
Risk Management Quality Assurance

Location:
Grand Prairie, TX
Posted:
January 15, 2025


Resume:

Nathan D Mello, MBA, CISA, CRISC

https://www.linkedin.com/in/nathan-dmello-1b12b92b/

469-***-****, *************@*****.***

Grand Prairie, TX

Summary:

Professional with 15+ years of experience in compliance, risk management, and Sarbanes-Oxley (SOX).

Professional with progressive experience and an excellent ability to aid in the development of effective security controls, policies, procedures, and business/technical infrastructure and enterprise architecture; risk and control assessment; and managing and monitoring regulatory compliance.

Worked as a payment processing analyst; performed quality assurance and third-party risk assessments.

Helped to build and refine the IT risk management program and provide business mitigations.

Performed internal control assessments under NIST 800-53 / CSF risk management. Assessed the control environment and developed a roadmap and initiatives for implementation of technological projects into the current or existing architecture. Security risk assessment of cloud providers using the Risk Management Framework (RMF) and NIST 800, CSF, ISO 27000 series, -3, ISAM/ISRM, COSO/COBIT 5, SSAE 16/18 SOC 2 Type I & II, ISO 27001/27002, ISO 9001, HIPAA, HITRUST CSF, ITIL, GLBA/SEC, CFTC, AS9100, FAR/DFAR, DCAA, ITAR/EAR, IP (intellectual property protection), PCI DSS.

Developed and updated change control and change management policy and procedures to include a CCB/CAB for all significant changes, and ensured approval by the change advisory/control board.

Reviewed third-party penetration test results and ensured resolution of items flagged in test results generated from CyberArk, CrowdStrike, etc.

Skills:

Software (proficient user) – MS Excel, MS PowerPoint, MS Outlook, MS Word, MS Visio

Technologies reviewed – SAP, Oracle EBS, MS SQL Server, Oracle, AS/400, Windows Server, Linux, Unix, IBM OpenPages, Suralink, CyberArk, CrowdStrike, Nexus, Palo Alto Networks, SQL – using VB scripts for data mining.

Operating Systems & Applications – MVS, VMS, MS Windows 10, MS Office (Excel, Word, PowerPoint, Outlook), Zoom, MS Teams, SharePoint, ServiceNow, Jira (ticketing), ERP & GRC – Archer, SAP ECC, SAP GTS, SAP CRM, RSA Archer, Aveksa, ENOVIA, CATIA V4/V6, .NET/VISTA, IBM OpenPages.

Good working knowledge and understanding of programming languages and tools such as SAS (data analytics), COBOL, JCL, C, C#, C++, MongoDB, Teradata, SVN, Bit, Git, Jenkins, DB2, VB, Java, Jira, ServiceNow, Hyperion, Kronos, RSA Archer/Aveksa, and the SAP FICO module, including hands-on configuration and two full life-cycle project experiences. PCI DSS, network segmentation controls.

DNS, cyber security, cloud architecture, TCP/IP, SOC 2 Type I & Type II, data encryption (HTTP/SSL/TLS), Data Loss Prevention (DLP), data breach incident response plan, etc.

Training and Certification:

SOX Specialist Certification – Tulane University School of Law, 2007

Certified Information Systems Auditor (CISA), 2007; CRISC.

Green Belt Certification – Business Process Improvement: FMEA, fishbone analysis (Six Sigma), TQM, ISO 9001 – QFD Institute, 2011

Education:

MBA – Business Administration & Strategic Leadership, Amberton University, Dallas, Texas, 2008

B.Sc. Accounting/Computer Science, Langston University, Langston, Oklahoma

Work Experience:

NSD – IT Risk & Compliance LLC, December 2022 – Present

Dallas, Texas

Senior IT Auditor – Compliance & Audits

Acted as SOC/SOX liaison to external auditors (Deloitte & PwC), including audits and review and testing of in-scope controls; gained an understanding of SOC reports and the associated applications/infrastructure in scope. Managed issues and worked with client stakeholders to determine root cause, recommended action plans to address issues (near-term/long-term solutions), drafted management responses, and advised the client and key stakeholders on next steps. Reviewed the tested ITGC controls, including test evidence, and ensured they met control requirements and completeness.

