
Risk Management Third-Party

Location:
Lanham, MD
Salary:
114000
Posted:
March 16, 2025


Resume:

Jonas Njinkeng

**************@*******.***

202-***-****

Professional Summary

An accomplished and motivated Audit Analyst with 8+ years’ experience in audit planning, execution, and reporting. I have good knowledge of conducting audits for IT systems such as applications, databases, and operating systems for over 60 federal and commercial systems. I pay attention to detail and ensure that PBCs (Provided by the Client) and DRLs (Document Request List) are meticulously completed in a timely fashion. I am familiar with financial systems audits such as SOC1 Type 2 audits, Trust Services Criteria SOC2 Type 2 audits, IT General Control audits, and remediation. In-depth experience in risk assessments, compliance, and Third-Party/Vendor Risk Management. Demonstrated success in identifying and mitigating risks, and driving process improvements.

Key Expertise

Risk Management: ITGC audits, risk assessments, and Third-Party risk management.

Internal Controls: Skilled in evaluating internal controls, identifying deficiencies, and developing risk mitigation strategies.

Compliance Knowledge: Extensive knowledge of ISO 27001, NIST 800-53, SOX, HIPAA, and GDPR requirements.

Audit Proficiency: Conducted SOX and ITGC audits, SOC1 & SOC2 reviews, and control validations for financial and IT General controls.

Communication: Strong written and verbal skills with a collaborative team approach.

Technical & Professional Skills

Tools: Audit Management System (AMS), One Trust, XACTA, Microsoft Teams, ServiceNow, JIRA

Frameworks & Standards: FISMA, OMB Circular A-123, A-130, GRC, Third-Party Risk/Vendor Management, IV&V (Independent Verification and Validation), Security Control Assessment, SOC1/SOC2, SOX 404, SSAE 16, ISO 27001/27002, NIST 800-53A, FIPS 199, NIST 800-37 (RMF), 800-137 (continuous monitoring), NIST 800-60 Vol. 2

Professional Experience

Audit and Supplier Risk Analyst

United States Postal Service (USPS) May 2023 - Present

Prepare and execute annual application, database, and operating system audits for the Postal Evidencing System, document findings, develop audit reports, and follow up on remediation.

Assist with the design and implementation of management’s internal testing program for SOX ITGCs covering application, operating system, and database controls.

Perform Vendor systems audits following recognized audit guidelines and write audit risk reports.

Design, develop, implement, and improve the third-party cyber risk management strategy and practices for the United States Postal Service.

Create ITGC testing templates to validate that SOX ITGCs for applications, operating systems, and databases (ITACs, ITOCs, and ITDBs) are appropriately implemented and operating effectively.

Conduct quarterly Center for Internet Security audit assessments following industry cyber security frameworks and standards (e.g., ISO 27001, NIST CSF, NIST 800-53, NIST 800-171).

Handle competing priorities to ensure timely completion of work.

Communicate with cross-functional leadership and stakeholders on third-party risk management strategy and risks.

Work with third-party risk assessment platforms (e.g., Process Unity GRX) to implement the supply management program and identify gaps.

Add the identified risks into the risk management platform (Diligent RSAM).

Perform annual Postal Evidencing System audit and monitor remediation.

Drive remediation processes for identified risks within the Third-Party supplier relationship and Postage Evidencing System’s providers (POA&M management process).

Test controls and assist in the development and advancement of IT audit and compliance efforts pursuant to Sarbanes-Oxley (SOX).

Develop and update the vendor management and vendor assessment SOP.

Liaise with procurement to review standard contract provisions with vendors and third-party organizations.

Provide inputs for process enhancements and follow up on audit findings to ensure they are addressed by process and control owners to meet the timeline of the audit calendar.

Federal Aviation Authority Sep. 2021 – 12/28/2023

Governance, Risk & Compliance (GRC) Specialist

Conducted kickoff meetings with stakeholders to identify the scope and roles of engagement for initial and annual audits.

Performed core security audit testing and validation on key applications, databases, and operating systems based on OMB A-123 auditing guidelines.

Developed, reviewed, and updated ATO package (documents) such as SSP, POA&M, SAR, and executive summaries for both on-premise and cloud applications.

Collaborated with developers, security engineers, and business stakeholders to remediate core audit findings and drive remediation processes.

Performed quantitative and qualitative audit assessments and led remediation processes for identified exceptions.

Executed core audit functions, examined artifacts, interviewed stakeholders, and tested procedures in accordance with OMB A-123 auditing standards, and uploaded supporting documents in the System Artifact Libraries (Audit Management Systems) and CSAM.

Followed up Plan of Action and Milestones (POA&M) remediation processes to ensure that audit findings and milestones were remediated timely.

Obtained and reviewed vulnerability scan reports, classified results in order of severity, and prioritized remediation based on the criticality of the vulnerabilities.

Maintained the risk register, added new risks, reviewed existing risks, and followed remediation processes with process owners.

