Charles Davis, Certified Risk Manager; Certified Internal Auditor
Lawrenceville, NJ 08648
INFORMATION SECURITY SPECIALIST
Seasoned Certified Risk Manager (CRM) with significant years of experience in analysis and implementation of the NIST Cybersecurity Framework; ISO 27001 and 27002; SOC 1; SOC 2; SSAE 18; Sarbanes-Oxley (SOX) consulting; GDPR compliance; BCR compliance and development; development and implementation of policies, programs and standards for CyberArk compliance; and auditing experience focusing on Governance, Risk and Compliance and Vulnerability Management, utilizing technologies such as the LockPath Keylight GRC platform (version 2), SailPoint IAM solution tool, BeyondTrust PAM solution tool, AWS cloud security, RSA Archer GRC platform, Qualys, Qualys Pro, RiskVision, ServiceNow and MetricStream GRC tool, including technical experience (Java, CSS, CMS). Hands-on experience in ERP implementation projects (SAP Financials (FICO), SAP CRM and SAP SRM solutions, including SAP ECC 5.0 to 7.2; HANA; SAP Warehouse Management Systems). Extensive experience translating IT technical and functional requirements to fit clients' project portfolio management needs, with responsibility for compliance with NIST, PCI, ISO, HIPAA, HITECH and other regulatory cybersecurity frameworks.
TRAINING AND CERTIFICATION
Certified Risk Manager
Certified in Risk Management (CRM), April 2008
CEU focus on:
NIST Security and Compliance Standards: NIST SP 800-53; ISO 27001 through ISO 27006
SAP Accelerated Implementation Program
SRM SAP Implementation and Testing
CRM SAP Implementation and Testing
PCI Version 3.2 Changes and Compliance
SAP GRC 10.1 Implementation and Compliance
SAP Identity Management Implementation
Advanced Compliance with AWS Cloud Security
AWS Cloud Security Risk, March 2017
Oracle R12 Implementation, Compliance & Testing
CASB (cloud access security broker), July 2017
Access and Identity Management Implementation and Testing, December 2017
Risk Management (GDPR) Self-Assessment Security Risk, December 2017
CAP Regulatory Compliance, July 2018
Qualys Vulnerability Management Tools, July–August 2018
PROFESSIONAL EXPERIENCE
LYNX Tech. Partners, New York, NY, January 2019 – Present
Certified Risk Management Officer / Security Consultant / IAM Consultant
March 2019 – Present (assigned to several clients as SME for IAM development)
Documented RSA Archer process design including business and security requirements
Implemented policies, programs and standards for CyberArk compliance and auditing, focusing on Governance, Risk and Compliance and Vulnerability Management
Identified and designed reports within the RSA Archer GRC tool and ServiceNow, and assisted the Risk and Compliance Manager and Director in establishing an effective Vulnerability Management monitoring program
Evaluated SailPoint for various Global Identity and Access Management (IAM) programs and Privileged Access Management (PAM) solutions, including BeyondTrust and Hitachi.
Assigned to Concord USA
AmeriHealth Insurance, Philadelphia, PA October 2018 – January 2019
Senior Project Manager PCI Assessment Consultant/Senior Security Consultant
Direct focus was on compliance, process flows and functionality within PCI DSS version 3.1, with Governance, Risk and Compliance experience utilizing the RSA Archer GRC tool, and on development and implementation of policies, programs and standards for CyberArk compliance and auditing, focusing on Governance, Risk and Compliance and Vulnerability Management.
Documented RSA Archer process design, including business and security requirements
Implemented policies, programs and standards for CyberArk compliance and auditing, focusing on Governance, Risk and Compliance and Vulnerability Management
Identified and designed reports within the RSA Archer GRC tool and ServiceNow, and assisted the Risk and Compliance Manager and Director in establishing an effective Vulnerability Management monitoring program
Evaluated SailPoint for various Global Identity and Access Management (IAM) programs and Privileged Access Management (PAM) solutions, including BeyondTrust and Hitachi
Implementation, testing and verification of the PCI DSS version 3.1 requirements and mitigating controls. Project management, implementation and compliance oversight for 8 major mitigating controls, and testing of security, risk and compliance management solutions for business acceleration, including managing organizational risk, CyberArk compliance, safeguarding mobile access and collaboration, proving compliance, securing virtual and cloud environments, and access and identity management within the role-based access control environment.
