Nathan Scott DMello
CISA, MBA
https://www.linkedin.com/in/nathan-dmello-1b12b92b/
SOX IT Compliance Security Audits & Risk Management
Professional Summary
Accomplished IT Security, Compliance, Risk Management and Sarbanes-Oxley (SOX) professional with progressive experience and excellent ability to aid in the development of effective security controls, policies, procedures, and business/technical infrastructure/Enterprise Architecture, as well as manage/monitor regulatory compliance issues related to: PCI-DSS, SOX 404, GRC, SSAE 16 & 18/SOC 1, 2, ISAE 3402, NIST 800-37, Unified Control Framework (UCF), NIST 800-53/63, ISAM/ISIM, Data Protection/Privacy/NIST 800-53/DOD/FAR/DFAR & FAA regulations, IAM – Identity Access Management (Aveksa) – RSA Archer product at Bell Helicopter/Textron – ^ years, etc.
SAS – Developed SAS programs to merge, match and analyze data from various platforms and created reports for quick decisions for data analytics at Verizon Billing systems.
SOX – 16 years (ITGC), Third Party Vendor Risk Assessment (IRM), Remediation, SOX Section 404 Testing Controls (ISO 270**-*****, FFIEC/NIST 800-53, 800-88, CSF, GDPR, EU Privacy Laws, CCPA, SOC 1, SOC 2), Security Risk Assessment of Cloud Providers using RMF and NIST 800, CSF & ISO 27000 series, -3, ISAM/ISRM, COSO/COBIT 5, ISO 27001/27002, ISO 9001, HIPAA, HITRUST CSF, ITIL, GLBA/SEC, CFTC, AS9100, FAR/DFAR, DCAA, ITAR/EAR, IP (Intellectual Property Protection), PCI DSS.
Helped to build and refine the IT risk management program and provide business mitigations.
Performed internal control assessments under NIST 800-53 /CSF risk management. Assessed control environment and developed roadmap and initiatives for implementation of technological projects into current or existing architecture.
Worked closely with internal & external auditors (Deloitte, PwC, E&Y) in providing solutions and additional documentation to meet compliance with ISO 27001, ISO 27018 (GDPR), PCI DSS, SOC 1 and SOC 2 Type I & Type II, and prepared executive summary reports.
Periodically updated the IT Policies and Standards based on the IT environment.
Consulted with the line of business and enterprise functions on financial reporting or information technology governance controls and provided oversight to ensure completeness.
Identified compliance and risk management requirements for assigned controls.
Provided oversight for testing and monitored key control areas to ensure compliance with organization policies and regulatory reporting (SEC, HIPAA, SOX, COSO/COBIT).
Communicated and provided consultation regularly to stakeholders throughout the enterprise.
Performed ad-hoc projects related to information security and risk management, such as Data Loss Prevention, Data Classification, etc.
Assisted in the design of security controls leveraging a combination of automated tools, manual procedures, and review of automated script outputs.
Education:
MBA – Business Admin & Strategic Leadership, Amberton University, Dallas, Texas, 2008
B.Sc. Accounting/Computer Science from Langston University, Langston Oklahoma
Certifications & Training
•SOX Specialist Certification – Tulane University, School of Law, 2007
•Certified Information Systems Auditor (CISA) – 2007
•Green Belt Certification – Business Process Improvements – FMEA, Fishbone Analysis (Six Sigma), TQM, ISO 9001 – QFD Institute, 2011
Technical skills:
Software (proficient user) – MS Excel, MS PowerPoint, MS Outlook, MS Word, MS Visio
Technologies reviewed – SAP, Oracle EBS, MS SQL Server, Oracle, AS/400, Windows Server, Linux, Unix, IBM OpenPages, SURALINK, CyberArk, CrowdStrike, Nexus, Palo Alto Networks, SQL – using VB Scripts for data mining.
Operating Systems & Applications – MVS, VMS, MS Windows 10, MS Office (Excel, Word, PowerPoint, Outlook), Zoom, MS Teams, SharePoint, ServiceNow, Jira (Ticketing), ERP & GRC – Archer, SAP ECC, SAP GTS, SAP CRM, RSA Archer Aveksa, ENOVIA, CATIA V4/V6, .NET/VISTA, IBM OpenPages.
Good working knowledge and understanding of programming languages and tools such as: SAS (data analytics), COBOL, JCL, C, C#, C++, MongoDB, Teradata, SVN, Bit, Git, Jenkins, DB2, VB, Java, Jira, ServiceNow, Hyperion, KRONOS, RSA Archer/Aveksa, SAP FICO module including hands-on configuration and two full life cycle project experiences; PCI-DSS, Network Segmentation Controls.
