OVERVIEW

Certified Professional with technical and project management experience. Subject Matter Expertise in Sarbanes-Oxley (SOX) Section 404, HIPAA, GLBA, ISO 17799, ISO 27001, NIST and PCI Security Standards, IT Compliance, and IT Security Assessment / Audit in the Financial, Manufacturing, Utility, Law, and Defense industries.

CITIZENSHIP

CERTIFICATION

• Certified Information Systems Security Professional (CISSP)
• Certified Information Systems Auditor (CISA)
• International Register of Certified Auditors (IRCA) for ISO 27001 ISMS Audit (application in process)
• Microsoft Certified Systems Engineer (MCSE)
SUMMARY

• Helped an exhibitor services firm achieve Payment Card Industry (PCI) Security compliance by identifying gaps, creating security policy and procedures, enhancing network security, enhancing security processes, and bridging the gaps.
• Managed and conducted IT Security Assessment, IT Audit, Risk Assessments, and Business Continuity/Disaster Recovery Plan (BCP/DRP) engagements for several banks and credit unions according to FDIC, OTS, OCC, and FFIEC Information Security Guidelines, the Gramm-Leach-Bliley Act (GLBA), ISO 17799, and ISO 27001.
• Led IT Security Assessment, Incident Response (CIRT), and Forensic Analysis tasks for several major manufacturers, law firms, utility and non-profit organizations.
• Led HIPAA Security regulations compliance assessment and Gap Analysis.
• Performed SOX 404 Compliance IT and Security Audits for Boeing, Akamai, NSTAR, and MASSBANK. These successful audit projects allowed clients to achieve SOX Compliance. Audit tasks included IT Control and Process Documentation, Design Effectiveness and Operating Effectiveness testing against the Control Objectives, and documenting issues and providing recommendations for remediation.
• Implemented Information Security Strategy, Systems Audit, Global Sales Force Automation Application Development (full life-cycle), and Database Development and Administration for a Fortune 500 company.
• Assessed, designed and implemented a strategy for securing an offshore facility and its communications.
• Led numerous projects in Networking, Database, System Integration, and Application Development.
• Published commercial security and networking software, SMAC (http://www.klcconsulting.net/smac). SMAC is a MAC Address Modifying Utility for Windows 2000, XP, and 2003 systems.
• Created a WebDAV Scanner utility for Windows environments.
• Authored a virus analysis on the BotNet / mIRC Virus/worm/Trojan and security best practices articles (http://www.klcconsulting.net/articles).
EXPERIENCE

1/2006 – Present    Fidelity Investments (Contracting), Marlboro, MA
Senior Security Analyst (Technology Risk Management)

• Participating in a database logging solution and vendor evaluation by developing requirements.
• Participating in password management solutions for shared accounts.
• Led the Risk Assessment and documentation of user access appropriate to roles (AATR) for two major applications within Fidelity.
• Acted as Subject Matter Expert (SME) for Oracle Database and Application related security assessments.
• Assisted in the creation of a customized AATR tool to help managers effectively evaluate and manage the access assigned to users.
12/2002 – Present    KLC Consulting, Inc.
Senior Security Consultant

• Co-authoring the SMAC network and security utility to resolve challenges that Networking and Security professionals are facing. SMAC is a MAC Address modifying utility for Windows 2000, XP and 2003 systems with over 500,000 users worldwide. Customers include Intel, HP, Cisco, Siemens,

A Leading Exhibitor Services Firm with Online Credit Card Processing

• Helped an exhibitor services firm achieve Payment Card Industry (PCI) Security compliance by identifying gaps, creating security policy and procedures, enhancing network security, enhancing security processes, and bridging the gaps.

ITT Technical Institute:: SME for Risk Management, Security, Audit, and e-Commerce Security Courses

• Provided Subject Matter Expertise advice to support the development of an Information Security curriculum designed to achieve the credential of the NSA's National Centers of Academic Excellence in Information Assurance Education (CAEIAE) Program.
• Scoped and reviewed the course objectives to ensure required goals are achieved.
• Evaluated the content of courseware and provided recommendations to ensure the contents meet current security industry trends and the course objectives.

Multiple IT Security Assessment and Forensics Projects for Law, Manufacturer, Retail, Banking Industries

• Conducting Incident Response / Handling for several organizations with suspected system compromises.
• Led an External Penetration Testing project for a major law firm. This test included the latest exploits, information gathering, Social Engineering, and vulnerability scanning tools, i.e. Nessus, Vigilante, nmap, etc.
• Led several Web Application Security Assessments and Penetration Tests for e-business applications for a major manufacturer. Application Security testing was based on the industry-recognized OWASP methodology.
• Managing Application Security Assessment and Penetration Testing, Network Penetration Testing, Wireless LAN Security, and Network Audit/Assessment and Network Vulnerability Testing for several financial institutions and companies in the manufacturing and utility industries. Tools include: NMAP, Nessus, Vigilante, Snort, TCPDump, Windump, Hping, Ethereal, Microsoft Baseline Analyzer, HFNetChk, CISecurity Security Benchmark Tools, IdeaHamster's OSSTMM, OWASP, External Information Gathering (NS Records, Whois, UseNet), NetCat, L0pht, John the Ripper, Vulnerabilities and Exploits from Public Domains and IRC (Neworder.box.sk, packetstormsecurity.com, securityfocus.com), IDS, Social Engineering, Web, FTP, Telnet, and common open source and commercial security tools.
• Performing Virus / Worm / Trojan Analysis.

