
IT Risk, Audit, Compliance, Information/Cybersecurity and TPRM Senior

Location:
Jupiter, FL
Posted:
April 19, 2024


Resume:


Mehmet Cuneyt UVEY

P: 516-***-**** e: ad44nv@r.postjobfree.com http://www.linkedin.com/in/mcuvey/

SUMMARY

A results-driven senior professional with extensive expertise in IT Audit, IT Assessment & Assurance, IT Risk Management, Information Security – Cyber Security & Privacy, Third Party Risk Management, IT GRC, IT Process & Service Management, Product & Service Security, Training, and Program/Project Management. My attested track record includes establishing and implementing effective risk detection and governance management programs, ensuring compliance with laws, standards and frameworks, and providing assurance for corporate information security in highly regulated businesses such as banking and finance, fintech, defense, healthcare, professional and advisory services, automotive and government offices. I have a proven ability to develop company-wide information security programs aligned with organizational objectives, achieve compliance with industry best practices to mitigate IT/Cyber Security risks, and enhance the control environment for projects, operations and products. Furthermore, I excel in managing and coaching diverse IT and InfoSec-related teams to continuously improve their knowledge and skills in a matrix environment, fostering resilience. With global and multidisciplinary experience in reputable multinational organizations renowned for their process maturity, business integrity and professional standards, I bring a comprehensive and valuable perspective to any role.

CORE COMPETENCIES

Championing, oversight and/or hands-on work in GRC (Governance, Risk & Compliance) areas such as:

Corporate & IT Governance, IT Strategy, IT General Controls (ITGC), Program/Project Management

Internal/External IT/IS Audit & Internal Control, including Assurance, Risk & Control Self-Assessment (RCSA)

IT Risk Management, Risk Registry, Risk Mitigation (establishing programs from scratch & operationalizing)

Information Security and/or Cyber Security (Information Security Management System - ISMS foundation & certification)

Product / Process Security, Certification & Training

IT Operational Security (DevOps, DevSecOps, ProdOps), including Business Continuity

3PRM Vendor/Third Party Risk Assessment & Management

Process Improvement, Risk & Compliance based Process Assessment

GDPR (General Data Protection Regulation) & Personal (PII/PHI) Data Protection, Privacy

IT Quality Management (QMS) & ISO Standards / Frameworks Implementation (27XXX, 20000, ITIL, COBIT, NIST)

EDUCATION

o MBA - Masters in Business Administration: Bloomsburg University PA – 3.75 GPA
o BSc. Degree in Public Administration, Middle East Technical University – Honor Student 2 Semesters

CERTIFICATES

o CISA - Certified Information Systems Auditor – ISACA - Information Systems Audit & Control Association - 2003
o CISM - Certified Information Security Manager - ISACA – 2004
o CGEIT - Certified in the Governance of Enterprise IT - ISACA – 2009
o CRISC - Certified in Risk and Information Systems Control – ISACA - 2011
o CDPSE - Certified Data Privacy Solutions Engineer – ISACA - 2020
o Accredited ISACA - APMG Training Provider (ATP) for CISA, CGEIT, CISM, CRISC Certifications - 2018
o ISO 27001 ISMS Information Security Management - Lead Auditor by BSI - British Standards Institute – 2004 / 2006
o ISO 20000 ITSM - Service Management - Lead Auditor by APMG – 2016 (parallel with ITIL processes)
o PMP - Project Management Professional by PMI - Project Management Institute (pmi.org) - 1999

ASSOCIATIONS & NETWORKING

o ISACA Information Systems Audit & Control Association – South Florida Chapter Board 2020-22 & President 2022-24
o ISACA – Ankara Chapter Founder President & Board Member – Past President (2010-2020)
o ISACA – Istanbul Chapter Founder Board Member (2006-2010) & Global Platinum Member; 2001 onwards
o PMI – Project Management Institute Member since 1999. Joined International Conferences & local chapter events.
o Tarsus American College Alumni Association – Active Board Member
o Health & Education Foundation (SEV) Member of IT Committee & Governance Committees of SEV Foundation

