Cyber Security Risk Analyst Resume
NYC, NY
SUMMARY:
- A desirable cyber security professional with stellar project management and technical skills.
- An IT Risk Analyst with over 8 years of experience performing IT audits and vendor and third-party risk assessments, with in-depth knowledge of HITRUST, Sarbanes-Oxley (SOX) compliance, Tableau, Active Directory, VLOOKUP, Standardized Information Gathering (SIG), SSAE 18 (SOC 1, SOC 2), NIST, SCA, ISO 2, CSA STAR and PCI DSS (AOC/ROC), applied to achieve the confidentiality, integrity and availability of information systems. Also has in-depth knowledge of access control, audit and accountability, compliance testing, change management, end-user computing, security footprint, incident response, identity management, and governance, risk and compliance.
- Project Management (IT / Non-IT)
- Vendor/3rd Party Risk
- Security Awareness
- Governance, Risk, and Compliance
- Vendor/3rd Party Risk Assessment
- Intrusion Detection Systems (IDS)
- ISO 27001, PCI DSS, NIST, COBIT
- Due Diligence
- Information Security/Risk Management
- IT Audit and Risk Management
- Vulnerability Management
- Identity/Access Management
- Intrusion Prevention Systems (IPS)
- Cyber Security Management
- Compliance Management
- SIEM (Security Information and Event Management)
- Project Management
- SIG
- Microsoft Office Suite
- Ensure third-party relationships adhere to company policies and procedures and comply with regulatory guidelines and industry best practices.
- Responsible for performing vendor risk assessments, developing risk reports, performing on-site vendor inspections, and providing issue management and resolution. I work with other risk functions to develop and implement controls that mitigate vendor risks and am responsible for supporting the execution of the Vendor Risk Management program.
- I essentially provide insight into the security of the vendor environment, identifying and prioritizing vendors based on their inherent risk.
- I ensure that third-party vendor contract standards and due diligence controls are met, and I use independent judgment and discretion to identify, analyze and summarize financial risk issues or key points, ensuring compliance with Vendor Risk Management policies, laws and regulations.
- Lead projects, developing project objectives, strategy, scope, timelines, and progress reports. Collaborate with teams to align project scheduling, conduct risk analysis, and determine critical path analysis with proper scheduling and reporting.
TECHNICAL SKILLS:
GRC Tools: RSA Archer, ServiceNow, ProcessUnity, RSAM, OneTrust, Panorays, AuditBoard.
Security Ratings: SecurityScorecard, BitSight, ATLAS, Black Kite.
EXPERIENCE:
Cyber Security Risk Analyst
Confidential, NYC, NY
Responsibilities:
- Plan and conduct security risk assessments for all third-party vendors/suppliers.
- Review the operational, security, business continuity and/or regulatory compliance measures for vendors under management.
- Lead the remediation and on-boarding activities for new vendors into the VRM Program, and provide ongoing support and maintenance as required.
- Provide and coordinate input to key compliance, legal and regulatory initiatives.
- Perform remote risk assessment testing using a GRC application and periodically conduct vendor risk assessments.
- Perform vendor risk assessment reviews according to pre-established policies and procedures, managing multiple reviews in parallel.
- Streamline the review and validation of assessment results for internal team and external auditors.
- Manage, build and maintain customer relationships; strong team player, able to meet deadlines and adjust to changing priorities.
- Knowledge of SSAE 18, SOC 2, Shared Assessments, and other vendor risk assessment methodologies.
- Strong understanding of technical/security concepts such as network architecture design, logical access controls, vulnerability management, encryption, and cloud computing.
- Work with vendors on oversight to ensure they are tiered appropriately based on the level of data they have access to.
- Administer questionnaires to all vendors to determine control effectiveness.
- Conduct onsite and virtual risk assessments to continuously determine the security posture at the vendor site.
- Review and validate all controls at the vendor site to ensure data confidentiality.
- Validate security questionnaires during onsite visits to ensure up-to-date data protection at the vendor site.
- Conduct on-site risk assessments based on agreed upon procedures guidelines.
3rd Party Risk Analyst
Confidential, NYC, NY
Responsibilities:
- Conducted on-site risk assessments based on agreed upon procedures guidelines.
- Reviewed key vendor-provided documentation such as SSAE 18 Type II reports.
- Used e-GRC tools to ensure secure and prompt communication of findings, deployment of questionnaires to vendors, and tracking of vendor progress on remediation.
- Reviewed access control management at the vendor site.
- Acted as remediation analyst to work with vendors in remediating findings discovered during the onsite/virtual assessment.
- Assessed areas such as business continuity and disaster recovery, physical security, system development, operation, access control, incident management.
- Utilized Coupa to: understand supplier relationships, including what the supplier is doing, why, and what company resources they will have access to; off-board suppliers with appropriate measures to prevent business disruption and to ensure an orderly transition and proper retention of sensitive information; demonstrate and provide proof of consistent execution; and manage multiple risk domains, including InfoSec, Anti-Bribery and Anti-Corruption (ABAC), GDPR and many others, accommodating new ones as they emerge.
- Escalated issues of 3rd party vendor’s non-compliance to the vendor management office.
- Planned and executed onsite security/risk assessments for third party vendors.
- Performed data loss prevention assessments of our data at the vendor site.
- Carried out various types of vendor assessments (onsite, virtual and risk assessments) depending on triage information from the vendor management office.
- Provided ongoing monitoring for third party risk due diligence.
IT Risk Assessor
Confidential, NYC, NY
Responsibilities:
- Performed IT general controls testing for Sarbanes-Oxley (SOX) 404 compliance and Service Organization Control (SOC) reports / SSAE 18 (formerly SAS 70).
- Review all essential security policies and procedures documentation.
- Provide detailed reports of assessments to business owners and the vendor management office.
- Escalate issues of 3rd party vendor non-compliance to the vendor risk management office (VMO).
- Performed continuous monitoring by assessing tools during onsite visits to validate the security questionnaires filled out by vendors, ensuring protection of data at the vendor sites.
- Ensure third-party relationships adhere to company policies and procedures and comply with regulatory guidelines and industry best practices.
- Participated in SAP transaction testing, including segregation of duties testing, to assist the client in improving their user management, authentication management, authorization management, access management and provisioning capabilities.
- Tested general computer controls and business process application controls using the COSO, COBIT, PCI DSS and NIST rev. 4 frameworks, and performed walkthroughs and detailed testing of controls to evaluate their design and operating effectiveness.
- Performed SSAE 18 /SOC engagements by overseeing the identification of control objectives, the assessment of risk, planning and executing control testing and documentation of IT General, Application, and Process controls.