Financial Services Company
Information Security Governance: Developed a self-service audit portal that linked key services provided by the group, developed supporting process documentation, created a controls and documentation portal and implemented optimization initiatives to improve service delivery.

Information Security Standards: Led the creation of an information security policies and standards program that aligned with internationally recognized best practices. Built policies and standards working collaboratively with business units, IT and other key groups to develop organizationally aligned requirements. Created training plans, communications plans and processes to support long-term maintenance of standards.

Information Security Controls: Developed processes to identify control thresholds, testing procedures and reporting for information security controls. The metrics were then reported to executive management and business units.

Information Security Metrics: Revamped all information security metrics reported to executive leadership, moving the focus from activities completed to actionable, executive-level information that directly led to more informed risk decisions.

Enterprise Risk Assessment: Led effort to evaluate information security risk across organization using ISO 27001 aligned standards to set baseline for organization and identify key risks.

Ernst and Young
Patch and Vulnerability Management - Provided direction on implementation of organization-wide patching, including action-oriented metrics, scalable and repeatable reporting and validation, and team support.

Information Security Audit - Provided subject matter expertise for client information security audit meetings.

Ally Financial
Incident Response and Threat Intelligence: Led the creation of a security threat intelligence program and improvement in the computer security incident response program. This dramatically decreased response times to security vulnerabilities and improved the response times and tracking of remediation.

Security Operations: Hired 90% of team after reorganization due to geographical change. Achieved total migration of people, documentation and processes within nine months, supporting multiple technologies, including multiple Intrusion Detection Systems (IDS), Data Loss Prevention (DLP), Anti-virus, Vulnerability Scanning, Security Incident and Event Management (SIEM), Firewalls, Database Access Monitoring and other security tools with no disruption of services or capabilities. Developed a program to identify services, supporting processes and supporting technologies and created documentation for processes, increasing operational efficiency across the team.

Information Security Metrics: Completely revamped the team's information security metrics reported to executive leadership, moving the focus from activities completed to actionable, executive-level information that directly led to more informed risk decisions. Metrics are now actionable and understandable by executive leadership.

Patching: Implemented a collaborative approach to partnering with the IT organization in the remediation of vulnerabilities. Removed focus on reporting vulnerabilities and focused on actionable activities, including patching and other activities. This directly resulted in substantial reductions in unpatched/under-patched systems and significantly decreased vulnerability assessment findings.


Cetera Financial Group
Created and implemented information security risk management program for risk prioritization, presentation and tracking.

Implemented multiple information security controls and improved existing controls.

Microsoft
Achieved Microsoft's Federal Information Security Management Act (FISMA) Authority To Operate (ATO) for Business Productivity Online Suite-Federal (also known as Office365).

Directly led and managed the team that successfully managed the ISO 27001 certification process for Microsoft Online Services.

The Standard
Business Continuity Project: Re-implemented company-wide business continuity program based on simplicity and rapid recovery using internationally recognized standards. Recognized by business leaders and executive management as a significant transformation in direction and relevance of program in a short period of time. This resulted in an alignment of the business continuity program that was easily understood by executives and the individuals participating in recovery operations. These efforts directly led to a substantial increase in recoverability while reducing overall operational costs.

Security Assurance Projects: Led multiple projects for the implementation of enterprise-wide security controls such as email encryption, laptop encryption, vulnerability management program and other enterprise-wide initiatives, all while reducing employee impact of controls.

Information Security Policies and Standards Project: Created ISO 17799 compliant policies and standards, ratified by executive management. The policies were later migrated to be ISO 27001 compliant after the updated standard was released. The policies met corporate objectives and stood up to multiple external and internal audits while effectively translating management’s requirements throughout the organization in an effective and simple method.

Information Security Integration: Integrated Information Security with key business and IT partners including Legal, Quality Assurance, IT Infrastructure and business units. These relationships resulted in multiple collaborations on budgets and control implementations.

Information Security Risk: Managed the creation of an Information Security and IT risk program used by multiple groups within the organization to prioritize, assess and track risks. This program was later adopted for entire IT organization and used to quantify risk and prioritize business goals and influence budget decisions among executive management.

Information Security Services Development: Implemented multiple service models covering risk management, business consulting, technical controls and security awareness components. These service models allowed for more efficient operations of the Information security program while maintaining effectiveness allowing for more efficient use of resources.

Fifth Third Bank
Vulnerability Management Project:  Served as Program Owner for the $1.3 million Bancorp Vulnerability Management program for all phases of the IT Project Life Cycle. Defined business requirements, oversaw procurement and managed the deployment of the supporting technologies and processes. 

Information Security Group Project:  Created an Information Security Application Security Group to support all security platforms used within the organization including an Information Security Application review process.

Enterprise Security Policies Project:  Initiated, developed and implemented consistent enterprise-wide security policies. Created ISO 17799/BS 7799-2 compliant policies, ratified by executive management in less than five months, all with no budget and no additional staff. 

Incident Response Program:  Led efforts to establish an Incident Response Program within Information Security. Expanded scope to include the entire organization in unified Incident Response communications process including Marketing, Legal, Compliance and other business units.

Schlumberger
Change Management Project:  Developed a Change Management system using Tripwire, Remedy Action Request System and other tools, reducing unscheduled downtime by 95%. The process was featured in The Visible Ops Handbook (ISBN: 0975568604) as best in class Information Technology Infrastructure Library-like approaches. Presented results of the Change Management process to corporate security professionals worldwide. 

Security Policies Project:  Developed and implemented multiple security policies for a major corporate Network Operations Center, covering all aspects of physical, network and data security in compliance with ISO 17799/BS 7799-2. Scope included 600 Solaris Unix and Windows based computers, and numerous Linux servers and workstations. 

Procedures and Policies Project:  Coordinated and led 11 geographically-separated security professionals in implementation of Information Security procedures and policies nationwide. Managed security activities for all sites including division incident response and recovery operations. Served as a member of the corporate Incident Response Team, with 70,000 employees. 

Backup System Project: Set up and maintained a two-terabyte-a-week backup system, using NetBackup Datacenter on Unix with over 50 Unix, Windows and Linux servers. Reduced backup costs by $30,000 per year through reorganization, maximizing backup availability and recovery times. Directly increased backup snapshot and recovery success rate from below 60% to 100% within six months.

24-hour Network Support Project:  Planned and developed a 24-hour Network Operations Support Group, supporting proprietary technology for all divisions, 5 million endpoints and 11 locations nationwide. Hired the 16-member team and provided training on Unix and proprietary technologies. 

Operations Support Group Project:  Saved more than $10,000 from implementation of an Operations Support Group focused on numerous cost-saving training and deployment programs. Implemented a Web-based Trouble Database and streamlined multiple overlapping, redundant processes. 

United States Marine Corps
Implemented and coordinated physical and network security policies as well as provided technical assistance and training to users of network resources. Reduced training costs by $40,000, while maintaining quality, through online training initiatives.