We provide IT Staff Augmentation Services!

Sr I.t Security Lead/ Senior Security Risk Assessor Resume

SUMMARY

  • Experience in identifying, evaluating, and prioritizing risks to optimize continuous improvement in the Financial Services, IT outsourcing, and Telecommunications industries.
  • Expertise in technologies such as Cloud, Kubernetes, Containers, Data analytics and AI technologies
  • Experience in Security Control Assessment with in - depth knowledge of HITRUST, SIG, SSAE 18 (SOC 1, SOC 2), NIST 800-53, NIST 800-37, NIST 800 -137, PCI-DSS to achieve Confidentiality, Integrity, Availability of Information Systems.
  • Investigate minor security breaches in accordance with established procedures
  • Experience in audit and control, risk assessments and Vendor/Third Party Risk Assessment.
  • In-depth knowledge of Sarbanes-Oxley Act (SOX), application control risk assessment, IT General Controls (ITGC) and SAS70/SSAE18 attestation.
  • Network & System Security, Shared Assessments, Risk Management, Vulnerability Assessments, Authentication & Access Control, System Monitoring, Regulatory Compliance, System Integration Planning, Multitier Network Architectures.
  • Tests professional proficiency in all aspects of enterprise security as delivered by the SABSA method.
  • Proven record in building and heading vendor/third party/supplier risk management, contract administration, second line of defense Programs: Policies, standards, controls/risk assessing functions, business strategy, operations management, and managing vendor relationships.
  • Security Risk Assessment & Management, Business Continuity and Disaster Recovery, Policy Management and Compliance, Security Operations, Security Program Management, Security Architecture & Engineering.
  • Experience in security technologies such as Identity & Access Management, encryption, DLP, etc.
  • AWS - IAM, EC2, VPC, S3, Route53, CloudFront, RDS, SQS, SWF, SNS, Kinesis, Redshift, DynamoDB, Neptune, Aurora, CloudWatch, AWS CLI, Storage gateway, Direct connect, VPN connect, ELB, Teammate, Veracode, Checkmarx, Aquasec, Twistlock, OWASP ZAP

TECHNICAL SKILLS

  • CAAT, TeamMate, ACL, GAMx, CANVAS, IDEA, ETL, Microsoft SharePoint, CITRIX Office Tools, RSA Archer, Ariba, MetricStream
  • Agile, DevSecOps, NESSUS, Xacta, CSAM, STIGs, eMASS, ACAS, SCAP, Qualys, Splunk, ServiceNow, PeopleSoft, Jira, Azure
  • AWS, SharePoint, Active Directory, TraceSecurity, Tableau, MS Office Suite, MS Visio, MS Project, NIST CSF, NIST, RMF
  • JavaScript, SQL, Python, Jenkins, Docker, Git, Maven, Selenium, Ansible, Nagios, SnatchBot, TOAD, PuTTY, SSH
  • Crontab, VMware, VirtualBox, Nexpose (by Rapid 7), RACF, SailPoint, WebInspect etc.

PROFESSIONAL EXPERIENCE

Confidential

SR I.T Security Lead/ Senior Security Risk Assessor

Responsibilities:

  • Deep knowledge of application security fundamentals (OWASP Top 10, SANS Top 25) and how these vulnerabilities manifest/operate at different layers of application architecture
  • Knowledge of assessing and understanding the risk of supplier products/ services customer data, network and clients products/ offerings, identify areas of improvement and analyze and provide appropriate recommendations for mitigation of the risk.
  • Worked closely with Functional Business Area (FBA) senior managers and managers to ensure awareness and understanding of third-party risk program requirements and associated risk within their portfolios.
  • Plan and conduct security risk assessments for all third-party vendors/suppliers.
  • Reviewed and validated all controls at the vendor site to ensure data confidentiality.
  • Validate security questionnaires during onsite vitals, to ensure up to date data protection on vendor site.
  • Ensure appropriate security terms are included in supplier contracts
  • Coordinate and perform the firm-wide third-party risk assessment supporting the aggregate, annual and quarterly assessment of inherent risk, control effectiveness, residual risk exposures, and direction of risk.
  • Perform governance, oversight, and assessment on third-party risk management process design and alignment to third-party risk policy and standards.
  • Lead the execution of external third-party events (incidents) governance and oversight.
  • Executing evaluations of third-party risks within unique projects as facilitated through centralized processes and mechanisms.
  • Develop reports and presentations documenting outcomes of assessment results clearly and concisely.
  • Participate in the first line of defense risk forums supporting oversight from a third-party risk perspective.
  • Support audit, testing, and examination activities by acting as the point-of-contact and subject matter expert on the TPRM program.
  • Collaborate with other risk subject matter experts on the performance of ad hoc assessments to assess third-party risks and identify opportunities for improvement.
  • Provide guidance to business partners on risks associated with third parties.
  • Maintain subject matter expertise on third-party risks.
  • Conduct on-site risk assessments based on agreed upon procedures guidelines
  • Review all essential security policies and procedures documentation
  • Provide detailed reports of assessments to business owners and the vendor management office
  • Conducted third party risk assessments aligned with ISO and NIST standards
  • Reviewed completed SIG questionnaires based on vendor inherent risk
  • Provide support for various third-party management meetings.
  • Provide strategic input to the development of new processes and redesign of existing processes.
  • Report risks in the manner appropriate for each target audience, highlighting the relevant likelihood and severity of each risk.
  • Monitor controls and perform control testing on effectiveness of TPRM compliance in accordance to Risk methodology and program set by Group and Regional TPRM
  • Support TPRM team on the reporting of high-risk third-party contracts and third-party high risks / ineffective controls and highlight third party risks and the action planned to address inadequate controls to executive management.
  • Improve awareness of Operational Risks faced by Business from third party failure/poor performance and work with Local TPRM/Legal/Business to mitigate any losses
  • Proactively work with Third Party Risk Management Category teams and Business Partners to identify areas of risk and reduce, mitigate, or eliminate third party risk within the category plans
  • Collaborating on risk management efforts between various risk functions within the TPRM team
  • Keep abreast of business and technology trends, particularly in the areas of business resilience, third party risk, cybersecurity, information governance, and identity management
  • Coordinate with the Third-Party Program Manager/Officers to maintain the third-party inventory, risk assessment information, contracts, action plans, watch list, service level agreements, issues, and required documents within the SharePoint, and document management system
  • Working knowledge of assessing controls against standards and frameworks such as ISO27001:2013, ISO 22301, NIST 800-53 Rev 4
  • Maintain hosted applications within the IDAM toolsets and framework, supporting the business need to change and decommission as and when required
  • Develop and maintain system templates and ensure authority levels within those systems are correct and appropriate against predefined RBAC and UAC templates
  • Collaborate with team to understand the business context in which the supplier services are used, internal processes for engaging the suppliers and integration points

