Summary:
Global information technologist with experience in risk management and audit, specializing in identifying, assessing, and remediating information risks and in risk planning.
Well-versed in security posture and IAM architecture across a wide variety of hardware and operating systems.
Proven ability to develop, manage, and monitor complex programs with strong attention to detail, including coordination of deliverables, resources, milestones, and success metrics tied to business and project plans.
Interpersonal communication skills and the ability to work effectively with all levels of the organization are key to success.
Experience developing audit plans encompassing IT operational, financial, SOX 404, and SOC internal control activities.
Prepared and electronically filed government applications and other supporting documentation concerning tower erection.
Reviewed permits and other documents to track compliance with company policy.
Researched compliance inquiries as required, including analyzing due diligence documentation and responding to any alleged site violations.
Led the alignment of the HIPAA compliance data privacy policies with the HITRUST framework.
Privacy enablement: reviewed PIAs and DPIAs for the HIPAA assessment.
Experience with NIST 800-30 and NIST 800-53 v3 to build regulatory and risk assessments.
Provided guidance and training to different internal personnel regarding cell site regulatory compliance on an ongoing basis.
I drove the optimization of incident impact assessment and response times and managed the end-to-end vulnerability management workflow.
Provide recommendations for enhancing the client’s enterprise security posture.
Scanned and identified vulnerabilities associated with Allstate Capital One assets connected to the network.
Responsible for infrastructure Audit Controls (SOC 1 & SOC 2), secure configuration management (addressing MSB findings), and Vulnerability Management.
Experience in data asset management involves acquiring, tracking, utilizing, optimizing, and leveraging data assets to create value.
Developed a business case concerning NIST framework configuration management controls after the merger.
Develop and present business cases to management to enhance security posture and effectively mitigate advanced threats.
Assist in building and improving the exception process to manage policy compliance deviations.
Identify risks, implement mitigation controls for the newest technical end-users, and adhere to all IT security policies and programs.
I submitted an IT risk assessment request to identify risks and establish mitigation controls for obtaining necessary approvals, and prepared monthly risk assessment and vulnerability KRI dashboard reports for leadership.
Develop and maintain information security policies, standards, and guidelines; oversee the implementation and enforcement of security policies and practices; and conduct gap analyses to increase district awareness of relevant information security best practices.
Essential Skills:
Experience in stakeholder management, customer service management, and quality management.
Versatile security manager with experience managing a security team and implementing security plans. I am knowledgeable about company requirements and behavior markers, highly observant, and incredibly skilled in risk management, incident response, application risk analysis, GRC, SIEM tools, vulnerability management, and internal and external audits.
Experience in developing and implementing security policies, protocols, and procedures; controlling budgets for security operations; monitoring expenses; and recruiting and training other security analysts.
I led the Secure Configuration Management MSB Program, Vulnerability Management, Critical Risk Patching, and an IAM/PAM project to isolate the corporate network and identities.
Working knowledge of federal cybersecurity regulations, including NIST 800, FedRAMP, FISMA, HIPAA, ISO 27001, and others.
Drive forward the development, enhancement, deployment, communication, and governance of the SSDLC roadmap, which is aligned with a comprehensive Cybersecurity by Design strategy.
Develop and enhance a reliable, scalable, and secure set of SSDLC solutions to efficiently meet business requirements while adhering to the NIST Cybersecurity Framework.
Drive a continuous improvement approach to securing the SDLC program by defining and enforcing security requirements across the entire software development life cycle. This includes the underlying software delivery pipeline, ensuring security is seamlessly and effectively integrated.
Develop and operationalize strategies to continuously assess, identify, and mitigate vulnerabilities within the SSDLC ecosystem.
Soft Skills:
I have a long history in Delivery Leadership, which has required regular interaction, support, reporting, and collaboration with all resources, from development and production teams to C-level leadership. I emphasize building trust by listening closely to my colleagues, ensuring alignment, providing detailed and timely reporting, and being adaptable to ever-changing environments and requirements.
Education and Certifications:
• MBA from Northern Illinois University, 2007
• BSEE, Electrical Engineering from the University of Illinois, 1992
• Certified SAFe 5.0 Scrum Master
• Certified Information Systems Auditor™ (CISA™) Certificate ID 20170222
• Certified Data Privacy Solutions Engineer™ (CDPSE™) Certificate ID 2002327
• Certified Information Security Manager (CISM) Certificate ID 2051413
• Certified Scrum Master (CSM) Certificate ID 000772043
• PMP Certification # 1612381
Skills:
Proficiency in GRC systems administration (ServiceNow, ZenGRC, Archer, and Tenable)
Strong understanding of Information Security Governance, Risk Management, and Compliance frameworks (e.g., ISO 27001, NIST 800-53 v3, HIPAA, HITRUST, GDPR)
Excellent analytical and problem-solving skills
Effective communication and interpersonal abilities
Project management skills
Attention to detail and accuracy.
