Senior Third Party Risk Consultant Resume
SUMMARY
- With over 8 years' experience, a results-oriented practitioner specializing in the delivery and fulfillment of enterprise and regulatory IT control objectives in the areas of vendor management and information security, privacy and protection, auditing, controls, compliance, governance and risk management.
- Good knowledge of risk policies in a regulated environment (OCC, FDIC, FRB, CFPB, FFIEC, NYDFS)
- Extensive experience using the Shared Assessments Framework (SIG, SCA), TruSight BPQ, Cloud Security Alliance CAIQ, and FIPS 199 (CIA).
- Control frameworks (COBIT, ISO 27001 (SSAE), NIST), SOC reports (TSP, HITRUST CSF, Cloud Alliance), PCI DSS
- Extensive experience in process and control testing/design, remediation, and improvement initiatives; in this capacity acted as a primary liaison to management and reported on risk assessment, incident management, issues, tracking statistics, security performance metrics, internal audit and risk mitigation efforts, and business continuity planning.
- Broad understanding of Information Systems Security/Risk, IT Auditing and ITIL (Information Technology Infrastructure Library)
TECHNICAL SKILLS
GRC: RSA Archer, RiskVision, MetricStream, Brinqa, Prevalent, ServiceNow GRC, ProcessUnity
Collaboration: SharePoint, Jira, MS Teams, Supply Central, Salesforce
Basic: MS Excel (Advanced), MS Word, MS Project, MS Visio
BI: SSRS, Cognos, BusinessObjects, Tableau, Crystal Reports
Databases: Oracle 10g, 11g, MS SQL Server 2008, Sybase ASE, DB2
Other: RiskRecon, BitSight, SecurityScorecard, NormShield
PROFESSIONAL EXPERIENCE
Confidential
Senior Third Party Risk Consultant
Responsibilities:
- Provided security due diligence reviews for critical- and high-rated 3rd parties.
- Assisted in preparation of KPI/KRI reporting
- Provided support to TPRA office and SMEs in various areas to ensure risk management process is effective
- Performed cybersecurity risk assessments on vendors, utilizing knowledge of the CIA triad to determine the potential impact of risk based on low, moderate and high ratings.
- Reviewed SOC 1, SOC 2, SIG and other industry standards to assess cybersecurity risk and provided recommendations to the contract owner on residual risk and mitigation strategies.
- Performed risk remediation tracking against reported vulnerabilities. Acted as a key player within the vulnerability risk management team in providing governance, facilitation and driving results.
- Leveraged Pacific Life's proprietary questionnaire when needed.
- Reviewed SOC 1, SOC 2, ISO, SIG, CAIQ, PCI and supporting documentation of vendors.
- Reviewed/evaluated new security tools: IPS, IDS, SIEM, DLP systems, etc.
- Worked on internal questionnaire for vendors.
- Experienced with GRC tools such as Shared Assessments, ServiceNow and Archer for vendor assessment/review.
- Worked in ServiceNow for workflow and vendor coordination.
- Worked with stakeholders/the BISO on vendors' control gaps.
- Reviewed and assigned vendors for initial assessment process.
- Reviewed change management required to facilitate timely remediation and response on failed remediation attempts
- Reviewed scope and services provided by vendor and assigned risk triage.
- Defined scope of assessment based on internal questionnaire.
- Coordinated with various departments on vendor services.
- Validated and uploaded evidence to SharePoint or another central location.
- Engaged with stakeholders cross-organizationally to ensure any issues or inquiries were properly addressed.
- Set up operational routines and implemented issue and corrective action plans for vendor vulnerabilities.
- Conducted remediation calls with the business and stakeholders on the outcome of vendor assessments, findings and control gaps.
- Conducted remediation calls with vendors on control gaps, with remediation timelines.
- Sent risk surveys to 3rd parties, evaluated assessments, and made sure they provided clear evidence of their security.
- Communicated effectively with representatives of cybersecurity, technology specialists, and vendors.
- Communicated with vendor on remediation items and close out findings.
- Provided metrics on a regular basis (KPI / KRI)
- Ensured all vendor relationships are documented in the VRM system and all supporting documentation related to vendors that provide outsourced services are uploaded in the system in accordance with the VRM policy.
- Ensured assessments and remediation plans are progressing and meeting company’s SLA.
Confidential
Third Party Risk Analyst
Responsibilities:
- Assisted in preparation of KPI/KRI reporting
- Provided support to TPRA office and SMEs in various areas to ensure risk management process is effective
- Supported sourcing managers in conducting and validating vendor risk assessments
- Day-to-day management of risk activities for the TPRM office
- Generated compliance and risk metrics and provided reporting to the VRM Advisory Board
- Assisted business lines in identifying and escalating potential areas of risk
- Evaluated and documented residual risks prior to contract execution
- Completed strategic and reputational risk reviews for due diligence and ongoing monitoring reports
- Ensured assessments and remediation plans are progressing and meeting company’s SLA
- Managed security tools, provided system administrative support, and maintained and upgraded tool sets.
