
Financial Services It Security

Location:
Rockville Centre, NY
Posted:
September 01, 2023


Resume:

Gerald Asche

** ***** ******

Malverne, New York 11565-1637

516-***-****

adzed3@r.postjobfree.com

IT AUDITOR / COMPLIANCE & RISK ANALYSIS CONSULTANT

I am an IT Audit and Compliance consultant with considerable knowledge of NIST, SOX, PCI, PII and NYDFS regulations. I also have a technical background, including administration of Microsoft and Cisco products. I am patient, diligent and professional, with strong, diversified business experience, and I can understand technical concepts and describe them in plain English.

Recent accomplishments:

Developed interview questions for potential corporate vendors based on NIST, SOX and ISO regulations to be designed into an Archer vendor management tool.

Ensured the questions were properly programmed and presented in the Archer tool.

Edited and improved IT policies to ensure ongoing NIST, SOX and PCI compliance.

Managed projects to certify compliance with federal, state and industry IT regulations.

Performed compliance and IT audits including analysis of networking, operating systems and ERP software (e.g., Windows, Cisco Routers, Linux, UNIX, SAP, Oracle and SQL server).

Reviewed production server, application and database logs to ensure all technical changes were properly authorized and documented for SOX compliance.

Investigated and discussed potential irregular changes with technical support teams to verify legitimacy.

Summarized all findings in insightful reports and presented them to senior management.

Used both Service Now and RSA Archer extensively to report IT audit and compliance issues.

Provided junior analysts with instructions on how to effectively use these online tools.

Used MS Office 365, Google Drive and Google Apps.

IT AUDIT and COMPLIANCE EXPERIENCE

Consultant for Abbott Laboratories (Medical Pharma Manufacturer) and Electronic Arts (EA – video game company) on behalf of Wipro Information Technology. August 2021 – May 2023.

Vendor management advisor:

Wrote and edited vendor management questions based on generally accepted IT regulations.

Tested an in-house Archer vendor management tool.

IT compliance policies GRC Program Manager:

Coordinated, edited, and managed revisions to corporate IT GRC policies.

Reorganized several disparate guideline documents into a single Network Security policy.

Directed revisions made to the company Data Classification summary.

The Finlay Group, on site at Bridgehampton National Bank (BNB, now Dime Bank) in Hauppauge, NY, October 2020 – December 2020.

I identified and reviewed the access rights of more than 500 users to 150+ financial banking applications. The project was performed in preparation for a major banking merger. Gained knowledge of the inherent user access controls in major banking applications:

Fiserv Navigator premier banking ERP.

Fiserv Director banking document management.

Fiserv Integrated Teller customer accounts management.

Fiserv Wire Exchange.

Prologue and Blackline accounting systems.

Axiom financial analysis and reporting.

UltiPro HR system.

ACI real estate appraisal software.

Tata Consultancy Services (TCS), supporting Equitable Holdings (financial services) in Syracuse, NY, August 2019 – June 2020.

Primarily responsible for ensuring IT control compliance with the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500).

Consulted with senior management to identify and verify IT controls required by NYDFS.

Performed reviews of Microsoft Azure backup procedures.

Verified test and production environments were nearly equivalent to support thorough pen testing.

Prepared reports of all projects for the CIO/CISO.

HCL IT Technologies, supporting Estee Lauder Companies (ELC) in New York, NY, June 2016 – June 2019.

Responsible for reviewing daily change management logs of all IT servers, applications and databases in scope for SOX.

Reviewed online IBM QRadar and McAfee FIM Security Information and Event Management (SIEM) reports.

Obtained and reviewed change logs of legacy servers, mainframes and databases not supported by SIEM tools.

Ensured all technical changes to in-scope devices were properly authorized and documented.

Investigated and discussed potential irregular changes with technical support teams to verify legitimacy.

Summarized all findings in insightful reports and presented them to senior ELC management.

Instructed junior analysts on how to perform log reviews.

North Carolina Department of Transportation (DOT) in Raleigh, NC, August 2014 – September 2015.

