
Senior Manager Risk Management

Location:
Toronto, ON, Canada
Posted:
January 24, 2024


Resume:

Raghu Nair GRCP, ISO ***** LA 1-909-***-****

ad219j@r.postjobfree.com

https://www.linkedin.com/in/nairraghu

Recipient of Certificate for Honesty & Integrity from Los Angeles County Police Headquarters

Rationalization & Design.

Mergers & Acquisitions, Transformation & risk-aware decisions.

Expectation-based Risk Assessment Framework

Governance of CMDB

Planned Implementation of Risk Assessment Process

Governance & Oversight

Audit & Assurance

Security & Compliance

Risk Management & Business Continuity

Strategy & Performance

Regulations, Standards, Frameworks, Systems:

HIPAA, SOX, COSO, GLBA, AML, NYSDFS, ISO 27001, NIST, NERC-CIP, GDPR, PIPEDA, SSAE 16/18, SOC 1/2, PCI-DSS, ITIL, COBIT, HITRUST, HITECH, SEC 404, NI 52-109

Professional Membership (Local Chapters & Online):

PMI, ISACA, COBIT Official, COBIT for IT Governance and Risk Management, ITSM (ITIL) Professionals

Certifications and Trainings:

Certified Governance Risk and Compliance Professional – OCEG

ISO 27001:2005 – Lead Auditor – BSI

Certified Cyber Security Professional – Global Tech

COBIT - ISACA

ITIL - EXIN

ServiceNow System Administrator – ServiceNow

SAS – Time Series – SAS corporation

Project Management certifications – PMI & Others

Data Governance & Privacy Foundation certification – Informatica

IT & Cyber Security – CYBRARY

Asset Security Fundamentals – CYBRARY

Payment Card Industry Data Security Standards - CYBRARY

Certified Cloud Security Professional - CYBRARY

Insider Threat Program – CYBRARY

GRC Tools:

ServiceNow GRC Module (Compliance, IRM), CSAM, Archer

PM Tools:

Jira, Confluence, MS Project, Advanced Excel

EDUCATION:

Postgraduate in Computer Application

Bachelor of Commerce

Managing Risk – Harvard University

EXPERIENCE

March 2020 – May 2023: Cognizant Technology Solutions – Sr. Program Manager / GRC Architect

Extensively worked on native ERP systems to generate Request For Information/Proposal/Quotation (RFI/P/Q), Statement Of Work (SOW), Memorandum Of Understanding (MOU) and Service Level Agreements (SLA).

PCI-DSS Premium Architect – PCI DSS 4.0 CoE Build – (A major Credit Card Issuer – Grand Rapids, Michigan, USA)

Led a team of 14 members to Strategize, Design, Architect and Establish Enterprise-wide Risk Assessment, to drive PCI-DSS control requirements through a PMO office and govern Technology Risk Management & Control Information Systems across different geographies to facilitate PCI-DSS compliance in phases.

My Responsibilities:

Governance – Tracking - reporting and project scope reassessment

Manage the recruitment of team members through an onshore / offshore model

Application Risk assessment and Data protection

Contractors and External supplier onboarding through Third party Risk Management steps

Assess Control Gaps; Establish Control Owner connects, Report Gaps, Highlight Vulnerabilities, to strategize mitigation steps.

Create Repeatable, sustainable PCI process and procedures.

Collaborated with the Process Control Owners in refining the control Objectives to accommodate 4.0 mandates.

Senior Program Manager – Revamp Cyber Security Posture – (A major health care provider, Bloomfield, Connecticut, USA)

To integrate with an existing Control Based Management system – HITRUST control, Compliance control delta between current and potential integrated entity, Policy and Standard Harmonization, Access Integrations, and Application assessment for Data Lake were normalized utilizing the Cognizant-START methodology.

Responsible for the project plan timeline and budget (ECT)

Responsible for the program management and reporting of 3 major projects. Advisory role to CISO:

To strategize approach and manage the tiered M&A needs using the native START Methodology

Conceptualized, Designed and Established RISK ASSESSMENT framework utilizing NIST 800-53, COBIT and ISO 27001, factoring resiliency into solution controls.

Responsible for the oversight and interdependencies and integration of interrelated projects

In building relationships across the organization, including Legal, Compliance, IT and Business

In the Risk Management, Policy Integration and Data Governance (Enterprise and Cloud)

In the Governance of Identity and Access Management (IAM), Compliance, Audit and Remediation

In the Information Security Compliance, in its approach to privacy and security

To define an evaluation report to establish the baseline for security measures utilizing Balanced Scorecard

Advocate for Policies & Procedures

To statute HIPAA requirements as applicable to its affected business functions and covered entities that utilize PHI/ePHI

Participate in special projects and initiatives as cyber security advocate to align with HITECH mandates. Performed an internal Cyber Security risk assessment of IT systems and infrastructure based on NIST CSF to enhance information security. The solutions that were implemented were transitioned to a managed security service.

