Robert Washington

CRISC, CISA, CISM

 forensics007@hotmail.com, Houston, TX (281) 451-7322

 

******** The building I'm working from blocks mobile signals, so I apologize that my phone time is limited. Email is the most efficient communication medium for me, as I should be able to answer any and all preliminary question to confirm that the role and my skill are a good fit. After we move forward in the process we can schedule time that I will dedicate to talk on the phone (basically when questions cannot simply be answered via email). Thanks for understanding.********

 

 

CERTIFICATIONS/ LICENSE HELD

Preparing for the Certified Ethical Hacker (CEH) and Certified Security Analyst (ECSA) certifications, leading to EC-Council Licensed Penetration Testing (LPT) credential (2016).
Certified in Risk and Information Systems Control	(CRISC)
Certified Information Systems Security Practitioner	(CISSP)
Certified Information Security Manager	(CISM)
Certified Information Systems Auditor	(CISA)
CheckPoint Certified Security Administrator	(CCSA)
(2) Cisco Certified Network and Design Professional- with Security and Voice Specialization	(CCDP, CCNP)
(2) Cisco Certified Network and Design Associate	(CCNA, CCDA)
(2) Microsoft’s Certified Systems Engineer and-MCP + Internet	(MCSE, MCP+I)
Comptia Computer Support Professional	(A+)

 

DEPARTMENT OF HOMELAND SECURITY, FEMA, SANS, CERT^® AND OTHER TRAINING

CERT®-Certified Computer Security Incident Handler certification program	(CERT-CSIH)
Comprehensive Cyber-terrorism Defense (Advance Penetration Testing)	(CCD)
Cyber-terrorism First Responder	(CFR)
Cybersecurity: Incident Handling and Response	(IHR)
Cybersecurity: Prevention, Deterrence, and Recovery	(PDR)
Certified Ethical Hacker certification training	(CEH)
Hacker Techniques, Exploits and Incident Handling (SANS Institute Ethical Hacking)
Computer Forensic Investigations and Incident Response (SANS Institute Digital Forensics)

 

 

SKILLS

Technology	Relevant Tools/ Applications
Risk/ Threat/ Vulnerability Management Security Tools	CoreImpact, SorceFire 3D IDS/ IPS, SNORT, Nessus, WireShark, Nmap, GFI LANguard, Cisco Secure MARS, ASA firewall, ACS, VPN, IPS/IDS, TripWire, VMWare, Altiris, FireEye ATP Suite, RSA ARCHER, RSA envision, ProofPoint Enterprise, BlueCoat Proxy, ServiceNow Ticketing, Symantec MSS, Prolexic DoS Defense Solution, Symantec AV and DLP, SSO, EnCase Cybersecurity, QuestOne Active Roles, Too many Open sourced tools to name
Operating Systems/ Applications	Cisco IOS, various Unix and Red Hat Linux. Microsoft Office, MySQL, MS SQL 6.5, Windows Client OS’s, Windows Server, Norton Ghost, Camtasia.
Industry Specific	Internal or external IT audit portals, risk assessment tracking, business process reengineering, Enterprise Resource Management (PeopleSoft, Banner), Engagement Risk Management (BP-RAT, RSA ARCHER, e-Advisor), Auditor Assistant.
Networking Hardware	Cisco PIX firewalls, Cisco Switches 1900 to 6500’s w/ (MSFC/RSM's), Cisco Routers up to 75xx series, WAN trunks, CSU/DSU's. PaloAlto Firewalls, Cabletron Routers.
Regulatory Compliance	FISMA, FFIEC, HIPAA, GLBA, FERPA, SoX, TAC 20x, PCI/DSS, SB 1386, CFAA, ECPA, PCI
Standards and Frameworks	CoBIT, ITIL, ISO 27000, ISO 31000, OWASP Top 10, SANS Top 20, FIPS 200 and NIST 800 series.
Industry Experience	Oil & Gas, Finance, Higher Education, Federal Government, State Government, Clinical Health Care, Big 4/5 Accounting, Fortune Top 10 – Mom & Pop.

