Department of Homeland Security (DHS), Intelligence and Analysis (I&A)
Crystal Clear Consulting, LLC/Alta IT Services, LLC
Washington, D.C.
Information Systems Security Officer (ISSO)
May 2016 – Present
- Ensure security requirements and artifacts for their designated major application or general support system are being maintained.
- Ensure requests for authorization and assessment of computer systems are completed in accordance with published procedures.
- Ensure protective measures for physical security threats, e.g. deadbolt locks on doors, placement of electrical wiring, etc., are in place.
- Ensure compliance with all Intelligence Community (IC) policies and guidance concerning the use of commercial proprietary software, e.g., respecting copyrights and obtaining site licenses.
- Ensure all required security artifacts (e.g., System Security Plan, Security Controls Traceability Matrix, etc.) for classified systems and networks are updated continuously.
- Ensure all required security artifacts for Guest Systems and Standalone Systems are kept on file and updated continuously.
- Ensure all new hardware, software and systems (to include standalone and guest systems) introduced into the SCIF are recorded and updated in a hardware/software inventory list. Make sure all new/updated inventory lists are forwarded to the Security Control Assessor (SCA).
- Ensure risk assessments are completed to determine cost-effective and essential safeguards.
- Participate in either a National Security System (NSS) Chief Information Security Officer (CISO) or the DHS Headquarters (HQ) ISSO training course to satisfy training requirements associated with the role of ISSO.
- Assist the NSS CISO with matters regarding oversight and compliance, and when specifically directed by the NSS CISO, distribute additional security awareness information or training requirements to the user community as appropriate.
- Participate in and provide required security documents for Annual Assessments/Continuous Monitoring under the guidance of the Security Control Assessor (SCA).
- Report IT security incidents (including computer viruses) in accordance with established procedures.
- Report security incidents not involving IT resources to the appropriate security office and/or the DHS onsite Site Security Officer (SSO).
- Provide input to appropriate NSS CISO IT security personnel for preparation of reports to higher authority concerning sensitive and/or national security information systems.
Defense Manpower Data Center (DMDC)
Crystal Clear Consulting, LLC/Tier One Technologies
Alexandria, VA
Information Assurance Lead
May 2014 – May 2016
- Responsible for sending out weekly Information Assurance Vulnerability Alerts (IAVAs) and Information Assurance Vulnerability Bulletins (IAVBs) to the development team. Work with the development team to figure out if any IAVAs/IAVBs have impacts to the Joint Personnel Adjudication System (JPAS). If any IAVAs/IAVBs affect JPAS, develop Plans of Action and Milestones (POA&Ms) and submit a Change Request (CR) for the work that needs to be completed to mitigate the vulnerability(ies).
- Attend weekly JPAS Release Meetings. Inform management of any IAVAs/IAVBs that have any impact to JPAS and whether any POA&Ms are required. Make updates to release meeting notes and the deliverable schedule.
- Enter Acknowledgements and First Report Numbers into the Information Assurance Vulnerability Management (IAVM) Tracker on a weekly basis.
- Update the JPAS Information Assurance (IA) Combined and JPAS Monthly Vulnerability Analysis Report (MVAR) on a monthly basis based on the IAVAs/IAVBs released during that period and any IA controls changing.
- Draft and update the Personnel Security Applications (PSA) Personally Identifiable Information (PII) Protection Policy and PSA Data Privacy Policy for the year. Ensure that all team members read and understand the PII Protection Policy and have signed off on the acknowledgment form. Responsible for conducting PII protection training annually.
- Responsible for putting together the Risk Management Framework (RMF) documentation package for accreditation.
- In charge of analyzing the vulnerabilities in the Assured Compliance Assessment Solution (ACAS) and providing reports to management.
Defense Threat Reduction Agency (DTRA)
Kforce, Inc.
Fort Belvoir, VA
Senior Information Assurance Engineer
March 2014 – May 2014
- Reviewed IA directives, created agency action plans, disseminated the information to all responsible parties, and tracked all tasks to completion.
- Assisted with maintaining and managing the Vulnerability Management System (VMS) at the enterprise level. Tracked and reported agency compliance within VMS, such as reporting compliancy numbers, first report numbers, and POA&M numbers for the agency.
- Assisted with reviewing all system Plans of Action and Milestones (POA&Ms), DAA Risk Acceptances (DRAs), and task assignments in VMS.
Defense Threat Reduction Agency (DTRA)
Maden Technologies
Fort Belvoir, VA
Mid Security Test and Evaluation Engineer
March 2013 – February 2014
- Delivered technical review and analysis of the Agency’s Certification and Accreditation documentation and made recommendations for “at risk” findings. Recommended the best practice(s) for mitigating vulnerabilities. Developed Technical Security Reviews (TSRs) for all “at risk” findings.
- Supported the Agency’s Certification and Accreditation process by identifying technical security requirements/controls for its systems/enclaves.
- Supported the Agency’s Change Control Board (CCB) and Engineering Review Board (ERB) with technical cyber security analysis and recommendations.
