OVERVIEW

Certified Professional with technical and project management experience. Subject Matter Expertise in Sarbanes-Oxley (SOX) Section 404, HIPAA, GLBA, ISO 17799, ISO 27001, NIST and PCI Security Standards, IT Compliance, and IT Security Assessment / Audit in the Financial, Manufacturing, Utility, Law, and Defense industries.

CITIZENSHIP

USA

CERTIFICATION

•  Certified Information Systems Security Professional (CISSP)

•  Certified Information Systems Auditor (CISA)

•  International Register of Certified Auditor (IRCA) for ISO 27001 ISMS Audit (application in process)

•  Microsoft Certified Systems Engineer (MCSE)

SUMMARY

•  Helped an exhibitor services firm achieve Payment Card Industry (PCI) Security compliance by identifying gaps, creating security policies and procedures, enhancing network security and security processes, and bridging the gaps.

•  Managed and conducted IT Security Assessments, IT Audits, Risk Assessments, and Business Continuity/Disaster Recovery Plans (BCP/DRP) for several banks and credit unions according to FDIC, OTS, OCC, and FFIEC Information Security Guidelines, the Gramm-Leach-Bliley Act (GLBA), ISO 17799, and ISO 27001

•  Led IT Security Assessment, Incident Response (CIRT), and Forensic Analysis tasks for several major manufacturers, law firms, utilities, and non-profit organizations

•  Led HIPAA Security regulation compliance assessments and Gap Analysis

•  Performed SOX 404 Compliance IT and Security Audits for Boeing, Akamai, NSTAR, and MASSBANK. These successful audit projects allowed the clients to achieve SOX Compliance. Audit tasks included IT Control and Process Documentation, Design Effectiveness and Operating Effectiveness testing against the Control Objectives, and documenting issues and providing recommendations for remediation.

•  Implemented Information Security Strategy, Systems Audit, Global Sales Force Automation Application Development (full life-cycle), and Database Development and Administration for a Fortune 500 company

•  Assessed, designed, and implemented a strategy for securing an offshore facility and its communications

•  Led numerous projects in Networking, Database, System Integration, and Application Development

•  Published a commercial security and networking software product, SMAC (http://www.klcconsulting.net/smac). SMAC is a MAC Address Modifying Utility for Windows 2000, XP, and 2003 systems.

•  Created a WebDAV Scanner utility for Windows environments.

•  Authored a virus analysis of the BotNet / mIRC virus/worm/Trojan and security best practices articles (http://www.klcconsulting.net/articles)

EXPERIENCE

1/2006 – Present

Fidelity Investments (Contracting)

Marlboro, MA

Senior Security Analyst (Technology Risk Management)

•  Participating in a database logging solution and vendor evaluation by developing requirements.

•  Participating in password management solutions for shared accounts.

•  Led the Risk Assessment and documentation of user access appropriate to roles (AATR) for two major applications within Fidelity.

•  Acted as Subject Matter Expert (SME) for Oracle Database and Application-related security assessments.

•  Assisted in the creation of a customized AATR tool to help managers effectively evaluate and manage the access assigned to users.

12/2002 – Present

KLC Consulting, Inc.

Holden, MA

Senior Security Consultant

•  Co-authoring the SMAC network and security utility to resolve challenges that Networking and Security professionals face. SMAC is a MAC Address modifying utility for Windows 2000, XP, and 2003 systems with over 500,000 users worldwide. Customers include Intel, HP, Cisco, Siemens, ABB, and the US Government.

A Leading Exhibitor Services Firm with Online Credit Card Processing

•  Helped an exhibitor services firm achieve Payment Card Industry (PCI) Security compliance by identifying gaps, creating security policies and procedures, enhancing network security and security processes, and bridging the gaps.

ITT Technical Institute:: SME for Risk Management, Security, Audit, and e-Commerce Security Courses

•  Provided Subject Matter Expertise advice to support the development of an Information Security curriculum designed to achieve the credential of the NSA’s National Centers of Academic Excellence in Information Assurance Education (CAEIAE) Program

•  Scoped and reviewed the course objectives to ensure the required goals were achieved

•  Evaluated the content of courseware and provided recommendations to ensure the contents meet current security industry trends and the course objectives.

