Risk Management And Security Compliance Resume
New York, NY
SUMMARY:
- Senior Information Security Manager responsible for establishing governance policies and systems for risk mitigation/management and compliance training. Oversee the end-to-end integration of infrastructure components to support the effective, efficient, and secure delivery of information technology services. Manage efforts to control the confidentiality and integrity of data & information used by personnel and stored in systems/databases. Assess current information security capabilities, strengths, and weaknesses to assist in definition of the future-state information security model and roadmap. Perform periodic information privacy risk assessments and monitor compliance regularly. Establish and maintain strong collaborative working relationships with leadership across the enterprise in order to build partnerships and determine the appropriate technology to support business needs and protect confidential data & information.
- Provide guidance to product teams regarding the security compliance landscape, standards, and legislative requirements required for improvement to the present systems, as well as to support the development of new systems and features.
- Develop vendor relationships to facilitate compliance with performance and security expectations and engage in contract management negotiations to facilitate the best performance / pricing / product mix. Ensure that partner vendors have adequate policies in place for protection of proprietary and sensitive data.
- Implement and maintain information privacy policies and procedures alongside legal counsel. Ensure that the organization acquires or distributes the appropriate authorization forms, consent forms, informational materials, legal notices, etc. for customers, vendors, employees and other third parties.
- Oversee security awareness and training within the organization as a whole. Work with the IT group to maintain the integrity of our deployment environment, including plans for business continuity and incident response. Assist in the execution of audits and assessments performed either internally or by an external third party.
- Stay abreast of trends and advances in IT information security solutions and monitor changes in legislation that affect information security. Create vision for information security and risk mitigation program and establish a business plan, justification and approach to achieve vision. Present business cases to Senior Management to win acceptance and secure agreement to proceed.
- Responsible for establishing information security strategic plans and objectives together with other senior managers, and aid the leadership in maintaining a corporate-wide information security management program to ensure that information assets are adequately protected.
- Recommend/direct IT Security staff and other managers to control planning, staffing, budgeting, expense priorities and implementing changes to the Information Security Management System to assure that activities related to the availability, integrity and confidentiality of customer, business partner, employee and business information are conducted in compliance with information security policies.
- Work closely with managers, the IT organization and others to operate an effective governance framework and meaningful risk assessments in accordance with CISO guidance; support effective enterprise risk management; and recommend the establishment of measurable controls that map to all relevant regulations and standards.
- Aid in the development of cybersecurity policy and technical areas including data classification, access controls, Identity and Access Management, security controls, remote access, network access control, security monitoring, auditing and reporting.
- Develop plans for the security program, ensure staff execute on security-related roles and responsibilities, create a sourcing strategy, develop an annual security plan, and guide the creation of the enterprise Information Security Management System (ISMS). Plan exercises related to information security and risk and identify risks and opportunities. Collect and synthesize lessons-learned in response to these exercises. Understand the fundamental business activities performed by the company and recommend appropriate cybersecurity solutions that protect these activities.
- Ensure infrastructure design is derived from the ISMS; assist or perform technology selection; and institute effective process management and improvements, including the policies comprising the ISMS itself.
- Ensure effective identity and access management; control security threats; manage vulnerability impacts; direct forensics; manage incident response; conduct security engineering.
- Develop and maintain an enterprise-wide information security awareness, education and training program.
- Extensive regulatory compliance experience with Sarbanes-Oxley, FISMA, ITAR, Gramm-Leach-Bliley, European Privacy Directive, etc.
- Manage Governance, Risk, Security Assessments and Regulatory Oversight engagements for different clients. Implemented by defining processes and organization: maintain an IT and Cloud (AWS/Azure/Public/Private) governance framework, define organization structure and responsibilities, assign owners for all IT assets; set policies and standards: information security policies, enforce compliance through training and assessments; maintain a risk management framework that is reviewed periodically, ensure that the IS program is reviewed independently for effectiveness, compliant with legal requirements, and consistent with the latest practices. Establish risk assessment frameworks and methodology, perform risk assessments and remedial actions; identify, capture and report risk events. Ensure management reviews metrics and assessment results and monitor responses. Identify IT and IS related laws and regulations. Monitor compliance action plans. Delivered functional solutions based on risk governance with the help of tools like RSA Archer, Hiperos, MetricStream, IBM OpenPages, BWise and RSAM. Collected business requirements and used them in customizing GRC modules like Third Party Risk Management, Internal Audit, Policy & Document Management, IT Risk, IT Governance, Regulatory Compliance and Operational Risk.
