- Proven IT Security and Risk Management Professional with the ability to aid in the development of effective security controls, policies, procedures and business/technical infrastructure/Enterprise Architecture, as well as manage/monitor regulatory compliance issues related to:
- PCI-DSS, SOX 404, GRC, SOC I, II/SAS 70, NIST, COSO/COBIT 5, ISO 17799, HIPAA, ITIL,
- AS9100, ITAR/EAR, IP (Intellectual Property) Protection, FAR/DFAR, FAA regulations, etc.
- Experienced in developing process/sub-process/activity flow profiles in the design of new applications and integrating ITIL controls at the initial and detailed design level. Developed policies and procedures to align with new/updated processes and comply with current laws and regulations (SOX, PCI-DSS, ITIL v3, AS9100, etc.).
- Coordinated the information security compliance efforts of all internal and outsourced functions and provided awareness and training; worked closely with business leads and stakeholders, meeting as needed to ensure compliance requirements were included in the design stages of the SDLC. Reviewed and documented the remediation and mitigation plan and controls with Champions/Leads.
- Maintained communication and working relationships with champions, group leads, engineering, Physical Plant Security, ITRM (Information Technical Resource Management Team), HR, Internal Audit team, Legal and other external outsourced groups.
- Areas of expertise include design and assessment of IT controls for new applications under development, including:
- Information Security Management: security policy, roles, responsibilities and procedures for security personnel
- Monitoring security incidents and compliance with policy; application-level access controls; administering logical security over user access, including privileged accounts, SOD (segregation of duties) or least-privilege access
- Computer Operations, including network management (network intrusion detection and implementing remediation and mitigation controls, assessing vulnerability risks, monitoring operational performance and compliance with procedures), batch processes, scheduling, business impact analysis, disaster recovery, business continuity, backup process, application recovery from operational failure, contingency planning, upgrades to system software, etc.
- New development project initiation, requirement definition, design and build of a controls manual to support in-house systems under development; developed test scripts for testing and validation of controls to ensure controls operate as intended. Reviewed internal control procedures and security for systems under development or enhancements of existing systems.
- Application changes: management of maintenance activities, change request process, testing of program changes including emergency fixes, approval of changes by the change control board prior to migration to the live environment.
- Conducted process walk-throughs of controls with various levels of management and communicated the risks involved in the findings.
- Strong skills in implementing SOX 404 security controls within the SAS 70/COSO/COBIT controls framework at the process/activity level; developed test scripts, validated test results and documented evidence for the audit team.
- Reviewed third-party software applications for in-house development. Performed SAS 70 I/II reviews to ensure compliance with SOX, and performed remediation where required.
- Assisted the process team in identifying potential security risks within process flows, identifying roles, responsibilities and SOD at process/activity levels; monitored compliance with federal, state and local laws.
- Results-oriented business professional with over fifteen (15) years of combined experience and expertise in IT infrastructure/enterprise architecture, IT controls and audits, including the design and testing of manual and automated controls to ensure regulatory compliance.
- Three (3) years with the Oil & Gas and refinery/pipeline industry.
- Eight (8) years of Aerospace and Defense experience with Government Regulations such as FAR/DFAR/ITAR/EAR/FAA/AS9100 related to Engineering Process Controls, IT Security and Risk Management controls, and Financial/Accounting Systems at a major defense contractor.
- Six (6) years of experience with Application Security Controls/Risk Management for SAP-ECC 6.0, SAP-GTS, SAP-CRM, SAP-CAMS, ENOVIA, CATIA V4/V6, .NET/VISTA, KRONOS, AVEKSA and the FI/CO module, including hands-on configuration and two full life-cycle project experiences.
- Conducted operational, compliance and investigative audits; worked closely and maintained communication with management, internal and external auditors and DCAA regarding security initiatives and incidents and the timely identification of internal control deficiencies, recommending improvements as well as developing tailored security and control techniques in conjunction with systems under development.