Unified Federal Credit Union:: Managing Information Security Assessment Consultant

• Helped identify the scope of the Information Security Assessment according to the business objectives, services, and National Credit Union Association (NCUA) Information Security Guidelines.
• Assessed the policies and procedures for adequacy to meet the desired Information Security requirements.
• Managed the vulnerability assessment, desktop security audit, network infrastructure assessment, Intrusion Detection strategy and planning, Disaster Recovery and Business Continuity planning, Vendor Contract Assessments, Insurance regarding Cyber Security, Email Security, and Anti-Virus protection software assessment.

CIGNA Health Plan:: IT Security Consultant under HIPAA Security

• Participated as a member of the off-shore outsourcing vendor security assessment team, and evaluated the risks of off-shoring for each in-house application.
• Built an Application Risk Analysis Tool to determine the risk of off-shoring an application and/or database.
• Implemented Intrusion Detection System (IDS) signatures designed to enhance the network security between the US Corporate Headquarters and the off-shore facilities.

Sacred Heart Southern

• Conducted a HIPAA Security Compliance Assessment for the health plan against the HIPAA Security Final Rules in the areas of Administrative, Technical and Physical security.
• Documented gaps and presented recommendations to senior management to achieve HIPAA compliance.

• Led the IT Security Architecture and Web Application Security assessments based on ISO 17799 and best practices.
• Identified issues and provided recommendations to enhance IT security.
• Developed a 3-year roadmap with prioritization of tasks to guide senior management to achieve the firm's IT Security goals.

Financial Services IT Security Assessment / Audit

• Performed IT Security Assessments under GLBA, NCUA, FDIC, OCC, OTS, and FFIEC guidelines for Savings Banks, Co-op Banks, Credit Unions, and Mortgage Companies.
• Evaluated the IT Security Programs, Policies and Procedures and identified gaps based on the applicable government regulations.
• Provided recommendations to resolve issues / gaps and to comply with the regulations.
• Developed Business Continuity / Disaster Recovery Plans for several regional banks.

Akamai:: Sarbanes-Oxley (SOX) 404 IT Audit Project Consultant

• Assisted the completion of the year-two cycle for Sarbanes-Oxley 404 General Computing Controls (GCC).
• Performed GCC Audit testing on Control Activities in Information Security, Change and Configuration Management of Business Applications, Computer Operations, Network Engineering, and System Administration of significant financial systems.
• Interfaced with the External SOX Auditor to negotiate agreeable processes, issues, and controls.
• Interviewed control performers, provided recommendations on the design of the IT controls, and documented control activities and processes based on the COBIT framework.
• Performed Operating Effectiveness testing, documented the issues identified and provided recommendations on mitigating controls and/or remediation.

Boeing:: Sarbanes-Oxley (SOX) 404 IT Audit Project

• Successfully completed the cycle for Sarbanes-Oxley 404, and was given a Certificate of Achievement by the Vice President and Corporate Controller of Boeing.
• Interviewed control performers and documented control activities and processes.
• Performed General Computing Controls (GCC) Audit on Control Activities against the defined Control Objectives in Information Security, Change and Configuration Management of Applications and Databases of significant financial systems.
• Performed Design Effectiveness and Operating Effectiveness testing, documented the issues found and provided recommendations on mitigating controls and/or remediation.
• Interfaced with the External SOX Auditor to negotiate agreeable processes, issues, and controls.
• Developed SOX Risk Analysis Tools to determine the overall Application and Database Risk Profiles, which were used to justify the mitigating controls and audit trail requirements.
• Assisted management to complete the year-end SOX sign-off process.
• Assisted in SOX Audit documentation and process improvement.