 

 

 

 

 

SUMMARY

 

Over twenty years of increasingly responsible military and civilian Information Security experience solving business and technical problems through the application of advanced technology in networking, security, systems and resource management. Designed and implemented Comprehensive Information Security Programs from the ground up based on industry standards and frameworks of CoBIT, ISO 31000, FIPS 200, ITIL, PCI-DSS and NIST 800. Experience leading organizations to Information Safeguard Regulatory Compliance, using Industry Standards and Frameworks. Compliance leadership included hands-on implementation of policies, strategic plans, procedures, risk, threat, vulnerability assessments and penetration test to expert recommendations for mitigation plans for regulatory requirements listed in ISO, FFIEC, HIPAA, PCI, FERPA, TAC 202 and more.  Recognized for using strong analytical and problem solving skills for superior and effective communication at multiple levels of organizational hierarchy. Throughout career have had an abundance of Technical and Business exposure on projects for Fortune 100 Corporations to Federal Agencies. Drafted several GISRA reports for Federal Agencies including security assessments according to FISMA requirements. Throughout career as direct hire and self-employed statutory employee have had an abundance of professional exposure on projects for Fortune 100 companies to small information service providers such as:

 

Total Network Solutions (TNS), ThruPoint Inc., G. E. Consultants, ARC Inc., Houston Chronicle, Enron Broadband Systems, Accenture Consulting, Computer Science Corporation (CSC), Raytheon, Lehman Brothers, Sprint, TSU, TriLink Services, Hearst Publishing, Synthesis Technologies, Court Services and Offender Supervision Agency (CSOSA), Department of Justice, Estee Lauder, University of Houston, SHAPE Community Center, Boys and Girls Club of America, Triad Resources, Gartner Research, SunGard, Tidewater Offshore Service, BP Energy, MasTech, KPMG, Cisco, EMC², VMWare, VCE, Northern Trust, Robert Half Technology, Protiviti, NBA, AIG and more.

 

 

Computer Security Incident Handling/ Management and Global-SOC Subject Matter Expertise

Lead the development several Corporate and Government organization’s Computer Security Incident Handling/ Management capabilities (building and improving). As Information Security SME responsibilities included CSIRT/ Incident Management/ . Integrated Cyber Defense teams for Global SOC operations and stand-a-lone Incident Handling operations with the following functions:

·   Cyber Threat Intelligence

·   Computer Security Incident Response Team (CSIRT)

·   Global Security Operations Center (SOC) Monitoring

·   Cyber War Games (scenario based Incident Response)

·   Red and Blue Team Leader

 

 

Primary tools, personally used and trained others to use proficiently on a daily bases in the efforts mentioned above:

 

·               Q-Radar ·               Tripwire TLC ·               RSA enVision ·               RSA Archer ·               FireEye Central Management CMS 7300 Series ·               FireEye Network Security NX Series ·               FireEye Email Security Email MPS 8400 series ·               FireEye Malware Analysis MAS 5400 Series ·               ProofPoint Enterprise Email Threat Protection ·               BlueCoat Proxy Servers ·               BlueCoat WebPulse Site Review

·               VirusTotals ·               Palo Alto Firewalls ·               Cisco ASA Firewalls ·               SeviceNow Service Management Ticketing System ·               Symantec Managed Security Services (limited ) ·               Prolexic DoS and DDoS Defense Solution (limited ) ·               EnCase Cybersecurity (limited ) ·               Dell's ActiveRoles server (formerly Quest One Active Roles ·               Full Active Directory Forest ·               Wireshark ·               Nmap

 

 

 

Computer Security Incident Handling/ Management is a component of the bigger functional Assurance programs that I have regularly had to develop and manage from scratch. Often times I have had to train organizations insourced and outsourced Technical Professionals to maintain integrated Computer Security Incident Handling/ Management operations through knowledge transfer and mentoring. Led these functions for the Financial, Higher Education, State/ Federal Government and Oil and Gas and Sports Entertainment sectors. As an Information Security SME consultant I have performed based on client needs at the Sr. Engineering (technical) to Executive (management) levels in these functions.

