
Risk Management Information Security

Location:
Skokie, IL
Posted:
March 24, 2025


Resume:

Summary:

Global information technology, risk management, and audit professional with experience in identification, operation, and information risk remediation, assessment, and planning.

Well-versed in security posture and IAM architecture across a wide variety of hardware and operating systems.

Proven ability to develop, manage, and monitor complex programs with strong attention to detail, including coordination of deliverables, resources, milestones, and success metrics tied to business and project plans.

Interpersonal communication skills coupled with the ability to work with all levels of an organization are keys to success.

Experience developing audit plans encompassing IT operational, financial SOX 404, and SOC internal control activities.

Prepared and electronically filed government applications and other supporting documentation concerning tower erection.

Reviewed permits and other documents to track compliance with company policy.

Researched compliance inquiries as required, including analyzing due diligence documentation and responding to any alleged site violations.

Led the alignment of the HIPAA compliance data privacy policies with the HITRUST framework.

Privacy enablement reviews: PIAs and DPIAs for the HIPAA assessment.

Experience using NIST 800-53 to build regulatory and risk assessments.

Provided guidance and training to different internal personnel regarding cell site regulatory compliance on an ongoing basis.

I drove the optimization of incident impact assessment and response times and managed the end-to-end vulnerability management workflow.

Provide recommendations on improving the security posture of the client’s enterprise.

Scanning and identifying vulnerabilities associated with Allstate Capital One assets connected to the network.

Responsible for the infrastructure audit controls (SOC 1 & SOC 2), secure configuration management (MSB’s finding), and vulnerability management.

Experience in data asset management: acquiring, tracking, utilizing, optimizing, and leveraging data assets to create value.

Develop a business case concerning NIST framework configuration management controls after the merger.

Develop and present business cases to management to improve security posture and mitigate advanced threats effectively.

Help build/improve exception process to manage policy compliance deviation.

Identify risks, mitigate controls for the newest technical end-users, and adhere to all IT security policies and programs.

I formed an IT risk assessment request to identify risks and mitigate controls for the necessary approvals and prepared monthly risk assessment and vulnerability KRI dashboard reports for leadership.

Develop and maintain information security policies, standards, and guidelines; oversee the security policies and practices; and conduct gap analyses to increase district awareness of relevant information security practices.

Essential Skills:

Experience working with stakeholder management, customer service management, and quality management.

Versatile security manager with experience managing a security team and implementing security plans. I am knowledgeable about company requirements and behavior markers, highly observant, and incredibly skilled in risk management, incident response, application risk analysis, GRC, SIEM tools, vulnerability management, and internal and external audits.

Experience developing and implementing security policies, protocols, and procedures; controlling budgets for security operations and monitoring expenses; and recruiting and training other security analysts.

I led the Secure Configuration Management MSB Program, Vulnerability Management, Critical Risk Patching, and an IAM/PAM project to isolate the corporate network and identities.

Working knowledge of federal cyber security regulations, including NIST 800, FedRAMP, FISMA, HIPAA, ISO 27001, and others.

Drive forward the development, enhancement, deployment, communication, and governance of the SSDLC roadmap, which is aligned with a comprehensive Cybersecurity by Design strategy.

Develop and enhance a reliable, scalable, and secure set of SSDLC solutions to efficiently meet business requirements while adhering to the NIST Cyber Security framework.

Drive a continuous improvement approach to securing the SDLC program by defining and enforcing security requirements across the entire software development life cycle. This includes the underlying software delivery pipeline, ensuring security is seamlessly and effectively integrated.

Develop and operationalize strategies to continuously assess, identify, and mitigate vulnerabilities within the SSDLC ecosystem.

Soft Skills:

I have a long history in Delivery Leadership, which has required regular interaction, support, reporting, and collaboration with all resources, from development and production teams to C-level leadership. I emphasize building trust by listening closely to my colleagues, ensuring alignment, providing detailed and timely reporting, and being adaptable to ever-changing environments and requirements.

Education and Certifications:

• MBA from Northern Illinois University, 2007

• BSEE, Electrical Engineering from the University of Illinois, 1992

• Certified SAFe 5.0 Scrum Master

• Certified Information Security Auditor™ (CISA™) Certificate ID 20170222

• Certified Data Privacy Solutions Engineer™ (CDPSE™) Certificate ID 2002327

• Certified Information Security Manager (CISM) Certificate ID 2051413

• Certified Scrum Master (CSM) Certificate ID: 000772043

• PMP Certification # 1612381

Skills:

Proficiency in GRC systems administration (ServiceNow, ZenGRC, Archer, and Tenable)

Strong understanding of Information Security Governance, Risk Management, and Compliance frameworks (e.g., ISO 27001, NIST 800-53 v3, HIPAA, HITRUST, GDPR)

Excellent analytical and problem-solving skills

Effective communication and interpersonal abilities

Project management skills

Attention to detail and accuracy.