Provided guidelines and feedback to junior auditors and ensured corrective steps were incorporated in the control framework and aligned with the test evidence where needed.

Performed testing of SOX 404 / ITGC / application controls (SAP/Oracle/JDE), including design and operating effectiveness, prior to the issuance of SOC 1 & SOC 2 reports. Ensured compliance with ISO 27001 & 27002, NIST 800-53, HITRUST CSF, SSAE 18 / SOC 1 & 2. Reviewed bridge letters and new enhancements introduced that were not material enough to cause system reporting issues.

Bank of America, Feb 2022 – Oct 2022

Vendor Payment Processing – QA/QC – IT Application Security / NSD IT Risk & Compliance (Contractor)

Performed QA review of controls within the Global Payment System that received a severity of "2" from an audit-identified issue.

Verified and validated that the evidence provided to support the control requirement lacked full adherence to the control.

Data privacy (cross-border) – compliance with GDPR and applicable laws, ISO 27001, SOC 1, SOC 2, PCI DSS, SOX, HIPAA, COBIT/CSF/COSO. Third-party risk assessments (NIST 800-53, 800-30, 800-37), including penetration test results, vulnerabilities, and PaaS/SaaS (platform/software as a service, cloud-based, as described in the SOC 2 Type 2 report of the service, e.g. AWS, Azure).

Identified controls that lacked holistic governance and oversight from application manager(s) to complete QA requirement(s) as identified in the Global Policy.

Protiviti Inc., Oct 2021 – Jan 2022

Senior IT Application Security/ SOX Compliance Analyst (Contractor)

Worked on SOC 2 / ISO audit readiness – Client: COMMERCE HUB, UK

Reviewed, assessed, and tested ITGC/ITAC (IT general controls and IT application controls) for SOC 2 / ISO 27001 & 27002 readiness.

Developed and executed risk-based external and internal audit strategies for Sarbanes-Oxley 404 and Service Organization Controls (SOC) reporting.

Reviewed, analyzed, and validated all testing results to ensure adherence to organizational IT policies, IT controls, and regulatory SOX 404 standards.

Delivered on projects with challenging deadlines, limited resources, complex IT environments, and demanding clients.

Identified control gaps, sought remediation and process improvements, and validated evidence for ninety-seven (97) IT controls, uploaded to Suralink for external/internal auditor review.

Provided guidance to control owners in the areas of change control, access requests, terminations & new hires, and data centre access removal for terminated individuals. Reviewed and validated SOC 2 Type II reports from service providers (AWS, Azure) as part of SOC 2 readiness.

Reviewed change control tickets and ensured approved changes complied with the IT change management policy. Interacted with key stakeholders in the IT security team, Internal Audit, and Legal to mitigate risk and ensure compliance with NIST 800, COBIT, CSF, SSAE 18, SOC 1 & 2 Type 1 & 2 (AWS, Microsoft Azure, and other cloud service providers).

Managed all issues in Jira: documented issues, assigned issues, tracked resolution, escalated priority to seek timely resolution, and subsequently closed the issues in Jira.

Created 101 tickets for IT controls under review and validated evidence. Updated the Jira tickets upon successful remediation implementation.

Provided issue resolution for IT controls related to change management, cyber security, disaster recovery, and data loss prevention, and consultative support to the control owner(s) & issue owner(s) on remediation approaches, timelines, completeness, and assigning compensating controls.

Generated Jira reports for management review and effectively communicated areas of concern.

Deloitte Consulting LLP – USDA Client, New Orleans, LA, Feb 2019 – Oct 2021

IT Security Applications / Risk Assurance / Compliance – Consultant / Agency: Thompson Technologies LLC (100% remote)

Conducted a series of walkthroughs to understand the existing control environment, review existing control activities and testing procedures, and review recent audit reports.

Performed information security risk assessments of technology-enabled projects, inclusive of vendor reviews, security requirements, security testing, and management of residual risk.

Evaluated vendor controls, practices, and process enhancements; performed occasional on-site assessments; reviewed security test reports; and analyzed and developed security requirements.

Benchmarked the results of walkthroughs as well as an analysis of configuration, security roles, and profile parameters against leading SAP risk management practices, to identify risk and improvement areas.

