OVERVIEW

Certified Professional with technical and project management experience. Subject Matter Expertise in Sarbanes-Oxley (SOX) Section 404, HIPAA, GLBA, ISO 17799, ISO 27001, NIST and PCI Security Standards, IT Compliance, and IT Security Assessment / Audit in the Financial, Manufacturing, Utility, Law, and Defense industries.

CITIZENSHIP

CERTIFICATION

- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- International Register of Certified Auditors (IRCA) for ISO 27001 ISMS Audit (application in process)
- Microsoft Certified Systems Engineer (MCSE)

SUMMARY

- Helped an exhibitor services firm achieve Payment Card Industry (PCI) Security compliance by identifying gaps, creating security policies and procedures, enhancing network security, enhancing security processes, and bridging the gaps.
- Managed and conducted IT Security Assessments, IT Audits, Risk Assessments, and Business Continuity/Disaster Recovery Plans (BCP/DRP) for several banks and credit unions according to FDIC, OTS, OCC and FFIEC Information Security Guidelines, the Gramm-Leach-Bliley Act (GLBA), ISO 17799, and ISO 27001.
- Led IT Security Assessment, Incident Response (CIRT), and Forensic Analysis tasks for several major manufacturers, law firms, utility and non-profit organizations.
- Led HIPAA Security regulations compliance assessment and Gap Analysis.
- Performed SOX 404 Compliance IT and Security Audits for Boeing, Akamai, NSTAR, and MASSBANK. These successful audit projects allowed clients to achieve SOX Compliance. Audit tasks included IT Control and Process Documentation, Design Effectiveness and Operating Effectiveness testing against the Control Objectives, documenting issues, and providing recommendations for remediation.
- Implemented Information Security Strategy, Systems Audit, Global Sales Force Automation Application Development (full life-cycle), and Database Development and Administration for a Fortune 500 company.
- Assessed, designed and implemented a strategy for securing an offshore facility and communication.
- Led numerous projects in Networking, Database, System Integration, and Application Development.
- Published a commercial security and networking software product, SMAC (http://www.klcconsulting.net/smac). SMAC is a MAC Address Modifying Utility for Windows 2000, XP, and 2003 systems.
- Created a WebDAV Scanner utility for Windows environments.
- Authored a virus analysis of the BotNet / mIRC virus/worm/Trojan and security best practice articles (http://www.klcconsulting.net/articles).

EXPERIENCE

1/2006 - Present
Fidelity Investments (Contracting), Marlboro, MA
Senior Security Analyst (Technology Risk Management)

- Participating in a database logging solution and vendor evaluation by developing requirements.
- Participating in password management solutions for shared accounts.
- Led the Risk Assessment and documentation of user access appropriate to roles (AATR) for two major applications within Fidelity.
- Acted as Subject Matter Expert (SME) for Oracle Database and Application related security assessments.
- Assisted in the creation of a customized AATR tool to help managers effectively evaluate and manage the access assigned to users.

12/2002 - Present
KLC Consulting, Inc.
Senior Security Consultant

- Co-authoring the SMAC network and security utility to resolve challenges that Networking and Security professionals are facing. SMAC is a MAC Address modifying utility for Windows 2000, XP and 2003 systems with over 500,000 users worldwide. Customers include Intel, HP, Cisco, Siemens,

A Leading Exhibitor Services Firm with Online Credit Card Processing
- Helped an exhibitor services firm to achieve Payment Card Industry (PCI) Security compliance by identifying gaps, creating security policies and procedures, enhancing network security, enhancing security processes, and bridging the gaps.

ITT Technical Institute:: SME for Risk Management, Security, Audit, and e-Commerce Security Courses
- Provided Subject Matter Expertise advice to support the development of an Information Security curriculum designed to achieve the credential of the NSA's National Centers of Academic Excellence in Information Assurance Education (CAEIAE) Program.
- Scoped and reviewed the course objectives to ensure required goals are achieved.
- Evaluated the content of courseware and provided recommendations to ensure the contents meet current security industry trends and the course objectives.

Multiple IT Security Assessment and Forensics Projects for the Law, Manufacturing, Retail and Banking Industries
- Conducting Incident Response / Handling for several organizations with suspected system compromises.
- Led an External Penetration Testing project for a major law firm. This test included the latest exploits, information gathering, Social Engineering, and vulnerability scanning tools, i.e. Nessus, Vigilante, nmap, etc.
- Led several Web Application Security Assessments and Penetration Tests for e-business applications for a major manufacturer. Application Security testing is based on the industry-recognized OWASP methodology.
- Managing Application Security Assessment and Penetration Testing, Network Penetration Testing, Wireless LAN Security, and Network Audit/Assessment and Network Vulnerability Testing for several financial institutions, and companies in the manufacturing and utility industries. Tools include: NMAP, Nessus, Vigilante, Snort, TCPDump, Windump, Hping, Ethereal, Microsoft Baseline Analyzer, HFNetChk, CISecurity Security Benchmark Tools, Ideahamster OSSTMM, OWASP, External Information Gathering (NS Records, Whois, UseNet), NetCat, L0pht, John the Ripper, Vulnerabilities and Exploits from Public Domains and IRC (Neworder.box.sk, packetstormsecurity.com, securityfocus.com), IDS, Social Engineering, Web, FTP, Telnet, and common open source and commercial security tools.
- Performing Virus / Worm / Trojan Analysis.

