Alfonso J. Yi, CISSP, CISM
**.*******@*****.***
973-***-**** mobile
Information Technology Security & Risk Management Professional
A proven business and technology leader with over two decades of enterprise delivery and risk mitigation experience at top global financial services, security, energy, technology and management consulting firms, leveraging broad Financial, Technology, Security & Risk acumen to forward the business mission through collegial organizational and third party engagements, while protecting the confidentiality, integrity and availability of enterprise assets.
CORE COMPETENCIES
Technology Operations Management
Change & Configuration Management
Security Operations & Risk Management
Risk Program Development & Management
Business Continuity & Disaster Recovery Management
Operational & Financial Risk Management
Global Team Building & Management
Vendor & Contract Management
PROFESSIONAL EXPERIENCE
Gartland and Mellina Group, CISO & Client Engagement Manager, New York 2011-2016
As Chief Information Security Officer (CISO), developed & managed the Information Security & Risk Management program. Managed vendor resources responsible for information processing. Participated in industry events to promote security awareness. As Client Engagement Manager, served as a trusted adviser, responsible for identifying business opportunities, managing the pursuit team, closing deals, developing requirements, responding to RFPs, coaching and mentoring associates, and managing client engagements.
Conducted continuous monitoring of information assets; authored and implemented Information Security & Risk Management policies, standards, procedures and guidelines, including: Access Control, Acceptable Use, Cyber Security, and Data Classification. Led Risk Assessment and Business Impact Analysis, and authored Business Continuity and Disaster Recovery plans. Developed and delivered Information Security & Risk awareness and education. Provided quarterly management reports on Security program effectiveness, industry trends, and potential threats. Managed the Computer Incident Response Team (CIRT), Network and Telecommunications vendors, contracts and the annual recertification process. Managed change and configuration management for network infrastructure, services and application processes, including third party hosted solutions.
Venture Capital Firm Client: Conducted a due diligence assessment on a Private Financial Services Market Data company to support a venture fund investment round.
o Approach: evaluated the target company’s Technology, Operations, Information Security & Risk profile, including integration with key third party vendors and suppliers. Conducted management interviews to assess the human capital commitment and effectiveness in contributing to the organization’s strategic objectives. Documented and assessed corporate assets, human capital, and strategic client delivery channels.
o Result: delivered a target company assessment including technical capabilities, and recommendations to mitigate deficiencies in network infrastructure, source code management, third party sourcing, change and configuration management, security policy, documentation & controls management. The Private Equity venture client subsequently completed the planned target company investment. With the client’s consent, provided the target company a prioritized and cost-effective list of recommendations to correct material findings and strengthen existing controls to protect their customer data and corporate assets, and achieve their strategic business mission.
Middle East Investment Bank Client: Partnered with client, and strategic integration partners to perform a business, technology, and risk assessment, followed by planning and delivery of a multi-year $40 Million Core Banking Transformation program.
o Goals: included simplification of the technical environment, reducing operational expenses, bringing the organization into U.S. Federal Regulatory Compliance, and improving the client experience.
o Approach: led the engagement team to perform a current state business, technology, and risk assessment to identify organizational challenges, opportunities and strengths. Presented the client with findings, and developed a framework and plan to accomplish goals. Partnered with strategic integration partners to create high level and detailed program plans, including: financials, governance, communication, technology, information security, business model design and support, resourcing, and change & configuration management.
o Challenges: included resolving Financial and Operational analytics reporting, reducing high OPEX resulting from maintaining an inefficient legacy technical environment, reducing reliance on Subject Matter Experts and excessive manual processes, and addressing weak security and risk controls.
o Solution: migrated the client to an Application Support Provider (ASP) model, restructured regional workflows, and implemented reference data cleansing and normalization, records archival management, employee education, and data classification and access controls, based on ISO, NIST, ITIL & COBIT frameworks.
o Result: projected annual 25% expense avoidance, and achieved U.S. Federal Regulatory conformance. Enhanced sales channels for Liquid and Illiquid Asset Classes; delivered enhanced business analytics, security and risk management by restructuring the organizational hierarchy, implementing data classification and access controls, and retiring unsupported legacy applications.
