Technical Architect and Developer in Roseville, CA, United States

• Created cloud computing operational procedures.
• Developed from reviewing current operating procedures and making appropriate changes.
• Reviewed cloud architecture diagrams.
• Managed SaaS and IaaS projects, including Office 365, SharePoint Online, Service Now, and security remediation projects designed to leverage newer technology while mitigating security vulnerabilities.

SPECIFIC PROJECTS
• Converted an Oracle database to AWS Aurora PostgreSQL (within the AWS environment). This project reduced licensing costs, created dynamic scalability, and increased operation efficiency by reducing maintenance and utilizing the latest hardware and software.
• Created an AWS Disaster Recovery Connection for AWS services.
• Built an Enterprise Content Management (ECM) system in AWS.
• Developed security remediation projects such as the creation of a management reporting application and the replacement of a legacy computer telephony system with AWS Connect.

I was tasked with establishing a security assessment and training program in an environment with out-of-date software and hardware and over 39,000 vulnerabilities. I used NIST 800-37/53 as a basis for the assessment. The client did not see the value based on the perceived amount of time needed to establish an assessment around the NIST standard. I had numerous meetings extolling the benefits of the NIST standard, and the client finally relented. Two years later, the organization was required to have SOC audits. Because of the assessment built around NIST, we succeeded in passing the audits.

Upon entry into the project, there were over 39,000 vulnerabilities. Many of the server patching levels were more than two years old. Out-of-date software and hardware, where patching is no longer available, contributed to this total. Still, a significant percentage included missing patching for the current system and application software. There were systems missing patching as far back as 2002.

I developed a plan with the goal of an N-1 patching level. We ultimately moved to monthly windows patching and quarterly Linux and bi-annual HPUX patching.
• Removed Windows 2003 and SQL 2000 servers and replaced them with a cloud application.
• Upgraded over 124 windows 2008 servers.
• Upgraded old AIX servers.
• Reduced the number of vulnerabilities in the ecosystem.
• Developed a patching plan, which required coordination with the project team.
• Established Security Awareness Training for the organization.
• Participated in SOC1 and SOC2, NIST 800-53 audits, including prep activities designed to ensure compliance.
• Managed annual review of security and disaster recovery plans.

When I started a new position, I came in the middle of a data center move. Initial waves were problematic, with issues relating to testing and support. I worked with the engineering team to develop a process to preview the dance cards and set up dedicated support after each wave. The process included checkpoints to quickly identify potential issues, including missing or incomplete test scripts and inadequate resources to support the respective waves. This helped the remaining waves to be implemented without significant issues. I also identified a lack of architecture diagrams and diagrams that were out-of-date for the ecosystem. I led the effort to update all the diagrams and developed a process to keep the documentation updated. As part of the effort, I developed job aids and provided training on the new process. The customer was highly appreciative of my efforts in this project.

Upon entry into a new position, the organization’s disaster recovery testing efforts were highly problematic. During the annual disaster testing efforts, the organization consistently missed the Recovery Time Objective (RTO). In many cases, the organization could not start the applications during the drill. I worked with the operations teams to identify the significant issues, which happened to be replication issues. I instituted changes in the configuration change process to ensure changes in the infrastructure are replicated in the disaster recovery environment. This effort required coordination between several teams, including operations, admin, and the external disaster revoery team. Progress was immediately noticed after this effort. Although the RTO was missed during the first drill following the changes, all applications were successfully started. During the next drill, the RTO was missed by 36 minutes.

I developed a security awareness course for the organization with placards and signage to enforce critical topics. I worked with senior management to get their buy-in for the course while also getting their feedback on its content, delivery methods, and overall logistics. The content and structure for the training program were derived from various sources, including the National Institute of Standards and Technology (800-16, 800-50), KnowB4.com, HHS.gov, and other key providers. I also included content that was specific to the organization. The efforts represented a collaborative effort between several departments within the organization, including legal, HR, marketing, operations, and the executives. In addition to developing and producing the course, I also conducted the training sessions for the 80-member staff.

I spearheaded the design and development of technical solutions for modernization projects, including REAL ID and eCommerce projects. As part of the effort, I managed the enterprise architectural design, development, and implementation of the windows, web, and mobile information systems. I developed a service-oriented architecture (SOA) approach that promoted reusable components used across the ecosystem. I also developed and implemented application-level security controls for the applications within the ecosystem.

I served as a vCISO for a major hospital, where I performed security assessment activities on the organization's ecosystem. I leveraged NIST 800-37 and 800-53 publications as an assessment toolset. The assessment finding identified 17 projects needed to mitigate security issues within the ecosystem and build a robust security architecture. These projects included issues found in the technical, administrative, and physical controls categories. A roadmap for implementing these projects was created to ensure critical issues were mitigated in a timely manner.