Project Management Tools: MS Project, MS Project Server, Clarity, Changepoint, Planview, SharePoint, Dashboard, Jira, Clarizen
Cyber Security Tools: GRC (ZenGRC and ServiceNow), Data Privacy (OneTrust and Nuix), Vulnerability Management (Qualys & Nessus), Risk Management (FAIR Model, RiskLens), SIEM / Incident Response (Rapid7 & Splunk), IAM (SailPoint & CyberArk), DLP (Symantec), Endpoint Encryption (McAfee)
Professional Experience:
Virginia Department of Health, August 2022 to Present.
Sr. Manager GRC / IT Auditor / Risk Analyst
Participate in State-wide and other departmental projects and initiatives as a GRC representative and subject matter expert to provide GRC guidance and interpret rules, regulations, risks, and best practices. Create and implement policies, procedures, and training, and communicate the new policies and procedures to support these projects.
Participate in the filing and creation of the GRC goals.
Led the end-to-end deployment of the ServiceNow Integrated Risk Management (IRM) and Asset Management (SAM and HAM) modules.
Devised a strategic information security risk management plan to meet regulatory requirements and audit recommendations.
Built out the NIST 800-53 framework for data classification (Sensitive, High, Medium, and Low).
Reviewed SEC 530 (the Information Security Standard for VDH) and updated the security policies as required by VDH and VITA.
Conduct and document security risk assessments and report the results to the ISO and CISO.
Develop a user-friendly form in ServiceNow to capture hardware asset details during asset requests.
Configure workflows and approvals to streamline the asset request and procurement process.
Strong understanding of various compliance and regulatory areas (e.g., SOX, PCI, FFIEC), the risk register, risk exposure, risk reporting, and handling of risk events.
As part of the AD clean-up team, aligned all attributes and removed stale accounts.
Develop the data governance model for IAM/PAM and the RBAC model.
Conduct the Business Impact Analysis (BIA) and Business Continuity Planning for the VDH applications.
Responsible for ServiceNow dashboards for Risk Reporting and Risk Assessment, tracking gaps, deficiencies, and open issues.
Responsible for Applications Risk Assessment and the Security Annual Review.
Experience using Archer for managing risk exceptions and maintaining Plans of Action and Milestones (POA&Ms), and providing timely updates on their status.
Part of the VDH and VITA Security team building the FedRAMP (Cloud) security SaaS system to develop the environment for segregation of duties with the cloud applications.
Deployed SIEM tool across the VDH platform.
Collaborate with the Application team to develop a DR planning strategy, BIA, and business continuity plan for recovering data and restoring systems in case of a failure or breach.
Develop training materials for employees on the Secure SDLC policy and best practices.
Maintain and update the Secure SDLC policy in response to evolving technologies and emerging threats.
Internal Audit Society
Planned, executed, and oversaw the entire audit cycle, including risk and control management, to assess operational effectiveness and financial reliability.
Ensure compliance with all applicable laws, regulations, and industry standards.
Prepare and present reports that reflect the audit's results and document the process.
Evaluate the adequacy and effectiveness of the NIST controls using a risk-based methodology and auditing standards such as PCI DSS, HIPAA, COBIT, and FISCAM.
Participate in audits that require technical IT skills to evaluate network application compliance with VDH security policies. Assess internal IT controls as part of statement audits, internal and operational audits, attestation engagements, and audit readiness.
Perform all audit stages, including planning, fieldwork, execution, reporting, and follow-up.
Tested access controls for effectiveness, functionality, reporting, and interfaces.
Risk Analyst:
Led a cross-functional team in implementing an Archer risk assessment tool, resulting in a 40% reduction in risk analysis time and a 25% increase in accuracy.
Developed and executed a comprehensive risk mitigation strategy for VDH by working with the Virginia Information Technology Agency (VITA).
Collaborated with IT to integrate blockchain technology into risk reporting processes, enhancing data security and transparency for stakeholders.
Managed and maintained the Risk Register across VDH.
