Resume
SUMMARY
- Goal-oriented professional with twenty-three years of experience in Information Technology Support, Governance, Compliance and Administration, plus seventeen years in Information Security Risk Analysis.
- Experienced in information security assessment and in security risk rating scales within organizations.
- Vendor Risk Management, IT Audit and Enterprise Risk Management (ERM)
- Sound knowledge of new developments in IT security, including data-mining and analysis tooling.
- Trained users in security awareness to promote compliance and reduce accidental breaches.
- Team lead and trainer on several IT projects covering documentation, governance, security risk assessments, business continuity/disaster recovery planning, e-commerce and audit/compliance reviews.
- Areas of expertise: Systems Integration, Risk-Based Audit, Management & Documentation, Operations Management, Business Impact Analysis, Technology Architecture Review, Regulatory Compliance, Client Needs Analysis, Business Continuity, E-Commerce, Business Development, Identity & Access Management, IT Auditing, Strategic/Tactical Planning, Change Management, IT Budgeting and Cost Control, EU Anti-Money Laundering, Information Assurance in Documentation.
- Experience in NIST, SOC, ISO, SOX, COPPA, FCRA, GLBA, HIPAA and other privacy legislation procedures.
- Knowledge of international data protection laws on energy trading and application audits to meet Federal Trade Commission (FTC) recommendations.
TECHNICAL SKILLS
- Auditing using FFIEC booklets
- BSIMM
- ISO/IEC 27001
- ISO 27002
- ISO 17799
- COBIT
- COSO
- Data Guard
- Nessus
- Nmap
- Excel
- FISMA/FedRAMP
- FFIEC
- ITIL
- GLBA
- Gateways Active Session
- Mainframe
- PL/SQL
- OSI Model
- OWASP
- PCI DSS
- RAC
- RFQ
- Safe Harbor
- SAP
- SOC 1 & 2 (SAS 70/SSAE)
- SOA
- SOX
- TCP/IP
- Tripwire
- Wireshark
- Tivoli Insight Manager (IBM)
- RSA Archer
- QualysGuard
- Product Owner and Scrum Master
PROFESSIONAL EXPERIENCE
Information Security Risk Analyst
Confidential
Responsibilities:
- Performing independent and comprehensive client security assessment as Information Security SME working with various assigned companies.
- Identifying and assessing key IT and data-related risks and controls within business processes and developing effective test plans for each engagement.
- Performing walk-through policy assessments with multiple business representatives to validate corporate security control design and process documentation.
- Issuing report findings on client (business partner) security management and gap analysis.
- Participating in peer reviews on engagements before reporting to the supervisor and Senior Audit Managers.
- Working with related business functions, which requires technology, operational, financial and regulatory understanding across multiple businesses around the globe.
- Leading projects that are generally moderate in size and complexity while handling additional assignments simultaneously.
- Escalating significant risks and loss exposures to appropriate levels of management with objective opinions reflecting relevant facts that lead to logical conclusions.
- Monitoring adherence to risk mitigation strategies, security compliance, risk rating, IT governance and documentation in conjunction with information and cloud security.
- Leading IT Audit and Enterprise Risk Management (ERM), including vendor and third-party risk management.
Sr. Information Security
Confidential
Responsibilities:
- Performed security controls assessment for SOC 2 Type II using the NIST SP 800-53 Rev. 4 framework. Developed and documented Common Criteria security content for internal/external auditors and implementation guidance on the BCBS Association-mandated platform.
- Reviewed and verified documented artifacts on SOC security, contingency and data recovery plans.
- Prepared industry-relevant process roadmaps and POA&Ms.
- Reviewed network design to determine the enterprise's overarching security posture.
- Engaged with multiple business stakeholders, area management and technology owners to ensure that vulnerabilities and risks were adequately identified, communicated and tracked for remediation.
- Collaborated with peers and leadership, and facilitated and led project meetings to execute gap analysis, drafts and review feedback/approvals based on a formalized process.
- Collaborated with team members to formulate, design and develop internal operating controls to mitigate identified gaps. Contributed ideas to improve existing standards or create new and consistent processes to ensure sustained, agile security and resiliency of critical assets.
Sr. Information Security Analyst
Confidential
Responsibilities:
- Security SME for SOC 2 Type II on NIST CIC framework implementation and compliance certification.
- Performed security controls assessment for SOC 2 Type II using the NIST SP 800-53 Rev. 4 framework. Developed and documented Common Criteria security content for internal/external auditors and implementation guidance on the BCBS Association-mandated platform.
- Reviewed and assessed artifact documentation on the Security Plan, Contingency Plan, Data Recovery, and network diagrams and design to determine the enterprise's overarching security posture.
