Senior Cybersecurity Third Party Governance Analyst Resume

Mclean, VA

SUMMARY

  • Over 10 years of IT risk management experience in third party risk, internal controls, information security, audit and risk governance
  • Extensive experience using the Shared Assessments Framework (SIG, SCA), Trusight BPQ & Cloud Security Alliance CAIQ
  • Good knowledge of Third Party Risk Management regulations (OCC, FDIC, FRB, CFPB, FFIEC, NYDFS)
  • Broad understanding of Information Systems Security/Risk, IT Auditing and ITIL (Information Technology Infrastructure Library)
  • Extensive experience in Process and control design, remediation, or improvement initiatives
  • In-depth knowledge of web technologies, relational databases and multi-tier applications

TECHNICAL SKILLS

GRC: RSA Archer, KY3P, MetricStream, Prevalent, Process Unity, ServiceNow GRC

Databases: Oracle 10g, 11g, MS SQL Server 2008, Sybase ASE, DB2

Languages: VBA, SQL, Java

Basic: MS Excel (Advanced), MS Word, MS Access, MS Project, MS Visio

Collaboration: SharePoint, Jira, ServiceNow

Other: RiskRecon, Bitsight, SecurityScorecard, Normshield

PROFESSIONAL EXPERIENCE

Confidential, McLean, VA

Senior Cybersecurity Third Party Governance Analyst

Responsibilities:

  • Responsible for enabling secure supplier relationships by performing initial risk assessments and ongoing monitoring of third party vendors that store, process, and/or transmit the firm’s data.
  • Performed third party risk management activities such as supplier security assessments/reviews, contractual terms analysis, and ongoing monitoring of supplier adherence to security commitments
  • Performed vendor due diligence using the Shared Assessments guidelines (SCA, SIG, VRMM)
  • Assessed adherence to security controls using standard audit and assessment methodology (e.g. inquiry, inspection, observation)
  • Addressed risk utilizing standardized and consistent methodology
  • Integrated emerging risk control requirements into the existing third party cyber risk management assessment process
  • Provided recommendations to remediate control gaps and assisted with project management on remediation efforts
  • Executed assessment kick-off, planning, and scoping activities for risk assessments
  • Executed on-site, desktop, or virtual risk assessments
  • Developed and managed structured third party risk identification, assessment, and treatment programs
  • Assessed remediation plans and non-compliance acceptances where Information Security standards compliance could not be achieved in the environment; and validated evidence from vendors before findings were closed.
  • Gathered and documented risk & control assessment results, working as a liaison with Divisional Risk Officers to help the business understand control deficiencies
  • Wrote assessment reports including executive summaries and work papers detailing the assessment work completed, evidence reviewed, and identified gaps
  • Supported initiatives to drive quality assessment reporting by reviewing assessment results and confirming the appropriateness of risk ratings based on engagement risk
  • Provided weekly inherent risk assessment completion reports using Excel, leveraging VLOOKUPs and macros

Confidential, New York, NY

Senior Cybersecurity Third Party Governance Analyst

Responsibilities:

  • Performed onsite/remote assessment of third parties
  • Reviewed security policies, procedures, standards and guidelines
  • Tested IT controls to validate effectiveness
  • Contributed to Cyber assessment metrics and GRC reporting to senior management to influence risk based results
  • Performed vendor due diligence using the SIG as the risk survey
  • Logged findings and exception in Archer
  • Identified and assessed risk, determined applicable controls which mitigate risk, and communicated opportunities for control improvements to third party vendors
  • Challenged security control design at third parties that use the latest information technology, from cloud to big data analytics
  • Developed process for assessing security controls within cloud environments
  • Served as a subject matter expert and/or provided direction on process, projects, and issues pertaining to third party cloud security
  • Developed and managed third party operational (KPI) and risk (KRI) metrics
  • Collaborated with business partners to manage third party cybersecurity risks
  • Served as a mentor and shared knowledge with more junior team members and internal stakeholders
  • Kept abreast of the latest information security trends, applied them to risk analysis, and incorporated them into the team's risk assessment methodology

Confidential, Jersey City, NJ

IT Risk Manager

Responsibilities:

