Carnegie Mellon University - Tepper School of Business
CISO - Enterprise Security
Highly collaborative Information Security professional, passionate about security with a bias toward action, building trust through transparency and collaboration. Develop enterprise-wide data security strategy that supports the strategic plan, including incident handling, security awareness programs and compliance initiatives. Security audits of programs and data. Security Incident Management and Vulnerability assessments that create a strong security posture to ensure overall information security and response program. Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA).
Collaborative Enterprise Information Security | Information Assurance and Security | Risk Assessment process | DLP (Data Loss Prevention) - Data Fingerprinting, information risk and information asset discovery | Patch Management | SSAE 16 SOC2 | FFIEC | HIPAA | HITECH Security reviews | Security Best Practices. Subject matter expert in Information Security Risk Assessment, Security Architecture, Technical security, Security incident response, Cybersecurity, Public and Private Cloud Security Risk Management, Security infrastructure by design, SIEM, and Cloud Service Provider Oversight.
Author – “Information Security: Risk Management of GLBA and Service Provider Oversight”. (Amazon e-Book).
Blog - http://true-it-risk-management.blogspot.com/
Information Assurance and Security Architect using EPIC EMR conducting risk assessment and security initiatives, and creating Security Policies. Collaborative approach to Control design and remediation. Information security awareness at executive and employee levels. Business Contingency Planning / DR, Information Assurance Governance subject matter expert.
Director Information Security @
From July 2015 to Present (4 months), Palo Alto, California

Member of The HIMSS Identity Management Task Force and HIMSS Risk Assessment Task Force @
I am a contributing member of the HIMSS Identity Management Task Force and of the HIMSS Risk Assessment Work Group. | Identity Driven Enterprise (Security) Architecture [IDEAs] subject matter expert
From June 2014 to Present (1 year 5 months)

Interim Chief Information Security Officer @
- Developed a risk based entity wide strategy for their HIPAA Information Security Compliance program - integrated with their EPIC EMR, that included guidance for their HIPAA Privacy Rule and Breach Notification Rule Compliance efforts.
- Created an action plan to achieve PCI 3.1 compliance.
From November 2014 to May 2015 (7 months)

Director of Information Security - CISO @
Developed, implemented, and maintained an Enterprise-wide information security program that defined Security infrastructure and an annually revised corresponding strategic plan and goals. Provided the design of and leadership for IT Security posture, including prioritizing and leading security and compliance initiatives and response program by implementing a portfolio of controls & safeguards and Information security awareness across IT Operations, IT Applications, Firewall and data. Directed and coordinated IT security operations (engineers, technical staff, and external resources) in the performance of security functions and provided oversight of external resources and service providers. Subject matter expert on HIPAA risk assessment and risk management programs, [Contributing member of the HIMSS Information Risk Assessment Task Force], Security Architecture, Security Information Event Management (SIEM) and Data Leak Prevention (DLP) technologies.
From March 2012 to October 2014 (2 years 8 months), Alpharetta, GA

Vice President Information Security and Privacy - CISO @
VP Information Security | Privacy Officer | Dean, College of Compliance and Regulation, Seacoast National University. Developed and implemented an enterprise-wide information security program and security infrastructure that defined an information security awareness program and annually revised corresponding strategic plan and goals. Provided the design of an information security operations program and leadership for IT Security initiatives, including prioritizing and leading security and compliance initiatives, and implemented the use of a portfolio of controls & safeguards across IT Operations, IT Applications, Firewalls and data. Directed and coordinated IT security operations (engineers, technical staff, and external resources) in the performance of security functions and provided oversight of external resources and service providers. Subject matter expert on GLBA Privacy information risk assessment and risk management, Security Architecture, Security Information Event Management (SIEM) and Data Leak Prevention (DLP) technologies. Obtained Satisfactory or higher ratings from the regulators.
From May 2010 to April 2012 (2 years)

CEO and Founder @
Founded this Information Security and Risk management firm. Created enterprise-wide Risk Analysis and Management documents, Information risk and Security Architecture Design and Information Security Awareness programs for multiple firms, creating a strong security posture. Security audits - Cloud Computing and Vulnerability and Penetration testing for PCI, GLBA, HIPAA, and state privacy and identity theft programs. Subject Matter Expert in Information Security risk assessments (COSO & COBIT based). FFIEC compliance.
- Identified security control points for Oracle monitoring of network infrastructure security, (Defined Security infrastructure, Server and Firewall Configuration metrics, acceptable / failure definitions matrix and Application Separation of Duties, Access violation attempts etc.) that was used to create the GRC Security operations dashboard.
- Zero data breach events for all Security Architecture clients.
- Achieved no material weaknesses for SOX clients, and automated 90% of SOX testing.
- Created Information risk management process that included:
• Risk analysis and management, identification of information risk
• Information Security training and response program
• Information Security Awareness program
• Off-site access and use of ePHI from remote locations;
• Storage of electronic Protected Health Information on portable devices and media;
• Disposal of equipment containing electronic Protected Health Information;
• Business associate agreements and contracts;
• Data encryption;
• Virus protection;
• Technical safeguards in place to protect information assets and electronic Protected Health Information; and
• Monitoring of access to electronic Protected Health Information.
From 2006 to 2012 (6 years)