Unified Federal Credit Union:: Managing Information Security Assessment Consultant
- Helped identify the scope of the Information Security Assessment according to the business objectives, services, and National Credit Union Association (NCUA) Information Security Guidelines.
- Assessed the policies and procedures for adequacy to meet the desired Information Security requirements.
- Managed the vulnerability assessment, desktop security audit, network infrastructure assessment, Intrusion Detection strategy and planning, Disaster Recovery and Business Continuity planning, Vendor Contract Assessments, Insurance regarding Cyber Security, Email Security, and Anti-Virus protection software assessment.

CIGNA Health Plan:: IT Security Consultant under HIPAA Security
- Participated as a member of the off-shore outsourcing vendor security assessment team, and evaluated the risks of off-shoring for each in-house application.
- Built an Application Risk Analysis Tool to determine the risk of off-shoring an application and/or database.
- Implemented signatures for the Intrusion Detection Systems (IDS) designed to enhance the network security between the US Corporate Headquarters and the off-shore facilities.

Sacred Heart Southern
- Conducted a HIPAA Security Compliance Assessment for the health plan against the HIPAA Security Final Rules in the areas of Administrative, Technical and Physical security.
- Documented gaps and presented recommendations to senior management to achieve HIPAA compliance.

- Led the IT Security Architecture and Web Application Security assessments based on ISO 17799 and best practices.
- Identified issues and provided recommendations to enhance IT security.
- Developed a 3-year roadmap with prioritization of tasks to guide senior management to achieve the firm's IT Security goals.

Financial Services IT Security Assessment / Audit
- Performed IT Security Assessments under GLBA, NCUA, FDIC, OCC, OTS and FFIEC guidelines for Savings Banks, Co-op Banks, Credit Unions, and Mortgage Co.
- Evaluated the IT Security Programs, Policies and Procedures and identified gaps based on the applicable government regulations.
- Provided recommendations to resolve issues / gaps and to comply with the regulations.
- Developed Business Continuity / Disaster Recovery Plans for several regional banks.

Akamai:: Sarbanes-Oxley (SOX) 404 IT Audit Project Consultant
- Assisted the completion of the year two cycle for Sarbanes-Oxley 404 General Computing Controls (GCC).
- Performed GCC Audit testing on Control Activities in Information Security, Change and Configuration management on Business Applications, Computer Operations, Network Engineering, and System Administration of significant financial systems.
- Interfaced with the External SOX Auditor to negotiate agreeable processes, issues, and controls.
- Interviewed control performers, provided recommendations on the design of the IT controls, and documented control activities and processes based on the COBIT framework.
- Performed Operating Effectiveness testing, documented the issues identified, and provided recommendations on mitigating controls and/or remediation.

Boeing:: Sarbanes-Oxley (SOX) 404 IT Audit Project
- Successfully completed the cycle for Sarbanes-Oxley 404, and was given a Certificate of Achievement by the Vice President and Corporate Controller of Boeing.
- Interviewed control performers and documented control activities and processes.
- Performed General Computing Controls (GCC) Audit on Control Activities against the defined Control Objectives in Information Security, Change and Configuration management on Applications and Databases of significant financial systems.
- Performed Design Effectiveness and Operating Effectiveness testing, documented the issues found, and provided recommendations on mitigating controls and/or remediation.
- Interfaced with the External SOX Auditor to negotiate agreeable processes, issues, and controls.
- Developed SOX Risk Analysis Tools to determine the overall Application and Database Risk Profiles, which were used to justify the mitigating controls and audit trail requirements.
- Assisted management to complete the year-end SOX sign-off process.
- Assisted in SOX Audit documentation and process improvement.

NSTAR Electric and Gas:: Sarbanes-Oxley (SOX) 404 IT Audit Project
- Performed General Computing Controls (GCC) Audit on Control Activities against the defined Control Objectives in the Security management of the Financial Systems, IT infrastructure, networking and security devices.
- Documented issues and provided recommendations to address the findings, then performed re-testing of controls.

