Al Guevara Email & Phone Number

Tampa, Florida, US

• Perform audit testing of Service and Organization Controls (SOC) - SOC 1/SSAE 18, SOC 2, and SOC 3, as well as HIPAA/HITECH on client information systems and processes
• Assess organization's controls related to financial reporting and/or data security
• Understand client's business processes and impact of those processes on financial reporting or data integrity
• Identify risks associated with processes and determine how well controls mitigate those risks
• Evaluate the design and operating effectiveness of Internal Controls over Financial Reporting (ICFR), Information Technology General Controls (ITGCs), Trust Services Criteria (TSC), HIPAA Security and Privacy Rules
• Provide guidance to organizations in improving their security controls and achieving compliance with industry standards and regulatory requirements

• Conduct Business Development initiatives to provide specialized services in the areas of Cybersecurity, Data Privacy, Governance, Risk and Compliance (GRC), Audit, and Internal Controls
• Implement and enhance security frameworks – NIST SP800-53, SP800-66 and related, NIST CSF, FISMA, ISO 27001 | 27002, AICPA SOC 1 | SOC 2 Type 1 / Type 2
• Implement and enhance HIPAA controls, HHS Security and Privacy Rules – Protected Health Information (PHI), Personally Identifiable Information (PII), Personal Health Record (PHR), Electronic Health Record (EHR); Breach.

• Supported business implementations to provide cost effective, secure, intelligent, and innovative software applications to various industries and consumers all over the world
• Advised on application platform Privacy, Cybersecurity, and Compliance for specialized cloud-based applications and technical services - assessed and addressed requirements for applicable standards and regulations.
• Managed global business development, technical marketing, and affiliate partnerships
• Program-Managed and facilitated all initiatives, activities, and deliverables pertaining to implementation of relevant controls to reduce risk and maintain compliance

Santa Clara, California, US

• Created and Led team to establish, implement, and manage the Avail Security, Privacy and Compliance Program
• Led all cross-functional teams and activities related to Cybersecurity and Information Risk Management within medical device systems and services engineering, and corporate infrastructure
• Enhanced and maintained the integrity of Avail's security and control frameworks and standards, including NIST CSF, ISMS | ISO/IEC 27001: 2013, AICPA SOC 2 Type 2, OWASP Top 10, etc.
• Coordinated and performed security controls assessments and audits, relevant to compliance readiness for HIPAA/HITECH, ISO 27001 Clauses and Annex A Controls, AICPA SOC 2 Trust Services Criteria, and corporate compliance
• Provided Information Security, Cybersecurity, Privacy, Governance, Risk and Compliance consultation and guidance to Leadership and all key business units, including Product, Engineering, IT, DevOps, HR, Operations.
• Established liaison with Health Information Sharing and Analysis Center (H-ISAC) for vital physical and cyber threat intelligence, early warning advisories, information sharing and best practices

Redwood City, CA, US

• Built out, executed, and led the Proteus Privacy and Security Program, initially focused on HIPAA compliance
• Implemented Risk Management and Cybersecurity strategies within biomedical engineering to improve the reliability and security of data protection projects, spanning medical devices and advanced digital medicine.
• Performed Security Risk Assessments to Product components and IT enterprise, relevant to HIPAA / HITECH Security and Privacy Laws, California Privacy Laws, FDA requirements, and corporate compliance
• Managed a diverse team inclusive of cross-functional contributors, including security administrators, analysts and IT professionals; Interfaced closely with Legal and Compliance
• Acted as a key liaison between upper-level management, IT, developers/programmers, risk assessment staff and auditors
• Ensured compliance among staff, business associates and vendors

San Francisco, CA, US

• Implemented the enterprise-wide Data Security Compliance Program
• Performed Security Risk Assessments to UCSF enterprise and sub-organizations/control points - data security policies, procedures and practices, applications and system components, relevant to HIPAA Security and Privacy.
• Performed all activities related to Information Risk Management, including planning, assessments, analysis, remediation, and controls validation
• Provided Governance, Risk and Compliance guidance to all control point organizations - Advised on remediation activities required for mitigation of compliance risk, as well as data loss risk

