Carlasha M. Jenkins
Carlasha23@gmail.com
Bowie, MD
570-242-3692
CRISC, CEH
QUALIFICATION SUMMARY
Ms. Jenkins is a professional consultant with more than 15 years' experience in information
technology and information security processes within the Civil and Federal government,
including experience as an Information Systems Security Officer and Task Lead implementing
policies associated with standards and procedures, and in implementing guidance that meets
the legislative and practical requirements associated with the use of IT solutions in a
Federal and Civil environment. She develops and creates security postures by supporting and
providing team management, risk identification, and complex business and technology
verification addressing cybersecurity challenges.
SKILLS
Security Tools: AppDetective, Appscan, AMP, Websense, Fortify, Nessus and SCCM
Desktop Applications: Microsoft Office Suite – Word, Excel, PowerPoint, and Outlook
Software Development: Java, JBoss, Oracle, Apache, etc.
Operating Systems: Microsoft Windows, Unix/Linux
PROFESSIONAL EXPERIENCE AND ACCOMPLISHMENTS
SeNet International Corporation, Fairfax, VA April 2014 to Present
Senior InfoSec Engineer
As a Senior InfoSec Engineer, responsible for gathering information and leading clients through
Risk Management Framework (RMF) Security Assessment and Authorization (A&A) information
system evolutions, and for compiling reports following NIST 800 guidelines, including
Security Test and Evaluations (ST&Es), Contingency Plans (CPs), System Security Plans
(SSPs), and Risk Assessments (RAs).
Independently assess security controls and perform technical vulnerability testing, achieving
compliance by evaluation of client information systems in accordance with NIST 800-series
guidelines.
Educate and work with clients in conducting NIST 800-53 rev 4 interviews and
examinations.
Presenting A&A efforts for several agencies in the areas of Risk Management Framework
steps along with risk management, contingency planning, incident response, disaster
recovery, and vulnerability assessment.
Draft policies for department-wide security programs covering the wide range of National
Institute of Standards and Technology (NIST) Special Publications.
Bureau of Indian Affairs (BIA)
Department of Interior
As the Senior InfoSec Engineer, responsible for gathering and organizing technical
information on the agency's current information assurance products and security programs.
Analyze current security architecture through technical reviews and customer interviews.
Collaborate with other engineers to design and develop new security architecture for the
customer to meet security requirements. Assist with and demonstrate business processes for
identifying information protection needs for systems and networks. Provide recommendations
on the development, implementation, assessment, and monitoring of security guidelines. Support
the scheduled Office of Inspector General (OIG) audits and compliance by providing
coordination and guidance with the agency and System Owners. Provide necessary leadership,
execution and support of compliance activities related to Federal Information Technology
security mandates including but not limited to: FISMA, FISCAM, Presidential Directives,
Public Law, and Office of Management and Budget (OMB) guidance.
Maintain and manage the required system security documentation in the Cyber Security
Assessment and Management (CSAM) system
Manage and track Plan of Action and Milestones (POA&M) compliance, responses and status
Coordinate data collection, analysis and reporting for IT Security Data Calls and FOIA
Requests
Develop and create the Continuous Monitoring Plan following the NIST 800-137 guidelines
Assess the CSP-supplied security assessment package for a cloud system using the
FedRAMP Security Assessment Framework
Provide technical and security insights overseeing and coordinating all information
management and IT support requirements.
Support the information management objectives consisting of all matters concerned with the
planning, design, development, installation, and implementation of information management
architectures, policies, procedures, systems and applications
Coordinate with senior representatives within the agency organization addressing program
goals, milestones, resources, and risks
Verify security requirements in accordance with applicable cyber security policies and
defined system requirements.
Analyze and identify access control and configuration requirements for identity
management and authentication systems and SIEM (Security Information and Event
Management) products and solutions, and test security controls to mitigate risk
Network Specialty Group September 2012 to April 2014
Senior Consultant, Information Security Engineer
As an Information Security Engineer, implemented guidance on creating the A&A package for
the Office of Inspector General at the Department of Commerce. Developed and applied
skill-based knowledge for remediation of computer security incidents by assessing
vulnerability reports and scanning for remediation using Appscan, Nessus and Fortify. Assisted
with IT security related laws, policies, procedures, methods and practices, and developed
documentation for all NIST 800-53 r4 first controls (standard policy and
procedure). Recommended mitigation for vulnerabilities based on an understanding of risk, using
CVSS scoring to appropriately classify vulnerabilities. Coordinated with federal recipients with
respect to Security Awareness Training, Security Risk Assessments (SRA), Security Impact
Assessments (SIA), Control Impact Assessments (CIA), and Control Risk Assessments (CRA).