- Engaged with multiple business area managers, technology owners and compliance stakeholders to ensure that IS risks were adequately identified, communicated and tracked for remediation.
- Responsible for implementing logical and physical continuous monitoring, process improvement, alignment of policies with information security, and change management while executing security risk assessments in accordance with big data industry-mandated standards.
- Collaborated with peers and leadership, and facilitated and led project meetings, executing the writing process for gap analysis, drafts and review feedback/approvals based on a formalized process.
- Collaborated with team members to formulate, design and develop internal operating controls to mitigate identified gaps. Contributed ideas to improve existing standards or create new and consistent processes to ensure sustained, agile security and resiliency of critical assets. Led Vendor Risk Management.
Program Manager
Confidential
Responsibilities:
- PMO/SME for ISO 27001 compliance and SOC 1 & SOC 2 Type II certification and program implementation.
- Analyzed the project process framework and developed control documentation content for internal/external auditors and implementation guidance on the Cisco Cloud Services Platform.
- Generated project health dashboards for executive-level weekly reviews and reporting.
- Partnered with stakeholders to align scoped resources across the Cisco global services organization.
- Brand compliance development, SOC controls evidence strategy, statistical analysis and risk rating.
- Implemented and assessed security control baselines, control standards cross-mappings and documentation review, organization policy review, and gap mitigation and resolution, including Vendor Risk Management.
- Change management monitoring, business impact analysis and business continuity (BCP) reporting.
- Second-level escalation contact for resolution of system incidents, vulnerabilities and non-compliance.
- Advised on the formation of compliance procedures for cloud privacy policies and on structuring audits.
- Generated new development support for GRC analysis focused on a mixed cloud environment.
- Business continuity/disaster recovery planning and audit analysis for compliance enforcement.
- Currently instituting a “do once, use many times” framework approach that will save the cost, time and staff required to conduct redundant enterprise-wide security assessments within the systems development life cycle.
Sr. Security Program Manager
Confidential, Washington, DC
Responsibilities:
- Responsible for cloud security threat assessments of internal BYOD policies and partner access points.
- Responsible for enterprise-wide information security, GRC, SOX compliance and business continuity efforts.
- Site lead for global team of security professionals with a strategic focus on information protection, assessment, compliance awareness, governance, and enterprise business continuity.
- Recommended overall security posture to mitigate risk in accordance with the assessed acceptable tolerance level under ISO 27001, NIST, FISMA/FedRAMP, SOC 1 & 2, COSO, FIPS 200, HIPAA and COBIT guidelines.
- Instituted a security process that identified risks and a strategy to manage them through tests that monitored environment controls before implementation.
- Tracked and managed the effectiveness of established security risk metrics with vulnerability testing and updated assessments, including Vendor Risk Management.
- Prepared and documented audit/compliance materials using FFIEC, ITIL and ISO/IEC 27002.
- Systems infrastructure and network security vulnerability identification, definition and classification.
Business Analyst
Confidential, San Antonio, TX
Responsibilities:
- Internal risk management with IT control standards; vulnerability scanning solution based on the customer environment.
- Managed user logical and organizational resources. Monitored identities on privilege/emergency access requests to ensure activities stayed within approved parameters. Prioritized incidents/enhancements and worked with the team to facilitate use of technology-based tools and methodologies to design and/or implement products and services.
- Participated in various levels of Global Identity and Access Management program.
- Provided guidance and support for the Identity & Access Management programs.
- Supported the enterprise-wide definition, establishment and guidance for identity and access management (IAM) related technology, policies, and procedure.
- Defined, established and managed risk metrics and tracked their effectiveness with vulnerability testing and risk assessment, including Vendor Risk Management.
- Conducted business impact analysis (BIA) for vital functions and documented recovery priorities of key processes, applications and data.
- Planned and coordinated testing of recovery support and business resumption procedures (BCP).
- Prepared and documented Audit/Compliance materials using FFIEC booklets and ISO/IEC 27001 on the following: Audit, Business Continuity Planning, E-Banking, Information Security, Operations, Outsourcing Technology, Retail and Wholesale Payment Systems.
- Responsible for endpoint cyber security threat assessments, including internal, external, website/online class authentication, shields and application-centric solutions.
- Managed logistics and development of Information Security Awareness training program and Communications Manual for IT Security using ITIL, FISMA, COBIT, COPPA, SOX & NIST frameworks.
- Coordinated penetration testing, security risk assessments and recommended measures to deal with identified risks; evaluated COTS/GOTS security products and provided recommendations for use as security tools.
- Ensured the appropriate NIST SP 800-34, FISMA and FIPS standards were applied to the Information Technology Service Continuity Management Plan.
- Enforced Policies and Standards related to IT Security using ITIL, ISO, NIST, COBIT, and BSIMM.