KELLY MASANGO
Irving, TX ***** 612-***-**** ***********@*****.***
SUMMARY
Multi-talented IT professional with over 10 years' experience developing and implementing security controls in fast-paced environments; Third-Party Vendor Risk & Compliance Analyst. Committed expert in reviewing and implementing internal control procedures to ensure efficiency and risk mitigation: vulnerability management, risk assessment, corrective action plans, and continuous monitoring against PCI DSS, HIPAA, HITRUST, ISO 27001, the NIST SP 800 series, FISMA, and FedRAMP. Skilled in security and privacy control assessment with a proven history of delivering exceptional risk management support under the Risk Management Framework (RMF). Skilled in assembling authorization packages using documents such as the NIST SP 800 series, FIPS 199, and FedRAMP. Implement new security solutions and conduct vulnerability assessments and compliance audits to ensure that systems obtain and maintain their ATOs while interfacing with stakeholders in an interdisciplinary environment. Solutions-oriented Business Analyst possessing a unique combination of business analysis, quality assurance testing, and application development experience in top-tier organizations. Solid SQL query-writing skills paired with familiarity with visualization tools and techniques. Successful provider of financial services with 10 years of comprehensive experience. Flexible and versatile Business Analyst specializing in developing innovative solutions to organizational problems. Advanced knowledge of asset tracking software. Committed to providing accurate, effective advice to customers. Detail-oriented risk management specialist versed in financial analysis and reporting.
Brings advanced understanding of market conditions and trends, risk mitigation strategies, and financial decision-making. Expert in diverse statistical analysis techniques. Adept at uncovering fraud and suspicious transactions. Uses strong attention to detail and a systematic approach to review daily merchant portfolio batches. Good report writing and recordkeeping abilities.
SKILLS
Risk Management Framework
Expert knowledge of the NIST SP 800 Special Publication series and FISMA requirements
Vulnerability scan analysis with Nessus, DbProtect, WebInspect, Qualys, and Nmap scanning tools
Knowledge of Enterprise Risk models and tools, as well as a good understanding of the Enterprise Risk framework
Excellent written communication and documentation skills
Compliance /Audits
Vendor Risk/ Third-Party Security
Risk Management
Operational Reporting
Data Mapping
Data Mining
Business Planning
Requirements Gathering
Internal Auditing
Strategic Planning
Technical Writing
Quality Assurance
Competitive Analysis
KPI Tracking
Cost-Benefit Analysis
Product Management
Revenue Development
Search Engine Optimization
Needs Assessments
Plan of Action and Milestones (POA&M)
LogMeIn, OneTrust, Jira, ServiceNow, KnowBe4
FedRAMP Compliance
SOC Reports, and SIG Review
Excellent analytical, decision-making, and problem-solving skills
Multi-tasking; works independently and with a team
Strong skills in MS PowerPoint, MS Word, and MS Excel
Risk Mitigation Strategies
Stress Testing
Data Interpretation
Internal Audits
Employee Safety
Risk Mitigation
Trend Analysis
Incident Investigations
Analytical Mindset
Mediation
Claims Management
Data Analysis
Quantitative Analysis
Root Cause Analysis
Operations Analysis
Campaign Performance Tracking
Workflow Analysis
Customer Needs Assessment
Business Process Improvement
Gap Analysis
User Acceptance Testing
Project Management
CRM Systems
Stakeholder Management
Financial Advising
Product Development
Pivot Tables
Operations Management
Microsoft Office Suite
Human Resources Information Systems (HRIS)
HTML and CSS
BI Tools Expertise
SAP
Consulting
Negotiation
Staff Management
Customer Targeting
Forecasting and Planning
EXPERIENCE
07/2021 - Current Risk Management Analyst
SNF Inc. - Fort Worth, Texas
Conducted Privacy Threshold Assessments to determine whether any changes might lead to PII collection, and Privacy Impact Analyses
Vast knowledge of all aspects of the Security Authorization and Continuous Monitoring process using NIST Special Publications 800-30, 800-37 Rev 2, 800-60, 800-53 Rev 5, 800-53A Rev 5, 800-171, FIPS 199, and FIPS 200
Experience in remediating vulnerabilities and defect fixes by working closely with development leads and engineers
(Emergency on-call ISSO)
Managing and ensuring information systems security within my organization for systems under my care
Conducting continuous monitoring, risk assessments, monitoring security compliance, practicing security training, and responding to security incidents
Security Control Selection: based on the categorization of the information system, I select security controls using NIST SP 800-53 Rev 5
Set up meetings with common control providers to identify system-specific and hybrid controls and tailor the controls based on the organization's mission and needs
Work with developers, system administrators, and third parties such as vendors and Cloud Service Providers (CSPs) to ensure that the controls are implemented, and document all approved controls in the SSP
Assist with the development and maintenance of all necessary A&A documents
Experience using the Risk Management Framework (RMF) to support the A&A process, including analyzing the development of supporting policies, procedures, and plans, and designing and implementing security controls
I play a crucial role in safeguarding sensitive data and maintaining the integrity, confidentiality, and availability of information systems under my care
Knowledge of Federal regulatory bodies and requirements such as the Office of Management and Budget (OMB), National Institute of Standards and Technology (NIST), Federal Information Security Management Act of 2002 (FISMA), and Federal Risk and Authorization Management Program (FedRAMP)
Tracking IT security risks by monitoring POA&Ms that exceed the remediation timelines established in the vulnerability management plan and ensuring valid risk mitigation plans are in place
Provide coordination, tracking, and management through all aspects of the initial and recurring A&A processes.