- Provided Agency-wide Information Assurance Vulnerability Management (IAVM); situational awareness; and near “real time” system/enclave IAVM compliancy dashboards and reports.
- Maintained and updated the Agency TSR Data Repository.
- Created and presented compliancy and risk presentations on a weekly basis.
- Continuously assessed the Agency’s security posture using Agency IAVM tool sets.
- Performed risk analysis and vulnerability assessments for Agency systems.
- Performed monthly discovery and compliance scans of Agency systems.
- Conducted onsite security audits to assess the overall security posture of various systems/locations within the Agency.
- Developed and maintained System Test and Evaluation (ST&E) and Vulnerability Management System (VMS) training for the Agency.
- Maintained a comprehensive list of all IP ranges (public and private) for all Agency systems.
- Maintained a comprehensive list of all IT assets for the agency.
- Provided Information Assurance (IA) Subject Matter Expertise in the review, interpretation, and recommendation in response to IA directives, alerts, and requirements.
- Recommended action plans regarding the applicability of IA requirements, and for compliance to IA requirements based on industry best practices.
- Administered and maintained the Agency IAVM mailing list and tracking system; reviewed all system Plans of Action and Milestones (POA&Ms) and DAA Risk Acceptances (DRAs) and tracked tasks to completion in VMS.
- Reviewed and maintained the Agency’s exception list.
- Maintained and managed VMS at the enterprise level. Tracked and reported agency compliance within VMS, such as reporting compliancy numbers, first report numbers, and POA&M numbers for the agency.
- Reviewed and provided guidance for all pertinent DoD, IC, DOE, and Federal IA and IS security requirements. Created policies, procedures, briefings, and guidance as required.
- Developed, maintained, and provided VMS training to all system owners and VMS users as needed.
- Collaborated with Subject Matter Experts to develop, coordinate, and publish any pertinent IA procedure and compliance documents.
- Drafted recommendations for intra- and inter-agency coordination.
- Reviewed and recommended the approval of IA-related POA&Ms and DRAs based on current cyber security risks against Agency Operational Mission requirements.
781st Military Intelligence (MI) Battalion (BN)
In support of the National Security Agency (NSA)
Fort Meade, MD
Computer Network Defense Analyst
January 2012 – March 2013
- Used information collected from a variety of computer network defense and SIGINT (signals intelligence) resources to identify, analyze, and report events that occur on digital networks.
- Planned, constructed, supported, and executed testing and evaluation activities of cyber capabilities.
- Conducted malicious software analysis to identify signatures associated with intrusion sets.
- Identified weaknesses in government systems and created a characterization of adversary capabilities.
- Performed in-depth analysis and recommended defensive and proactive measures to thwart potential malicious activity or inappropriate use by any internal or external entities.
- Used various Windows and Linux command line tools to gather information about systems. Used this information to determine if a system had been compromised.
- Unwrapped and installed virtual machines (VMs) and added them to network domains.
Department of Defense Education Activity (DoDEA)
Dan Sources, Inc./Excentium, Inc.
Arlington, VA
Information Assurance Engineer
May 2011 – January 2012
- In charge of heading up the certification and accreditation (C&A)/DoD Information Assurance Certification and Accreditation Process (DIACAP) for all DoDEA Headquarters (HQ) applications.
- Built Information Assurance (IA) policies and processes that were previously outdated or never implemented, such as the Acceptable Use Policy (AUP), Privileged Access Agreement (PAA), Virtual Private Network (VPN) policy, Portable Electronic Device (PED) policy, and IA training.
- Assisted with assigning Information Assurance Vulnerability Assessments (IAVAs) to DoDEA field units and entering status into the DISA Vulnerability Management System (VMS). Built an automated task assignment system for reporting IAVAs on the SharePoint Portal.
- Assisted with making sure that the McAfee Host Based Security System (HBSS) dashboards were configured for efficient monitoring of hosts. Assigned deployment tasks and built tags for organization trees. Built queries and reports. Monitored HBSS dashboards.
- Ran penetration tests with CoreImpact software to check for vulnerabilities and to exploit those vulnerabilities.
Army Training Support Center (ATSC)
Fort Eustis, VA
Information Assurance Manager (IAM)
May 2009 – May 2011
- Managed the entire Information Assurance Program for the Army Training Support Center (ATSC), to include Certification and Accreditation (C&A), Software Assurance, Information Assurance (IA) Training, Awareness, and Certification, Information Assurance Vulnerability Management (IAVM), and Configuration Management (CM).
- Responsible for ensuring that all systems on the network went through the proper DoD Information Assurance Certification and Accreditation Process (DIACAP) and that they all had an Authority to Operate (ATO).
- Ensured that all agency applications and systems had an approved Certificate of Networthiness (CoN).
- Attended the weekly Change Control Board (CCB) to ensure that any IT security issues were addressed.
