
Sr. It Risk, Controls & Compliance Specialist Resume


Detroit, MI

SUMMARY:

Enterprise Governance, Risk and Compliance Consultant with extensive experience leading strategic framework development, capability mapping, and operating model development projects, focused on providing guidance around Risk-based Security Architecture, Cybersecurity Governance, regulatory compliance and industry standards.

PROVEN EXPERTISE IN:

  • IT Security Strategy, Governance & Risk management
  • High Value Assets Risk Management
  • SABSA, TOGAF & Zachman
  • LDAP & MS Active Directory
  • Networking - TCP/IP and other protocols
  • VPN, Firewall, IDS/IPS, DLP
  • Cloud (AWS), Network/Security metrics
  • IT Security compliance regulations: HIPAA, SOX, GLBA, PCI-DSS, GDPR etc.
  • Stakeholder Management
  • Member of cybersecurity working group
  • IT Security Program Management
  • Cyber Security Policies, frameworks, Standards
  • SOW, RFP, RFQ.
  • Intrusion Detection & Prevention
  • Encryption and PKI Infrastructure
  • Log file analysis/correlation
  • Risk and vulnerability assessment
  • Secure SDLC, ITIL, DevOps, NIST, CIP, ISO, NIST CSF, COBIT, OWASP Top 10, SANS 25
  • Identity & Access management
  • Security Incident & Event Management

TECHNOLOGIES:

  • Windows 2000, 2003, XP, Vista, 2007, Unix, Solaris, Linux, HP Service Manager, AWS, Splunk, MS Project
  • RTMT, LDAP, PKI, XML, UML, HTML, FTP, VB Script, OWASP, CVE, SANS CWE 25
  • SDLC, BCLC, RUP, Waterfall, Agile, DevOps; MGCP, H.323, VoIP, SIP, TFTP, IDS, IPS
  • MEGA, MS Visio, Wireshark, Metasploit, Nessus, Splunk, Aircrack, Snort, BackTrack, Nmap, Qualys, Burp Suite, OWASP ZAP
  • AppScan, SonarQube, Qradar, Archer, Fortify

EXPERIENCE:

Confidential, Detroit, MI

Sr. IT Risk, Controls & Compliance Specialist

Responsibilities:

  • Contributed across multiple enterprise verticals to develop an integrated organizational IT Security & Risk Strategy.
  • Developed the risk management program and planned, developed and modified policies, processes, guides, standards and procedures, and ensured compliance working with the appropriate teams.
  • Developed security control and risk scorecards, metrics, and reporting capabilities in GRC.
  • Maintained up to date controls, coordinated the control assessments, identified and escalated the non-compliance issues.
  • Performed static/dynamic code testing, manual code inspection, threat modeling, design reviews and penetration testing of internal web applications and external partner applications to identify vulnerabilities and security defects.
  • Created the secure coding standard for development teams to fulfill the PCI DSS compliance requirements.
  • Created a secure coding verification checklist, per the OWASP secure coding standards, to avoid security vulnerabilities in new development initiatives and solutions.
  • Analyzed the current state of the SSO/SAML-based identity and access management (IAM) solution in the environment and provided recommendations for a PCI-compliant solution.
  • Performed Source Code Analysis for comprehensive insight into vulnerable patterns and coding flaws and created strategies to mitigate them.
  • Collaborated with the project teams throughout the SDLC to implement the secure development processes as required by PCI-DSS.
  • Developed the information security standard for establishing a PCI-DSS compliant cardholder data environment (CDE) throughout the enterprise and within the third party service provider's environment.
  • Led the efforts for asset identification and classification for the PCI-DSS compliant asset security assessment and gap analysis; also created the secure coding verification checklist for application development.
  • Established, monitored, evaluated and reported key performance and key risk indicators (KPIs and KRIs) to provide leadership with accurate information regarding the effectiveness of the information risk & security strategy.
  • For critical infrastructure protection (CIP) and high value asset risk management, implemented the NIST Risk Management Framework, completing all phases of the RMF.
  • Created the security requirements for customer data storage in the AWS cloud environment and negotiated the SLA for data security.
  • Responsible for appropriate control design, documentation and evidence to meet the security audit requirements.
  • Responsible for payment application security, privacy and risk management hosted on AWS cloud platform.
  • Partnered with Awareness team to build “risk management awareness” materials for key stakeholders regularly involved in risk-based decision-making.
  • Involved in Prioritization and implementation of cybersecurity frameworks and standards including PCI-DSS, NIST and COBIT to address client environment specific risk optimization needs.
  • Performing as QSA, worked closely with global business, contract and legal teams to assess proposed terms and conditions for alignment with the appropriate risk profile, and provided feedback on needed changes.
  • Created the inter-business unit change request (IBUCR) process and trained the business unit leaders and SMEs.
  • Developed the secure coding guidelines and secure coding verification checklists for secure enterprise business application development and provided guidance on secure coding practices.
  • Oversaw the third party/business partner compliance process and led assessment and review sessions with third party suppliers.
  • Directed and advised on internal asset vulnerability scans, vulnerability assessments and mitigation activities.

