Sr. Privacy and IT Compliance Security Risk Assessor Resume
Palo Alto, CA
SUMMARY:
- Sr. IT Auditor and third-party vendor security risk assessor with Confidential experience as an individual contributor or leading a team of IT auditors and technical security specialists focused on performing security risk assessment and remediation addressing security threats to the enterprise, changes to systems, compliance management, policy management, third-party risk management, metrics and reporting.
- Combined hands-on professional experience of 15 years in software development, programming and management, and 10 years in IT audit and third-party cyber security risk and compliance, supporting the operationalization of various GRC initiatives in the areas of enterprise security risk management, compliance management, policy management, third-party risk management, and metrics and reporting.
- With a broad-based understanding of information technologies and a background in the financial, manufacturing, entertainment, utilities, and healthcare industries, I’m pursuing my career to deliver best-practice paradigms around IT audit, third-party vendor security assessment including cloud service providers, IT governance, risk and control.
- I’m passionate about championing and leading IT audit efforts and cyber security assessments based on recognized and authoritative best-practice frameworks and compliance, governance, risk and control activities in an organization where I can leverage my experience to support corporate objectives, achieve legal and regulatory compliance, manage IT vendor compliance and create a culture of risk awareness and empowerment by fostering people, process and technology, and to drive communication and transparency among key business stakeholders, thus supporting asset protection and value creation for both the business and the clients entrusting the business to protect the confidentiality, integrity, availability and accountability of data.
- Confidential has worked in Canada and the United States, and speaks and writes fluently in French and English.
SKILLS:
- Compliance (SOX 404, PCI-DSS, HIPAA/HITRUST, PII, GDPR, Confidential, GLBA, etc.)
- Security Standards (ISO 27001/27002, Confidential SP 800-53, SP 800-60 Vol. 1 and Vol. 2, OWASP, FFIEC IT Audit, COBIT, COSO, ITIL/ITSM)
- Vendor Management Reports: SSAE 16/SAS 70, SOC 1, SOC 2, BITS Shared Assessments
- Internal & External IT Audit Experience
- Information Security Risk Management
- Physical and Logical Security, Security Architecture
- Network, Server, and Database Security
- On-site and remote third-party Vendor Security Risk assessor experience
- ITGC, Secure System Development Life Cycle (SSDLC)
- Enterprise Change Management, Patch Management
- Business Continuity and Disaster Recovery
- Information Security Program Management and Strategic Plan
- Nessus, Qualys, Rapid7 Nexpose, Veracode, NMAP
- RSA Archer, ACL, IDEA, Risk Navigator, TeamMate
PROFESSIONAL EXPERIENCE:
Confidential, Palo Alto, CA
Sr. Privacy and IT Compliance Security Risk Assessor
Responsibilities:
- Assisting SAP/Confidential in assessing its Information Security Management System and readiness for achieving Confidential compliance.
- Planning, coordinating, and performing security reviews of internal and external SAP/Confidential business applications and systems, including third-party service providers, to determine their security posture against Confidential 800-53 cybersecurity control requirements and ISO 27000x.
Confidential, San Jose, CA
Global Information Security - IT Auditor and Third-Party Vendor Security Risk Manager
Responsibilities:
- Served Confidential as a subject matter expert in leading, planning, scoping, coordinating, executing and reporting on third-party vendor security posture to meet Confidential information security control requirements, and IT audits against existing and new Confidential partners distributed worldwide in North America, Europe, Asia, South America, and Australia.
- Worked with internal cross-functional teams (application security, legal, privacy and compliance) to ensure that third-party vendors’ ISMS were aligned with Confidential information security requirements to protect and secure Confidential customer data and privacy.
- Conducted program-level reviews of the information security programs and controls of third parties in the context of the services provided by third-party vendors and the data exchanged; scoped, assessed and reported on the security posture of vendors.
- Maintained the TPVM risk register documenting findings and security gaps, the associated risk level, and the target date for remediation.
- Monitored, managed and closed existing internal and external audit issues, and ensured that internal systems were compliant with Confidential security standards and controls, including regulatory requirements.
- Redlined vendor contracts and legal privacy security shields (Data Privacy Requirements Addendum) to ensure that Confidential security and privacy requirements were adequately documented and provisioned in vendor contracts.
- Defined a risk-based third-party vendor re-assessment strategy to re-assess high-risk vendors on a pre-defined schedule.
- Provided continuous educational and coaching assistance to business units to support the Confidential Vendor Management Program.
- Initiated, scoped, and assessed over 120 third-party vendors during my assignment.
- Contributed to the Confidential third-party vendor management program to improve its efficiency based on empirical data derived from past executions.
Confidential, Monterey Park, CA
AVP IT Audit and Third-Party Vendor Risk Assessor
Responsibilities:
- Served the Confidential Credit Union and Enterprise Information Security Cyber Security team as a subject matter expert in planning, coordinating, conducting and reporting on third-party vendor security risk posture by determining each vendor’s capability to protect the confidentiality, integrity, availability and privacy of Confidential assets and clients’ data.