Project Management Tools: MS Project, MS Project Server, Clarity, Changepoint, Planview, SharePoint, Dashboard, Jira, Clarizen

Cyber Security Tools: GRC (ZenGRC and ServiceNow), Data Privacy (OneTrust and Nuix), Vulnerability Management (Qualys and Nessus), Risk Management (FAIR Model, RiskLens), SIEM / Incident Response (Rapid7 and Splunk), IAM (SailPoint and CyberArk), DLP (Symantec), Endpoint Encryption (McAfee).

Professional Experience:

Virginia Department of Health, August 2022 to Present

Sr. Manager GRC / IT Auditor / Risk Analyst

Participate in state-wide and other department projects/initiatives as a GRC representative/subject matter expert to provide GRC guidance and interpret rules, regulations, risks, and best practices. Create and implement policies, procedures, training, and communication of the new policies and procedures to support these projects.

Participate in the filing and creation of the GRC goals

Deployed Integrated Risk Management (IRM) & Asset Management ServiceNow modules. Led the deployment of IRM and Asset Management modules (SAM and HAM) from start to finish.

Devised a strategic information security risk management plan to meet regulatory requirements and audit recommendations.

Build out the NIST 800-53 framework for data classification (Sensitive, High, Medium, and Low).

Reviewed SEC 530 (Information Security Standard for VDH); I reviewed the security policies and updated them as required by VDH and VITA.

Conduct and document security risk assessments and report to the ISO and CISO.

Develop a user-friendly form in ServiceNow to capture hardware asset details during asset requests.

Configure workflows and approvals to streamline the asset request and procurement process.

Strong understanding of various compliance and regulatory areas (e.g., SOX, PCI, FFIEC) and of the risk register, risk exposure, risk reporting, and handling of risk events.

Part of the AD clean-up team that aligns all attributes and removes stale accounts.

Develop the data governance model for IAM/PAM and the RBAC model.

Conduct the Business Impact Analysis (BIA) and Business Continuity Planning for the VDH applications.

Responsible for Service Now Dashboards for Risk Reporting and Risk Assessment, tracking gaps, deficiencies, and open issues.

Responsible for the annual application risk assessment security review.

Experience using Archer for risk exceptions and maintaining Plans of Action and Milestones (POA&Ms) in the Archer GRC tool, providing timely updates on their status.

Part of the VDH and VITA security team building the FedRAMP (cloud) security SaaS system to develop the environment for segregation of duties with the cloud applications.

Deployed SIEM tool across the VDH platform.

Work with the Application team for the DR Planning, BIA, and Business Continuity strategy for recovering data and restoring systems in case of a failure or breach.

Develop training materials for employees on the Secure SDLC policy and best practices.

Maintain and update the Secure SDLC policy based on evolving technologies and threats.

Internal Audit (SOC):

Planned, executed, and oversaw the entire audit cycle, including risk management and control management over operations' effectiveness and financial reliability.

Ensure compliance with all applicable laws, regulations, and standards within the financial industry.

Prepare and present reports that reflect the audit's results and document the process.

Evaluate the adequacy and effectiveness of the NIST controls using a risk-based methodology and auditing standards such as PCI DSS, HIPAA, COBIT, and FISCAM.

Participate in audits requiring technical IT skills to evaluate network application compliance with VDH security policy. Assess internal IT controls as part of statement audits, internal and operational audits, attestation engagements, and audit readiness.

Perform all audit stages, including planning, fieldwork/execution, reporting, and follow-up.

Tested access controls to ensure effectiveness, functionality, good reporting, and interfaces.

Risk Analyst:

Led a cross-functional team to implement an Archer risk assessment tool, reducing risk analysis time by 40% and enhancing accuracy by 25%.

Developed and executed a comprehensive risk mitigation strategy for VDH by working with the Virginia Information Technology Agency (VITA).

Collaborated with IT to integrate blockchain technology into risk reporting processes, enhancing data security and transparency for stakeholders.

Managed the Risk Register across the VDH and maintained it.

