
Barbara Asiedu
Junior Security Controls Analyst

About me
Risk Management Framework (RMF) Compliance Analyst
Education

Kwame Nkrumah University of Science and Technology, Kumasi
2007 - 2011
Sociology

The College of New Rochelle
2013 - 2018
Bachelor of Science - BS, Health Services/Allied Health/Health Sciences, General
Experience

PRiME Associates LLC
Nov 2012 - May 2014
Junior Security Controls Analyst
Operated the Risk Management Framework using NIST 800-37 as Confidential guide and FIPS 199 as Confidential guide to categorize information systems.
• Classified Information Systems using the RMF processes to ensure system Confidentiality, Integrity, and Availability.
• Selected security controls using NIST 800-53 as guidance based on system security categorization.
• Most of my current projects are focused on RMF phase 4 (Assessing security controls).
• Effectively engaged in the assessment process: preparing for assessment, conducting the assessment, communicating assessment results, and maintaining the assessment findings for remediation.
• Coordinated, participated in and attended weekly Confidential forums for security advice and updates.
• Utilized the System Security Plan's (SSP) implementation section to address how each control is implemented (frequency of performing the controls, control types, and status).
• Created the SAP (to document assessment schedules, control families to be assessed, control tools and personnel, client's approval for assessment, assessment approach and scope, and ROE if vulnerability scanning is involved).
• Determined assessment method (examining policies and procedures, interviewing personnel, and testing technical controls), using NIST 800-53A as a guide.
• Prepared Security Assessment Reports (SAR) in which all the weaknesses are reported.
• Created Plans of Action and Milestones to trace corrective action and resolve weaknesses and findings.
• Reviewed Confidential & Confidential package items.
• Set up and participated in the Assessment Kick-off meetings per NIST SP 800-53A.
• Prepared Confidential package documents (SSP, SAR, POAM reports, and Confidential package) to enable the Authorizing Officer to make risk-based decisions to sign the Authorization to Operate.
• Ensured that controls are implemented correctly, functioning as intended, and producing the right results.

Crestwood Technologies
Jul 2014 - Mar 2017
Security Controls Assessor
Performs comprehensive A&A tasks including package development, security control analysis, risk assessments, contingency planning, security test & evaluation, risk mitigation analysis, and technology assessments.
• Utilizes applicable NIST and FIPS standards and guidance documents to register and complete accreditation packages in the DISA eMASS system.
• Leads the RMF accreditation lifecycle for assigned systems from cradle to grave, managing stakeholder engagement, lifecycle progression, schedule development, accreditation package review, submission, and validation.
• Maintains and supports current and ongoing A&A packages to ensure uninterrupted delivery of information technology systems for the organization.
• Creates, manages, and maintains setup documentation and security policies for compliance and accreditation purposes for all programs, including Privacy Impact Analysis, SOPs, Policies, Procedures, Plans, etc.
• Reports on assessment process status, participates in Independent Verification & Validation (IV&V) activities, conducts/oversees IV&V testing as required, and assists system certifiers during evaluations.
• Develops and maintains organizational cybersecurity templates, policies, and procedures.
• Assists in leading training sessions provided by the division to the greater organization and preparing related training materials.
• Comprehensive understanding of DoD/DHA IT Security and IA policies, directives, and publications; and shall maintain awareness of relevant cyber-related policy issues.
• Comprehensive understanding of federal security regulatory requirements and security frameworks, including RMF, NIST SP 800-series, FISMA, FIPS, FedRAMP, etc.
• Prepares weekly status reports and maintains consistent communication with the customer regarding the status of activities, risks, issues, blockers, and needed support.

National Grid
Apr 2017 - Nov 2019
RMF Compliance Analyst
Guided System Owners and ISSOs through the Certification and Accreditation (C&A) process, ensuring that management, operational and technical controls for securing either sensitive Security Systems or IT Systems are in place and are followed according to federal guidelines (NIST 800-53).
• Applied security risk assessment methodology to system development, including threat model development, vulnerability assessments, and resulting security risk analysis.
• Provided support and guidance through the phases of FISMA C&A, including monitoring of the C&A artifacts' compliance, annual self-assessment (NIST SP 800-53A guidelines), and quarterly self-assessment completion using NIST SP 800-26 guidelines.
• Created or updated the System Security Plan and conducted an Annual Self-Assessment.
• Applied knowledge of C&A policies, guidelines, and regulations in the assessment of IT systems and the documentation and preparation of related documents.
• Executed vulnerability assessment and vulnerability scanning tools such as ACAS and Metasploit on a challenging and complex systems-wide information assurance/system security environment requiring analysis of user, operational, policy, regulatory, and resource demands.
• Assesses and mitigates system security threats/risks throughout the program life cycle; determines/analyzes and decomposes security requirements at the level of detail that can be implemented and tested; reviews and monitors security designs in hardware, software, data, and procedures.
• Worked with C&A team members and senior representatives to establish and define programs, resources, schedules, and risks.
• Developed Test Plans and testing procedures, and documented test results and exceptions.

