Theophilus Offei
Details
• Conducting regular cybersecurity audits for both best practices and Critical Infrastructure
Protection (NERC CIP) requirements.
• Responsible for writing policy and procedure documentation from scratch around the
NIST 800-53 framework, the NIST Cybersecurity Framework, and NERC CIP regulations.
• Collaborating regularly with internal teams as well as outside consultants, vendors, contractors,
and assessment teams on various projects to restructure the information security unit.
• Monitoring systems, networks, and data for indicators of suspicious activity.
• Using various security tools and methods to deploy the countermeasures necessary to mitigate
threats and vulnerabilities, and providing real-time status reports on open incidents, current
vulnerabilities, and overall cybersecurity posture.
• Establishing metrics and providing scheduled reports. Based on my security knowledge, I produce
policies, procedures, and other documentation.
• Assisting with implementation of mature security processes and workflow management for
incident identification, triage, response, and remediation.
• Acting as a subject matter expert (SME), I enhance organizational threat and vulnerability
awareness by providing cybersecurity training to employees and providing security help desk
support.
• Passionate about ensuring that everyone across our organization understands the trade-off
between risk and return.
• Educating decision-makers on the cybersecurity risks that new technologies, applications, or
systems might introduce.
• Regularly, I assess and inventory our current technology assets.
• Evaluating and recommending security products, services, and procedures to enhance our
productivity and effectiveness.
2020 : Present
Mesa Associates, Inc
Principal Cybersecurity Specialist
• Responsible for supporting IT Controls Assurance for National Grid’s IT Supply Chain and evaluating supplier risks in relation to the services provided.
• Responsible for supplier evaluations, identifying control deficiencies to ensure compliance with NERC CIP-013, other industry regulations, and internal controls; recommending improvements to the internal control structure; and conducting independent assessments of third parties.
• Responsible for the implementation of CMMC compliance measures or NIST 800-171 DFARS Standards.
• Define and manage the organization’s implementation of the NIST Risk Management Framework (RMF) using NIST SP 800-53 Rev. 4.
• Provide ongoing support, advice, and challenge for the 1st line of defense.
• Build knowledge of, establish, and maintain good working relationships with IT, Security, Commercial, Procurement, Legal and supplier sponsors.
• Manage assurance profiles for a complex environment of suppliers providing services to National Grid.
• Develop and plan control assessments across information system assets, people, processes, and technologies.
• Execute clearly written test plans based on control objectives in a repeatable manner.
• Complete assurance records by documenting assessments and findings, clearly articulating test methodology and steps taken.
• Review work done by other members of the team as part of defined QA processes.
• Communicate and discuss findings with auditees; document results and remediation plans within the Archer GRC tool.
• Facilitate root cause analysis, finding remediation, and consult on action plans based on risks to close out findings.
• Ensure that risks are accurately articulated, and that appropriate business and IT approval is sought where risks are being accepted or exceptions are being granted.
• Work within the Technology Risk and Security teams to evolve the risk universe and control framework to address identified weaknesses and emerging threats.
2019 : 2020
National Grid
Senior Controls Analyst, Supply Chain Risk
Schedule, plan, and participate in internal auditing in accordance with HIPAA, NIST, and PCI
standards.
• Perform security assessments and design reviews, and provide guidance on new technologies for
customers.
• Develop POA&M (Plan of Action & Milestones) documents to take corrective actions resulting
from ST&E (System Test & Evaluation).
• Prepare Assessment and Authorization (A&A) documentation in compliance with company
standards.
• Perform Security Categorization (FIPS 199 and NIST SP 800-60 Vol. 2), Privacy Threshold
Analysis (PTA), and e-Authentication with business owners and selected stakeholders.
• Author or coordinate the development of other required system security plans: Configuration
Management (CM), Contingency Plan (CP), Continuity of Operations (COOP), Disaster
Recovery Plan (DR), and Incident Response Plan (IRP).
• Conduct system risk assessments through risk analysis, assessing the assets within the
system boundaries and rigorously identifying the possible vulnerabilities that exist
within the system.
