STEVEN G HERNANDEZ MBA, CISSP, CISA, CSSLP, SSCP, CAP, SECURITY+
United States Department of Health and Human Services Office of Inspector General
Chief Information Security Officer 2008 – Present
As the Chief Information Security Officer I am responsible for ensuring OIG's activities are FISMA-compliant and conform with the Privacy Act of 1974. I lead a team of 15 federal and contract staff to ensure the enabling of OIG's mission using effective information assurance practices. I am responsible for ensuring the information and technology used by over 700 federal law enforcement agents, over 700 auditors and over 100 lawyers meets all federal, state and local requirements for CJIS, contingency planning, HIPAA, HITECH, ACA, and associated OMB and DHS policies. I am responsible for conveying the exposure risk of over 900 million dollars to executive management in a highly dynamic and rapidly evolving environment. From July 2008 to September 2010 I was the training, compliance, policy and Certification and Accreditation manager for the OIG and OIG's Senior Official for Privacy. I was responsible for managing over 1 million dollars in contracts to support the OIG Information Assurance Mission. I provided subject matter expert opinions to system owners, business stakeholders and executives relating to information assurance. I ensured the compliance of OIG information systems with NIST, OMB, FISMA, US-CERT and applicable laws, regulations, guidance and standards. I authored policy, procedures, standards and guidance in accordance with NIST, OMB, FISMA and industry best practices to support the information assurance program. I managed a team of contractors that performed independent assessment work, continuous monitoring and information assurance analysis. I spent over a year total as acting chief information security officer and have been instrumental in leading the IA team to better integration with other operational divisions and the department. As the OIG Senior Official for Privacy I was responsible for ensuring the information system privacy requirements from the Privacy Act are correctly applied to OIG's information systems. Additionally, I was the point of contact for privacy risk assessments when a breach involved Personally Identifiable Information.
United States Department of Education
Supervisory Certification and Accreditation Manager 2007 – 2008
I led a team of 10 government and contract employees to ensure the compliance of the Department's information systems with OMB A-130, FISMA, NIST, and associated regulations. I led the development of certification and accreditation policy, standards, procedures, and guidelines for the department in accordance with NIST SP 800-37, 60, 18, 34, 64, 100, 53, 53A, 30, and associated OMB mandates and guidelines. I reviewed findings from assessments and continuous monitoring and recommended remediation strategies for 99.999% uptime operations in Unix, Windows, IBM, and Linux environments. I was a project manager for three different projects totaling over 2.5 million dollars of investment that represented a firm fixed price, a time and materials, and a system development contract. I was the lead for quarterly and annual FISMA reporting to OMB and Congress. I was ultimately responsible to attest to the accuracy, timeliness and thoroughness of the Information Systems security posture, certification, accreditation and POA&M status. I was the Department's lead and project manager for the implementation of the OMB FISMA Reporting ISSLOB. I have worked closely with the Department of Justice to determine system requirements, funding, hosting, and security options for the CSAM suite. In preparation for CSAM, I led the department in defining NIST SP 800-53 rev 2 standards for the department. My team and I developed a work plan to complete 127 certifications and accreditations during the fiscal year. At the time of my departure the project was on schedule with a variance of less than 10%. I led the C&A Team's efforts to ensure integration of Certification and Accreditation in all aspects of the system development lifecycle. From system development to system acquisition, certification and accreditation "gates" are now part of each process due to the work of the C&A team I led. My team and I also ensured that certification, accreditation, and information assurance controls were included in Exhibit 300s and the Department's Exhibit 53 CPIC and budgeting processes. I was often called upon to be the acting CISO and Deputy CISO during absences. I worked closely with all information systems security officers to ensure incidents were properly reported as part of the continuous monitoring process and that the risk to the organization was determined when an incident was discovered. The vulnerability that caused the incident was added to the POA&M for remediation. I functioned as the CISO's representative on the Enterprise Architecture review board, approving changes and ensuring documentation or denying changes and recommending secure solutions. I managed the workload and the staffing of my team. I approved all time off, and certified my team's time along with other teams' as the need arose. I hired staff, interviewed candidates and also provided feedback and criticism as necessary.
Double L Inc, American Falls, ID, USA 2005 – 2007
Senior Information Technology Consultant
Functioned as the Information Technology integration and operations consultant. Primary responsibilities included the security and maintenance of a Windows 2003 Domain and server environment in a harsh industrial manufacturing environment. Developed product integration plans, data migration schedules, data backup schedules, and routine data integrity checks. Worked hand in hand with the web development and CRM development team to ensure a high availability and highly accessible hosting environment. Implemented remote access solutions for a globally expanding company and consolidated aging IT infrastructure into a single VoIP/IP data service through a redundant interface. Briefed senior leadership regarding travel to Asia and the threats they may encounter while abroad.
