Senior Associate (Assurance) Consultant Resume
Charlotte, North Carolina
PROFESSIONAL SUMMARY:
- Accomplished IT Security, Risk Management and Sarbanes-Oxley professional with progressive experience and excellent ability to aid in the development of effective security controls, policies, procedures, and business/technical infrastructure/enterprise architecture, as well as manage/monitor regulatory compliance issues related to: PCI DSS, SOX 404, GRC, SSAE16&18/SOC 1, 2, ISAE 3402, NIST, Unified Control Framework (UCF), NIST 63-3, ISAM/ISRM, COSO/COBIT5, ISO 27001/27002, ISO 9001, HIPAA, ITIL, GLBA/SEC, CFTC, AS9100, FAR/DFAR, DCAA, ITAR/EAR, HIPAA, IP (Intellectual Property Protection), ISAM/ISIM, Data Protection/Privacy/NIST/DOD/FAR/DFAR & FAA regulations, RSA Archer, etc.
- SOX - 16 years (ITGC), Third Party Vendor Risk Assessment (IRM), Remediation, SOX Section 404 Testing Controls (ISO 2, NIST, 88, CIS, GDPR, EU Privacy Laws, SOC1, SOC2)
- SOX Project Leadership - 10+ years; led up to 8 Auditors
- Extensive experience in implementing data awareness, impact and classification of data types (PHI/PII, PCI, IP, GDPR/FAR/DFAR, GLBA, etc.) for cyber security defense (SPIRION), and data types and controls to comply with specific US and non-US regulation(s).
- SOX IT Security Compliance consulting experience at Confidential & Young and Confidential
- Six (6) years' experience with Application Security Controls/Risk Management - SAP-ECC6.0, SAP-GTS, SAP-CRM, SAP-CAMS, ENOVIA, CATIA V4/V6, .NET/VISTA, KRONOS, RSA-Archer/AVEKSA, SAP-FICO module, including hands-on configuration and two full life cycle project experiences
- Experienced in developing process/sub-process/activity flows and profiles in the design of new applications and integrating the ITIL controls at the initial and detailed design level. Developed policies and procedures to align with new/updated processes and comply with current laws and regulations - SOX, PCI-DSS v3.2, ITIL v3, AS9100, etc.
- Excellent Excel and PowerPoint skills. Developed effective relationships with Business & IT stakeholders and promoted internal audit awareness.
- Conducted and documented process walkthroughs to evaluate design & operating effectiveness of internal controls.
- Reviewed the change control/change management process.
- Performed code reviews of current developers' code to ensure the code meets functional requirements, and reviewed the impact of code changes where they use shared resources, paying attention to design impact and issues at implementation.
- Four (4) years in implementation of global financial applications, to include IT audits, information security, SDLC procedures, software change management, Y2K software conversion, QA and User Acceptance testing, business continuity planning and testing, process improvement, implementation of self-assessment and compliance programs, and IT governance, including walkthrough, design effectiveness and operating effectiveness of IT/Business general controls under Sarbanes-Oxley Sections 404 and 302, using the HIPAA, COBIT and COSO risk frameworks, with emphasis on SAP internal IT/financial process improvement, change management controls (GRC) and compliance.
- Possess deep understanding of the financial and payment card processing industries and the Payment Card Industry Data Security Standard (PCI DSS); served as an assessor.
- Performed testing in accordance with company processes, including change control, business continuity and disaster recovery.
- Developed IDAM (Identity and Access Management) controls, standards and processes, and monitored controls to ensure adherence to organization IT policy (NIST, NIST 3 digital identity).
- Areas of expertise include designing and testing security controls and assessing and mitigating risks of IT controls for new applications under development, including penetration tests (IDS/IPS, penetration and vulnerability testing, HIPS/DLP) using security tools such as Palo Alto, Nessus, Splunk and Qualys.
- Information Security Management - (Security policy, Roles, responsibilities and procedures for security personnel)
- Monitoring security incidents and compliance with policy, Application level access controls, administering logical security over user access, to include privileged accounts, SOD (segregation of duties or least privilege access)
- New development - project initiation, requirement definition, design and build of (manual) controls to support in-house systems under development; developed test scripts for testing and validation of controls to ensure controls operate as intended. Reviewed internal control procedures and performed risk assessment of data privacy and security for systems under development or enhancements of existing systems.
- Application changes - management of maintenance activities, change request process, testing of program changes including emergency fixes, approval of changes by the change control board prior to migration to the live environment.
