
Mabel Tsahey-Okraku

Germantown, USA

Summary

Accomplished cybersecurity professional with over twelve (12) years of extensive experience in cybersecurity Governance, Risk and Compliance (GRC). Possesses profound expertise in the NIST SP 800 series and FISMA standards, ensuring organizations meet critical regulatory requirements and enhance their security postures. Demonstrated proficiency in GRC tools such as RSA Archer and CSAM, alongside vulnerability assessment tools like Nessus and Burp Suite Pro.

Through a combination of technical knowledge and strategic insight, I help organizations navigate the complexities of cybersecurity, mitigating risks while promoting compliance and governance excellence.

Overview

13 years of professional experience
1 Certification

Work History

Senior Security Consultant

Guidehouse - National Institute of Health (NIH)
McLean, VA
12.2020 - Current

● Responsible for creating security policies and maintaining existing Information Security System documentation.
● Provide remediations to FISMA audits and Office of the Inspector General (OIG) findings.
● Created detailed reports outlining findings from security scans and risk assessments and presented findings to senior management for review and approval of remediation plans.
● Monitored compliance with industry frameworks such as FISMA/FedRAMP, FISCAM, HIPAA and the like.
● Conducted Security Assessment and Authorizations (SA&A) for High and Moderate systems and worked with System Owners within the NIH to create security documentation and prepare systems to undergo SA&A to obtain a three (3) year ATO.
● Responsible for conducting phishing campaigns for the entire National Institute of Health (NIH) monthly and reporting all results to the various Institutes and Centers (ICs) to test security awareness amongst all NIH users.
● Flagged high-risk users who failed phishing campaigns and provided additional training.
● Leveraged PhishMe and Proofpoint to develop training content for NIH's Annual Refresher and Compliance Trainings.
● Researched emerging threats, vulnerabilities, exploits and malware trends.
● Develop waivers, write up policies, socialize new Executive Orders and directives, and baseline Plans of Action and Milestones (POA&Ms) as needed.
● Act as the central authority through which all Risk Acceptances are funneled, reviewing them diligently for compliance with internal and external policy standards.
● Conduct security assessments, vulnerability testing, and penetration testing to identify potential threats and ensure robust cybersecurity measures are taken.
● Scheduled and facilitated Risk Management Framework (RMF) kick-off meetings and working group sessions with system teams and stakeholders to gather information and obtain artifacts for annual system audits.
● Leveraged NIST 800-171 to develop use cases for an assessment methodology to obtain CMMC Certified Third-Party Assessor Organization (C3PAO) status for the Guidehouse Advisory team.
● Serve as Subject Matter Expert (SME) on key legislation, such as the Federal Information Security Modernization Act (FISMA), and other federal cyber frameworks.

IT Compliance Manager

Guidehouse - Ginnie Mae
McLean
12.2020 - 03.2021

● Conducted tabletop Disaster Recovery testing with appropriate stakeholders by developing scenarios and documenting lessons learned for the organization, leveraging NIST 800-34.
● Developed security artifacts such as System Security Plans (SSP), Standard Operating Procedures (SOPs), Contingency Plans (CP), Configuration Management Plans (CMP) and POA&Ms, consistent with clients' contractual requirements.
● Developed and implemented plans for various initiatives, including annual disaster recovery plan testing and field review systems.
● Monitored and maintained client-specific POA&Ms, and supported remediation activities pertaining to High Value Assets (HVA) within the environment.
● Advised senior management on mitigating system vulnerabilities and recommended compensating controls by serving as a trusted advisor on system security issues, and provided bespoke suggestions.
● Developed and implemented policies and procedures to ensure compliance with applicable laws, regulations, standards, and best practices.
● Conducted internal audits to identify areas of non-compliance and recommend corrective actions.
● Developed risk assessments to evaluate the potential impact of new initiatives or processes.
● Designed systems to track compliance performance metrics across the organization.
● Facilitated meetings between stakeholders, including executive leadership, legal counsel and department heads, to discuss compliance matters.

