
Third Party Risk Advisory/IT Compliance Analyst Resume


SUMMARY:

  • Quality-driven IT Compliance Risk Analyst with six years' experience reviewing and testing for IT compliance against internal policies, regulatory requirements, and industry standards. My experience includes managing information technology risk in data, applications, logical and physical access controls, policies, procedures, standards, etc. Very motivated with an energetic mindset.

PROFESSIONAL EXPERIENCE:

Confidential

Third Party Risk Advisory/IT Compliance Analyst

Responsibilities:

  • Obtain evidence of documented and updated information technology policies and standards.
  • Test and review the adequacy of systems and applications controls
  • Review the adequacy of key ITGC controls such as access control, change management, audit logging, segregation of duties among others and collaborate with information technology SMEs for timely remediation
  • Manage IT Risk register to ensure update to leadership and tracking of remediation status
  • Assist in investigations and be the point person regarding security incidents involving consultants and clients.
  • Aid in the development and communicate data security incident details to leadership, staff, partners, clients and stakeholders.
  • Partner with TGS and ensure the security scope is accurate for all solutions deployed by TGS and that the solution is effective, such as secure file transfer, ISO 27001 and/or SSAE16, and information security for certain contractors and internal employees.
  • Promote and oversee strategic security relationships between the organization and clients, including government and commercial clients.
  • Participate as a member of the organization security team in governance processes of the organization’s security strategies.
  • Maintain up-to-date detailed knowledge of the IT security industry, including awareness of new or revised security solutions, improved security processes, and the development of new attacks and threat vectors.
  • Review all related materials regarding information security to evaluate in terms of best practices for consultants
  • Participate in contract review/negotiations on information security requirements with multiple business units.
  • Develop and implement an effective strategy/process for addressing customers’ IT security and controls concerns
  • Establish and develop relationships with various members of the business (i.e., legal, sales, business leaders) and quickly become knowledgeable about the respective IT environment, controls and processes that impact business operations
  • Effectively and efficiently complete third party risk assessments provided by our customers.
  • Collaborate with other key stakeholders such as IT Security, IT Risk and Business units to ensure applicable controls are in place before granting vendor access to data, applications and systems of the organization
  • Advise the business on the selection, planning, execution and, if necessary, remediation of a third party (i.e. SOC2, HITRUST).
  • Work with internal and customer legal counsel to align on mutually agreeable legal security and controls language to protect both organizations.
  • Effectively communicate identified gaps and planned remediation procedures to application owners and various members of leadership.
  • Understand when issues need to be escalated and/or communicated to Cardinal Health leadership.
  • Identify, establish, and report on key performance indicators to track customer third party risk management trending as this space continues to expand.
  • Support periodic Policy & Standard refresh activities including providing input into program expansion and governance.
  • Interpret information security policies, standards and control requirements as necessary to all levels of management.
  • Perform information technology risk and control assessments in the information technology environment, systems, data, applications, etc. and verify they are in compliance with industry standards and regulatory requirements.
  • Review policies, standards and procedures and verify they are documented and updated on an annual basis, and they are in compliance with industry best practices and regulatory requirements
  • Create a control framework for efficient and proactive management of IT risk in the technology environment and fulfillment of regulatory requirements through control mapping
  • Ensure that all users have their own unique ID and that there are no shared IDs such as Root, Superuser, etc.
  • Ensure that all system accounts are strictly used between systems as non-interactive and request a Risk-Acceptance Letter for Interactive system accounts and mitigating controls
  • Obtain evidence and ensure the audit log has been enabled or the application or system being reviewed sends captured log data to a centralized logging server; that the contents of these logs contain the user ID, the time the user logged into the system, the activity performed by the user, the IP address of the connecting system, and failed/successful login attempts; and that they are kept for a minimum of one year or per company policy. I ensure that no user is granted permission to delete the contents of these logs.
  • Ensure the SOC team performs daily reviews and monitors log contents.
  • Validate that the SIEM is configured to send an alert for critical incidents. I also validate that there is a documented and updated incident response plan, that each incident has a documented root cause analysis and investigation conducted, and that incidents are resolved in a timely manner.
  • Conduct analysis of the various environments within an organization and verify that there are separate development, testing, and production environments.
  • Validate version controls are implemented in code development
  • Assess Secure coding standard is in compliance with the industry standard code development such as OWASP
  • Assess vulnerability report to ensure that developed codes are scanned for vulnerabilities such as SQL Injection, Buffer Overflow, Cross-Site-Scripting, etc.
  • Ensure all remote Access Privileged users use a Multifactor authentication combo.
  • Obtain the methodology in which a user gained access to the system to know where to obtain the password complexity
  • Obtain password configurations such as password set time to expire, alpha-numeric, session timeout, and failed login attempts are in compliance with the company standard and policy
  • Verify every user is dually authorized before access is granted to the system through analyses of authorization forms.
  • Test the system for Terminated or transferred employees within a system being audited
  • Verify adequate physical security controls are in place, such as a visitor log form, adequate access controls upon entering the computer room, distinct visitor and employee badges, etc.
  • Assess and ensure systems being audited have evidence of a documented and updated configuration or baseline standard for all devices and components and that these configurations are in compliance with the industry standard and control framework such as NIST or CIS.
  • Validate that all default settings and passwords have been changed per company policy.
  • Assess services running in a system and ensure that insecure protocols have been disabled
  • Obtain documented proof that a system is in compliance with the organization's patch management standard and that vendor-released updates have been applied to the system. Request a Security Exception Letter in events where patches cannot be applied.
  • Ensure compliance with development standard and obtain evidence that a peer-to-peer code review has been conducted upon finalization.
  • Review the job scheduling assessment and ensure jobs in the abend have been run to successful completion with no errors, and ensure job scheduling is strictly on a need-to-know basis.
  • Review the application GUI (Graphical User Interface) and ensure controls such as field character length, validation, and data completeness checks are enabled.
  • Conduct Data Integrity assessment and obtain evidence that the application or system has the capability of an error log and ensure all failed transactions in the error log are reprocessed for completion and obtain evidence of transaction completeness by comparing the transaction input and output.
  • Assess the network diagram and ensure that no user has direct access to the internal network without passing through the DMZ and Validate NAT is enabled
  • Obtain and review firewall rules and validate that insecure protocols are disabled and that the last rule states “Infinite Deny”. Ensure that the firewall log is enabled and sent to a centralized logging server.
  • Conduct user access review on the firewall
  • Obtain a list of changes made upon the firewall and request for a change request form.
  • Verify the firewall is pen tested and scanned for vulnerabilities per the company policy
  • Request for documented and updated Firewall Configuration Standard
  • Assess the IDS/IPS configuration and ensure it is enabled to generate an alert in the event of a critical event by obtaining the list of critical events and requesting the corresponding generated alerts, and ensure there is a root cause analysis, thorough investigation, and preventive measures.
  • Ensure adequate testing (performance testing, functional testing, security testing, completion of regression, completion of unit testing, etc.) on a system or application has been fulfilled upon entering the Production environment.

