
Mercy Barnes

Dumfries, VA

Summary

Qualified Information System Security Analyst with expertise in ensuring the organization's IT systems and networks are secure and compliant with industry regulations. Proven ability to implement and monitor security control assessments, and vulnerability management. Proficient in FISMA, HIPAA, NIST, and RMF compliance frameworks. Skilled in the documentation of System Security Plans, Risk Assessment Plans, Continuity of Operations Plans, Incident Response Plans, and Security Test and Evaluation Standards. Enjoy creative problem-solving and prioritizing high-quality results in deadline-driven environments.

Overview

8 years of professional experience
1 Certification

Work History

Information Security Analyst

Johnson & Johnson
10.2020 - Current

  • Coordinate kick-off meetings with system owners to identify assessment scope, system boundary, and information system category; leverage artifacts to conduct assessments and reduce compliance issues.
  • Led the FIPS 199 security categorization process and selected technical, operational, and managerial controls using NIST SP 800-60 guidelines.
  • Assist in the documentation of System Security Plans, Risk Assessment Plans, Continuity of Operations Plans, Incident Response Plans, and Security Test and Evaluation (ST&E) standards.
  • Establish internal control procedures by examining reports, records, documentation, and operating practices.
  • Support assessors, system owners, and engineers in developing, categorizing, implementing, assessing, and monitoring security controls.
  • Ensure security awareness and training materials are regularly reviewed and updated as required.
  • Planned and led POA&M teams to remediate system vulnerabilities and prepare authorization packages for ATO (Authorization to Operate).
  • Conduct security risk assessment methodology for system development.

Information Security Analyst

Dun & Bradstreet
06.2018 - 09.2020
  • Collaborated with system stakeholders to develop and maintain security documentation required for Authority to Operate (ATO) approval.
  • Supported the tracking, reporting, and remediation of agency Plans of Action and Milestones (POA&Ms).
  • Performed incident response, defined by FISMA, in support of all security incidents related to customer information or information system.
  • Assessed effectiveness of subset of implemented controls on ongoing basis to inform AO's decisions regarding continued use and operation of system.
  • Led development of Privacy Threshold Analysis (PTA) and Privacy Impact Analysis (PIA) using the NIST privacy handbook and working closely with Information System Officers (ISSOs), System Owners (SOs), and Information Owners (IOs).
  • Assisted Security Assessment and Authorization (SA&A) activities by preparing the complete ATO package for the authorizing official to make accreditation decisions.
  • Reviewed and updated System Security Plans using NIST 800-18 as a guide.
  • Developed, tested and implemented security policies, plans and procedures for organizational protection.

IT Compliance Analyst

Penske Truck Leasing
07.2017 - 05.2018
  • Coordinated process control remediation for PCI, NIST, and ITGC standards; attended annual training to stay aware of IT control changes and requirements, communicated changes to the management team, and supported process changes to remain compliant.
  • Ensured all IT activities were closely aligned with business objectives while ensuring information security policies, programs, and systems were compliant with business and legal/regulatory requirements.
  • Managed and coordinated risk assessment and compliance efforts.
  • Conducted third-party security assessments, tracked and followed up on issues, and reported results to the management team.
  • Provided regular reports to IT Director, Management and company regarding status of IT Compliance with group.
  • Facilitated monthly and quarterly report reconciliations between trustees and Third-party Administrator.
  • Monitored metrics that measure IT and information security framework.
  • Worked with process owners as well as the security administration team to ensure all reviews are done on a timely basis, all changes are processed, and all activity is documented in a secure repository.
  • Participated in IT Audit Remediation meetings with Senior Management monthly.

Customer Service Representative

TD Bank
08.2016 - 06.2017

  • Handled customer inquiries, complaints, billing questions and payment extension/service requests.
  • Maintained good working relationship with clients to enhance customer satisfaction.
  • Provided accurate and appropriate information.
  • Commended for initiative, enthusiasm, tenacity, persuasiveness, intense customer focus and dependability in performance evaluations.

Education

Bachelor of Science - Health Administration

Lehman College of The City University of New York
The Bronx, NY

Skills

  • Good written and verbal communication skills for report-written technical policies and methodology documentation
  • In-depth knowledge of RMF, NIST Special Publications, FISMA and HIPAA compliance frameworks
  • Advanced Microsoft Office skills (Excel, Word, PowerPoint) and Teams
  • Work effectively in a team environment and participate in collaborative initiatives which foster the mutual exchange of knowledge and expertise
  • Ability to communicate effectively to build and maintain customer satisfaction and express conclusions in a clear, technically sound manner on matters associated with IT security

Certification

  • Active Secret Security Clearance
  • CISA - Certified Information Systems Auditor
  • CompTIA Security+