Investigated incidents related to security breaches, malware infections, or other cyber-attacks.
Issued clear warnings to violators, outlining infractions, penalties and remediation steps.
Analyzed system logs regularly to identify suspicious activity or unauthorized access attempts.
Conducted regular audits to ensure compliance with internal controls, applicable laws, and regulations.
Investigated reported and identified compliance issues against accepted standards.
Followed proper protocols for reporting suspected violations to internal personnel or outside governing agencies.
Established working relationships with regulatory agencies.
Facilitated adherence to safety and regulatory objectives and managed client-specific projects, training programs, and personnel background checks.
Analyzed data to provide insights and recommendations for mitigating conduct risk.
Developed and implemented strategies necessary for minimizing risk of non-compliance.
Issued official approvals in instances of achieved or exceeded compliance standards.
Established internal controls and processes to support compliance through project management and engagement of key stakeholders.
Liaised between regulatory agencies and internal departments to facilitate regulatory and related matters.
Collected and reviewed data to identify potential compliance issues requiring further review.
Researched emerging technologies that can improve the organization's overall security posture.
Evaluated vendor services for compliance with organizational requirements regarding data protection.
Monitored compliance risk controls to identify deviations and offer recommendations.
Performed periodic vulnerability scans to identify potential points of entry into the network.
Recruited, hired and oversaw team of personnel maintaining [Type] compliance.
Utilized risk management techniques and business knowledge to improve compliance programs.
Developed systems to track and monitor compliance with regulatory requirements and internal policies.
Conducted reviews to foster ongoing compliance with federal and local regulations.
Stayed abreast of applicable laws and state or federal regulation to report violations.
Documented all processes related to systems administration tasks performed by IT personnel.
Monitored network traffic using intrusion detection software to detect potential threats or malicious activities.
Used proprietary systems to process applications, filings, and registrations.
Provided guidance on how best to respond when faced with a security incident.
Reviewed existing applications for security vulnerabilities or weaknesses before deployment into production environments.
Produced reports outlining assessments completed and follow-up recommendations.
Maintained compliance frameworks, policies and documentation to support audits.
Identified areas of risk within the system and worked to eliminate them through appropriate solutions.
01/2018 - 07/2021 Information System Security Officer (ISSO)
Acuity Brands - Irving, Texas
Conducting risk assessments and collaborating with clients to provide recommendations regarding critical infrastructure, network security operations and Continuous Monitoring processes
Coordinating with team members to perform in-house security risk assessments (SRA)
Providing high-level analysis of data security to identify significant gaps in controls on Information Systems
Performing security oversight of security and compliance requirements of FISMA, NIST, HIPAA, PCI-DSS
Identifying and analyzing threats, providing mitigation strategies, and documenting and presenting the impact of resulting threats, including security gaps, to management
Developing, coordinating, implementing, and maintaining cybersecurity policies, standards, and procedures to protect the security and integrity of information systems and data
Assisting System Owners with developing and reviewing Interconnection Security Agreements and Memoranda of Understanding
Responding to IT Security trouble tickets generated by customers and IT staff
Identifying solutions, working with customers and the OCIO team to execute solutions, and managing ticket input, updates, and resolution in the OCIO ticketing system to maintain service level agreements
Performing system assessments and reaccreditations within required timeframes and reviewing proposed system changes for security impact
Preparing requests for waivers and exceptions and providing advice and assistance to stakeholders on security-related issues
Identifying and prioritizing information security risk; advising business partners on security/privacy requirements and solutions to ensure compliance
Creating, updating, and revising planning documents such as System Security Plans, Contingency Plans, Incident Response Plans, and Plans of Action & Milestones
Collaborating with SOC engineers to perform continuous monitoring of systems to ensure security and compliance
Reviewing new and existing systems to ensure baseline security requirements are met and to recommend security enhancements
Generating, reviewing, and updating the SSP against NIST SP 800-18 and NIST SP 800-53 requirements
Performing POA&M remediation and evaluating policies, procedures, security scan results and system settings to go through the SA&A and continuous monitoring
Determining security control effectiveness (i.e., controls implemented correctly, operating as intended, and meeting security requirements)
Evaluating threats and vulnerabilities based on Tenable Nessus reports and implementing the Risk Management Framework (RMF) in accordance with NIST SP 800-37
Classifying and categorizing information systems using the RMF process to ensure system confidentiality, integrity, and availability
Selected security controls and applied allocated control inheritance in Archer
Ensuring all documentation pertaining to key management policies and procedures reflects current practice within the organization
Working with the client and internal development team to identify security gaps and resolve them to protect client data and reduce business risk.
