FRANCIS ALU
************@*****.*** +301-***-****
Summary
Results-driven IT Third-Party Risk Analyst with 6 years of experience performing IT audit, vendor/third-party risk assessment, and security control assessment, with in-depth knowledge of the Sarbanes-Oxley Act (SOX), Application Controls (ITGC), and SAS 70/SSAE 18 attestation. Performs security control assessments with deep knowledge of HITRUST, Standardized Information Gathering (SIG), ISO 27001, SSAE 18 (SOC 1, SOC 2), NIST 800-53, NIST 800-37, NIST 800-137, and PCI-DSS to achieve confidentiality, integrity, and availability of information systems.
Experience
Citi Group
Senior Third-Party Risk Analyst & Assessor
10/2020 - Current
Plan and conduct security risk assessments for all third-party vendors/suppliers
Provide detailed reports of assessments to business owners and the vendor management office
Work as a remediation analyst to ensure all gaps discovered during assessments are remediated or mitigated in a timely manner
Experience with e-GRC tools such as ProcessUnity, RSA Archer, and Prevalent to ensure secure and prompt communication of findings and deployment of questionnaires to vendors, and to track vendor progress on remediation
Conduct in-depth, risk-based security assessments of in-house, cloud, vendor, and third-party hosted environments
Assessment focus includes risk management, physical security, identity & access management, encryption, data loss prevention, secure development, incident management, security infrastructure, and security policy
Work with vendor oversight to ensure adequate tiering of our vendors based on the level of data they have access to
Escalate issues of third-party vendor non-compliance to the vendor risk management office (VMO)
Perform continuous monitoring by assessing tools during onsite visits to validate the security questionnaires filled out by vendors and ensure the protection of data at vendor sites
Facilitate remediation of any third-party-related operational issues as needed
Assess operational fitness of assigned third parties through due diligence reviews
Conduct onsite and virtual risk assessments to continuously determine control effectiveness
Design and continually update supplier questionnaires to ensure all areas of newly discovered threat signatures are covered
Develop a methodology for risk-ranking vendors and streamline the level of effort for each assessment
Administer questionnaires to all vendors
Ensure third-party relationships adhere to the company's policies and procedures and are compliant with regulatory guidelines and industry best practices
Review Corrective Action Plans (CAPs), validate remediation controls, and follow up on the remediation process
Evaluate and monitor procedures and internal controls related to physical security over data centers and computer operations, network communications, and database management
Review violations of computer security procedures and develop mitigation plans.
Secu Bank
Third-Party Risk Analyst & Assessor
10/2017 - 10/2020
Administered assessment questionnaires to our vendors
Performed continuous monitoring by assessing tools during onsite visits to validate the security questionnaires filled out by vendors and ensure the protection of data at vendor sites
Planned and executed onsite security/risk assessments for third-party vendors based on agreed-upon procedure guidelines
Reviewed key vendor-provided documentation such as SSAE 18 SOC 2 Type II reports
Worked with e-GRC tools such as ProcessUnity, RSA Archer, and Prevalent to ensure secure and prompt communication of findings and deployment of questionnaires to vendors, and to track vendor progress on remediation
Provided detailed reports of assessments to business owners and the vendor management office
Acted as remediation analyst, working with vendors to remediate findings discovered during onsite/virtual assessments
Assessed areas such as business continuity and disaster recovery, physical security, system development, operations, access control, and incident management
Escalated issues of third-party vendor non-compliance to the vendor management office
Performed data loss prevention assessments of our data at vendor sites
Carried out various types of vendor assessments, such as virtual/onsite risk assessments, depending on triage information from the vendor management office
Acted as peer reviewer for colleagues to ensure all findings were accurate and well defined
Validated all controls at vendor sites to ensure the confidentiality, integrity, and availability of our data in their custody
Worked with vendors to ensure risks discovered were remediated within the stipulated time frame
Promoted enterprise-level risk management practices and helped instill a strong culture focused on protective policies and procedures
Developed short-term goals and long-term strategic plans to improve risk control and mitigation.
Tech System
IT Auditor
10/2016 - 10/2017
Performed assessments of IT General Controls (ITGC) such as access control, change management, IT operations, disaster recovery, and job scheduling
Assisted IT management in identifying gaps between policy and process, developed recommendations to remediate control weaknesses, and was responsible for developing and maintaining IT control metrics related to compliance activities
Strong background in all stages of the auditing process, including planning, fieldwork/execution/risk assessment, reporting, and follow-up
Developed audit plans and programs to evaluate control areas on projects such as financial statement
Identified control gaps in processes, procedures, and systems through in-depth research and assessment, and suggested methods for improvement
Established internal control systems by updating the audit program
Documented control weaknesses related to testing exceptions and assisted in preparing draft audit reports communicating findings and recommendations to senior management
Reviewed Corrective Action Plans (CAPs), validated remediation controls, and followed up on the remediation process
Performed internal and external IT risk assessments, conducted gap analyses against industry standards, and provided recommendations on mitigation options
Skills
Strong written/verbal communication skills, with organizational and work documentation proficiency
Good communicator with demonstrated ability to convey messages in a clear and concise manner
Ability to adapt to changing priorities, handle multiple assignments, and adhere to strict deadlines
Ability to coordinate actions from several different teams
Experience performing IT audits or IT security risk assessments
Education and Training
Benue State University Makurdi
Bachelor of Arts, Mass Communication
11/2002
Graduated with Second Class Upper Division
Certified Information Systems Auditor (CISA), ISACA