- Conducted process walkthroughs of controls with various levels of management and communicated the risks involved in the findings.
- Experienced, with hands-on experience using IDS/IPS security tools such as ServiceNow, Splunk, ITIL-based incident/problem management (SIEM), along with SANS/ISACA, Six Sigma and TQM certificates and training.
- Strong skills in implementing SOX 404 security controls (SAS70/SOC1 & 2/SSAE18/COSO/COBIT control framework(s)) at process level/sub-process/activity level; developed test scripts, validated test results and documented evidence for the audit team.
- Reviewed third party software applications and IT control(s) for in-house development. Performed SOC 1 & 2 Type 1 & 2 reviews, audits and mapping of Complementary User Entity Controls (SSAE18/ISAE 3402, SAS70 I & II) to ensure compliance with SOX, and performed remediation where required.
- Experienced in Risk Management Control Framework - UCF, COBIT 5/NIST/ISO 27000’s - Financial /Global Investment - JP Morgan Chase
PROFESSIONAL EXPERIENCE:
Confidential, Charlotte, North Carolina
Senior Associate (Assurance) Consultant
- Performed User Access Reviews (UAR) of applications impacted by SOX and SOC 2. Conducted a UAR design checklist walkthrough with key stakeholders to determine whether access to applications is role based and whether access has been authorized at the system or server level.
- Reviewed queries generated via SQL and user access listings of applications, and conducted data analytics utilizing the AD user profile for all users to determine whether access was commensurate with job title and consistent with organization IT security policies.
- Ensured that changes to configuration and changes to the code repository are committed in accordance with change control policies, that proper reviews and approvals exist prior to migration to the production environment, and that SOD is maintained throughout code development by the respective roles within separate environments.
- Performed comprehensive internal risk assessment of existing applications and gap analysis to close security risk exposures in the areas of vulnerability, IPS/IDS, incident and access management, change management, etc.
- Performed data analysis and problem resolution by integrating and correlating large volumes of data to identify complex problems and trends, in the areas of user access to PHI/PII data and reviewing user provisioning based on job roles for UAR/SOC 2. Data classification as it relates to cyber security defense, types of data and restricted access on a need-to-know basis based upon job role. Developed impact analyses of data breaches (severity, probability and impact). Tools used: SPIRION.
- Performed pre-clear analysis of users with only read access. Performed detailed analysis of privileged users with read & write access to ensure access is approved and authorized by application owner.
- Reviewed all admin and system admin roles to ensure access did not violate built in (SOD) rules.
- Applications utilized - NetApp (MongoDB), NetBackup (Teradata), AWD, SVN, Solar, SUDS, Git, Bitbucket, Uptivity Jennings, Linux, Unix, etc. Ensured compliance with ISAM/ISIM, GRC/COBIT/ISO27002, SOX, SSAE18/SOC, PCI DSS/HIPAA, and that PHI/PII data within various applications and databases are protected from unauthorized access (SPIRION).
Confidential, Charlotte, North Carolina
Lead Risk Analyst - Completed Assignment
- VRM - Performed Vendor Risk Management - Vendor Assessment - Infrastructure Risk Assessment
- Reviewed information security pre-assessment questionnaires, identified IT security risks, communicated findings and sought timely resolution. Prepared full executive summary reports on vendors and determined whether they were compliant with BCG Minimum Security Requirements. Created an IT security scorecard and benchmarked against industry standards.
- Reviewed vendor access, performed architecture reviews of the target environment, reviewed the DPIA screening questionnaire and the pre-assessment questionnaire with regard to data content and type of data (PHI/PII, IP, GRC/HIPAA, PCI, public, sensitive, proprietary non-sensitive, restricted data, proprietary and sensitive, DLP and data encryption tools, etc.) to ensure compliance with BCG IT Security Requirements and GDPR requirements (US/UK regulatory requirements). Prepared the Executive Risk Summary Report, including risk findings, and sought resolution/remediation. Assessment around Single Sign-On (SSO), SAML 2.0, access management (MFA), role-based access, 3rd party website review, data sensitivity, data encryption, SOX/PCI DSS/NIST/ISO27002.
- Created ServiceNow tickets and uploaded the Executive Vendor Summary Report with artifacts to SharePoint for further review with the vendor, to seek resolution or create a road map to meet BCG security risk requirements.
- Worked and interacted closely with the Architecture team, Legal, Procurement, and other key stakeholders.
