
Director GRC

Location:
Silver Spring, MD
Posted:
January 17, 2023


Resume:

RUWANMALI PREMATILAKE

*****, ******* **** ****, ****** Spring, Maryland 20906 Phone: +1-202-***-**** aduqt5@r.postjobfree.com

SUMMARY

A highly results driven, solution oriented, and hands-on IT Audit, Security and Privacy professional with extensive expertise in HITRUST assessment, ISO 27001 audits, FedRAMP assessments, HIPAA, GDPR, PIPEDA and other Privacy assessments, SOC 2 audits, SOX audits. A Security, Privacy & Compliance professional who has over 20+ years’ experience, worked in the consulting, financial, media and other industries seeks a challenging position in the IT Audit industry. This highly accomplished Senior Technology Leader has been previously employed by multinational corporations such as Ernst & Young, RSA Insurance, Aviva Insurance, Torstar Print & Digital Media Corp, Harlequin Publishing, Coca-Cola, 3M Health Information Systems and Taj Hotels to name a few.

EXPERIENCE

Teladoc Health Inc. Purchase, New York, USA (Remote) June 2017 to date

Director, Information Security - Governance, Risk and Compliance.

Defined the IT GRC strategy and ensure the strategy is continuously reviewed and updated to meet the business needs.

Established a new Information Security GRC program with a new strategy and built a new GRC team by recruiting new and internal team members.

Continuously provide the oversight and coordination of the Teladoc GRC program.

Enhance and continuously expand GRC portfolio to improve Teladoc’s overall security and compliance posture.

Develop and Implement Policies, Procedures and Standards and ensure maintenance of compliance to the implemented policies, procedures, standards, and frameworks, including SOC2, SOX, HIPAA, HITRUST and others.

Implement and mature a Continuous Control Assessment program framework selecting controls consistent with the GRC strategy to ensure industry better practices, and regulatory requirements relating to cybersecurity (including NIST, SOX, PCI, FedRAMP, ISO, GDPR, HITRUST, and others) are designed and implemented accordingly.

Lead all security compliance efforts, working with all relevant partners (e.g., IT, Privacy, Legal) to ensure that all compliance obligations are understood, all relevant processes are fully established, and compliance is continuously tracked, measured, and reported on.

Designed, implemented, led and continue to mature an integrated risk management program that applies operating controls to manage information security risk efforts, consisting of an internal IT Risk Management program and external Third-Party Risk Management programs.

Collaborate and act as a true enabler of the business and partner to technology and other departmental leaders and teams by providing oversight to the risk management process to ensure that cyber risk to mission and business success is considered in decision making.

Drive security outcomes through influence and partnership, and relentlessly focus on the establishment of a security-first culture.

Engage in deep, detailed conversations to executive level briefings, distilling challenging compliance, risk, and technical constructs in a digestible manner.

Act as the primary point of contact to internal and external auditors and assessors, client auditors by leading assessment coordination activity across Teladoc.

Articulate cyber risks in a business context and their impacts, and recommend mitigation activities.

Lead remediation activities, governance, and tracking

Mature Third-Party Risk Management program to encompass all relevant elements (e.g., initial assessments, continuous monitoring).

Create and update Information Security policies and procedures

Formalize and operationalize Information Security exception process and provide continuous governance

3M HEALTH INFORMATION SYSTEMS Silver Spring, Maryland May 2017 – June 2021

Senior Risk Program Manager, Data Security

Provide subject matter expertise to stakeholders on Risk Management, Information Security and Privacy, and Security Frameworks related to NIST, HIPAA, HITRUST, ISO 27001, SOC2 and FedRAMP, as well as Internal Controls

Perform Third Party Vendor Assessments to approve PHI tools and vendors, including those handling PHI, as approved vendors; perform recurring vendor risk assessments

Perform Security Risk Analysis & Compliance Assessments (applications/ ePHI tools/infrastructure/vendors) with IT, Business, and Project teams to deliver comprehensive, contextualized, actionable information in accordance with industry "best practice"

Lead HITRUST certification assessments and third-party service auditor attestations of compliance (ISO, SOC2, NIST, FedRAMP) efforts including self-assessments and continuous assessments of control environment.

Manage multiple Risk Assessments and related projects in fast-paced environments including the suggested security clauses in contract addendums and Business Associate Agreements

Review security requirements, approval processes, exception handling, and remediation activities to assist remediation planning, governance, and risk treatment/management with an emphasis on increasing the security posture

Provide generalized as well as discrete input to develop security standards, IT plan policy, roadmaps, and project prioritization guidelines

Generate periodic reports utilizing dynamic updates from security assessment analysis, vendor and ePHI tool assessments, and third party audit report reviews, adhering to the maxim of “Accuracy, Consistency, and Alignment” for all deliverables

Promote information security as a core business process of the organization and support implementation/enforcement of 3M HIS information security programs and policies

Execute, examine, and test procedures in accordance with industry, regulatory, and corporate requirements

Build positive relationships within 3M HIS and 3M’s technology organizations to accomplish stated goals, objectives, and requirements

Create/manage Security Information Gathering questionnaires for external clients and RFP responses.