Confidential

Governance Risk Compliance Consultant

Responsibilities:

  • Led a cross-divisional team for Risk-based Enterprise Security Architecture and supported pre-sales activities, providing presentations/demos and RFP responses, and recommended enhancements in security processes, standards and guidelines based upon a risk-aligned prioritization.
  • Created the Security Architecture for the customer account information services provided on the AWS platform.
  • Performed as lead risk and compliance architect for the AWS cloud-based customer business applications.
  • Developed and led the risk management program and planned, developed and modified policies, processes, guides, standards and procedures for compliance, working with the appropriate teams.
  • Directed cross-organization and LOB business controls and operational teams to address security controls and compliance, coordinated exception evaluations, and tracked risk remediation activities and control status.
  • Implemented the Risk Management Framework, iteratively completing all phases of the RMF in multiple client environments.
  • Compiled and delivered need-based regular and ad-hoc reports and briefings to management, business and technology risk owners and other audiences.
  • Created an SSO/SAML-based identity and access management (IAM) solution in the environment and provided recommendations to the implementation teams for multiple business areas.
  • Developed secure coding practices per the OWASP Top 10 and provided hands-on guidance to developers and quality engineers in multiple teams.
  • Collaborated with the project teams throughout the SDLC to make sure new initiatives conformed to the defined security requirements.
  • Performed static (SAST) and dynamic (DAST) code testing, manual code inspection, threat modeling, design reviews and penetration testing of internal web applications and external partner applications developed in Java to identify vulnerabilities and security defects.
  • Coordinated and communicated the choice of security technologies necessary to ensure a highly secure yet usable and flexible computing environment.
  • Collaborated with development and QA teams to ensure secure development standards and secure coding best practices were followed.
  • Conducted web application and mobile security vulnerability assessments and penetration testing, and handled vulnerability remediation of applications.
  • Monitored, measured, and refined the execution of the security architecture plans against the security strategy and metrics: Key Risk Indicators (KRIs) & Key Performance Indicators (KPIs).
  • Created project based roadmap to achieve the target state security architecture integrating TOGAF and SABSA architecture frameworks.
  • Delivered a multi-disciplinary Risk-based architecture to address cybersecurity, compliance, operational risk management, business resilience and the stakeholders' concerns from cross-functional and technical perspectives.
  • Delivered guidance and awareness of security policies, standards and requirements in cross-functional project settings.
  • Responsible for implementing and assuring compliance for the GDPR key areas of privacy rights, data security, data control, and governance.
  • Involved in prioritization and implementation of cybersecurity frameworks and standards including PCI-DSS, NIST, ISO, COBIT, NFPA and HIPAA as per client business requirements.
  • For multiple client environments, conducted assessments covering quality assurance procedures and information security, including regression testing, vulnerability management, penetration testing, information technology controls testing and patch management, capacity planning, and business continuity and disaster recovery processes and procedures, to identify areas of non-compliance with industry standards, best practices and the enterprise-specific implemented framework.

Confidential, Chicago, IL

Risk Strategy & Reporting Senior Lead

Responsibilities:

  • Maintained an information risk management program based on multiple streams of incoming data such as submitted risk forms, security and architecture assessments, incidents, vulnerability scanning, exception requests and threat intelligence.
  • Improved risk management processes and framework by driving participation in information risk management processes to create a more risk-aware culture throughout enterprise.
  • Coordinated and communicated the choice of security technologies necessary to ensure a highly secure yet usable and flexible computing environment.
  • Performed Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) to adequately identify crucial problems within the Java applications and to fix them.
  • Led the development and QA teams to ensure secure development standards and secure coding best practices were followed, per the OWASP secure coding and testing standards.
  • Responsible for driving the information risk strategy, assumed the responsibilities of maintaining the global risk register system as well as all processes related to the risk lifecycle.
  • Performed as lead risk and compliance architect for the AWS cloud-based customer business applications.
  • Created the end-to-end security business requirements to be included in the AWS vendor SLA, including network, host and application security aspects.
  • Planned, designed and implemented enterprise-wide Data Loss Prevention (DLP), Security Information and Event Management (SIEM) and vulnerability management services.
  • Conducted compliance assessments, reviews and analysis and prepared reports identifying areas of non-compliance.
  • Established, monitored, evaluated and reported key performance and key risk indicators (KPIs and KRIs) to provide leadership with accurate information regarding the effectiveness of the information risk & security strategy.
  • Worked with business and technology risk owners to document risk treatment plans, and tracked and reported progress on risk reduction activities.
  • Performed enterprise-wide research to implement and assure compliance for the GDPR key areas of privacy rights, data security, data control, and governance.
  • Delivered an enterprise-level architecture which established the capability to address Sarbanes-Oxley, PCI-DSS and SOC report compliance.
  • Established functional-area-specific, cyber risk-based prioritization, definition and implementation of cybersecurity strategy, policies, standards, procedures and guidelines.
  • Led the teams engaged in architecting governance models to organize the roles and responsibilities of the personnel involved, to achieve better audit control and enhance the quality of documentation.
  • Engaged IT and security leadership, both technical and managerial specifically for continuous improvement in enterprise security strategy, architecture and standards based upon emerging threats, emerging security standards, privacy regulations and emerging regulatory impacts.

