Craig Kantor

528 followers
Pittstown, New Jersey, United States

  • About me

    IT SecOps, Cybersecurity, Risk Analyst

  • Education

    • Rutgers University - Camden

      BA
  • Experience

    • State of New Jersey

      Nov 2002 - Feb 2015

      DHS is the largest department in NJ state government. It has a $12 Billion annual budget, eight major divisions, and numerous administrative offices. DHS serves 25,000 employees, multiple extranet partners, and millions of consumers.

      • Maintained and expanded the Department's Information Security program, designed to meet both state and federal regulatory requirements using the ISO 27001-2 and NIST SP 800-18 frameworks.
      • Served as a leading member of the DHS Regulatory Compliance and Audit teams: HIPAA, FISMA, HITECH, PCI-DSS.
      • Prepared required reports for DHS, State, and Federal regulatory authorities to ensure compliance.
      • Implemented ongoing risk assessment program; created methods for vulnerability detection/remediation.
      • Designed Incident Response & Reporting System to address DHS IT security events.
      • Monitored and reviewed systems for anomalies and took appropriate action as per the Incident Response Plan.
      • Investigated alleged policy violations and complaints. Reported findings to the State of NJ CISO and DHS CIO.
      • Provided technical and regulatory guidance to the Security Operations Business Unit and 8 divisional decentralized Security Officer Team units.
      • Prepared Security Operations annual budget, project plans, proposals and negotiated contracts with key vendors.
      • Created, maintained and reported on project plans, assignments, and project status reports.
      • Identified technology solutions and negotiated product purchase price and terms.
      • Implemented internal enterprise forensics and E-Discovery program.
      • I was responsible for final approval of firewall access requests and quarterly firewall assessments.

      • Audit review and Risk assessments included a multi-phase, multi-year project in excess of $180 million whose scope was to consolidate multiple systems functionalities and allow integration with the Federal Medicaid Exchange.
      • Audit program components included reporting for: IRS Safeguards Review, Pub 1075 as required by the Affordable Care Act (ACA) of 2010, Center for Medicare and Medicaid Services (CMS) System Security Plan (SSP), IRS ACA Safeguard Security Report (SSR/SPR), Preliminary Findings Report (PFR) and Corrective Action Plan (CAP).
      • Participated in conducting Risk Management Assessments and Security Gap Analysis reporting.

      • Charged with leading the Security Information and Event Management (SIEM) project to a functional conclusion. The project was successfully completed and turned over for administration.
      • Selected by CIO as sole project manager and technical lead for $15 Million DHS PC Refresh project; deployed 12,000 new workstations, 1000 laptops, 1200 new printers, and re-purposed 1500 older workstations to more than 55 locations in NJ, including state hospitals and a high security NJ State prison.
      • Delivered cost savings in excess of $1.5 million dollars through successful contract negotiations with vendor and refurbishing & re-purposing of existing workstations.
      • Managed the development of a standard Windows 7 image resulting in consolidation of services, support, and cost savings; coordinated stringent QA testing of the image by multiple technical.
      • Assembled and managed distributed teams of 60 NJ DHS and private vendor professionals for the project.
      • Developed and implemented cost efficient procedure for secure disposal of electronic media which became the official DHS electronic media disposal policy.
      • Served as the System Center Configuration Manager (SCCM) Project Manager; engineered and leveraged the department's existing WSUS Patch Management environment; trained the system administrators throughout the Department's 8 divisions and delivered a robust patch management environment for daily operations.

      As the only concurrent member of the Security Operations and Windows Infrastructure Business Units, I performed work which included design, engineer, administer & maintain the following systems:

      • Designed the Security Awareness Training E-learning self-hosted LMS producing an annual savings of $25,000.
      • Administrated MPKI, SSL, and Managed PKI for SSL & Code Signing Certificate environments; documented and trained the user community on the use of SSL and PKI certificates.
      • Performed contract negotiations with the MPKI vendor resulting in a savings of $80,000 annually.
      • Conceived a solution allowing parties to be able to exchange sensitive files in a secure and convenient manner using a client-server secure file transfer environment (FTPS) system.
      • Engineered the Email Gateway environment through several product migrations which serviced approximately 25,000 user accounts. Gateway administration was done via various iterations of the Linux operating system.
      • Engineered Secure Webmail Delivery & Secure Email via TLS for confidentiality and regulatory compliance.
      • Implemented Security for Exchange Email using custom rule creation on backend Exchange email servers.
      • Engineered and administrated the Vulnerability Manager; responsible for regular scans, distribution of the scan results, remediation follow-up and reporting to upper management of the department's vulnerability disposition.
      • Engineered and administrated the Intrusion Detection and Prevention (IDS / IPS); review alerts and take action.
      • Virtualization Technologies environment administrator of VMWare and Microsoft Virtual Machine product suites, server build, configuration and troubleshooting.
      • Designed and engineered a distributed ePO and endpoint repository and reporting model.
      • Engineered and developed DHS's WSUS Patch Management environment. Utilizing distributed repositories to minimize impact to the network.

      • Senior Information Security Officer

        Jan 2011 - Feb 2015
      • Security Audit and Risk Assessment Team

        Jun 2010 - Feb 2015
      • Security Operation Project Manager

        Jan 2010 - Feb 2015
      • Security Engineer & Network Administrator

        Nov 2002 - Feb 2015
    • Merck

      Dec 2015 - Apr 2021
      Sr IT Risk Analyst – IT Risk Management & Security

      • Technical Risk Analyst for firewall rules needed to create the network to support Merck divestiture Organon.
      • Lead Risk Analyst for Organon's first acquisition, Alydia Health.
      • Perform and lead critical Information Risk Management activities including risk assessments, emerging technology assessments, risk treatment as well as process improvement initiatives.
      • Perform Information Risk Management functions in collaboration with divisional stakeholders, their vendors and other 3rd party collaborators which includes working with the Information Technology organization and peer risk organizations (e.g. Privacy, Physical Security and Human Resources) to identify Merck Information Risks globally and to provide consultative services to assess and prioritize the treatment of identified risks.
      • Ensure compliance with corporate information security policies utilizing ISO27001, NIST cybersecurity framework and other industry standards.
      • Partner with global IT Risk Management and Security functions to perform IT security risk identification, prioritization and mitigation.
      • Contribute to enterprise-wide risk mitigation programs, processes and technologies focusing effort on identification of the highest risks.
      • Serve as an expert on IT Security and Compliance policies.
      • Maintain current state awareness and understanding of internal and industry practices relative to IT security & compliance.

  • Licenses & Certifications

    • Certified in Risk and Information Systems Control™ (CRISC)

      ISACA
      Jun 2011
    • CISSP® - Certified Information Systems Security Professional

      (ISC)²
      Jul 2015
    • AWS Certified Cloud Practitioner

      Amazon Web Services (AWS)
      Sept 2023
    • Microsoft Certified Systems Engineer

      Microsoft
      Jul 2002
    • Mini-MBA: Business Essentials

      Rutgers Business School
      Jun 2006