LANGUAGE SKILLS

o German (Upper Intermediate Level) – Goethe Institute (completed 5 level courses)
o Turkish (Superior/Academic Level: Educated Native Speaker - www.clscholarship.org (important language for U.S. Gov.)
o Spanish (Beginner/Classroom Training/Basic Level)

PROFESSIONAL EXPERIENCE

Roche Diagnostics – PM - ISMS SME Subject Matter Expert (Product/Process Security & Privacy) - (Remote from FL – Santa Clara, CA) (Aug. 2022 – July 2023)
Established strategies and programs and implemented them for compliance, for the foundation, implementation and/or maturing of the processes, internal/independent audit readiness and certification for the ISO 27XXX Information Security Management Standards of Roche Products (uPath, Avenio Connect, NMP Navify Mutation Profiler, etc.) in a) ISMS (ISO 27001), b) Cloud Security Controls (ISO 27017), c) Public Cloud Privacy Management System (ISO 27018), d) PIMS - Privacy Information Management System (ISO 27701) and other standards/frameworks such as e) GDPR & California Consumer Privacy Act (CCPA) and relevant parts of the COBIT Controls Framework, CCM (Cloud Controls Matrix) of the Cloud Security Alliance (CSA), and the NIST CSF Cybersecurity Framework, all integrated under ISO 13485. Performed risk assessments, led and facilitated RCSA, and consolidated and followed up action plans with ISMS Asset Owners (Commercial, Cybersecurity, Development, DevOps & ProdOps, HR, Legal, Supplier Management (including Third Party & Vendors), Technical Project Management, Validation & Verification and ISMS Management) through the Cloud Trust Framework (CTF) and Privacy Information Management System (PIMS), using SecTool (customized GRC tool) and JIRA.

Financial Axis (FINAX CPA Company) – Officially Authorized IT/IS Auditor in Charge - Head of IT Risk & Control Services (Aug. 2018 – Jan. 2020, Full Time)
Prepared and implemented the FINAX IS/IT Audit & Security Policies, Procedures, Processes, Guidelines, Rules of Conduct & Ethics, and IT Audit Work Programs for assurance regarding the regulation on IT Governance & Audit issued by the Board of Capital Markets (BOCM), for the accreditation and license to perform "independent audit" in the institutions on behalf of the Board. Hired, trained and managed the team of Sr. & Jr. IT Auditors and consultants as Head Auditor. Provided IT Assurance Consultancy and IT Risk Management (including Vendor/TPRM) services as Head of IT Risk & Control Services.
(Feb. 2020 – June 2022, PT 10 hr/week) Provided remote oversight as Board/CEO Advisor for IT/IS Audit + IT Risk & Control Services from overseas, while working for the other full-time contract projects listed below. Owned the two business lines and generated $5.3 million in audit and consultancy revenue with the teams I founded and managed.

FISERV – IT Audit Manager (Contract – Remote from FL) July 2021 – Oct. 2021
Managed a team for the "Agile Audit Pilot" project of the System Development Life Cycle. Completed follow-up and issue validation assignments.

TD Ameritrade – Security Risk Management (SRM) Vendor/Third Party Assessment Sr. Risk Analyst (PROCOM - Contract – Remote from FL) July 2020 – Apr. 2021
Assessed the Information & Cybersecurity Risks of Vendors and Third Party Providers for TD Ameritrade, using work papers based on NIST, SOX, SOC, ITGC, PCI, ISO 27001, Privacy, Cloud Security, Bitsight Scores, the Standardized Information Gathering (SIG) Framework (14 domains) and reporting templates.

CARRIER Global HQ – IT/DT Security & GRC Policies Lead (DISYS Contract - Hybrid) Jan. 2020 – Apr. 2020
Reviewed the GRC Program and Information/Cyber Security Policies, built the Governance, Risk and Compliance Policies Life Cycle & Cadence, mapped and performed gap analysis between current policies and control standards against ISO 27001 in relation to DFARS, SOX, PCI-DSS, HIPAA, SOC, NIST CSF, GDPR, ISO 9001, ISO 20000, ITIL and COBIT. Requirements analysis for GRC Policies Management and 3PRM functions in adapting the ServiceNow (S-NOW) Platform and GRC Policies Life Cycle.

