Information Security Manager

Garden City, New York, United States
August 19, 2019


Philip M. Cozzolino

*** ******** ******

Garden City, N.Y. 11530



Information Technology (IT) Auditor, Technology Risk and Control Auditor, FDIC IT Examination Analyst, Sarbanes Oxley (SOX) IT Audit Consultant, IT Audit Manager. Technology and Financial Industry Specialist with internal audit experience. IT SOX documentation and testing. IT Risk Assessment.

Business Experience

MEDIDATA Solutions

(c/o Wilson Management Consulting)

IT Audit Consultant (July 2019 – present)

Performing quarterly IT SOX testing for the life sciences company.

Dimensioning the risk associated with clinical trials and the data analytics platforms.

Evaluating the security posture of the cloud environment.

Examining the single sign on implementation and employee termination automation.

Completed all required company and regulatory training.


(A Robert Half Company)

IT Audit Consultant (October 2018 – December 2018)

Worked with the client’s IT Risk Management and IT Senior Management to test GLBA controls mapped to NIST guidelines.

Provided evidence to validate the remediation of IT control weaknesses cited by the OCC.

Performed IT control testing to document corrective action required to close IT audit issues.

Completed assignments as a remote IT Audit Consultant.


(Power Utility – Con Ed)

Project Auditor - IT (December 2017 to April 2018)

Performed an IT audit and security walkthrough of two of the largest Solar Facilities in the world located in Texas.

Participated in the Con Ed SOX optimization initiative.

Performed storm site safety duty to protect the public from downed electric power lines.

Completed all required OSHA training modules.


Lead IT Auditor (May 2013 to August 2017)

Performed the IT Risk Assessment used to create the CWS three-year IT audit plan.

Reviewed CWS IT infrastructure risk areas during CWS internal audits and information technology audits.

Provided guidance regarding CWS regulatory compliance (e.g., GLBA, FDIC, etc.).

Created a new audit approach and expanded scope for the CWS Security Access Audit that resulted in the discovery and removal of hundreds of unauthorized user accounts.

Reviewed and leveraged the test work from the CWS Payment Card Industry (PCI) certification.

Reviewed the CWS Business Risk Assessment process.

Performed Business Continuity Audit of CWS technologies that resulted in program expansion.

Expanded the scope of network and computer application user recertification.

Coordinated the 2013 CWS computer user recertification on behalf of CWS IT and the CWS business managers.

Participated in the composition of the Carson Smithfield SSAE 16 report.

Performed a Vendor Management Audit that resulted in program revamping.

Completed all annual CWS regulatory and compliance training.

Performed an End User Desktop Audit.

Conducted an IT walkthrough of the FIS and TransCentra lockbox operations.

Reviewed outstanding Business Continuity, Vendor Management and GLBA audit issues and evaluated IT Management’s corrective action.

Audited CWS’ implementation of Active Directory.

At the request of Management, reviewed various vendor SSAE16 reports.

Obtained and reviewed all CWS IT Policies and Procedures.

Created a Cybersecurity audit program based on FFIEC Guidance.


Technology Risk and Control Auditor

(International Investment Bank)

IT Audit Consultant (July 2012 to May 2013)

On behalf of international investment bank, assessed the adequacy of IT Management’s corrective action in response to internal audit and regulatory issues.

Determined the effectiveness of new controls in place to mitigate IT risk.

Sampled and retested documentation related to incident management events.

Evaluated the effectiveness of disaster recovery tests.

Examined applications and servers for the existence of generic accounts (functional IDs).

Assisted the IT Managers in their mission to control excessive logical access rights on servers and applications.

Evaluated the effectiveness of new controls in place for enterprise change management, software development and software migration.

Determined if IT projects and process improvements designed to mitigate risk were successful.


Division of Risk Management Supervision

IT Examination Analyst (September 2010 to July 2012 - Term not to exceed 2 years.)

Reviewed more than 30 FDIC member banks as IT Examiner-in-Charge and produced IT Examination work papers and findings that were embedded in FDIC Safety and Soundness Risk Management Examinations.

As directed by New York City Regional Office Supervisory Examiners and Examiners-in-Charge (EICs), assessed the adequacy of Information Technology policies, procedures and practices and determined if these practices are in compliance with governing laws and regulations.

Discussed findings and concerns regarding Information Technology issues with Safety and Soundness EICs.

Evaluated financial institution management's ability and willingness to correct issues identified, as well as previous examination and audit findings related to Information Technology.

IT Examination scope includes evaluation of IT Risk Assessment, IT Operations Security, IT Audit, Disaster Recovery, Vendor Management and compliance with the Gramm Leach Bliley Act of 1999.

Met with bank management, board members and others to make recommendations regarding corrective action for deficiencies; to provide support for URSIT ratings; to answer questions; and to persuade bank management to take corrective action recommended in the Report of Examination.

Trained 6 commissioned FDIC Examiners during their participation in IT Examinations in order to fulfill the requirements for them to attend ITEC School.

Served as the IT Examiner-in-Charge on IT Examinations that were performed in conjunction with the New York State Banking Department.

