Risk Analyst IT Auditor

Location:
Remote, OR
Salary:
$100,000-$125,000 per year
Posted:
June 17, 2022

Resume:

FRANCIS ALU

adrftl@r.postjobfree.com +301-***-****

Summary

Results-driven IT Third-Party Risk Analyst professional with 6 years of experience in performing IT Audit, Vendor/Third-Party Risk Assessment, and Security Control Assessment with in-depth knowledge of Sarbanes-Oxley Act (SOX), Application Controls (ITGC) and SAS70/SSAE18 attestation. Security Control assessment with deep knowledge of HITRUST, Standardized Information Gathering (SIG), ISO 27001, SSAE 18 (SOC 1, SOC 2), NIST 800-53, NIST 800-37, NIST 800-137, PCI-DSS to achieve Confidentiality, Integrity, Availability of Information Systems.

Experience

Citi Group

Snr Third Party Risk Analyst & Assessor

10/2020 - Current

Plan and conduct a security risk assessment for all third-party vendors/suppliers

Provided detailed reports of assessments to business owners and the vendor management office

Work as a remediation analyst to ensure all gaps discovered during the assessment are remediated or mitigated timely

Experience with e-GRC tools such as ProcessUnity, RSA Archer, and Prevalent to ensure secured and prompt communication of findings and deployments of questionnaires to the vendor and to track vendor progress on remediation

Conduct an in-depth risk-based security assessment of housed, cloud, vendor, and third-party hosted environments

Assessment focus included risk management, physical security, identity & access management, encryption, data loss prevention, secure development, incident management, security infrastructure, and security policy

Work with vendor oversight to ensure adequate tier-in of our vendors based on the level of data they have access to

Escalate issues of 3rd party vendor's non-compliance to the vendor risk management office (VMO)

Perform continuous monitoring by assessing tools during onsite visits to validate the security questionnaires filled out by the vendors to ensure the protection of data at the vendor sites

Facilitate remediation for any third parties related operational issues as needed

Assesses operational fitness of assigned third parties through due diligence reviews

Conduct onsite and virtual risk assessments to continuously determine the control effectiveness

Design and constantly upgrade suppliers' questionnaires to ensure all areas of new threat signatures discovered are covered

Develop methodology of risk ranking vendors and streamlined level of effort for each assessment

Administered questionnaires to all vendors

Ensure third-party relationships adhere to the company's policies, and procedures and are compliant with regulatory guidelines and industry best practices

Reviewed Corrective Action Plan (CAP); validated remediation controls and followed up on the remediation process

Evaluate and monitor procedures and internal controls as related to physical security over data centers and computer operations, network communications, and database management

Reviewed violations of computer security procedures and developed mitigation plans.

Secu Bank

Third Party Risk Analyst & Assessor

10/2017 - 10/2020

Administer assessment questionnaire to our vendor

Perform continuous monitoring by assessing tools during onsite visits to validate the security questionnaire filled out by the vendors to ensure the protection of data at the vendor sites

Plan and execute onsite security/risk assessments for third-party vendors based on agreed-upon procedure guidelines

Review key vendor-provided documentation such as SSAE18 SOC 2 Type-II report

Worked with e-GRC tools such as ProcessUnity, RSA Archer, and Prevalent to ensure secured and prompt communication of findings and deployments of questionnaires to the vendor and to track vendor progress on remediation

Provided detailed reports of assessments to business owners and the vendor management office

Act as remediation analyst to work with vendors in remediating findings discovered during the onsite/virtual assessment

Assess areas such as business continuity and disaster recovery, physical security, system development, operation, access control, and incident management

Escalates issues of 3rd party vendor's non-compliance to the vendor management office

Perform data loss prevention assessment of our data at the vendor site

Carry out various types of vendor assessments such as virtual/ onsite risk assessment for our vendors depending on triage information from the vendor management office

Act as peer-to-peer reviewer for other colleagues to ensure all findings are accurate and well defined

Validates all controls at the vendor site to ensure the confidentiality, integrity, and availability of our data in their custody

Working with the vendors to ensure risks discovered are remediated within the time frame as stipulated

Promoted enterprise-level risk management practices and helped instill strong culture focused on protective policies and procedures

Developed short-term goals and long-term strategic plans to improve risk control and mitigation.

Tech System

IT Auditor

10/2016 - 10/2017

Performed assessment of IT General Controls (ITGC) such as Access Control, Change Management, IT operations, Disaster recovery, and Job Scheduling

Assisted IT management in identifying gaps between policy and process, developing recommendations to remediate control weaknesses, and responsible for developing and maintaining IT control metrics related to compliance activities

Strong background in all stages of the Auditing process, including planning, fieldwork/execution /risk assessment, reporting, and follow-up

Developed audit plans and programs to evaluate control areas on projects such as financial statement

Identified control gaps in processes, procedures, and systems through in-depth research and assessment and suggested methods for improvement

Established internal control systems by updating the audit program

Documented control weaknesses related to testing exceptions and assisted in preparing draft audit reports communicating findings and recommendations to senior management

Reviewed Corrective Action Plan (CAP); validated remediation controls and followed up on the remediation process

Performed internal and external IT risk assessments, conducted gap analysis against industry standards, and provided recommendations on mitigating options

Skills

Strong written/verbal communication skills, and organizational and work documentation proficiency

Good communicator with demonstrated ability to pass messages in a clear and concise manner

Ability to adapt to changing priorities, handle multiple assignments, and adhere to strict deadlines

Ability to coordinate actions from several different teams

Experience performing IT audits or IT security risk assessments

Education and Training

Benue State University Makurdi

Bachelor of Arts, Mass Communication

11/2002

Graduated with Second Class Upper Division

Certified Information Systems Auditor (CISA), ISACA