Multiple IT Security Assessment and Forensics Projects for the Law, Manufacturing, Retail, and Banking Industries

•  Conducting Incident Response / Handling for several organizations with suspected system compromises.

•  Led an External Penetration Testing project for a major law firm. This test included the latest exploits, information gathering, Social Engineering, and vulnerability scanning tools, e.g. Nessus, Vigilante, nmap, etc.

•  Led several Web Application Security Assessments and Penetration Tests of e-business applications for a major manufacturer. Application Security testing was based on the industry-recognized OWASP methodology.

•  Managing Application Security Assessment and Penetration Testing, Network Penetration Testing, Wireless LAN Security, Network Audit/Assessment, and Network Vulnerability Testing for several financial institutions and companies in the manufacturing and utility industries. Tools include: NMAP, Nessus, Vigilante, Snort, TCPDump, WinDump, Hping, Ethereal, Microsoft Baseline Analyzer, HFNetChk, CISecurity Security Benchmark Tools, IdeaHamster’s OSSTMM, OWASP, External Information Gathering (NS Records, Whois, UseNet), NetCat, L0pht, John the Ripper, Vulnerabilities and Exploits from Public Domains and IRC (Neworder.box.sk, packetstormsecurity.com, securityfocus.com), IDS, Social Engineering, Web, FTP, Telnet, and common open source and commercial security tools.

•  Performing Virus / Worm / Trojan Analysis

Unified Federal Credit Union:: Managing Information Security Assessment Consultant

•  Helped identify the scope of the Information Security Assessment according to the business objectives, services, and National Credit Union Association (NCUA) Information Security Guidelines

•  Assessed the policies and procedures for adequacy to meet the desired Information Security requirements

•  Managed the vulnerability assessment, desktop security audit, network infrastructure assessment, Intrusion Detection strategy and planning, Disaster Recovery and Business Continuity planning, Vendor Contract Assessments, Cyber Security insurance, Email Security, and Anti-Virus protection software assessment

CIGNA Health Plan:: IT Security Consultant under HIPAA Security

•  Participated as a member of the off-shore outsourcing vendor security assessment team, and evaluated the risks of off-shoring for each in-house application

•  Built an Application Risk Analysis Tool to determine the risk of off-shoring an application and/or database

•  Implemented signatures for the Intrusion Detection Systems (IDS) designed to enhance network security between the US Corporate Headquarters and the off-shore facilities

Sacred Heart Southern Mission:: HIPAA Security Compliance Assessment

•  Conducted a HIPAA Security Compliance Assessment for the health plan against the HIPAA Security Final Rule in the areas of Administrative, Technical, and Physical security

•  Documented gaps and presented recommendations to senior management to achieve HIPAA compliance

Cumberland Farms / Gulf Oil:: IT Security Architecture Assessment

•  Led the IT Security Architecture and Web Application Security assessments based on ISO 17799 and best practices

•  Identified issues and provided recommendations to enhance IT security

•  Developed a 3-year roadmap with prioritized tasks to guide senior management toward the firm’s IT Security goals

Financial Services IT Security Assessment / Audit

•  Performed IT Security Assessments under GLBA, NCUA, FDIC, OCC, OTS, and FFIEC guidelines for Savings Banks, Co-op Banks, Credit Unions, and Mortgage Companies

•  Evaluated the IT Security Programs, Policies, and Procedures and identified gaps based on the applicable government regulations

•  Provided recommendations to resolve issues / gaps and to comply with the regulations

•  Developed Business Continuity / Disaster Recovery Plans for several regional banks

Akamai:: Sarbanes-Oxley (SOX) 404 IT Audit Project Consultant

•  Assisted in the completion of the year-two cycle for Sarbanes-Oxley 404 General Computing Controls (GCC)

•  Performed GCC Audit testing on Control Activities in Information Security, Change and Configuration Management of Business Applications, Computer Operations, Network Engineering, and System Administration of significant financial systems

•  Interfaced with the External SOX Auditor to negotiate agreeable processes, issues, and controls

•  Interviewed control performers, provided recommendations on the design of the IT controls, and documented control activities and processes based on the COBIT framework

•  Performed Operating Effectiveness testing, documented the issues identified, and provided recommendations on mitigating controls and/or remediation

