Gabriel Young

Summary

A CISSP with extensive experience in security and privacy: designing, testing and deploying holistic programs to enhance both business posture and compliance. Detailed experience in the "business" of security, applying security models and best practices to business requirements and defining the best "bottom line" defense-in-depth solutions. Specific areas of expertise include HIPAA/HITECH, GLBA, NIST/FIPS C&A, DITSCAP/DIACAP, EU and UK Data Privacy, and Security Architecture design, testing and deployment.

Certifications include:

CISSP

SANS - GCFA

CCNP

CCSA / CCSE

Areas of Expertise

Privacy, Security and Compliance in heavily regulated environments, including both testing and evaluations and design and development of secure architectures. Specific expertise includes:

HIPAA, HITECH, GLBA and Federal Standards

HITRUST, NIST, FIPS, FISMA, ISO17799 / 27001 / 27002

NSA Information Security Assessment Methodology (ISAM) (formerly IAM / IEM)

GIAC Incident Handling, Forensic Response and Legal Issues

Identity Management, LDAP, PKI, Risk Assessment profiling

Objective

A career oriented Information Security position that will leverage my management, technical and business skills in improving company performance and bottom line business objectives.

Work History

Jan 2009 - Present

Security Analyst

BlueCross BlueShield Montana

Accountable directly to the CIO and Board of Directors, and working within the Information Systems and Compliance groups, accountable for technical and policy controls to secure corporate resources and PHI in compliance with state and federal regulations, including HIPAA and HITECH, with an emphasis on the HITRUST Framework, AS/NZS 4360 (ISO 31000:2009) and ISO 27001 / 27002. Specific responsibilities include:

Technical security architecture reviews and recommendations

Security assessments of current and proposed solutions

Policy and process documentation

Development of comprehensive risk assessment methodology and mitigation program

Participate in and lead investigations and incident response

Disaster Recovery planning and testing

Vendor negotiations

Project and Program management of security initiatives

2005 - 2009

Principal - Information Security and Information Assurance

Privately Held Information Technology Consulting Firm

Working with federal and private sector clients in financial services, healthcare and other highly regulated settings, consult, design, implement and manage secure network solutions, including:

Develop and implement secure, defense-in-depth architectures to secure corporate resources, data and information, including vendor testing and selection

Configure, staff matrix, participate in and lead CERT and Security Round Tables

Develop awareness and training programs, briefings and daily / weekly / monthly status and tracking reports to manage current and emerging threats

Single Sign-On and Public Key Infrastructure solutions (LDAP and Certificate Services), especially remote access and trusted authentication, including Federated Identity Management and beta projects for secure remote authentication

OS hardening (MS, Sun, Unix, z/OS / OS/390) and DB security (Oracle, Access, SQL, DB2 and Teradata)

Policy audits and accreditation (C&A) involving Sarbanes-Oxley (SOX), HIPAA and GLBA

Extensive experience in best practices with NIST, FIPS, SA/CSS and ISO standards, including ISO17799 (BS7799), ISO/IEC 17799:2005 and ISO/IEC 27001

IDS/IPS (Cisco, ISS (IBM), Snort, Dragon, Tripwire), Anti-Virus and Mail Security solutions

1997 - 2004

Consultant, Principal, SME - Security

BT

As a security consultant and later SME for compliance and assessment issues, work with a series of clients to implement industry-standard and leading-edge comprehensive IT Security programs, including:

Plan, lead and conduct assessments on network infrastructure, applications, disaster recovery and continuity planning

Design, test and deploy architectures and infrastructure, including OS hardening, network infrastructure, application integrity and holistic security paradigms

Conduct awareness and training programs, and develop security briefing papers, reports and systems for clients

Implement HIPAA compliance program for a major client, including technology controls and access management in both a clinical and extended campus setting

Deploy wireless and RF security features for a multi-state, multi-billion dollar revenue client

Use Cisco, Netscreen, Sidewinder and Firewall-1 firewalls, and ISS and Cisco IDS/IPS

Participate in CERT, Incident Response, Disaster Recovery, e-Discovery and Forensics as required

1989 - 1997

Information Systems Operations

United States Army

Manage personnel and information system assets and Internet Protocol (IP) Local Area Networks (LANs) and Wide Area Networks (WANs). Perform system integration. Develop software installation plans. Conduct systems analysis, design, development, implementation and acceptance testing. Perform systems administration and LAN/WAN administration; manage training of personnel in the installation, operation and administration of intranets and video teleconferencing systems. Career highlights included:

Successfully led project teams of up to 100 personnel and budgets in excess of $10 Million (US).

Deployed and managed Computer Emergency Response Teams at the command and national level.

Led the forensic and response capability supporting investigations and prosecutions of computer incidents.

Design team lead for standardized Internet gateway architectures.

Education

Sep 2001 - May 2003

MSc

Royal Holloway College, University of London

1990 - 1997

BA / BS

Columbia Union

Double Major

Honors in both Majors

Cumulative GPA 3.97

Skills

Information Security

Certifications

GIAC Certified Forensic Analyst

SANS Institute

Cisco Certified Network Professional

Cisco Systems

Certified Information Systems Security Professional

ISC2

Top Secret/SCI