Assist management in assessing project risks and controls, working with the apps team for the Risk Action plan and creating POEM.

Aetna/CVS, September 2020 – August 2022

Security Lead (GRC Analyst / IT Risk Auditor)

Responsible for the infrastructure audit controls (SOC 1 & SOC 2), secure configuration management (MSB’s finding), and vulnerability management post-merger for Aetna and CVS.

Work with the integration process, ensuring that the merged entity operates efficiently, complies with regulatory requirements, and achieves the strategic objectives that motivated the merger.

Manage risks effectively and ensure that the Aetna merger aligns with the CVS strategic vision.

Review the Due Diligence Risk Register Report and provide the Risk statement summary to CCB Board for approval.

Responsible for accomplishing a thriving “Culture of Compliance” by directing HITRUST CSF implementation, passing HIPAA audits, establishing risk management practices, implementing computer-based HIPAA and CMA training, an

Implementation of Identity (IAM) and Network Kill Switches.

Build out the DIR/BIA strategies Plan.

Secure Configuration Management MSB Program:

Develop a business case concerning NIST framework configuration management controls after the Aetna and CVS merger.

Develop a program with operational goals, objectives, and metrics to align with Aetna and CVS’s vision/strategy.

Develop a project plan and create a hybrid process (SDLC+Agile) to manage severity findings.

Measure progress, re-planning as needed; hold direct reports accountable for achieving goals.

Achieve goals for productivity, quality, and customer satisfaction.

Present the monthly expectation request report to CCB to provide insight and guidance on the request.

Vulnerability Management and Critical Risk Patching:

• TLS Vulnerabilities – Scrum Master (Scaled Agile) with 12 teams to remediate TLS 1.0/1.1 to TLS 1.2.

• Java Patching – Scrum Master (Scaled Agile) with eight teams to remediate the Java update.

Ability to build long-term relationships and partnerships with other enabling teams for the vulnerability assessment.

Interface with and support the work of the cyber security GRC risk and control teams and contribute to overall cyber security GRC goals and objectives.

MS and vulnerability patching work with the technical team.

Audit (SOC 1 and SOC 2):

Develop audit plans and perform risk assessments.

Lead all phases of an audit from the planning stage to audit report publication.

Perform effective reviews of the audits and provide valuable comments to team members.

Quantify materiality and articulate business.

Isolation of the corporate network and identities (IAM) Kill Switches:

Implement a network-layer kill switch to isolate a specific location from the rest of the network.

Implement an identity kill switch – deactivate accounts or terminate active sessions and disconnect devices assigned to employees in a specific location.

Allstate (InfoArmor), Northbrook, IL, June 2019 – September 2020

Sr GRC & Risk Auditor

• Oversee the information security, governance, risk, and compliance team and report to the SVP. Led and managed multiple security and compliance-related projects.

Program 1: Internal and External Audit / NY SHIELD Act

• Led the team to audit the SOC 2 & SOC 1 Type 1 & Type 2 reports.

• Implement a data security program that includes reasonable administrative, technical, and physical safeguards, performing an analysis to identify program gaps.

Program 2: GRC Deployment (ZenGRC)

• GRC – Develop a plan to implement the GRC tool (ZenGRC) for PCI, vendor management, risk management, and vulnerability management.

• PCI DSS – Implement all Payment Channel, SAQ A-EP, SAQ C-VT, and SAQ D controls for all 12 requirements of the PCI DSS.

• Completed the Report on Compliance (ROC), Attestation of Compliance (AOC), and all validation, testing, and assessment requirements for becoming compliant with the PCI DSS as a Level 1 Merchant.

• Vendor Management – Work with the Legal and Vendor Contract teams to establish VM processes and questionnaires.

• Risk Management – Implement RiskLens, the FAIR model for risk management.

• Vulnerability Management – Work with the team to export vulnerabilities from Qualys to the GRC tool.

SDLC Framework Engineer:

Improve the development, enhancement, deployment, communication, and governance of the Regeneron SSDLC roadmap aligned with a comprehensive Cybersecurity by-design strategy

Partner with software development teams in the architectural design of software solutions to ensure the implementation of secure design principles.

Collaborate with leadership on the yearly budget preparation and management of the SSDLC program.

Stay current on evolving security threats and trends, recommending proactive measures to maintain a secure SDLC framework.

Program 3: DLP/SIEM/ Incident Response/Disaster Strategy & Business Continuity Plan

• Work with the Allstate IT team to upgrade DLP (Symantec version 15.5).

