SAFO A. DONKOR
Information Assurance Analyst, with 8 years’ experience in Risk Management, Vulnerability management, RMF and Vendor / Third- Party Risk assessments. Specialize in providing IT security expertise and guidance in support of security assessments and continues monitoring for government (FISMA & NIST) and commercial clients. Familiar with Federal as well as Private industry standards and Frameworks, such as NIST SP 800 Series, ISO 27001 & ISO 27002, ISO 27005 and used GRC tools. Organized, solutions-focused, deadline-focused, team oriented with in-depth knowledge and understanding of numerous software packages and operating systems.
Areas of Expertise and Skills
•Compliance and Risk Management
•Conduct Security and Privacy control.
•Develop, review, and evaluate System Security Plan
•Develop and conduct SCA (Security Control Assessment) according to NIST SP 800-53A.
•Familiar with RMF and NIST publication; FIPS 199, SP 800-60, SP 800-53rev4, SP -800-137, IS0 27001 & 27002
•Develop and update POA&Ms
•Experience in developing RMF documentation.
•Managing technical security Q&A team/SA&A Package Independent Validation and Verification (IV&V)
•MS Excel, Power Point, SharePoint, Windows 360, Microsoft Teams, Zoom, Skype
•GRC tools: Process Unity, ServiceNow, Archer, Jira, Monday, Ripple.
•Ability to multi-task
•Ability to work independently.
•Good Analytical skills
•Strong written and verbal communication skills
Security Control Implementation Specialist January 2023 - June 2023
Creates, edits, and maintains cybersecurity compliance and implementation documentation for current and future applications.
Create and update policies, standards, and guidelines to address emerging security threats and regulatory changes.
Support internal peer review and quality assurance efforts, assemble documentation for audits and ensure that documentation is compliant with governance policies.
Design and implement security controls, procedures, and technical safeguards to ensure compliance across the organization.
Research and evaluate new documentation needed.
Develop documentation plans and timelines with the level of effort required.
Collaborate with platform analysts, project managers and subject matter experts to collect and interpret their input.
Develop and maintain an effective security compliance framework that aligns with organizational goals and objectives.
Utilize critical thinking skills to problem solve issues that arise.
Coordinate communication amongst all project team members
Collaborate with the Education Team in the design and development of training programs or project specific materials to support the workflows to be implemented.
Communicate project status amongst the team and up through project and department leadership.
Train end users on the proper use of the application
Develop best practices to be utilized for future implementations.
Ability IT Consultancy February 2019 – December 2022
Third Party Risk Management Analyst
•Conduct kick-off meeting with management and business stakeholders to start the Risk Management process.
•Reviewing, maintaining, and ensuring all Assessments and Authorizations (A&A) documentation are included in the system security package. Experience with GRC Tool such as process Unity, ServiceNow, Archer.
•Schedule meetings with business owners and control owners to have application walkthroughs and understand the data transmitted by such applications and systems.
•Perform risk and control assessment for all high-risk third-party service providers to evaluate effectiveness of control systems.
•Performed Security Control self-assessments to ensure compliance throughout the RMF process.
•Conducted detailed vendor risk assessments using SIG Questionnaire, working closely with key partners, to identify and evaluate risks before continuing operations with third-party vendors. Accurately determine the risk rating with qualifications based on the potential impact and likelihood.
•Engage with service providers to obtain due diligence reports and evidence of control operation.
•Review key reporting to validate accuracy and identify discrepancies and gaps.
•Test the design/operation of general, contractual, and regulatory controls.
•Report risk assessment results, including VRM metrics to internal senior management and the service provider, and recommend remediation actions.
•Recommended remediation plans based on control deficiencies and monitored improvement efforts.
•Assist in preparing third party risk management assessment responses and other compliance-related documents.
•Assist in developing and maintaining TPRM framework as well as processes and procedures.
•Assess and monitor TPRM lifecycle activities (risk assessment and due diligence, contract negotiation, ongoing monitoring, and termination.
•Communicate TPRM requirements to clients and vendors as well as internal employees and partners. Prepare third-party risk reports.
•Manage department files and other administrative tasks as needed.
•Develop and maintain positive working relationships with various company stakeholders and client/vendor representatives.
•Assistance with projects related to the development and implementation of risk management policies and compliance as assigned.
•Reviewed business and technical assessments questionnaires and evidence. Scheduled and conducted review calls with vendors and tracked questionnaires sent to vendors, reported on abandoned vendors, received, and reviewed questionnaires.
