S. Loveless 1
Sara L. Loveless
360 Candice Dr. NW, Piedmont, OK 73078 | (405) 326-2245 | sara.l.loveless@gmail.com
PROFESSIONAL PROFILE
- Highly-skilled information security professional with 15 years of experience in information technology, and 10 years of information security/IT risk management experience.
- Passionate advocate for user engagement as a primary means to develop a “security culture” across the enterprise.
- Program Lead for Devon Energy’s IT Risk Management program, responsible for overseeing program/process execution encompassing 6,500 end-users, 3,200 mobile devices, and 12,500 endpoints.
- Hands-on experience with system administration for Oracle databases, SQL databases, Windows servers/workstations, and non-Windows servers.
- Audit liaison for SOX, HIPAA, and PCI audits.
- Well-versed in COBIT v5 and NIST.
PROFESSIONAL EXPERIENCE
DEVON ENERGY, Oklahoma City, OK
Senior IT Risk Analyst, Dec 2013 - present
- Produced a 65% reduction in successful phishes and a 110% increase in the reporting of suspicious emails following the implementation of routine end-user phishing exercises with follow-up training for recipients.
- Doubled voluntary attendance of information security awareness training over the last two years, with 100% positive feedback from attendees. These sessions target end-users, and use custom-developed training materials that are revised annually.
- Program Lead for Devon’s IT Risk Management program, overseeing the execution and continued development of the program. This role encompasses the continual assessment of program processes and procedures to ensure consistency and correctness in the risk registry, application/system risk assessments, SOX/PCI/HIPAA compliance, and asset vulnerability management.
- Reduced the average time for risk assessment completion by two business days through streamlining and standardizing the risk assessment process. These process revisions also ensure uniformity and comprehensiveness for each risk assessment.
- Realized a 15% reduction in risk through the design and implementation of legal risk assessment functionality in Devon’s GRC tool (RSAM). This tool allows Devon’s legal department to quantify risks to Devon data presented by partner firms.
- Reduced incident documentation time by 35% following the design and implementation of Incident Response documentation capability within RSAM. This new capability also ensures standardization of documentation of each incident, as well as ensuring compliance with established incident handling procedures.
- Implemented and deployed Devon’s annual risk appetite survey, designed to measure the risk appetite of both the business units and IT. This survey is also used to ensure that overall IT risk is within tolerances of the business unit.
- Performed annual review/revisions for all IT policies, procedures, and guidelines to ensure that all published documentation reflects current technology standards, scope, and implementation practices, as well as current business practices.
- Engaged with business owners and technical support personnel to ensure the completeness and accuracy of disaster recovery documentation and testing.
- Partnered with Human Resources and Environmental Health and Safety to ensure that data handling practices comply with HIPAA and PII requirements.
- Engaged with internal and external auditors to ensure SOX and PCI compliance annually. No deficiencies have been noted for PCI or SOX in the last two years.
DEFENSE INFORMATION SYSTEMS AGENCY (DISA), Tinker AFB, OK
Information Assurance Manager/Security Manager, Nov 2009 – Dec 2013
- Ensured that DISA Oklahoma City was 100% compliant with U.S. Cyber Command (CYBERCOM) vulnerability monitoring requirements for 2012-2013 while serving as Technical Lead for the IA Compliance Team.
- Oversaw system compliance with all applicable Department of Defense (DoD) and DISA security requirements across enterprise systems, including 4,500+ servers.
- Oversaw and ensured that newly constructed classified processing areas complied with all DoD requirements; ensured that access control systems were properly configured.
- Served as the local project manager for the DISA Records Management/NARA Compliance Project. This project was nominated for the 2013 DISA Excellence Award.
- Provided ongoing education and guidance regarding logical and physical security awareness to staff and visitors/customers. This included identifying and remediating knowledge gaps regarding policies and procedures, and providing annual training and education for internal personnel regarding security awareness.
- Provided expert guidance in the form of policies, guides and standard operating procedures (SOPs) during all phases of planning and implementation, to include System Security Plans (SSPs), production approval processes, guidance regarding DoD directives and requirements, wireless use policies and other policies/documents as required.
- Project lead for the DECC accreditation project, including the development of all accreditation documentation. This documentation included a complete rewrite of the DISA Oklahoma City SSP and development of the DISA Oklahoma City S.A. Guide. The quality of our accreditation materials resulted in the issuance of a three-year accreditation certification.
- Reduced onboarding of new employees and contractors by 75% by streamlining the personnel security processing procedures for DECC Oklahoma City. The onboarding process was converted from an entirely paper-based process to digitally signed personnel documentation. This effort allowed DECC Oklahoma City to dispose of thousands of printed pages of personnel files, and dramatically improved employee privacy and security by storing employee security data in a secure database.
- Received multiple performance awards for individual contributions within DISA during 2010, 2011, and 2012.
COMPUTER SYSTEM DESIGNERS, Tinker AFB, OK
Senior DBA/Information Assurance Officer, Oct 2003 – Nov 2009
- Ensured 100% compliance with all DoD/DISA policies related to database implementation and management.
- Provided expert guidance and interpretation for customers and DISA DBAs regarding required DoD/DISA policies and security requirements.
- Reviewed and documented processes and procedures for database auditing and finding remediation.
- Communicated security vulnerabilities and risks to customers on behalf of DISA DBAs and negotiated remediation plans.
- Received Outstanding Performer Awards for customer service on multiple projects.
KERR-MCGEE CORPORATION, Oklahoma City, OK
IT Risk Analyst, Jun 2000 – Aug 2003
- Served as Change Control Manager for Oracle databases across the enterprise. Modifications to the patch deployment and testing process resulted in a 75% reduction in implementation time.
- Achieved 100% compliance with Service Level Agreements as part of the technical support team for Oracle/Novistar applications.
- Served as project lead for the KMG Customer Management project. This project resulted in a 90% reduction in application account creation.
EDUCATION
SOUTHERN NAZARENE UNIVERSITY, Bethany, OK
Bachelor of Science, Network Management
- Graduated: August 2000
WESTERN GOVERNORS UNIVERSITY, Salt Lake City, UT
Master of Business Administration, Information Technology Management
- Projected Graduation: August 2016
PROFESSIONAL CERTIFICATIONS AND MEMBERSHIPS
- ISC(2) Certified Information Systems Security Professional (CISSP)
- GIAC Certified Incident Handler (GCIH)
- GIAC Systems and Network Auditor (GSNA)
- GIAC Critical Controls Certification (GCCC)
- INFRAGARD Member since 2014
- ISACA Member since 2013