Confidential
Vendor Risk Manager
Responsibilities:
- Developed and maintained good working relations with vendors.
- Administered all contracts and developed initiatives for enterprises.
- Oversaw all procurement and RFP processes and issued necessary purchase orders.
- Managed all classification programs for vendors.
- Coordinated with various departments, made site visits and prepared vendor plans.
- Analyzed and prepared reports on vendor spend and demand.
- Ensured optimal services from vendors and maintained scorecards for each individual vendor.
- Assisted stakeholders and sponsors and developed initiatives for vendors and departments.
- Monitored vendors, identified all issues in the delivery process, and resolved them.
- Maintained good relationships with vendors and ensured cost-effective methods.
- Ensured vendors maintained quality of services and incorporated all organization standards.
- Assisted Distribution Centre managers and identified opportunities for improvement.
- Analyzed supply chain and prepared reports for effectiveness of programs.
- Organized monthly meetings and evaluated work of each vendor.
Confidential
IT Risk Analyst
Responsibilities:
- Ensured IT Risk and Security Control issues are addressed, and respective corrective action plans are completed on committed dates.
- Ensured that proper documentation for new and existing third-party relationships is properly completed and retained, including but not limited to SOC 2 Type 2 reports, Attestations of PCI Compliance, COI, IS policies, etc.
- Managed application security testing review & application vulnerability assessments to identify potential risks.
- Performed information security incident response and incident handling based on risk categories
- Defined appropriate risk levels based on the CIA triad for the criticality of information handled by vendors.
- Managed security tools, provided system administrative support, and maintained and upgraded tool sets.
- Tracked the statuses of RCSA issues, action plans, risk acceptances and change requests in Archer and worked with responsible source teams to resolve them.
- Mapped internal IT security controls to frameworks in MetricStream.
- Conducted IT risk assessments and logged all findings in MetricStream to monitor and coordinate remediation with the respective owners/source teams.
- Performed control break analysis and root cause analysis of identified findings.
- Managed the exception register to record and monitor non-compliance.
- Developed, maintained and enhanced security processes and procedures per standards and best practices.
- Created and managed IT Risk & Control dashboard - RCSA Units, RCSA Issues, Control Procedures, Control Test Reports, Risk Reports
- Ensured that security and loss prevention standards and instructions are consistently and effectively applied during the planning, development and execution of business operations as well as in all administration, infrastructure and support functions activities.
- Participated in the development of the analysis of product defect data and mapped it to corresponding action plans to reduce defects.
- Reviewed/evaluated new security tools: IPS, IDS, SIEM, DLP systems, etc.
- Assisted in the prompt investigation of security incidents and was prepared to isolate and remediate incidents pursuant to established procedures.
- Developed and executed daily, weekly and monthly action plans that increased quality, inventory accuracy and service.
- Responsible for evaluating threats, assessing risks and developing risk management strategies.
- Participated in providing a secure working environment, taking into consideration relevant legal and statutory compliance requirements, labour regulations, agreements and practices.
- Provided open, trusted and reliable partnership with internal and external stakeholders, by supporting, advising and enabling successful accomplishment of business operations and initiatives.
- Participated in driving security change and improvement by engaging leadership and associates and by providing the relevant and useful security knowledge and awareness.
- Prepared weekly and monthly status reports for stakeholders.
- Established and maintained a defensible evidentiary process for all investigations.
Confidential
Third Party Risk Analyst
Responsibilities:
- Coordinated with stakeholders to initiate, scope and plan controls assessments of new and existing vendor engagements.
- Ranked vendors in accordance with corporate tiering system
- Facilitated the adoption of new processes among contract and business area teams by contributing to the enhancement of vendor management tools and procedures.
- Ensured that the vendor’s control environment and any related processes, procedures, and standards adhered to NIST, ISO, PCI, HIPAA, and SOX.
- Developed and maintained documentation related to departmental processes, procedures and standards.
- Assessed completed questionnaires and supporting documentation to validate vendors' appropriate implementation of information security controls
- Produced detailed documentation of assessments
- Communicated vendor information security issues to stakeholders, ensuring their understanding of associated risks and actions needed to remediate those risks.
- Validated evidence from vendors before remediation plans are closed.
- Escalated issues associated with vendors as needed to management.
- Supported the VRM Program to effectively manage vendor risk in accordance with internal policy and regulatory requirements, ensuring strong oversight of all vendor risks and providing visibility of existing and emerging risks
- Maintained established relationships with the Business and applicable stakeholders to ensure proper execution and compliance with VRM policies and procedures
- Assisted in the reporting of vendor risk management activities
- Promoted and delivered continuous training and awareness to Business partners on vendor risk