Confidential - Charlotte, North Carolina
IT Audit Specialist - Contractor - Completed Assignment
- Planned and performed IT audits and prepared audit reports addressing findings and recommendations, reviewing financial applications to ensure compliance over IT systems (GRC/COSO, COBIT5, HIPAA, NIST 800, PCI DSS) from a security, disaster recovery, vulnerability and PCI compliance view, etc.
- Reviewed and approved ITGC controls in IBM OpenPages. Evaluated and validated SSAE16/SOC 1 & 2 CSP (Cloud Service Provider) complementary controls.
- Identified gaps and obtained additional supporting evidence to determine control effectiveness
- Entered all Internal Audit ITGC issues and assigned issues for resolution /remediation to field auditors.
- Reviewed and validated the remediation log to ensure control deficiencies had been mitigated in a timely manner, and drilled further into unresolved deficiencies.
- Developed and monitored ITRM processes, sub-processes, activity profiles and methodology for designated ITRM initiatives by documenting process requirements and acceptance criteria from process owners and key stakeholders.
- Conducted risk assessments of key processes with process owners and implemented compensating controls or solutions to mitigate risks.
- Performed vendor risk assessments: reviewed vendors' responses to the security questionnaire and vendor service scope, reviewed SOC2 audit reports, validated responses and identified risks, uploaded risk calculations to the security scorecard, and finalized the executive summary report with risk findings and recommendations to mitigate the risks.
- Determined whether the vendor is subject to EU GDPR laws and mitigated risks.
- Special projects included developing monitoring tools around user access, change controls, 3rd-party performance monitoring, data security, DR/BCP.
Confidential, Addison, TX
IT General Controls - Risk & Compliance Audits (Consultant)
- Conducted information security and business continuity assessments of vendors providing services to Client.
- Performed testing of ITGC controls related to information security controls (application security, infrastructure security, access management, physical security, etc.), IT compliance, SOX compliance, change management and enterprise risk management, and ensured compliance with NIST/PCI DSS, ISO27001, SDLC, GRC, COSO, COBIT and ITIL standards.
- Gathered, documented, analyzed and evaluated the effectiveness of audit evidence of controls pertinent to the audit.
- Conducted PCI DSS v3.2 assessments of the existing security landscape, identified gaps/risk exposure and sought corrective solutions.
- Reviewed policies and procedures and examined results from penetration/network segmentation tests.
- Reviewed changes in the change control/change management process (SAP/JDE applications/AS400).
Confidential, Irving, TX
Lead Controls Risk and SOX Compliance & Audits Analyst
- Developed and implemented a strategic, comprehensive enterprise information security and IT risk management program to ensure the integrity, confidentiality and availability of information owned, controlled or processed.
- Developed and assessed internal controls of processes in accordance with SOX requirements.
- Reported results of process walkthroughs and control testing, worked closely with internal/external customers (auditors) and made recommendations to mitigate identified risks. Worked closely with business and key stakeholders.
- Developed and enhanced the information security/compliance management framework, based on COBIT 4.1/5.0, cloud computing/risk assessment of CSPs, and ensured adherence to the ISO 27000 series throughout IT operations.
- Reviewed and validated SOC 1 Type I & II reports, bridge letter(s), and inclusive and carve-out methods of third party service providers. Conducted extensive reviews of SOC 2 Type 2 reports of service providers (PaaS, SaaS, IaaS) to ensure they are aligned to User Organization Controls. Ensured compliance with SSAE16 and determined whether the all-inclusive or carve-out method was used; reviewed and validated bridge letters issued by service and sub-service providers.
- Performed risk assessment of potential CSPs (Cloud Service Providers), implemented controls to mitigate risk and ensured compliance with SOX, GRC, NIST, HIPAA and other regulations.
- Ensured compliance with the Code of Conduct & Ethics by vendors and contractors to Rouse policies and provided HR with compliance documents related to the IT Acceptable Use Policy.
- Worked closely with internal and external auditors (Confidential), performed risk advisory services and ensured compliance with the COBIT 5 framework.
- Developed Risk Management framework and monitored 3rd party services, implemented risk mitigation controls.
Confidential, Hurst, TX
Lead IT Security & Risk Management, IT & Process Controls & Compliance
- Supported PSI (Process and Systems Integrity Team) to ensure engineering business processes are closely aligned with engineering standards (AS9100) and application controls are implemented at activity level to ensure systems security, auditability of processes and compliance with federal regulations FAR/DFAR/ITAR/EAR/FAA/SOX 404-COSO/COBIT, IP, ISO 9001, ISO 27001-2, PCI DSS controls, data privacy (government drawings and sensitive materials) and AS9100.