 

 

Assessment/ Audit/ Ethical Hacking/ Penetration Testing

Held the strategic title of Information Security Subject Matter Expert (SME) over the past 15+ years. Have lead Red Team (Tiger team) engagements chartered to Ethically Hack and Penetrate the Information Protection Defenses ("white hat hacking") of various organizations in the SME role. Tasks included Penetration and Vulnerability testing guided by OSWASP TOP 10 for Web based Applications SANS 20 Critical/ CoBit and NIST Security Control Objectives for Risk, Threats assessing/ modeling and Incident Response. All testing and assessments were performed on Servers, Thick/Thin Clients and Retail POS systems. Ultimately all tests lead to a final assessment of Information Protection in all forms (hard-copy print, digitally transferred, processed and stored). Assessments allowed for the development of (POAM) Plans of Action and Milestones, Strategic Planning, Regulatory Compliance and Systems Certification. Utilizing assessment results Delivered world-class IT, Risk, Governance, Security expert advice. Assessments performed for Federal and State regulated industries to include, but not limited to Banks regulated by PCI-DSS, FFIEC and GBLA to Healthcare organizations obligated to HIPAA and State institutions following TAC 202.

 

Developed proprietary testing (manual and automated) and assessment techniques and methodologies based Industry Standard and frameworks and best practice over decades in the field.

Using a specialized toolkit of commercial and open source utilities, able to conduct social engineering and intelligence discovery, analysis, reporting and post assessment sanitation. At times limited resources mandated scaled-down analysis such as: simple security investigations and root-cause analysis stemming from misconfiguration, infrastructure design reviews, and compliance issues, with a requirement to defend all findings. Provide Subject Matter Expertise in testing routers, switches, firewalls, Windows and Linux servers, workstations, Web applications and databases systems in LAN, internet, intranet, wireless and virtual environments. 

 

 

Strategic Documentation and Deliverables

Extensive oral and written communication skills for technical to executive reports and presentations such as, Zero-day Exploit findings to Compliance Memos. Developed organizations Strategic documents Library covering all “bread and butter”, Policy, Standards, Guidelines, Procedures and POAM’s. Interact with and brief the client as required throughout the engagement, and with extra urgency when material risks are discovered that need immediate attention. 

 

Technical writing experience developing Assessment Rules of Engagements (RoE), Scope of Works, Test Plans, Standard Operating Procedures (SOP), Risk Mitigation Action Plans, among others. Extensive research ability used to provide recommendations and knowledge transfer to client for hardening defenses and continuous improvement. 

 

Directed technical support staff to identifying, recommend and implement risk mitigation strategies safeguards. Coordinates efforts to assure compliance with assessment findings including root cause analysis strategy sessions. Lead Computer Security Incident Response teams to prevent additional loss and to obtain and preserve forensic evidence. Developed Information Protection Awareness Programs with training curriculum and Systematic distribution of security notices and alerts.

 

 

 

EXPERIENCE

NeTTanium Inc. (SunGard, BP Energy, KPMG, Cisco, EMC², VMWare, VCE, Northern Trust,

                             Robert Half Technology, Protiviti, NBA, AIG) HOUSTON, TX JUNE 2002 - current

 

COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)/ GLOBAL SECURITY OPERATIONS CENTER (GSOC) SME

 

Sr. IT AUDIT/ ATTESTATION RISK CONSULTANT (Big 4 Consulting firm solution provider)
Lead the charge to plan and execute the day-to-day activities of IT audit engagements for clients, including system development, SSAE 16 readiness assessments and platform reviews within Oil & Gas support industries. Evaluate the design and effectiveness of technology controls and related risk throughout the business cycle. Identify and communicate findings to senior management and clients utilizing publication quality level writing. Help identify performance improvement opportunities for the organization by documenting newly developed processes and procedures that increased efficiency, reporting capability and enhanced risk culture.

 

Oil & Gas RISK (THREAT) GOVERNANCE CONSULTANT (IT & Security Subject Matter Expert)
Functioned as Information Risk Management SME for a Corporation in the highly regulated energy industry. Developed and recommended risk management initiatives from Standards for Central risk registry to risk review and validation that regularly influenced the wider Risk agenda. Regularly utilized strong leadership skills and in-depth knowledge in Infrastructure and Digital Security to interface and network with various International Risk Leaders.

 

In the role of Risk Subject Matter Expert developed, trained and advised Risk Leaders in their development of internal risk management reports for senior management (e.g., Quarterly Performance Reviews, Main Board Audit Committee, Risk Management Report, Dashboards and Scorecards with Heat maps etc.). Engaged and advised various levels of management on how to understand and address complex IT and business risk issues. Developed strategies and guidelines for Risk Management/ Process oversight. Supported Risk Champions, facilitating Information and Strategy forums and Risk Culture change programs.
 