Assigned to DivIHN Integration Inc., Hoffman Estates, IL January 2018 – June 2018
Assigned to KELLOGG Information Technology Center
Position Title: Project Manager Information Security IV (Lead/Architect)
Led the development of security standards and assisted in developing the plans for performing vendor risk security audits.
Assisted the Risk and Compliance Manager and Director with risk assessment process re-engineering to include GDPR compliance within the RSA Archer GRC tool (including technical experience: Java, CSS, CMS), and with development of the Binding Corporate Rules, including the strict and approved codes of conduct under the GDPR: the internal codes of conduct which concern transfers of personal data to third countries in the context of cross-border data transfers to entities of an international organization or multinational (a group of undertakings, or group of enterprises engaged in a joint economic activity, including members) which are outside the EU.
Assisted in establishing efficient risk assessment and change management processes within the GRC tool as part of the RSA Archer re-engineering project(s), and in the development and implementation of policies, programs and standards for CyberArk compliance and auditing, focusing on Governance, Risk and Compliance and Vulnerability Management.
Performed gap analysis of the security requirements implemented within the RSA Archer GRC tool and of the risk assessment process against security statutes, regulations, standards and SOM policies
Documented RSA Archer process design, including business and security requirements
Implemented policies, programs and standards for CyberArk compliance and auditing, focusing on Governance, Risk and Compliance and Vulnerability Management
Identified and designed reports within the RSA Archer GRC tool and ServiceNow, and assisted the Risk and Compliance Manager and Director in establishing an effective Vulnerability Management monitoring program
Evaluated SailPoint for various Global Identity and Access Management (IAM) programs and Privileged Access Management (PAM) solutions, including BeyondTrust and Hitachi.
Cross-mapped ISO, NIST, HIPAA, GDPR, CMS, PCI and COSO security requirements to NIST and Kellogg baseline controls.
Assisted with establishing the cybersecurity framework for Kellogg.
Other cyber security related tasks as assigned
Assisted with Kellogg's risk assessment volume of work for vendors and suppliers, including auditing SOC 1, SOC 2 and SSAE 18 reports.
SRM responsibilities: implemented a centralized procure-to-pay process flow. Implemented the SAP Supplier Relationship Management module that supported the full e-procurement cycle, from source-to-pay and purchase-to-pay to spend and supplier performance management
Provided technology deployment activities ranging from design to architecture to configuration
Built IGL interfaces and connected security controls to multiple applications
Designed and implemented access request workflows
Supported the Security Management solution post-production: system upgrades, patching and troubleshooting
Provided feedback on internal processes required to help train and mentor other professionals as needed
Remained current on relevant IAM market trends, and on change management process tools and methodologies
Vulnerability Management Compliance and Monitoring:
Implemented and monitored Qualys VM continuous scans and ensured that, as advertised, it identified vulnerabilities with Six Sigma accuracy, protecting IT assets on premises, in the cloud and on mobile endpoints.
Reviewed the executive dashboard displays for compliance: an overview of the security posture and access to remediation details.
Ensured that Qualys VM generated the custom, role-based reports for multiple stakeholders, including automatic security documentation for compliance auditors
LYNX Tech. Partners, New York, NY, June 2011 – Current
Certified Risk Management Officer / Program and Project Manager / Security Consultant
Assisted in the development of statements of work and/or RFQs to coordinate and test IT corporate policies, change management processes and procedures to meet clients' project portfolio management requirements, federally regulated NIST standards, mandated systems security standards and CyberArk compliance, for compliance with NIST SP 800-53, SOX, SOC 1, SOC 2 and SSAE 18; SAP; PCI; ADP Global Payroll implementation and compliance; RSA Archer 5.0; ServiceNow; Rsam; MetricStream GRC tool
Required to enhance Risk Management certification by obtaining 24 continuing education units (CEUs) to implement policies and procedures to meet SOX 404 compliance; GDPR compliance; access and identity management; SAP project management; PCI; and compliance experience focusing on Governance, Risk and Compliance
Performed SailPoint IAM selection and performance strategies, and Privileged Access Management (PAM) implementation plans and solutions.