EVAM Streaming Analytics Inc., WA – Risk Assessment Consultant (Contract) May 2019 – July 2019
Detailed ISO 27001 and COBIT assessment and reporting of IT development, product and customer service processes (Continuous Intelligence platform and service for big data analytics, in Banking, Manufacturing, Retail & Loyalty, Transportation & Telco) from the perspective of risk, information/cyber security, governance, privacy, compliance, third party and control maturity of ITGC.

Bank BNP Paribas/TEB Kosovo HQ, Pristina – ISMS Consultant to CEO Sept. 2017 – Jan. 2018
(Largest international private bank of Kosovo) Completed a detailed ISO 27001 audit and assessment, reported the findings to the CEO and followed the action plans for the CIO. Performed ISMS Implementation (5 days) and ISO Internal Audit (2 days) training.

SUNAR AGRO CORN INDUSTRIES GROUP – ISMS Program Director Oct. 2016 – Nov. 2018
Consultancy and training services for full ISO 27001 implementation and integration into the current Quality Management System (ISO 9001). Training, internal audits and management reviews were implemented for official certification of 4 different exporter companies. Managed the project and the team, and successfully got all four companies ISO 27001 certified.

YURTKUR-KYK Higher Education Credit & Hostels Institution (EU Program DEZODES) – Director - Key Expert (KE) Jan. 2017 – Mar. 2018
Performed 2 Director roles as SME within the program team. A) Service Quality Standards: Reviewed/audited all the Hostels Service processes and prepared Student Loans Quality Policies. Presented a roadmap for ISO 9001 Certification. B) Prepared the IT Process Audit/Assessment Report and presented it to the CIO and IT Management.

PTT Bank & Postal Services – Consultant to CIO Jan. 2016 – July 2016
Performed COBIT 4.1 Processes Risk / Maturity Assessment and Reporting/Action Planning with the CIO and all the IT Management / IT Audit & Operations Teams. Delivered IT Governance and COBIT Framework training for IT Managers and Senior Staff and performed RCSA.

TEPE Service & Management Group – ISMS Program Director Aug. 2015 – Aug. 2016
Managed full ISO 27001 implementation, audit and training program through certification (as in SUNAR above). Success in official certification.

A-Tel Technology & Defense Industry – Head Consultant May 2015 – Dec. 2015
ISO 27001 training, consultancy and implementation, awareness, internal audit, management review. Official certification acquired for defense contracts.

Bottle & Glass Group (SISECAM - World's 3rd Largest in Glass) – ISMS Program Consultant Apr. 2015 – June 2016
ISO 27001 ISMS Implementation and Security Governance & Certification Program – training, gap analysis and implementation (16 plants) for EU compliance in customs. Delivered training, gap assessment and reporting services to the group. Successful implementation of the standard ending with official certification.

HAVELSAN – Aero Electronics Software Inc. – Advisor to CIO in Project-Process Audit & Risk May 2014 – Mar. 2015
Audit, assessment, review and C-Level reporting of projects, operations and processes of HAVELSAN and its corporate clients:
o TCDD – Turkish State Railways Company: Assessment and Business Development Reporting for potential IT projects for HAVELSAN's further involvement. Presented to the BOD of HAVELSAN and TCDD. (Sep. 2014 – Mar. 2015)
o Assessed and audited ASOS – Military Health Automation System Project, its operations, and provided training to ASOS employees in process management and service delivery. Audited GATA (Military Hospital) on site. Full COBIT methodology was used. The systems and data covered under the audit are classified as top secret, including Health Information and Visual Records (PACS) of all armed forces and families. The audit and findings had strategic importance for protection of information and information assets of a central and 36 city hospitals, plus 450 health centers in troops. (May – Sept. 2014)

