Peningo Systems, Inc.
Candidate: PEN-002



Contact info:  For information on this candidate please email us at  
info@peningo.com                           



Overview

Has architected, reviewed, engineered, deployed and upgraded enterprise wide implementations of
Identity Management, Access Management, Compliance and Security Technologies. These solutions
enable organizations to efficiently manage:

1        Security and entitlements information about their employees, customers, business partners and
service providers within the extended enterprise model.

2        Maintain user authentication and authorization run time environment and create logs on user  
security and resource accesses.

3        Manage the run time Confidentiality, Integrity and Availability aspects of Enterprise Business   
Applications.

4        Generate reports for compliance with governing bodies.

5        Recover applications and business processes from server / site outage and data center loss.

These solutions are built by integrating the following set of web enabled, J2EE technologies that are
connected to legacy platforms like Active Directory, Mainframe and UNIX systems and business
applications:

1        Tivoli Identity Manager (TIM) – utilizes Extended-Enterprise model for people relationships with
the organizations, Security Policy, Procedures and Standards for application entitlements, to
create/update/suspend/restore/delete user accounts and entitlements across managed user stores
such as LDAP, Databases, Desktop Management Systems (AD, NT, Novell), UNIX Servers (AIX, HP/UX,
Solaris), Mainframe (RACF, ACF2) Email Systems (Exchange, Lotus Notes), Databases (Oracle, DB2),
Secure Id Tokens, and application specific user records (VSAM, Text Files, etc). Have installed and
configured TIM agents for LDAP, Windows 2000, Active Directory, Solaris, HP/UNIX, Oracle and SYBASE
databases, AS/400, RACF and ACF2.

2        Tivoli Access Manager (TAM) – validates user credentials upon system login, manages
credentialed user sessions, determines user access to application resources, logs access and generates
the data applications require when the user traverses the application portfolio. TAM utilizes
the credentialing and access rules defined in the policy server. It has secure connections to the user
stores. Protected application traffic is intercepted using Web-Seals. TAM comes in the following flavors:
-        TAM – BI – controls access to MQ Applications
-        TAM – OS – secures users signing on to the UNIX systems.
-        TAM – secures eCommerce applications including J2EE applications.

3        Websphere – provides a technology platform to host J2EE applications. The major components
are:
-        Deployment Manager: stores definitions to provide a runtime clustered environment for
hosting mission critical applications.
-        Application Server: hosts applications and manages the assigned runtime system resources
like memory size, process allocation, message queues, data sources and connections, etc.
-        MQ System: creates queues for internal status of the Websphere processes. These enable
Websphere to store the state of each unit of work in execution and recover from the
previous point.
-        HTTP Service: establishes the communications to and from the WebSphere systems.
-       HTTP Plug-in: generates the code to be distributed across linked Web-Servers.
-        Portal Server: hosts the application front end and provides entry into the WebSphere
Application Server and the applications.
-        JAVA: is the programming language of choice for developing J2EE applications.
-       Web Services: Websphere has implemented J2EE standards for the Services Oriented
Architecture. These standards isolate applications from back end processes and enable
robust application management.

4        Tivoli Federated Identity Manager – establishes security credentials across multiple web
domains. These domains are within a business organization or across business partners.

5        Tivoli Directory Integrator – connects different data repositories and allows data movement
between these connected resources.

6        Tivoli Directory Server – stores information about people, accounts and system rules needed by
the Identity Manager and Access Manager. The technology part includes installation,
configuration, master-server replication for high availability, extending schema for custom
attributes, monitoring, backup and restore.

7        Custom Applications: created JAVA applications to customize the solutions to the client
requirements and installed them on WebSphere. Also used JavaScript to customize the internal
workings of Tivoli software.

8        Have implemented CA SiteMinder product for Web access controls. These controls enabled
employees to self-service their benefits from the human resources portal.

These solutions have enabled clients to meet SEC compliance and SOX compliance, and to improve IT
Security, Audit Reporting and organizational efficiencies.

