Richmond, Virginia, United States
I am a Senior Information Security, Privacy, and Third-Party Risk Management Professional with a solid technical background and a highly analytical mind. I have been involved in the information security field for the last 5-10 years. I prefer to work as the linchpin between business and the technical level, using my deep technical knowledge as well as strategic and tactical insights to see multiple steps ahead, oversee consequences, and ultimately provide the best solution combining key elements from the information security, privacy, and IT third-party risk management fields. I am a team player with an open and direct style of communication who uses humor, listening skills, broad knowledge, and interests to create a pleasant working environment.
Experience
Senior Third-Party Risk Analyst
Sep 2019 - Present (1 year 1 month +)
Performs / Creates and maintains the Third-Party Risk Management process that ensures the document repository is up-to-date with vendor contracts, risk assessments, and all pertinent vendor oversight details...
Senior Information Security Analyst
Thomson Reuters
Jul 2018 - Sep 2019 (1 year 3 months)
Information Security Analyst
Virginia Dept of Health [Data Concepts]
Jan 2017 - Jul 2018 (1 year 7 months)
● Developing security documentation such as Categorization, System Inventory and Definition, System Security Plan, Risk Assessment, and so on.
● Business Requirement gathering using interviews, meeting workshops, process analysis, use case scenarios, gap analysis
● Requirements analysis to reconcile conflicts, information decomposition
● Translating business requirements into detailed documents, process and workflow diagrams, use case scenarios, wireframes
● Creating deliverables, traceability matrices, project plans
● Collaborates in the development, implementation and maintenance of actionable business continuity and crisis management plans and maintains plan documentation.
● Knowledge of VITA Commonwealth Security Standard SEC 501, SEC 502 in developing Security Risk Assessments, BIAs, Technical Recovery Plans, security procedures, and so on.
● Assist in developing, implementing, testing, and maintaining disaster recovery plans
Mary Barnor - page 1
● Effectively communicate with executives, managers, and SMEs to maintain excellent customer-client relationships
Risk Management Consultant [Vendor]
CLEARBRIDGE TECHNOLOGY GROUP, Billerica, MA
Oct 2015 - Oct 2016 (1 year 1 month)
● Working with the Federal Information Security Management Act (FISMA) requirements, and National Institute of Standards and Technology (NIST) guidelines
● Conducts IT security (network, applications, operating systems, and databases) risk and vulnerability assessments and prepares assessment reports following standard practices.
● Ensures that security requirements for the Agency’s information systems are met by a designated date;
● Participates in business continuity, disaster recovery, and incident response planning
● Ensures risk analyses are completed to determine cost-effective and essential safeguards;
● Maintains and updates system security documentation as required in accordance with Agency policies and NIST;
● Supports continuous monitoring testing and assisting in the management of the Plan of Actions and Milestones (POA&M);
● Ensures that user accounts are managed according to Agency policies and procedures; and validates Common Control inheritance of applications.
● Assist in communicating and facilitating the requirements for security risk assessments for both custom-developed and third-party applications within the Freddie Mac infrastructure.
● Provide security consulting and advisory services to business units and project teams.
● Supports requirements gathering and design efforts of critical projects as needed.
● Responsible for implementing and maintaining a continuous process improvement work environment while executing security risk assessments in accordance with industry standards and best practices.
● Review information security accreditation requests
Information Security Analyst
CSAAC (Community Services for Autistic Adults and Children)
Jan 2011 - 2012 (2 years)
● Assesses and mitigates system security risks; determines and analyzes security requirements for implementation and testing
● Reviews and continuously monitors implemented security controls
● Creates and maintains security checklists, templates, and other tools to aid in the C&A process
● Performs security control risk assessments using VITA SEC 501, NIST 800-53A, and NIST 800-171 guidance and as per continuous monitoring requirements
● Performs risk analyses to determine and recommends essential safeguards
● Proactively mitigates system vulnerabilities and recommends compensating controls
● Develops core documents such as System Security Plan, Inventory and Definition, Risk Assessment, Contingency Plan, Incident Response Plan, Standard Operating Procedures, Plan of Actions and Milestones, Remediation Plans, Configuration Management Plan, and so on
● Contributes to and participates in security incident plan exercises.
● Identifies, investigates, and evaluates information security incidents on the network.
● Participates in threat modeling and analysis activities of business processes and current/potential IT solutions.
● Communicates security threats, policies, standards, and guidelines in clear terms to non-technical personnel.
● Under supervision, contributes to a comprehensive information security strategy.
● Performs general and application control reviews for simple to complex computer information systems.
● Performs information control reviews to include system development standards, operating procedures, system security, programming controls, communication controls, backup and disaster recovery, and system maintenance.
● Directs and/or performs reviews of internal control procedures and security for systems under development and/or enhancements to current systems.
Education
Kwame Nkrumah University of Science and Technology, Kumasi
Bachelor of Applied Science - BASc, Business Administration and Management, General
2007 - 2010
Licenses & Certifications
CompTIA Security+ CE - CompTIA
Issued Nov 2019 - Expires Nov 2022
Skills
Information Security • Risk Assessment • Risk Management • Microsoft Office • Information Technology • Teamwork • NIST 800-53 • General Data Protection Regulation (GDPR) • U.S. Health Insurance Portability and Accountability Act (HIPAA) • U.S. Federal Information Security Management Act (FISMA)