- Four (4) years in implementation of global financial applications, including IT audits, information security, SDLC procedures, software change management, Y2K software conversion, QA and User Acceptance testing, business continuity planning and testing, process improvement, implementation of self-assessment and compliance programs, and IT governance, including walkthrough, design effectiveness and operating effectiveness of IT/business general controls (Sarbanes-Oxley Sections 404 and 302) using HIPAA, COBIT and COSO risk frameworks, with emphasis on SAP internal IT/financial process improvement, change management controls, GRC and compliance.
- Diversified business background, having served in the following industries: aerospace and manufacturing, oil & gas products, investment banking, investment securities, insurance, defense contracting, waste management and mortgage loan processing.
- Worked closely and hands-on with the HR PeopleSoft database and Active Directory in the design of the AVEKSA/Access Identity Management (AIM) application in the BSM (Business System Modernization) Project (5-year project).
- Developed the Change Control process and worked closely with the Architecture Review Board (ARB) and Change Control Board (CCB) prior to processing changes, ensuring deep impact analysis prior to migration/implementation.
- Ensured data sensitivity and privacy throughout the design and implementation cycle and ensured controls were implemented during the design process.
- Worked closely with external applications and interacted with team leads of engineering systems (ENOVIA), manufacturing (SAP-CAMS), labor/finance (KRONOS) and SAP-ECC on day-to-day activities.
- Developed appropriate risk-based manual control strategies and solutions for business processes to be integrated within process, sub-process and activity profile flow designs, including Finance Controls processes, GRC, ITIL, SAP R/3/SAP ECC 6.0, CRM, GTS, SAP-CAMS/Visiprise, .NET/Vista, EIM, BW, Identity Access Management (AIM), Aveksa, KRONOS labor system and Dassault engineering systems (ENOVIA, CATIA V4/5 and V6) applications, including configuration controls compliance with corporate security policy and AS9100/SOX 404/COBIT, etc.
- Extensive experience in evaluation, recommendation, development and implementation of IT/financial controls in numerous environments and processing platforms. Worked closely with external auditors Price Waterhouse Counsel (PWC) and provided information and answered questions pertaining to IT/business controls.
- Strong organizational and communication skills.
- Team-oriented interpersonal skills.
Director, Network Security, Risk and Compliance
- Developed and implemented a strategic, comprehensive enterprise information security and IT risk management program to ensure the integrity, confidentiality and availability of information owned, controlled or processed.
- Developed and enhanced an information security/compliance management framework based on COBIT/Risk IT and NIST.
- Reviewed and validated SOC 1 Type I/II reports of third-party service providers.
- Worked closely with external auditors, performed Risk Advisory Services and ensured compliance with the COBIT 5 framework.
- Developed a Risk Management framework, monitored 3rd-party services and implemented risk mitigation controls.
IT Security Risk Management, IT Process Controls Compliance Consultant/Business Analyst
- IT/SOX 404/COSO/COBIT/FAR/DFAR/PCI-DSS/ITAR/EAR/FAA/AS9100/ITIL/SAS 70, etc.
- Supported the PSI (Process and Systems Integrity) Team to ensure engineering business processes are closely aligned with the engineering standard AS9100 and application controls are implemented at the activity level to ensure systems security, auditability of processes and compliance with federal regulations (FAR/DFAR/ITAR/EAR/FAA/SOX 404-COBIT, IP and AS9100).
- Demonstrated ability to consistently display accuracy and attention to detail.
- Demonstrated ability to identify and analyze significant problems and opportunities and seek remediation by implementing compensating controls.
- Worked closely with the engineering process team and IT team to ensure process, sub-process, activity profile and detailed tasks were in compliance with documented policies and procedures and were aligned with vendor system software (Dassault Systèmes ENOVIA, CATIA V6, VISIPRISE/CAMS, MENTOR GRAPHICS, KRONOS, AVEKSA/AIM, etc.).
- Demonstrated the ability to weigh business needs against security concerns and articulated issues to the user community.
- Assessed that controls in place met regulatory compliance requirements and documented corporate policies and standards (SOX, FAA, FAR, DFAR, ITAR, EAR, HIPAA, GLBA, SAS 70, AS9100, NIST, etc.).