- Executed security risk assessment reviews of controls for third-party vendors based on Confidential security policies and standards and relevant laws, regulations, and industry security standards.
- Analyzed assessment findings and determined a risk score based on an established assessment scoring framework.
- Presented risk assessment findings to business owners as well as third party vendor to identify and establish adequate remediation plans and activities, including post-review of security controls remediated.
- Reviewed third-party vendor remediation plans, determined whether each plan sufficiently mitigated the identified risks, and kept business owners informed of the adequacy of mitigation plans to secure their applications, systems, and data.
- Tracked progress on remediation of identified risks and vulnerabilities and provided appropriate reporting to all stakeholders, internal third-party manager, external vendor, and senior management.
- Actively participated in the enhancement of Confidential security risk assessment programs and associated security due diligence requirements and questionnaires to facilitate the identification and mitigation of cyber security risks.
- Monitored Confidential RSA/Archer for newly identified vulnerabilities and evaluated the risks such vulnerabilities posed to the organization’s information and systems and advised management of appropriate measures to eliminate or reduce the organization’s risk or exposure to such vulnerabilities.
- Maintained the vendor risk management system, Archer, to ensure that all due diligence efforts were captured and preserved along with the determination of the risk rating for those vendors.
- Conducted post-security reviews and follow-ups with the internal third-party vendor manager and the third-party vendor on remediated control gaps to determine their adequacy and effectiveness in complying with Confidential cyber security control requirements.
- Provided trusted advisory services and guidance to stakeholders to reduce organizational risk and improve the overall security and compliance posture throughout the bank organization.
Confidential, CA
Information Security Analyst - Cyber Security
Responsibilities:
- Monitored Intrusion Detection System and Logs and escalated security incident breaches.
- Reviewed vulnerability scan reports from Acunetix, Nessus, and Qualys and developed remediation action plans.
- Maintained Information Security Policy and Procedures for Confidential University Cyber Security Program.
Confidential, San Diego, CA
Senior IT Auditor
Responsibilities:
- Planned and performed full Information Technology and integrated audit projects based on the Scripps Health information risk assessment program, in accordance with the Confidential information security framework and best practices, to protect and secure the confidentiality, integrity and availability of Protected Health Information.
- Supported Scripps Health in transitioning to Epic EHR.
- Interfaced with key business and IT stakeholders and the Compliance, Legal and Privacy teams to ensure that control gaps were adequately managed and mitigated with agreed-upon corrective action plans for remediation of internal control gaps and deficiencies.
Confidential, Los Angeles, CA
Sr. IT Auditor and Third-Party Vendor Cyber Security Risk Assessor
Responsibilities:
- Served the Director of Information Security in working with various Confidential units (Confidential, Server Team, Network Team, Compliance, Engineering, etc.) to ensure adherence to the corporate policies and standards of the Information Security program.
- Performed application security assessments on both internal and third-party vendor applications; identified security risks and gaps, and recommended mitigating control plans.
- Ensured that information assets (systems, applications and data) were adequately protected through application and third-party risk assessments, by applying ISS risk assessment standards and procedures.
- Planned, organized and executed Information Security risk assessments by identifying, evaluating, and reporting on information security risks in a manner that met the company’s legal, regulatory and contractual requirements.
- Assisted the Legal team and Confidential in contract negotiations with third parties around Information Security related matters.
- Proactively and collaboratively worked with business units (NPR Review Board, PMO, Confidential, and DRB) to develop and implement procedures that met defined policies and standards for Information Security Management.
- Actively participated in the review of all New Project Requests (NPR) to triage the needed ISS security review, and in the Design Review Board to determine the scope of risk assessments.
- Provided professional advice on best practices, methodology and processes to be implemented to assess the security posture of Confidential systems and applications.
- Identified security gaps against Confidential requirements and application security vulnerabilities, and coordinated remediation plans for remediating identified security vulnerabilities prior to production release of applications.
Confidential, Anaheim, CA
Information Security Program Manager & IT Auditor/Third-Party Vendor Security Assessor
Responsibilities:
- Served the office of the Chief Security Officer and Ministry Security in leading the development and implementation of the Confidential Ministry Security Application Security Program, including security policies and standards and identification of best practices, to empower stakeholders to properly secure Confidential business solutions processing confidential, internal and public data against unauthorized disclosure and tampering, whether hosted within Confidential’s data centers or by third-party vendor hosting providers (i.e. cloud service providers).
- Responsible for assessing, reporting on and monitoring the Confidential application portfolio and its compliance with applicable state laws and federal regulations (HIPAA, PII, PCI, etc.).
- Responsible for the development of application security metrics and reports to be communicated to business stakeholders to monitor and improve the security posture of the organization’s application portfolio.
- Led third-party vendor security assessments, from initiation and assessment through the issuance of disposition reports documenting the general security posture of vendors’ solutions and identifying security gaps and required remediation activities, including vendor contract review.
- Led the rationalization and maintenance of the Confidential Ministry Security Internal Control Framework and control requirements, addressing the minimum set of security controls required to secure Confidential’s application portfolio for all functional security areas/domains in scope.