European Investment Bank Client: Managed a U.S. Federal Regulatory Dodd-Frank program. Specific responsibility for establishing a framework for enterprise swaps reporting, and assisting the business in establishing a strategic regulatory conformance state.
o Scope: included 5,000+ Associated Persons (sales/traders) across two registered Swap Dealers in 36 global jurisdictions. Target state included retention of daily trade and business records, including: voice, mobile metadata, e-mail, instant messenger, trade and paper records.
o Approach: assessed various Big Data solutions from NICE, Autonomy, Bloomberg, and MarkLogic to develop a reporting solution by unique identifiers: Legal Entity (LEI), Swap (USI), Counterparty (UCI), and Product (UPI). Partnered with internal Audit, Risk, business and technology teams to create proprietary product position models, and refresh record retention standards.
Bank of New York Mellon, Vice President, Senior Corporate Consultant, New York 2011
Conducted assessments, and partnered with business, operations and technology teams to develop strategic operations and technology investment recommendations intended to drive business growth, while mitigating operational risk and expenses for Financial Markets and Treasury Services, Alternative & Broker Dealer Services, Asset Management, and Asset Servicing.
Served on operations committees and was responsible for conducting risk assessments (including market and regulatory, credit, legal, technology, and client delivery) and recommending various approaches to grow a $60 Million global, multi-asset class portfolio channel.
Recommended enhancements to redesign: Trading and Execution, Confirmations / Settlements, Valuation, Recon, Collateral, Event, Margin, Custody, Cash Collateral Investing, Accounting, VAR/Risk Analytics, and Futures technology systems, and operational workflows to improve business analytics, achieve incremental $5 Million in cross-sales opportunities, and reduce annual OPEX expenses by over $1 Million.
Conducted risk assessment of procurement and accounts payable workflows, identifying $3 Million in OPEX savings across Bank of New York Mellon and the Pershing LLC subsidiary.
Citigroup, Senior Vice President, New York 2004-2011
Managed global business and technology teams performing operational, technology and risk assessments to identify business growth opportunities, enhance operational effectiveness, mitigate risk, and reduce overall CAPEX and OPEX expenses.
As Senior Vice President, Business Planning and Analysis Group Manager, performed financial and operational risk analysis to enhance Balance Sheet, Activity Based Costing, and regulatory reporting.
o Earned promotion by managing business and control teams across 68 countries to source, enrich, and integrate referential and reconciliation data. These efforts served to create a culture of accountability by assigning ownership to over $3 Billion in previously unassigned or incorrectly reported balance sheet activity.
o Leveraged Data Warehouse Business Objects reporting model analytics to close reporting gaps (e.g. mapping individual and department ownership, aging history), resulting in over $50 Million in annual OPEX reduction.
o Partnered with business, technology and control/risk teams to develop and syndicate reports via a customized web-based management dashboard, providing executive, operational, internal Audit and Risk management oversight.
o Assisted in the preparation and analysis of regulatory reports for U.S. SEC, Fed & FINRA Regulators.
o Managed a Center of Excellence program, including development of a reporting portal to capture Key Performance, Risk and Control Indicators with strategic vendors (Wipro, TCS) to support right-shoring selected business functions, impacting 30,000+ institutional employees, third party captives, overseas resources, and temporary staff.
As Vice President, Information Security & Risk Compliance Manager, earned promotion by managing a security information and event management (SIEM) team to conduct continuous monitoring of the majority of hosted Internet facing business applications.
o Hired, coached and mentored an international, multifunctional team of 50+ network & security professionals (based in New York, Orlando, Mumbai, & Chennai, India), with $10 Million P&L.
o Responsible for operational risk effectiveness, including change & configuration control for business Internet facing applications, and corresponding middleware, O/S, and network architecture (i.e. security and anti-virus software, firewalls, IDS, IPS, OS on servers, applications, DBMS, and networking equipment).
o Partnered with Audit, Risk, Operations and Business to develop KPI, KRI and KCI benchmarks and reports to alert to anomalous network behavior and transactions.
o Invited to support multiple business, operations and technology audits and reviews across Asia, Europe, the Middle East, North and South America.
o Executed corrective action plans to remediate inherited client data management deficiencies.