- Identified project risks early in development and mitigated risks by developing controls to ensure processes work as intended or designed. Worked closely with the engineering and process team/IT team, with strong knowledge of the SDLC (software/system development life cycle) at each phase of the project. Tools utilized: FMEA, Risk Bone Analysis, risk management tools, etc.
- Confirmed how proposed new applications/systems would integrate with Textron's/Bell's existing architecture. Identified interfaces and performed business impact analysis of applications/projects under development.
- Developed IT security controls to be implemented during the design phase of the KRONOS application. Validated and tested configuration controls and obtained evidence that the application was working and integrated with other directly impacted applications as per design specification.
- Confirmed the presence of planned security controls and engineering aerospace process controls, and identified potential security risk, confidentiality, privacy or regulatory issues (HIPAA/SOX/FAR/DFAR/ITAR/AS9100/FAA).
- Developed risk assessments using the COSO/COBIT 4/SAS 70/third-party software framework for new project developments and identified weaknesses in the existing system of controls.
- Developed IT controls to be implemented in new system applications under development. Conducted process walk-throughs of enterprise architecture controls with peers to ensure understanding of the risks involved if controls are not implemented during the design phase.
- Managed the Enterprise Privileged Access Project as part of the Sarbanes-Oxley Section 404 (SOX 404) compliance initiative, including a comprehensive privileged access audit to conduct gap analysis related to regulatory compliance.
- Contributed to design planning for an Active Directory Role-Based Access Control (RBAC) Aveksa framework using an XACML application that satisfied NIST (National Institute of Standards and Technology) requirements and ITAR/EAR compliance.
- Updated the Information Security Gate Review Reference document at each phase of the project and implemented security controls relevant to standards and best practices such as ITIL, ISO/IEC 17799 and PRINCE2, including the overall IT architecture design and alignment with the corporate information architecture.
- Confirmed that the design included controls within the application that support general control objectives such as security, network management (including intrusion detection/prevention), encryption and cryptographic controls, defense in depth and data classification, taking into account the organization's security architecture and policies, industry security and privacy best practices, and regulatory and compliance requirements for security and privacy integrity.
- Effectively interfaced with Legal / Compliance and Internal Audit departments.
- Tested and validated that controls were implemented and working as designed. Obtained evidence for reporting the audit/review findings. Ensured that risk mitigation controls operated as designed or intended.
- Performed technology vulnerability assessment to identify potential risks.
- Identified and created controls for new projects and worked closely with Engineering/Drawings and process teams to ensure compliance with ITAR/FAR/DFAR and SOX.
- Supported the SAP security, SAP-ECC, CRM, GTS, KRONOS, SAP-CAMS, ENOVIA, CATIA, Mentor Graphics, Approva SOD, AIM Aveksa, P2P and E-WIN teams in compliance reviews and walkthroughs of existing controls and updated the steering review committee on any deficiencies. Performed Information Security Gate Reviews for new projects as part of the process improvements/modifications of business system modernization and provided support documents prior to exit at each Gate/Phase of the project.
Senior Information Technology (IT) Testing Lead, Audit/Sarbanes-Oxley (SOX) Compliance, SAP ERP
- Performed remediation testing on internal controls for Sarbanes-Oxley (SOX) 404 compliance.
- Walkthrough documentation, design effectiveness and operational effectiveness for financial systems (IGINS/FIRST) business and IT general controls and Treasury e-banking controls, and self-assessment testing for operational effectiveness.
- Reviewed documented control descriptions to identify system-dependent controls for testing of US and global applications (Philippines, Malaysia, Brazil, Australia, Germany, Netherlands).
- Conducted walk-through, DE/OE testing and remediation of SOX-related IT controls in conjunction with control owners and operators to confirm controls as described and concur on the appropriate testing approach.
- Reviewed the client's IT general computer control environment for operational effectiveness as required by Sarbanes-Oxley sections 302/404 within the COSO/COBIT/HIPAA framework.
- Identified process-specific risks and developed control objectives to ensure risks are adequately managed.