•Planned and conducted security assessments of client’s third parties’ vendors focusing on compliance with regulations, company policies, and internal controls.
•Presented control deficiencies, findings, and recommendations to various levels of owners and leadership.
•Performed security risk and control assessments to identify vulnerabilities or security exposures.
•Ensured remediation plans were in place for vulnerabilities identified during risk assessments, audits, and inspections.
•Reviewed authorization and assurance documents to confirm that the level of risk is within acceptable limits for each third-party software application, system, or third-party vendor.
•POAM Remediation: Performed evaluation of policies, procedures, security scan results, and system settings to address controls that were deemed insufficient during Certification and Accreditation (C&A), RMF and continuous monitoring.
•Performed risk analysis on third party capabilities whenever an application or system undergoes a major change.
•Worked closely with various business leaders on addressing security vulnerabilities.
•Performed security reviews, identified gaps in security architecture and developed a third-party risk management plan.
Ability IT Solutions September 2016 – February 2019
Cyber Security Analyst / Controls Assessor.
•Analyze and update System Security Plan (SSP), Risk Assessment (RA), Privacy Impact Assessment (PIA), System Security test and Evaluation (ST&E) and the Plan of Actions and Milestones (POA&M).
•Prepare Security Assessment and Authorization (SA&A) packages to ascertain that management, operational and technical security controls adhere to NIST SP 800-53 standards.
•Perform vulnerability assessment of information systems to detect deficiencies and validate compliance using management tracking GRC tool. (Archer, ServiceNow)
•Assist System Owners and ISSO in preparing Security Assessment and Authorization package for company’s IT systems, making sure that management, operational and technical security controls adhere to a formal and well-established security requirement authorized by NIST SP 800-53 R4.
•Designate systems and categorize its C.I.A using FIPS 199 and NIST SP 800-60
•Conduct Annual Self- Assessment (ASA) (NIST SP 800-53A).
•Perform Vulnerability Assessment. Make sure that risks are assessed, evaluated and a proper action has been taken to limit their impact on the Information and Information Systems.
•Create standard templates for required security assessment and authorization documents, including risk assessments, security plans, security assessment plans and reports, contingency plans, and security authorization packages.
•Ensure Systems' Plan of Action & Milestone (POA&Ms) are closed or updated in a timely manner using a tracking tool CSAM.
•Manage Systems’ Accounts to ensure Privilege Users Accounts are Re-certified twice a year.
•Ensure Separation of Duties is enforced by reviewing all Accounts in the Windows Server Admins and Domain Admins.
Reviewed all ISSO provided documentation for accuracy and relevancy, provide follow-up to ISSOs to ensure documents are properly completed.
•Facilitated and provided continuous support to the USCIS POA&M program to include but not limited to analysis, creation, remediation plans, closure, status tracking, and overall management of System-Level and Program-Level POA&Ms in a format provided by the Government daily or as defined and directed by the Government.
•Facilitated and assisted with reviews and updates to POA&M content such as breakdown of milestones as required.
•Managed, maintained, and tracked all assigned tasks and duties related to POA&M’s.
•Conducted effective vulnerability assessments and validated all technical controls found within NIST SP 800-53R4, and requirements.
•Prepared and reviewed system documentation to include Systems Security Plans (SSPs), Certification and Accreditation (C&A) packages, contingency plan, and incident response plan.
•Developed Plan of Action and Milestones (POAMs) in response to reported security vulnerabilities.
•Monitored security controls for customers to maintain security Authorized to Operate (ATO).
•Ensured that changes to a customer's IS, its environment, and operational needs that may affect the authorization status are reported to the system owner and IS Security Manager (ISSM).
•Coordinated appropriate correction or mitigation actions and tracked the timely completion of (POAMs).
•Maintained operational security posture for systems through customized Risk Management Framework (RMF) to ensure established security processes and procedures are followed.
•Advised clients on potential impacts from new regulations and provided recommended strategies that considered both agency risk and compliance.
•Prepared reports on the status of security safeguards applied to computer systems.
•Participated in A&A testing/Security Control Assessment testing and assisted in the preparation of the necessary documentation after the tests to ensure systems attain the appropriate certifications and authorizations to operate.
•Ensured that selected security controls are implemented and operating as intended during all phases of the IS lifecycle.
•Ensured that system security documentation is developed, maintained, reviewed, and updated on a continuous basis.
Education / Certifications
•MBA- Supply Chain Management, Maryland University -2022
•BSc. – Marketing, Kwame Nkrumah University of Science and Technology - 2014
•Certified Information Systems Auditor (CISA)