Report gap analysis, assess security process maturity against the controls and framework of NIST.

Developed solutions in the space of:

o Policies

o Training & awareness

o Risk Assessment

o Access management

o Data Security

o Network Security

Conducted DR testing, studied the results, improved the BCP and resilience.

Recommended changes to the IT CHANGE MANAGEMENT Process

NERC-CIP SME – Proposal Architect – Integration of ICS with Digital Controls, Florida

Proposal to enhance the existing security controls of an organization generating above 50GW of power for Florida residents.

Developed the IT Control Design

Defined the assessment framework.

Integrated ISO 17799 with NERC-CIP (ver 5) to be mapped against NIST 800-53, from BES categorization to Physical Security

Engaged stakeholders heading the transmission organization and system operators, grid operations and technology leads managing the CAGE structured IT systems.

Mapped NIST 800-53 with the NERC Controls defined under CIP-002 to CIP-009

Senior Manager Projects GRC Architect – Regulatory mandate on Interoperability (HL7) – Multiple clients in US Health Sector - California, USA

Reporting to the Vice President for the geographies which the customer serves; analyze implications of federal, state, tribal, and local regulations including but not limited to the HIPAA privacy rule, security rule, unique identifiers rule, and enforcement rule to define and strategize the "shall" and "will" aspects of how the Medicare units embrace the interoperability norms.

Identified and developed policies for Personal representative access and privacy regulatory requirements.

Finalized policies applicable for Interoperability Solution. (HIPAA, CURES ACT, ONC, CMS)

Designed and implemented risk assessment “Expectation Based Interoperability Risk Assessment Framework.”

Mapping of health solutions to manage the covered entities of Payer, provider, and patient within the rules of HL7 standards and FHIR profile cross mapping.

Designed & documented third party applications risk management and onboarding processes.

Sensitive data definition areas for governance

Designing the Third-party APP Risk Strategy and Member portals integration

Conducted SAST/DAST testing of APIs and provided remediation exercises.

Security review – Application Security – Test Strategy

Establishing the design of data and privacy consent engine driven by the compliance standards and integration of those with member portals

Redefining the rules for member view for adjudicated claims data including provider remittances, encounter data, clinical data and other data managed by Medicare advantage, Medicaid FFS and Medicaid Managed Care.

Subject Matter Expert COBIT - IT Risk Consultant – Large Investment Management co., Jersey City, New Jersey, USA

As a COBIT IT Risk Consultant, worked closely with department management and engaged key cross-functional stakeholders across Technology and with Operational & Strategic Risk to implement COBIT within the Technology organization. Evaluate, assess, and provide recommendations to the management in identifying, assessing, and documenting key risks and controls and assess the COBIT maturity level of the organization.

Evaluate, assess, and provide recommendations to management for identifying, assessing, and documenting key risks and controls, Policy Changes, vendor management.

Assess process maturity based on COBIT capability levels.

Map COBIT (2019) to the existing technology policy statements

Identify gaps and propose new controls and tests plans to be recorded in The Enterprise Risk Management tool.

Identify controls in the internal Enterprise Risk Management system that meet specific criteria to map with COBIT Management Objectives

August 2014 – March 2020: Tata Consultancy Services – Lead Consultant, Cyber Security & Compliance

Extensively worked on native ERP systems to generate Request For Information/Proposal/Quotation (RFI/P/Q), Statement Of Work (SOW), Memorandum Of Understanding (MOU) and Service Level Agreements (SLA).

Lead Consultant GRC, Vendor Risk Assessment & Process Governance – Large Insurance Company, Syracuse, New York

Assessing the current strengths and weaknesses of the Information Security Risk Assessment process of Client data.

Vendor adherence to SSAE 16 SOC 2 type 2 report, analyzing the risk acceptance level in conjunction with compensating controls.

Assessing vendor managed controls impacting NYSDFS compliance.

Works with team members, Legal, IT Architects and Business to identify areas of improvement in the contract process and implements necessary changes.

Review of vendor security controls and processes (PEN TEST Results, Data Lifecycle Encryption)

Impart knowledge and provide training to AXA – TCS team in the space of SOX to enhance awareness of ITGC they operate and maintain.

Pilot assessment of IT General Controls for SOX 404 with Deloitte

Assess current state IT General Controls from a Design & Operating effectiveness standpoint using existing Risk Control Matrix

Walkthroughs with Stakeholders to review control effectiveness, risk control matrix, control narratives.

Recommend and guide the client SOX team to formalize response to pilot assessments by Deloitte.

Conducted DR testing, studied the results, improved the BCP and resilience.

Introduced changes to the Vendor risk assessment process.

Conducted Third Party Information Security Risk Assessments and Risk reviews.

