
Senior Third Party Risk Analyst Resume


PROFILE SUMMARY:

An IT Risk Analyst professional with years of experience in performing IT Audit, Vendor/Third Party Risk Assessment and Security Control Assessment, with in-depth knowledge of CSAE/SSAE (SOC 1, SOC 2), NIST, SIG and PCI-DSS to achieve Confidentiality, Integrity and Availability of Information Systems. Knowledge of Access Control, Audit and Accountability, Compliance Testing, Risk Assessment, Change Management, Security Maintenance, Policies, Procedures, and Incident Response.

PROFESSIONAL EXPERIENCE:

Confidential

Senior Third Party Risk Analyst

Responsibilities:

  • Review and validate all controls at the vendor site to ensure data confidentiality.
  • Validate security questionnaires during onsite visits to ensure up-to-date data protection at the vendor site.
  • Conduct on-site risk assessments based on agreed-upon procedures guidelines.
  • Review all essential security policies and procedures documentation.
  • Provide detailed reports of assessments to business owners and the vendor management office.
  • Work as a remediation analyst to ensure all gaps discovered during the assessment are remediated or mitigated in a timely manner.
  • Plan and conduct security risk assessments for all third-party vendors/suppliers.
  • Experience with e-GRC tools such as RSA Archer to ensure secure and prompt communication of findings, deployment of questionnaires to the vendor, and tracking of vendor progress on remediation.
  • Ensure third-party relationships adhere to the company’s policies and procedures and comply with regulatory guidelines and industry best practices.
  • Design and constantly upgrade suppliers’ questionnaires to ensure all areas of newly discovered threat signatures are covered.
  • Administer questionnaires to all vendors to determine control effectiveness.
  • Conduct onsite and virtual risk assessments to continuously determine the security posture at the vendor site.
  • Escalate issues of third-party vendor non-compliance to the vendor management office (VMO).
  • Perform continuous monitoring by assessing tools during onsite visits to validate the security questionnaires filled out by the vendors and to ensure protection of data at the vendor sites.
  • Facilitate remediation for any third-party related operational issues as needed.
  • Assess operational fitness of assigned third parties through due diligence reviews.
  • Provide ongoing monitoring for third-party risk due diligence.

Confidential

THIRD PARTY RISK MANAGEMENT

Responsibilities:

  • Performed advisory and challenge functions regarding the TPRM program for the business units (first line).
  • Validated that business units (first line) were executing the TPRM program requirements effectively.
  • Reviewed third-party risk assessments for conformance to program objectives and methodology.
  • Assisted in researching, reviewing, developing, and maintaining TPRM policies and standards that comply with federal and state regulatory laws.
  • Effectively monitored the tracking of issues, gaps, exceptions and mitigation plans as they relate to third-party risks to ensure timely resolution.
  • Tracked and analyzed risk metrics to understand BCD Travel’s overall third-party risk exposure.
  • Prepared third-party portfolio reporting of risk and performance for senior executives.
  • Ensured timely and accurate escalation of issues and observations of non-compliance or risks outside of acceptable thresholds.
  • Evaluated the TPRM program to identify optimization opportunities and provided recommendations for process improvement.
  • Performed business analysis to ensure alignment of TPRM functions with overall organizational and enterprise risk frameworks.
  • Evaluated control libraries and identified when controls needed to be refreshed or added.
  • Served as TPRM subject matter expert for the first line, providing risk management guidance as needed.
  • Performed testing of controls for all phases of the TPRM lifecycle; identified and evaluated deficiencies and assisted with quarterly reporting on test results and issue trends.

Confidential

IT AUDITOR

Responsibilities:

  • In-depth knowledge of performing assessments of IT General Controls (ITGCs) such as Access Control, Change Management, IT Operations, Disaster Recovery and Job Scheduling.
  • Executed Computer Assisted Audit Techniques using software tools such as Monarch Pro, Microsoft Access, and IDEA to analyze data.
  • Experience in reviewing Service Organization Control (SOC) reports prepared in compliance with SSAE 18.
  • Performed audits of IT general and application controls, information security, systems development, change management, business continuity, disaster recovery and computer operations.
  • Implemented and tested internal controls under Section 404 of the Sarbanes-Oxley Act (SOX), performing walkthroughs of controls and evaluating operating.
  • Performed IT infrastructure audits to test default accounts, vendor updates and patches, password settings and unnecessary running services on systems such as Unix, Windows, Mainframe, network devices, firewalls, databases and Active Directory.
  • Participated in SAP transaction testing, including testing of segregation of duties, to assist the client in improving their user management, authentication management, authorization management, access management, and provisioning capabilities.
  • Performed testing of IT general and application controls in support of external financial audit engagements for clients, including those requiring SOX compliance, in UNIX, AS/400, SAP, Oracle and PeopleSoft environments.
  • Assisted in planning and executing audits and worked closely with financial teams, operations teams, and the risk management team.
  • Coordinated and performed reviews of data center general controls, company server security, operating systems, systems development life cycles, and monitoring procedures relating to physical security over data centers, computer operations and network communications security.
  • Liaised between in-house managers/IT department and external financial and operational auditors.
  • Prepared audit scopes, reported findings and presented recommendations for improving data integrity and operations.
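As an added illustration of the infrastructure audit checks listed above (default accounts, password settings and unnecessary services on a Unix host), and not code from this résumé or from any employer named on it, the following Python script runs the kind of tests an auditor would script against the host's account and service configuration. The /etc/passwd, /etc/shadow, /etc/login.defs and listener samples are constructed for the example, and the 90-day password age and 8-character minimum length are assumed policy thresholds; on a real engagement those come from the client's password standard.

```python
"""Scripted IT general controls (ITGC) checks for a Unix host.

Added example, not the résumé author's code. All inputs below are
constructed samples; thresholds are assumed policy values.
"""
import re

# Constructed /etc/passwd sample (name:x:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup root:/root:/bin/bash
oracle:x:1001:1001:Oracle DB:/home/oracle:/bin/bash
svc_batch:x:1002:1002:batch jobs:/var/batch:/bin/sh
"""

# Constructed /etc/shadow sample (name:hash:lastchg:min:max:warn:inact:expire:).
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor:$6$saltsalt$hashhash:19000:0:99999:7:::
oracle::19000:0:90:7:::
svc_batch:$6$saltsalt$hashhash:19000:1:90:7:::
"""

# Constructed /etc/login.defs excerpt.
SAMPLE_LOGIN_DEFS = """\
# constructed excerpt
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

# Constructed listener inventory in the shape of `ss -ltnp` output:
# (protocol, local address, owning process).
SAMPLE_LISTENERS = [
    ("tcp", "0.0.0.0:22", "sshd"),
    ("tcp", "0.0.0.0:23", "telnetd"),
    ("tcp", "127.0.0.1:1521", "tnslsnr"),
    ("tcp", "0.0.0.0:21", "vsftpd"),
]

# Assumed policy thresholds (replace with the client's password standard).
MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_LENGTH = 8
# Cleartext daemons an auditor challenges when bound beyond loopback.
CLEARTEXT_SERVICES = {"telnetd", "vsftpd", "rshd", "rlogind"}


def parse_colon_file(text):
    """Split a passwd/shadow style file into field lists, skipping comments."""
    return [line.split(":") for line in text.splitlines()
            if line and not line.startswith("#")]


def check_accounts(passwd_text, shadow_text):
    """Flag extra UID-0 accounts, empty password fields and non-expiring passwords."""
    findings = []
    for fields in parse_colon_file(passwd_text):
        name, uid = fields[0], int(fields[2])
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
    for fields in parse_colon_file(shadow_text):
        name, pw_hash, max_days = fields[0], fields[1], fields[4]
        if pw_hash == "":
            findings.append(f"{name}: empty password field (login without password)")
        elif not pw_hash.startswith(("*", "!")) and int(max_days or 99999) > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"{name}: password max age {max_days} exceeds {MAX_PASSWORD_AGE_DAYS} days")
    return findings


def check_login_defs(login_defs_text):
    """Parse PASS_* aging settings from login.defs and compare them with policy."""
    settings = {}
    for line in login_defs_text.splitlines():
        m = re.match(r"^\s*(PASS_[A-Z_]+)\s+(\d+)", line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    findings = []
    if settings.get("PASS_MAX_DAYS", 99999) > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"PASS_MAX_DAYS={settings.get('PASS_MAX_DAYS', 'unset')} exceeds {MAX_PASSWORD_AGE_DAYS}")
    if settings.get("PASS_MIN_LEN", 0) < MIN_PASSWORD_LENGTH:
        findings.append(f"PASS_MIN_LEN={settings.get('PASS_MIN_LEN', 'unset')} below {MIN_PASSWORD_LENGTH}")
    return {"settings": settings, "findings": findings}


def check_listeners(listeners):
    """Flag cleartext-protocol daemons listening on a non-loopback address."""
    findings = []
    for proto, local_addr, process in listeners:
        host = local_addr.rsplit(":", 1)[0]
        if process in CLEARTEXT_SERVICES and host not in ("127.0.0.1", "::1", "[::1]"):
            findings.append(f"{process} listening on {proto} {local_addr}: cleartext service exposed beyond loopback")
    return findings


def audit_host(passwd_text, shadow_text, login_defs_text, listeners):
    """Run all checks and group the findings by control area."""
    return {
        "accounts": check_accounts(passwd_text, shadow_text),
        "password_policy": check_login_defs(login_defs_text)["findings"],
        "services": check_listeners(listeners),
    }


if __name__ == "__main__":
    report = audit_host(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_LOGIN_DEFS, SAMPLE_LISTENERS)
    for area, items in report.items():
        print(f"{area}: {len(items)} finding(s)")
        for item in items:
            print("   ", item)
```

On a live host the same functions are fed the contents of the real files (reading /etc/shadow needs root) and a parsed `ss -ltnp` listing; the script deliberately flags only what the evidence shows and leaves the severity rating to the auditor, since a non-expiring password on a locked service account and one on an interactive UID-0 account are not the same finding.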