Focus areas:
1        Architecture: we shall document and understand business objectives and translate them into
technical specifications.
2        Systems engineering: we shall install and configure the technical components of the solution and
ensure communications across all systems. Additionally, we will also implement the technical
specifications to deliver the architecture features.
3        System Provisioning: implement the desired features so the client can reap the benefits from the
solution.
4        Compliance and audit: have reviewed the processes, technology implementations and operations
against the industry benchmarks to determine gaps and remediation.
5        Solutions upgrade: upgrade technology components and business processes to exploit current
solution capabilities.
6        Education and knowledge transfer: train and educate technical, administrative and support
personnel to maintain the entire business solution.

Technologies
Identity Management:        

IBM Tivoli Identity Manager and Tivoli Directory Integrator with Adapters/Agents for Notes, NT,
AD, RACF, ACF2, AS/400, LDAP, Solaris, Oracle, Sybase, DB2, RSA Clear Trust and SQL Server

Access Management:        

CA SiteMinder, IBM Tivoli Access Manager, Web Seals, LDAP, Access, DB2 and Active Directory

Application Management:        

IBM Websphere Application Server, Deployment Manager, Message Queue System (MQ), HTTP Servers
and Websphere based applications such as Portal Servers, LDAP Administrators

Data Management:        

IBM LDAP, LDAP Administration, DB2 Administration, IBM Directory Integrator (IDI)

Access Control Systems        

RACF, Top Secret, ACF2, Tivoli Access Manager, Site Minder, Vanguard Administrator Suite, RSA
KEON, RSA ACE

Programming Languages        

SAS, C++, COBOL, Java, JavaScript, Shell Scripts and REXX

Data Stores        

IBM LDAP, SUN LDAP, DB2, ORACLE, SYBASE, SQL Server

IT Technology        

IBM Mainframes (Z/OS), UNIX (AIX, Solaris, HP-UX), NT, Networking, eCommerce, J2EE, Websphere, HTTP
Server, Client-Server, System Management Applications (BMC Patrol, Omegamon), Middleware (MQ,
Shadow from Neon Systems) and Business Financial Applications

Industry         Insurance, Banking, Brokerage, Retail, Distribution and Manufacturing
Standards         Sarbanes-Oxley Act, HIPAA, CFR21, BS7799, SEC regulations, ISO17799, FDIC, NCSC

Education        

MS Computer and Information Systems,

BS Mechanical Engineering

Personal        United States Citizen since 1991
References        will be furnished upon request.

EXPERIENCE                Self employed (6 years); Big 4 (3 years); IBM (5 years); Bank of America  (3 years);

1999 – Present                

Information Technology Security Consultant,

Client work

7/03 - Present                Identity Management Consultant, USA

Multiple Projects

Assist clients to implement Tivoli Identity Manager to solve their business problems. A typical identity
management solution entails the following:

•        Solution Architecture that describes in detail the system workings in support of the business
objectives. These business objectives include compliance requirements, business processes,
management metrics and solution scope.
•        Led engineering effort to install the Identity Management Solution infrastructure that includes
DB2, LDAP, Directory Integrator, Websphere Application Server, LDAP Administration Tools, Websphere
Portal Server, Tivoli Identity Manager, and Agents of Tivoli Identity Manager for AD, NT, W2K, RACF,
ACF2, Lotus Notes, Exchange, Peregrine and AS/400. Also configured above solutions to optimize
system performance.
•        Led engineering effort to install the Access Management Solution infrastructure that includes
Websphere Deployment Manager, WebSphere Application Server and Tivoli Access Manager. Created
secured connections between TAM and user repository in LDAP and RACF, RSA Ace Server. Installed
and configured web-seals on WebSphere Application Servers hosting business applications.
•        Configured the above technologies to the technical specifications needed for the business
objectives.  Many configurations required data manipulation within LDAP since it stores all application
data.
•        Upgraded existing identity management solutions by:
•        Reviewing the solution including customizations
•        Upgrading the system components
•        Re-architecting the solution for the new business requirements and new technology features and
•        Upgrading / implementing business processes.
•        Reviews for Compliance, Audit and operations improvements: review software implementations,
architectures and processes to determine strengths and weaknesses and recommend remediation
methods to strengthen the solutions.
•        Audit Findings and Responses: reviewed external/internal audit findings and helped IT support
craft responses to the audit finding.
•        Advised the clients on, or provided proof of concept for, the following technologies:
•        Federated Identity Management
•        POC TAM / OS for single sign on across UNIX Server farms for Server Support personnel.
•        Application development for security standards
•        Application development utilizing SOA architecture in WebSphere
•        Co-existence between .NET and WebSphere Web Services systems.