• Plan an incident response plan using the SIEM tool.

• Deploy Splunk SIEM and onboard InfoArmor data sources (physical devices, Azure, MS, Checkpoints) to NTT’s SOCaaS.

• Implement a Business Continuity and Disaster Recovery strategy plan. Draft identification of priorities, gap analysis, determination of BIA/DR strategies, and understanding of the recovery time frame.

Program 4: ADA Compliance WCAG 2.0

Audit (SOC 1 and SOC 2):

Develop audit plans and perform risk assessments.

Lead all phases of an audit from the planning stage to audit reports.

Perform effective review of the audits and provide valuable comments to team members.

Responsible for the infrastructure audit controls, secure configuration management (MSB’s finding), and vulnerability management.

Work with Deloitte and the Internal Audit team on the Audit findings.

Responsible for reviewing the evidence and submitting it to the Deloitte team.

Create an exception milestone date in Archer.

Arthur J. Gallagher, Rolling Meadows, IL, May 2018 – June 2019

Program Manager / GRC Lead (M&A)

• Perform a dual role as an integration program manager for Merger and Acquisition and as a Cyber Security Consultant. Manage the enterprise data protection plan (EDPP), security awareness, and merger and acquisition (M&A).

• Work with the CISO, Legal Counsel, Compliance, and M&A teams to address the security and compliance impacts of the merger.

• Review the Due Diligence report to ensure all the risk action plans are in place and are tracked to completion.

Program 1: Enterprise Data Protection Plan: GDPR, CCPA & NYDFS (23 NYCRR 500 Compliance)

• Discover and build the plan for data protection and enforcement for PII, PHI, PCI, and PFI within the applications. Nuix can discover and analyze the resident data to determine the extent of GDPR compliance and drive remediation activities as needed.

• Implemented Elasticsearch (ELK) to search, tag, and export data across the entire database in real time, reduce risk exposure, and comply with GDPR and CCPA privacy regulations.

• Work with the UK technical team for application and GDPR analysis.

• Implement the OneTrust tool for data mapping, PIA (Privacy Impact Assessment), and DPIA (Data Protection Impact Analysis) for the database, application, and vendor apps.

• The Data Protection API allows you to process Subject Erasure Requests, as mandated by the General Data Protection Regulation (GDPR).

Program 2: Security Awareness

• Social Engineering Phishing: An anti-phishing training program that trains and conditions employees to identify and report phishing attacks by sending targeted phishing scenarios that non-punitively reinforce desired user behaviors.

• Security Scorecard: Implement the Security Scorecard process for M&A acquisitions.

Program 3: WCAG-Compliant ADA

• Establish WCAG-EM guidance on using the methodology and considerations for specific situations and conformance evaluation procedures.

New York Life, New York City, NY, August 2017 – December 2018

Sr. IT Portfolio/Program Manager / Scrum Lead - Cyber Security Portfolio

Managed Security, Data Migration (from on-premises data center to Azure Cloud), Infrastructure, and Application Development projects (CyberArk/IAM, SOD, FireCall, Data Migration/Windows 2000 Server Upgrade).

Managed migration of the Annuity landscape by migrating all products (32 FDA and 11 VA) and similar policies from legacy OAS/VAS to Pay using hybrid cloud/on-premises integration migration and the Agile Scrum (JIRA tool) methodology.

Implement a PAM/IAM solution using CyberArk by designing controlled access to privileged accounts that automatically randomize, manage, and vault credentials.

Manage project risk, develop mitigation plans, and escalate decisions and unresolved issues.

Create a project timeline, scope, schedule, plan, and project/governance PMP.

Data migration and Windows 2010 server upgrade.

Horizon Blue Cross Blue Shield, Newark, NJ, July 2016 – August 2017

Sr. IT Project Manager - Cyber Security Portfolio

• Senior Project Manager in the Cyber Security Portfolio, including Endpoint Encryption, CyberArk IAM/PAM, and Data Loss Prevention (DLP).

• Develop SC for assembling the project team, assigning individual responsibilities, identifying appropriate resources needed, and developing schedules.

• Manage project risk, develop mitigation plans, and escalate decisions and unresolved issues.

• Establish and update project plans and budgets with actual forecasts and, with assistance, manage deviations from plan and project parameters.

• Provide weekly status reports to the integration committee, stakeholders, and PMO Manager.

• I created a project timeline, scope, schedule, plan, and project/governance PMP.

