Risk Management Third Party

Location: Virginia City, VA
Salary: 145,000
Posted: January 11, 2024


Resume:

MARY ADJOA BARNOR

Cedarville Mews, Midlothian, VA 23112. Phone: (804) 309-6394

Email address: ***********@*****.*** /***********@*****.***

PROFESSIONAL SUMMARY

A highly skilled risk professional with notable expertise in Vendor Risk Management, audit scope planning and execution, controls implementation, and special projects. Proficient in reviewing and implementing operational and IT procedures and in performing risk analysis to identify legal and contractual obligations and ensure alignment for each entity, in order to determine compliance with policies and industry best practices. Experienced in risk identification, mitigation, and remediation, and in updating risk rankings as the IT universe changes. Experience working across a broad range of GRC platforms. Strong ability to interact and communicate, both in writing and verbally, with technical and non-technical people at all levels, in a dynamic environment where interactions are not always in person.

PROFESSIONAL CERTIFICATIONS & EDUCATION

Certified Information Security Manager (CISM) 05/2022

CompTIA Security+ 12/2019

Kwame Nkrumah University of Science and Technology, Kumasi 07/2010

CTPRP and CISSP: planned for Q4 (12/2024)

CORE EXPERTISE

• System Documentation Development

• Development and maintenance of SharePoint sites

• Project Management and Support

• Risk Management, from identification through remediation

• Security Artifacts Review & Maintenance

• Systems Risk Assessment

• Security Control Assessment

• Vendor Compliance Management

• Third-Party Risk Management (TPRM)

SOFTWARE, HARDWARE, TECHNICAL EXPERIENCE

• Governance, Risk, and Compliance Tools: Fusion Risk Management, ServiceNow, CyberGRX, OneTrust, SAI Global. Able to pick up a new GRC tool if training is provided.

• Operating Systems and Collaboration Tools: macOS, Slack, G Suite

• Proficient in Microsoft Word, Excel, PowerPoint, Outlook, and Teams.

• Regulatory Frameworks: NIST SP 800 series (800-30, 800-37, 800-39, 800-53, and 800-53A), PCI DSS, HIPAA, ISO 27000 series

• Strong interpersonal skills, capable of interacting at all levels of the organization, from analyst level to C-suite.

• Strong problem-solving and analytical skills, with the ability to assess, prioritize, and identify data security issues and work with IT to mitigate risks.

• Strong communication skills, both written and oral, to communicate effectively with technical and non-technical partners and stakeholders.

PROFESSIONAL EXPERIENCE

Senior Governance, Risk, & Compliance Specialist - DICK'S SPORTING GOODS LLC (Remote)

• Collaborate with technology and business teammates while conducting cybersecurity vendor risk assessments.

• Lead the company's cybersecurity vendor risk assessment program, including scoping, conducting, and reporting assessments, and assessing non-compliance against established risk thresholds.

• Collaborate with teammates and vendors to remediate issues, and report cybersecurity risks to technical and non-technical stakeholders, with the ultimate goal of identifying and reducing third-party cybersecurity risks.

• Serve as a subject matter expert on cybersecurity risk management as it relates to third parties, utilizing industry standards such as the NIST CSF, ISO 27001, OWASP Top 20, etc.

• To articulate key cybersecurity risks, I partner with additional stakeholders in the overall vendor risk management process, including procurement, legal, and privacy.

• Working knowledge of cybersecurity risks, controls, frameworks, and governance, with the ability to apply these concepts within the work environment.

• Perform system administration functions to support the platform and functionality of the risk assessment program.

Senior Vendor Risk Management Specialist (Hybrid) - Thomson Reuters, Richmond, VA, 07/2018 - 2022

• Coordinate with key Global Vendor Risk Management stakeholders to initiate, scope, and plan cybersecurity risk control assessments of new and existing critical/high-risk suppliers.

• Working knowledge of Vendor Management and regulatory compliance activities (e.g., FFIEC, NIST, ISO 22301, ISO 27001, SOX, SOC 2) as they relate to Vendor Risk Management.

• Conduct third-party risk assessments by evaluating third-party questionnaire responses, performing control validation, and assessing documentation per established procedures and standards.

• Work closely with counterparts in Procurement, other risk functions, business leaders, and third parties.

• Multitask and project-manage multiple assessment deadlines by coordinating execution with both external suppliers and internal business partners. Escalate issues, understand project trends, and anticipate potential blockers.

• Drive remediation activities with stakeholders, including developing remediation plans and tracking and reporting remediation progress.

• Identify security gaps, design remediation plans, and make recommendations to IT Management.

• Accountable for oversight of vendor risk assessments, vendor risk methodologies, periodic monitoring, process documentation, risk remediation, and reporting (both internal and external).

• Communicate audit findings to management and identify opportunities for improvement in the design and effectiveness of key controls.

• Collaborate with third-party/vendor relationship owners to conduct third-party risk assessments during initial and ongoing evaluation of vendors, and identify risks, inclusive of inherent and residual risks.

• Conduct vendor performance monitoring to proactively identify issues, and work with stakeholders and third parties as appropriate to track risk remediation through closure, including assisting the business in creating formal Mitigation Plans and/or Issues.

• Ensure that SLAs related to vendor due diligence, contracting, oversight, and reporting are adhered to by working with the Legal and Procurement teams.

• Help validate privacy and compliance controls, including accessibility, trade controls, and sanctions.

• Provide support and input for related audits or examinations from internal/external parties, and collaborate with relevant stakeholders to ensure findings are appropriately remediated.

Vendor Risk Management Analyst - Clearbridge Technology Group, Billerica, MA 30047, 05/2013 - 02/2018 (Onsite)

• Collaborate with team members to provide subject matter expertise with respect to the Firm's third-party risk management program.

• Create and update documents and presentations used to inform internal employees, external auditors, or internal auditors about the Firm's third-party risk management program.

• Contribute to the continuous improvement, including automation where possible, of all aspects of the third-party risk management program, based on expert knowledge, industry best practices, business objectives, and risk tolerance, keeping the program relevant and aligned with business objectives.

• Utilize an understanding of the company's information technology environment, and of how systems support business activities, to coordinate and/or conduct audits as assigned, including specialized activities.

• Execute detailed reviews of third-party risk assessments to identify gaps in risk identification and inform solutions that minimize losses resulting from inadequate internal processes, systems, or human error.

• Partner with sourcing and vendor relationship/contract management functions, where they are not part of this group, to manage vendor behavior.

• Contribute to the gathering of vendor risk assessment data and prepare risk assessments for critical vendors as needed, to be published and communicated to stakeholders.

• Ensured that management, operational, and technical security controls adhere to the formal, well-established security requirements of NIST SP 800-53 Rev. 5.

• Supported the security assessment team in assessing the adequacy of the management, operational, privacy, and technical controls implemented.

• Working knowledge of security standards, frameworks, and best practices (ISO 27001/27701, NIST SP 800-53, CSA, OWASP).

• Communicate identified risk requirements and violations to internal stakeholders (including end users within the business) and responsible vendors, while supporting the response to and resolution of these issues.