2004                        Senior Solution Architect
Helped clients to develop and deploy IBM Tivoli Identity Management Solutions. The activities are
listed above.

11/03 – 03/04                Security Consultant
Corporate Security Group

•        Restructured RACF Group Tree – for the Business Objectives
•        Analyzed .NET Security Framework – for migrating COM and Visual Applications.
•        Analyzed Security Infrastructure – for mergers and acquisitions.
•        Assisted in defining the proof of concept for web access controls using SiteMinder

05/01 – 05/03                
HIPAA Privacy and Security Consultant
Data Security Group,

•        Developing Security Architecture blueprint for Role Based Access Administration utilizing Tivoli
Identity Manager (TIM) (formerly Access360 enRole).
•        Defined scope of role based access administration across TIM Managed platforms.
•        Applied TIM agent to RACF, ORACLE and NT.
•        Defined the authorities of TIM agent on the managed platforms.
•        Established procedures for the data flows between identity owners and TIM.
•        Defined services and processes of TIM for password reset, id creation and id deletion processes.
•        Assisted in evaluating and implementing HIPAA Compliance for business transactions and data
systems.
•        Evaluated the impact of HIPAA Compliance to IT configurations, security processes and user
access.
•        Assisted in the development of HIPAA Compliance Model.
•        Analyzed and modified information technology security definitions and user access to meet the
HIPAA compliance.
•        Certified that the system definitions and user accesses complied with HIPAA Guidelines.
•        Information Security Processes:
•        Implemented procedures to remove access of inactive user accounts.
•        Removed redundant processes to improve operational efficiencies.
•        Defined and implemented security interface between SIEBEL, Inventory Control System, Point of
Sale, Data Warehouse and RACF.
•        Supported administration of user definitions and accesses across mainframe, MQ, RSA Secure Id
token, enRole, SYBASE, and ORACLE.
04/00 – 05/01                
Enterprise Architecture,

•        Assist the client in developing an information security strategy for the eCommerce suite of
applications. The following issues were resolved:
•        Definition of eCommerce common security services.
•        Integration between the eCommerce and non-eCommerce applications.
•        Assist the client in software product acquisition from a set of competing vendors, IBM Directory
Services and I-Planet Directory Services, specifically,
•        Conducted feature comparison between competing vendor products.
•        Developed a model implementation for each of the competing suite of products.
•        Evaluated and recommended the product suite most applicable for the client requirements.
•        Created business model for implementing the solution and internal accounting of associated
finances.
•        Implemented Site Minder MetLife – Human Resource portal that allowed employees to review
their benefits. The design considerations were:
•        Integration between RACF and LDAP to use mainframe id and password scheme.
•        Performance measures were defined and services were monitored by Tivoli.
•        Minimize change management workload for the solution.
•        Site and network failure redundancy were built into the solution.
•        Developed the Security Architecture for eCommerce infrastructure.
•        Integration between the eCommerce and non-eCommerce applications.

08/99 - 03/00                


•        Upgrading the information security infrastructure for a major insurance institution. This work
included:
•        Upgrade OS/390 Security Server database to Release 2 Version 8 from Release 2 Version 5.
•        Upgraded Vanguard RACF Administrator and Vanguard Security Reporter.
•        Implemented OS/390 Secureway Security Server system wide options.
•        Modified policies, standards and operating procedures as applicable.
•        Supported the security and controls for cyber life project.
•        Supported the profile definitions to integrate security definitions with the accounting systems.
•        Secure the interfaces between mainframe and non-mainframe systems for file transfers.
•        Managed implementation of UNIX services and Websphere on OS/390.
•        Security controls for MQ Series, DB2 and CICS systems.
•        Managed security support for Y2K remediation.
•        Validating implementation of new technologies and solutions e.g. TIVOLI, multi-platform password
synchronization, end user password reset issues.
•        Resolved issues from non-standard user implementations.

1998 - 1999                
Manager, eSecurity Services, New York.

