege & Secure Default
· System Security Plan for PCI Audit and Compliance
· Assessment: Sarbanes-Oxley Internal Control
· Architect: SSO – WebSEAL, TFIM, ISAM, STS
· Procedures: Security Event Log & Monitoring
· Response to RFP; Use Case: Blueworks, VersionOne
· Security GAP Analysis – COBIT, ISO 27002, OMB, OCC
· Vulnerability Assessments: Process Maps, Process Doc, Procedure Doc & RACI auditable documentation
· Weighted Analysis – Palo Alto NG, Check Point FW, Cisco ASA, Cisco NIPS, 2FA, Cloud Services, EUCA
· .NET/WebSphere Input Validation Threat Model & Least Privilege Role Based Security Model
· Standards Published: Enterprise Security Standards Doc, PCI Compliant System Security Plan
· Standards Published: Enterprise Architecture (TOGAF), IT Governance (COBIT) & Modeling (UML)
· Org Criticality Matrix, Shibboleth IdP, SP, SAML
· Enterprise & System Security Plan – COBIT
· McAfee Vulnerability Assessment Security Operations Process & Procedure document, OAuth, SAML
· WebInspect Web Server & Services Vulnerability Security Operations Process & Procedure document
· AppDetective Application Vulnerability Assessment Security Operations Process & Procedure document
· TippingPoint Network Intrusion Detection Security Operations Process & Procedure document
· Cisco Security Agent Host Intrusion Detection Security Operations Process & Procedure document
· Cyber Crime Scene Investigation Security Services Process & Procedure doc., Cloud Vendor Assessment
· Security Operations PMO Project Management Process and Procedure & Security Operations Charter

Firewall Experience: Designed
· Palo Alto NG, Check Point FW-1 NG/AI, NGX, SPLAT
· Cisco PIX 515E, ASA5520, Cisco PIX Logs
· NetScreen 5, 10, 25, 50, 100, 208 & 1000 Carrier Class
· Linux – Check Point SecurePlatform
· Nokia IPSO (FreeBSD based) Platform
· Nokia, Voyager, Lynx, carrier class wireless

Virtual Private Networks (VPN):
· ASA5520 Web VPN, FirePass Remote VPN
· Cisco 3030 VPN Concentrator & Cisco IOS VPN
· Cisco PIX, Cisco 7140 VPN router

Intrusion Detection System (IDS):
· Palo Alto NG, Cisco ASA5540 AIP NIPS, TippingPoint
· McAfee IPS/HIDS, Cisco IPS Manager Express (IME)

Host Based Security:
· Norton & McAfee Virus Detection, McAfee DLP
· Cloud Security, SLA & Contract Compliance
· Cisco Security Agent (CSA), Tripwire IDS, OpenSSH
· OS Hardening, Check Point SecureClient

Scanners: Logging, Monitoring & Audit
· ISS, Nessus, Rapid7, Burp Suite & CyberCop Scanner
· WebInspect – Enterprise Assessment, Snare, Kiwi
· McAfee/Qualys, ArcSight SIEM, RSA enVision Syslog
· ePolicy Orchestrator (ePO), AuditCon

PKI, SSO and Access Control:
· AppDetective – Application Vulnerability Assessment
· SSO: SiteMinder, TFIM, WebSEAL, ISAM, STS
· LDAP, Active Directory, WebLogic, Oracle AS
· SecureIT TrustBuilder, Keytool, OpenSSL
· Digital Certs – Client Side & Server Side

Teaching: Northern IL Univ, DeVry, Triton College, Harold Washington College
· Math, Security Architecture, Cisco Router, Project Management
· Check Point Firewall, Unix, HTML Web Design
EDUCATION
· Northern Illinois University – Bachelor of Science – Electrical Engineering
· Northern Illinois University – Master of Science – Electrical Engineering, 21 hrs.
· Midwest College of Engineering & DePaul – Master of Science – Computer Engineering, 16 hrs.
References available upon request. ***Secret Clearance Previously Held***
Ken Harlin ● 630-877-8903 ● iamcisa@earthlink.net ● Carson, CA