- Identified which processes held critical sensitive data and performed failure mode effect analysis: if data were breached, what processes would be at risk or derailed due to malware attack, hacking, etc., and controls to minimize disruption (PI/HIPAA-PHI, IP, SOX, GRC, FAR/DFAR, DCAA). Data segmentation environments and controls, firewall configurations, and cryptographic controls for data at rest and in transit.
- Demonstrated the ability to weigh business needs against security concerns and articulated issues to the user community.
- Demonstrated ability to consistently display accuracy and attention to detail. Worked closely with the engineering process team and IT team to ensure process, sub-process, activity profile and detailed tasks were in compliance with documented policies and procedures and were aligned with vendor system software (Dassault Systèmes ENOVIA, CATIA V6, VISIPRISE/SAP CAMS, SAP GTS, SAP ECC, P2P, MENTOR GRAPHICS, KRONOS, AVEKSA/AIM, etc.).
- Demonstrated ability to identify and analyze significant problems and opportunities and seek remediation by implementing compensating controls.
- Demonstrated ability to consistently display accuracy and attention to detail and work with various level(s) of management and IT leads, often communicating and acting as educator and ambassador for risk identification and controls.
- Assessed that controls in place meet regulatory compliance requirements and documented corporate policies and standards (SOX, FAA, FAR/DFAR, ITAR, EAR, HIPAA, GLBA, SAS 70, AS9100, NIST 63-3, IDAM and digital access controls, etc.).
- Worked closely with Defense Contract Audit Agency (DCAA) auditors and external auditors (E&Y) in reviewing, providing and seeking resolution to audit findings.
- Identified project risks early in development and mitigated risks by developing controls to ensure processes work as intended or designed. Worked closely with the engineering and process team/IT team, with strong knowledge of the SDLC (software/system development life cycle) at each phase of the project. Tools utilized: FMEA, Risk Bone Analysis, risk management tools, etc.
- Confirmed how proposed new applications/systems will integrate with Confidential's/Bell existing architecture. Identified interfaces and performed business impact analysis of applications/projects under development.
- Interacted and worked closely with all levels of management and internal/external auditors, sought remediation and resolutions, and provided supporting evidence for control effectiveness.
Confidential
SOX 404 - IT Security Compliance Lead (Consultant)
- SOX testing - walkthrough documentation, design effectiveness and operational effectiveness for financial systems (IGINS/FIRST) business and IT general controls and Treasury e-banking controls, and self-assessment testing for operational effectiveness.
- Worked closely with internal and external auditors to provide/seek remediation of failed controls.
- Performed remediation testing on internal controls - Sarbanes-Oxley (SOX) 404 Compliance
- Senior Information Technology IT Testing Lead Audit/Sarbanes Oxley (SOX) Compliance (SAP ERP)
- Reviewed documented control descriptions to identify system-dependent controls for testing of US and global applications (Philippines, The Hague (Netherlands), London, UK).
- Conducted walkthroughs, DE/OE testing and remediation of SOX-related IT controls in conjunction with control owners and operators to confirm controls as described and concur on the appropriate testing approach. Conducted process walkthroughs and interacted with internal audit to ensure compliance and control effectiveness.
Confidential, Hurst, TX
SOX – IT Test Specialist – (Consultant)
- Reviewed the client's IT general computer control environment for operational effectiveness as required by Sarbanes-Oxley sections 302/404 within the GRC, COSO/COBIT/HIPAA controls framework.
- Identified process-specific risks and introduced new or updated existing controls to mitigate risks to an acceptable level as per organization policies. Worked closely with process owners, conducted process walkthroughs of controls and tested assigned controls within the control framework.
- Tested IT General controls and obtained evidence to ensure effectiveness of controls.
Confidential, Dallas, TX
Lead/Senior Risk Analyst - Global Investments & Risk Advisory Group
- Managed all aspects of risk and assessed, on an ongoing basis, the material risk associated with how the business unit's activities and products are developed, launched and processed end to end.
- Determined whether actions needed to be taken to strengthen risk management or reduce risk against the business unit's risk profile and tolerance. Familiar with and deep understanding of international and cross-border data privacy laws.
- Advised on new products, initiatives and strategies from a risk and control perspective.
- Provided guidance to various new product initiatives to ensure products are designed with proper controls, and ensured effective and timely incorporation of risk management of merchant transactions and adherence to (GLBA, COBIT/PCI DSS, SOC, SOX 404, ICFR) requirements into everyday operations.