Documented RSA Archer process design, including business and security requirements
Implemented policies, programs and standards for CyberArk compliance and auditing, focusing on Governance, Risk and Compliance and Vulnerability Management
Identified and designed reports within the RSA Archer GRC tool and ServiceNow, and assisted the Risk and Compliance Manager and Director in establishing an effective Vulnerability Management monitoring program
Evaluated SailPoint for various Global Identity and Access Management (IAM) programs and Privileged Access Management (PAM) solutions, including BeyondTrust and Hitachi.
Defined systems and application security baselines based on industry best practices, which efficiently and effectively mitigated risks, while respecting functionality and operational constraints.
Monitored AWS cloud security compliance with hardening baselines, and managed exceptions and the CASB (cloud access security broker)
Performed technical security assessments of information systems and applications for CyberArk compliance, to identify vulnerabilities and non-compliance with established security standards, and recommended effective mitigation strategies.
Assisted with, implemented and monitored Qualys VM continuous scans and ensured that, as advertised, it identified vulnerabilities with Six Sigma accuracy, protecting IT assets on premises, in the cloud and on mobile endpoints. Reviewed the executive dashboard displays for compliance: an overview of the security posture and access to remediation details. Ensured that Qualys VM generated the custom, role-based reports for multiple stakeholders, including automatic security documentation for compliance auditors
Supported engineering groups with security engineering expertise in the different security domains, such as identification and access management, authentication and authorization, secure design, system hardening, risk management, vulnerability assessment and management, security testing, secure software development.
SRM responsibilities: implemented a centralized procure-to-pay process flow. Implemented the SAP Supplier Relationship Management module that supported the full e-procurement cycle, from source-to-pay and purchase-to-pay to spend and supplier performance management
Supported the development of a risk management framework for information system-related security risks, and managed information system-related security risks in accordance with the client's project portfolio management requirements.
Evaluated emerging risks and information security technologies to ensure an up-to-date information security risk register, and defined and implemented effective, state-of-the-art security concepts for ADP Global Payroll implementation and compliance.
ADP Inc., Roseland, NJ March 2016 – June 2016
Senior Project Manager Global Privacy / Senior Project Business Analyst / Senior Project Security Consultant
Focus was on compliance, process flows and functionality within the RSA Archer modules and ServiceNow, and on Governance, Risk and Compliance utilizing the LockPath Keylight GRC platform (version 2):
Specified, implemented and documented information system security and privacy concepts and information security controls for new systems (ADP Global Payroll) and operational systems, in close collaboration with system owners and engineering groups, for ADP Global Payroll implementation and compliance.
Delivered information security and privacy support services to architects and system/application engineers by providing clear, concise and constructive recommendations regarding information system and application security for ADP Global Payroll implementation and compliance.
Implemented and monitored Qualys VM continuous scans and ensured that, as advertised, it identified vulnerabilities with Six Sigma accuracy, protecting IT assets on premises, in the cloud and on mobile endpoints. Reviewed the executive dashboard displays for compliance: an overview of the security posture and access to remediation details. Ensured that Qualys VM generated the custom, role-based reports for multiple stakeholders, including automatic security documentation for compliance auditors
Assisted architects and system/application engineers with CyberArk compliance and with the identification and implementation of privacy and other appropriate information security controls and hardening of systems, to ensure effective safeguarding of ADP Global Payroll clients' information assets. Defined policies, processes, procedures, configuration baselines and guidelines to ensure appropriate security risk management throughout the system life cycle for ADP Global Payroll implementation and compliance.
