
Third Party Risk

Location:
Owings Mills, MD
Posted:
September 20, 2023


Resume:

OLUSEYE DARE

Tel: 443-***-**** adztnb@r.postjobfree.com Washington DC, USA

THIRD-PARTY RISK MANAGEMENT / SECURITY CONTROL ASSESSOR

PROFILE SUMMARY

An Information Security Analyst / Risk Management professional with years of experience specializing in third-party risk management, vulnerability assessment and compliance. Adept in the NIST 800 series, the Risk Management Framework (RMF), the Systems Development Life Cycle (SDLC), third-party risk assessment and IT audit, with related skills in reviewing SOC reports, ISO 27001, PCI DSS, COBIT and Sarbanes-Oxley (SOX) frameworks, and tools such as RSA Archer and OneTrust. Experienced with HIPAA and HITRUST, with a strong history of supporting third-party risk programs across enterprise organizations. In-depth knowledge of how to mitigate potential security threats.

SKILLS

Risk Assessment Tools

(Archer, OneTrust, Jira, SecurityScorecard)

Risk Management Principles

Domain Knowledge

Data Analysis Tools

Industry Regulations and Standards

Network defense

Managing security breaches

Encryption

FedRAMP

NIST Compliance

FISMA

Protecting networks

Data Loss Prevention

Incident Response

Authentication services

Endpoint Defense

Risk mitigation

VPN / IPsec

SIEM Tools

Identity and Access Management

Vulnerability Assessment

Customer satisfaction

Databases

Contingency

PIA/PTA, SSP, CP, SIA, FIPS 199

Disaster recovery

Documentation

Firewalls

Gateway

PROFESSIONAL EXPERIENCE

TRUIST BANK Sept. 2020 – Present

SECURITY CONTROL / THIRD-PARTY RISK ASSESSOR

Conducts information security assessments of suppliers (third-party vendors and cloud services), including advising management on how to mitigate any identified risks.

Assessing and evaluating the technical controls in place to protect the organization's data and assets. This may include reviewing network security, access controls, encryption, and other technical measures designed to prevent unauthorized access or data breaches.

Conducting comprehensive risk assessments to identify vulnerabilities and threats.

Analyzing security controls and recommending risk mitigation strategies.

Implementing risk management frameworks, such as NIST, ISO 27001, or COBIT.

Arrange and conduct interviews with process owners, control operators, and other subject matter specialists to develop a robust understanding of the procedures, inherent risks, and mitigating internal controls.

Performs third party compliance risk tracking, trending, analysis, and executive reporting.

Responsible for information security preparedness, policies and practices, and for identifying and mitigating information security risks; conducts vulnerability testing and risk analyses to assess security and performs internal and external security audits.

Developed SSPs, SARs, and POA&Ms which were presented to the Designated Approving Authorities (DAAs) to obtain the Authority to Operate (ATO).

Conducted security self-assessments on major applications, updated POA&Ms with findings, and monitored for remediation deadlines.

Provided weekly status reports on ongoing tasks and deliverables.

Performed risk assessments to identify the risk level associated with findings.

Reviewed artifacts regarding POA&Ms created by ISSO before closing.

Conducted risk assessments and developed risk mitigation strategies to protect critical assets.

Collaborated with business units to ensure compliance with security policies and standards.

Assisted in the design and implementation of security controls and frameworks.

Led vulnerability assessments and penetration testing to identify system weaknesses.

Provided recommendations to improve security posture based on assessment findings.

Monitored and analyzed security logs and alerts from various security tools.

Assisted in security incident response activities and performed root cause analysis.

Participated in the development and delivery of security awareness training programs.

Assists in building third-party risk metrics for various Risk Committees.

Conducts assessments and provides recommendations to the organization on how to mitigate the identified risks. Also assists in the development of security policies and procedures to ensure that the organization's security requirements are met by its vendors.

Reviews sensitive and confidential information appropriately for both internal and external partners.

Conducts risk assessments and vulnerability scanning.

Analyzes security incidents to identify the cause and to update incident response and disaster recovery plans.

Creates procedures for IT employees and trains them in security awareness.

Reports large or repetitive vendor risk events impacting the Division to assess the bank's exposure.

Consults with Risk and Compliance Business Partners and the Third-Party Oversight Second Line of Defense.

Review internal and external questionnaires and supporting evidence that risks identified are mitigated through proper controls. Generate observations for control gaps and remediation.

Identifies opportunities to improve risk posture, developing solutions for remediating or mitigating risks and assessing the residual risk.

Mitigates third-party risks in areas such as information risk, technology risk and fourth-party risk.

AMERICAN EXPRESS Sept. 2017 – August 2020

THIRD PARTY RISK ASSESSOR

Partner with internal and external stakeholders to perform due diligence reviews of third-party providers to determine their compliance with the Bank’s third-party requirements.