SAS 70 - SSAE16 SOC2 System Description and Internal Control Design @
Created an enterprise-wide SAS70 II / SOC2 Type II Information Security operations and Control design and process, including Information Risk Analysis and Assessment. Established a SOC2 control process that obtains unqualified opinions and a strong security posture.
From 2006 to 2012 (6 years)

Director Information Security @
Managing Director - IT Security | Audit Services
Managing Director, IT Security and Audit Services (May 2003 – June 2006)
Directed, planned, and managed all aspects of the IT Security and Audit practice for the New York and Florida offices. Audit effort included Firewall Internet Vulnerability testing and COBIT based SOX 404 reviews for over 40 firms; Third Party Controls, SAS 70s (Type II), IT General controls and entity level control reviews. Managed a staff of fifteen to twenty (15 to 20) professionals. RACF, AS/400, Windows NT, Oracle GRC Migration. FFIEC Guidance expert; achieved Regulatory compliance with FRB, FDIC, OCC for all clients.
From 2000 to 2006 (6 years)

Director | Information Security Audit @
VP | IT Auditor
Vice President and Project Manager, Year 2000 Project (Y2K) - February 1998 – April 2000
Managed the Y2K project for the Bank. Liaison between Information Technology and Management to scope, and verify the functionality of the Bank’s computer systems for the Y2K transition. Managed multiple Bank departments (clients) needs and projects, integrating Y2K and regulatory concerns simultaneously.
Vice President and Information Technology Auditor - December 1997 – January 1998
Directed the Information Technology Audit program for bank operations in the Americas (North and South America), including annual audit scope, planning, staffing and presenting audit reports to the Audit Committee.
From 1997 to 2000 (3 years)

Information Security @
Senior IT Auditor
Together with the IT Audit team at Bank of Tokyo, we implemented a risk assessment methodology that was used to focus the Internal Audit department's efforts and address higher risk areas first, and as a basis for the annual audit planning effort.
From 1996 to 1997 (1 year)

Information Security | Information Technology Auditor @
Senior Technology Auditor
Responsible for audits of front, middle and back office operations, including derivative trading (CAPS, Floors, Swaps and Options), futures and options. Conducted Information Technology and Assurance audits of wire transfer and out-trading. Established a data mining program using ACL.
From 1993 to 1994 (1 year)

Information Security | Information Technology Audit @
Assistant Treasurer
Assistant Treasurer (formerly titled Information Technology Auditor Officer)
Responsible for audits/reviews in private banking, futures/options, and third party software (McCormick & Dodge) accounts payable, payroll, and general ledger. Performed additional third party reviews on a mortgage-backed securities vendor (Cantor Fitzgerald) and Global Custody, using Dyatron’s International Information Security Processing System.
From 1989 to 1993 (4 years)

Information Security | EDP Audit @
Senior IT Auditor
Manager EDP Auditing (UA-14)
Created a global Technology Audit Department from scratch for NAVRESSO. Received a Citation for excellence from the GAO.
From 1985 to 1989 (4 years)

Executive and Continuing Professional Education - Effective Risk Communication @ Harvard School of Public Health
Management @ Carnegie Mellon University - Tepper School of Business, From 1981 to 1982
Corporate Governance @ Tulane University, From 2007 to 2007
Bachelors, Economics and Bachelors Psychology @ University of California, Santa Cruz, From 1975 to 1978

Frederick CISSP is skilled in: IT Risk, PCI DSS, IT Governance, CISA, Cyber Security, Information Security..., FFIEC, Information Assurance, Supply Chain Security, Cloud Computing, Business Continuity, Service Provider..., Enterprise Risk..., HIPAA, SAS70, CISM, CRISC, Policy Writing, Data Privacy, Data Leakage, EHR, Identity Management, DLP, SSAE 16, HITECH, Information Technology..., Social Media, Social Networking, SOC2, RFID applications, RTLS, RFID+, Security, Information Technology, ICD-10, CISSP, Risk Analysis, Network Security, ISO 27001, Risk Assessment, Risk Management, Vulnerability Management, Computer Security, Program Management, COBIT, Security Architecture..., Auditing, Business, Management, Information