Performed technical privacy and security assessments of information systems, change management processes and applications (SOX 404, GDPR, PCI, SOC 1, SOC 2 and SSAE 18, endpoint security, CyberArk compliance, vulnerability and compliance management solutions, security information and event management) to identify vulnerabilities and non-compliance with established security standards, and recommended effective mitigation strategies for ADP Global Payroll.
Supported the development and promotion of information security policies, the Hitachi PAM technology tool, role-based access control environment standards, processes and procedures, and monitored compliance with the information security policy framework with a focus on information system security.
Implemented policies, programs and standards for CyberArk compliance and auditing, focusing on Governance, Risk and Compliance and Vulnerability Management
Evaluated emerging risks and information privacy and security technologies to ensure an up-to-date information security risk register, and defined and implemented effective, state-of-the-art Privileged Access Management and IAM security concepts and Hitachi PAM technology tools.
AIG International Global Development, New York, NY December 2015 – Feb 2016
Senior Project Manager Business Analyst/Senior Project Manager Security Consultant/Global Privacy
Designed, implemented and documented global information security systems and controls (e.g., file server encryption, SOX 404, GDPR, PCI, endpoint security, vulnerability and compliance management solutions, security information and event management).
Led global information security projects as laid down in the client's information security (RSA Archer) strategy, and recommended a Privileged Access Management / IAM solution (SailPoint and RSA Archer Aveksa IAM solution tool; Hitachi PAM technology tool) as the projected tool to satisfy the identified strategy in the role-based access control environment and compliance in the AWS cloud security and ServiceNow environment.
Reviewed and monitored Qualys VM continuous scans and ensured that, as advertised, it identified vulnerabilities with Six Sigma accuracy, protecting IT assets on premises, in the cloud and on mobile endpoints. Reviewed the executive dashboard displays for compliance: an overview of the security posture and access to remediation details. Ensured that Qualys VM generated the custom, role-based reports for multiple stakeholders, including automatic security documentation for compliance auditors.
Defined, optimized and executed the vulnerability, change management and patch management processes. Developed reports from vulnerability assessment scanners, patch management tools and emerging threat information, advised on risk remediation and monitored the mitigation of identified CyberArk compliance and security issues.
SRM responsibilities: implemented a centralized procure-to-pay process flow. Implemented the SAP Supplier Relationship Management module that supported the full e-procurement cycle, from source-to-pay and purchase-to-pay to spend and supplier performance management
Assigned to Office Depot/OfficeMax, through MSH Group, Fort Lauderdale, FL, September 2015 – November 2015
Project Manager/Senior Business Analyst/Senior Project Security Consultant
Direct focus was on compliance, process flows and functionality within the RSA Archer modules, with Governance, Risk and Compliance experience utilizing the LockPath Keylight GRC platform (version 2)
Implementation, testing and verification of the PCI DSS version 3.1 requirements and mitigating controls. Project management, implementation and compliance oversight for 8 major mitigating controls, and testing of security, risk and compliance management solutions for business acceleration, including managing organizational risk, CyberArk compliance, safeguarding mobile access and collaboration, proving compliance, securing virtual and cloud environments, and access and identity management within the role-based access control environment.
Reviewed and monitored Qualys VM continuous scans and ensured that, as advertised, it identified vulnerabilities with Six Sigma accuracy, protecting IT assets on premises, in the cloud and on mobile endpoints. Reviewed the executive dashboard displays for compliance: an overview of the security posture and access to remediation details. Ensured that Qualys VM generated the custom, role-based reports for multiple stakeholders, including automatic security documentation for compliance auditors.
The eight targeted areas were: application whitelisting, firewall integrity management, two-factor authentication (2FA), firewall rule optimization, enhanced vulnerability mitigation deployment, AWS cloud compliance, advanced persistent threat (APT) defense, data loss prevention (DLP), and privileged account management (PAM) (SailPoint IAM solution tool; Hitachi PAM technology tool)
Crystal Run Healthcare Corporation Inc. July 2014 – July 2015
Senior IT Compliance Project Manager, and Project Manager Systems Security Subject Matter Expert
Implemented an Integrated Risk Management Framework:
Risk & Regulation - Ensured that the organization's approach to risk management started with planning, that corporate objectives and regulatory requirements were identified, and that any risks related to these requirements were identified and assessed.