- Deep understanding of Third Party Risk Management (TPRM), Vendor Risk Management, Contract Risk Management, Contract and Vendor Management Lifecycle including vendor selection, maintaining vendor business profiles, performing targeted and ongoing risk assessments and risk scoring, monitoring Service Level Agreements, and managing the vendor off-boarding process. Managed SOC2 and SSAE16 reviews. Other areas of focus include SLA management and monitoring through the use of key performance indicators (KPIs) and key risk indicators (KRIs).
- Worked on enterprise level GRC (governance, risk and compliance) modules to define process streams and audit trails for different clients. Knowledgeable on policies and guidelines issued by different regulatory bodies like the Federal Reserve, OCC, DFS, SEC, FINRA, PSA and the MAS.
- BCP/DR documentation and periodic testing, compliance and policy management (support for all existing regulations within that industry); FFIEC, FR 14, FISMA, SOX, DFS, Dodd-Frank, Pillar III, CCAR, credit/liquidity/interest rate risks, and other regulatory change management (business impact analysis).
- Responsible for delivering business continuity plans that, at a minimum, take into account the following: identification of critical business functions and recovery time objectives; dependencies, both internal and external; alternate work sites; response to loss of power, phone, and computer networks; response to loss of critical staff; response to loss of workforce; critical equipment failure; vital records preservation; emergency communications; disaster recovery planning; succession planning; and delegation of authority.
- Contribute to the effectiveness of security-related operations, including Cloud operations, and assist with onboarding, maintenance and issue escalations associated with that security service. Provide technical consultation concerning business implications of application security development projects.
- Manage efforts to control the confidentiality and integrity of data & information used by personnel and stored in systems/databases and on the Cloud. Assess current information security capabilities, strengths, and weaknesses to assist in definition of the future-state information security model and roadmap. Perform periodic information privacy risk assessments and monitor compliance regularly. Establish and maintain strong collaborative working relationships with leadership across the enterprise in order to build partnerships and determine the appropriate technology to support business needs and protect confidential data & information.
- Provide guidance to product teams regarding the security compliance landscape, standards, and legislative requirements required for improvement to the present systems, as well as to support the development of new systems and features. Establish Cloud compliance.
- Oversee security awareness and training within the organization as a whole. Work with the IT group to maintain the integrity of our deployment environment, including plans for business continuity and incident response. Assist in the execution of audits and assessments performed either internally or by an external third party.
TECHNICAL SKILLS:
- ITIL expert level, PMP and Prince2 Practitioner certified. Strong knowledge of governance frameworks and financial regulations: ISO27001, Cobit, CMMi, TickIT, Balanced Scorecard (BSC), TOGAF, Six Sigma, Sarbanes Oxley (SOX404), CCAR, AML/ KYC, Basel 2 and Basel 3. Documented and tested security strategies for various financial services clients.
- Implemented Identity and Access Management (IAM) solutions based on considerations around Identity Management including Privileged Identity Management, Access Management, Policies around Identity and Access Controls, Identity Monitoring and Compliance.
PROFESSIONAL EXPERIENCE:
Confidential, NEW YORK NY
Risk Management and Security Compliance
- Aid in the development of cybersecurity policy and technical areas including data classification, access controls, Identity and Access Management, security controls, remote access, network access control, security monitoring, auditing and reporting, especially relating to Enterprise Cloud (AWS/Azure/Private). Expertise with industry standard frameworks (NIST, FFIEC, PCI, SOX, Safe Harbor, ISO).