Cyberrisk Beyond Solution Inc.
Jan 2020 - Sept 2022
Assessment and Authorization Specialist
Directed assessment remediation, validation, and collation of security artifacts to ensure successful implementation of security and privacy controls.
• Served as a subject matter expert (SME) for HIPAA and NIST control requirements.
• Provided an assessment as a subject matter expert (SME) to determine the company's compliance with NIST 800-53, with detailed knowledge of NIST Special Publication (SP) 800-18, 800-30, 800-37, 800-39, 800-53, 800-53A, 800-60, etc.
• Developed and documented the FISMA testing template and provided information assurance directives and guidance to programs in various system development life cycle (SDLC) phases to meet Federal security requirements (NIST, DoDI 8500.2, DCID 6/3) as required by OMB Circular A-130 and the FISMA certification process.
• Created, compiled, and completed Authorization Packages to include the System Security Plans, CAAT Files, SARs, and SOP.
• Created Risk Traceable Matrixes (RTM) in which Pass/Fail assessment results were documented.
• Worked with the security assessment team; conducted assessments on Management, Operational and Technical Controls.
• Determined security categorization using NIST 800-60 as an information guide.
• Selected security controls using NIST 800-53 as guidance based on system security categorization.
• Prepared Security Assessment Reports (SAR) in which all the weaknesses are reported.
• Assessed the Security Controls selected.

SMX
Oct 2020 - Jan 2023
Risk Management Framework Analyst
• Performing comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an Army Information Technology (IT) system to determine the overall effectiveness of the controls in accordance with NIST 800-53.
• Working with customers to provide recommendations for protecting networks, workstations, servers, and IT assets while conducting audits to ensure information systems security policies and procedures are implemented as defined in security plans and best practices.
• Review RMF Packages for completeness and technical accuracy for assigned customers.
• Assess documented designs for compliance with NIST 800-53 and DoD-related policies for on-premise and cloud-based solutions.
• Review assessment documentation and support systems through all steps of the RMF process.
• Review and develop security artifacts to support the IA program, including System Security Plans (SSP), Security Assessment Reports (SAR), Risk Assessment Reports (RAR), Security Control Traceability Matrix (SCTM), Plan of Action and Milestones (POA&M), System Design and Installation Procedures, System User Guides, Privileged User Guides, Security Test Procedures, and other documents as needed.

Crown Health Systems
Feb 2023 - now
Third Party Risk Analyst
• Perform complex information security risk assessments of current and prospective third-party business and technology providers to assess their control structure and alignment to regulatory, federal/state guidelines and information security bank requirements, and partner with internal stakeholders to assess the cyber risk the third party presents to the Company.
• Partner with internal business units and third parties to inventory all services, status, performance, and cyber risk assessments.
• Direction and program support for a small team of third-party cybersecurity analysts.
• Complete a cyber risk assessment detailing the third party's service inherent risk(s) and strengths of cyber risk scores, along with any cyber risk control gaps presenting elevated risk to the company.
• Coordinate and drive cyber risk findings using formalized reviews, exception reporting, and cyber risk acceptance reporting with the support of management.
• Oversee and confirm the resolution of any cyber risk gaps identified during the cyber risk assessment process.
• Maintain a very strong knowledge of the regulatory cyber risk requirements to ensure that each third party meets those requirements.
• Must be able to competently interpret and apply the requirements independently to mitigate cyber risk to the company.
• Contribute to various departmental projects related to third party management activities, either as a project lead or in a supportive role to an existing project.
• Collaborate across various operational and enterprise risk lines of business to ensure all third-party cyber review processes are being met.
• Collaborate with the third-party cybersecurity analysts and TPRM team regarding onboarding and offboarding of new and existing 3rd party cyber risk review assessments.
• Perform annual audit of vendors to ensure cyber risk is within risk tolerance for the company.
• Establish and mature continuous monitoring for the company's vendors.
Licenses & Certifications

Certified Information Systems Auditor (CISA)
ISACA, Sept 2022

CompTIA Security+
CompTIA, Jun 2017