Assist management in assessing project risks and controls, working closely with the apps team to develop the Risk Action Plan and create the POA&M.
Aetna/CVS, September 2020 – August 2022
Security Lead (GRC Analyst / IT Risk Auditor)
Responsible for infrastructure Audit Controls (SOC1 & SOC2), secure configuration management (addressing MSB findings), and Vulnerability Management post-merger for Aetna and CVS.
Work with the integration process to ensure that the merged entity operates efficiently, complies with regulatory requirements, and achieves the strategic objectives that motivated the merger.
Manage risks effectively and ensure that the Aetna merger aligns with the CVS strategic vision.
Review the Due Diligence Risk Register Report and provide a summary of the risk statement to the CCB Board for approval.
Responsible for accomplishing a thriving “Culture of Compliance” by directing HITRUST CSF implementation, passing HIPAA audits, establishing risk management practices, implementing computer-based HIPAA and CMA training, and implementing Identity and Access Management (IAM) and network kill switches.
Build out the DR/BIA strategy plan.
Secure Configuration Management MSB Program:
Develop a business case concerning NIST framework configuration management controls after the Aetna and CVS merger.
Develop a program with operational goals, objectives, and metrics that align with Aetna and CVS’s vision and strategy.
Develop a project plan and create a hybrid process (SDLC + Agile) to manage severity findings.
Measure progress and re-plan as needed; hold direct reports accountable for achieving goals.
Achieve goals for productivity, quality, and customer satisfaction.
Present the monthly exception request report to the CCB to provide insight and guidance on the requests.
Vulnerability Management and Critical Risk Patching:
• TLS vulnerabilities – remediated TLS 1.0/1.1 by migrating to TLS 1.2.
• Java patching – remediated the Java update.
Ability to build long-term relationships and partnerships with other enabling teams for the vulnerability assessment.
Interface with and support the work of the cybersecurity GRC risk and control teams, contributing to the GRC's overall goals and objectives.
Work with the technical team on MS vulnerabilities and patching.
Audit (SOC 1 and SOC 2):
Develop audit plans and perform risk assessments.
Lead all phases of an audit, from planning to report publication.
Conduct thorough reviews of audits and provide constructive feedback to team members.
Quantify materiality and articulate business.
Isolation of the corporate network and identities (IAM) kill switches:
Implement a network-layer kill switch that isolates a specific location from the rest of the network.
Implement an identity kill switch that deactivates accounts, terminates active sessions, and disconnects devices assigned to employees in a specific location.
Allstate (InfoArmor), Northbrook, IL, March 2020 – September 2020
Sr. GRC & Risk Auditor
• Oversee the information security, governance, risk, and compliance team, reporting to the SVP. Led and managed multiple security and compliance-related projects.
Program 1: Internal and External Audit / NY SHIELD Act
• Led the team to audit the SOC 2 & SOC 1 Type 1 & Type 2 reports.
• Implement a data security program that includes reasonable administrative, technical, and physical safeguards, and analyze program gaps.
Program 2: GRC Deployment (ZenGRC)
• GRC – Develop a plan to implement the GRC tool (ZenGRC) for PCI, vendor management, and risk and vulnerability management.
• PCI DSS – Implement all Payment Channel, SAQ A-EP, SAQ C-VT, and SAQ D controls for all 12 requirements of the PCI DSS.
• Implemented the Report on Compliance (ROC), Attestation of Compliance (AOC), and all validation, testing, and assessment requirements to ensure compliance with the PCI DSS as a Level 1 Merchant.
• Vendor Management – Collaborate with the Legal and Vendor Contract team to establish vendor management processes and questionnaires.
• Risk Management – Implementing RiskLens, the FAIR Model for risk management.
• Vulnerability Management – Work with the team to export vulnerabilities from Qualys to the GRC tool.
SDLC Framework Engineer:
Improve the development, enhancement, deployment, communication, and governance of the Regeneron SSDLC roadmap aligned with a comprehensive Cybersecurity-by-Design strategy.
Collaborate with software development teams to design software solutions that incorporate secure design principles, ensuring their implementation.
Collaborate with leadership on preparing and managing the SSDLC program's yearly budget.
Stay current on evolving security threats and trends, recommending proactive measures to maintain a secure SDLC framework.
Program 3: DLP / SIEM / Incident Response / Disaster Strategy & Business Continuity Plan
• Work with the Allstate IT team to upgrade DLP (Symantec version 15.5).
• Develop an incident response plan using the SIEM tool.
