IT Audit, Security and Risk Consultant Resume
Jersey City, NJ
SUMMARY
- Information Security, IT Risk and Compliance Professional: Third Party Security Risk Management, Assessment, Analysis, Remediation, IT Auditing, Cyber Security, Privacy, Business Continuity, Disaster Recovery, ISO 27001 Implementation, Policy and Procedure Development, NYS DFS 500, NIST CSF
- Expertise in IT Management, IT Governance, IT Risk Assessment, Business Continuity, Disaster Recovery, Data Center Reviews, Developing Policy and Procedures, IT Audit, COSO, COBIT, RISK IT, Identity & Access Management (IAM), Data Classification, PCI-DSS, Access Control Remediation, Incident Management, Third Party Risk Assessment, RSA Archer, Shared Assessments Methodology, SIG, SIG/AUP, AUP, SOC1/SSAE16, SOC2, SOC3, ISO 2700X, ISO 27001, ISO 27003, ISO 27005, NIST, NIST 800-53, SANS Top 25, ITIL, GLBA, FFIEC, HIPAA, FISMA
- Innovative, analytical, conceptual, results-driven, highly dedicated, well-organized, customer-oriented, committed to quality, highly disciplined self-starter, able to work independently without supervision and ready, willing and able to deliver excellence collaboratively; high-caliber IT professional with exceptional international IT experience in corporate financial enterprises. Very good knowledge of Excel and PowerPoint.
- Strong ability to interact and communicate, both in writing and verbally, with people at all levels, in both technical and non-technical terms.
- Implementing necessary IT General Controls, IT Security Controls, IT Security Operations
- Interface with non-technical cross-functional business teams in determining the IT security approach, which requires effective communication skills, thus providing information security guidance to business stakeholders
- Proven leadership skills involving managing, developing and motivating teams to achieve their objectives. Outstanding organizational, follow-up and problem-solving skills
TECHNICAL SKILLS
- ISO 27001 Certification from BSI, ISMS
- Business Continuity Planning, BIA, Disaster Recovery
- Third Party Risk Management
- COBIT, COSO, IT Audit
- IT Operations Management
- Access Remediation
- IT Processes, IT Controls, SOX, SOC
- IT Risk Management
- NIST, FIPS, FISMA, NIST CSF, FFIEC
- SDLC Lifecycle
- Operating Systems: Windows / Unix
- ISO 9001 Implementation
- Security Awareness Training
- IT Risk Analysis, ISACA RISK IT Framework
PROFESSIONAL EXPERIENCE
Confidential, Jersey City, NJ
IT Audit, Security and Risk Consultant
Responsibilities:
- ISO 27001 Implementation, Gap Assessment
- Third Party Risk Assessments
- Cyber Security Program Development
- IT Risk Assessments
- Business Continuity, Business Impact Analysis
- Disaster Recovery Planning
- IT General Controls (SOX)
- IT Auditing
- GRC Tools Implementation
- Project Management
Confidential, Jersey City, NJ
Third Party Security Risk Assessment SME
Responsibilities:
- Perform information security assessments based on Shared Assessments Methodology
- Vendor Assessment Program based on Shared Assessments.org SIG and AUP
- Execution of On-Site and Remote Assessments
- Execution of the termination process and exit strategy for decommissioned vendors
- Use templates and follow procedures during the assessments for QA compliance
- Review all third-party compliance with policies and procedures, and other compliance reports such as SOC reports and pentests
- Complete the assessments with relevant findings by collecting the evidence, and provide recommendations for remediation
- Provide metrics on a regular basis (KPI / KRI)
- Provide feedback for improvements of the policies and procedures
Confidential, Roseland, NJ
Third Party Security Risk Assessment Lead
Responsibilities:
- Take ownership of Vendor Risk Management Program
- Assume responsibility for all activities regarding the contract management database, including reporting, due diligence, and quality assurance
- Working on multiple assessment engagements concurrently based on a Third Party Assessment Program
- Initiate, scope and plan Third Party Security Risk Assessments of new and existing vendors by coordinating with business owners and third party suppliers and service providers as per Confidential Third Party Risk Management policies and procedures
- Perform Information Security risk based remote assessments, and onsite assessments when required
- Identify control deficiencies and risks with the Third Party suppliers, service providers
- Standardized, improved and automated the process by adding new communication templates
- Assessments performed based on three levels of vendor profiles (Tier ranking) according to their risk level
- Issue security questionnaires (SIG) based on the Shared Assessments Methodology to vendors through RSA Archer
- Coordinate with the vendor to provide all required documentation based on their Tier rankings, to revalidate vendor appropriate implementation of information security controls; analyze the information to identify information security weaknesses or non-compliance issues with Confidential and industry standards.