Senior Cybersecurity Consultant

Guidehouse - Department of Energy (DOE)
Germantown, MD
12.2017 - 03.2020

● Led a team of four (4) security assessors by providing support to the department's high-value assets and FISMA audits.
● Led the Security Assessment of the Department's high-value assets and FISMA audits, ensuring compliance with NIST and DOE security requirements.
● Ensured compliance with NIST and DOE security requirements through continuous monitoring and conducting of annual Security Assessments and Security Impact Assessments.
● Managed and oversaw the monthly patching schedule and ensured that ISSOs were up to date on reporting all identified vulnerabilities.
● Maintained awareness and knowledge of evolving security and risk management standards, and communicated and applied relevant changes to existing processes.
● Utilized Archer GRC as a risk management tool to document, update, and track POA&Ms from start to completion. Archer served as the artifact repository for system documentation, such as SSPs, ATO memos, Risk Assessments, etc.
● Monitored security systems for threats or unauthorized access attempts, and took necessary steps to address potential issues.
● Performed risk assessments of existing IT infrastructure to identify areas of vulnerability and develop mitigation plans.
● Reviewed web and infrastructure scan reports and penetration tests, and worked closely with the cyber operations team to identify security flaws and remediate vulnerabilities adequately.
● Analyzed logs from various data sources to detect suspicious activity or anomalies.
● Evaluated third-party software solutions for their ability to enhance the organizational security posture before purchase and implementation.
● Developed disaster recovery plans in case of a major breach or attack on the organization's IT infrastructure.

Senior Information Security Analyst

ATD Technologies, NY - National Oceanic and Atmospheric Administration (NOAA)
MD
06.2017 - 12.2017

● Served as Team Lead and managed multiple projects to meet project milestones and schedules, using best practices to analyze and interpret NOAA and departmental security requirements, and developed technical implementation guidance.
● Performed SA&A for Moderate and High systems compliant with FISMA/NIST standards, leveraging NIST SP 800-53/53A.
● Led vulnerability management activities to identify, analyze, and prioritize vulnerabilities, assess risks, report remediation activities, and ensure that the existing information security controls were adequate.
● Reviewed system-level documentation to ensure system security requirements were met by incorporating the RMF.
● Participated in the development and review of a System Security Plan (SSP) by leveraging NIST 800-53.
● Coordinated with appropriate personnel to run vulnerability scans on a regular basis to ensure timely remediation actions.
● Facilitated requirement gathering sessions, documented, and validated requirements with stakeholders as they relate to current environments and future trends.
● Reviewed, analyzed, and researched scan findings, and coordinated remediation efforts in a timely manner.
● Liaised with the audit team to investigate and respond to financial and/or IG audits.
● Performed IT risk assessments and documented the system security key controls.
● Conducted periodic reviews of access privileges to ensure compliance with established policy and regulations.
● Reviewed and updated system documentation such as SSP, ST&E, Risk Assessment (RA), Privacy Impact Assessment (PIA), and POA&Ms.
● Performed vulnerability assessments on systems using automated tools and manual methods.
● Provided technical guidance in areas such as access control, cryptography, authentication protocols, and other information security topics.

Senior Risk & Compliance Analyst

Chickasaw Nation Industries (CNI)
Rockville, MD
12.2015 - 06.2017
  • Client: Indian Health Services (IHS)

IT Security Analyst

KForce Governmental Solutions
Fairfax, VA
04.2015 - 12.2015
  • Client: Small Business Administration (SBA)

Cyber Security Analyst

Alta IT Services
Rockville, MD
12.2011 - 04.2015
  • Client: Indian Health Services (IHS)

Education

Master of Business Administration - MBA

Hood College
Frederick, MD
05-2013

Skills

  • Security Assessment and Authorization
  • Disaster Recovery/Business Continuity
  • Compliance Audit/ Management
  • Incident Response
  • Data protection and Privacy
  • Cloud security
  • Risk Management
  • Cybersecurity
  • Vulnerability Management
  • Governance, Risk and Compliance

Certification

  • Certified Information Systems Security Professional (CISSP) #526001
  • Certified Information Security Manager (CISM) #191020017
  • Certified in Governance, Risk and Compliance (CGRC) #526001
  • CompTIA Security+ Certification (SY0-401) #1020920859

References

References available upon request.