Sacramento, California, US

• Performed Security Risk Analysis to Sutter Health business unit and vendor applications and system components, relevant to HIPAA Security and Privacy compliance, including the HITECH Meaningful Use (MU) program
• Assessed control design and effectiveness by conducting interviews, walk-throughs, and examining processes and technical documentation
• Developed and validated recommended Corrective Action Plans as a result of assessment findings and gaps identified
• Provided Governance, Risk and Compliance guidance and support to regions and affiliates - Advised business units on remediation activities required for mitigation of risks
• Tracked, organized, analyzed and reported on assessment data and findings, as well as remediation efforts and progress
• Provided consulting and recommendations to business unit Subject Matter Experts and management on action plans and deliverables to ensure control requirements are met

• Provided specialized services in the areas of Security, Privacy, Risk, Audit, Internal Controls, Fraud Detection/Prevention, Business Continuity, Project Management, Governance and Compliance - mostly for mid-size and.
• Owned and managed consulting firm specializing in IT Security, Auditing, Risk Management, Governance, Compliance - Internal Controls, ISO 27001:2013, SOC 2 Type 1 / Type 2, HIPAA/HITECH - PHI, PII, PHR, EHR, Meaningful.
• Strong focus on Life Sciences, Healthcare, Financial, Technology, and Service companies – Provided comprehensive Security and Risk Services, as well as Security Engineering to various clients, including SUTTER HEALTH.
• Managed and led corporate cybersecurity, privacy, governance, risk and compliance projects, including Assessments, Implementations and Remediations
• Contracted with State Government Agencies to provide comprehensive Risk Analysis, Business Impact Assessments, and Security Remediations, in support of the agency’s Continuity of Operations and Continuity of Government.

Oakland, California, US

• Provided advanced Compliance program management with emphasis on HIPAA Control Self-Assessment activities
• Maintained in-depth understanding of the broad regulatory landscape impacting KP business areas – Remained current with emerging regulatory sentiments as well as solution trends in the marketplace
• Assessed the impact of laws and regulations on KP systems and technology – Worked with other risk organizations to shape organizational control policies and standards
• Managed large scale risk/security assessment studies and projects to validate and remediate perceived risks – Performed interviews, documented design assessments, and conducted walkthroughs of key controls (both new.
• Led cross-functional remediation teams in developing processes using requirements gathered from clients and engineering – Coordinated and managed Corrective Action Plan activities
• Designed sustainment strategies and measurement systems to ensure that Compliance requirements can continue to be maintained over time

Waterloo, ON, CA

• (formerly Recommind)
• Enhanced and completed company’s Business Continuity Plan (BCP) for Hosting Services Operations
• Created Pandemic Plan for Hosting Services Operations, later to be incorporated into Corporate BCP
• Project-Managed and facilitated all meetings, timelines, tasks and activities pertaining to Business Continuity Planning
• Worked with key IT and Security management personnel in order to: o Analyze, review and map Information Security Policies, Processes and Controls to BCP o Incorporate IT and key processes into BCP Recovery of critical.

Oakland, California, US

• Performed Security Risk Assessments and Remediation projects for the HIPAA Application Security Program (HASP)
• Focused on Infrastructure components of the HITECH ARRA Meaningful Use (MU) program initiative in order to meet deliverables in securing over $750 Million in stimulus funds, as well as increase HIPAA Security and.
• Partnered with business units, Security and IT groups to assess in-scope databases, host servers, network devices, and other infrastructure components as required
• Coordinated with Project Managers and Program Managers to identify and develop assessment and solution options
• Tracked, organized, analyzed and reported on assessment data and findings, as well as remediation efforts
• Provided consulting to business unit Subject Matter Experts, analysts, liasons and management

Woodland Hills, California, US

• Performed Security implementation and Remediation projects for the Department of Defense (DoD) TRICARE – Military Health System
• Provided Program and Project Management of tasks and deliverables on $7 Billion contract for secure Health Care Delivery systems, in order to reduce risk and meet government security compliance requirements pertaining.
• Maintained Information Assurance (IA) and DoD Information Assurance Certification and Accreditation Process (DIACAP) Compliance on all new and existing DoD-interfaced information systems and data
• Coordinated with Information Assurance Officer and security staff on implementation and steady-state initiatives
• Coordinated with DoD auditors on government compliance security assessments and certification issues
• Tracked and reported on information security projects and deliverables

Sacramento, CA, US

• Performed a comprehensive organizational Risk Analysis of DMV's information assets
• Evaluated and updated DMV's Business Impact Assessment (BIA), in support of DMV'sContinuity of Operations and Continuity of Government (COOP/COG) Plan
• Identified and prioritized DMV's critical Information Technology (IT) applications, basedupon the BIA and COOP/COG Plan
• Analyzed DMV's information assets for security and risk, including determination of ITVulnerabilities and associated risks with processes and technologies
• Advised on development of a cost-effective approach for managing identified risks
• Performed assessment methodology consistent with applicable DMV, state InformationSecurity Office, federal and industry standards and regulations, including: o SAM section 5305.1 o National Institute of Standards and.