05/2015 - 01/2018 Sr. Security Analyst
Security Manufacturing - Irving, Texas
Selected security control and applied tailoring and control inheritance in Cyber Security Assessment Management (CSAM)
Created POA&Ms and POA&M milestones and requested for POA&M closure using the CSAM tool
Assisted and recommended policies, standards, procedures, and controls to assure the confidentiality, integrity, and availability of the information technology environment for on-premises as well as cloud-hosted IT applications and infrastructure
Analyzed the type of information collected, processed, maintained, disseminated, transmitted, or stored by or through the information system and determined whether it contained privacy data and financial data, and then determined the security impact that might have resulted from the unauthorized disclosure, modification, or loss of availability of this information
Conducted Security Test and Evaluation (ST&E) assessments and populated the Requirements Traceability Matrix (RTM) based on NIST SP 800-53A
Reviewed the NIST-recommended provisional impact levels for appropriateness based on the organization's mission, considered whether the recommended impact level was appropriate for the system or should be adjusted to a lower or higher level, and provided the rationale for the adjustment
Managed the IT Security awareness training program in coordination with the Learning Management team, including developing and delivering IT Security awareness training modules
Coordinated activities related to internal and external assessments and/or audits of information technology systems and processes, interpreted results, and developed and communicated recommendations to management
Managed the Password Management system in coordination with the Service Desk
Provided support and recommendations to various application users and proactively identified, diagnosed, took corrective action, and resolved application system incidents and problems
Then documented, communicated, and escalated technical issues, managed them to resolution, and articulated business impact
Collaborated closely with the IT team and vendors to understand the overall application architecture/design and, as warranted, submitted change requests for system improvements, recommended and implemented system changes and enhancements, and participated in planning sessions regarding application, hardware, and software changes
Developed and recommended appropriate information security policies, standards, procedures, checklists, and guidelines using generally recognized security concepts tailored to meet the requirements of the organization for on-premises as well as cloud-hosted IT applications and infrastructure
Established, implemented, and managed security procedures and practices in support of customer requirements and objectives.
11/2013 - 02/2015 Vendor Risk Analyst / Information Assurance
EJ Ajax & Sons - Minneapolis, MN
Actively reviewed vendor compliance documents from a BCP/DR and Data Security perspective, ensuring documents meet all corporate guidelines and specifications
Managed the maturity and execution of the division's Third-Party IT Risk Management program to reassess current risks and to identify emerging key risks
Planned, designed, and executed IT compliance testing, controls assessment, and documentation across all domains for IT General Controls, Payment Card Industry (PCI DSS), Data Privacy, HIPAA, and other compliance requirements, as appropriate
Developed and updated compliance control and process documentation as required in support of SOC 2 initiatives
Tracked compliance processes such as remediation plans, audit requests, and recurring audit reviews to ensure timely completion
Performed Risk and Control assessments for all Third-Party Service Providers to evaluate the effectiveness of control systems
Ensured vendors' adherence to contractual/regulatory compliance to minimize the risk of fines and reputational harm
Demonstrated in-depth understanding of security requirements associated with cloud-hosted environments, services, and solutions
Reviewed services provided by vendors and defined the scope of assessment based on the Standardized Information Gathering (SIG) questionnaire and audit reports
Evaluated, recommended, and implemented security controls associated with cloud-hosted environments, services, and mobile device solutions
Forged strong working relationships with vendors to ensure seamless audits.
Monitored daily and long-term routes for weather, traffic, and other conditions.
Studied product and industry specs and prices to update signage and complete merchandising activities.
Listened to customer needs to identify and recommend best products and services.
Advised senior leadership on issues concerning vendor relations.
Resolved conflicts between vendors and internal stakeholders in a timely manner.
Reset store displays for special events and seasonal merchandise changes.
Tracked contract renewals, expirations, amendments, and terminations.
Developed and implemented strategies for vendor onboarding, training, and performance management.
Identified customer needs by asking questions and advising on best solutions.
Monitored vendor performance against contracted service level agreements.
Verified accuracy of boxed merchandise against documentation to reduce errors.
Maintained well-stocked and organized sales floor with latest merchandise to drive sustained sales revenue.
EDUCATION AND TRAINING
Bachelor's degree in Law
University of Yaoundé 2 - Cameroon
CERTIFICATIONS
Certified Information Security Manager (CISM)
CompTIA Security+
Qualys Vulnerability Analyst Certified
CISSP in Progress
Oracle Database Administrator Certified Associate 11g