Description
Chief Information Security Officer
Work Experience
COMPANY | POSITION HELD | DATES WORKED |
---|---|---|
HeiTech Services, Inc. | (Confidential) | 11/2006 - 7/2007 |
Education
SCHOOL | MAJOR | YEAR | DEGREE |
---|---|---|---|
UMBC | IFSM | 1999 | Master's Degree |
Accomplishments
Highlights:
EM PANNAH, MS, MSc, CISSP, CISM, CAP, IAM, IEM
9839 Farm Pond Road, Laurel, MD 20708-6002
Phones: 443-690-3955 (Cell), 301-617-0294 (Home)
E-mail: ePannah@yahoo.com

OBJECTIVES
Protect assets; build strategies, vision/planning, policy, and procedures; ensure regulatory compliance; implement FISMA, OMB, GAO, FIPS, NIST 800, ISO, COBIT, Common Criteria, and industry best practices; provide awareness and training; maintain accreditation; ensure confidentiality, integrity, availability, and continuity of operations (COOP); minimize cost, risk, and loss; and promote business.

PROFESSIONAL CERTIFICATES
CAP (Certification and Accreditation Professional), 2007
IAM (INFOSEC Assessment Methodology), 2007
IEM (INFOSEC Evaluation Methodology), 2007
CISM (Certified Information Security Manager), 2006
CISSP (Certified Information Systems Security Professional), 2004
MCSE (Microsoft Certified Systems Engineer), 1998
MCP+I (Microsoft Certified Professional + Internet), 1997

EDUCATION
Student of Doctor of Management (Security), UMUC (to be completed by 2008, GPA 3.55/4.00)
BS/MS in Information Systems Management, University of Maryland (1993-1999, GPA 3.8/4.0)
BSc/MSc in Botany, Zoology, Ecology, Chemistry, Dhaka University (1967-1973, 2nd Class)

RELATED SKILLS
• Experience in Federal, State, Corporate, Aviation, Hospital, Financial, and Education spaces
• 35 years in IT regulatory compliance; program management; security; privacy; IT consulting
• Strategic planning; enterprise architecture; SME; IT audit; teaching IT Security at university
• FISMA, OMB, GAO, ISO, COBIT, FIPS, NIST 800, and industry best practices compliance
• FIPS 199; NIST SP 800-18, 800-30, 800-34, 800-37, 800-47, 800-53, 800-60 implementation
• IT risk management; C&A; ST&E; POA&M; continuous monitoring; IV&V; gap analysis
• System categorization; security controls; defense-in-depth; vulnerability scanning; hardening
• Confidentiality, integrity, availability; access control; privacy/business impact analysis; PII
• IT policy and procedures; secure networking and communication; configuration management
• SSP; contingency planning; incident response; computer forensics; disaster recovery; COOP
• TCP/IP, IPSec, Smart-Card, TLS, SSL, IDS, IPS, VPN, DNS, DHCP, firewalls, DMZ, PKI

PROFESSIONAL MEMBERSHIP
PMI (Project Management Institute)
ISACA (Information Systems Audit and Control Association)
ISC2 (International Information Systems Security Certification Consortium)
FISSEA (Federal Information Systems Security Educators' Association)
IATFF (Information Assurance Technical Framework Forum)

WORK EXPERIENCE

HeiTech Services, Inc., 8201 Corporate Drive, Landover, MD 20785
Duration: 11/2006 to 7/2007
Position: Chief Information Security Officer (HQ – Supporting Multiple Federal Projects)
Responsibilities: Established IT security vision, strategic planning, and governance; led security teams; assured regulatory compliance, interdepartmental liaison, SME; implemented FISMA, OMB, GAO, NIST 800, and FIPS security mandates; developed security policy, standards, procedures, system security plan, contingency plan, incident response and forensic plans, disaster recovery and continuity of operations plans; ensured IT security controls, privacy, and industry best practices; coordinated awareness, training, certification and accreditation, ST&E, and continuous monitoring; managed POA&M; conducted IV&V and gap analysis; risk management and minimization, problem resolution; scanned, analyzed, and monitored vulnerabilities and security postures; instituted trusted networking and secure communication; participated in technical writing and business development.

Dakota Consulting Inc., 9700 Lorain Avenue, Silver Spring, MD 20901
Duration: 03/2006 to 11/2006
Position: IT Security Subject Matter Expert (OPM and USDA/FSIS Projects)
Responsibilities: Established regulatory compliance; implemented IT security mandates at OPM following FISMA, OMB, FIPS, and NIST SP guidelines; ensured security controls following FIPS 199, FIPS 200, NIST 800-18, 800-26, 800-30, 800-34, 800-37, 800-53, 800-60; developed IT security policy and procedures, system security plan (SSP), contingency and disaster recovery plan; participated in the certification and accreditation (C&A) process; ensured POA&M resolutions. Reviewed IT security policy and procedures; evaluated security control matrix; performed IV&V and gap analysis; updated C&A documents; and recommended awareness and training at USDA.

Project Performance Corporation, 1760 Old Meadow Road, 4th Floor, McLean, VA 22102
Duration: 07/2005 to 01/2006
Position: Principal Analyst, Information Security and Privacy (Department of Interior Project)
Responsibilities: Analyzed, audited, tested, and recommended solutions on DOI cyber security documents; point-of-contact for organizational and sub-contractors' activities; performed risk assessment and gap analysis; coordinated role-based training; tracked, documented, and reported resolutions of POA&M deficiencies; developed certification and accreditation (C&A) guide, IT contingency and disaster recovery plans. Worked with the Director of the IT Security and Privacy department on IT regulatory compliance, risk management details, SSP, security control matrix; security engineering and communications; opportunity monitoring; and business development.

