IT SUPPORT

Location:
New York, NY
Posted:
December 03, 2022

Resume:

Proven skills in resolving complex issues in a timely manner within challenging environments. I have experience in Information Security Risk Management and in other aspects of systems security evaluation, validation, monitoring, incident response, Governance, Risk & Compliance, the Risk Management Framework, and reporting, along with other skills gained over 7 years of professional record of successfully assessing information security risks, coordinating remediation efforts, and carrying out organizational Information Security Awareness Training. I am seeking to use my skills and expertise to help achieve enterprise-wide information risk prevention, mitigation, privacy, and governance goals and the objectives of Confidentiality, Integrity, and Availability (CIA). I work independently as well as being a team player who is enthusiastic, reliable, hardworking, adaptable, and versatile enough to grasp new concepts and technologies, with an unjustifiable desire to learn.

PROFESSIONAL EXPERIENCE

Third Party Risk Analyst

Qualys 12/2020 – Present

Ensure risk is being managed throughout the third-party life cycle (planning, due diligence, contract, transition, on-going monitoring, and off-boarding).

Coordinate with stakeholders to initiate scope and plan controls assessment of new and existing vendor engagements.

Analyze all new vendor contracts and point out areas of improvement to management.

Support the Vendor Risk Management (VRM) Program to effectively manage vendor risk in accordance with internal policy and regulatory requirements, ensuring strong oversight of all vendors risk and providing visibility of existing and emerging risks.

Conduct periodic risk assessments for potential and existing vendors through SIG and site visits. Review SOC reports to identify gaps.

Participate and assist in gathering evidence for ISO 27001 Audits.

Track vendors with deficiencies and write Vendor Risk Assessment (VRA) reports.

Communicate vendor information security issues to stakeholders, ensuring their understanding of associated risks and actions needed to remediate those risks.

Work with vendor relationship managers and business partners to address and respond to risks in compliance with organizational risk policies and procedures.

Ensure compliance with ISO, GDPR, CCPA & HIPAA regulations.

Respond to vendor Questionnaires covering areas of HIPAA, GDPR, CCPA and NYDFS.

Participate in updating existing Business Impact Analysis (BIA) and Business Continuity Planning (BCP).

Conduct tabletop exercises and carry out drills for Disaster Response (DR).

Assist the firm-wide transition to work from home (WFH) during the Covid-19 pandemic using the guidelines of the BCP.

Prioritize/rate vendors based on Tier ratings and analyze vendor evidence such as the SOC 2 Type 2 report, vulnerability scan report, pen-test reports, BCP, DR, SLA, etc.

Act as remediation analyst to work with vendors in remediating findings discovered during the onsite/virtual assessment.

Work closely with managers to ensure awareness and understanding of third-party risk program requirements and associated risk within their portfolios.

Vendor Risk Analyst

Humana, Inc. 11/2018 – 11/2020

Assist in the development, implementation and maintenance of policies, procedures, standards, and guidelines in accordance with applicable regulations including ISO 27001, NIST 800-53 framework and HIPAA.

Identify strengths and weaknesses in the security program as they relate to privacy security, business resiliency and compliance frameworks.

Maintain strong oversight of third parties, vendors, and business partners to safeguard against undue risk presented by external entities. Escalate to security management and business units leads when points of weakness are discovered.

Monitor current and proposed security changes impacting regulatory, privacy and security industry best practice guidance. Apply GRC expertise across key lines of business, including products, practice, and procedures.

Lead the identification, evaluation, and documentation of risks and controls associated with new and existing vendor engagements on an enterprise-wide basis and ensure appropriate processes have been followed prior to agreement/contract signature.

Ensure security and technology teams maintain up-to-date configuration documentation for systems and processes. Maintain oversight of security systems and security configuration administration to reduce risk to enterprise system and accounts.

Act as key participant in incident response to track occurrence and resolution with documentation and reporting.

Work with security, audit, and risk management leadership to perform ongoing security program assessments and create annual strategic technology and budgetary directives.

Act as liaison with auditors, both internal and external, to maintain and implement controls for compliance and privacy laws.

Act as a point of contact for disaster recovery and business continuity as it relates to security framework, compliance, and privacy.

Review services provided by vendors and define the scope of assessment based on SIG.

Identify gaps, create a risk treatment plan, track the remediation process, and provide recommendations.

Direct the creation and organization of a comprehensive workflow, training, and security awareness.

Analyze vendors' processes to determine deficiencies within their controls that could violate applicable laws, regulations, frameworks, or internal policies and procedures.

Review SOC 2 reports, penetration test reports, vulnerability scan reports, BCP, DR, and IRP as supporting evidence backing up the information security questionnaire.

Review vendor contracts and vendor certifications (PCI, HIPAA, GDPR, HITRUST, ISO 27001), licenses, and insurance.

Security Control Assessor

AutoZone, Inc. 08/2014 – 09/2018

Ensured management, operational, and technical security controls adhered to well-established security requirements authorized by NIST SP 800-53.

Lead control assessments by assisting in creating the SAP and SAR, conducting kickoff meetings, and sending kickoff emails.

Conduct security control assessments in accordance with NIST SP 800-53A r4.

Perform A&A documentation reviews, identify/document/communicate assessment results, and update core IT security documentation; documentation to be developed includes Security Assessment Plans and Security Assessment Reports.

Perform Risk Management Framework (RMF) Step 4 Security Control Assessments with guidance of SP 800-53A rev 4, SP 800-30 and input assessment results.

Perform control implementation using NIST SP 800-53 and NIST SP 800-18 as a guide.

Conducted awareness and training of new employees.

Performed Risk Assessment using NIST SP 800-30 and Risk Management using NIST SP 800-39 as a guide.

Created POA&M to track all remediation processes for the identified vulnerabilities.

Experience with auditing by acting as a liaison analyst, performing walkthroughs, and providing all necessary evidence to the auditors.

Create policies and procedures as well as SOP, Contingency plan (CP) and Incident Response (IR).

Identify weaknesses, determine impact/likelihood then recommend remediation actions.

Review vulnerability scan reports, research the findings in the reports, and provide remediation strategies.

Performed continuous monitoring to maintain strong security posture.

Education:

Bachelor of Science

Certificates:

CompTIA Security Plus

Certified Ethical Hacker (CEH)

Certified Information Systems Auditor (CISA)

AWS Security Professional

Language:

English

Skills/Tools:

Technical Skills:

Windows, basic Linux

MS Office 360 (Word, Excel, Outlook, Access, and PowerPoint), SharePoint.

ISO 27001, PCI DSS, FEDRAMP, FISMA Compliance, NIST 800 Series (800-53: Risk Management Framework, 800-61: Incident Handling), GDPR, GRC, CCPA, HIPAA, HITRUST, NYDFS.

Information security

Soft Skills:

Ethics, Communication, Teamwork, Problem solving, Diplomacy, Accountability, Integrity.