RSA CANADA Toronto, Canada Area

Director Information Technology Audit & Head of IT Audit Canada July 2015 – May 2017

Developed IT Audit Plans to provide insights that matter considering risks within the appetite established

Reported control deficiencies and obtained remediation plans from stakeholders for GDPR, PIPEDA and other continuous assessment audits

Advanced the audit approach to consider fraud in individual audits

Increased the level and quality of audit coverage within the annual controllable expense budget

Applied appropriate capabilities to audits, working with co-sourced service providers with specialized expertise in transformational change, on a cost-effective basis

Provided early warnings to the Canadian Executive Team to prevent deterioration of the Governance, Risk management and Internal control environments

Monitored insurance risks/control indicators by attending key meetings to increase visibility and impact

Dealt with confidential and sensitive issues discreetly in a fair, objective, and professional manner

Implemented tracking and escalation mechanisms to monitor actions arising from Internal/External Audits

Monitored post-Audit activity to ensure follow-up actions are completed to mitigate relevant risks

Delivered reports to Canadian Executives, Group Internal Audit function, Group & Local Audit Committees, and external audit

Drove long-term profitable growth through minimization of losses arising from unmitigated risks and ineffective controls

Provided timely, relevant & insightful feedback to stakeholders on governance, risk and control environment

Managed performance, career development, and succession plans of direct reports consisting of Technical Audit Managers and Audit Leaders

Worked collaboratively with risk Management function and other assurance providers to leverage knowledge and results

Performed Thematic Reviews across the Group through coordination of audit approach, scope and schedules

Maintained relationships with external auditors through periodic discussions and provision of audit and advisory reports

TORSTAR CORPORATION Toronto, Canada

Manager (Corporate) - IT Internal Audit & PCI Internal Security Assessor March 2009 – July 2015

Reviewed Security & Controls of enterprise-wide technology projects such as Enterprise Monitoring, Enterprise Back up, Unified Threat Management, Payment Card Industry project

Planned, organized, and conducted operational & compliance audits (PCI security/Bill C 198) for print, digital media, and book publishing companies

Demonstrated critical thinking and performed analytical procedures to determine potential problem areas

Presented the effectiveness of IT control environment to executive management and the audit committee

Defined scope of the audit and expanded/decreased audit tests based on audit findings

Developed IT audit plans considering risks/exposure coverage to protect information assets

Ensured compliance with established policies, procedures, and federal/state regulations

Appraised effectiveness of internal controls (Canada and Overseas) implemented to safeguard assets, adherence to sound business practices and company policy

Appraised application of policies/procedures in project Management and technology risk assessments

Prepared clear, concise, and objective audit reports with findings and recommendations

Assisted public accounting firms and Independent Review Organizations in performing their audits

AVIVA CANADA Toronto, Canada

Manager, Compliance - Operations and Technology Department October 2007 – March 2009

ERNST & YOUNG, Toronto, Canada

Manager Technology and Security Risk Services July 2005 – July 2007

INTERBLOCKS LIMITED Colombo, Sri Lanka

Business Consultant November 2004 – February 2005

ERNST & YOUNG Sri Lanka

Manager Technology and Security Risk Services July 2000 – September 2004

KINGSLAKE ENGINEERING SYSTEMS PVT. LTD Colombo, Sri Lanka

Manager Information Systems July 1999 – July 2000

COCA-COLA BEVERAGES Ltd. Sri Lanka

Executive – Administration 1998 – 1999 - Special Project – ERP Implementation project member

TAJ LANKA HOTELS LIMITED

Executive - Finance and Administration April 1993 – September 1996 - Special Project - Project Subject Matter Expert for the computerization of the back-office operations of the finance department

EDUCATION

University of Moratuwa - Master of Business Administration, Management of Technology 2001 – 2003

British Computer Society, U.K. - Chartered Information Practitioner, Information Technology 1998 – 2000

University of Colombo Post Graduate Diploma in Computer Technology, Computer Technology 1996 – 1998

Murdoch University Bachelor of Commerce (B.Com.), Commerce and Public Administration 1989 – 1992

Other Training Institutions 1983 – 1987

CERTIFICATIONS

Certified Information Systems Auditor® (CISA) - Issuing authority ISACA - Issued Mar 2008

ISO 27001 Lead Auditor - Information Security Certification Issuing authority

Certified CSF Professional (HITRUST) - Issuing authority HITRUST, Credential Identifier 57315

Chartered Engineer, CEng. - Issuing authority Engineering Council, United Kingdom

BRITISH STANDARDS INSTITUTION - MBCS CITP - Issuing authority British Computer

PCI Professional PCIP Issuing authority PCI Security Standards Council

Health Care Information Security and Privacy Practitioner (HCISPP) ISC2
