
Chief Information Security Officer Resume

Miami, Florida

SUMMARY

  • Industry Security Frameworks: ISO27001 / FISMA / NIST
  • Risk Management Frameworks: COSO / NIST / ISO27005
  • Payment Industry Architecture, Standards and Guidelines: PCI-DSS 3.2 / PA-DSS / PCI-PTS / BASE I / BASE II / Clearing and Settlement / Chargeback Process / EMV Chip Architecture / Digital Wallet Technology / Mobile Payments and E-Commerce
  • Regulatory Compliance
    • USA Financial (SOX / GLBA / FINCEN / OFAC / BSA-AML / FACTA / SB1386)
    • USA Health (HIPAA Privacy, Security Rule, Security Breach Notification)
    • Global (PIPEDA / EU Data Protection Act / Privacy Shield / GDPR)
  • General Management Practices
    • Operational Risk Management (Heat Maps / Root Cause Analysis / Control Charts / Pareto Analysis)
    • Software Process Management (Carnegie Mellon SEI / Capability Maturity Model)
    • Reporting (PCI ROC, SSAE16 (SOC1 / SOC2), HIPAA Risk Assessments, Privacy Impact Assessments)
    • Business Continuity and Disaster Recovery Planning
    • 3rd Party Vendor Management and Contract Negotiations
    • Employee Management and Coaching
    • Project Management (Project Management Institute PMI / PMBOK)

PROFESSIONAL EXPERIENCE

Chief Information Security Officer

Confidential

Responsibilities:

  • Responsible for the Information Security Program across the organization
  • Responsible for developing information security strategy and implementing information security policies and standards
  • Responsible for leading security risk assessments of organization products and services
  • Responsible for managing 3rd Party Oversight Program
  • Partners with Information Technology, Operations and Legal Counsel in implementing a security strategy that is aligned with the business goals and objectives
  • Partners with Information Technology and Operations in maintaining a Business Continuity and Disaster Recovery Plan
  • Responsible for Information Security Training and Awareness Program across the organization
  • Monitors information security trends and keeps senior management informed of security threats and vulnerabilities that may impact the organization
  • Facilitates Information Security Risk Committee meetings to review security policy revisions and evaluate deployment of security products
  • Partners with Information Technology in oversight of Incident Response Process
  • I report directly to the General Counsel and Chief Compliance Officer of the organization

Senior Information Security and Compliance Officer

Confidential

Responsibilities:

  • Team is responsible for managing operational and security risk for Global Customer Support Services Contact Centers (100+) through identification of risk exposures and examination of controls effectiveness to calculate residual risk.
  • Team is responsible for ensuring adherence to Confidential internal policies, PCI-DSS Standards, and domestic and international regulations such as GDPR, Security Shield and PIPEDA
  • Team conducts security risk assessments of call center environments to ensure they are deployed securely and preserve the confidentiality, integrity and availability of the customer data being processed (PAI / PII / PHI)
  • The risk assessments focus on reviewing controls and safeguards for customer data at rest, in flight, processed by applications and shared with Business Partners.
  • Team examines Business Continuity Planning, Incident Response Process, Call Center Connections (INBOUND/OUTBOUND), Data Loss Prevention (DLP) Capabilities, Endpoint Protection, Software Applications, Access Management Processes, Security Patching and Scanning, Records Retention and Asset Management.
  • Team partners with Global Privacy Office, Global Sourcing and Global Legal Team in maintaining Customer Support Services Contact Centers' overall risk within Confidential's tolerance level and compliant with Global Regulations
  • Team responds to any inquiries from external and internal audit engagements (SOX / FFIEC / GLBA / PCI-DSS)
  • I represent the Global Call Center Oversight Team as a member of the Security Risk Committee

Director of External Penetration Test Team

Confidential, Miami, Florida

Responsibilities:

  • Team conducted all ethical hacks of Confidential Web based applications hosted with 3rd parties
  • Team conducted RFP effort to select three (3) proven service providers to assist with the Team capacity
  • Team established a standardized process for penetration test engagements and negotiated a pricing model with 3rd party providers depending on the type of ethical hack being conducted
  • Team functioned as liaison between the Confidential project teams and the 3rd party service providers to coordinate the establishment of the test environments, test scripts and scheduling of test windows
  • Team validated the 3rd party penetration test reports for accuracy and conducted follow up of pending remediation
  • Team assisted Confidential Product Owner in submitting security exceptions to The Business Controls Working Committee (BCWC) after conducting security evaluation

Director of Information Security

Confidential

Responsibilities:

  • Implemented Miami Information Security Office (ISO) and Confidential Security Program (10 Key Controls) derived from ISO27001 Framework to support regional staff located in Latin America and Canada
  • Provided leadership, supervision, and development of Information Security services to ensure all functions were performed accurately and in a timely fashion
  • Established ISO processes and practices such as vulnerability scanning, security patching, AV deployment, Log Review, Identity Access Management, Information Classification, Information Stewardship, Intrusion Detection Systems (NIDS / HIDS / WIDS), Incident Response Process, Business Continuity Planning, Security Risk Assessments and Ethical Hacking methodology
  • Team made recommendations regarding appropriate administrative, technical and physical security controls required to maintain compliance with SOX, GLBA and PCI DSS Controls and ensure the region's risk levels remained within threshold
  • Team established Risk Management Framework by conducting Business Impact Analysis (BIA), Baseline Risk Assessment, establishment of a Risk Registry used to provide Management Reporting to Security Risk Committee
  • Team provided Yearly Security Training and Awareness to engage all regional employees and explain their roles in the Information Security Program to ensure the region complied with Confidential Policy (10 Key Controls)
  • Team partnered with Information Technology to ensure new and existing system changes aligned with security Policies, Standards and Technical Security Requirements
  • Team worked closely with PMO and Application Development Teams during SDLC to identify application security vulnerabilities as early as possible and ensure compliance to Policy. Prior to deployment, our team conducted a formal information security assessment of the application complemented by an ethical hack exercise
  • Team conducted periodic follow-up of recommended remediation identified in final security assessment report

Director of Information Technology

Confidential

Responsibilities:

  • Participated as an integral member of the organization planning process through the development of company-wide strategic goals, with a focus on how information technology could improve the company's market presence and product delivery.
  • Implemented a company-wide security program (Enterprise Secure) to ensure that organization-wide information security efforts were consistently implemented across the different business units in the US and abroad
  • Identified corporate-wide information needs and developed overall strategies in system development and infrastructure acquisition and maintenance to ensure the confidentiality, integrity and availability of the corporate and commercial networks
  • Developed information security policy and technical standards to ensure secure data exchange with external parties, data protection at rest and in flight, endpoint security, data loss prevention, identification of vulnerabilities, security patching and user access provisioning.
  • Provided direction in the evaluation, selection, implementation of 3rd party products
  • Communicated IT plans and changes in policy periodically throughout the enterprise
  • Developed and maintained an enterprise-wide Business Continuity Plan to ensure timely and effective restoration of services in the event of a disaster or unscheduled interruption.
  • Heavily involved in selection, acquisition, development, and installation of major applications
  • Developed and maintained an appropriate organization structure capable of supporting the information needs of the company through appropriate cost-effective information technology
  • Negotiated service level agreements with 3rd party vendors and monitored service level support

Manager National Shared Tables

Confidential

Responsibilities:

  • The National Shared Tables Group was responsible for the design, development and support of a centralized DB2 repository used by corporate enterprise applications.
  • The group provided operating system, software application and database management support for the test and production environments to preserve the integrity, availability and confidentiality of the information while at rest and while being transmitted to remote production operation centers