  • Performed onsite and remote assessments of vendor engagements
  • Performed vendor documentation review and analysis
  • Documented and reported risk to Vendor Assessment management team, business partners and vendors
  • Reviewed completed SIG questionnaires and supporting documentation
  • Reviewed and approved exception requests in Archer
  • Documented risks and recommendations based on a vendor’s lack of controls
  • Identified and measured risk associated with vendor security controls
  • Tested IT controls (content filtering, password lockout etc.) and documented gaps
  • Provided recommendations to remediate control gaps and assisted with project management on remediation efforts
  • Developed and maintained currency of supporting procedures and documentation to provide a reference source for ensuring consistency of future activities
  • Performed BCP analysis on vendor hosted systems to determine if vendor RTO met company’s requirement
  • Assisted with various third party risk management program initiatives working closely with the Third Party Risk Management Leads
  • Performed onsite and remote assessment of third parties.
  • Identified opportunities to improve risk posture, developing solutions for remediating or mitigating risks and assessing the residual risk
  • Identified and assessed potential risks by performing walkthroughs of data centers, gathering essential data, and auditing functions; recommended and implemented corrective action when necessary
  • Created and presented reports for system owners and senior management.
  • Collaborated directly with large groups of information technology and business stakeholders.
  • Reviewed security policies, procedures, standards and guidelines

Confidential, Jersey City, NJ

IT Risk Lead

Responsibilities:

  • Developed and created the IRQ and CRQ for IT Risk Assessment.
  • Conducted IT Risk assessments on Applications, Infrastructure and processes and coordinated with respective owners/source teams for remediation.
  • Reviewed security policies, procedures, standards and guidelines.
  • Oversaw completion of risk remediation plans to ensure they were consistent with enterprise-wide risk appetite, policies and standards
  • Maintained the Process Risk Control (PRC) library and managed the RCSA
  • Mapped internal IT security controls to frameworks.
  • Collated and quality assured data provided to other departments such as Risk Management and Internal Audit.
  • Created BRD/FRD for risk assessment tool
  • Created and defined the issue management process flow

Confidential, Jersey City, NJ

IT Risk Manager

Responsibilities:

  • Conducted application classification assessment
  • Reviewed BIA results in identifying critical business systems
  • Ensured IT Risk and Security Control issues were addressed, and respective corrective action plans were completed on committed dates.
  • Managed application security testing review & application vulnerability assessments to identify potential risks.
  • Tracked the statuses of RCSA issues, action plans, risk acceptances and change requests in Archer and worked with responsible source teams to resolve them
  • Mapped internal IT security controls to frameworks
  • Project management/leadership for governance, risk management, internal controls, security, compliance, and audit programs
  • Conducted IT Risk assessments and logged all findings to monitor and coordinate with respective owners/source teams for remediation.
  • Provided support for 3rd party/ vendor assessments reviews.
  • Performed Control Break Analysis
  • Managed the Exception Register to record and monitor non-compliance/variance
  • Developed, maintained and enhanced security processes and procedures per standards and best practices
  • Created and managed IT Risk & Control dashboard - RCSA Units, RCSA Issues, Control Procedures, Control Test Reports, Risk Reports
  • Prepared weekly and monthly status reports for stakeholders

Confidential, Jersey City, NJ

Third Party IT Risk Analyst

Responsibilities:

  • Engaged multiple LOB Delivery Managers for firm-wide critical suppliers to ensure compliance with all required assessments per the JPMC policy and procedures.
  • Implemented information risk processes, executed and monitored risk-related procedures, promoted risk policy awareness, and/or tracked and reported on risk compliance in line with established IT Control policies, processes and procedures
  • Led the Service Organization Control (SOC) SSAE 16 Review and also third party reviews under the OCC initiative.
  • Performed vendor due diligence using the SIG
  • Drove all aspects of the risk assessment of firm-wide critical suppliers, service providers.
  • Assessed completed questionnaire and supporting materials to ensure completeness and accuracy
  • Identified control breaks and vulnerabilities with third party.
  • Documented findings and worked with the LOB Delivery Manager to resolve those findings through Remediation Plans (RPs) or seek Non-Compliance Acceptance (NCA) approvals.
  • Validated evidence from third party before Remediation Plans are closed.
  • Escalated issues associated with third parties as needed.
  • Assisted with various third party risk management program initiatives
  • Supported internal education and best practices sharing with peers and colleagues

Confidential, New York, NY

Information Security Analyst

Responsibilities:

  • Conducted interviews with Process Owners, Administrators and Functional Heads to document how Information Security processes are performed
  • Provided information assurance support to TISOs and ITAOs to form, evaluate and maintain all security agreements according to required standards.
  • Provided policy clarification, guidance and procedure interpretation to managers, data owners, project leads, application development teams, system operators and users
  • Assisted in the implementation of controls to ensure the appropriate level of protection and adherence to the goals of the overall information security strategy.
  • Assisted in the development of access-controls and SOD.
  • Assisted in the testing of Sarbanes-Oxley (SOX), Service Organization Control (SOC) SSAE 16 Review
  • Participated in the development and maintenance of global information security policy
  • Researched and reported on information security events and incidents
  • Helped maintain and support the organization's security requirements/infrastructure and other components of the Information Security Program
  • Reviewed security waivers for security technology or practices that deviate from established architecture and standards.
  • Reviewed and documented practices and procedures on technical processes for a development project of a target operating model
  • Flowcharted as-is/to-be procedures for security domains for the target operating model

