
Jessica Castello

Laurel,MD

Summary

Information Security Professional with broad experience in identifying, assessing and providing recommendations for mitigating organizational risk using NIST Special Publication 800-30, 800-53r4, 800-37. Skillful in preparing Authorization Package – SSP, SAR and POAM.

Overview

5 years of professional experience

Work History

Information Security Analyst

Harkcon Inc
Fredericksburg, VA
08.2022 - Current
  • Reviewing, maintaining, and ensuring all Assessment and Authorization (A&A) documentation is included in the system security package.
  • Ensure implementation of appropriate security controls for information systems based on NIST Special Publication 800-53 Rev. 4, FIPS 200, and system categorization using NIST SP 800-60 and FIPS 199.
  • Review and update remediation on POA&Ms in the organization's Cyber Security Assessment and Management (CSAM) system. Work with system administrators to resolve POA&Ms, gathering artifacts and creating mitigation memos, residual risk memos, and corrective action plans to assist in the closure of the POA&M.
  • Perform vulnerability and baseline scans using tools such as Tenable Nessus, CIS-CAT, and Retina Vulnerability Scanner; analyze scan results and document findings in the POA&M.
  • Collaborate with system administrators to remediate POA&M findings. Ensure vulnerabilities and risks are efficiently mitigated in accordance with the organization's continuous monitoring plan.
  • Monitor controls post authorization to ensure continuous compliance with the security requirements.
  • Identify, maintain, and dispose of information system inventory in accordance with established policies and procedures, ensuring accurate configuration management and property accountability.
  • Modify and maintain procedures, operational process documents, change control documents, operational checklists, detailed system specifications, and procedures.
  • Develop training materials for employees on data protection.
  • Conducted security assessment interviews to determine the security posture of the system and to develop a Security Assessment Report (SAR) in the completion of the Security Test and Evaluation (ST&E) questionnaire using NIST SP 800-53A, required to maintain the company Authorization to Operate (ATO), the Risk Assessment, System Security Plans, and System Categorization.
  • Performed information security risk assessments and assisted with the internal auditing of information security processes. Assessed threats, risks, and vulnerabilities from emerging security issues and identified mitigation requirements.
  • Exposed to vulnerability scanning and assessment tools such as Retina, Nessus, and CSAM.
  • Performed Security Assessment (Assessment and Authorization (A&A)) on moderate information systems as part of an active third-party assessment organization in accordance with National Institute of Standards and Technology (NIST) guidance.
  • Complete comprehensive test plans for identified security controls following NIST 800-53, FedRAMP guidance, and/or agency-specific guidance.
  • Responsible for performing security control compliance reviews, tracking, and continuous monitoring of assessment packages.
  • Advise and assist with the Lifecycle Assessment and Authorization (A&A) process and developing a Security Assessment Report (SAR).
  • Monitor and track projects in the assessment test queue.
  • Maintain a document repository where A&A project documentation is stored.
  • Record/register actions concerning project approvals to operate.
  • Read and analyze SSPs to develop an understanding of systems and applications and translate it into security test plans. Coordinate A&A actions and system testing with appropriate security personnel.
  • Develop risk assessment reports.
  • Assemble and submit C&A packages to Principal Accreditation Authority/Designated Accreditation Authority.
  • Review IA Compliance Validation Tests and Reports.
  • Responsible for execution, review and interpretation of automated vulnerability scans utilizing industry standard tools.

Information Security/Compliance Analyst

CE2 Corporation
Pleasanton, CA
10.2020 - 08.2022
  • Participate in client interviews to determine the security posture of the System.
  • Supported the Information Assurance (IA) team to conduct risk assessments, documentation for Security Control Assessment, vulnerability testing and scanning.
  • Prepare and submit Security Assessment Plan (SAP) for approval.
  • Conducted initial assessment, and performed continuous monitoring of security control post assessment.
  • Worked with System Owner to develop and perform periodic testing of contingency and disaster recovery plan.
  • Develop and update Security Plan, Plan of Action and Milestones (POA&M).
  • Monitor controls post authorization to ensure continuous compliance with the security requirements.
  • Prepare and update the Security Assessment Report (SAR).
  • Analyze and perform technical and non-technical security risk assessments of computer and network systems via network scans, interviews, documentation review and walk-through of both new and existing federal information systems for FISMA compliance using NIST guidelines and controls.
  • Knowledge of IT security architecture and design (firewalls, Intrusion Detection Systems (IDS), Virtual Private Networking (VPN), Security Monitoring Tools, and Intrusion Prevention Systems (IPS)).
  • Conduct Risk Assessment on all system changes.
  • Re-assess remediated controls for effectiveness.

Information Security Analyst

Perspecta
Arlington, VA
02.2019 - 03.2020
  • Performed assessment of information systems based upon the Risk Management Framework (RMF).
  • Conducted security testing and security control assessments on federal applications and general support systems to ensure compliance with the NIST SP 800-53 Rev. 4, NIST 800-37 Rev.1, and agency-specific requirements.
  • Evaluate Authorization packages and make authorization recommendations.
  • Review and compile the security control implementations, test results, Security Assessment Reports (SARs), Plan of Action and Milestones (POA&M), risk acceptance recommendations, and risk mitigation strategies to support the recommendation for client risk acceptance authorization decisions.
  • Analyze results from vulnerability scanning tools such as Nessus, HP WebInspect, QualysGuard, AppDetective, and Burp Suite.
  • Experienced in reviewing and updating SSPs.
  • Created, monitored, and updated the status of Plans of Action & Milestones (POA&Ms) to ensure weaknesses are resolved in accordance with their scheduled completion dates.
  • Performed annual assessments in accordance with guidance.
  • Performed reviews and updated security authorization documents as needed, but at least annually.
  • Supported system self-assessments as part of an ongoing authorization program. Interfaced with user agency representatives and management to answer questions, conduct audits, and provide feedback.
  • Updated, implemented, and maintained procedures and SOPs.

Education

High School Diploma

Largo High School
Upper Marlboro, MD
06-2005

Skills

Active Top Secret Clearance

Technical Skills and Abilities

Proficient in Microsoft Office Application Suite, Linux Images, SharePoint, Adobe Pro, Adobe Photoshop, Adobe Flash, MS Office Suite, Microsoft Excel, PowerPoint, eDrug, EOPF, ABIS, NBIS, USAStaffing, USAccess, and Microsoft Publisher.

Timeline

Information Security Analyst

Harkcon Inc
08.2022 - Current

Information Security/Compliance Analyst

CE2 Corporation
10.2020 - 08.2022

Information Security Analyst

Perspecta
02.2019 - 03.2020

High School Diploma

Largo High School