Confidential

Vulnerability Management Engineer

Responsibilities:

  • Utilizing common tools used in the VM lifecycle, including ITSM, CMDB, etc.
  • Using operating system and application security, administration, and debugging.
  • Utilizing security controls (e.g. access control, auditing, authentication, encryption, integrity, physical security, and application security).
  • Using operating systems such as Windows environments, Active Directory, VPN systems, encryption schemas and algorithms, various authorization and authentication mechanisms/software, network monitoring and sniffing, TCP/IP networks, and vulnerability and threat management tools.
  • Using vulnerability Management products from vendors such as Qualys, Tenable and Rapid7.
  • Configuring vulnerability assessment tools, including the integration of feedback from IT owners to reduce false positives.
  • Analyzing identified vulnerabilities, along with identifying remediation techniques.
  • Compiling vulnerability data and reports for both technical and executive audiences.
  • Identifying dependencies and timelines required to address vulnerabilities, including system patching, deployment of specialized controls, code or infrastructure changes, and changes in build engineering processes.
  • Reporting remediation of vulnerabilities by coordinating agreed-upon action plans and timelines with responsible technology partners and support teams.
  • Reviewing and reporting changes to patching policies, procedures, standards, and audit work programs in a continuous improvement model.
  • Raising awareness of valuable information and maintaining the confidentiality and integrity of data through industry trends, including current and emerging risks, relevant legislation, regulatory requirements, guidelines, and industry developments relating to data protection, privacy, security, and data governance.
  • Providing analysis of impacts to key stakeholders.
  • Obtain evidence of a documented and updated third party vendor management policy.
  • Ensure vendors are classified into Tiers based upon the risk to the organization.
  • Review and ensure there is an established procedure for vendor onboarding detailing the type of data that will be accessed, stored, or processed by the vendor, etc.
  • Collaborate with other key stakeholders such as IT Security, IT Risk and Business units to ensure applicable controls are in place before granting vendor access to data, applications and systems of the organization.
  • Review as well as ensure adequate management of Third Party Vendor Life Cycle risk management from vendor onboarding through exit.
  • Monitor and assess Third Party Vendor risk through the administration of annual Vendor Risk Questionnaire as well as ensure remediation of noted gaps.
  • Conduct onsite audit of Tier 1 third party vendors and follow up for remediation of any noted gaps.
  • For onboarding of IT service providers, ensure the receipt and review of the annual independent auditors’ attestation of compliance (SSAE18), ISO and/or PCI Attestation of Compliance (AOC).
  • Ensure Tier 2 vendors complete the questionnaire every 2 years and Tier 1 vendors on an annual basis.
  • Ensure the legal department reviews the contract agreement with the vendor before finalization, and review the contract for the following: annual offsite audit requirement, notification within 24 hrs of a breach, provision of an SSAE-18 report or AOC on an annual basis, a backup provision, and an insurance provision in the event of data loss.