• Developed the audit plan and performed General Computer Controls testing of Information
Security, Business Continuity Planning, and Relationships with Outsourced Vendors.
• Perform vulnerability scanning using Nessus.
• Ensure all security-related incidents are documented and reported to the ISSM and Security
Officer.
• Perform systems security audit on a weekly basis to detect unauthorized activities and ensure
systems maintain security compliance.
• Perform Security Control Assessments (SCA) according to NIST SP 800-53A.
• Document and conform to processes related to security monitoring, patching, and incident
response.
• Manage the organization’s RMF continuous monitoring tool and complete specific control
activities.
• Maintain security by monitoring and ensuring compliance to standards, policies, and
procedures; conducting incident response analyses; developing and conducting training
programs.
2016 : 2019
Montefiore Health System
Information Security Analyst
Guided System Owners and ISSOs through the Certification and Accreditation (C&A) process,
ensuring that management, operational, and technical controls for securing either sensitive
security systems or IT systems are in place and are followed according to federal guidelines
(NIST 800-53).
• Applied security risk assessment methodology to system development, including threat model
development, vulnerability assessments, and the resulting security risk analysis.
• Provided support and guidance through the phases of FISMA C&A, including monitoring of
C&A artifact compliance, annual self-assessment (NIST SP 800-53A guidelines), and
quarterly self-assessment completion using NIST SP 800-26 guidelines.
• Created or updated the System Security Plan and conducted an Annual Self-Assessment.
• Applied knowledge of C&A policies, guidelines, and regulations in the assessment of IT
systems and the documentation and preparation of related documents.
• Executed vulnerability assessment and vulnerability scanning tools such as ACAS and Metasploit
in a challenging and complex systems-wide information assurance/system security
environment requiring analysis of user, operational, policy, regulatory, and resource demands.
• Assessed and mitigated system security threats/risks throughout the program life cycle;
determined, analyzed, and decomposed security requirements to the level of detail at which they can be
implemented and tested; reviewed and monitored security designs in hardware, software, data, and
procedures.
• Worked with C&A team members and senior representatives to establish and define programs,
resources, schedules, and risks.
• Developed Test Plans, testing procedures and documented test results and exceptions.
• Conducted the IT Risk Assessment and documented the controls.
2013 : 2016
Arch Systems, LLC
Information Systems Security Officer (ISSO)
Responsible for assuring the implementation of the Centers for Medicare & Medicaid Services (CMS) security controls for all systems.
• Assess security controls for various systems using an automated procedure called the Adaptive Capability Test (ACT).
• Assess mainframe systems for security compliance.
• Assist in process improvement and automation for the assessment methodology.
• Conduct evaluations of information system components, management, and design, focusing on information security aspects and accreditation according to the NIST Risk Management Framework.
• Document control reviews and findings on time and as they occur according to client requirements.
• Utilize various information system inspection tools to audit systems, analyze potential vulnerabilities and identify mitigation approaches.
• Review program documentation such as Risk Assessments, Security Plans, and Contingency Plans.
• Conduct ongoing assessments of contractor facilities as needed to ensure compliance with security requirements, tailoring those requirements where necessary.
• Other project support, as needed.
2012 : 2013
Cyberrisk Beyond Solutions
Third-Party Independent Security Control Assessor
About
I am a well-experienced cybersecurity professional with over 10 years of experience in performing Assessment & Authorization (A&A) as part of the NIST SP 800-37 Risk Management Framework (RMF) system and application authorization. I have worked in different capacities for different federal agencies, either as an Information Systems Security Officer (ISSO) or as a Third-Party Independent Security Control Assessor. Working in the federal domain, I helped several organizations take their systems through the assessment and authorization process to secure them an ATO, either through the FISMA or the FedRAMP authorization process, using the NIST SP 800-53 Rev. 4 Minimum Security Baseline Controls.
I am currently the Principal Cybersecurity Specialist for Mesa Associates Inc., an engineering company specializing in power generation in the utility industry. I am responsible for developing and managing the cybersecurity program at multiple U.S. locations and driving all industry compliance efforts, including NERC CIP regulation.