Refined the review questionnaires, processes, and procedures for third party analysis, evidence collection and review process.

Conducted vendor site assessments, evidence collection and reporting.

Formalized a new third-party evidence collection procedure vetting third party audit reports.

Review and analyze compensating controls supporting deficiencies and proposed remediation.

Participate in and influence assessment process improvement, including procedures, processes, project deliverables and reporting initiatives.

Build relationships, facilitate, and collaborate with internal stakeholders and external contacts to advance program goals.

Audit Compliance & Process Excellence Manager – Energies & Utilities Co, Long Island, New York

To deliver Audit, Compliance and Process Excellence for Security & Compliance programs and projects

Oversee the tracking and management to closure of SOX audit issues and compliance investigations.

Mapped the NERC-CIP controls with SOX ITGC from a Control Management Standpoint

Developed systems to identify critical and non-critical cyber assets.

Developed process framework for Access and monitoring of ERP assets and integrated it with the On-site command center functions.

Defined MSP operational responsibilities at a system and process level

Identified potential footprint for the Managed Service Provider in the NERC-CIP data handling.

Analyze risk trends and have an oversight on third party risk to initiate risk response process.

Assisted in root cause analysis and corrective actions.

Provided expert advice to Vulnerability management headed by CISO office.

Designed and developed a Vulnerability Handling Matrix and prioritized vulnerabilities through CISO oversight.

Work with CISO, third party vendor and client to manage the IT and other vulnerabilities.

Provided IT Vulnerability information to Senior Leadership and Stakeholders.

Led a team of 20 people from different verticals to manage external and internal vulnerabilities identified through Qualys and Securicon.

Assessed the current Vulnerability management process, identified areas of improvement, designed and proceduralized new process.

Managed operational security metrics and compliance reports.

Security Consultant – For a Global Financial Services leader – New Jersey, USA

Security Control testing for Audit Readiness

o Rationalized 180 controls to identify 30 key controls, categorized them under 9 security entities.

o Developed a governance structure to formalize the testing process.

o Carried out Walkthrough with the stakeholders, conducted test of design and test of effectiveness using test of one principle.

o Reviewed evidence identified gaps to be remediated in the form of Observations and recommendations.

o Test Of design and Test of effectiveness on the COBIT Lite based controls

Governance around following functions – (COBIT)

o Security Incident Management

o Security Vulnerability Management

o Security Network Operations

o Security Training

o Security Baseline

Risk Identification

o Application Authorization and access management

o Authentication to firewall changes

o Device protection (Laptops, PDA, etc.)

o Firewall Management – Cisco (CSM)

o High Privileged and emergency access

o Information security tracking and monitoring (Splunk)

o Baseline configurations

o Security Incidents management

Provided guidance to the team in risk identification, analysis, and risk Mitigation towards Reporting

Summarized the findings for executive reporting.

Verified the process effectiveness to direct improvements established within the NIST Cyber Security Framework.

Project Lead – Compliance – A Major Supplier of Energies and Utilities for the state of California – San Dimas, California

Transitioning the infrastructure services of the client to Managed Service (integrating Service Management processes, tools and other infrastructure services with regulatory requirements like SOX, NERC-CIP, SSAE 16).

Developed Systems and Processes for the management of NERC-CIP and SOX controls.

Access Management Process Implementation (Design, Document, Train)

Evaluate to assess Gaps in the Service Provider standards for SSAE-16 SOC1 reports.

Assessed the current regulatory requirements of NERC-CIP

Led the MSP team to mitigate Cyber Security and Compliance 2017 Observations, Vulnerabilities on SOX Controls, General Controls (BCP, Operational and Governance), NERC/CIP Controls, Internal Audit Findings

Evaluate and establish ITGC in the effectiveness of Security Operations, SIEM, NERC Security Incidents

Oversee and monitor internal teams to provide governance and audit reports- weekly, monthly, and quarterly.

Oversee General Operational Controls like BCP, operational data and System controls

Control Narratives for 3 domains that interface with SAP – GRC, ITSM and Non-SAP applications:

a) Control Processes and Narrative Documentations (SOX & NERC-CIP)

b) Review Controls Activity and Evidence Design with IT Compliance, SOX Testing, Internal Audit, Process Owners, Controller Team, and External Auditors

c) Key controls testing with control performers by doing a tabletop exercise with each Primary/Backup control contact.

d) Managed Service Provider was given training on SOX and a detailed Train the Trainer session (Control contact) to understand their responsibilities and obligation for each control in the 3 domains.

Documented NERC-CIP controls and process documents with MSP responsibilities aligning with Client security mandates.

Developed and managed a high level and detailed project plan for implementation of changes in the IT systems.