DOT is the state agency managing all licensed drivers, motor vehicles, highways and public transportation in North Carolina.

Reviewed online IBM Security QRadar Security Information and Event Management (SIEM) reports.

Managed implementation of IBM Guardium security encryption and access reporting tool for DB2-based confidential data.

Defined security requirements for new internet-facing applications and interactive voice response (IVR) software.

Made security-based decisions for new development and security technologies, including open-source IDM software and use of the "POST" request method over HTTPS to upload a file from a browser application.

Researched and published best-practices and server hardening guides for SharePoint, BizTalk, SSIS, DQS and MDS.

Defined controls for PCI, PII, DPPA and state regulatory compliance.

Revised the NC DOT memorandum of agreement (MOA) for security of data shared with third party organizations.

Served as the IT security SME for RFP bid evaluations from prospective application and website development vendors.

Experis Finance, March 2014 – August 2014.

Conducted IT SOX audits for clients in Plainview, NY, East Rutherford, NJ and Karlskoga, Sweden.

Genesis 10 Partners, Inc., January 2013 – January 2014.

IT Vendor Risk Assessor Consultant for Bank of America in Charlotte, NC, the worldwide banking and financial corporation.

Performed IT security control review assessments of the Bank’s contracted vendors based on generally accepted IT control standards including PCI.

Prepared reports of the results for senior management.

Assisted in providing direction and defining requirements to use RSA Archer for the Bank’s vendor security assessment and management program using the following Archer modules:

Policy management - Published established IT security policies as they pertained to vendors and developed IT security questionnaires for vendor assessments.

Risk management - Procedures for field auditors to record potential risks regarding noncompliance issues of vendors when necessary for subsequent mitigation.

Compliance management - The vendor efforts to mitigate documented risks related to vendors’ non-compliance with bank policies were recorded here.

Vendor Management - I had to ensure all data related to vendors' assessments were maintained here. In addition, I had to annotate vendor information (e.g., new applications in support of the bank, new vendor contacts, etc.) here to inform the bank's vendor management department, known as the LOB (line of business).

Conveyed the results of the penetration tests and vulnerability assessments as business level risks to business unit owners and advised how to mitigate them.

Ensured periodic disaster recovery (DR) tests were performed.

Revised and maintained all risk analysis and DR documentation.

Assisted internal auditors with testing of SAP ERP and AIX server controls.

Data Based Development Systems, Inc., March 2011 – March 2012.

IT Compliance and Security Consultant for Hamilton Sundstrand, then a division of United Technologies, Inc. (now Rockwell) in Windsor Locks, CT, manufacturer of aerospace and electronic components with locations worldwide.

Developed procedures to use the new corporate-wide audit risk management database (an RSA Archer-type system) known as E-SOX.

Converted all the business unit’s IT control documentation (policies and procedures; outstanding audit issues, etc.) from MS Office documents, PDFs and hard copies into E-SOX.

Reviewed, authorized and rejected variance requests to established IT security controls.

Published companywide IT Security and Compliance policies and procedures.

Managed periodic testing of IT controls governing JDE ERP and engineering applications.

Mickneel Inc. - IT Audit Consultant for United Water, a holding company based in Harrington Park, NJ, of several water utilities nationwide.

Performed IT Audit of PeopleSoft and Utility Billing Systems (UBS) applications.

General controls audit of PeopleSoft ERP and Windows infrastructure.

Accume Partners / Leblanc-Associates - Senior IT SOX Consultant for United Components Incorporated (UCI), an entity of the Carlyle Group based in Evansville, IN; Maurices, a subsidiary of Dress Barn in Duluth, MN; Mortgage IT, a division of Deutsche Bank in New York, NY; and The Kookmin Bank in New York, NY.

Performed SOX 404 AS400, Oracle and JDE general control audits at all UCI business units and authored IT SOX documentation for all business units.

GR Consulting - Senior IT SOX Consultant for Imperial Chemical (ICI) Paints in Cleveland, OH.

Performed SOX 404 AS400 general control audits and reviews of SAP and BPCS in Shanghai, China and Delhi, India, and developed IT SOX documentation for all clients.