NSTAR Electric and Gas:: Sarbanes-Oxley (SOX) 404 IT Audit Project

• Performed General Computing Controls (GCC) Audit on Control Activities against the defined Control Objectives in Security management of the Financial Systems, IT infrastructure, networking and security devices.
• Documented issues and provided recommendations to address the findings, then performed re-testing of controls.
4/2000 – 11/2002    The Amaral Group, LLC
Managing Consultant – Information Security

• Conducted Penetration Testing, Network Audit/Assessment and Network Vulnerability Testing for several banks to ensure secure networks; FDIC, OCC, OTS guidelines and GLBA were followed in these engagements.
• Led Information Security Audit and Vulnerability Testing for several major companies and law firms based on business requirements, industry best practices, ISO 17799, and standard audit methodologies.
• Managed several multi-site Network Security and infrastructure projects, including Firewall, VPN, Anti-Virus, Backup/Restore Strategy, Routers, Switches, and Preventative Maintenance Support, for a major non-profit organization.
• Led research and study on the ISO 17799 Standard for an Information Security Best Practices Audit Program.
• Led a Server Security and Data Conversion project for Massachusetts Institute of Technology (MIT) Sloan School, LFM-SDM department.
• Performed SQL Server Security Audit, Database Administration, and Performance Tuning for a leading architecture firm at
• Assisted a major paper e-marketplace in auditing its Change Management Process, designing and implementing a secure Interwoven TeamSite for content management and a Configuration/Release Management solution; integrated the e-marketplace with Rational ClearQuest for Change/Request Management using Oracle, SQL Server, VBScript, Perl, Visual Basic, Unix, NT, Interwoven TeamSite and Rational ClearQuest.
• Provided SQL Server DBA support for major manufacturing and transportation companies.
• Managed a Change Request Management System Development project for a leading media company.
12/1997 – 6/2001    Compaq Computer Corporation, Marlboro, MA
Independent Lead Consultant - Trilogy Project

• Coordinated and developed the Information Security strategy and Network Infrastructure for multi-national development, testing and production environments: NT servers, Windows 2000 servers, SQL, Web, FTP, Middleware, Data Warehousing servers, and Quote Repository servers.
• Jointly led Global Sales Force Automation application security and development for Quotes and Configuration, developed in multi-language and multi-currency form, that supported 22 countries including Asia,
• Involved in the full SDLC for the software implementation, from Application Security, Business Requirements gathering, Business Analysis, Software Development, Software Quality Assurance (SQA), User Acceptance Testing, to Release and Maintenance.
• Developed a Web-based Quotes tracking system, which increased the efficiency of field sales representatives' communication with customers.
• Conducted application development and training for geographical program managers from around the world.
• Led a weekly global conference call for geographical program managers to address issues and concerns, and to coordinate the large-scale development effort.
• Developed an automated software-testing solution using Rational SQA Suite and Robot.
• Managed monthly application support, build, release and version control.
10/1996 – 11/1997    PriceWaterhouseCoopers, LLP
Senior IT Consultant

• Assisted in the maintenance and security of a Human Resource Oracle database for a leading photo equipment company.
• Created a secure financial data warehouse in SQL Server for a leading financial institution for mutual fund intra-day tracking and calculations. This project also included data migration from Access and Excel into the data warehouse, creating analysis reports using Crystal Reports, and Visual Basic programming for heavy financial calculations.
• Developed a web-based application for the Food Broker Industry. This application improved the efficiency of the field sales representatives, allowed the company to obtain the most up-to-date information, and significantly reduced operating cost. The technologies utilized in this project included SQL Server, ActiveX, Visual Basic, VBScript, JavaScript, IIS,
• Improved the performance and presence of the website for a leading real estate company; the real estate property search speed improved 500%.
• Assisted the PriceWaterhouseCoopers Consulting Internet website development in the area of Quality Assurance, which included bug tracking, change management, and load testing.
2/1995 – 9/1996    American Management Systems, Inc
Software Development Consultant

• Developed the Environmental and Natural Resources Management System (ENRMS) for
• Developed a prototype Pen-Based (Handheld) super heavy-duty computer for the
• Trained junior programmers on software and database development best practices.
6/1991 – 2/1995    K & H Quality Computers, Inc
Founder

• Strategized cost-effective marketing plans to maximize profit and repeat business.
• Sold home and business personal computers state-wide with technical support.
• Provided technical consulting on the hardware and software of IBM Compatible systems.
• Developed an Internet Relay Chat (IRC) user manual for the mainframe for students at the
• Managed Sales and Marketing efforts to expand revenue.
EDUCATION

B.S. Electrical Engineering
SKILLS

Information Security:

• Information Security and IT Governance (COBIT)
• ISO 17799, 27001 Standards
• Security Assessment / Audit
• Network Vulnerability Assessment
• Incident Response / Investigation
• Computer Forensic Analysis
• Virus Analysis
• Network Defense - Firewall, VPN, Router, Switches, Security Architecture, including Cisco, NetScreen, Checkpoint, SonicWall
• Web & Client/Server Application Security, OWASP testing methodology
• OSSTMM security testing methodology (Ideahamster)
• Intrusion Detection System, Intrusion Prevention System
• Disaster Recovery / Business Continuity Plan Strategy and Development
• Security Vulnerability Assessment and Penetration Testing
• Information Security Policy Best Practice based on NIST, ISO 17799, GAO
• Anti-Virus, Anti-Spam, Anti-Phishing

Security Regulations: