David Alston Email and Phone Number

• Collaborate with the CareFirst BlueCross BlueShield Cyber Security and IT Operations teams on developing and implementing data protection and DLP solutions based on NIST and HIPAA guidelines.• Provide project and technical guidance on deploying data protection tools such as Microsoft Purview Information Protection and Netwrix StealthAudit to ensure compliance with HIPAA and other relevant regulatory standards.• Manage project planning throughout design/implementation phases for data access controls that include determining sensitive data standards, searching file systems, creating custom workflows and reports, and access limitation.• Develop and implement data protection solutions and controls, such as data access governance, data classification, data discovery, DLP, and IRM, that align with CareFirst business, technology, and regulatory drivers to improve security posture and reduce risk exposure of sensitive data across cloud and on-premise environments. • Establish and revise security standards and technical criteria for data security and compliance requirements such as data classification and secure data transfer in line with HIPAA, FIPS, and NIST security/privacy guidance to enhance management of confidential data across cloud and on-premise environments.• Perform reviews/assessments of third-party DLP, data protection and cybersecurity training vendors and solution providers.• Assist with the development of CareFirst's role-based / targeted cybersecurity training program, including drafting workforce communications, creating targeted cybersecurity training plans, and evaluating third-party vendors.

• Led projects related to risk assessments of internal technology processes, current and emerging risks, and evaluation of design and implementation of existing and target state controls.• Provided guidance and recommendations regarding existing and target state on-premise and cloud-based technology solutions.• Advised management and technology stakeholders on risk-related matters to technology programs and activities, including documenting and evaluating IT processes, risks, and controls.• Assisted security and infrastructure teams with establishing and adhering to new and existing technology processes, procedures, and standards.

• Evaluated Nessus compliance and vulnerability scan findings for AWS cloud-hosted applications; coordinated with stakeholders to address and remediate vulnerability scan findings.• Acted as the point of contact between IT project teams throughout the security assessment lifecycle, including organizing security assessment-related artifacts, developing, and maintaining system security documentation, reviewing results of the security assessment.• Coordinated with system stakeholders to remediate Corrective Actions and Plan of Action and Milestones (POA&Ms) of security vulnerabilities, and weaknesses identified through vulnerability scans and/or security assessments.

• Trusted risk advisor to Fannie Mae management on matters related to technology and information security programs and activities.• Executed risk assessments related to subsets of internal technology and information security processes, including assessing design, effectiveness, and implementation of existing and target state control environments.• Implemented IT/security dashboards and metrics (e.g., Key Risk Indicators, Key Performance Indicators) for cyber/information security and technology processes, platforms, and applications.• Assisted stakeholders with identifying and evaluating existing and emerging risks and corresponding technology and security controls.• Addressed IT and Cybersecurity risk events which caused an adverse impact on the availability or quality of IT/security related services, which included performing root cause analyses, specifying reputational, financial, or technical impact, identifying control gaps, and corrective actions.

• Privacy Engineering Subject Matter Expert (SME) assigned to the TSA Secure Flight program.• Ensured compliance with privacy controls and data governance requirements, including internal directives, Privacy Impact Assessments, System of Record Notices (SORNs), data retention schedules, and uses of data throughout the Data Lifecycle.• Reviewed formal information sharing agreements, e.g., Memorandums of Understanding (MOUs), regarding shared data elements, information sharing purposes, and retention periods.

• Designed and integrated cyber security solutions and proposed design recommendations and strategies, consisting of Identity and Access Management (IAM) and Network Data Loss Prevention (NDLP), into SEC enterprise infrastructure and processes.• Architected IAM and NDLP system design, production implementation strategies and use cases, including researching applicable information security standards and system architecture, identifying integration issues and risk, and scoping technical and logical system boundaries.• Performed analysis of vulnerability management systems which directly addressed systemic issues within the operational security domain, determined contributing factors to the varying outputs of the vulnerability management systems, and provided recommendations on achievable enterprise-wide solutions.

• Provided guidance on implementing security controls in accordance with FISMA, NIST SP 800-53 and other applicable NIST publications.• Analyzed vulnerability and compliance scan reports to assess the security posture of FDA systems.• Responsible for the management and execution of Plan of Action and Milestones (POA&Ms), including remediating or mitigating weakness findings.