Esther Benson
**************@*****.***
linkedin.com/in/adben
SUMMARY:
• Results-driven Information Security Governance, Risk, and Compliance (GRC) Analyst with a strong background in cybersecurity strategy, risk management, third-party risk, and regulatory compliance. Proven ability to lead enterprise-wide GRC initiatives, assess vendor risks, and implement compliance frameworks (SOC 2, NIST, ISO 27001, PCI-DSS, HIPAA). Adept at using tools such as ServiceNow, OneTrust, and RSA Archer to manage compliance programs, conduct assessments, and automate reporting processes.
CORE COMPETENCIES
• Strategic Planning
• Risk Management & Assessment
• Policy & Procedure Development
• Regulatory Compliance (SOC 2, ISO 27001, HIPAA, GDPR, CCPA, PCI-DSS)
• Security Awareness & Training
• Risk Remediation Strategies
• Business Continuity & Disaster Recovery
• Third-Party Risk Management (TPRM)
• Vendor Risk & Contract Reviews
TECHNICAL SKILLS
• GRC Tools: ServiceNow, OneTrust, RSA Archer, AuditBoard, Compliance360
• Frameworks: NIST CSF, CIS Controls, HITRUST
• Tableau for Reporting & Risk Visualization
• ITGC & Internal Audits
• Security Tools: BitSight, Proofpoint, Abnormal Security, Recorded Future, Cyrisk, KnowBe4, OpenVAS, Splunk, Semperis
• Identity & Enterprise Platforms: Okta, Office 365, Workday, Symplr
• Productivity Tools: Excel (Advanced), MS Project, PowerPoint
• Security Policy Development
• Quality Integration
EDUCATION
• Master’s in Business Analytics and Risk Management – The Johns Hopkins University
• B.Sc. Information Technology – Lagos State University
• Diploma in Cyber Risk Management – Elgin Community College
CERTIFICATIONS
• CISM – Certified Information Security Manager
• CISA – Certified Information Systems Auditor
• CySA – Cybersecurity Analyst
PROFESSIONAL EXPERIENCE:
Southwestern Health Resource – Information Security GRC Analyst
Remote Nov 2024 – Present
• Designed and implemented comprehensive cybersecurity strategies including risk assessments, vulnerability management, and incident response planning.
• Lead third-party risk assessments and internal security audits to evaluate compliance with NIST, ISO 27001, and HIPAA standards.
• Assess vendor SOC 2 reports and IAM configurations in Azure AD to mitigate identity-based risks.
• Utilize ServiceNow, OneTrust, and RSA Archer to manage security policies, track remediation, and automate compliance evidence collection.
• Develop and enhance ISMS-aligned policies and procedures, conducting regular training across departments.
• Prepare risk assessment reports and present mitigation strategies to senior leadership.
• Drive GDPR and HITRUST compliance through collaboration with IT, legal, and procurement.
• Monitor risk registers and escalate vendor vulnerabilities in real time using Recorded Future and Cyrisk.
• Develop and lead security assessments to measure the adequacy of existing information security controls.
• Lead and oversee reporting on information security risks, and work with IT sub-divisions, third-party partners, and business units to identify the impact of technology implementations on IT and business unit operations.
• Engage with security vendors for tool configuration, solution design, and GRC process enhancement.
• Participate in security incident response, compliance assessments (SOC 2), and security risk evaluations by gathering and analyzing the relevant data elements.
• Collect survey data and facilitate risk assessments for all third-party and internal solutions that may process or store data.
• Establish and monitor the policy/standards attestation process by all stakeholders.
• Develop and deliver training programs to raise awareness of ISMS requirements and promote a culture of information security awareness across the organization.
• Stay updated on relevant laws, regulations, and industry standards pertaining to data security, privacy, and compliance (e.g. PCI-DSS, GDPR, HITRUST) and ensure the organization's practices align with these requirements.
• Developed and enforced IT governance frameworks based on industry standards (e.g., NIST CSF, ISO 27001, HITRUST), ensuring regulatory compliance and improved cybersecurity posture.
• Provided consultation on IT procurement and deployment, aligning technology investments with business goals and enhancing operational efficiency.
• Delivered technical support and troubleshooting, including remote assistance and on-site diagnostics, ensuring quick resolution of software, hardware, and network issues.
• Leverage a GRC platform to monitor and manage compliance activities, automate evidence collection, and track the company’s progress toward SOC 2 certification.
• Assess and manage risks related to data breaches, unauthorized access, and compliance with data protection regulations (e.g., GDPR, HIPAA, PCI-DSS, CCPA).
• Authored policies aligned with control frameworks like NIST CSF, CIS Controls, and ISO/IEC 27001.
• Collaborate with cross-functional teams to address any gaps identified during assessments and develop remediation plans.
• Utilize ServiceNow and OneTrust as GRC tools for IT system compliance and security control management.
