
Vendor/third Party Risk Analyst Resume


SUMMARY

  • Information systems analyst with in-depth knowledge of HITRUST, SSAE 18/SOC 2, SIG, NIST 800-53, COBIT, Confidentiality, System Integrity, Access Control, Audit and Accountability.
  • Detailed knowledge of security tools, PCI-DSS, General Computer Controls, Compliance Testing, IT/Cloud Risk Assessment, GRC, SLA, Change Management, Security Maintenance, Policies and Procedures.
  • Ability to multi-task, work independently and as part of a team.
  • Strong analytical and problem-solving skills.
  • Effective interpersonal and verbal/written communication skills.

PROFESSIONAL EXPERIENCE

Vendor/Third-Party Risk Analyst

Confidential

Responsibilities:

  • Conducted risk assessments for enterprise technologies, products, services and operations based on applicable framework requirements from ISO/IEC 27001, ITIL, COBIT and NIST, as well as PCI-DSS standards and CSA cloud security guidance.
  • Reviewed and validated provided documentation such as SSAE 18 Type I and Type II reports, vulnerability scan reports, independent pen-test reports, ISO 27001 certification and PCI-DSS certification.
  • Conducted in-depth, risk-based security assessments of in-house, cloud, vendor and third-party hosted environments. Assessment focus included Risk Management, Physical Security, Identity & Access Management, Encryption, Data Loss Prevention, Secure Development, Incident Management, Security Infrastructure, and Security Policy.
  • Assess the operational fitness of third parties using the Shared Assessments SIG questionnaire.
  • Conduct transition, ongoing monitoring and oversight of on-boarded engagements, including intelligence sources, periodic risk re-assessments, and business and onsite reviews.
  • Documented key third-party risks identified in a formal report, escalated control gap findings as necessary to management, and presented the report and recommendations to key technology and business process stakeholders to promote awareness and determine mitigating control or remediation requirements.
  • I ensure that risks discovered during vendor assessments are remediated in a reasonable time.
  • I facilitate remediation for any third-party-related operational issues as needed.
  • Act as a remediation analyst to work with vendors in remediating findings discovered during onsite/virtual assessments.
  • I am familiar with and have worked with eGRC tools such as RSA Archer and 3Grc. Developed a module within the RSA Archer eGRC suite to facilitate the assessments, categorize risk, and highlight items out of compliance. I use this platform to ensure secure and prompt communication of findings and deployment of questionnaires to the vendor, and to track vendor progress on remediation.
  • Worked with management to develop, improve and draft vendor management policies and procedures.

Vendor Risk Assessment Analyst

Confidential

Responsibilities:

  • I review the business case to understand the services being provided, and I determine the scope and depth of the assessment based on the inherent risk of the engagement.
  • Conducted in-depth, risk-based security assessments of in-house, vendor and third-party hosted environments. Assessment focus included Risk Management, Physical Security, Identity & Access Management, Encryption, Data Loss Prevention, Secure Development, Incident Management, Security Infrastructure, and Security Policy.
  • I worked with our vendor oversight function to ensure adequate tiering of our vendors based on the level of data they have access to.
  • Design and continually upgrade supplier questionnaires to ensure that all areas of newly discovered threat signatures are covered.
  • Administer questionnaires to all vendors.
  • Conduct onsite and virtual risk assessments to continuously determine the security posture at the vendor site.
  • Review and evaluate all controls, vendor practices and processes at the vendor site to ensure data confidentiality.
  • Validate security questionnaires during onsite visits to ensure up-to-date data protection at the vendor site.
  • Conduct on-site risk assessments based on agreed-upon procedures guidelines.
  • Review all essential security policy and procedure documentation.
  • Provide detailed assessment reports to business owners and the vendor management office.
  • Work as a remediation analyst to ensure all gaps discovered during the assessment are remediated or mitigated in a timely manner.
  • Escalate issues of third-party vendor non-compliance to the business stakeholders.
  • I continuously monitor available intelligence sources related to existing vendors.
  • I make use of assessment tools during onsite visits to validate the security questionnaires filled out by the vendors and to ensure protection of data at the vendor sites.
  • Used Excel modeling skills to assist in the creation of a tool that measures and calculates risk by quantifying a vendor's inherent and residual risk across various risk domains (to align with regulatory requirements and industry/client best practices) and implements a risk tiering methodology to determine an overall risk score.
  • I conduct risk assessments of IaaS, SaaS and PaaS vendors, performing control review and validation of their questionnaire responses and documentation per established procedures and standards.
  • Completed Technology's data clean-up of engagements with expired contracts, and transitioned only active engagements into the TPRM system (Archer).

IT Audit Analyst Consultant

Confidential

Responsibilities:

  • In-depth knowledge of performing assessments of IT General Controls (ITGC) such as access control, change management, IT operations, disaster recovery and job scheduling.
  • Executed Computer Assisted Audit Techniques using software tools such as Monarch Pro, Microsoft Access and IDEA to analyze data.
  • Experience in reviewing Service Organization Control (SOC) reports for organizations, in compliance with SSAE 16 (formerly SAS 70).
  • Performed audits of IT general and application controls, information security, systems development, change management, business continuity, disaster recovery and computer operations.
  • Implemented and tested internal controls under Section 404 of the Sarbanes-Oxley Act (SOX), performing walkthroughs of controls and evaluating operating effectiveness.
  • Performed IT infrastructure audits to test default accounts, vendor updates and patches, password settings and unnecessary running services on platforms such as Unix, Windows, mainframe, network devices, firewalls, databases and Active Directory.
  • Participated in SAP transaction testing, including testing of segregation of duties, to assist the client in improving their user management, authentication management, authorization management, access management and provisioning capabilities.
  • Performed testing of IT general and application controls in support of external financial audit engagements with clients, including those requiring compliance with SOX, utilizing UNIX, AS/400, SAP, Oracle and PeopleSoft environments.
  • Assisted in planning and executing audits, and worked closely with financial teams, operations teams and the risk management team.
  • Evaluated the IT infrastructure in terms of risk to the organization, established controls to mitigate loss, and assessed ERP system security and controls for widely used packages including SAP, Oracle and PeopleSoft, and for UNIX platforms (Solaris, Linux).
  • Coordinated and performed reviews of data center general controls, company server security, operating systems, systems development life cycles, and monitoring procedures relating to physical security over data centers, computer operations and network communications security.
  • Liaised between in-house managers/IT department and external financial and operational auditors.
  • Prepared audit scopes, reported findings and presented recommendations for improving data integrity and operations.