Developed contingency plans (Disaster Recovery or Business Continuation Plans) for information
technology systems.
Web application testing using penetration testing methodology and prior experience with
programming in one or more server-side technologies such as Java, JBoss, Oracle,
Unix/Linux, Windows-based, Apache, etc.
Implemented NIST 800-53 rev 4 controls and created the System Security Plan for the Office
of Inspector General, defining milestones and deliverables, monitoring activities, and
evaluating and reporting on accomplishments using oral and written communication techniques.
Ensured vulnerabilities were mitigated and remediated by reviewing weekly, monthly and
quarterly vulnerability scan results for assigned systems and assets. Created quarterly Plans of
Action and Milestones for the department.
Provide expert technical advice, guidance, and recommendations to management and other
technical specialists on critical IT issues.
Support incident response tools: Symantec Endpoint Protection, Nessus and the Fortify
scanning tool.
Deliver analysis and reporting to the development teams prior to a release in order to identify
and correct the security flaws before the release.
Coordinate and mitigate incidents with DOC-CIRT, applying incident response
practices and procedures (identification, containment, remediation/eradication and recovery)
to coordinate and manage Cyber security incidents by providing direction, recommendations
and guidance to system, application, and network administrators on proper procedures to
contain incidents, allowing for the collection of information necessary to properly investigate
the cause of the incident.
Produce Standard Operating Procedures for Incident Response by preparing lessons learned.
Perform vulnerability testing on applications and networks to identify security vulnerabilities
and weaknesses. Review, analyze and develop vulnerability test plans, and prepare reports
documenting test results and recommended remediation and mitigation actions.
Constructed a new Incident Response form. Provide professional consultation to senior
management within the Chief Information Officer's organization concerning A&A packages,
Authority to Operate, and the accessibility of cyber security tools. Apply experience
with IP networks, security architecture design, and related security technologies including
platform hardening, encryption, IPsec, PKI, VPNs, firewalls, proxy services, DNS, e-mail,
and access lists.
Apply extensive experience implementing and administering security solutions in
support of enterprise information security objectives, including Security Information and
Event Management (SIEM).
Booz Allen Hamilton, McLean, Virginia August 2010 to August 2012
Senior Consultant, Information Security Engineer
As the Information Systems Security Officer (ISSO), implemented regulations and policies
interconnected with the requirements of the IT security environment. My tasks combined
security incident reports, operating instructions, technical vulnerability reports, and contingency
plans. I delivered information assurance requirements for the National Aeronautics and Space
Administration (NASA), Internal Revenue Service (IRS), Census Bureau, and Amtrak Corporate
Security Police Department (APD), working directly with Directors, Project Managers and
technical area leads to consolidate A&A processes. I facilitated direct collaboration on A&A
regulations using NIST guidelines and controls. I demonstrated knowledge of FISMA
requirements, NIST 800-53A, agency requirements, and technical specifications in creating
A&A documentation, applying the guidance to meet the legislative and practical
requirements associated with the Federal and Civil background. I was responsible for the
execution and development of revised system-specific/hybrid security controls and standard
procedures based on NIST guidance and FedRAMP controls. Developed and maintained system
security documents. Provided internal controls, risk management, and technical leadership and
support to ensure effective IT security practices were incorporated into networks, applications, and
data of financial systems.
Ensure appropriate steps were taken to implement information security requirements for IT
systems throughout their life cycle, from the requirements definition phase through disposal.
Perform monthly vulnerability scans of assigned systems and assess the OWASP reports.
Utilized scanning tools such as AppDetective, Appscan, AMP, Fortify and Nessus
Web application testing using penetration testing methodology and prior experience with
programming in one or more server-side technologies such as Java, JBoss, Oracle,
Unix/Linux, Windows-based, Apache, etc.
Deliver analysis and reporting to the development teams prior to a release in order to identify
and correct the security flaws before the release.
