Tina L. Burgess, M.B.A.
IT Risk Analyst/Consultant
******@*******.*** – 804-***-****
Experience
Sure Power Consulting – Energy Industry – September 2024 – January 2025
IT Risk Consultant – Southern Power
Advised onshore/offshore technical teams on SOX guidance at a granular, technical feature level – 2,000 features for the project
Supporting a large energy company with a SOX implementation project: consulting with onshore and offshore programming resources on SOX compliance dynamically during project implementation. Ensuring client information, such as PII, is kept confidential. PCI-DSS experience used to guide resources with correct implementation direction. SOX, NIST, and ISO 27001 experience used to ensure full IT compliance. Heavy use of JIRA to verify accuracy of project features for new cloud-based implementation.
EY / Bridgewater Consulting – Energy Industry – Exelon May 2024 – August 2024
Risk Business Analyst
Supporting client with NIST 1.1 vs. NIST 2.0 mapping, risk assessment, policy & procedure review. Daily Excel spreadsheet work, VLOOKUP, pivot tables, and Power BI. Implementation of NIST controls into policy & procedures and ISO 27001, ensuring client is compliant with current regulatory standards
Daily analytical work, in-depth understanding of large projects, project status reports, regular client meetings
Involved in Governance, Risk Management, and Compliance (GRC) processes in developing software solutions.
Using JIRA to track, update, and review for SOX controls on technical development.
Commonwealth of Virginia March 2020 - February 2024
ISO Centralized Security Risk Analyst
Reported directly to the Information Security Officer for the Virginia IT Agency (VITA), assisting with security program support to agencies for state clients participating in the ISO Security Service; Risk Assessment/Vulnerability Review for 13 state agency clients.
Vulnerability Review: Responsible for reviewing Business Impact Analysis and Risk Assessments for state agencies.
Conducted Risk Assessments and Business Impact Analysis, ensuring adherence to the COV SEC 501 and SEC 525 IT Security Controls, NIST 800 IT Security Standard Controls, ISO 27001, and Cloud Software Vulnerabilities. Ensured agencies were prepared for IT audits, preparing them with updated policies, procedures, and system vulnerability information.
Applied risk management frameworks to implement security recommendations for the protection of the Commonwealth of Virginia’s assets; third-party risk management reviews, SOC 2 Report analysis.
Translated technical data pulled from Archer to assimilate against agency risk reviews. Conducted Archer training sessions for agency stakeholders to understand the Archer application, creating measurable data for agency analytics.
Ensured IT issue resolution is met for key agency stakeholders. Trained with Information Security Officers for COV.
Senior Cyber Security Risk Analyst
Dominion Energy October 2016 – February 2020
IT Audit Preparation & Remediation to identify and prevent security breaches and mitigate risk
SIEM Management monitoring internal threats – Detect, Analyze, Respond, Report; used daily before and after detection.
IT Audit Review Experience in NERC CIP audit preparation and evidence collection, SME CIP 004; CIP 007
Threat Detection: Ensuring all cyber access revocation tasks for NERC assets are removed in compliance with the NERC Regulation standard of 24 hours
SIEM Tasks: Ensuring internal controls provide removal tasks to internal groups and tasks are completed daily
Cyber Security Training: Ensuring all quarterly and annual training tasks are completed by users who have NERC Cyber Access
Cyber Security Training: Review the annual NERC Cyber Security training for all 20,000 internal users with NERC access
Internal Threat Monitoring: Ensuring all Corporate Security physical asset access removal tasks are completed
24-hour status: Partnering with internal departments to create and maintain internal cyber controls. Frequently worked nights, weekends, and holidays on call, rotating schedule to ensure compliance standards are met
Annual review of internal procedures and controls to ensure accuracy and compliance with the NERC Standard
Administrator of the Access Revocation Application used to track NERC and SOX access to applications
Tracking/Reporting data within the Access Revocation Application for audit review and control purposes; internal threat monitoring and compliance with NERC CIP 004
Participated in the Critical Incident Team for NERC Self-Reporting
Role Based Access Review: Ensuring users' access profiles match their role-based access – NIST 800
System Administrator: Learning Management System (LMS) used to track NERC training controls for users.
Quarterly Learning Assignments for Managers, Supervisors, and Directors
Access Control: Review of all users who request NERC access to ensure compliance with NERC Cyber Security Training
Ensuring all content is updated annually, following the review process with program managers. Working with LMS technical teams to ensure content has the latest NERC CIP Requirements
Training less experienced Analysts: Senior Analysts on the Access Revocation application and cyber security best practice
Mentoring less experienced analysts on Compliance, and NERC Standards
IT Audit Experience: Supplying evidence for audit success.
Secondary approver: ITRM NERC Access to Access Revocation application.
Key Skills used: Relating technical information to non-technical personnel, Internal threat monitoring, and audit evidence collection, SIEM technology used to identify internal threats.
Key Frameworks used: NIST 800; SOX; ISO 27001; NERC
Key Applications used as system administrator: Patch Management; Access Revocation; SharePoint; Learning Management System; ServiceNow.
Senior Business Analyst, AVP February 2009 – September 2016
SunTrust Mortgage
Highly visible position, partnering with executive management, audit and operational risk management to ensure compliance with the SOX Standards
Application Administrator for Empower and Lending Space, a key financial application for the mortgage industry, ensuring compliance with the SOX standard for financial organizations
Annual Operational Risk Review completion for key financial application
Quarterly access reviews for users
IT Audit Technical Support testing for internal controls
Ensured IT Audit Quality results by understanding the business systems and operational procedures and policies
IT Audit Remediation to identify and prevent security breaches and mitigate risk
Developed business processes based on audit findings to improve controls and reduce risk
Partners with Technology and Risk users to ensure segregation of duties and entitlement reviews
Conducts IT User Attestation audits across all lines of business including Retail and Correspondent lending
Identified, led, and facilitated process improvement projects
Extensive business process analysis and remediation in Excel to identify internal threats.
Trained less experienced business analysts as system administrators for key financial applications
System Administration for sensitive financial systems; Lending Space
Systems Administration: Patch Management Testing; Documentation (CPMS); Access Revocation (Access Control Compliance); SharePoint Administrator; Learning Management System Administrator (cyber security training); ServiceNow, JIRA, and Active Directory for technical features development.
Certifications:
Information Security Officer – Commonwealth of Virginia
Training Programs and Continuing Education:
Leadership Development 2023 – Virginia IT Agency
Current Student – DeVry – Keller Graduate School of Management Cyber Security Certification – 2026
Strayer University MBA Finance – 2016
Expertise
Ensuring client success via project management mediums, delivered risk assessment, business impact analysis and controls deliverable for clients.
Creating training programs for agency-wide state agencies for SEC 530 Controls Review
Revising agency policy documentation for SEC 530 compliance
Security Event Management – for internal threat management
Training programs administrator – cyber security – Energy Industry
NERC CIP SME - 004 - CIP 007