Confidential, Bloomington, IL

Information Security Architect

Responsibilities:

  • Championed the efforts to develop an Enterprise Information Security Architecture, aligned with the strategic goals and addressing the security risks under the governance of the information security management system.
  • Developed, maintained, and evolved the enterprise security architecture, standard templates and design patterns, adhering to the TOGAF and SABSA frameworks, to assist solution architects in developing solutions to business units' requirements.
  • Established and maintained a cybersecurity and awareness program to include content development, delivery, and knowledge assessment.
  • Led implementation meetings and workshops, and created materials for the architecture team.
  • Monitored, measured, and refined the execution of the security architecture plans against the security strategy and metrics: Key Risk Indicators (KRIs) & Key Performance Indicators (KPIs).
  • Created the future state architecture for implementation of SSO/SAML-based identity and access management (IAM).
  • Created a risk assessment process with templates and conducted system design reviews as lead security representative on the Enterprise Architecture Review Board.
  • Planned, designed and implemented enterprise-wide Data Loss Prevention (DLP), Security Information and Event Management (SIEM) and vulnerability management services.

Confidential, Indianapolis, IN

Cybersecurity Governance & Compliance Analyst

Responsibilities:

  • Responsible for the Sarbanes-Oxley, PCI-DSS and SOC report compliance management program.
  • Led a cross-divisional security team using a multi-disciplinary approach to cyber and information security and compliance, operational risk management, client security management, workforce protection, and business resilience.
  • Responsible for cyber risk management and managed the process of defining, implementing, and enforcing cybersecurity strategy, policies, standards, procedures and guidelines.
  • Determined appropriate tools and techniques, planned and scheduled IT risk assessments, conducted scans, reported findings with recommendations and solicited feedback from the customer and workforce to achieve all project objectives.
  • Ensured enterprise-wide security, privacy, and compliance standards are maintained and processes for defining, implementing, and enforcing cybersecurity policies, standards, procedures and guidelines are in place/observed.
  • Leading the IT & cyber risk management effort, performed IT risk assessments by applying the IT/cyber risk management strategy.
  • Established audit policy and reporting mechanisms for ensuring compliance with IA/IS standards by keeping current with IA/IS requirements.
  • Occasionally analyzed identified security strategies by assessing them against the organization's needs and compliance guidelines, and selected the best approach or practice for the enterprise.
  • Led the development of risk management by creating plans, procedures, protocols, and evaluation measures and ensuring the desired levels of enterprise-wide IA/IS.

Confidential, Hartford, CT

Cyber Security Policy Analyst

Responsibilities:

  • Responsible for developing, promulgating, and maintaining LOB cybersecurity policies and standards; developing and providing guidance on the Overseas Security Policy Board (OSPB) information systems security policy and standards; and providing guidance on existing policies and standards for the LOB.
  • Performed the cyber/IT risk analysis, documented and communicated the results to the stakeholders.
  • Responsible for contributing to IT security governance: company security policies and standards adhered to by the global company.
  • Established a process to respond to user questions and inquiries about policy received via emails and phone calls.
  • Created and managed the security approval process framework in the Architecture Compliance Review for each phase in the development lifecycle for all future projects.
  • Researched, recommended, developed, maintained, and updated cybersecurity policies, to include use of new and emerging technology (e.g. WiFi, cloud, mobile devices), software, hardware, and other IT-related systems (e.g. VoIP, Building Automation Systems).
  • Examined incoming requests for exceptions to policy and drafted recommended decision memoranda, including the requisite mitigation strategies.
  • Coordinated clearances of all draft cybersecurity policies and memoranda with DoS stakeholders.
  • Participated in intra-agency policy working groups (e.g. WiFi) and provided cybersecurity policy subject matter expertise.
  • Provided support for the review and coordination of cyber and communications security policies and guidelines.