Boeing:: Sarbanes-Oxley (SOX) 404 IT Audit Project

•  Successfully completed the cycle for Sarbanes-Oxley 404, and was awarded a Certificate of Achievement by the Vice President and Corporate Controller of Boeing

•  Interviewed control performers and documented control activities and processes

•  Performed General Computing Controls (GCC) Audit on Control Activities against the defined Control Objectives in Information Security, Change and Configuration Management of Applications and Databases of significant financial systems

•  Performed Design Effectiveness and Operating Effectiveness testing, documented the issues found, and provided recommendations on mitigating controls and/or remediation

•  Interfaced with the External SOX Auditor to negotiate agreeable processes, issues, and controls

•  Developed SOX Risk Analysis Tools to determine the overall Application and Database Risk Profiles, which were used to justify the mitigating controls and audit trail requirements

•  Assisted management in completing the year-end SOX sign-off process

•  Assisted in SOX Audit documentation and process improvement

NSTAR Electric and Gas:: Sarbanes-Oxley (SOX) 404 IT Audit Project

•  Performed General Computing Controls (GCC) Audit on Control Activities against the defined Control Objectives in Security management of the Financial Systems, IT infrastructure, networking, and security devices

•  Documented issues and provided recommendations to address the findings, then performed re-testing of controls

4/2000 – 11/2002

The Amaral Group, LLC

Acton, MA

Managing Consultant – Information Security

•  Conducted Penetration Testing, Network Audit/Assessment, and Network Vulnerability Testing for several banks to ensure secure networks. FDIC, OCC, and OTS guidelines and GLBA were followed in these engagements

•  Led Information Security Audit and Vulnerability Testing for several major companies and law firms based on business requirements, industry best practices, ISO 17799, and standard audit methodologies

•  Managed several multi-site Network Security and infrastructure projects, including Firewall, VPN, Anti-Virus, Backup/Restore Strategy, Routers, Switches, and Preventative Maintenance Support, for a major non-profit organization

•  Led research and study on the ISO 17799 Standard for an Information Security Best Practices Audit Program

•  Led a Server Security and Data Conversion project for the Massachusetts Institute of Technology (MIT) Sloan School, LFM-SDM department

•  Performed SQL Server Security Audit, Database Administration, and Performance Tuning for a leading architecture firm in Boston

•  Assisted a major paper e-marketplace in auditing its Change Management Process and in designing and implementing a secure Interwoven Teamsite for content management and a Configuration/Release Management solution; integrated the e-marketplace with Rational ClearQuest for Change/Request Management using Oracle, SQL Server, VBScript, Perl, Visual Basic, Unix, NT, Interwoven Teamsite, and Rational ClearQuest

•  Provided SQL Server DBA Support for major manufacturing and transportation companies

•  Managed a Change Request Management System Development project for a leading media company

12/1997 – 6/2001

Compaq Computer Corporation

Marlboro, MA

Independent Lead Consultant - Trilogy Project

•  Coordinated and developed the Information Security strategy and Network Infrastructure for multi-nation development, testing, and production environments, including NT servers, Windows 2000 servers, SQL, Web, FTP, Middleware, Data Warehousing servers, and Quote Repository servers

•  Jointly led the security and development of a Global Sales Force Automation application for Quotes and Configuration, built in multiple languages and currencies and supporting 22 countries across Asia, Japan, North America, and Europe for over 3000 sales representatives. This application reduced the time for the quoting and configuration process from 2 business days to 2 minutes or less. The application dramatically reduced cost and generated over 3 billion dollars of revenue worldwide

•  Involved in the full SDLC for the software implementation, from Application Security, Business Requirements gathering, Business Analysis, Software Development, Software Quality Assurance (SQA), and User Acceptance Testing to Release and Maintenance

•  Developed a Web-based Quotes tracking system, which made communication between field sales representatives and customers more efficient

•  Conducted application development and training for geographical program managers from around the world

•  Led a weekly global conference call for geographical program managers to address issues and concerns and to coordinate the large-scale development effort

•  Developed automated software-testing solution using Rational SQA Suite and Robot

•  Managed monthly application support, build, release and version control

10/1996 – 11/1997

PriceWaterhouseCoopers, LLP

Burlington, MA

Senior IT Consultant

•  Assisted in the maintenance and security of a Human Resources Oracle database for a leading photo equipment company