- Responsible for running Information Assurance Vulnerability Assessment (IAVA) scans using the Retina and/or STAT program on all systems within the accreditation boundary to ensure that there were no weaknesses present for hackers to exploit. Ensured that all vulnerabilities were mitigated by the due date. Drafted Plans of Action and Milestones (POA&Ms) for any vulnerabilities that could not be corrected by the due date.
- Ensured that all system documentation, including Security Plans, Contingency Plans, Contingency of Operations (COOP), Disaster Recovery Plan (DRP), System Security Plan (SSP), Visitor Policy, Storage Policy, etc., was drafted and kept current. Ensured documents were stored in a secure location safe from natural or man-made disasters. Made sure copies of these plans were kept off-site. Responsible for employee awareness of these plans and ensured that Disaster Recovery and Contingency plans were tested and annual drills conducted.
- Ensured that all security and contingency testing was completed for all systems.
- Kept track of all users’ Information Assurance (IA) Training in the Army Training and Certification Tracking System (ATCTS) and ensured that all IA staff were compliant with training and certification requirements in DoD 8570.01-M.
Army Training Support Center (ATSC)
Fort Eustis, VA
Information Technology Specialist
September 2004 – May 2009
- Researched new technology and stayed abreast of current technology trends.
- Ensured that all automation orders were processed in a timely manner and that they complied with US Army standards, DA, and DoD mandates. Approved orders when necessary. Managed maintenance, billing, and processing of orders for all mobile communication equipment such as cellular phones, BlackBerrys, and pagers in the organization. Prepared timely and accurate automation acquisition advice/answers to ATSC managers/procurement requestors.
- As the Telephone Control Officer (TCO) for the Army Training Support Center, coordinated with ATSC directorates and supported activities to develop, acquire, and maintain efficient telephone systems, instruments, and data line support to meet mission requirements. Programmed and troubleshot the Norstar telephone system and set up telephone and voicemail for new entrants into the agency.
- Assisted in preparing System Security Accreditation Agreements (SSAAs) for mission systems using the DoD Information Assurance Certification and Accreditation Process (DIACAP). Assisted in transitioning mission systems accredited using the DoD Information Technology Security Certification and Accreditation Process (DITSCAP) to DIACAP. Ensured that all systems requiring accreditation followed all Management Information Systems (MIS) policies and procedures.
- Responsible for writing the System Security Accreditation Agreement (SSAA) for the Army Training Support Center Network (ATSCNET), which resulted in an Authority to Operate through August 2009 under the DITSCAP process. The SSAA included network topologies and all documents related to aspects of system security and network security for ATSCNET.
- Ensured that all ATSC systems were entered in their entirety into the Army Portfolio Management System (APMS) database. Acted as an APMS administrator for ATSC and assisted co-workers with updating their systems and entering new data required for data calls.
- Programmed and designed the Microsoft SharePoint Portal customized for ATSC telephone support using Microsoft InfoPath and XML.
- Acted as an Acceptor in the Wide Area Work Flow (WAWF) System to ensure that all payments for contracts were processed in a timely manner through DFAS.
- Assisted with writing the Statement of Work (SOW) and all documents related to the Automation Support Contract we have in place for hiring support for our mission servers. Ensured that the contract had all the correct waivers and justifications for processing it through the approval chains and contracting activity.
- Developed a phased plan for moving all ATSC's IT requirements involving phone and network connectivity, networked equipment, video teleconferencing systems (VTCs), PC moves, conference room design, cable television, telephone programming, etc. over to new buildings for a partial organization move. Acted as liaison between ATSC and the Department of Information Management (DOIM) and all vendors involved for IT requirements related to the move. Served as the Project Manager for ATSC directorates for all IT requirements related to the move. Implemented a phased approach to moving the organization's IT requirements over to new buildings.
- Acted as the Information Management Officer (IMO) in his absence, which involved making IT decisions for the organization and delegating tasks to employees.
Army Training Support Center (ATSC)
Fort Eustis, VA
Program Assistant
March 2004 – September 2004
- Prepared charts, graphs, and narrative information for reports and studies from material provided by higher level employees. Developed plans, timelines, and milestone charts for various projects. Prepared and designed briefs utilizing graphic software.
- Entered, edited, and extracted various data and information from automated systems.
- Assisted in conducting complex studies, economic analyses, and assessments involving training support issues with long-range focus.
Army Training Support Center (ATSC)
Fort Eustis, VA
Student Trainee (Information Technology)
December 2002 – March 2004
- Installed Common Access Card reader hardware and software on each user’s computer for encryption and decryption of e-mail.
- Created and maintained programs using C# in Visual Studio .NET.
- Installed Operating Systems over the network, including partitioning and converting FAT to NTFS using Norton Symantec Ghost Software.
- Responded to troubleshooting calls such as faulty printers, PC hardware/software issues, and network connectivity problems. Prepared computers to be connected to the network and set up user accounts.
- Researched software to ensure that software complies with the organization’s mission and vision. Tested software such as collaboration environments to ensure proper functionality on the network.