KPMG International LLP, Information Technology (ITS Global) Manager, New Jersey 2004
Partnered with the business to develop and execute strategies to deploy new technologies and applications, and implementation guidance for all 120+ KPMG Member firms (impacting 140,000 users). Instrumental in developing core concepts, processes, and marketing collateral to promote the global adoption program.
Provided technical expertise and managed delivery of applications to end users, including formulating plans to gather and define business requirements while managing the risks to improve business processes and translating the requirements into systems solutions by preparing functional specifications.
Supported the evaluation of enterprise application, security tools, and network solutions to improve business efficiency, while mitigating risk and improving the client experience.
Yi Engineering, Inc., Founder & CEO, New Jersey 2000-2003
Advised Fortune 500 Bank & Technology clients on operational effectiveness, including: conducting pre-M&A due diligence, information security & risk management, network architecture, and business continuity and disaster recovery management assessments.
Republic National Bank / (acquired by) HSBC Bank USA, Technology Project Manager, New York 1998-2000
Kastle Systems Inc. (Security Management), Operations Manager, New York and Washington D.C. 1998
Consolidated Edison, Inc. (Power Utility Management), Network Engineer, New York 1997
Securities Industries Automation Corporation (NYSE/AMEX), Network Engineer, New York 1994-1996
SECURITY, TECHNICAL & REGULATORY COMPETENCIES
COBIT 4.1/5.0; ITILv3; SOC1/2; COSO IC FW 2013; ISO 27001:2013; ISO 22301; NIST SP 800 series: 27rA IT Security, 30r1 Risk Assessments, 37r1 IS Risk Mgt., 39 IS Security Risk, 40r3 Patch Mgt., 52 TLS Configuration, 53 Privacy Controls, 81-2 DNS, 82r2 ICI, 88r1 Media Sanitization, 89 Digital Signatures, 122 Protecting PII, 124r1 Enterprise Mobile Mgt., 137 IS Monitoring, 152 Crypto Key Mgt.; NIST SP 1800 Cybersecurity series: 1 Mobile Health Records, 2 & 3 Access Controls, 4 Cloud & Hybrid, and 5 IT Asset Mgt.
Cryptography, Environmental Security, Networks & Internet Security, Application Security, Access Control, Operations Security, Security Architecture & Design, Security Information Event Monitoring (SIEM), Legal, Regulatory, Compliance & Investigations, Network Telecommunications, Mobile & Cloud Security, Big Data, Reference Data, Data Warehousing; Sarbanes-Oxley (SOX), Dodd-Frank, PCI-DSS, HIPAA, GLBA, Basel II/III, and Safe Harbor
BUSINESS COMPETENCIES
Operational & Financial Planning Management
Program & Portfolio Management
Client Advisory & Management
Enterprise Application & Portal SDLC
Capital Markets, Broker Dealer Services
Corporate Trust, Shareholder Services
Treasury Services, Asset Servicing
EDUCATION & CERTIFICATIONS
Northwestern University – Kellogg School of Management, Executive Education, Enterprise Risk Management, Operational & Market Risk Management, including Basel II/III, Credit Swaps, Credit Derivatives, Liquidity Risk & CDOs (Statistical Loss, Empirical, Parametric & Extreme Value Theory Models)
Stevens Institute of Technology, Howe School of Technology Management, Master of Science, Management Information Systems, concentration in Finance and Strategic Sourcing
New York University School of Engineering, Bachelor of Science, Computer Science
ISACA, Certified Information Security Manager (CISM) No. 0911021
ISACA, Cybersecurity Certificate (CSX) No. 201*-******-CSXF
ISC2, Certified Information Systems Security Professional (CISSP)
PROFESSIONAL AFFILIATIONS
Information Systems Audit & Control Association (ISACA)
Institute of Electrical and Electronics Engineers (IEEE)
International Information Systems Security Certification Consortium (ISC)2
Global Association of Risk Professionals (GARP)
Professional Risk Managers’ International Assoc. (PRMIA)
The Society of Hispanic Professional Engineers (SHPE)
The Global Sourcing Council (GSC)
Native Spanish communication proficiency; U.S. Citizen