- Provided continuous security awareness training and best-practice recommendations to stakeholders seeking to protect the confidentiality, integrity and availability of their systems, applications and data.
Confidential, Glendale, CA
Sr. IT Auditor and Information Security Risk Assessor & Compliance Program Manager
Responsibilities:
- Served the office of the CISO and Confidential Technology Shared Services (Confidential) as a SME responsible for assessing and reporting to internal stakeholders on the cyber security posture of third-party service providers supporting Confidential Corporate hosted solutions (ASP) and cloud-based solutions used by various business owners, including SaaS, PaaS and IaaS.
- Initiated, scoped, assessed, and reported on the adequacy of vendors’ information security management systems and the controls in place to secure Confidential intellectual property and the confidentiality, integrity and availability of information system assets for HR, Legal, Confidential Studios, and Confidential corporate infrastructure.
- Assessed vendor solutions/applications against Confidential Information Security Policies and Standards, HIPAA, PCI DSS, EU privacy laws, CA SB 1386, and ISO 27001:2005.
- Liaised with business sourcing managers, internal assurance teams, and business stakeholders to plan vendor solution evaluations and the best strategy, define objectives, and address technology-related control risks and gaps.
- Coordinated network penetration tests and application vulnerability tests with internal security teams, reviewed the reports and reported on the security gaps to be addressed.
- Assisted Confidential’s Legal team in reviewing contracts for third-party vendors to ensure that all mitigating controls were adequately reported within contracts prior to the on-boarding of new and/or existing suppliers.
- Provided security awareness training and information security best practices to Confidential Corporate stakeholders for assessing third party vendor solutions.
- Defined appropriate risk level and corrective actions for security controls gaps identified during assessment.
- Reported on assessment outcomes, risk level and associated recommendations to minimize exposure to risks identified.
- Presented control issues to 3rd parties and worked toward obtaining adequate corrective action plans.
- Monitored corrective action plans and reviewed evidence for closure on open action plans.
Confidential, San Diego, CA
Sr. IT Auditor
Responsibilities:
- Led IT security assessments of various IT third-party vendors and hosting providers to evaluate their ability to protect confidential and proprietary information and to ensure that proper business continuity controls were in operation, encompassing all information security domains: General Computer Controls, PCI-DSS compliance, SOX 404 compliance, HIPAA, GLBA, California SB 1386, Privacy, data center operations/security, application security controls, Data Loss Prevention, BCP/DR, physical security, and logical access to data and systems.
- Collaborated with internal lines of business (Information Security, Supplier Management, Risk Management, and Audit) and provided risk assessment disposition reports, evaluations and recommendations.
- Served as Subject Matter Expert (SME) in PCI-DSS, Privacy, SOX 404, Business Continuity Planning, Disaster Recovery Planning, and the System Development Life Cycle (SDLC).
- Managed remediation efforts and reported on the status of overall remediation plans in flight.
- Executed post on-site review activities with legal, business owners and vendor management team.
- Assisted the County of San Diego and its Internal Audit Department in designing and implementing Segregation of Duties (SOD) controls across all in-scope business applications of Oracle E-Business Suite (R12) modules with Oracle Internal Control Manager.
- Performed security review and testing of SOD controls to determine their operating effectiveness and areas of improvement to comply with SOX-404, PCI-DSS, and Privacy.
Confidential, San Diego, CA
AVP IT Audit - Enterprise Risk Management
Responsibilities:
- Managed all phases of the IT audit process (Sarbanes-Confidential (SOX), SAS 70), including communications with clients, audit planning and scoping, fieldwork and review of deliverables and work papers; edited reports prepared by staff members for accuracy and completeness.
- Actively participated with the “Compliance Rationalization Committee” to rationalize and streamline Confidential Financial internal controls framework, which resulted in external audit cost savings of $1M/year.
- Assisted in leading the development and execution of IT audit methodology, standards practices, and audit management system such as TeamMate.
- Participated in the development of detailed annual audit plans and programs.
- Planned and executed individual SOX 404, SAS 70 and special internal audits focusing on key application controls and ITGC to evaluate their operating effectiveness.
- Conducted IT audits which included disaster recovery/business continuity, infrastructure security, change management, general computing controls, user access controls and standalone systems (i.e. UNIX, Windows, SQL and Oracle databases, etc.), and performed various ad hoc IT-related audits and investigations for executive management and the firm’s clients.
- Performed IT risk evaluations and control assessments for scheduled audits.
- Served as a resource to IT, business control owners, and the Enterprise Risk Management organization in network and corporate security, vendor management, anti-fraud assessment initiatives, and policy and procedure development and assessments.
- Monitored IT audit activities with internal auditors, external auditors and third-party examiners, and prepared management responses and remediation planning.
- Served as Subject Matter Expert (SME) PCI-DSS, Privacy, SOX 404, Business Continuity Planning, Disaster Recovery Planning, and System Development Life Cycle (SDLC).
- Implemented quality assurance review processes to ensure audit work conforms to the Standards for the Professional Practice of Internal Auditing and the standards established by ISACA.