- Document, prepare final assessment report at the end of each assessment process, including findings with their risk levels and remediation recommendation with Target Completion Date
- Work with business owners to communicate those gaps and findings to receive Third Party provider’s commitments on the remediation and Target Completion date.
- Seek compensating controls from Third Parties in case they cannot commit to the remediation plans, and work with business owners to seek risk acceptance approvals for these non-compliant issues
- Add those findings to Third Parties Risk Register and ensure the follow-up by business owners.
- Work with business owners to validate the remediation is completed to close the findings in Risk Register
- Give proactive suggestions to improve the Assessment Process in order to be more effective on the overall process
- Escalate issues associated with vendors as needed to management.
Confidential, Jersey City, NJ
Identity Access Management (IAM) Consultant
Responsibilities:
- Identity and Access Management Project - Global Application Access Remediation Project
- Reviewed and redesigned access control roles for all Support Team Members as L1, L2, L3, DO.
- Implemented special software (PowerBroker) based on Role Based Access Control (RBAC)
- Led regular meetings with the application owners (ITAO), business managers and stakeholders to provide/obtain status updates and feedback
- Provided training on the remediation process, validation of roles and presence of users, and reporting of investigated compliance issues, escalating when necessary
- Reviewed, evaluated and performed the risk assessment for the existing roles of support team members, restricting their direct access to the application servers
- Ensured that remediation met the identified criteria and regulations, and bank security policies and procedures, enforcing the “Least Privilege” rule across all assets, data and applications
- Ensure the segregation of duties (SOD) between all support team members has been met on the application environments across all business units and all sites including US, Germany, UK, Hong Kong, Singapore, and Japan with tight regulatory committed delivery deadlines.
- Accomplishment: Implemented PowerBroker software on 149 applications within 24 months.
- The project completion remediated serious audit findings, bringing the Bank to a more compliant level for regulations.
Confidential, New York City, NY
QMS Consultant
Responsibilities:
- Quality Management System (ISO 9001:2008) Project
- Implemented the QMS in all business units, helping to develop Policies, Standard Operating Procedures (SOPs) and Work Instructions (WI) based on the day-to-day business workflows
- Installation of ISOXpress Document Management Tool in all business units of New York Office
- Document Management on ISOXpress Tool and Confidential Exchange
- ISO 9001 certification gave the organisation a foundation for better customer satisfaction, staff motivation and continual improvement.
Confidential
Information Security Officer (ISO)
Responsibilities:
- Implemented the ISO 27001 Standard successfully. Developed IT security policies and procedures
- Helped IT and business units implement security policies and procedures (ISO 27001)
- Handled policy exceptions and kept records of them for risk acceptance
- Built the ISMS Framework and IT Risk Management Methodology (ISO 27001)
- Developed and organized security awareness training sessions
- Built the full PDCA Cycle (ISO 27001)
- Managed Business Continuity Project
- Performed Business Impact Analysis (BIA) for all applications for BCP
- Implemented the Information / Data Security Program effectively
- Worked on Access Control Management Policy and Procedures and implemented new ones, including periodic User Access Reviews, and built Access Control KPIs
- Worked to define the data strategy and information baseline to draw the corporate enterprise data map, in order to help build the data inventory of the information assets (ISO 27001)
- Organized workshops with business teams related to the Information Assets and IT Risk Management (ISO 27001)
- Data Inventory & Data Classification (ISO 27001)
- Data Handling Policy and Procedures (ISO 27001)
- Developed Third-Party Vendor Management Procedures and coordinated Information Security Risk Assessments with Third Party vendors (ISO 27001)
- ISO 27001 project completion enabled the Bank’s IT Department to work in a well-documented environment and remediated several audit findings, raising the Bank’s compliance level for regulations and increasing the level of information security awareness among employees.
Confidential
Regional IT Audit Director
Responsibilities:
- Managed a small team of high-caliber IT Auditors, performing risk-based IT Audits.
- Developed and performed IT Audit Work Programs based on the COBIT Framework.
- Took part in the E-Purse Project (PCI-DSS)
- Organized training sessions for the Turkish Military for the E-Purse Project.
- Some of the IT audit programs that were prepared and performed:
- System Development Life Cycle (SDLC)
- Information Security
- E-mail System
- Data Center Operations
- Oracle Database Management
- Retail Banking Applications (ATM, Credit Card Systems)
- Network Management (LAN / WAN)