DNS, Cyber Security, Cloud Architecture, TCP/IP, SOC 2 Type I & Type II, Data Encryption (HTTP/SSL/TLS, etc.).
Professional Experience
Apex Systems – Bank of America – QA/QC – IT (Consultant) Mar 3 – May 22
QA – Vendor Payment Processing
•Performed QA review of controls within the Global Payment System that received a Severity Two Audit-Identified Issue.
•Verified and validated that the evidence provided to support the control requirement lacked full adherence to the control.
•Data Privacy cross-border – compliance with GDPR and applicable laws.
•Identified controls that lacked holistic governance and oversight from Application Manager(s) to complete QA requirement(s) as identified in the Global Policy.
EY – Agency: SSI People – Client: GE Internal Audit (Contractor) Dec – Jan 29, 2022
New York (Remote) – Senior IT SOX Compliance Analyst
•Developed the design of network segmentation to ensure confidential and sensitive data were properly segregated/stored on dedicated servers and only authorized individuals were granted access as per their assigned role.
•Reviewed and tested controls (Access Management, Cryptographic Controls around data at rest and in transit, Operational Controls including the Change Control Process, SOD, Business Continuity, ICFR Controls (SOX, GAAP, COSO/COBIT) framework) to ensure control objective requirements were fully satisfied in accordance with IT policies and procedures and ISO 27001/NIST 800-53.
•Acted as a liaison between internal /external audit and/or assessment teams to address deficiencies and gaps.
Protiviti / Robert Half Technology Inc., Oct 2021 – Dec 2021
Woodbridge NJ USA – (100% REMOTE)
Senior IT SOX Compliance Analyst – SOX/SOC 2/ISO 27001
SOC 2/ISO – Audit Readiness – Client: COMMERCE HUB – UK
•Reviewed, Assessed, and Tested ITGC /ITAC (IT General Controls and IT Application Controls) for SOC 2/ISO 27001 & 27002 readiness.
•Developed and executed risk-based external and internal audit strategies for Sarbanes Oxley/404 and Service Organization Controls (SOC) reporting.
•Reviewed, analyzed and validated all testing results to ensure adherence to organization IT Policies, IT Controls and regulatory SOX 404 standards.
•Consistently delivered on projects with challenging deadlines, limited resources, complex IT environments, and demanding clients.
•Identified control gaps, sought remediation and process improvements, and validated evidence for ninety-seven (97) IT controls and uploaded it to SURALINK for external/internal auditor review.
•Provided guidance to control owners in areas of Change Control, Access Requests, Terminations & New Hires, Data Centre Access removal of terminated individuals. Reviewed and validated SOC 2 Type II reports from Service Providers (AWS, Azure) as part of SOC2 readiness.
•Reviewed Change Control tickets and ensured approved changes complied with the IT Change Management policy. Interacted with key stakeholders of the IT security team, Internal Audit, and Legal to mitigate risk and ensure compliance with NIST 800, COBIT, CSF, SSAE 18, SOC 1 & 2 Type 1 & 2 (AWS Amazon, MS Azure, and other Cloud Service Providers).
•Managed all Issues in JIRA, documented issues, assigned issues, resolution of issues and escalated priority of issues to seek timely resolution and subsequently closed the issues in JIRA.
•Created 101 tickets for IT Controls under review and validated evidence. Updated the JIRA tickets upon successful remediation implementation.
•Provided issue resolution for IT Controls related to Change Management, Cyber Security, Disaster Recovery, Data Loss Prevention, and consultative support to the Control Owner(s) & Issue Owner (s) on remediation approaches, timelines, completeness, and assigning compensating controls.
•Generated JIRA reports for management review and communicated effectively areas of concern.
Deloitte Consulting LLP – USDA Client- New Orleans, LA Feb 2019 – Oct 2021
SAP – SSAE 18/SOX/SOC – Risk Assurance/Compliance Consultant / Agency – Thompson Technologies LLC (100% REMOTE)
•Conducted a series of walkthroughs to understand the existing control environment, review existing control activities and testing procedures and review of recent audit reports.
•Performed information security risk assessments of technology enabled projects, inclusive of vendor reviews, security requirement, security testing and management of residual risk.
•Evaluated vendor controls and practices, process enhancements, occasional on-site assessments, reviewed security test reports, analyzed and developed security requirements.