CNH/TTF Tractors, Agro & Construction Equipment – Head of Internal/IT Audit & Process Improvement Aug. 2011 – Apr. 2014
Founded and managed the Internal Audit (Financial, Operational & IT Audits in TTF/CNH - CASE & New Holland Co.) and the Process Improvement function. The jobs and duties performed were as follows:
o Audit, Risk Assessment, Analysis, Examining, Testing and Reporting of Corporate Processes & Systems (in Oracle/SAP).
o Audit Issues Follow-up (Export/Import, Material Return/Scrap, IT Development & Security, Order Process & Production Planning, Supply Chain & Logistics, ECO Engineering Change Order, Marketing – Brand PR & Communications, etc.)
o Member of Information Security Forum & Internal / IT Audit / Follow-up of ISMS - Information Security Management System – ISO 27001 Certification. Annual COBIT Processes Audit & Maturity Assessment of the IT Department.
o Coordination and/or oversight of compliance projects (such as Positive BOM Project, Memorandum Export Project & Agricultural Equipment Ordering on Memorandum, including IT integration and control assessment of SAP & Oracle)

ROKETSAN MISSILES – Consultant, Trainer and Project Director 2010 – 2011
Project for the Assessment, Gap Analysis and delivery of an action plan for the foundation of Information Security Governance based on the ISO 27001 Standard, to be applied within the IT Department. Training of the IT Staff in Information Security, IT Audit and Governance.

EXIMBANK HEADQUARTERS (EXPORT IMPORT BANK) – COBIT Program Director 2009 – 2011
Compliance and COBIT + ISO 27001 implementation project for the Eximbank IT Department for BRSA (Banking Regulatory and Supervisory Authority) requirements. The project was financed by IBRD – World Bank. Trained all IT, Audit, Risk Management and PMO staff in COBIT and ITGC. Delivered Security Awareness Training for all 600 employees. Designed a GRC tool on Oracle Forms. Reviewed the SDLC process and audited the mainstream banking applications together with Internal Audit.

NATIONAL LABOR ORGANIZATION – Senior Process Audit Consultant 2010
Hired by the Ecorys EU Consultancy Company team to "audit & assess" the ISKUR mainstream software and web application (www.iskur.gov.tr) for Recruitment, Employment, Job Matching and Training Services. Findings reported related to HCI (Human Computer Interface) and usability.

PTT - POSTAL SERVICES – Strategic Planning Program Manager 2008 – 2009
o Enabled the Board Level delivery of a Strategic Plan for PTT Group in Banking, Logistics & Postal Services for 2010-20
o Enabled the Board of PTT to invest in Sales and Marketing, Banking & Logistics, and Technology for Operational Efficiency to achieve Organizational and Digital Transformation.
o Established a vision for government-owned PTT to adopt a competitive and global strategy - including privatization.

MINISTRY OF FINANCE and TREASURY – Project Director in Internal Control & IT Governance 2007 – 2008
o Internal Control and IT Assessment of the Strategy Development Directorate (using COBIT)
o ISO 27001 - Information Security Management System (ISMS) Development
o Central Project Office Foundation (PMO) and Process Management (using PMI Standards)
o QMS Foundation and internal compliance in ISO 9001 Process Management Quality System
o Turnkey delivery of SW solutions for the above processes (especially document management)

YAPI KREDI BANK (Unicredit Group) – IT Risk Manager May 1991 – Oct. 2007 (16+ years FTE – roles/timeline below)
o Founder & Head of IT Risk Management Dept. (including 3PRM) 2002-2007
o Holding IT Steering Committee - Bank Representative 2006-2007
o IT Audit Manager (for Dutch National Bank - DNB Compliance) 2003-2006
o WebTrust (HITRUST Principles) Internet Banking Security Certification Program Manager 2005
o IT Audit Department Founder - COBIT Implementation Program Manager 2000-2001
o Communications Director & Head of Y2K Program Risk Committee 1998-2000
o Head Business Analyst and Program Financial Controller in YKB BPR Program 1995-1998
o Internal Auditor & Senior Internal Auditor 1991-1995