INFORMATION SECURITY CHIEF (Subject Matter Expert)
Tasked with developing institution wide Comprehensive Information Assurance (Security) program to support laws and local regulations ground up. Review documentation, business practices, and technical operations to render status of the institutions Information Security Posture. Design and developed Information Security Strategic plan to bring the organization into compliance with Federal and State laws and regulation with regards to securing the information resources. Implementation of Information Security measures using project management POAM tracking in strategic phases based on industry best practices and methodologies guided by NIST, DoD, SANS, ISO 31000, ISC2 and other standards organizations. Developed institutional Computer Security Incident Response Team (CSIRT). Functional tasks include IT audits, training, policy development/ compliance, testing and evaluations, continuity of operations, risk management & analysis, intrusion prevention/ detection/ containment/ recovery/ testing and many other functions of security.

 

DIRECTOR OF INFORMATION SECURITY/ IT AUDIT MANAGER

Managed information resources and technology for major projects. Proactively researched emerging technologies to anticipate misconfigured designs and malicious threats. Designed network and computer security test labs and prototypes for special projects. Other day to day tasks included incident response, Information Security; design, implementation, maintenance and disaster recovery. Developed and implemented budgets, schedules, system automation, security plans and risk analyses. Created policies, procedures, and workflows, performance appraisal with full transfer of knowledge. Authored corporate security manuals, policies, and many IT and Information Security courses. Led Company’s Computer Security Incident Response Team (CSIRT). Directed the implementation of technical countermeasures against existing and emerging threats to mission-critical networks and systems of Federal Agencies'.

 

 

DC & Co. (ARC, ThruPoint, BUTLER INT’L) WASHINGTON, DC JAN 1998 - JUNE 2002

       INFORMATION SECURITY ARCHITECT/ MANAGING CONSULTANT, MID-ATLANTIC

Managed corporate consulting resources and client engagements. Worked with account executives to manage and win sales opportunities. Worked closely with Executive Officers for revenue forecasting, consultant billable burn-rate reporting, engagement management and corporate technical strategy for Corporate and Federal clients.  Performed assessments that consisted of security risk, vulnerability, threats and networks. Mentored and trained junior and senior level consultants to attain various IT certifications CCIE's, CISSP's, CISA’s, CCSA's, CCSE's, etc. 

 

       SECURITY SOLUTIONS ENGINEER, NOC MANAGER, Network Engineer

As professional services team member, consulted as security solutions engineer, with pre- and post-sales support to manage the implementation, design, and development of cutting edge security solutions across international borders. Held various positions from directing teams to implementation of physical security, Internet security, penetration testing, risk assessment, re-engineering secure network designs, and computer security incident response. Duties involved many facets of secure LAN/WAN administration, POAM and troubleshooting to name a few.

 

 

US ARMY, CONTROL CENTER - FT. HOOD, TX/ GERMANY/ BOSNIAAUG. 1994 - JAN. 1998

      COMMUNICATIONS SECURITY (COMSEC) SPECIALIST

Managed a team that regularly assisted Special Forces Officers with risk assessments and evaluations of transmitted information and systems. Developed, interpreted, and implemented secure communications and cryptographic keys along with handling policies for ground and wireless communication environments. Responsibilities included maintenance of secure communications to ensure compliance with US Army, DoD and NSA cryptographic security directives. Developed Standard Operating Procedure (SOP) documentation for Tactical Squadron operations and secure handling of DoD encryption keys. 

 

 

EDUCATION/ HONORS/ PROFESSIONAL  

Master’s in Business Administration, University of Houston, (June 2017)

Bachelor of Science in Computer Information Technology (Security), University of Maryland.

Associate of Applied Science in Business-Real Estate, Houston Community College

Won US Army Green to Gold academic scholarship with Honorable Discharge.

(Volunteer) at Boys and Girls Club/ SHAPE community center, SC/ TX 1987- Present.

Security Clearance: Secret, since 1994, (inactive) Department of Defense

International Information Systems Security Certification Consortium (ISC)²

Information Systems Audit and Control Association (ISACA)