•Benchmarked the results of walkthroughs as well as an analysis of configuration, security roles, and profile parameters against leading SAP risk management practices, to identify risk and improvement areas.
•Performed Security Risk Assessment of the Cloud Providers using tools, best practices and the Risk Management Framework (RMF) in compliance with NIST 800, CSF, & ISO 27000 series.
•Evaluated identified risks, ranked them according to criticality and communicated the methodology used. Validated and mapped SOC 1 & SOC 2 complementary controls to User Organization Controls, identified gaps and sought resolution.
•Implemented security mitigation solutions according to Security Policy and Practices and best practices (NIST/ CSF, COBIT 5 Framework(s), ITIL)
•Developed and delivered presentation of findings and recommendations to the Deputy Director and Senior Leadership team using SDLC phase approach.
•Performed data classification and ensured PII/PHI data were in compliance with GDPR/EU guidelines and ISO27018, 27001/27002.
•Defined secure configurations leveraging technical knowledge and problem-solving skills in the network, database, server and desktop technology areas in accordance with the secure SDLC process.
PwC – Price Waterhouse LLP Oct 2018 – Jan 2019
Senior Associate (Assurance) – Contractor/Consultant
Lead SOC 2 Analyst – Client – CENTENE INC (Healthcare), Clayton MO
•Performed User Access Reviews (UAR) for applications impacted by SOX and SOC 2. Conducted walkthroughs of the UAR design checklist with key stakeholders to determine whether access to applications is role-based and whether access has been authorized at the system or server level.
•Performed SOC 2 gap assessment as part of SOC 2 readiness, and remediated controls and processes. Mapped User Organization Controls to the Service Organization (SOC 2 Type II) and identified complementary controls.
•Reviewed queries generated via SQL and user access listings of applications, and conducted data analytics utilizing AD user profiles for all users to determine whether access was commensurate with job title and consistent with organization IT security policies.
•Ensured changes to configuration and changes to the code repository were committed in accordance with change control policies and that proper reviews and approvals existed prior to migration to the prod environment. SOD was maintained throughout code development by respective roles within separate environments.
•Performed risk assessment of existing applications and gap analysis to close security risk exposures in the areas of Vulnerability, IPS/IDS, Incident & Access Management, Change Management, etc. Understood information security risks and assessed mitigation strategies to confirm alignment with risk appetite.
Boston Consulting Group – BCG Dallas TX Apr 2018 – Sep 2018
Lead Risk Analyst – Completed Assignment
•VRM – Performed Vendor Risk Management – Vendor Assessment – Infrastructure Risk Assessment
•Reviewed SOC 2 Type II third party service/sub-service providers, identified gaps and sought resolution and remediation of identified gaps.
•Captured vendor assessment demand and completed scoping calls with key stakeholders to understand the service details and data managed by the vendor.
•Developed self-assessment questionnaires relevant to the service scope, data managed, data location and legal/jurisdictional requirements.
•Reviewed process integrity documentation, metrics/KRIs, controls, RACI, policies, and standards.
•Performed risk assessment and documented procedures, risk mitigation or risk remediation.
•Assessed risk, documented control deficiencies and issues, and developed appropriate corrective actions.
•Experience leveraging data analysis to identify trends, issues, and drive mitigation/remediation
•Reviewed Info-Security Pre-Assessment Questionnaires, identified IT security risks, communicated findings and sought timely resolution. Prepared a full Executive Summary Report on vendors and determined whether they were compliant with BCG Minimum Security Requirements. Reviewed and validated controls (ITGC/ITAC) and penetration test validation.
•Created an IT Security Scorecard and benchmarked it against industry standards.
•Worked and interacted closely with the Architecture team, Legal, Procurement, and other key stakeholders.
Hearst Inc., Charlotte, NC Jan 2018 – Apr 2018
IT Audit Manager – Contractor – Completed Assignment – Back-Fill
IT General Controls – Audits & Compliance/Internal Audit
•Planned and performed IT audits and prepared audit reports addressing findings and recommendations, reviewing financial applications to ensure compliance over IT systems (GRC/COSO, COBIT 5, HIPAA, NIST 800, PCI DSS) from a Security, Disaster Recovery, Vulnerability & PCI Compliance view, etc.
•Reviewed and approved ITGC controls in IBM OpenPages. Evaluated & validated SSAE 16 & SSAE 18/SOC 1 & 2 CSP (Cloud Service Provider) complementary controls.
