Roger Sloan Resume
Roger A. Sloan, CISSP, CISA
5119 Lakewood Drive • Gibsonia, PA 15044 • (h) 724-443-1704 • (c) 724-991-0250
sloan0717@gmail.com
Qualified By
Experience in the areas of:
Security compliance
Information security
Information technology audit
Security awareness
Security strategy and tactics
Sarbanes-Oxley compliance
HIPAA compliance
Risk assessment
Policies and procedures
Budgeting
Project management
Staff management
Management & board reporting
DR and BCP planning
Vendor security oversight
Contract management
System implementations
Special Projects
Professional Experience
Federal Home Loan Bank of Pittsburgh, Pittsburgh, PA 2007 - 2016
Director, Information Security (April 2008 – July 2016)
Define the Bank’s security strategy and tactical security plans, ensuring alignment with Bank-wide goals and strategies. (Developed the Bank’s security program from its infancy, working closely with IT, business unit and executive management, as well as the board.)
Define the Bank’s security policies, standards and procedures. This includes the Bank Security Policy, Security Management Policy, Information Security Standards, Information Classification and Data Handling Standards, Security Architecture Control Standards, Cloud Computing Policy, Security Incident Response Procedure, etc.
Implement appropriate procedures to ensure compliance with security policies and standards. Direct the definition and implementation of compliance monitoring processes, including the definition of key metrics. Direct the Bank’s internal vulnerability management program, automated policy compliance program and social engineering assessment program.
Direct the Bank’s critical data discovery and inventory process, which provides focus for implementation of controls and allocation of resources.
Ensure compliance with applicable regulations and regulatory guidance to ensure safe and sound business practices (e.g., HIPAA compliance assessment, Federal Financial Institutions Examination Council cyber security assessment, Federal Housing Finance Agency security bulletins gap analysis).
Develop and implement procedures and reports to keep management and the board informed about the Bank’s security program and compliance with policies. Share relevant information about the Bank’s security program with management and the board through presentations and reports.
Lead efforts to identify and complete required actions to address compliance violations; analyze current security practices and implement improvements where appropriate.
Direct the Bank’s security awareness training program and ensure training occurs as required by policy.
Conduct Bank-wide security risk assessment activities.
Direct the Bank’s security incident response process.
Direct the analysis of project requests to define priorities and resource requirements, develop appropriate justification for supplementing existing resources, and allocate resources to address business needs. Identify external business partners to supplement existing staff and improve the efficiency and effectiveness of the department.
Oversee projects to assure compliance with plans and participate in decisions regarding modifications or enhancements to the security, technology or operating environment which support the Bank’s business requirements. Assess and document the design of security controls for each significant system implementation project and provide sign-off prior to production implementation.
Direct the Bank’s use of independent third parties for security services, including network vulnerability and penetration assessments, social engineering assessments, security risk and maturity assessments, and security information and event management (SIEM) services. Negotiate and manage all associated contracts.
Manage security reviews and oversight of critical third parties and cloud service providers used by the Bank.
Respond to member/customer requests for information regarding the Bank’s security control environment and susceptibility to specific cyber threats. (Developed an internal SSAE16-like document to satisfy such requests, creating efficiencies and cost savings for the Bank.)
Direct the Bank’s business continuity planning program to ensure the Bank can successfully recover in the event of a business interruption. Direct the definition of testing schedules and all aspects of BCP testing exercises. (Responsibilities recently migrated to IT Technical Services to enable sole focus on information security.)
Exercise the usual authority of a manager, including personnel decisions regarding hiring, training and development, assigning work, performance management, salary actions, and initiating corrective actions and terminations, as well as establishing and monitoring adherence to a departmental budget.
Audit Manager (July 2007 – March 2008)
Manage the IT audit function, including conducting enterprise-wide risk assessments, preparing the IT audit plan and managing relationships and engagements with Bank management and external auditors.
Incorporate IT controls into application/business process audits and train non-IT audit staff on how to conduct such reviews.
Integrate Internal Audit, SOX and independent third party audit requirements into a single integrated audit program and approach, creating efficiencies.
Conduct security, application, and general computer control reviews.
Duquesne Light Company, Pittsburgh, PA 1995 - 2007
Manager, Audit Services -IT (1998 - 2007) and Audit Coordinator (1995 - 1998)
Manage the IT audit function, including conducting enterprise-wide risk assessments, preparing the IT audit plan and managing relationships and engagements with Company management and external auditors.
Oversee and train audit staff, as well as manage third party co-sourcing engagements. (Introduced co-sourcing within Audit Services.)
Conduct security, application, and general computer control reviews.
Lead the ongoing implementation of continuous auditing/monitoring within the Audit Services Department and throughout the Company.
Participate in system development projects to ensure controls are addressed.
Lead special projects and investigations as directed by executive management and provide "consulting"-type services to business units to help ensure business objectives are met and controls are implemented (e.g., cyber security, Y2K, rate case refund/surcharge).
Manage and perform all Sarbanes-Oxley Section 404 IT compliance activities, including scoping, testing, documentation, external audit coordination, etc. Develop a database for recording and tracking all Sarbanes-Oxley issues and assist in developing the approach, methodology, and standards for the Company's overall Sarbanes-Oxley project.
The Western Pennsylvania Hospital, Pittsburgh, PA 1993 - 1995
EDP Auditor
Responsible for developing the IT Audit function, including developing the audit approach and work programs, conducting IT audits, participating in system development projects, issuing final reports and clearing audit findings.
Allegheny General Hospital, Pittsburgh, PA 1990 - 1993
Coordinator, IS Security
Develop, maintain, and test Business Recovery Plans and negotiate recovery contracts
Administer information security
Develop policies and procedures dealing with information security, computer viruses, software copyrights, etc.
Coordinate IT audit activities
Conduct security reviews of ancillary departments
Select and implement information security and business recovery software
Maintain physical security for the data center
Integra Financial Corporation, Pittsburgh, PA 1986 - 1990
Data Security Analyst/Manager (1988 - 1990)
Maintain CICS and application security for northern banks
Establish corporate data security policy and procedures
Initiate development of Business Recovery Plan
Staff Auditor/EDP Auditor I & II (1986 - 1988)
Develop and maintain audit programs and software
Conduct IT audits and participate in system development projects
Train branch audit staff
Tools and Technologies
Qualys, Proofpoint, Symantec Endpoint Protection, Palo Alto (with WildFire), ThreatSim (Wombat Security),
RSA SecurID tokens, AirWatch, OneLogin (SAML), CyberArk, Solutionary (SIEM), Cisco network, VMware,
Citrix (virtual desktop and remote access), Windows, Active Directory, Solaris, Linux, Oracle, SQL Server,
B2B e-commerce
Professional Development
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Auditor (CISA)
Information Systems Audit & Control Association (ISACA) member and past Pittsburgh Chapter President
Education
Bachelor of Science, Management Information Systems (Accounting Minor)
Indiana University of Pennsylvania