United States Department of Agriculture, Washington, DC, USA
Cyber Security IT Specialist (Policy/Planning) 2006 - 2007
Crucial member of the risk-based policy management development initiative. Primary member of the certification and accreditation program alignment with NIST, OMB, and FISMA requirements. Developed cyber security presentations and reports for the ACIO, Director of Policy and FISMA Compliance, and the Deputy ACIO. Reported and presented at agency-wide functions about the programs and processes occurring within USDA. Worked with the CFO's office to review Exhibit 300s for security and also for OMB A-123 compliance. Worked individually with sub-agencies to bring them into compliance with USDA, FISMA, OMB and NIST requirements. Analyzed business processes and programs within the Cyber Security department, performed feasibility analysis, and determined available options for program strategy alignment for the ACIO, Deputy ACIO and Director of Policy and FISMA Compliance. Performed policy gap analysis. Reviewed departmental policy for correlation with federal guidelines including NIST, FISMA, Executive Orders, Presidential Directives, OMB Circulars, FIPS guidelines and Public Laws. Recommended remedies for partially or non-compliant policy. Worked with the Information Systems Security Line of Business (ISSLOB) to determine if the Department of Justice CSAM suite was appropriate for USDA FISMA requirements. Extremely familiar with USDA and DOJ C&A practices, software, processes and methodologies.
Camas International, Pocatello, ID, USA 1999-2005
Senior Security Analyst
Formulated comprehensive risk assessments of the company's operations and reported directly to the president and CEO of the company. Provided information assurance research, reporting and investigation for the executive board and president of the company. Provided planning and support for IT security, email, local and wide area networking, telecommunications, Internet connectivity and maintenance necessary to carry out the mission of Camas. Led the implementation of corporate security programs designed to anticipate, assess, and minimize system vulnerabilities, e.g., intrusion detection or access authentication programs; coordinated the implementation of security programs across platforms; and established vulnerability reporting criteria. Developed long-range corporate plans for IT security systems that anticipate, identify, evaluate, and minimize risks associated with IT systems vulnerabilities. Performed capital planning and investment analysis with project management. Implemented higher-level security requirements such as those resulting from laws, regulations, or corporate directives; integrated security programs across disciplines and defined the scope and level of detail for security plans and policies for the security program. Reviewed and evaluated corporate security incident response policies; identified the need for changes based on new security technologies, threats or vulnerabilities; tested and implemented new policies; and instituted measures to ensure awareness and compliance. Installed and maintained Ethernet infrastructure backbone for facilities. Formulated security and accountability plans to ensure data integrity, security, and accessibility. Investigated all suspicious external network activity. Evaluated traffic logs from routers and firewalls. Wrote evaluations for new projects and did cost effectiveness analysis on proposals to determine feasibility of projects. Developed and maintained the physical security plan for the company's manufacturing facility.
Idaho State University
Pocatello, ID, United States
Master of Business Administration in Computer Information Systems and Information Assurance
Emphasis in risk management, philosophy, organizational behavior and performance management 2007
Bachelor of Business Administration in Computer Information Systems 2005
Emphasis in information security, philosophy and investment.
Associate of Applied Science in Electronic Systems 2001
Emphasis in RF, electromagnetic studies, microcontrollers, foundry operations, and analog theory.
Certificate of Technology in Lasers and Electro Optics 2001
Emphasis in high voltage power supplies, applied chemistry, and optical interferometers.
Computer Information Systems Student of the Year 2005
Certified Information Systems Security Professional (CISSP)
Certification and Accreditation Professional (CAP)
Systems Security Certified Practitioner (SSCP)
Committee on National Security Systems (CNSS)
NSTISSI-4011 (National Training Standard for Information Systems Security (INFOSEC) Professionals)
CNSSI-4012 (National Information Assurance Training Standard for Senior Systems Managers)
CNSSI-4013 (National Information Assurance Training Standard For System Administrators (SA))
CNSSI-4014 (Information Assurance Training Standard for Information Systems Security Officers)
NSTISSI-4015 (National Training Standard for Systems Certifiers)
CNSSI-4016 (National Information Assurance Training Standard For Risk Analysts)
Certified Secure Software Lifecycle Professional (CSSLP)
Certified Information Systems Auditor (CISA)
Contracting Officer's Technical Representative (COTR/COR)
National Information Assurance Training and Education Center, Pocatello, ID, USA
Affiliate Faculty 2007-Present
Lecture on risk management, the NIST risk management framework, information assurance, cloud computing and trusted computing.
George Washington University, Washington, DC, USA
Guest Lecturer 2012-Present
Lecture on the role of the Chief Information Security Officer in the US Federal Government and the function of the risk executive role.
California State University, San Bernardino, CA, USA 2011-Present
Guest Lecturer
Lecture on the intersection of information assurance and "Big Data." Also lecture on risk management, certification, accreditation and OMB policies.
PUBLICATIONS AND PAPERS:
Official (ISC)2 Guide to the CISSP CBK, Third Edition
Lead Editor and Author 2013
Official (ISC)2 Guide to the ISSAP CBK, Second Edition
Technical Editor 2013
Improving Information Assurance Risk Analysis Models for Small and Medium Sized Organizations: A Research Agenda
Author 2008
National Capital Region (ISC)2 Chapter
The Cyber Corps Alumni Association Board of Directors Board Member 2009-2012
(ISC)2 Volunteer Exam Writer for CAP, SSCP and CISSP 2007-Present
(ISC)2 Government Advisory Board member 2012-Present
(ISC)2 Executive Writer’s Bureau member 2012-Present
(ISC)2 National Capital Chapter Guest Speaker 2013-Present
United States Scholarship for Service Mentor 2010-Present