- Develop plans for the security program, ensure staff execute on security-related roles and responsibilities, create a sourcing strategy, develop an annual security plan, and guide the creation of the enterprise Information Security Management System (ISMS). Plan exercises related to information security and risk and identify risks and opportunities. Collect and synthesize lessons-learned in response to these exercises. Understand the fundamental business activities performed by the company and recommend appropriate cybersecurity solutions that protect these activities.
- Deep understanding of Third Party Risk Management (TPRM), Vendor Risk Management, Contract Risk Management, Contract and Vendor Management Lifecycle including vendor selection, maintaining vendor business profiles, performing targeted and ongoing risk assessments and risk scoring, monitoring Service Level Agreements, and managing the vendor off-boarding process. Managed SOC2 and SSAE16 reviews. Other areas of focus include SLA management and monitoring through the use of key performance indicators (KPIs) and key risk indicators (KRIs).
Confidential, ISELIN NJ
System Analyst
- Manage efforts to control the confidentiality and integrity of data & information used by personnel and stored in systems/databases. Assess current information security capabilities, strengths, and weaknesses to assist in definition of the future-state information security model and roadmap. Perform periodic information privacy risk assessments and monitor compliance regularly. Establish and maintain strong collaborative working relationships with leadership across the enterprise in order to build partnerships and determine the appropriate technology to support business needs and protect confidential data & information.
- Provide guidance to product teams regarding the security compliance landscape, standards, and legislative requirements required for improvement to the present systems, as well as to support the development of new systems and features.
- Develop vendor relationships to facilitate compliance with performance and security expectations and engage in contract management negotiations to facilitate the best performance / pricing / product mix. Ensure that partner vendors have adequate policies in place for protection of proprietary and sensitive data.
- As a consultant for Siemens responsible for delivering risk, governance and compliance (GRC) solutions to different clients. Implemented solutions such as RSA Archer, Accelus, MetricStream, Paisley, IBM OpenPages, BWise.
- Focus on specific streams and models: risk management (IT risk management based around documentation, workflow, assessment, analysis, reporting, visualization and remediation of risks); Sarbanes Oxley (SOX404) testing and reporting; audit management (audit related tasks and audit trails, managing work papers, time and resource management, reporting); compliance and policy management (support for all existing regulations within that industry); FFIEC, NIST, FISMA, FR 14, Pillar III, CCAR, credit/liquidity/interest rate risks, and other regulatory change management (business impact analysis). Depending on the nature of the business, focused on risk management, audit trails and finance controls, compliance and policy management and regulatory change management.
- Addressed supply chain risk assessment and risk mitigation through different channels like onboarding, predictive indicators and monitoring for stability. Created centralized supplier portal. Created visibility, through key risk indicators, into potential disruptions caused by geopolitical threats, acts of nature, etc. Established and used benchmarks for measuring supplier performance. Created a system for collaboration and supplier development. Established control across the extended enterprise. Created integrated supplier networks. Extended performance management benchmarks to second and third tier suppliers. With a transparent, accessible and comprehensive set of supplier information, the firm has been able to monitor suppliers for behavioral changes which contribute to overall stability, including: changes in the supplier’s management team, EPA violations, OSHA incidents, quality issues, noticeable lags in response time to inquiries, OFAC violations.
- Reducing supplier risk gave the insight to create defensive and offensive strategies that helped turn risk into a competitive advantage. Helped determine whether or not it was beneficial for a company to conduct a customer intervention and know in advance what the potential outcomes might be for an intervention. Improved competitive position in the market. Lowered supplier costs. Positioned client to better address customer needs by addressing supplier vulnerabilities before they became apparent.
- Delivered software solutions based on ITIL best practices and good operational risk governance. ITSM focused on people, process, products and technology perspectives to provide business solutions within the IT infrastructure. Set up all the elements of service operations and their management: event, incident, problem, request fulfillment and access control. Set up a change management module that covered changes to all baseline assets as well as all configuration items across the entire service lifecycle. Focus on capabilities within workflow-driven sales and contact management solutions. Emphasis was on application/database integration, information delivery and subsequent analysis based on different metrics.
