RUWANMALI PREMATILAKE
*****, ******* **** ****, ****** Spring, Maryland 20906 Phone: +1-202-***-**** aduqt5@r.postjobfree.com
SUMMARY
A highly results-driven, solution-oriented, and hands-on IT Audit, Security and Privacy professional with extensive expertise in HITRUST assessments, ISO 27001 audits, FedRAMP assessments, HIPAA, GDPR, PIPEDA and other privacy assessments, SOC 2 audits, and SOX audits. A Security, Privacy & Compliance professional with over 20 years' experience, who has worked in the consulting, financial, media and other industries, seeks a challenging position in the IT Audit industry. This highly accomplished Senior Technology Leader has previously been employed by multinational corporations such as Ernst & Young, RSA Insurance, Aviva Insurance, Torstar Print & Digital Media Corp, Harlequin Publishing, Coca-Cola, 3M Health Information Systems and Taj Hotels, to name a few.
EXPERIENCE
Teladoc Health Inc. Purchase, New York, USA (Remote) June 2017 to date
Director, Information Security - Governance, Risk and Compliance.
Defined the IT GRC strategy and ensure it is continuously reviewed and updated to meet business needs.
Established a new Information Security GRC program with a new strategy and built a new GRC team by recruiting new and internal team members.
Continuously provide oversight and coordination of the Teladoc GRC program.
Enhance and continuously expand the GRC portfolio to improve Teladoc's overall security and compliance posture.
Develop and implement policies, procedures and standards, and ensure ongoing compliance with the implemented policies, procedures, standards, and frameworks, including SOC 2, SOX, HIPAA, HITRUST and others.
Implement and mature a Continuous Control Assessment program framework, selecting controls consistent with the GRC strategy to ensure that industry better practices and regulatory requirements relating to cybersecurity (including NIST, SOX, PCI, FedRAMP, ISO, GDPR, HITRUST, and others) are designed and implemented accordingly.
Lead all security compliance efforts, working with all relevant partners (e.g., IT, Privacy, Legal) to ensure that all compliance obligations are understood, all relevant processes are fully established, and compliance is continuously tracked, measured, and reported on.
Designed, implemented, led and continue to mature an integrated risk management program that applies operating controls to manage information security risk, consisting of an internal IT Risk Management program and an external Third-Party Risk Management program.
Collaborate and act as a true enabler of the business and a partner to technology and other departmental leaders and teams by providing oversight of the risk management process, ensuring that cyber risk to mission and business success is considered in decision making.
Drive security outcomes through influence and partnership, with a relentless focus on establishing a security-first culture.
Engage in everything from deep, detailed technical conversations to executive-level briefings, distilling challenging compliance, risk, and technical constructs in a digestible manner.
Act as the primary point of contact for internal and external auditors and assessors, as well as client auditors, by leading assessment coordination activity across Teladoc.
Articulate cyber risks and their impacts in a business context, and recommend mitigation activities.
Lead remediation activities, governance, and tracking.
Mature the Third-Party Risk Management program to encompass all relevant elements (e.g., initial assessments, continuous monitoring).
Create and update Information Security policies and procedures.
Formalize and operationalize the Information Security exception process and provide continuous governance.
3M HEALTH INFORMATION SYSTEMS Silver Spring, Maryland May 2017 – June 2021
Senior Risk Program Manager, Data Security
Provide subject matter expertise to stakeholders on Risk Management, Information Security and Privacy, and security frameworks related to NIST, HIPAA, HITRUST, ISO 27001, SOC 2 and FedRAMP, as well as internal controls
Perform third-party vendor assessments to approve PHI tools and vendors, including those handling PHI, as approved vendors; perform recurring vendor risk assessments
Perform Security Risk Analysis & Compliance Assessments (applications/ePHI tools/infrastructure/vendors) with IT, Business, and Project teams to deliver comprehensive, contextualized, actionable information in accordance with industry "best practice"
Lead HITRUST certification assessments and third-party service auditor attestations of compliance (ISO, SOC 2, NIST, FedRAMP), including self-assessments and continuous assessments of the control environment
Manage multiple risk assessments and related projects in fast-paced environments, including the suggested security clauses in contract addendums and Business Associate Agreements
Review security requirements, approval processes, exception handling, and remediation activities to assist remediation planning, governance, and risk treatment/management, with an emphasis on increasing the security posture
Provide generalized as well as discrete input to develop security standards, IT plan policy, roadmaps, and project prioritization guidelines
Generate periodic reports utilizing dynamic updates from security assessment analysis, vendor and ePHI tool assessments, and third-party audit report reviews, adhering to the maxim of "Accuracy, Consistency, and Alignment" for all deliverables
Promote information security as a core business process of the organization and support implementation/enforcement of 3M HIS information security programs and policies
Execute, examine, and test procedures in accordance with industry, regulatory, and corporate requirements
Build positive relationships within 3M HIS and 3M's technology organizations to accomplish stated goals, objectives, and requirements
Create/manage security information-gathering questionnaires for external clients and RFP responses.