Advised clients on implementation of Information Technology Solutions that include programming,
software configurations, system implementation, systems analysis, business processes and
operations.  Well-versed in Risk Management, Business Continuity Planning and production system
controls. Major projects successfully completed are:
•        Analyzed and recommended systems and operational changes for enterprise wide general ledger
system for a major insurance company.
•        Developed and implemented role based access on RACF for five thousand users in a large
division of an insurance company.
•        For a major bank, developed the software configuration standards and operating procedures for
data center outsourcing agreement.
•        Conducted system penetration study on the TCP/IP implementation for the OS/390 system. For
each system configuration deficiency, a solution was designed and consulted on implementation.
•        Reviewed the OS/390 configuration, operations and TCP/IP network configuration for a leading
entertainment company.
•        Developed or reviewed audit methodology and programs for NT, MVS, RACF, ACF2, UNIX, TCP/IP
and TOP SECRET for Ernst & Young Auditors. These programs were written to support General Control
Reviews and SAS/70 reports.
•        Completed Y2K program analysis to assure that it is complete and appropriate.
•        Spoke on RACF SETROPTS Command and Single Sign On at Security EXPO 98 at Denver, Colorado.
•        Studied Security solutions for Web based eCommerce applications. This included Netegrity
Siteminder; Encommerce getAccess and Securesoft access server.
•        Application security control requirements for FDIC, SEC, HIPAA and FDA compliance.
•        Developed business proposals in the range of $50K and $2M.
•        Marketed services of Ernst & Young to prospective clients.


1996 - 1997                
Consultant, Information Security and Risk Management.

Advised clients about the business risk from the computer systems and operations and the solutions
to mitigate the risks.  Established security architecture and implemented system and operational
controls that addressed the client issues.  Major projects completed are:
•        Developed and implemented Production Control Procedures, Systems Development Methodology
and Data Security Operations for a major Railroad Association.
•        Analyzed the computer systems of a major computer service provider and identified significant
business risks.  This analysis was done to support SAS 70 reports.
•        General controls review of the mainframe and UNIX servers of a major financial institution.  
Identified the weaknesses on the system and the recommendations to resolve the issues.
•        Trained Internal Auditors of a major retailer on Information System Risks and the methodology to
assess the system implementation.
•        Conducted a security penetration study on the operations of an auto credit company to identify
exposures to the business operations.
•        Reviewed Data Center operations and Systems implementation for Federal Government Agencies
to support financial statements.
•        Marketed Price Waterhouse services to prospective clients.
•        Managed project team of fifteen individuals for access definition.

1993-1996                
Data Security Officer

Managed multiple software system projects for Enterprise Data Security Department that encompassed
Systems Analysis, Automation of operations, Management of workflow, System Audit and reporting.  
Also developed and deployed customized software extensions to meet business objectives.
Responsible for proper protection of Information assets on all computing platforms.
•        Developed information security standards, end user access standards, data security services,
procedures and process measurements.
•        Re-structured security database to ensure system’s integrity, efficient administration and
maintenance, adequate segregation of duties and minimal operational risks.
•        Developed and implemented Information Technology Security awareness program.
•         Analyzed and implemented business applications to ensure secured systems, with clear
segregation of duties and minimal operational risks.
•        Defined & established interfaces between different platforms and mainframe accessed databases
to establish integrity between multiple applications user id across multiple platforms.
•        Developed custom software for reporting real time business data to executive management.
•         Support Help Desk.

1988-1993                
Senior Associate Programmer                                        1990-1993

Responsible for modifications to system code, completion of development projects and technical
support to the customers for the Resource Access Control Facility.
•        Led RACF Worldwide Technical Support Team.
•        Designed, developed and tested code for RACF functions.
•        Advised IBM education and systems development groups on RACF functions.
•        Conducted classes at national and international business conferences.
•        Managed SDLC Process project that involved thirty individuals.

Associate Programmer                                                1988-1990
Responsible for completion of software development projects.
•         Developed MVS System Authorization Facility Interface that enables operating system to
communicate with information security products.
•         Wrote programs to ensure RACF certification to NCSC B1 Level.
•        Trained IBM Marketing, MVS Technical Support Team and RACF Technical Support Team on MVS
and RACF functions.