Confidential, Jersey City, NJ

IT Risk Consultant

Responsibilities:

  • Worked with the Technical Access Management Team to gather responses from ITAOs through questionnaires to assess the level of compliance to the bank’s security policies, MAS and FRB guidelines
  • Identified control gaps and Vulnerabilities
  • Analyzed user information and database design to evaluate the level of compliance of the application to regulatory policies
  • Performed security risk assessments to identify security weaknesses and proposed remediation controls
  • Ensured that all remediations were planned, capturing risks and issues
  • Verified and validated evidence of remediation in order to close Remediation Plans
  • Built and maintained effective relationships with IT Application Owners and other contacts to ensure that application access remediation is planned and executed efficiently
  • Engaged Application owners, managers and database administrators to ensure that the correct processes are adhered to as specified in the Confidential IT security policy documentation
  • Created Global change management tickets and service requests for access to various databases so as to be able to carry out database remediation
  • Developed infrastructure documentation and procedures as needed for applications to comply with different regulatory policies
  • Worked with IT Application owners and database production support team to ensure correct implementation of new access controls within the specified applications
  • Ensured applications were included in the recertification process
  • Provided regular updates to stakeholders, including but not limited to Functional Delivery Managers, Technical Delivery Managers, Regulatory Program Managers, Technical Access Management and the IT security steering committee

Confidential

Information Security Analyst

Responsibilities:

  • Conducted risk assessments of information systems as per Bank's methodology and technical security standards
  • Prepared and presented reports and metrics on the status of completed assessments and the progress of remediation actions.
  • Maintained an awareness of existing and proposed security standards, industry best practices, legislation and regulations pertaining to Information Security and recommended appropriate changes
  • Collaborated with members of the Information Security team and colleagues from other IT disciplines to identify and propose practical solutions to resolve issues
  • Recommended security controls and/or corrective actions for mitigating technical or business risk
  • Performed and created procedures for security audits
  • Syndicated identified risks with stakeholders, recorded risks in the risk register, reviewed management responses, and followed up accordingly on the status of remediation
  • Assisted in the development of database access controls and separation of duties
  • Performed periodic security review of privileged accounts
  • Communicated any violation of controls to appropriate team members and ensured compensating controls were implemented.
  • Developed and improved multiple processes in the areas of IT Security like User Access Management and Program change management.
  • Maintained system security roles, permissions and privileges while maintaining SOD controls with Security committee approvals.
  • Supported the overall IT control practices, remediation, action plan execution and QA

Confidential

IT Auditor

Responsibilities:

  • Performed assessment of IT internal controls as part of financial statement audit, Internal and operational audits, Attestation engagement and Audit readiness.
  • Led the testing of Sarbanes-Oxley (SOX), Service Organization Control (SOC) SSAE 16 Review
  • Reviewed IT General Controls (ITGC) for various applications, databases and operating systems.
  • Documented control weaknesses and related testing exceptions.
  • Identified and communicated IT audit findings to senior management and client.
  • Documented work completed by preparing work papers.
  • Maintained a good working relationship with clients to enhance customer satisfaction and work with client management and staff at all levels to perform audit services.
  • Performed all stages of audit, including planning; fieldwork/execution; reporting and follow-up.
  • Assisted in special projects such as Segregation of Duties (SOD) and Compliance business challenge projects, PCI DSS and HIPAA; identified conflicts or inadequate internal controls and provided recommendations
  • Evaluated the status of the internal control environment within business units and provided recommendations to ensure control gaps were remediated
  • Conducted and supervised all aspects of the end-to-end IT audit process to include engagement planning, coordination, scope determination, risk and control identification, design of audit program procedures, testing, and evaluation and analysis of results

Confidential

Data Analyst

Responsibilities:

  • Used Excel, Access and VBA in the development of robust and flexible reporting systems
  • Retrieved data from data warehouse and generated a series of meaningful business reports using SSRS and Cognos.
  • Performed and conducted complex custom analytics as needed by stakeholders.
  • Designed and developed specific databases for collection, tracking and reporting of data.
  • Established, maintained and distributed daily, weekly and monthly reports
  • Audited data, created data reports and monitored all data for accuracy
  • Performed data cleansing, checking for data redundancy and duplicates and reporting on all findings
  • Assisted in the development of Metrics to measure the business data cleansing progress
  • Created reports using SAP Crystal Reports, BO XIR3 and web intelligence
  • Assisted in the development of cross functional, robust and flexible reporting
  • Manipulated data with SQL
  • Ran and distributed scheduled financial reports, including management reports for the business relating to KPIs, debt and other financials, using Excel and VBA
  • Ensured data held within the system passed quality control guidelines and data integrity was maintained, including data cleansing