Performed security risk assessments of cloud providers using tools, best practices, and the Risk Management Framework (RMF) in compliance with NIST 800, CSF, & ISO 27000 series.

Evaluated identified risks, ranked them according to criticality, and communicated the methodology used. Validated and mapped SOC 1 & SOC 2 complementary controls to user organization controls, identified gaps, and sought resolution.

Implemented security mitigation solutions according to security policy, practices, and best practices (NIST CSF, COBIT 5 framework(s), ITIL).

Developed and delivered a presentation of findings and recommendations to the Deputy Director and senior leadership team using an SDLC phase approach.

Performed data classification and ensured PII/PHI data were in compliance with GDPR/EU guidelines and ISO 27018, 27001/27002.

Defined secure configurations, leveraging technical knowledge and problem-solving skills in the network, database, server, and desktop technology areas, in accordance with the secure SDLC process.

PwC – Price Waterhouse LLP – Centene Healthcare, Oct 2018 – Jan 2019

Senior Associate (IT Application Security / Risk Assurance) – Contractor/Consultant

Performed user access reviews (UAR) of applications impacted by SOX and SOC 2. Conducted walkthroughs of the UAR design checklist with key stakeholders to determine whether access to applications is role-based and whether access has been authorized at the system or server level.

Performed a SOC 2 gap assessment as part of SOC 2 readiness; remediated controls and processes. Mapped user organization controls to service organization (SOC 2 Type II) controls and identified complementary controls.

Reviewed queries generated via SQL and user access listings of applications, and conducted data analytics utilizing AD user profiles for all users to determine whether access was commensurate with job title and consistent with organizational IT security policies.

Ensured changes to configuration and to the code repository were committed in accordance with change control policies and that proper reviews and approvals existed prior to migration to the production environment. SoD was maintained throughout code development by respective roles within separate environments.

Performed risk assessments of existing applications and gap analysis to close security risk exposures in the areas of vulnerability, IPS/IDS, incident & access management, change management, etc. Understood information security risks and assessed mitigation strategies to confirm alignment with risk appetite. Performed and reviewed penetration test results generated via the Qualys cloud platform to comply with internal and external policies.

Boston Consulting Group (BCG), Dallas, TX, Apr 2018 – Sep 2018

Lead Risk Analyst – Completed Assignment

VRM – Performed vendor risk management: vendor assessment, infrastructure risk assessment

Reviewed SOC 2 Type II reports of third-party service/sub-service providers, identified gaps, and sought resolution and remediation of identified gaps.

Captured vendor assessment demand and completed scoping calls with key stakeholders to understand the service details and data managed by the vendor.

Developed self-assessment questionnaires relevant to the service scope, data managed, data location, and legal/jurisdictional requirements.

Reviewed process integrity documentation, including vulnerability test and penetration testing results; reviewed controls, RACI, policies, and standards.

Performed risk assessments and documented procedures, risk mitigation, or risk remediation.

Assessed risk, documented control deficiencies and issues, and developed appropriate corrective actions.

Leveraged data analysis to identify trends and issues and drive mitigation/remediation.

Reviewed information security pre-assessment questionnaires, identified IT security risks, communicated findings, and sought timely resolution. Prepared full executive summary reports on vendors and determined whether they were compliant with BCG minimum security requirements. Reviewed and validated controls (ITGC/ITAC) and penetration test validations.

Created an IT security scorecard and benchmarked against industry standards.

Worked and interacted closely with the Architecture team, Legal, Procurement, and other key stakeholders.

Hearst Inc., Charlotte, NC, Jan 2018 – Apr 2018

IT Audit Manager – Contractor – Completed Assignment (Back-Fill)

IT General Controls – Risk Audits & Compliance/Internal Audit

Planned and performed IT audits and prepared audit reports addressing findings and recommendations; reviewed financial applications to ensure compliance over IT systems (GRC/COSO, COBIT 5, HIPAA, NIST 800, PCI DSS) from a security, disaster recovery, vulnerability & PCI compliance view, etc.

Reviewed and approved ITGC controls in IBM OpenPages. Evaluated & validated SSAE 16 & SSAE 18 / SOC 1 & 2; CSP (cloud service provider) complementary controls aligned and tested.

Identified gaps and obtained additional supporting evidence to determine control effectiveness.