Senior Risk and Security Consultant
- Performed Risk Assessments for the IT Firewall Infrastructure, Web Servers, and Online Business Applications.
- Re-engineered Internet Firewall and DMZ Network Security Infrastructure with add-on deployment of ISA 2006 Reverse Proxy Firewall. Developed Disaster Recovery Planning and Testing documentation.
- Provided technical support and end-user training to internal and external customers on network, software, and computer systems. Reports done via PowerPoint and Excel.
- Performed IT Infrastructure Security Policies Risk Assessment / Gap Analysis Audit.
- Reviewed client corporate IT and Security Policies, Procedures, Standards and Guidelines. Performed document-driven and interview-driven security gap analysis risk assessments and audits for client technology solutions. Created technical Control Matrix and technical Gap Analysis Assessment Reports for each technology department.
- Worked on Finance and Audit, Enterprise Risk Management and Compliance projects directed at strengthening, development, review and implementation of the bank's global counterparty Corporate & Retail credit risk models and systems. This included the elevation of the bank's standards for legal compliance plus the associated effective communication and liaising with the home and the very many host regulators on all matters relating to these credit risk models.
- Responsible for detailed Requirement and Gap Analysis, interacting with business users, understanding their business processes and understanding their current IT architecture.
- Worked closely with developers and Product Architects for better understanding the functionality and architecture to devise solutions for new business requirements and business problem statements.
- Facilitated collection of User Requirements and Business Requirements from the Business User Group to document Business/User/Functional/Technical Requirement Specifications using MS Word and MS Visio that provided appropriate scope of work for the technical team to develop a prototype and the overall system.
- Prepared graphical depictions of Narrative Use Cases, Use Case Diagrams, Activity Diagrams, Sequence Diagrams, using MS Visio. Mapped financial data, general ledger data, loss event data, transaction data and people reference data from source to target database for creating a central Risk Data Repository (RDR) as required by reporting regulations. Reported weekly on status, milestones and project tracking to project management and stakeholders.
- Addressed supply chain risks through different channels like onboarding, predictive indicators and monitoring for stability.
- Created centralized supplier portal. Created visibility into potential disruptions caused by geopolitical threats, acts of nature, etc. Established and used benchmarks for measuring supplier performance.
- Created a system for collaboration and supplier development. Established control across the extended enterprise.
- Created integrated supplier networks.
- Extended performance management benchmarks to second and third tier suppliers.
- With a transparent, accessible and comprehensive set of supplier information, the firm has been able to monitor suppliers for behavioral changes which contribute to overall stability, including: changes in the supplier’s management team, EPA violations, OSHA incidents, quality issues, noticeable lags in response time to inquiries, OFAC violations.
- Reducing supplier risk gave the insight to create defensive and offensive strategies that helped turn risk into a competitive advantage. Helped determine whether or not it was beneficial for a company to conduct a customer intervention and know in advance what the potential outcomes might be for an intervention.
- Positioned client to better address customer needs by addressing supplier vulnerabilities before they became apparent.
Security Specialist
- Responsibilities included Firewalls, Network and Systems Infrastructure Support & Risk Assessment Audits.
- Managed customized, secure Intranet/Extranet Application & Messaging Solution Development & Implementation with a team of 40 resources. Managed IT Infrastructure Projects for Design, Install and Upgrade for various divisions.
- Designed, owned and managed the business analysis, development, policies, procedures, controls and standards in support of technology solutions, hardware, software development, infrastructure and support.
- Filled the role of business/technology liaison, tasked with discovering, articulating and driving the strategy and tactics of the global technology solutions with both senior business leaders and the technology teams.
- Established a consistent business analysis process for gathering, understanding and time/resource sizing of business needs.
- Conceived, designed and led a team to build and deploy an internet news delivery product.
- Conceived, architected, developed and deployed an ERP/CRM data warehouse client coverage solution.
- Provided functional knowledge for the development of a help desk system, customer relationship management system, expense tracking application, IT change control process, library management, project management, human resource management system and purchase management system.