BISMARK AVORNU
SPOKANE, WA *****
CELL: 509-***-**** EMAIL: *******@*****.***
PROFILE
I have over 8 years' experience in conducting comprehensive assessments and reviews of IT security controls for audited applications and information systems. My expertise includes conducting third-party vendor risk assessments, the NIST Risk Management Framework (RMF), FISMA reportable systems compliance, information assurance, system monitoring, regulatory compliance, and loss mitigation. During the past 8-plus years, I have gained experience in legal compliance, documentation, attention to detail, risk management, research and analytical skills, and thoroughness, among others. I have worked with various clients in the financial industry. My knowledge of industry standards and ability to meet milestone deadlines make me a valuable addition to any organization focused on staying on top of information security matters.
SKILLS
RMF/NIST
INFORMATION SYSTEMS SECURITY
ISO 27001/27002
VENDOR RISK MANAGEMENT
PCI DSS
HIPAA
PROFICIENT IN MICROSOFT OFFICE
ABILITY TO COLLABORATE WITH INTERNAL/EXTERNAL PARTNERS
TENABLE SECURITY CENTER
EDUCATION
Eastern Washington University, Cheney/Spokane, WA
Master of Business Administration (MBA), December 2018
Bachelor of Arts in Business Administration (BAB), Dual Majors: Professional Accounting, Finance, June 2016
Ho Technical University, Ghana, West Africa
Higher National Diploma (HND) in Statistics (Bachelor's equivalency in Statistics), June 2002
EXPERIENCE
TEKSPROS, FREDERICK, MARYLAND
IT Auditor/IT Security Analyst - Consultant 2018 – Current
Performed basic risk assessments and security reviews to ensure compliance with internal policies, standards, and regulatory requirements. This included performing root cause analysis, investigating and resolving security incidents, identifying security risks and exposures, determining causes of security violations, and designing, recommending, and tracking procedures to mitigate future incidents.
Proactively evaluated whether an event needed to be escalated to management and recommended a course of action for low- to medium-complexity situations.
Tracked progress of remediation with responsible partners and support teams
Provided support to projects, worked with user community, and assisted with IT risk and compliance needs.
Performed third-party risk assessments and vendor due diligence.
Monitored third-party operational risk trends and provided analysis of data and other operational risk metrics using Security Scorecard.
Tracked exceptions to IT policies and procedures and followed up with management approval for implementation.
Used the GRC tool Archer to conduct application assessments and track issues identified during the assessment, with supporting mitigation measures.
Performed IT risk, security risk, and control assessments for new products/initiatives.
Reviewed services provided by vendors and defined the scope of assessment.
Reviewed assessments performed by third parties and provided feedback. Defined appropriate risk levels and corrective actions for issues identified.
Presented issues to 3rd parties and obtained corrective action plans.
Entered corrective action plans into the system, followed up on them, and reviewed evidence for closure. Provided metrics on a regular basis (KPI/KRI).
Periodically reached out to vendors hosting our data regarding current threats to ensure they were taking the necessary steps to reduce exposure, as part of ongoing monitoring.
Conducted vendor risk assessments using the Standardized Information Gathering Questionnaire (SIG Core/SIG Lite) to assess service providers during onsite or virtual assessments.
Designed and performed IT and infrastructure HIPAA audits related to information security policy, regulations, governance, and other security-related provisions and best practices.
IT Auditor - FISMA
Performs security assessments on Major Applications (MA) and General Support Systems (GSS) in accordance with the requirements of NIST SP 800-53A.
Holds kickoff meetings to initiate the assessment engagements.
Reviews System Security Plans (SSPs) to get a clear understanding of security control implementation statements.
Creates Artifact Requests Lists (ARLs) by going through the control implementation statements in the SSP.
Interviews system key stakeholders to gain a clear understanding of how security controls have been implemented in the application.
Facilitates Contingency Planning tabletop and simulation exercises in accordance with the requirements of CP-4.
Reviews Tenable Nessus and Fortify Web Inspect Vulnerability Scan Reports and SIEM tool outputs to augment security assessment activities.
Creates final Security Assessment Results (SARs) that detail all findings identified during the security assessment engagement.
Conducts annual Continuous Monitoring compliance checks and analyzes system assessment documentation for accuracy, compliance, and adherence to federal cybersecurity requirements.
Works with and identifies key stakeholders for annual assessments as needed, including conducting OMB A-123 compliance assessments and high-level assessments of government shared services.
Applies IDS and IPS tools to detect and prevent malicious activity entering the network.
UMPQUA BANK, SPOKANE, WA
IT Compliance Analyst - Contractor 2016-2018
Point of contact for the Information Technology (IT) team to assist on all internal and external audit requirements. Act as the primary liaison between the IT staff and corporate internal and external audit resources.
Supported the maintenance of process and controls documentation (Risk Control Matrix, process flowcharts, controls testing procedures) and supported compliance activities for IT, Finance, and other groups.
Supported SOX and regulatory requirements for the IT systems.
Owned the IT controls, framework mappings, and GRC process to ensure coverage, mapping, and change management for various compliance frameworks such as SOX 404 and 802, PCI, SOC 1/2, and ISO 27001:2013.
Supported and managed detailed testing of controls to ensure risks were appropriately identified, associated audit procedures were applied, related controls were designed and operating effectively, and any identified risks were mitigated.
Monitored activities of IT teams to ensure compliance with internal policies and procedures including monthly, quarterly, and annual activity reviews.
Ensured execution of required testing and auditing activities for IT by internal and external parties, leading to successful certification of the company on an ongoing basis.
Assisted the business to document, assess, and remediate any gaps and risks raised during assessments.
Developed and updated IT policies and controls and updated related control matrices.
Coordinated IT change control.
Maintained IT Training records and training plans.
Maintained SOC 1/2 vendor lists and 3rd party vendor compliance requests.
Maintained documentation of all audits, results, and remediation activities.
Assisted with assessing the results of testing, including the assessment of identified control deficiencies, and worked with process owners to ensure timely remediation.
BSYSTEMS, ACCRA, GHANA
IT Compliance Analyst 2015-2016
• Performed third-party risk assessments and vendor due diligence.
• Designed, implemented, and maintained a continuous compliance framework.
• Performed internal auditing functions and compliance reviews.
• Supervised and participated in external compliance audits/certifications.
• Created and maintained company security and compliance policies and procedures.
• Researched new regulatory compliance requirements, legal obligations, and framework revisions.
• Provided guidance and subject matter expertise to project teams on security and compliance.
• Evaluated and implemented GRC products/solutions.
• Managed the risk register and developed metrics for reporting risk.
• Recommended, documented, and monitored implementation of risk treatment plans.
• Developed and maintained the vendor risk management program.
• Supervised and performed internal assessments such as SIG.
• Developed and maintained security awareness training materials.
• Worked across the organization to evaluate and address gaps in governance, risk, and compliance.
• Managed cross-team initiatives related to security and compliance.