Information Security Management
Resume:
CARRIE JENSEN-BADAA
Novato, CA
415-***-**** www.linkedin.com/in/carriejensenbadaa/ *******@*****.*** SUMMARY
I am a versatile technology risk leader with extensive expertise in risk management, general computer controls and information security programs. I partner and collaborate with senior business and technology stakeholders to identify and implement practical risk mitigation solutions and to ensure client and regulator satisfaction with technology control activities. AREAS OF EXPERTISE
• Risk and Control Assessments
• Vendor Risk Assessments
• Information Security
• NIST Cybersecurity Framework
• ISO27001 & 27002
• PCI-DSS
• Access and Identity Management
• CISA, CISM, CRISC and CIPP/IT
• General Computer Controls
• SOC 1 & 2 (SSAE-18 (16) / SOX
• Privacy
• Process Design
PROFESSIONAL EXPERIENCE
Blue Shield of California (BSC), San Francisco, CA 2014 - 2018 Director, IT Compliance & Risk Management
Led the information technology compliance and risk management activities.
• Implemented annual vendor security oversight reviews for vendors handling sensitive information (PHI/IIPI)
• Oversaw completion of HIPAA security risk assessments and analyses
• Partnered with leaders in Blue Shield’s IT Security division to complete the final reviews/approvals of security risk assessment final reviews.
• Enhanced technology risk management program, including: o Defined and implemented capabilities to identify, assess, mitigate, track and report technology risks; and o Oversaw technology activities supporting enterprise risk management program
• Advanced technology activities supporting internal audits, external audits, regulatory audits and customer due diligence reviews. Specific activities included:
o Ensured initial SSAE-18 SOC 2 report received an ‘unqualified’ overall opinion; o Reduced reportable technology-related SSAE-18 SOC 1 test exceptions to zero for 2017; o Reduced overall volume of issues identified by internal auditors and regulators; and o Reduced overall volume of 'overdue' activities to address identified issues.
• Developed inventory of key technology controls, including: o Partnered with IT stakeholders to enhance process and control design and execution effectiveness; and o Implemented awareness program for control owners and operators.
• Supported PCI-DSS self assessment
Robert Half Financial Services, San Francisco, CA 2013 - 2014 Senior Consultant
Worked with financial services clients to meet the challenges and opportunities of the global market place in the areas of technology risk, IT general controls and information security.
• Wells Fargo – Internal Audit Consultant focused on Identity and Access Management. BLACKROCK, Inc., San Francisco, CA 1997 - 2013
Director, Technology Risk Management (2009 – 2013) Defined and executed the global technology risk management program.
• Improved client and regulator satisfaction via delivery of the global technology risk and control assessment program. Specific activities included:
o Defined risk and control assessment methodology and completed initial risk and control assessments for application development, systems operations and technology delivery and support activities; and o Agreed ‘top technology risks’ and defined risk appetite and profile statements, key risk indicators and capital adequacy assessments for these risks.
Carrie Jensen-Badaa 415-***-**** *******@*****.*** PAGE 2
• Delivered high-priority, high-visibility projects to meet diverse technology risk-related needs, including: o Redesigned processes for client event micro sites that ensured brand protection, privacy compliance, information security and availability;
o Managed access recertification activities that prevented reportable exceptions for SOX and SSAE 16; and o Completed a maturity assessment of the privacy program using the AICPA’s ‘Generally Accepted Privacy Principles’
(GAPP) maturity model, identifying maturity gaps and developing the action plan to address the gaps.
• Collaborated with partners in the Vendor Risk Management, Operational Risk and Business Continuity teams to ensure effectiveness of technology-focused activities of those teams, including: o Served as escalation point for the Vendor Risk Management team for assessing the adequacy of vendor technology controls and for assessing proposed modifications to vendor agreements; o Completed root cause analysis with the Operational Risk team on technology-related operating events and agreeing actions to be taken to prevent such events from recurring; and o Coordinated with the Business Continuity team to ensure alignment with disaster recovery risk activities.
• Assured compliance with technology-related regulatory requirements via collaborating with Legal & Compliance, technology and business leaders on global technology regulatory requirements and requests. Principal, Information Security and Technology Risk Management (for Barclays Global Investors (BGI) which was acquired by BlackRock in 2009) 1997 - 2009
Managed BGI’s technology risk management, technology regulatory compliance and technology-related Sarbanes Oxley (SOX) and SSAE 16 programs. Also managed BGI’s global user access management program and information security activities.
• Ensured the technology-related SOX and SSAE activities successfully passed annual testing with no reportable exceptions.
• Improved access management capabilities via overseeing the definition and implementation of an on-line access request and certification management system, eliminating the paper-based processes and reducing request delivery times from an SLA of 5 days to 3.
• Advanced the information security program via definition of policies, standards and compliance assessment processes, and implementation of security monitoring and vulnerability management capabilities.
• Enhanced vendor management activities via defining and implementing the vendor technology risk assessment program within BGI’s overall vendor risk assessment program.
• Strengthened developer access to production controls via delivery of an automated solution for developers to obtain ‘greater than read’ access. Scope included the Windows, Solaris, Sybase and MS SQL environments and addressed compliance monitoring and escalation activities.
OTHER SIGNIFICANT EXPERIENCE
Vice President, Union Bank (formerly Bank of California) Managed the Bank’s Information Security and Disaster Recovery programs and the Technology Internal Audit program. EDUCATION
BS in Computer Science – University of Nebraska Lincoln CERTIFICATIONS
Certified Information Systems Auditor (CISA)
Certified Information Security Manager (CISM)
Certified in Risk and Information System Control (CRISC) Certified Information Privacy Professional/Information Technology (CIPP/IT) ITIL Foundation
Contact this candidate