Responsible for working with the development teams for every release during the build
process
Recommend mitigation for vulnerabilities based on an understanding of risk, using CVSS scoring
to appropriately classify vulnerabilities
Create Security Assessment Reports (SAR) and implement Privacy Impact Assessments
(PIA).
Employ the guidelines of NIST SP 800-60 Volume I & II and FIPS 199 & 200.
Provide professional consultation to senior management within the Chief Information
Officer (CIO) organization concerning A&A packages, Authority to Operate (ATO), and the
accessibility of cyber security tools.
Produce deliverables including System Security Plans (SSP), Business Continuity Plans
(CP), and Security Test and Evaluation (ST&E) Plans, and ensure they are consistent with NIST
standards and guidance.
Recommend and perform Continuous Monitoring using NIST SP 800-37 guidelines.
Ensure compliance with other directives such as Office of Management and Budget (OMB) Circular
A-130, Management of Federal Information Resources, and Executive Orders.
Northrop Grumman, Atlanta, GA October 2004 to May 2010
Information Security Engineer
As Government Task Lead, provided A&A process support for information security clients.
Managed accounts using network rights. In doing so, arranged and prepared
instructions and guidance for Standard Operating Procedures (SOPs) for commercial off-the-shelf
enterprise applications. System access was safeguarded in accordance with the security
requirements of the network. Delivered analysis and reporting to the development teams prior to a
release in order to identify and correct security flaws before the release.
Conduct system A&A by managing the processes, including risk assessments,
recommendations for application design, and security tests and evaluations, following
guidance from the NIST SP 800 series, including SP 800-30, Risk Management Guide for
Information Technology Systems; SP 800-34, Contingency Planning Guide for Information
Technology Systems; SP 800-37, Guide for the Security Certification and Accreditation of
Federal Information Systems; SP 800-53A, Recommended Security Controls for Federal
Information Systems; and SP 800-60 Volume II, Appendices to Guide for Mapping Types of
Information and Information Systems to Security Categories.
Assist developers and programmers in mitigating vulnerabilities discovered during
development through security vulnerability scans or penetration testing.
Conducted vulnerability scanning and assessment for the enterprise applications using IBM
Watchfire.
Recommend mitigation for vulnerabilities based on an understanding of risk, using CVSS scoring
to appropriately classify vulnerabilities
Monitor, test, and support any patterns that were in noncompliance by taking technical action
to help minimize security risk and insider threats. Assist CDC senior management
concerning their FISMA responsibilities, including implementation of controls described in
NIST 800-53A
Manage Change Management requests for Business and Technical Stewards, determining
their systems' attainability by evaluating changes to their systems.
Assist the Business Steward with developing and maintaining the SSP. Evaluate COTS software
for installation on the CDC network. Familiar with Independent Validation & Verification
(IV&V).
Arrange CDC forensic techniques for incident response by utilizing the SSP.
Proactively assist in security architecture, design and risk remediation activities such as
POA&M, Risk Assessments and ST&E processes.
EDUCATION
Associates, Applied Science in Business Management, City University of New York Borough of
Manhattan Community College, New York, NY
B.S., Management Information Systems, State University of New York College at Old
Westbury, New York, NY
M.S., Management Information Security Systems, Colorado Technical University, Colorado
Springs, CO
AWARDS
Outstanding Excellence for Team - March 2008
Received this award from CCID, Centers for Disease Control and Prevention; this is an individual
security team award.
Certificate of Commendation - September 2015
In recognition of Ms. Jenkins' support to the Information System program at the Department of
Interior Affairs, Bureau of Indian Affairs, with their Authority to Operate package and process.
Carlasha traveled to Denver on short notice and demonstrated outstanding leadership in her
ability to keep the staff motivated and focused while providing outstanding recommendations.
Her intimate knowledge, insight and upbeat attitude were instrumental in completing the
documentation. Carlasha's hard work, patience and willingness to go above and beyond
significantly improved the relationship with the customer. Thank you for your exceptional work.
CERTIFICATIONS AND TRAINING
Certified in Risk and Information Systems Control (CRISC)
Certified Ethical Hacker (CEH)
Certification in Security Certification and Accreditation – Graduate Level
Certification in Information System Security Management – Graduate Level
Certification in Information Systems Security – Graduate Level