Policy & Control - Identified and prepared policies, controls and procedures, and ensured they were documented.
Auditing - Audited or tested the effectiveness of the controls to see which ones were working and which were not.
Monitoring - Ensured the control process contained a monitoring program. Performed and prepared audit findings and corrective action plans, and ensured they were implemented to harden the control environment before an event occurred.
Response - Put in place procedures so that when an adverse event does occur, a response plan is kicked into gear. Identified appropriate personnel to ensure they are dispatched to respond to an event.
Incident Report - Ensured the incident was documented, and that everything was collected and categorized.
Investigate - Ensured that information was processed and analyzed so that an investigation was kicked off to identify the root cause.
Analyze - Performed data analytics and observed patterns that identify behaviors, allowing continuous improvement and reduction of incidents over time.
Established the Controls Excellence Program for the end-to-end business process (the Business Process Cycle) and the change management process.
Led and participated in the core Controls Excellence management team focused on managing and leading strategic initiatives for Controls Excellence which increased value to the company, and partnered with leadership to influence and contribute to a strong, optimal controls environment which addressed Rsam; SAP; IT compliance with SOX 404, GDPR, PCI, SOC 1, SOC 2 and SSAE 18; HIPAA and HITECH reporting requirements; regulatory requirements; and standalone reporting requirements.
Implemented, reviewed and monitored Qualys VM continuous scans and ensured that, as advertised, it identified vulnerabilities with Six Sigma accuracy, protecting IT assets on premises, in the cloud and on mobile endpoints. Reviewed the executive dashboard displays for compliance: an overview of the security posture and access to remediation details. Ensured that Qualys VM generated the custom, role-based reports for multiple stakeholders, including automatic security documentation for compliance auditors.
Supported leadership in preparing and reviewing deliverables, reports and presentations to senior leadership, including the Audit Committee
Partnered with the Controls Excellence Director and provided support in achieving the overall goals and metrics of Controls Excellence, including supporting regular dashboard and Steering Committee requirements for ADP Global Payroll implementation and compliance.
Participated in setting and achieving access and identity management performance metrics, with experience in CyberArk compliance, Rsam, and RSA Archer Governance, Risk and Compliance utilizing the Privileged Access Management (SailPoint and RSA Archer Aveksa) IAM solution tool and the Hitachi PAM technology tool, and compliance in the AWS cloud security environment.
Led, coached and developed resources to achieve the function's objectives, including their longer-term career aspirations
Stony Brook University, March 2014 – July 2014
Sherwin-Williams Corp., December 2013 – March 2014
Michigan State University, May 2013 – November 2013
Senior Consultant
Involved in implementation, testing and verification of PCI DSS version 2.0, RSA Archer 5.4 and Rsam requirements implementation, and compliance testing of security, risk and compliance management solutions for business acceleration, including managing organizational risk, safeguarding mobile access and collaboration, proving compliance, securing virtual and cloud environments, and access and identity management.
Primary areas of focus were:
Platform as a point of consolidation for governance, risk and compliance information of all types; analysis and implementation of the NIST Cybersecurity Framework
Access and Identity Management Program development and enhancement
Seamless integration of data systems without the need for additional software
Automated movement of data into and out of the Platform to support data analysis
Governance, Risk and Compliance utilizing Privileged Access Management (SailPoint IAM solution tool and Hitachi PAM technology tool)
Flexible, code-free tool for consolidating information within the RSA Archer eGRC Platform
Data Publication Manager which allowed users to automatically extract information from the Platform and load it into external systems for advanced data analysis and modeling
Web Services API which supported integration with other business systems using the industry standard SOAP protocol.