• Implement the Multifactor Authentication (MFA) tool for endpoint encryption with an MS AD account.

• Full-disk encryption for laptops/desktops to prevent loss of sensitive data; implement Multifactor Authentication (MFA) tools with the Smart Badge project.

• Create the vendor engagement plan following the project schedule and timeline.

• Clean up the lower environment to protect sensitive data, including PHI and PII. I am involved in full HIPAA compliance.

• Managed PAM/IAM, DLP, SIEM integration, McAfee Endpoint, Smart Badge integration, and Office 365 deployment (Active Directory clean-up). Please see the attached file for project details.

Medtronic, Mansfield, MA, November 2015 – October 2016

Sr. IT Program Manager, Merger & Acquisition

• Responsible for representing Medtronic IS and the financial department after the acquisition of Covidien and interfacing during the integration phase.

• Provide leadership for the entire project impacted by the Covidien acquisition.

• Worked with all organization levels to gather and document requirements and develop systemic solutions to improve the productivity and efficiency of finance and IT projects.

• Led a project to integrate legacy reporting tools into global reporting tools, eliminate redundant software, allow for seamless worldwide reporting, and save the company over $2m annually.

• Responsible for assembling a project team, assigning individual responsibilities, identifying appropriate resources needed, and developing schedules.

• I have successfully implemented financial projects for multiple departments within MITG by providing.

• The ped assessment and RACI impact analysis compared actual results to the plan.

Medical Devices Migration and Deployment

• Develop the new process; Medigate’s platform consists of two main software components: the Medigate Collection Server (MCS) and the Medigate Analysis Server (MAS).

• The collection servers (MCS instances) deployed throughout the PeaceHealth care system communicate with a unified cloud-based MAS dedicated to that healthcare system.

• Develop the project plan to integrate devices.

DHS, State of Minnesota, June 2015 – December 2015

Sr. Project Manager / Scrum Master

• Serve as MNIT State Department of Human Services (DHS) project manager.

• I collaborated with the project lead and MNsure Business, Treasury, and Financial Management to create a scope to finalize the project budget.

• Manage and communicate with the IT and business stakeholders to ensure the success of the MNsure project.

• Attended requirements validation sessions, wrote technical analysis documentation, and performed an in-depth analysis of EDI transactions for the new MMIS environment.

• Work with insurance carriers to comply with FedRAMP and ISO 7001 guidelines to implement information security controls using a federal risk-based approach to information security assessment for all EDI file transmissions.

State of Wisconsin (DHHS, DCF & DPI), October 2014 – June 2015

Portfolio Manager / Project Manager IV

• Work as a Portfolio Manager / Project Manager for an interagency team (DPI, DCF, and DHS).

• Work with agency leads and external groups to gather system requirements and prioritize requests.

• Worked with technical specialists to help prioritize professional needs in the ECIDS projects.

• I have created the governance business flow process for all three agencies to accept the research questions for data approval.

• Integrated the product/process development process for all three data warehouse projects to create a centralized model for ECIDS.

• Implement and refine as needed, execute the implementation plan, and deliver the Race to the Top scope of work (SOW) with the Feds.

• Work with the DPI accounting and Federal Treasury teams to forecast the budget.

Consumers Energy, MI, October 2013 – June 2014

Program Manager / SAP Project Manager

• Led 4 project managers and 50+ resources to guide the program to completion within the target budget and date.

• Coordinate with four vendors (GetThere, JP Morgan Chase Bank, Anand-PAG, and BCD Travel Agency, part of Sabre Travel).

State of Michigan DTMB, MI, December 2012 – May 2013

IT Program Manager

• Manage the project team by creating detailed and accurate project descriptions, estimates, functional and technical specifications, schedules, timelines, and written status reports.

• Document project development using the SUITE (State Unified Information Technology Environment) Waterfall and Agile processes, project extranets, meeting notes, change request forms, and other documents.

• I integrated ITIL processes with IT project management to enhance ELITE (Electronic Local Government Information and Tax Evaluation) for the State of Michigan.

• I implemented GIS ESRI to evaluate each county’s PRE and IFE tax audit through the ELITE database.

Lockheed Martin, Lakeland, FL, February 2012 – November 2013

Project Manager

AmericanEagle.com, IL, February 2009 – December 2011

Program Manager

Cedar Sinai Medical Center, CA, January 2006 – January 2009

Sr. Project Manager

Computer Marketing Technology, IL, 1995 – 2005

Sr. Project Manager