Dallas, TX, US

Supported Internal Auditing, Testing, and Remediation projects for annual audit initiatives, including Sarbanes-Oxley §404 - OS and Database platforms included OS/400, AS/400, Windows, and DB2: Applications included company's proprietary Copart Auction Systems.

Oakland, California, US

• Provided program-wide compliance solutions design support to promote Regulatory Compliance with:
• HIPAA privacy - Protected Health Information (PHI) mandates: HIPAA Privacy Rule - 45 CFR Section 164.502(b), and 164.514(d)
• Kaiser Permanente Minimum Necessary policy, and related National and Regional policies
• State and Federal laws (where KP operates)

New York, NY, US

• Part of Risk Advisory Group, performing engagement as External Auditor to major financial client
• Performed IT General Controls and IT Application Controls auditing and testing in support of Sarbanes-Oxley §404 - Internal Control Over Financial Reporting (ICOFR), and Financial Statement compliance requirements for.
• Determined Risks to critical financial data systems and infrastructure components, relevant to the financial reporting process
• Engaged the client’s control owners at SVP, VP, Director, and Manager levels, security managers, and relevant personnel, in order to perform walk-throughs, interviews, and testing, relevant to the in-scope control areas
• Created Test Plans, and Scripts for security testing of IT General Controls and IT Application Controls on Key Financial (SOx-significant) Applications
• Documented Test results – Substantiated all findings with complete work paper documents, including Effective and Ineffective controls, observations, and recommended action plans

Santa Clara, California, US

Supported Internal Auditing, Testing, and Remediation projects for Financial Reporting, including Sarbanes-Oxley §404 - OS, Web, and Database platforms included Windows, Unix, IIS, Oracle, SQL, Sybase.

New York, NY, US

Supported Internal Auditing, Testing, and Remediation projects for Financial Reporting and Fraud, including Sarbanes-Oxley §404 - OS and Database platforms included Windows, Unix, Oracle, Sybase, as well as key financial applications.

San Francisco, California, US

Supported Internal Auditing, Testing, and Security Remediation projects for Financial Reporting and Fraud, including Sarbanes-Oxley §404 - IT General Controls in the Prescriptive areas encompassing OS and Database platforms, including Windows, Unix, AS-400, Oracle, Sybase, as well as COBIT process areas.

West Sacramento, CA, US

Created audit plans for Infrastructure Web Servers in support of HIPAA and state security directives - mapped Internal Controls to Security Policies and provided remediation and maintenance plans.

Irving, Texas, US

Assessed Internal Controls for the corporate WinTel Infrastructure - identified gaps and provided remediation plans, implemented ongoing infrastructure controls maintenance in support of HIPAA and in preparation for Sarbanes-Oxley §404 security compliance initiatives.

San Francisco, California, US

Assessed Internal Controls for the corporate WinTel Infrastructure - identified gaps and provided remediation plans, implemented ongoing infrastructure controls maintenance in accordance with federal banking standards and security compliance initiatives.

Bellevue, WA, US

(formerly Sprint, formerly Sprint Paranet) Provided consulting services, security assessments, systems integration, and project management to fortune 1000 clients, including MONTGOMERY ASSET MANAGEMENT, WELLS FARGO BANK, and SPRINT (corporate).

San Ramon, CA, US

• Provided full systems engineering, security, and support for enterprise servers consisting of NT and Netware platforms - installation, configuration, upgrade, troubleshooting and maintenance of server hardware and.
• Diagnosed and resolved LAN/WAN infrastructure network problems, including router hardware andsoftware problems as well as analyzed protocol packet problems
• Configured Compaq Insight Manager (CIM), Novell ManageWise, and other network management tools to provide automated notifications to Network Support Center and system support personnel via use of SNMP and ICMP utilities

Communication Technology

Cryptologic Communications, Cryptology - Information Warfare