The above functions were performed in all of the RSA Archer modules below and in Rsam:
RSA Archer e-GRC Platform v5.4.4
Modules: Policy Management, Risk Management, Compliance Management, Enterprise Management, Business Continuity Management, Vulnerability Risk Management, Security Operations Management, Incident Management, Threat Management, Vendor Management, Audit Management, Federal Assessment & Authorization, Federal Continuous Monitoring, GRC Platform
Various Clients, September 2012 – May 2013
Senior Business Analyst
Assisted in the development of statements of work and/or RFQs to coordinate and test IT corporate policies and procedures to meet federally regulated NIST standards and mandated systems security standards, for compliance with NIST SP 800-53, SOX, SOC 1, SOC 2 and SSAE 18; SAP; PCI; RSA Archer 5.0; Rsam; MetricStream GRC tool; Meaningful Use; and Sarbanes-Oxley.
Required to enhance Risk Management certification by obtaining 24 continuing education units (CEUs) to implement policies and procedures to meet SOX 404 compliance; access and identity management; SAP project management; PCI; Governance, Risk and Compliance utilizing the LockPath Keylight GRC platform (version 2); HITRUST; Meaningful Use Stages 1 and 2; Sunshine Act; Dodd-Frank; Sarbanes-Oxley; NIST SP 800-53; ISO 27002 and ISO 27001; SSAE 16 compliance.
Governance, Risk and Compliance utilizing Privileged Access Management (SailPoint IAM solution tool), Data Feed Manager, and the flexible, code-free tool for consolidating information within the RSA Archer eGRC Platform
Accuride Corporation, February 2012 – August 2012
Senior Business Security Analyst (RSA Archer Systems Security Implementation)
Developed, coordinated and tested IT corporate policies and procedures to meet federally regulated NIST standards and mandated systems security standards for compliance in the SAP 7.0 to 7.2 HANA environment. Helped to implement policies and procedures to meet Sarbanes-Oxley, NIST SP 800-53, ISO 27002, ISO 27001 and SSAE 16 compliance.
Implementation, testing and verification of PCI DSS version 2.0 and RSA Archer 5.2 requirements implementation, and compliance testing of security, risk and compliance management solutions for business acceleration, including managing organizational risk, safeguarding mobile access and collaboration, proving compliance, securing virtual and cloud environments, and access and identity management.
Platform as a point of consolidation for governance, analysis and implementation of the NIST Cybersecurity Framework, and risk and compliance information of all types; automated movement of data into and out of the platform to support data analysis; access and identity management enhancement; AWS cloud security; and user and group synchronization, which supported Active Directory and LDAP integration of user accounts and groups.
The above functions were performed in all 14 modules of the RSA Archer e-GRC Platform v5.2.4
Bank of New York Mellon, June 2011 – October 2011
Senior Business Analyst (RSA Archer and PCI Security Standards Implementation)
Managed a 15-member team
Active Directory and BindView implementation and testing to ensure compliance with federally regulated NIST standards (NIST SP 800-53) and mandated SOX 404 systems security standards.
Additional responsibilities were penetration testing and verification of PCI DSS version 2.0 and RSA Archer 5.0 requirements, developed towards reaching the following six (6) milestones:
Analysis and implementation of the NIST Cybersecurity Framework, with Governance, Risk and Compliance experience utilizing the LockPath Keylight GRC platform (version 2)
ADP Global Payroll implementation and compliance
Compliance monitoring of the implementation of the RSA Archer GRC platform tool
Functional responsibility was for implementation, testing and verification of PCI DSS version 2.0 and RSA Archer 5.1 requirements implementation, and compliance testing of security, risk and compliance management solutions for business acceleration, including managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments.
Platform as a point of consolidation for governance, risk and compliance information of all types; analysis and implementation of the NIST Cybersecurity Framework; automated movement of data into and out of the platform to support data analysis
Flexible, code-free tool for consolidating information within the RSA Archer eGRC Platform
Web Services API which supported integration with other business systems using the industry standard SOAP protocol.
The above functions were performed in all 14 RSA Archer e-GRC