FEB 2013 – JUN 2014: Qaknights.inc (Project Manager) Calgary, Canada

Significant Projects and Responsibilities:

Provided advice and guidance to business partners and project teams, established systems and processes to manage integration, and developed processes to complete transition by adapting best practices and standards.

1. Engineering Document Management System for IDocz (As a Senior BA)

Assessed the current EDMS practices of a client from the Petroleum and Petrochemical industry.

Developed a Software Selection Matrix (SSM), based on SEI standards to evaluate requirements.

Used the SSM to short list Vendors during the selection process.

Recommend and Report to client with software vendor list.

Implement Solution after re-engineering the transmittal/submittal/Document control.

2. Bair Project for UFA (UNITED FARMERS OF ALBERTA) (Part of the Transformation program) (As a Senior BA)

Conducted discovery workshops with business stakeholders across SAP Application Support, IT Infrastructure and Transformation team.

Collaborated with the Business stakeholders and IT stakeholders in defining business needs.

Documented the delineation of task ownership and relevant roles and responsibilities.

Identified and documented internal OLAs and IT Infrastructure Service Level Thresholds

Completed the data collection and Analysis and BA for OLA process.

Integrated the Release Management Process with the OLA process for Pre-Prod Environments

Integrated OLA framework with ServiceNow

Created Operational Level Agreement (Framework) for SAP Hardware Refresh & Data Centre Migration

MAR 2012 – NOV 2012: INFOSYS (Lead Project Consultant) Calgary, Canada

Guided the design, planning, scheduling, and execution of IT Service Management (ITSM) Programs through a Global Delivery Model. This involved leading and coordinating offshore and onsite teams and, if required, business advisors with industry specialization. Performed cross-functional activities to support the horizontal layers of Sales and Delivery across the four industry verticals as the SME in COBIT and ITIL. This was predominantly used for the preparation of Business Cases and Responses to RFPs.

Responsibilities

Manage consulting services cost from analysis phase through to completion of engagement.

Perform accurate analysis and effective diagnosis of client issues.

Serve as a principal consultant and trusted advisor for matters pertaining to knowledge transfer.

Responsible for achieving time frames for all active projects and within financial guidelines.

Maintain reference-table of clients from beginning to end of the project/engagement life cycle.

Manage direct reports (i.e., hire, train, develop, appraise, reward, motivate, discipline, etc.)

Maintain effective utilization/morale of project resources.

Participate in direct sales cycle to support stakeholder needs.

Projects

Service Operations Processes – (Asset & Configuration, Release and Change, Request – Event & Incident – ServiceNow)

Service Process Maturity Assessments and CSI (8–10 weeks)

Business Service catalogue and technical Service catalogue for production systems

IT Asset and Configuration Management (ServiceNow)

Transformations of Data Centre (Physical to Virtual, Managed services to in sourcing)

JUL 2010 – MAR 2012: IBM (Project Lead Control Framework) Calgary, Canada

Focused on the merged IT services for Alberta Health Services; project managed, counselled, advised, facilitated and trained process assessment participants in adding value to the Control Framework. Interacted with Business unit leads, third party vendors, Business Analysts, Operation centre staff, Developers and various groups within the ITS department, providing facilitated guidance in the integration of systems and processes. Post assessment – facilitated guidance for solutions implementation and establishing IT controls to comply with HIPAA, FDA and FOIP requirements and standards.

Responsibilities

AHS IT Control Framework

o An AHS Baseline Self-Assessment

Formalized assessment process

Identified AHS personnel to participate in the assessments validated through RACI charts

o Quality Assurance Cycle for validation and updating of the established AHS IT Control Framework

Validated the draft AHS IT Control framework as part of the QA Cycle using PDCA methodology.

o Formal Assessment of AHS utilizing the AHS specific IT Control Framework

o Assessments and Evaluation

Identified governance structures and functions within each individual process.

Identified Potential Risk

Assessed the architecture of applications running on distributed systems.

Assessed Data centre environment including thin client reliant servers, network backbone, Systems supporting Patient care systems and all associated Technology that support Clinical applications.

1.3.2 Facilitation and Guidance (Mitigation plan and Treatment)

Improved initiatives for electronic record management

Improved security controls in all layers of patient care Systems

Improved Network management

Removed dependency through failovers, mirroring, and other scalable redundant platforms.

1.3.3 Recording analysis and reporting for executive visibility.

Notification of potential Risks

Moving the identified risk to Risk Register

Trained new recruits and transitioned the project to an operation group

JUN 2007 - APR 2009: Enerflex (Lead IT Governance & Control) Calgary, Canada

DEC 2005 - APR 2007: CompuCom (Technical Support Analyst) Toronto, Canada

SEP 2005 – NOV 2005: Bank of Montreal (Project Coordinator) Toronto, Canada

APR 1989 – MAR 2005: Emirates Airline (Senior Network Engineer) Dubai, UAE

Working Towards CISM