Confidential

SR I.T Security Lead/ Senior security Risk Assessor

Responsibilities:

  • Reviewed and validated all controls at the vendor site to ensure data confidentiality.
  • Validate security questionnaires during onsite vitals, to ensure up to date data protection on vendor site.
  • Worked with the appropriate business users and experts and ensure that for any identified risk that require mitigating action, including vendor disengagement/replacement, a plan is developed and executed.
  • Understanding in detail levels of common security topics such as OAuth 2.0, OpenID Connect, SAML 2.0, VPN
  • Consistently looks for and suggests process improvement and workflow redesign opportunities within the IAM process
  • Assists resolution of customer requests and problems related to system access
  • Assists in monitoring the security of the network
  • Monitor and drive mitigation actions.
  • Conduct on-site risk assessments based on agreed upon procedures guidelines
  • Review all essential security policies and procedures documentation
  • Provide detailed reports of assessments to business owners and the vendor management office
  • Work as a remediation analyst to ensure all gaps discovered during the assessment are remediated or mitigated timely
  • Plan and conduct security risk assessments for all third-party vendors/suppliers.
  • Categorizing information systems with reference to guidelines from FIPS 199 and NIST SP 800-60.
  • Serve as the SOC’s initial point of contact for all users
  • Work with Business Continuity Planning team to understand Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical business functions and related technology.
  • Lead and perform IT general control testing in accordance with Sarbanes-Oxley (SOX) requirements.
  • Built and managed third party risk management oversight program for second line of defense; led strategic initiatives.
  • Provide oversight in developing Archer solutions to support three or more of the following: SOX, PCI DSS, ISO 27001/27002/27005 , HIPAA, Unified Compliance Framework, Enterprise Risk Management, Vendor Risk Management, Vulnerability Risk Management, Security Operations Management, Business Continuity Management, Audit Management.
  • Conducts and leads all aspects of the end-to-end IT audit process to include engagement planning, coordination, scope determination, risk and control identification, design of audit program procedures, testing, and evaluation and analysis of results.
  • Develop and maintain Risk Management plan using NIST RMF and CSF.
  • Conduct NERC CIP audits
  • Advice and recommend new tools and solutions for effective management of third party risks.
  • Prepares adequate documentation (work papers) supporting all audit work performed to support the preparation of a written report to Management
  • Prepares comprehensive, well-written Internal Audit Reports summarizing the review results.
  • Follows-up on status of prior IT audit recommendations to ensure that report recommendations are implemented on a timely basis. Provides support to the IT Director, Finance Director, Internal Control Staff, External Auditors, and to Management with respect to information technology and its application to the business.
  • Identify security controls and construct a compliance matrix for tracking.
  • Apply appropriate information security control for federal information system based on NIST 800-37, evaluate threats and vulnerabilities based on tenable reports.
  • Working directly with ISSO in the review of packages such as system security plan (SSP) to ensure the SSP is updated based upon findings in the requirement traceability matrix (RTM), and spearhead team of information security professionals responsible for the development of security policies, procedures, and security assessment and authorization (aa) packages for various commercial and government entities.
  • Providing security support to information system security officers (ISSO) and point of contact on the FISMA and NIST process.
  • Initiate security assessment and authorization environments such as system security categorization, development of security and contingency plans, security testing and evaluation, system accreditation and continuous monitoring.
  • Reviewing privacy threshold analysis (PTA) privacy impact assessment (PIA), and a system of record notice.
  • Developed, published and implemented standards and guidance related to supplier security control requirements.
  • Preparing comprehensive and executive assessment authorization (AA) packages for approval of an.
  • Ensuring customers adhere strictly to security policies and procedures following NIST 800-53 NIST 800-53a.
  • Work with process owners and external auditors to manage and execute controls testing.
  • Conducted IT-Security standards/compliance assessments/shared assessments.
  • Reviewing artifacts and removed any PII (personally identifiable information) for audit requests. Perform vulnerability scanning and analysis with Nessus.
  • Directly manage and escalate outstanding remediation items to ensure timely completion.
  • Understanding of internal control concepts and experience in applying them to perform, manage and report on the evaluation of the business processes/areas/functions
  • Strong verbal and written communication skills, to effectively present to peers and business management.
  • Managed cloud infrastructure security using IAM roles for AWS, least privilege security practices, password policies, groups, individual users, and configuring multi-factor authentication for privileged users.
  • Experience with a variety of frameworks and regulations (e.g. NIST, PII, PCI, GLBA, GDPR, FFIEC, HIPAA, SOX, ISO 27001, SSAE16, SOC1/II, COBIT, COSO, etc.)

Hire Now