OnPoint Corporation, 1515 N. Courthouse St., Suite 310, Arlington, VA 22201
Duration: 11/2004 to 07/2005
Position: IA Project Manager and Business Systems Analyst (USDA C&A/IV&V Project)
Responsibilities: Point-of-contact; analyzed system security plan (SSP), security test and evaluation (ST&E), plan of action and milestones (POA&M), IT contingency plan, incident response plan, trusted facility manual (TFM), security features user guide (SFUG), systems control compliance matrix, security self-assessment, and privacy impact analysis; conducted independent verification and validation (IV&V), gap analysis, and risk assessment of USDA GSS and MA; conducted IV&V, gap analysis, and risk assessment of Maryland State voting systems documents; and participated in the certification and accreditation (C&A) process at NIH.

Avineon Inc., 4825 Mark Center Drive, Suite 700, Alexandria, VA 22311
Duration: 08/2004 to 10/2004
Position: Information Security Analyst (United States Mint Project, Department of the Treasury)
Responsibilities: Worked with the Certification and Accreditation team; performed risk assessment; analyzed system security plan (SSP), IT contingency plan (CP), and plan of action and milestones (POA&M); drafted Standard Operating Procedures; analyzed/recommended role-based training.

University of Maryland University College, CMIT, 3501 University Blvd., Adelphi, MD 20783
Duration: 09/2000 to present
Position: Adjunct Assistant Professor, Computer Technology Department
Responsibilities: Author and content expert of Network+ curriculum; teaching face-to-face and online classes on Windows Operating Systems, Network Infrastructures, and IT Security Design. Taught, guided, and evaluated techniques in enterprise architecture, secure communications and networking, TCP/IP, IPSec, SSL, TLS, SSH, Kerberos, single sign-on, IDS/IPS, VPN, PKI, PIV, DMZ, DNS, DHCP, smart-card, routers, firewalls, vulnerability scanning, hardening, defense-in-depth; designing and implementing IT security; SSP; risk management; access control; security categorization; security control matrix; C&A; ST&E; POA&M; business and privacy impact analysis; IV&V; gap analysis; cryptography; IT contingency planning (CP); incident response; computer forensics; disaster recovery; COOP. Analyzed FISMA, OMB, GAO, HIPAA, GLBA, SOX mandates; FIPS, ISO, COBIT standards; and NIACAP, DIACAP, NIST SP-800 guidelines.

Cambridge Associates, Inc., 4100 N. Fairfax Drive, Suite 1300, Arlington, VA 22203
Duration: 03/2000 to 04/2002
Position: Project Manager, Business Software Development
Responsibilities: Assessed organizational risks; planned, analyzed, designed, programmed, QA tested, integrated, implemented, and maintained (SDLC) financial application software and tools for the business development division; and was responsible for industry best practices, awareness and training, change management, monitoring and evaluation, patch management, continuity of operations (COOP), management reporting, customer satisfaction, documentation, and budget.

Environmental Health and Safety, UMAB, 714 W. Lombard St., Baltimore, MD 21201
Duration: 05/1991 to 01/2000
Position: Systems Analyst, Database Engineer, Network Administrator, Analyst Programmer
Responsibilities: Performed risk analysis; initiated, analyzed, designed, programmed, QA tested, validated, integrated, deployed, managed, and maintained (SDLC) 12 database applications in the Environmental Health and Occupational Safety areas; developed Enrolment, Placement, and Training Systems for School of Social Work students; was responsible for database engineering, network administration, user support, awareness, training, information assurance, and privacy.

Johns Hopkins University, International Health, 615 N. Wolfe Street, Baltimore, MD 21205
Duration: 6/1990 to 04/1991
Position: Database Developer, Vaccine Testing Unit
Responsibilities: Developed three database applications for the vaccine trial, vaccine testing, and health care projects; performed needs analysis, systems design, programming, integration, deployment, maintenance, IT contingencies, disaster recovery, and business continuity.

Cholera Hospital: ICDDRB, Centre for Health and Population Research, Bangladesh
Duration: 6/1985 to 06/1990
Position: Archive Manager, Senior Data Management Officer, Project Manager
Responsibilities: Analyzed, designed, developed, deployed, and managed 7 database projects for hospitals, diagnostic and research laboratories, and vaccine trial programs; archived hospital and laboratory data and live specimens; was responsible for strategic planning, business development, budget, interdepartmental liaison, business process reengineering, contingency planning, incident handling, emergency preparedness, disaster recovery, COOP, documentation, and reporting; and managed cost recovery, data collection, validation, privacy, integrity, processing, and helpdesk.

Civil Aviation Authority, Operations and Management Division, Dhaka, Bangladesh
Duration: 2/1974 to 06/1985
Position: Data Processing Officer, Security Officer, Procurement and Supply Officer
Responsibilities: Directed IT programs; led IT teams; served as security officer and COTR; supervised stock controls, procurement, storage, and supply; developed database applications (SDLC) for air traffic management, aircraft inspections, passenger movement, toll collections, stock control, procurement and supply management, HR, payroll management, accounts, and asset management; was responsible for corporate IT vision and strategic planning, IT policies and guidelines, regulatory affairs, recruitment, training, team-building, budget, audits, disposal, inter-departmental liaisons, and business development.

Bakshiganj KU Degree College, 1 College Road, Bakshiganj, Bangladesh
Duration: 09/1972 to 02/1974
Position: Faculty in Biology; and Director of Security, Dormitories, Sports, and Development
Responsibilities: Taught biology classes, guided laboratory projects, evaluated student progress, managed security of the complex, directed indoor and outdoor games/sports, moderated debates, supervised dormitories, and coordinated fund raising efforts from businesses and open markets.

Companies I like:
Any IT Security and Technology company