Entered all Internal Audit ITGC issues in SharePoint and assigned issues for resolution/remediation to field auditors. Supervised seven (7) field auditors, provided direction, and answered questions via IBM OpenPages, the repository of ITGC controls.

Client – COPART Inc., Addison, TX, Jan 2017 – Dec 2017

IT General Controls – Risk & Compliance Audits (Consultant)

Conducted information security and business continuity assessments of vendors providing services to the client.

Performed testing of ITGC controls related to information security controls (application security, infrastructure security, access management, physical security, etc.), IT compliance, SOX 404 compliance, change management, and enterprise risk management, and ensured compliance with NIST 800-53, PCI DSS, ISO 27001, SDLC, GRC, COSO, COBIT, and ITIL standards.

Rouse Properties – Real Estate Investment Trust (REIT), Irving, TX, Jan 2014 – July 2016

Senior IT Risk Analyst – Controls, Risk, and SOX Compliance & Audits

Developed and implemented a strategic, comprehensive enterprise information security and IT risk management program to ensure the integrity, confidentiality, and availability of information owned, controlled, or processed.

Developed and assessed internal controls of processes in accordance with SOX requirements.

Performed risk assessments of potential CSPs (cloud service providers), implemented controls to mitigate risk, and ensured compliance with SOX 404, SOC 1 & 2 Type I & II, JDE/SAP, GRC, NIST 800-53, HIPAA, and applicable regulations.

Textron Inc., Bell Helicopter, Hurst, TX, March 2007 – Feb 2013

Lead IT Security & Risk Management, IT & Process Controls & Compliance

Supported the PSI (Process and Systems Integrity) team to ensure IT, engineering, and business processes were closely aligned with engineering standards (AS9100) and that application controls were implemented at the activity level to ensure systems security, auditability of processes, and compliance with federal regulations: FAR/DFAR, ITAR/EAR, FAA, SOX 404, COBIT, IP, ISO 9001, SSAE 18 / SAS 70, ISO 27001/27002, PCI DSS controls, and data privacy utilizing NIST 800-53/CSF, ITAR (government drawings and sensitive materials), and AS9100.

Monitored privacy regulations, technology trends, business process changes, and developments in the privacy field; evaluated potential business impacts; and directed implementation of applicable changes to Company privacy and data protection governance.

Developed and maintained oversight of privacy policy compliance measures and ensured adherence to company policies and procedures, regulations, and industry best practices.

Compliance lead for the BSM (Bell System Modernization) project, focused on process improvement, IT security, operational risks (FMEA), SAP/Oracle/JDE, cloud computing (SaaS/FaaS/PaaS), and hybrid cloud.

Interacted with key stakeholders from Engineering, Logistics, Finance, and ITRM, and performed gate reviews at each gate utilizing a risk-based approach.

Ernst & Young – Client: Shell Oil Products, Houston, TX, Oct 2005 – March 2007

IT Security Risk and Compliance Lead (Consultant)

SOX testing: walkthrough documentation, design effectiveness and operating effectiveness for financial systems (IGINS/FIRST), business and IT general controls, and treasury e-banking controls, plus self-assessment testing for operating effectiveness.

Worked closely with internal & external auditors in providing/seeking remediation of failed controls.

Performed remediation testing on internal controls for Sarbanes-Oxley (SOX) 404 compliance throughout Shell operations globally (The Hague, Netherlands; London, UK; and Barcelona, Spain).

JP Morgan Chase Bank – Investment, Dallas, TX (Employee), Dec 2001 – Sept 2005

Lead Treasury Analyst - Global Investments & Risk Advisory Group

Performed all aspects of risk assessment and assessed, on an ongoing basis, the material risk associated with how the business unit's activities and products were developed, launched, and processed end to end.

Conducted process walkthroughs of controls within the group, provided independent reviews concerning testing, maintained quality assurance within the control framework, and acted as the main point of contact for questions in evaluating the design and performance of control effectiveness.

Collaborated with key stakeholders and built business relationships and completed tasks within scheduled time frame.

Reviewed risk trends within existing vulnerabilities and potential threats created by newly implemented platforms.

Continuously monitored control activities to ensure no additional risks were introduced into the existing architecture.
