Third Party Vendor Risk Management Analyst Resume

Fort Worth, TX

SUMMARY

  • Information Technology Audit and cyber security professional with over 5 years’ experience in Governance, Risk and Compliance, Information Security risk assessment and Data Privacy. In-depth knowledge of NIST 800-53 and the COBIT Framework for mapping IT controls and Third Party | Vendor Risk Assessment.
  • Sound knowledge of information systems audit and ITGCs using industry-standard frameworks.

AREAS OF EXPERTISE

  • General IT Controls Review
  • Cloud Security Audit (Azure & AWS)
  • Governance, Risk and Compliance
  • ERP Audit (SAP, Oracle)
  • OS Security (Linux, Unix)
  • Data Privacy and Third Party | Vendor Risk Assessment
  • Sarbanes Oxley Compliance (SOX)
  • Infrastructure Security Risk Assessment

TECHNICAL SKILLS

  • COBIT
  • COSO
  • NIST
  • ITIL
  • PCI-DSS
  • HIPAA
  • SOX
  • SAP
  • Oracle
  • SIEMs
  • Microsoft Excel
  • Microsoft Access
  • MS Project
  • Report writing
  • PowerPoint
  • ACL
  • Network security
  • QuickBooks
  • Standardized Information Gathering (SIG)
  • MS Office 365
  • Visio
  • ServiceNow
  • Archer GRC
  • Qualys

PROFESSIONAL EXPERIENCE

Confidential, Fort Worth TX

Third Party Vendor Risk Management Analyst

Responsibilities:

  • Perform initial risk assessments and vulnerability assessments to identify, measure and manage third party risks.
  • Classify vendor’s inherent risk and recommend remediation for identified risks.
  • Gather due diligence documentation and complete the risk assessments for assigned third party relationships in accordance with the third-party risk management policy.
  • Perform continuous annual re-assessment of vendors.
  • Conduct security risk assessments on third parties and assist in reviewing contract agreements to ensure necessary security controls are in place.
  • Review the vendor due diligence process by ensuring security and data privacy requirements e.g. HIPAA, GDPR, PCI-DSS are maintained in contractual relationships and continuously monitored.
  • Review and analyze vendor service profiles utilizing ServiceNow, Archer GRC, the Standardized Information Gathering (SIG) questionnaire and artifacts during onboarding and periodic assessments.
  • Review third party Service Organization Control (SOC) reports and ISO 27001 certifications during assessment.
  • Compile an initial risk assessment for new and existing third-party suppliers in accordance with third party risk management procedures regarding assessments and level of risk.
  • Collaborate with legal and business units to translate risk and legal regulations into system requirements.
  • Review vendor files for completeness and work with business units to update accordingly.
  • Contribute to GRC programs such as IT general controls, PCI-DSS, GDPR, CCPA, SOX compliance with the NIST Cybersecurity Framework (NIST CSF) as needed.
  • Perform SOX readiness walkthroughs and testing of all in-scope applications and supporting infrastructure (applications, operating systems and databases).
  • Review IT risk profiles for SOX general computing controls for infrastructure operations, security and change management.
  • Perform SOX compliance audits, conduct walkthroughs, and test several operating systems (UNIX, Windows), applications and physical security controls related to general computer controls for the company’s infrastructure group using the COBIT methodology.
  • Update vendor tracking software and database with risk assessments and related information to maintain a current record of activities.

Confidential, Irving, TX

IT Risk/Security Compliance Analyst

Responsibilities:

  • Contributed to the development and oversight of required corrective action plans relating to security compliance issues.
  • Performed summary of findings meeting with process owners to ensure gaps identified are closed on time.
  • Participated in annual PCI-DSS readiness assessments.
  • Through data analysis and interviews with information technology and business units, identified all PCI/PII-related applications and systems that store, transmit and process cardholder and PII information.
  • Ensured cardholder data is maintained and secured by protecting the PAN information in the custody of the organization.
  • Established guidelines for procedures and policies that comply with new and revised regulations.
  • Evaluated management process for managing operating system, software changes and maintenance to ensure all changes to company information assets are properly authorized and documented in accordance with defined standards.
  • Determined appropriateness of password configuration settings for compliance with standards defined in the IT Security policy.
  • Communicated with IT administrators, developers and support teams to help improve the company’s security posture.
  • Coordinated with the external auditors and regulators for testing the organization’s internal IT controls pertaining to Sarbanes-Oxley (SOX).
  • Coordinated quarterly penetration testing with various vendors such as McAfee to harden servers with stakeholders.
  • Scheduled interview meetings and vetted evidence before providing it to the auditors.
  • Responsible for identifying and escalating findings from vulnerability assessment and penetration testing reports.
  • Identified and analyzed OWASP top 10 issues like SQLite, CSRF, and XSS.
  • Recognized existing and emerging information security threats and vulnerabilities.
  • Performed infrastructure security reviews of operating systems and databases to determine the appropriateness of access monitoring, users with elevated permissions, and general system security settings.
  • Performed self-assessment and continuous monitoring of internal controls.

Confidential, Dallas, TX

IT Auditor

Responsibilities:

  • Planned and executed audit engagements, including assessing the design and operating effectiveness of the internal control structure and compliance with policies and procedures.
  • Evaluated audit fieldwork independently in accordance with audit work programs and made improvement recommendations.
  • Reviewed system and application strengths and weaknesses and recommended appropriate compensating controls to mitigate any potential risk.
  • Reviewed and tested access controls: physical access relating to server rooms or data centers, and logical access controls relating to applications.
  • Used Excel spreadsheets for data analysis.
  • Tested network controls (LAN, WAN, firewall).
  • Reviewed organization’s disaster recovery readiness - DR plan, Business impact analysis (BIA), annual testing, site adequacy, etc.
  • Participated in the design of business impact analysis (BIA).
  • Managed IT risk-based audits to review ITGCs, change management, access control, segregation of duties, IT operations, etc.
  • Tested the operating effectiveness of clients’ internal controls.
  • Conducted periodic SOX compliance audits and tracked exceptions to remediation.
  • Performed post-implementation reviews on every past-due resolution.
  • Built a strong relationship with the business owners, IT management and external auditors.