
IT Governance Risk Specialist, PCI Subject Matter Expert

Location:
Houston, TX
Posted:
May 01, 2019


Resume:

Teri K. Hoyt

832-***-**** **** Bering Drive, No. 11

******@*****.*** Houston, TX 77057

IT Governance Risk Management Specialist

ISO 27001/2 • HIPAA/HITECH/HITRUST • NIST • SOX • GDPR • PCI DSS

An experienced IT professional with a financial background and over 8 years of IT Governance, Risk, Security and Compliance experience with a Fortune 500 company. Significant knowledge of and experience with regulatory and industry information risk and security standards. Proven ability to manage complex internal and Third Party Assessments of diverse application and infrastructure platforms within a global data security and privacy framework.

• Risk Management

• Third Party Risk/Security Assessments

• Change Management

• Project Management

• Vulnerability Management

• Vendor Management

Professional Experience

RR Donnelley

ITG Risk Management Specialist, Subject Matter Expert - PCI 2017–Present

RR Donnelley (RRD) is a third party service provider to organizations within many industries, including healthcare, financial and insurance, and maintains compliance with specific regulatory and statutory requirements such as GLBA and HIPAA on behalf of our customers. In addition to our annual SOX, AT101 / SOC 2 and SOC 2+CSF audits, RRD also maintains PCI DSS compliance as a Level 1 Service Provider listed in Visa’s Global Registry, providing our customers with e-Commerce solutions and print fulfillment services for business statements and letters containing cardholder data. Part of the global IT Governance, Risk, Security and Compliance team responsible for the enterprise information security and privacy program.

• One of six ITG Risk Management Specialists responsible for completing more than 1,400 information security assessments and onsite audits for customers across our global operations each year.

• Complete Third Party Assessments (TPAs) and GRC portal questionnaires (Archer, Hiperos, TruSight, etc.) for multiple lines of business and compliance frameworks including SOC 2, ISO 27001, HIPAA/HITRUST and GDPR.

• Manage customer onsite assessments including audit planning, resource scheduling, evidence collection, onsite support and remediation efforts.

• Maintain Third Party Risk Management Standard Information Gathering (SIG) solutions for RRD’s PCI applications and environments.

• Provide metrics and reporting of audit results and findings to IT senior management for visibility of issues, risks and process improvement opportunities across the enterprise.

• Review contracts and Requests for Proposal.

• One of ten Enterprise Change Managers – North America responsible for review and approval of more than 4,000 Requests for Change for the US, Canada and Latin America each month.

IT Governance Specialist, Subject Matter Expert - PCI 2015–2017

As part of the IT Governance Compliance team and the PCI Subject Matter Expert and Project Lead, responsible for managing PCI DSS compliance for RR Donnelley’s global merchant and North American Level 1 Service Provider environments.

• Manage the annual PCI QSA (Qualified Security Assessor) audit for multiple lines of business including scope validation, preparing Cardholder Data Flow diagrams, collecting evidence, providing on-premise or remote support during onsite assessments, determining any mitigating processes or compensating controls if necessary, and ensuring completion of any remediation.

• Complete the PCI annual consolidated filing and periodic bank submissions for the merchant environments.

• Provide security/risk review and impact analysis for all Requests for Change to PCI applications and infrastructure.

• Schedule and review monthly internal and external ASV vulnerability scans and work with application owners, system and network administrators for timely remediation of confirmed vulnerabilities.

• Work with certified pen tester to schedule, scope and perform internal penetration testing for PCI applications and network segmentation.

• Use DISA STIGs for PCI system hardening, benchmarks and reporting.

• Assist system administrators during initial installs and configuration of enterprise security monitoring and reporting tools for PCI network devices, Windows and UNIX servers, databases and mainframes.

• Communicate to management with reports, presentations, and metrics any identified security risks or issues of non-compliance for the PCI environments.

• Perform annual review of Information Security Policies and Standards for compliance with PCI DSS requirement.

• Stay informed of emerging threats, security best practices, and new industry standards with PCI implications.

• Support new business initiatives by identifying security risks and PCI compliance requirements in the development of e-Commerce solutions.

PCI Subject Matter Expert and Project Lead for the development of a multicurrency e-Commerce order management website and mobile UI for a US and Canadian franchise organization.

PCI Subject Matter Expert and Project Lead for the international, multicurrency Motif project, the MacOS photo printing application developed by RRD to replace Apple Photos.

PCI Subject Matter Expert and Project Lead for implementation of e-Commerce token solution with integrated order-to-cash settlement process.

IT Governance Specialist, Enterprise Change Manager – North America 2014–2015

After the acquisition of Consolidated Graphics (CGX), promoted to RR Donnelley’s IT Governance Compliance team.

• Managed the CGX IT general controls testing and remediation for the post-acquisition and RRD’s external SOX audit.

• Managed controls testing and evidence collection for the CGX Data Center and 18 production facilities included in RRD’s SOC 2 compliance program.

• Assisted with the migration of CGX key controls to RRD supported and compliant processes and systems.

• As an Enterprise Change Manager – North America, provided change management training and support to CGX application owners and infrastructure administrators during the migration to ServiceNow.

Consolidated Graphics, Inc. (Acquired by RR Donnelley in 2014)

IT Compliance Analyst 2010–2014

Member of the corporate Information Security team reporting to the Chief Information Security Officer responsible for information security and compliance for applications and infrastructure at the corporate data centers and 72 international production facilities.

• Managed IT General Controls for the annual SOX internal and external audits.

• Managed on-going HIPAA compliance for 18 print production facilities processing PHI data.

• Performed internal vulnerability scans of CGX corporate and field servers and worked with system administrators for timely remediation.

• Performed application scanning for new development or code releases of in-scope applications and worked with developers to address any findings.

• SharePoint Administrator for the corporate intranet site and solutions.

• Managed McAfee ePO to deploy endpoint antivirus and encryption solution to 4,000 servers and workstations.

• Monitored Palo Alto firewalls and FireEye Endpoint Security solution for cyber threat detection and incident response.

Technologies

• Microsoft Office

• SharePoint Administration

• Google Enterprise Apps

• ServiceNow

• CMDBuild

• IBM BigFix

• IBM AppScan

• Splunk

• LogRhythm

• OSSEC

• SolarWinds

• Tripwire

• Rapid7 Insight Vulnerability Management

• Qualys Vulnerability Management

• Palo Alto Firewalls

• FireEye Network Security

Skills

• Bilingual (English/Spanish)

• Analytical and detail oriented

• Strong verbal and written communication skills with ability to discuss complex IT subjects with technical teams and deliver same information in clear terms to business stakeholders

• Excellent organizational and time management skills with ability to manage multiple priorities and meet deadlines

Education and Achievements

• Bachelor of Business Administration – Accounting (University of Houston)

• Palo Alto Firewall Training (February 2018)

• CISSP Boot Camp (February 2019)
