EVELYN TANDOH
Email: *************@*****.***
Mobile: 253-***-****
PROFESSIONAL SUMMARY
An IT Security Assessor with extensive combined experience in Federal Information Security Management Act (FISMA), Federal Risk and Authorization Management Program (FedRAMP), National Institute of Standards and Technology (NIST), Risk Management Framework (RMF) processes, Risk Assessment (RA), System Development Life Cycle (SDLC), and Third Party Vendor Risk Assessment. Thorough understanding of NIST SP 800-53 Rev 4 and Rev 5 security controls. Audit projects including security audits, RMF, PCI DSS and HIPAA. Knowledge of the process to obtain a system ATO and of the requirements to maintain it. An IT professional with experience in vulnerability management, security control implementation, assessment and authorization, POA&M management, continuous monitoring, and risk assessment. Understanding of information technology concepts and cloud computing models (PaaS, SaaS, IaaS).
CYBER SECURITY TRAINING/SKILLS/STANDARDS/SOFTWARE
• NIST Guidelines Publications, Certification and Accreditation (C&A), Assessment and Authorization (A&A), HIPAA & Privacy Act training, PCI DSS, ISO 27001, IT Security Compliance
• Vulnerability Assessment, Network Vulnerability Scanning, Information Assurance, System Risk Assessment, System Development Life Cycle
• Nessus Vulnerability Scanner, ACAS, HBSS, SCAP, Splunk, SharePoint, Nexpose, LAN, WAN
• NIST SP 800-53, SP 800-53A, SP 800-37, NIST SP 800-171, FIPS, FISMA, FedRAMP, Risk Management Framework (RMF), FIPS-199
• PTA, PIA, SSP, CP, SAR, POA&M, ATO, ISA, MOU/A, IDS, IPS
• Windows, Linux, Archer, Microsoft Office, ServiceNow
SKILLS & QUALITIES
• Creativity and innovation in conducting a high volume of risk analyses, reporting accurate and relevant risks to the appropriate constituents, and aligning initiatives with the core organizational mission of research and education
• Good interpersonal skills, with good negotiating and influencing skills at a senior level
• Strong oral and written communication skills, including confidence with presenting to senior stakeholders
• Skills in managing priorities and conflicting issues in a professional manner
• Excellent writing, documentation, and interpersonal communication skills
• Strong project management skills and ability to work independently or with others and adhere to strict deadlines
• Excellent analytical skills to evaluate root cause, optimal resolution point and portfolio analysis
• Relevant tertiary qualifications and proven years of healthcare experience in risk, compliance, or audit
CERTIFICATIONS
CISM – Certified Information Security Manager
CompTIA Security +
EDUCATION
KWAME NKRUMAH UNIVERSITY OF SCIENCE AND TECHNOLOGY, Ghana August 2009 - July 2013
Bachelor of Science, Risk Management
PROFESSIONAL EXPERIENCE
TECHFLOW CONSULTING 06/2020 - Present
Security Assessor
• Conducts assessment of the security and privacy controls implemented by an information system officer to determine the overall effectiveness of the controls and the vulnerability state of components, applications and databases residing within the system boundary.
• Perform vulnerability/risk assessment analyses to support A&A activities.
• Develop solutions to security weaknesses in the Requirements Traceability Matrix (RTM) and SAR, while working on POA&M remediation and the Corrective Action Plan (CAP).
• Perform FedRAMP assessments based on the customer responsibility documentation and the controls provided by the cloud service provider.
• Maintains and manages Security Authorization and Assessment packages that include System Security Plans (SSP), Contingency Plans (CP), POA&Ms, SARs, and other relevant security documentation for the system.
• Performs risk assessments, develops, and recommends mitigating controls, and remains abreast of advancements that address emerging business and environmental factors impacting assurance levels.
• Analyzes and updates the System Security Plan (SSP), Risk Assessment (RA), Privacy Impact Assessment (PIA), and System Security Test and Evaluation (ST&E).
• Provide security control assessor (SCA) services, such as assisting with the Assessment and Authorization process, including A&A scanning, documentation, reporting and analysis – analyzing current threats to information security and systems.
• Ensuring all supporting artifacts and results are documented appropriately and in a timely manner.
• Adhering to the NIST Risk Management Framework (RMF) to support the A&A process, including analyzing the development of supporting policies, procedures, and plans, designing, and implementing security controls, testing, and validating security controls, and analyzing and tracking corrective action plans.
• Performing ongoing continuous monitoring (ISCM) using NIST 800-137 Rev 1 as a guide.
• Analyzed financial information and developed solutions to new credit requests
• Performed application controls testing related to data protection, logical access, programming, problem management, contingency planning and back-up, data transmission, input, and output and processing controls.
• Analyzes and updates System Security Plan (SSP), Risk Assessment (RA), & Privacy Impact Assessment (PIA).
• Execute on day-to-day deliverables that support the ongoing compliance needs related to PCI, IT policy, compliance, and risk, as well as any new regulatory requirements.
MultiCare Hospital (Good Sam), Puyallup WA 10/2017 - 05/2020
Risk & Compliance Manager / Analyst
• Participated in various IT audits for clients within the financial, technology and information security industry, including development of risk and controls matrix and audit procedures, execution of testing and communication of findings to key stakeholders.
• Prepared audit plan and report detailed results of audits; provided written recommendations to clients.
• Documented audit findings and developed thorough and creative recommendations for business and process owners to mitigate identified risks.
• Documented control weaknesses and testing results relating to controls in relevant templates.
• Conduct IT audit fieldwork and walk through of controls; perform detailed testing, analysis of controls, validations, and creation of clear, accurate documentation of workflows in IT process and report of test results and exceptions.
• Prepared, executed, and reported on audit of subset of NIST SP 800-53 cybersecurity controls to include interview, document review, and testing of systems to support compliance audit activities.
• Knowledgeable on NIST Cybersecurity Framework and how the Identify, Protect, Detect, Respond, and Recover categories comprise and facilitate an information security program
• Developed concise, tailored cybersecurity awareness content, improving targeted end-user base cyber hygiene
• Developed Just-In-Time cybersecurity awareness content for emerging threats to reduce operational risk to tailored audiences
• Semi-quantitatively analyzed cybersecurity risk using NIST SP 800-30 methodology to identify highest risk weaknesses for a system
• Executed threat modeling exercise to determine higher likelihood threat events to inform cybersecurity risk modeling