Uncover risks and document controls in line with our risk appetite.

Provided recommendations, based on the results of the risk assessment, for improving the security posture of the third-party vendor or partner. This may include suggesting specific controls or policies to implement or recommending changes to existing security measures.

Document findings and recommend risk mitigation plans for risks and controls.

Promotes vendor risk awareness throughout the Business Unit.

Manage timely completion of information requests for third party products/services.

Lead or contribute to strategic projects to enhance the overall effectiveness of the program.

Provide oversight and reporting of third parties by utilizing data and facts during the scorecarding process to satisfy regulatory requirements.

Consult with Risk and Compliance Business Partners and the Third-Party Oversight Second Line of Defense.

Review internal and external questionnaires and supporting evidence that risks identified are mitigated through proper controls. Generate observations for control gaps and remediation.

Utilize vendor management system to document risk ratings on all vendors.

Assessing and evaluating the technical controls in place to protect the organization's data and assets. This includes assessing the security of the vendor's network, applications, and infrastructure, as well as evaluating their access control and encryption mechanisms.

Assess inherent risk for vendors, thinking analytically and critically to adjust risk assessment ratings as warranted by vendor specifics.

Further develop, augment and operate the firm’s third-party risk management program.

Update and maintain full inventory of third parties, data elements shared, and nature of connectivity/information sharing mechanism.

Facilitate questionnaire or desktop assessments of third parties upon initial onboarding and during periodic reviews.

Actively manage all assessment deadlines by coordinating execution with both external third parties and internal business partners.

Coordinate the creation of Third-Party Risk metrics to include but not limited to aging issues, closed issues, average time of resolution, and number of vendor risk acceptances.

Coordinate with external vendors to enhance and operate the third-party risk management program.

Respond to assessment and audit requests from clients.

Coordinate and manage internal and external assessment requests.

Review information security requirements for both new and existing contractual agreements with outside parties.

Review contractual agreements with new, current, and prospective clients.

Update and review information security policies and procedures.

Review and enhance Technology and Security systems, processes, and tools to identify, track, and reduce risk within the firm.

Prepare reports and document processes.

ERNST & YOUNG January 2015 – August 2017

IT AUDITOR

Plan and define audit project scope, objectives, identify significant risk areas and develop appropriate audit plan based on results of risk assessment, leveraging frameworks and standards such as COBIT, NIST Cybersecurity Framework and ISO 27001.

Identify ways to complete the audit scope more efficiently and innovatively.

Perform walkthrough procedures and detailed testing of IT General Controls (ITGCs) related to logical access, change management and computer operations to determine their operating effectiveness and make recommendations where controls are determined to be insufficient.

Prepare comprehensive, well-written, audit work papers documenting the test steps performed and accompanying evidence, audit results and recommendations.

Review client’s business continuity plan (BCP) and disaster recovery testing results to ascertain the suitability and appropriateness of the BCP in resuming business operations in the event of a disaster.

Performs compliance testing related to Sarbanes-Oxley (SOX 404) by assessing IT controls such as change management, access controls, data backup and recovery, and vendor risk management.

Provides technical support for systems managed by security team, such as antimalware, encryption, etc.

Evaluates compliance of IT policies and manages policy exceptions.

Prepared for assessments, conducted assessments, communicated assessment results and maintained the assessments; engaged effectively throughout the assessment process.

Validated selected security controls in the SSP that were documented using NIST SP 800-18 and NIST SP 800-53 Rev. 5 as a guide.

Used the implementation section of the System Security Plan (SSP) to address how each control is implemented (frequency of performing the control, control type and status).

Created the Security Assessment Plan (SAP) to document assessment schedules, control families to be assessed, control tools and personnel, the client's approval for the assessment, the assessment approach and scope, and the Rules of Engagement (if vulnerability scanning is involved).

The Rules of Engagement are sent to the various parties (ISSO/Analyst) for signatures.

Reviews security configurations of key systems to verify that they are properly implemented, monitored and reported.

Provides support in security management, architecture, and documentation.

Executes security related projects; prepares project plans and documents progress toward completion.

Conduct client’s third-party vendor due diligence by reviewing service provider’s Service Organization Control (SOC) 1 and 2 reports and validating the appropriateness of internal control design and operating effectiveness.

Effectively communicates audit issues and related recommendations in both technical and non-technical terms to senior auditors and/or IT audit management and propose sound recommendations for remediating audit findings.

Manage the follow-up activities for remediation of issues identified and communicated to management to ensure timely resolution and risk mitigation.

Develops and maintains effective business relationships and partnerships with audit clients to ensure mutual understanding of audit scope, procedures, reporting progress, and advise on internal control matters.

EDUCATION

University of Ibadan, Nigeria. B.Sc.

Sheffield Hallam University United Kingdom. GDP

PROFESSIONAL CERTIFICATION

CISA

CRISC

Security+ (CompTIA)