•  Created a secure financial data warehouse in SQL Server for a leading financial institution for mutual fund intra-day tracking and calculations. This project also included data migration from Access and Excel into the data warehouse, creating analysis reports using Crystal Reports, and Visual Basic programming for heavy financial calculations

•  Developed a web-based application for the Food Broker Industry. This application improved the efficiency of the field sales representatives, allowed the company to obtain the most up-to-date information, and significantly reduced operating cost. The technologies utilized in this project included SQL Server, ActiveX, Visual Basic, VBScript, JavaScript, IIS, ADO, ADC, FrontPage, and Visual InterDev

•  Improved the performance and presence of the website for a leading real estate company; real estate property search speed improved 500%

•  Assisted the PriceWaterhouseCoopers Consulting Internet website development in the area of Quality Assurance, which included bug tracking, change management, and load testing

2/1995 – 9/1996

American Management Systems, Inc

Fairfax, VA

Software Development Consultant

•  Developed the Environmental and Natural Resources Management System (ENRMS) for Patuxent River Naval Air Warfare Center. This system tracked environmental conditions, waste management, and all other environment-related events at the base. It improved environmental manageability for the Public Works department at the base. The technologies included Visual Basic, Microsoft Access, Visual dBASE, and APIs

•  Developed a prototype Pen-Based (Handheld) super heavy-duty computer for the Patuxent River Naval Air Warfare Center to track bird migration paths to prevent collisions with fighter jets. The technologies included Visual Basic, MS Windows for Pen Computing, MS Access, Wireless file transfer, and Laplink

•  Trained junior programmers on software and database development best practices

6/1991 – 2/1995

K & H Quality Computers, Inc

Willington, CT

Founder

•  Strategized cost-effective marketing plans to maximize profit and repeat business

•  Sold home and business personal computers state-wide with technical support

•  Provided technical consulting on the hardware and software of IBM Compatible systems

•  Developed an Internet Relay Chat (IRC) user manual for the mainframe for students at the University of Connecticut. This work received front-page acknowledgement in the University newspaper

•  Managed Sales and Marketing efforts to expand revenue

EDUCATION

University of Connecticut

Storrs, CT

B.S. Electrical Engineering

SKILLS

Information Security:

•  Information Security and IT Governance (COBIT)

•  ISO 17799, 27001 Standards

•  Security Assessment / Audit

•  Network Vulnerability Assessment

•  Incident Response / Investigation

•  Computer Forensic Analysis

•  Virus Analysis

•  Network Defense - Firewall, VPN, Router, Switches, Security Architecture, including Cisco, NetScreen, Checkpoint, SonicWall

•  Web & Client/Server Application Security, OWASP testing methodology

•  OSSTMM security testing methodology (Ideahamster)

•  Intrusion Detection System, Intrusion Prevention System

•  Disaster Recovery / Business Continuity Plan Strategy and Development

•  Security Vulnerability Assessment and Penetration Testing

•  Information Security Policy Best Practice based on NIST, ISO 17799, GAO

•  Anti-Virus, Anti-Spam, Anti-Phishing

Security Regulations:

•  GLBA

•  FDIC

•  HIPAA

•  FFIEC

•  Sarbanes-Oxley (SOX)

•  NCUA, OTS, OCC Rules

•  PCI Security Standards

•  FDA’s 21 CFR Part 11

Networking:

TCP/IP, Wireless 802.11a/b/g, Exchange Server, Terminal Services, Citrix, physical wiring technology, Router, Switch, Network Design, Firewall

Database:

Oracle, MS SQL Server, Filemaker Pro, MySQL, MS Access, Database Development and Administration, Data Conversion, Data Migration, ADO, ODBC

Programming Languages:

Visual Basic, XML, VBScript, JavaScript, ASP, ActiveX, Perl, HTML, PL/SQL, TSQL, Crystal Report, VBA

Operating System:

NT / Windows 2000, XP, 2003, Unix, Linux

Foreign Language:

Fluent in Taiwanese and Chinese (Mandarin)

PROF. SOCIETY

Active Member of Information Systems Security Association (ISSA)

Active Member of International Systems Audit and Control Association (ISACA)

Active Member of International Association of Privacy Professionals (IAPP)