Worked with the New York State Department of Financial Services during joint IT Examinations and Safety and Soundness Examinations.

JEFFERSON WELLS (presently known as Experis)

A Manpower Company

Technology Risk Advisory Services Professional –

IT Auditor (July 2005 to September 2010)

As an IT Auditor, performed information technology risk assessments for many clients that led to the decision to perform new audits and offer additional professional services.

Assessed information security issues for systems and networks in many industry segments.

Reviewed and evaluated corporate information technology policies and procedures (e.g., Information Security Policy, System Administration Procedure, etc.) for deficiencies.

As an IT Auditor, found 21 financial software applications that were not identified and evaluated for security vulnerabilities by a bank’s Information Security Officer.

Revealed that terminated employees still had active computer user IDs at various clients.

As an IT Auditor, performed technical infrastructure audits of many and varied businesses.

Evaluated validated system protocols for a medical manufacturing client required to adhere to FDA standards and audits.

As an IT Auditor, completed numerous continuity of business reviews (disaster recovery).

Performed information technology Sarbanes Oxley (SOX) testing for many companies in many industries.

Assisted a broadcasting company in IT SOX compliance.

Acted as liaison between big four accounting firms and my clients to resolve SOX issues.

As an IT Auditor, provided recommendations to resolve client audit and IT SOX issues.

Assumed the IT Audit role during a staff augmentation for an internal audit department at a credit card services company. Completed their 2007 IT Audit Plan.

Performed internal IT audit work for a US national professional sports league.

Composed IT narratives for a trust company SAS-70 type 1 report.

As an IT Auditor, created and implemented my firm’s first VoIP audit program.

Adjusted to changing client requirements, changing scope of work, Jefferson Wells’ requirements and Management requirements during many projects.

Published IT audit issues and audit reports for senior management in many companies and various industries.

Provided IT Audit services for small, midsized and large corporations.

Led Jefferson Wells Technology Risk Management tri-state area practice in billable revenue in 2006.

In 2008, ranked second in Jefferson Wells Technology Risk Management tri-state area practice billable utilization.

Performed IT SOX testing in Sweden and Italy for a US chemical company.


Certified Public Accountants

IT Auditor (June 2004 - April 2005)

Sarbanes Oxley Group

Performed technology infrastructure risk reviews of labor unions, employee benefit funds and manufacturing companies.

Provided S&B clients with Sarbanes Oxley Compliance Services.

Performed IT SOX general controls and application controls walkthroughs.

Created IT process documentation.

Managed client IT SOX deficiency remediation and performed testing.


BDO Seidman’s Risk Consulting and Advisory Service

SOX IT Audit Consultant (January 2004 - May 2004)

Issued an IT infrastructure risk report for a New England power utility.

Assisted a housing developer to prepare for Sarbanes Oxley attestation.

Prepared IT SOX clients for external audit reviews.

Provided incremental IT audit assistance to client’s internal auditors.

Performed IT SOX general controls and application reviews.

Developed audit approaches and implemented audit programs.

CITIGROUP (Citibank)

IT Audit Manager, Global Technology Infrastructure (1996 - January 2004)

Audit and Risk Review

Vice President

Managed and performed full scope network audits.

Assessed information security issues for Citigroup networks and systems.

Evaluated the control of technology risk after corporate mergers (e.g., European American Bank, Salomon Smith Barney, Travelers Insurance, Associates First Capital Corporation).

Managed technical infrastructure audits of many and varied Citigroup businesses.

Participated in numerous continuity of business reviews (disaster recovery).

Assisted in the implementation of network connectivity for the Citigroup Audit Labs in New York.

Published rated audit reports distributed to Citigroup senior management.

Performed continuous business monitoring.

IT Audit Manager (1995 - 1996)

Global Telecommunications Industry Specialist

Responsible for all Citicorp Global Information Network reviews (NCC, WAN, etc.).

Participated in global technology audits in London, Saudi Arabia, Bahrain and Latin America.

Determined the adequacy of controls and procedures for various processes such as technology change management, problem management, vendor management, network and system access controls, physical security, environmental controls, continuity of business, capacity planning, etc.

Evaluated management’s corrective action plans for the resolution and closure of audit issues.

Senior Telecommunications IT Auditor (1992 - 1995)

Assistant Vice President

Large and midrange data center reviews (general controls and technical).

Backbone network audits (including routers, firewalls, etc.).

Data center continuity of business reviews.

Network control center, network management audits.

Data processing facilities audits.

Pre-implementation reviews.

Electronic mail system audits.


Bachelor of Arts, Queens College. Attended various internal and external IT, audit and personal development seminars (e.g., CISCO Router Configuration, Audit Methodology, Client Server Computing, Information Security, Internet Security, Managing People, Cybersecurity, Leadership, Conflict Resolution, Team Building, etc.). Coached and mentored associates as well as newly hired audit staff. Received the “Citicorp Service Excellence Award” for major network expansion associated with the creation of a new data center and the relocation of several Citigroup Private Bank businesses. Received 2 FDIC STAR Awards for examining troubled institutions.