T.C. ZIRAAT BANK HQ ANKARA – Securities & Bonds Specialist Sep. 1989 – Apr. 1991
o Specialist in Securities, Bonds & Trust Shares Department (1990-1991)
o Ziraat Banking School – 1 Year MT Program Attendant (1989-1990), 2 semesters of Global Banking & Finance classes

SAMPLE of TRAINING PROGRAMS & COURSES DELIVERED

o OPTIV Cyber Advisory – CRISC Training (Certification in Risk & Information Systems Control) 6 days, November 2023
o ROCHE Diagnostic Product Teams and Asset Owners – ISO 27001 ISMS Project Management, Risk Assessment, Audit Readiness and Cloud Trust Framework Assessment in 2022-2023
o ISACA South Florida Chapter - ISMS ISO 27001 Implementation Training. 2 days, August 2021
o Bottle & Glass Group SISECAM - COBIT 2019 & IT GRC Training for CIO & Senior Managers. 18/19 July 2019
o ISACA Belgrade Chapter – CISM Exam Prep Training Q&A / Exam Program – hosted by Crowe Serbia, Feb. 2019
o Ministry of Energy – CISA Exam Prep - IS Audit Process, Mock-up Exam Q&A Review, November 2018
o IIA Kiev, Ukraine International Conference – Keynote GDPR – Participant in Forum for Privacy, 26-28 Sept. 2018
o INNOVA (IT Corporation) – Quality and Information Security Dept. CISA Training & Prep Course. June 2018
o ASELSAN Military Electronic Technologies – CISA Exam Training Program – 5 days, July 2018
o ISACA Belgrade Chapter – COBIT 5.0 Training & Seminar in Serbia Chamber of Commerce. December 2017
o AGT – Advanced Tech Wood Industries – COBIT 4.1 & COBIT 5 Training & Workshop. 4 days, July 2016
o BOTAS – Petroleum Pipeline Corp. – ISO 27001 Impl. Training & Certification, 6 months. Feb. – July 2016
o TURKAK – Turkish Accreditation Agency – ISMS ISO 27001 Impl. & Internal Audit Training. 4 days, October 2016
o Felda Iffco – Edible Oil Corp. – ISO 27001 Foundation & Impl. Training. 4 days, Feb. 2016
o Kartonsan Cardboard – Information Security and ISO 27001 ISMS Implementation Training. 4 days, Feb. 2016
o Insurance Association of Turkey – COBIT 4.1 Training and COBIT 5 Comparison. 5 days, Jan. 2016
o ERICSSON Mobile – ITIL Training & ISO 20000 (with COBIT comparison). 5 days, Dec. 2015
o Figensoft Mobile Technologies – Information Security Awareness and ISO 27001 Training. 4 days, Nov. 2015
o METU - Middle East Technical University - IT Dept. – COBIT 5 Training. 6 days, Sept., Oct., Dec. 2015 (2 days/month)
o TUBITAK – Cyber Security Institute – ISO 27001, ISO 31000, Internal Auditor & COBIT - GRC Training. July 2015
o Ugur Cooling Inc. – ISO 31000 Risk Management Standard Implementation and Auditor Training. 6 days, May 2015

ACADEMIC - ADJUNCT PROFESSOR

Adjunct Professor / University Instructor 2004-2020: Launched and lectured "IT Governance" and "Project Management in IT Programs & Projects" classes in graduate-level programs at 5 universities in Turkey:

MIDDLE EAST TECHNICAL UNIVERSITY (M.Sc. Informatics Institute & STPS Technology Policies Graduate Studies)

SABANCI UNIVERSITY (M.Sc. ITM – Information Technology in Management Program)

BILKENT UNIVERSITY (MBA Program – Masters in Business Administration) – IT Governance & Management

ISTANBUL TICARET UNIVERSITY (MSc. in Audit) – Graduate Instructor, Thesis Advisor & IT Audit, IT Risks

BASKENT UNIVERSITY (Faculty of Management Information Systems - MIS) – Instructor in IT Project Management
