
Information Systems Risk Management

Location:
Nashville, TN
Posted:
February 06, 2024


Resume:

Mark Welch

**** ***** ****

Nashville, TN *****

Email: ad3ez7@r.postjobfree.com

Phone: 615-***-****

Education: Bachelor of Science - Middle Tennessee State University, Murfreesboro, TN.

Certifications: Certified Information Systems Auditor (CISA)

Member: Information Systems Audit and Control Association (ISACA)

Summary of Qualifications

Possess over 20 years of experience working as a consultant and full-time employee in governance and compliance roles performing IT audits, risk assessments, third party risk management assessments, and security assessments.

Experienced with GRC tools such as Cynomi and CyberSaint.

Knowledgeable and experienced with IT control frameworks, standards, and regulations including: COBIT, NIST CSF, CMMC, HIPAA, HITRUST, ISO 27001, ISO 27002, GDPR, SOC 1, SOC 2 and PCI.

Subject matter expert in the auditing of Unix-based systems.

Experienced in the auditing of operating systems platforms including Unix, Linux, Windows, Mainframes, and iSeries.

Five years of experience working as a Technical Trainer for system administrators and security administrators specializing in Sun/Solaris.

Experienced working in various industries such as banking, healthcare, education, and public accounting.

Track record for successful completion of projects under tight deadlines.

Heavy experience in report writing.

Cyber and Information Security Consultant – InfoSystems, Inc. (March 2023 – December 2023)

Main responsibility was to perform risk, governance, and compliance work for InfoSystems clients.

Performed security and privacy assessments that included: HIPAA security, NIST CSF and GDPR.

Coordinated and managed third-party risk management assessments.

Developed and wrote the InfoSystems internal policies based on NIST CSF framework for its SOC II compliance requirements.

Identified and communicated IT deficiencies.

Identified and recommended process improvements for clients.

Security Compliance Analyst – Intraprise Health (May 2022 – January 2023)

Core responsibility was to manage HIPAA risk assessments using the company’s proprietary assessment tool, HIPAA One.

Managed over 20 HIPAA projects.

Performed NIST 800-53 assessments.

Assisted in special projects such as third-party risk management.

Analyzed evidence for compliance purposes.

Performed policy review for HIPAA compliance.

Security Compliance Advisor II – Fortified Health Security (May 2016 – April 2022)

Performed risk assessments for healthcare providers. Responsibilities included, but were not limited to:

Managed security risk assessment projects for healthcare providers in compliance with HIPAA security rules.

Managed risk assessment projects for healthcare providers based on the NIST 800-53 Cyber Security Framework (NIST CSF).

Assisted in HITRUST audits for healthcare providers.

Advised clients on implementation of a vulnerability management program.

Analyzed results of vulnerability scans and penetration tests to help customers identify potential gaps and vulnerabilities in their environment.

Met with senior management to discuss results of risk assessments and explain the nature of any findings to them, including the potential impact to their business.

Worked with senior management regarding remediation efforts from risk assessment.

Experienced in analyzing output of NESSUS vulnerability scanning reports for identification of risks in the environment’s IT infrastructure.

Performed onsite assessments for existence of physical and environmental controls in the environment.

Performed risk assessments involving cloud environments such as Azure and AWS.

Identified risks to exposure of Protected Health Information (PHI).

Assessed logical access risks to EHR applications such as Meditech and Millennium.

Security Consultant – ATOS (2014 – 2016)

Key role was performing ISO 27001 and ISO 27002 internal audits with team members for an international IT consulting firm.

Other projects included:

PCI readiness.

Risk Assessments/Gap Analysis for various business units within the organization based on the ISO standard.

Sr IT Audit Consultant – WEX (2012 – 2013)

Consulting position that was primarily focused on internal SOC readiness and on acting as a conduit for external SOX auditors. Primary responsibilities:

Testing of IT general controls (ITGCs).

Testing of business processes.

IS Assurance Manager – BDO (2006 – 2012)

For six years I worked for a public accounting firm, BDO, performing SOX and SOC audits, risk assessments, and security work for the firm’s customer base.

Managed over 60 Sarbanes-Oxley (SOX) IT General Controls audit projects for companies required to comply with Section 404 of the Sarbanes-Oxley Act.

All SOX projects audited by the PCAOB received no written comments.

Performed controls test of design (TOD) and test of effectiveness (TOE).

Managed over 100 IT Risk Assessments of financial systems as part of financial audit.

Experienced in performing SOC audits involving the testing of ITGCs and business processes.

Performed peer reviews of SOC audits involving Big 4 audit firms such as Deloitte, KPMG, PwC and Ernst & Young.

Responsible for the identification of IT security vulnerabilities and communicating them to senior management.

Responsible for identifying remediation of IT security vulnerabilities and communicating it to senior management.

Worked with financial audit teams to identify scope of systems to be audited, and the budgeting of hours needed to complete the project.

Subject matter expert in the auditing of Unix-based systems.

Performed vulnerability assessments of Unix-based systems.

Performed password cracking for Unix-based systems.

Experienced in the auditing of operating systems platforms including Unix, Linux, Windows, Mainframes, and iSeries.

Audited financial applications including Great Plains, Dynamics, MRI, WMS, and various in-house developed applications.

Wrote IT audit training material and provided audit training in the area of Unix-based operating systems for IT audit staff at corporate IS Assurance conferences.

Managed staff in performing and delivering audits in a timely manner and within budgeted hours.

Served as mentor to junior staff members to improve audit knowledge and audit methodology and processes.

IT Audit Consultant – KPMG (2005)

Consulting position with Big 4 audit firm KPMG working on an audit project for the US Department of Energy. Primary responsibilities:

Performed IT audit testing based on the US government’s FISMA audit program.

Areas of focus included testing of logical access, change management, backup processes and physical security.

Experienced in auditing and performing risk assessments in various industries, including banking, healthcare, manufacturing, retail, and government.

IT Auditor – Kraft CPAs (2004)

Performed IT audits and risk assessments for the firm’s customers. Specific areas of focus included:

Worked on internal projects among the firm’s banking clients testing controls based on FFIEC regulations.

Performed risk assessments.

UNIX Systems Administration & Security – EDS (2001 – 2003)

Consulting position with IT consulting firm EDS working on a major health care project for the State of Tennessee (TENNCARE).

Unix team lead in the planning, building, and support of major health care projects.

Supported development environment that included Sun Solaris, Oracle, and FileNet.

Architected the backup strategy and wrote scripts to support that strategy.

Performed patch installations, managed drive space with the Solaris Volume Manager, installed and administered printers.

Assisted with Disaster Recovery planning and documentation.

UNIX Technical Trainer – NSC Systems Group (1995 – 2000)

Taught Sun/Solaris, HP-UX and Linux courses for end-users, system administration, advanced system administration, and security administration. Course contents included, but were not limited to:

Configuring Unix file and directory permissions, file systems, syslog, and file integrity.

Configuring authentication tools such as PAM, TCP Wrappers, and SSH.

Configuring Solaris system accounting with the Basic Security Module (BSM), and logging with the UNIX syslog facility.

Configuring file integrity tools such as Tripwire.

Configuring encryption tools such as SSL and IPsec.

Taught Unix Korn, Bourne, and C-shell scripting.
