
Senior Third-party Risk Analyst Resume


SUMMARY

  • I am an IT risk analyst with years of experience as an IT auditor, vendor/third-party risk assessor, security analyst and information systems auditor, with in-depth knowledge of HITRUST, SSAE 18, SOC 1, SOC 2, SIG, NIST (Confidentiality, Integrity, Availability; Access Control; Audit and Accountability), PCI DSS, general computer controls, compliance testing, risk assessment, change management, security maintenance, and policies and procedures.

PROFESSIONAL EXPERIENCE

Confidential

SENIOR THIRD-PARTY RISK ANALYST

Responsibilities:

  • Plan and conduct security risk assessments for all third-party vendors/suppliers.
  • Work with vendors to ensure adequate tiering for the vendors based on the level of data they have access to.
  • Design and continually update supplier questionnaires so that newly identified threats are covered.
  • Administer questionnaires to all vendors to determine control effectiveness.
  • Conduct onsite and virtual risk assessments to continuously determine the security posture at the vendor site.
  • Review and validate all controls at the vendor site to ensure data confidentiality.
  • Validate security questionnaire responses during onsite visits to confirm that data protection at the vendor site is current.
  • Conduct onsite risk assessments based on agreed-upon procedures guidelines.
  • Review all essential security policy and procedure documentation.
  • Provide detailed assessment reports to business owners and the vendor management office.
  • Work as a remediation analyst to ensure all gaps discovered during the assessment are remediated or mitigated in a timely manner.
  • Escalate issues of third-party vendor non-compliance to the vendor risk management office (VMO).
  • Perform continuous monitoring by assessing tools during onsite visits to validate the security questionnaires completed by vendors and to ensure protection of data at vendor sites.
  • Use e-GRC tools such as RSA Archer to communicate findings securely and promptly, deploy questionnaires to vendors, and track vendor progress on remediation.
  • Ensure third-party relationships adhere to company policies and procedures and comply with regulatory guidelines and industry best practices.
  • Facilitate remediation of third-party-related operational issues as needed.
  • Assess the operational fitness of assigned third parties through due diligence reviews.
  • Provide ongoing monitoring for third-party risk due diligence.

Confidential

SENIOR THIRD-PARTY RISK ANALYST / SECURITY CONTROL ASSESSOR

Responsibilities:

  • Improved existing tools for recording and tracking vendor assessments.
  • Developed a methodology for risk-ranking vendors and streamlined the level of effort for each assessment.
  • Ensure third-party relationships adhere to company policies and procedures and comply with regulatory guidelines and industry best practices.
  • Developed and implemented a continuous monitoring process for the vendor management program.
  • Developed and updated policies as required.
  • Plan and conduct security risk assessments for all third-party vendors/suppliers.
  • Design and continually update supplier questionnaires so that newly identified threats are covered.
  • Administer questionnaires to all vendors to determine control effectiveness.
  • Conduct onsite and virtual risk assessments to continuously determine the security posture at the vendor site.
  • Review and validate all controls at the vendor site to ensure data confidentiality.
  • Validate security questionnaire responses during onsite visits to confirm that data protection at the vendor site is current.
  • Review all essential security policy and procedure documentation.
  • Provide detailed assessment reports to business owners and the vendor management office.
  • Work as a remediation analyst to ensure all gaps discovered during the assessment are remediated or mitigated in a timely manner.
  • Perform advisory and challenge functions regarding the TPRM program for the business units (first line).
  • Validate that business units (first line) are executing the TPRM program requirements effectively.
  • Review third-party risk assessments for conformance to program objectives and methodology.
  • Assist in researching, reviewing, developing and maintaining TPRM policies and standards that comply with federal and state regulatory requirements.
  • Monitor the tracking of issues, gaps, exceptions and mitigation plans related to third-party risks to ensure timely resolution.
  • Prepare third party portfolio reporting of risk and performance to senior executives.
  • Ensure timely and accurate escalation of issues and observations of non-compliance or risks outside of acceptable thresholds.

Confidential

THIRD PARTY RISK ANALYST

Responsibilities:

  • Administered assessment questionnaires to our vendors.
  • Performed continuous monitoring by assessing tools during onsite visits to validate the security questionnaires completed by vendors and to ensure protection of data at vendor sites.
  • Conducted onsite risk assessments based on agreed-upon procedures guidelines.
  • Reviewed key vendor-provided documentation such as SSAE 18 (SOC) Type II reports and HITRUST reports.
  • Used e-GRC tools to communicate findings securely and promptly, deploy questionnaires to vendors, and track vendor progress on remediation.
  • Reviewed access control management at the vendor site.
  • Acted as remediation analyst, working with vendors to remediate findings discovered during onsite/virtual assessments.
  • Assessed areas such as business continuity and disaster recovery, physical security, system development, operations, access control and incident management.
  • Escalated issues of third-party vendor non-compliance to the vendor management office.
  • Planned and executed onsite security/risk assessments for third-party vendors.
  • Performed data loss prevention (DLP) assessments of our data at the vendor site.
  • Carried out various types of vendor assessments (onsite, virtual and risk assessments) depending on triage information from the vendor management office.
  • Acted as peer reviewer for colleagues to ensure all findings are accurate and well defined.
  • Validated all controls at the vendor site to ensure the confidentiality, integrity and availability of our data in their custody.
  • Worked with vendors to ensure discovered risks are remediated within a reasonable time.

Confidential

IT AUDITOR

Responsibilities:

  • Performed audit of IT general and application controls, information security, systems development, change management, business continuity, disaster recovery and computer operations.
  • Performed IT general controls testing for Sarbanes-Oxley (SOX) Section 404 compliance and Service Organization Control (SOC) reports/SSAE 18 (formerly SAS 70).
  • Performed IT infrastructure audits testing default accounts, vendor updates and patches, password settings, and unnecessary services running across platforms such as UNIX, Windows, mainframe, network devices, firewalls, databases and Active Directory.
  • Participated in SAP transaction testing, including testing of segregation of duties, to assist the client in improving user management, authentication management, authorization management, access management and provisioning capabilities.
  • Helped configure the gap analysis between the AS-IS and TO-BE states.
  • Tested general computer controls and business process application controls using the COSO, COBIT, PCI DSS and NIST Rev. 4 frameworks, and performed walkthroughs and detailed testing to evaluate the design and operating effectiveness of controls.
  • Performed SSAE 18/SOC engagements, overseeing the identification of control objectives, risk assessment, planning and execution of control testing, and documentation of IT general, application and process controls.
  • Performed testing of IT general and application controls in support of external financial audit engagements, including clients requiring SOX compliance, in UNIX, AS/400, SAP, Oracle and PeopleSoft environments.
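The infrastructure audit checks listed above (default accounts, patch level, password settings, unnecessary services) turned into a script for a UNIX host, as an added example; this is not code from this resume or any employer. The file contents and listening-socket listing are constructed samples, and the baseline thresholds, well-known account list and minimum package versions are assumed for illustration.

```python
"""ITGC-style configuration checks against a UNIX host: default/well-known
accounts, password ageing and length settings, patch level of key packages,
and unnecessary listening services. Each check returns (category, subject,
detail) findings that can be dropped straight into a workpaper.

All evidence strings below are constructed samples, not captured from a real
system; the baseline values are assumed for illustration."""
import re

# --- constructed evidence (what you would collect with cat /etc/shadow,
# cat /etc/login.defs, rpm -q / dpkg -l, and ss -lntup on the host) ---
SHADOW = """root:$6$abc:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
oracle::19000:0:99999:7:::
guest:$6$def:19000:0:99999:7:::
appuser:$6$ghi:18000:0:99999:7:::
"""
LOGIN_DEFS = """# /etc/login.defs (sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""
PACKAGES = """openssl 1.0.2k
bash 4.2.46
sudo 1.8.6
"""
LISTENING = """tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:23 telnetd
tcp 0.0.0.0:1521 tnslsnr
udp 0.0.0.0:111 rpcbind
"""

# --- assumed audit baseline ---
MAX_PASS_DAYS = 90
MIN_PASS_LEN = 12
WELL_KNOWN_ACCOUNTS = {"guest", "oracle", "admin", "test"}
UNNECESSARY_SERVICES = {"telnetd", "rpcbind", "rshd", "ftpd"}
MIN_VERSIONS = {"openssl": "1.0.2k", "sudo": "1.8.28"}  # assumed patch floors


def _locked(pw_field):
    # "*", "!" or "!!" (or a "!"-prefixed hash) means no password login is possible
    return pw_field.startswith(("*", "!"))


def check_accounts(shadow):
    """Empty passwords, enabled well-known accounts, and per-user max password age."""
    findings = []
    for line in shadow.splitlines():
        if not line.strip():
            continue
        user, pw, _last, _min, max_days = line.split(":")[:5]
        if pw == "":
            findings.append(("default_account", user, "empty password field"))
        elif user in WELL_KNOWN_ACCOUNTS and not _locked(pw):
            findings.append(("default_account", user, "well-known account enabled"))
        if pw and not _locked(pw) and max_days.isdigit() and int(max_days) > MAX_PASS_DAYS:
            findings.append(("password_setting", user, f"max age {max_days} > {MAX_PASS_DAYS}"))
    return findings


def check_login_defs(text):
    """System-wide password policy in /etc/login.defs."""
    settings = dict(re.findall(r"^(PASS_\w+)\s+(\d+)", text, re.M))
    findings = []
    if int(settings.get("PASS_MAX_DAYS", 99999)) > MAX_PASS_DAYS:
        findings.append(("password_setting", "login.defs", f"PASS_MAX_DAYS={settings.get('PASS_MAX_DAYS')}"))
    if int(settings.get("PASS_MIN_LEN", 0)) < MIN_PASS_LEN:
        findings.append(("password_setting", "login.defs", f"PASS_MIN_LEN={settings.get('PASS_MIN_LEN')}"))
    return findings


def _vtuple(version):
    # "1.8.28" -> (1, 8, 28); "1.0.2k" -> (1, 0, 2, "k"); compares same-shaped versions
    return tuple(int(t) if t.isdigit() else t for t in re.findall(r"\d+|[a-z]+", version))


def check_patches(packages):
    """Installed package versions below the assumed minimum patched version."""
    findings = []
    for line in packages.splitlines():
        if not line.strip():
            continue
        name, version = line.split()
        floor = MIN_VERSIONS.get(name)
        if floor and _vtuple(version) < _vtuple(floor):
            findings.append(("patch_level", name, f"{version} < required {floor}"))
    return findings


def check_services(listening):
    """Listening daemons that the baseline says should not be running."""
    findings = []
    for line in listening.splitlines():
        if not line.strip():
            continue
        proto, addr, proc = line.split()
        if proc in UNNECESSARY_SERVICES:
            findings.append(("unnecessary_service", proc, f"listening on {proto} {addr}"))
    return findings


def audit_host(shadow=SHADOW, login_defs=LOGIN_DEFS, packages=PACKAGES, listening=LISTENING):
    return (check_accounts(shadow) + check_login_defs(login_defs)
            + check_patches(packages) + check_services(listening))


def summarize(findings):
    counts = {}
    for category, _subject, _detail in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, subject, detail in audit_host():
        print(f"{category:20} {subject:12} {detail}")
    print(summarize(audit_host()))
```

On the sample evidence this reports two default-account findings (an empty password field on `oracle` and an enabled `guest` account), five password-setting findings, one package below its patch floor and two unnecessary services; the same functions can be pointed at real collected files by swapping in their contents.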