4/2000 - 11/2002
The Amaral Group, LLC
Managing Consultant, Information Security

- Conducted Penetration Testing, Network Audit/Assessment and Network Vulnerability Testing for several banks to ensure secure networks. FDIC, OCC and OTS guidelines and GLBA were followed in these engagements.
- Led Information Security Audits and Vulnerability Testing for several major companies and law firms based on business requirements, industry best practices, ISO 17799, and standard audit methodologies.
- Managed several multi-site Network Security and infrastructure projects, including Firewall, VPN, Anti-Virus, Backup/Restore Strategy, Routers, Switches, and Preventative Maintenance Support, for a major non-profit organization.
- Led research and study on the ISO 17799 Standard for an Information Security Best Practices Audit Program.
- Led a Server Security and Data Conversion project for the Massachusetts Institute of Technology (MIT) Sloan School, LFM-SDM department.
- Performed SQL Server Security Audit, Database Administration, and Performance Tuning for a leading architecture firm at
- Assisted a major paper e-marketplace in auditing its Change Management Process, designing and implementing a secure Interwoven TeamSite for content management and a Configuration/Release Management solution; integrated the e-marketplace with Rational ClearQuest for Change/Request Management using Oracle, SQL Server, VBScript, Perl, Visual Basic, Unix, NT, Interwoven TeamSite and Rational ClearQuest.
- Provided SQL Server DBA Support for major manufacturer and transportation companies.
- Managed a Change Request Management System Development project for a leading media company.

12/1997 - 6/2001
Compaq Computer Corporation, Marlboro, MA
Independent Lead Consultant - Trilogy Project

- Coordinated and developed the Information Security strategy and Network Infrastructure for multi-nation development, testing and production environments: NT servers, Windows 2000 servers, SQL, Web, FTP, Middleware, Data Warehousing servers, and Quote Repository servers.
- Jointly led Global Sales Force Automation application security and development for Quotes and Configuration, developed in multi-language and multi-currency form and supporting 22 countries including Asia,
- Involved in the full SDLC for the software implementation, from Application Security, Business Requirements gathering, Business Analysis, Software Development, Software Quality Assurance (SQA), and User Acceptance Testing to Release and Maintenance.
- Developed a Web-based Quotes tracking system, which increased the efficiency with which field sales representatives communicate with customers.
- Conducted application development and training for geographical program managers from around the world.
- Led a weekly global conference call for geographical program managers to address issues and concerns, and to coordinate the large-scale development effort.
- Developed an automated software-testing solution using Rational SQA Suite and Robot.
- Managed monthly application support, build, release and version control.

10/1996 - 11/1997
PricewaterhouseCoopers, LLP
Senior IT Consultant

- Assisted in the maintenance and security of a Human Resource Oracle database for a leading photo equipment company.
- Created a secure financial data warehouse in SQL Server for a leading financial institution for mutual fund intra-day tracking and calculations. This project also included data migration from Access and Excel data into the data warehouse, creating analysis reports using Crystal Reports, and Visual Basic programming for heavy financial calculations.
- Developed a web-based application for the Food Broker Industry. This application improved the efficiency of the field sales representatives, allowed the company to obtain the most up-to-date information, and significantly reduced operating cost. The technologies utilized in this project included SQL Server, ActiveX, Visual Basic, VBScript, JavaScript, IIS,
- Improved the performance and presence of the website for a leading real estate company; the real estate property search speed improved 500%.
- Assisted the PricewaterhouseCoopers Consulting Internet website development in the area of Quality Assurance, which included bug tracking, change management, and load testing.

2/1995 - 9/1996
American Management Systems, Inc.
Software Development Consultant

- Developed the Environmental and Natural Resources Management System (ENRMS) for
- Developed a prototype Pen-Based (Handheld) super heavy-duty computer for the
- Trained junior programmers on software and database development best practices.

6/1991 - 2/1995
K & H Quality Computers, Inc.
Founder

- Strategized cost-effective marketing plans to maximize profit and repeat business.
- Sold home and business personal computers state-wide with technical support.
- Provided technical consulting on the hardware and software of IBM Compatible systems.
- Developed an Internet Relay Chat (IRC) user manual for mainframe for students at the
- Managed Sales and Marketing efforts for expanding revenue.

EDUCATION

B.S. Electrical Engineering

SKILLS

Information Security:
- Information Security and IT Governance (COBIT)
- ISO 17799, 27001 Standards
- Security Assessment / Audit
- Network Vulnerability Assessment
- Incident Response / Investigation
- Computer Forensic Analysis
- Virus Analysis
- Network Defense - Firewall, VPN, Router, Switches, Security Architecture, including Cisco, NetScreen, Checkpoint, SonicWall
- Web & Client/Server Application Security, OWASP testing methodology
- OSSTMM security testing methodology (Ideahamster)
- Intrusion Detection System, Intrusion Prevention System
- Disaster Recovery / Business Continuity Plan Strategy and Development
- Security Vulnerability Assessment and Penetration Testing
- Information Security Policy Best Practice based on NIST, ISO 17799, GAO
- Anti-Virus, Anti-Spam, Anti-Phishing

Security Regulations: