
Information Security Risk Management

Location:
Washington, DC
Posted:
January 15, 2025

Resume:

KOJO KYEI BADU

*********@*****.***

202-***-****

Objective

Information Security Professional with over 9 years of experience in IT risk management, vulnerability assessment/management, third-party/vendor risk, governance, National Institute of Standards & Technology (NIST), Federal Information Security Management Act (FISMA), SOX, ISO, PCI, SOC, testing of information technology controls, and developing security policies, procedures and guidelines. Experience working with stakeholders, including business units and assessors, to ensure a secure risk posture through effective control implementation and gap analysis for on-time remediation.

Education

•University of Maryland, University College - Master of Science in Information Technology.

•University of Ghana - Bachelor of Arts in Political Science and Psychology.

Certifications

•CompTIA Security+

•Certified Information Systems Security Professional (CISSP)

Summary of Qualifications

•Risk Management Framework

•Third Party Risk Management

•Risk Management & Issues Management

•Information Assurance

•IT Governance

•SOX 404

•ISO 27001:2013

•Effective interpersonal and verbal/written communication skills.

Experience

MAXIMUS ATTAIN OCTOBER 2021 - PRESENT

Senior GRC Analyst

•Collaborate across the organization on documenting, monitoring and managing Information Security controls

•Review and update information security policies, procedures, standards, and other information security-related documentation according to the framework adopted by the organization (ISO 27001:2013, CIS Top 20, NIST CSF or PCI)

•Drive communications between the business and other stakeholders to promote security practices and provide guidance in matters pertaining to data security.

•Facilitate external audits such as, but not limited to, PCI, SOX and SOC 2 Type 2, and manage the evidence request and collection process from auditors to control owners

•Communicate and document all audit findings to appropriate owners and assist with risk remediation efforts until they are complete and closed out

•Perform audit readiness for teams before major audits (ISO, PCI, SOC, etc.), such as control reviews and updates, proper control owners, and updated processes, documentation and diagrams.

•Familiar with GRC tools such as RSA Archer and ServiceNow

VARIQ INC MAY 2018 - OCTOBER 2021

Information Assurance Specialist

Led tasks supporting the CISO Office for the Variq Inc Information Assurance Program, including overseeing the quality of deliverables and planning, organizing, and coordinating the execution of project activities such as Security Assessment and Authorization (SA&A).

Developed and presented the monthly Program Management Review (PMR) report depicting project performance health to the executive team and directors.

Provided subject matter expertise to agency stakeholders on cybersecurity initiatives and overall IT governance, risk and compliance.

Developed dashboards and improved metrics that quantify agency IT security posture to be used in management decisions and strategy by agency CIO, CISO and Directors.

Developed research documents to apprise system stakeholders of requirements, new technology, publications and legislation affecting the agency’s IT information systems.

Supported FISMA audit by coordinating activities and liaising between agency and OIG auditors.

Led ongoing remediation and risk determination activities to validate security controls and assess the security posture of systems.

Developed IA policies and other related documentation necessary for compliance with federal regulations and NIST guidelines.

Performed continuous monitoring to help identify and remediate risk gaps in the IA program through activities such as Security Control Assessments, assisting with SSP updates, and Security Impact Analysis of proposed system changes.

Developed and tracked POA&Ms for all systems from OIG assessments, independent annual assessments and continuous monitoring activities.

CONDUENT JUNE 2011 - MAY 2018

Vendor Risk Analyst

•Responsible for performing information security and compliance assessments of systems, processes and technology for initiatives such as SOX audits, SOC 2 certification audits and PCI audits

•Identified improvement opportunities and control enhancements and developed meaningful reporting metrics for senior levels of management.

•Reviewed third-party vendors for information security, compliance, and data protection measures

•Performed risk and control assessments for all high-risk third-party service providers to evaluate effectiveness of control systems.

•Engaged with service providers to obtain due diligence reports and evidence of control operation

•Ensured third-party adherence to contractual and regulatory compliance to minimize the risk of fines and reputational harm.

•Collaborated across the organization on documenting, monitoring and managing Information Security controls

•Coordinated review of existing risks, along with treatment plans, to ensure they were being managed in accordance with client policies and standards

•Reviewed and updated information security policies, procedures, standards, and other information security-related documentation.

REFERENCES AVAILABLE UPON REQUEST