• Collaborate with stakeholders on network performance improvements, data security, and third-party vendor management.
• Ensured SOC 1 & SOC 2 compliance by evaluating ISO 27001 certifications.
• Utilize Office 365 tools (Word, Excel, SharePoint, OneDrive, Teams, PowerPoint) for documentation, collaboration, and reporting.
• Experienced in application risk assessment, AWS environments, vulnerability assessment, and software security in SDLC processes.
• Develop and support business continuity and disaster recovery strategies with the relevant teams.
Wintrust Bank, N.A. – Risk & Compliance Analyst
Hybrid Sep 2023 – Sep 2024
• Designed and implemented comprehensive cybersecurity strategies including risk assessments, vulnerability management, and incident response planning.
• Designed and implemented cybersecurity frameworks (NIST, ISO 27001) for SOC 2 readiness.
• Led GDPR and PCI-DSS compliance initiatives, aligning controls across departments.
• Streamlined compliance operations using AuditBoard, ServiceNow, and OneTrust.
• Reviewed third-party security controls during onboarding and annual reviews.
• Delivered ISMS training and maintained audit readiness across internal platforms.
• As Functional Area Lead, collaborated with stakeholders on control testing, analysis, and implementation of technology.
• Conduct risk assessments to identify and improve internal controls
• Conduct regular supplier audits to ensure compliance with industry standards.
• Led risk management and mitigation efforts, spearheading improvements by formulating short-term objectives and crafting long-term strategic plans.
• Evaluated the security posture of third-party vendors, including an assessment of their cybersecurity practices.
• Prioritized and categorized third-party risks based on their criticality to allocate resources effectively.
• Managed cyber risk and asset management, ensuring the availability of critical components to prevent system downtime.
• Stay updated on relevant laws, regulations, and industry standards pertaining to data security, privacy, and compliance (e.g. PCI-DSS, GDPR, SOX), ensuring the organization’s practices align with these requirements.
• Developed and enforced IT governance frameworks based on industry standards (e.g., NIST CSF, ISO 27001), ensuring regulatory compliance and improved cybersecurity posture.
• Provided consultation on IT procurement and deployment, aligning technology investments with business goals and enhancing operational efficiency.
• Delivered technical support and troubleshooting, including remote assistance and on-site diagnostics, ensuring quick resolution of software, hardware, and network issues.
• Leverage a GRC platform to monitor and manage compliance activities, automate evidence collection, and track the company’s progress toward SOC 2 certification.
• Collaborate with cross-functional teams to address any gaps identified during assessments and develop remediation plans.
• Prepare and present reports to senior management, outlining risk assessments, compliance statuses, and remediation efforts.
T-Mobile – Risk Compliance Analyst
Hybrid Nov 2021 – Aug 2023
• Review existing documents to identify and prioritize requirements for revisions.
• Administer and optimize security and GRC tools such as phishing and training platforms, DLP, TPRM, risk registers, and privacy management solutions.
• Managed enterprise security policy governance using OneTrust and ServiceNow.
• Led internal audit cycles for SOC 2 and ISO 27001 compliance.
• Conducted vendor due diligence and third-party security reviews, improving vendor risk posture by 8%.
• Automated policy attestation and risk tracking through GRC integrations.
• Ensured compliance with various regulatory standards, including GDPR, and PCI-DSS, by developing security policies that mitigate risks.
• Utilize ServiceNow as a GRC tool to ensure compliance with IT system and security controls.
• Established and maintained security governance frameworks to ensure that security initiatives align with business objectives and priorities.
• Developed, implemented, and reviewed security policies, procedures, and guidelines to ensure compliance with industry standards and regulations.
• Prepared and submitted compliance reports to regulatory agencies, internal stakeholders, and external auditors as required.
• Collaborated with stakeholders on risk management and control assessments to enhance security posture.
• Evaluate the security posture of vendors, including their cybersecurity practices, data protection measures, and overall risk profile.
• Leverage a GRC platform to streamline risk management strategies, manage compliance activities, automate evidence collection, and track the company’s progress toward SOC 2 certification.
• Conduct comprehensive risk assessments and assist in the development of risk treatment plans to mitigate identified risks effectively.
• Administer questionnaires to all vendors to determine the effectiveness of their controls.
• Validate security questionnaires during onsite visits to confirm that data protection at vendor sites is up to date.
• Implement ongoing monitoring processes to track the performance and security practices of third-party vendors.
• Assisted in maintaining compliance with standards such as PCI DSS, SOC 1/SOC 2, ISO 27001, GDPR, and state data privacy regulations.
• Utilize and enhance the Enterprise Policy Management tool (OneTrust) to automate IT policy and standard management processes.
• Conduct risk assessments to identify and improve internal controls.
• Plan, conduct, and manage internal and external cybersecurity audits, focusing on security controls in the airline industry.