Ensured security policies adhered to the organization’s framework and standards and met the security requirements for the system.

Provided security expertise and guidance in support of security audits, and supported system assessment and authorization (C&A) activities according to the A&A project plan.

Communicated effectively with management and provided weekly and monthly status reports on the systems I supported.

Gridiron IT Solutions

(Department of Homeland Security) Sep 2020 – Aug 2021

Audit Analyst & Risk Management

Conducted opening conference meetings with different teams and stakeholders at the beginning of the audit cycle and presented the audit plan.

Interacted with the internal audit unit to obtain and review audit requests in preparation for an external audit, engaged various process owners, and obtained artifacts and deliverables needed for audit readiness.

Managed the ITGC/SOX audit cycles, and facilitated meetings and document submission.

Conducted A-123 audits on Cloud-based systems, identified control exceptions, and documented results.

Recommended remediation for deficiencies and audit exceptions discovered during the Management testing phase of the audit and uploaded all PBCs and DRLs into the relevant audit folders.

Tracked incident remediation and validated elevated access controls in systems and applications.

Tested and validated controls to ensure proper segregation of duties within the development and production teams.

Verified incident tickets and tracked remediation of the incidents and obtained approvals.

Performed audits of SOX and ITGC controls and produced security documentation detailing the various exceptions found.

Monitored system performance through batch job and CPU bandwidth consumption reports.

Interacted with the audit team and ISSOs, distinguishing security-related artifacts from system-related artifacts.

Reviewed and updated process SOPs and general policies and procedures relevant to Audit assessments.

Verified and closed out MAPs and Milestones that were documented during the various phases of the audit assessments.

Performed assurance testing to validate the control effectiveness of the various systems hosting company data.

Conducted audit closure meetings with various stakeholders at the end of the audit cycle and presented the final audit report.

TATA Consultancy Services 02/19 – August 2020

Third-Party Risk Analyst (SME)

Developed comprehensive third-party risk management programs, including SOPs, vendor risk assessments, and security documentation.

Managed the vendor selection process and evaluated performance metrics.

Evaluated external audit attestations (SOC1 Type 2, SOC2 Type 2, and ISO 27001 certifications) and created audit reports based on findings.

Conducted segregation of duties and privileged access monitoring within Workday security groups.

Led remote and onsite third-party risk assessments, and updated the assessment matrix and risk register.

Drafted and presented risk assessment documentation, categorized risk findings, and proposed remediation.

Performed the pre-vendor selection process to identify High, Medium, and Low-risk vendors.

Scheduled meetings with system owners to discuss constraints and arrive at a consensus.

Interfaced with procurement to obtain vendor contracts and align various contractual clauses with the organization’s requirements.

Recommended remediation for risks identified during assessments, giving priority to High and Moderate risks.

Evaluated complementary entity controls and aligned them with the organization’s internal controls.

Scheduled closing conferences for the review of vendor assessments with senior management and business stakeholders.

Zions Bank Corporation. 05/18 – 01/19

InfoSec – Third-Party Risk Analyst

Supported GLBA (Gramm-Leach-Bliley Act) risk assessment framework and classified risk based on findings.

Co-chaired assessment meetings, aligned GRC compliance, and authored risk memos.

Customized vendor risk assessment questionnaires and led peer reviews and validation.

Aligned the GRC compliance model to risk assessments and implemented change control procedures.

Collaborated with both internal and external stakeholders, the risk assurance team, compliance, and audit, together with system owners, to develop a treatment plan for the effective management of risk.

Monitored the execution of risk treatment and evaluated its effectiveness.

Performed vendor assessments to determine inherent risk from risks within the vendor environment.

T&N Reliable Nursing 01/14 – 04/18

Information Security Control Analyst

Conducted kick-off meetings with stakeholders, control owners, ISSO, admins, and the assessment team members prior to Assessment engagements to gather evidence and deliverables about the control environment and vulnerabilities discovered.

Performed audits on system applications, operating systems, and database controls.

Assisted the ISSO and System Owner in developing, gathering, and reviewing the authorization package (SSP, SAR, POAM).

Documented assessment results and developed the resultant SCA documentation, including, but not limited to, the Security Assessment Report (SAR).

Participated in the audit process to compile the audit responses and track audit findings.

Used the e-learning tool to track employees’ compliance with the online training modules.

Performed simulation tests during IT contingency planning tests to evaluate users’ and employees’ understanding.

Updated Security policies and standards based on the Security framework and knowledge acquisition processes.

Tested and validated security controls relevant to NIST Controls and ISO controls.

Contributed to the implementation of new systems by putting together the ATO package, and updated the various artifacts for the re-authorization process.

Education

MS, Information Assurance and Cybersecurity: Grand Canyon University, May 2024

BS, Economics: Grand Canyon University, 2005

Certifications

CISA, CASP, Security+

Security Clearance:

Public Trust