•Identified gaps and obtained additional supporting evidence to determine control effectiveness.
•Entered all Internal Audit ITGC issues and assigned issues for resolution /remediation to field auditors. Supervised seven (7) field auditors and provided direction and answered questions.
Client – COPART Inc., Addison, TX Jan 2017 – Dec 2017
IT General Controls – Risk & Compliance Audits (Consultant)
•Conducted information security and business continuity assessments of vendors providing services to Client.
•Performed testing of ITGC controls related to Information Security Controls (Application Security, Infrastructure Security, Access Management, Physical Security, etc.), IT Compliance, SOX 404 Compliance, Change Management, and Enterprise Risk Management, and ensured compliance with NIST 800-53/PCI DSS, ISO 27001, SDLC, GRC, COSO, COBIT, and ITIL standards.
Rouse Properties – Real Estate Investment Trust (REIT), Irving, TX Jan 2014 – Nov 2016
Senior IT Risk Analyst - Controls Risk and SOX Compliance & Audits
•Developed and implemented a strategic, comprehensive enterprise information security and IT risk management program to ensure the integrity, confidentiality and availability of information owned, controlled or processed.
•Developed and assessed internal controls of processes in accordance with SOX requirements.
•Performed risk assessment of potential CSPs (Cloud Service Providers), implemented controls to mitigate risk and ensure compliance with SOX 404, SOC 1 & 2 Type I & II, GRC, NIST 800-53, HIPAA and applicable regulations.
Textron Inc., Bell Helicopter, Hurst, TX Feb 2007 – Jul 2013
Lead IT Security & Risk Management, IT & Process Controls & Compliance
•Supported PSI (Process and Systems Integrity Team) to ensure IT, Engineering & Business processes were closely aligned with engineering standards (AS9100) and application controls were implemented at the activity level to ensure systems security, auditability of processes and compliance with federal regulations FAR/DFAR/ITAR/EAR/FAA/SOX 404/COBIT, IP, ISO 9001, SSAE 18/SAS 70, ISO 27001-2, PCI DSS controls, Data Privacy utilizing NIST 800-53/CSF, ITAR (Government drawings and sensitive materials) and AS9100.
•Monitored privacy regulations, technology trends, business process changes, and developments in the privacy field; evaluated potential business impacts; and directed implementation of applicable changes to Company privacy and data protection governance.
•Developed and maintained oversight of privacy policy compliance measures and ensured adherence to company policies and procedures, regulations and industry best practices.
•Compliance lead for the BSM (Bell System Modernization) project focused on process improvement, IT security, operational risks (FMEA), Cloud Computing (SaaS/FaaS/PaaS) and hybrid cloud.
•Interacted with key stakeholders from Engineering, Logistics, Finance and ITRM and performed Gate reviews at each Gate utilizing a risk-based approach.
Ernst & Young
Client: Shell Oil Products – Houston TX Nov 2005 – Jan 2007
SOX 404 - IT Security Compliance Lead (Consultant)
•SOX testing – walkthrough documentation, Design Effectiveness and Operational Effectiveness for Financial Systems (IGINS/FIRST) Business and IT General Controls and Treasury E-banking controls, and self-assessment testing for operational effectiveness.
•Worked closely with internal & external auditors to provide/seek remediation of failed controls.
•Performed remediation testing on internal controls – Sarbanes-Oxley (SOX) 404 Compliance.
JP Morgan Chase Bank-Investment, Dallas, TX (Employee) Oct 2001 – Nov 2005
Risk Analyst - Global Investments & Risk Advisory Group
•Performed all aspects of risk and assessed, on an ongoing basis, the material risk associated with how business unit activities and products are developed, launched and processed end to end.
•Reviewed risk trends within existing vulnerabilities and potential threats created from newly implemented platforms.
•Continuously monitored control activities to ensure no additional risks had been introduced into the existing architecture.
KPMG, LLC – Dallas Texas Apr 2000 – Sep 2001
UICI Inc., Hurst, TX - Client – INSURANCE COMPANY
SOX – IT Test Specialist – (Contract Assignment)
•Reviewed the client’s IT general computer control environment for operational effectiveness as required by Sarbanes-Oxley sections 302/404 within the GRC, COSO/COBIT/HIPAA controls framework.
•Identified process-specific risks, and introduced new or updated existing controls to mitigate risks to an acceptable level as per organization policies. Worked closely with process owners, conducted process walkthroughs of controls and conducted testing of assigned controls within the control framework.