RSA CANADA Toronto, Canada Area
Director Information Technology Audit & Head of IT Audit Canada July 2015 – May 2017
Developed IT Audit Plans to provide insights that matter considering risks within the appetite established
Reported control deficiencies and obtained remediation plans from stakeholders for GDPR, PIPEDA and other continuous assessment audits
Advanced the audit approach to consider fraud in individual audits
Increased the level and quality of audit coverage within the annual controllable expense budget
Applied appropriate capabilities to audits, working with co-sourced service providers with specialized expertise in transformational change, on a cost-effective basis
Provided early warnings to the Canadian Executive Team to prevent deterioration of the Governance, Risk management and Internal control environments
Monitored insurance risks/control indicators by attending key meetings to increase visibility and impact
Dealt with confidential and sensitive issues discreetly in a fair, objective, and professional manner
Implemented tracking and escalation mechanisms to monitor actions arising from Internal/External Audits
Monitored post-Audit activity to ensure follow-up actions are completed to mitigate relevant risks
Delivered reports to Canadian Executives, Group Internal Audit function, Group & Local Audit Committees, and external audit
Drove long-term profitable growth through minimization of losses arising from unmitigated risks and ineffective controls
Provided timely, relevant & insightful feedback to stakeholders on governance, risk and control environment
Managed performance, career development, and succession plans of direct reports consisting of Technical Audit Managers and Audit Leaders
Worked collaboratively with the Risk Management function and other assurance providers to leverage knowledge and results
Performed Thematic Reviews across the Group through coordination of audit approach, scope and schedules
Maintained relationships with external auditors through periodic discussions and provision of audit and advisory reports
TORSTAR CORPORATION Toronto, Canada
Manager (Corporate) - IT Internal Audit & PCI Internal Security Assessor March 2009 – July 2015
Reviewed security and controls of enterprise-wide technology projects such as Enterprise Monitoring, Enterprise Backup, Unified Threat Management, and the Payment Card Industry project
Planned, organized, and conducted operational and compliance audits (PCI security/Bill C-198) for print, digital media, and book publishing companies
Demonstrated critical thinking and performed analytical procedures to determine potential problem areas
Presented the effectiveness of IT control environment to executive management and the audit committee
Defined scope of the audit and expanded/decreased audit tests based on audit findings
Developed IT audit plans considering risks/exposure coverage to protect information assets
Ensured compliance with established policies, procedures, and federal/state regulations
Appraised effectiveness of internal controls (Canada and Overseas) implemented to safeguard assets, adherence to sound business practices and company policy
Appraised application of policies/procedures in project Management and technology risk assessments
Prepared clear, concise, and objective audit reports with findings and recommendations
Assisted public accounting firms and Independent Review Organizations in performing their audits
AVIVA CANADA Toronto, Canada
Manager, Compliance - Operations and Technology Department October 2007 – March 2009
ERNST & YOUNG, Toronto, Canada
Manager Technology and Security Risk Services July 2005 – July 2007
INTERBLOCKS LIMITED Colombo, Sri Lanka
Business Consultant November 2004 – February 2005
ERNST & YOUNG Sri Lanka
Manager Technology and Security Risk Services July 2000 – September 2004
KINGSLAKE ENGINEERING SYSTEMS PVT. LTD Colombo, Sri Lanka
Manager Information Systems July 1999 – July 2000
COCA-COLA BEVERAGES Ltd. Sri Lanka
Executive – Administration 1998 – 1999 - Special Project – ERP Implementation project member
TAJ LANKA HOTELS LIMITED
Executive - Finance and Administration April 1993 – September 1996 - Special Project - Project Subject Matter Expert for the computerization of the back-office operations of the finance department
EDUCATION
University of Moratuwa - Master of Business Administration, Management of Technology 2001 – 2003
British Computer Society, U.K. - Chartered Information Practitioner, Information Technology 1998 – 2000
University of Colombo Post Graduate Diploma in Computer Technology, Computer Technology 1996 – 1998
Murdoch University Bachelor of Commerce (B.Com.), Commerce and Public Administration 1989 – 1992
Other Training Institutions 1983 – 1987
CERTIFICATIONS
Certified Information Systems Auditor® (CISA) - Issuing authority ISACA - Issued Mar 2008
ISO 27001 Lead Auditor - Information Security Certification Issuing authority
Certified CSF Practitioner (HITRUST) - Issuing authority HITRUST - Credential Identifier 57315
Chartered Engineer, CEng. - Issuing authority Engineering Council, United Kingdom
BRITISH STANDARDS INSTITUTION - MBCS CITP - Issuing authority British Computer Society
PCI Professional (PCIP) - Issuing authority PCI Security Standards Council
HealthCare Information Security and Privacy Practitioner (HCISPP) - Issuing authority ISC2