• Deploy Splunk SIEM and onboard InfoArmor data sources (physical devices, Azure, MS, Check Point) to NTT’s SOCaaS.
• Implement a Business Continuity and Disaster Recovery Strategy plan: draft identification of priorities, conduct gap analysis, determine BIA/DR strategies, and understand recovery timeframes.
Program 4: ADA Compliance WCAG 2.0
Audit (SOC 1 and SOC 2):
Develop audit plans and perform risk assessments.
Lead all phases of an audit, from planning to preparing audit reports.
Conduct thorough reviews of audits and provide valuable feedback to team members.
Responsible for infrastructure audit controls, Secure Configuration Management (MSB findings), and Vulnerability Management.
Collaborate with Deloitte and the Internal Audit team on addressing audit findings.
Responsible for reviewing the evidence and submitting it to the Deloitte team.
Create an exception milestone date in Archer.
State of Wisconsin DHS (DXC), January 2019 – March 2020
Security Analyst / Project Manager
Project 1: Long-Term Care (LTC) DDI enhancement
Project 2: Program Integrity
Implement enhancements to the MMIS to fully integrate all long-term care DHS programs. Building on previous enhancements, add provider and member data, and fully implement the functionality to process and pay all program claims through the MMIS.
Roles and Responsibilities
Work with a cross-functional team to identify cross-team dependencies, manage inter-team tasks, and facilitate Scrum of Scrums meetings.
Agile tools: Jira, burndown charts. Ensure all user stories are tested before deployment.
Continuous Integration: increase quality by helping the Scrum team implement daily automated tests.
Test-Driven Development: manage the full cycle of code development from ideation to sprints to deployment; encourage developers to debug previously written code and confidently make changes.
Manage overall coordination of projects from planning through implementation of the LTC and Program Integrity enhancements.
Facilitate discussions and consensus among various project stakeholders to obtain approval.
Arthur J. Gallagher, Rolling Meadows, IL, May 2018 – Jan 2019
Program Manager / GRC Lead (M&A)
• Perform a dual role as an Integration Program Manager for Mergers and Acquisitions and a Cyber Security Consultant. Manage the enterprise data protection plan (EDPP), security awareness, and mergers and acquisitions (M&A).
• Collaborate with the CISO, Legal Counsel, Compliance, and M&A teams to assess the security and compliance implications of the merger.
• Review the Due Diligence report to ensure all risk action plans are in place and tracked for completion.
Program 1: Enterprise Data Protection Plan: GDPR, CCPA & NYDFS (23 NYCRR 500 Compliance)
• Develop and implement a plan for data protection and enforcement of PII, PHI, PCI, and PFI across applications. Nuix discovers and analyzes the resident data to determine the extent of GDPR compliance and drive remediation activities as needed.
• Implemented an Elasticsearch (ELK) layer to access the entire database in real time, enabling search, tagging, and export of data, reducing risk exposure, and complying with GDPR and CCPA privacy regulations.
• Collaborate with the UK technical team on application and GDPR analysis.
• Implement the OneTrust tool for data mapping, PIA (Privacy Impact Assessment), and DPIA (Data Protection Impact Assessment) for the database, application, and vendor applications.
• Implement the Data Protection API to process Data Subject Erasure Requests, as mandated by the General Data Protection Regulation (GDPR).
Program 2: Security Awareness
• Social Engineering Phishing: An anti-phishing training program educates and conditions employees to identify and report phishing attacks by presenting targeted phishing scenarios that non-punitively reinforce desired user behaviors.
• Security Scorecard: Implement the Security Scorecard process for M&A acquisitions.
Program 3: WCAG-Compliant ADA
• Establish WCAG-EM guidance on using the methodology and considerations for specific situations and conformance evaluation procedures.
New York Life, New York City, NY, August 2017 – December 2018
Sr. IT Portfolio / Program Manager / Scrum Lead - Cyber Security Portfolio
Managed security, data migration (from on-premises data center to Azure cloud), infrastructure, and application development projects (CyberArk/IAM, SoD, FireCall, data migration / Windows 2000 Server upgrade).
Managed migration of the Annuity landscape by migrating all products (32 FDA and 11 VA) and similar policies from legacy OAS/VAS to Pay using a hybrid cloud/on-premises integration and the Agile Scrum (Jira) methodology.
Implemented a PAM/IAM solution using CyberArk by designing controls for access to privileged accounts that automatically randomize, manage, and vault credentials.
Manage project risk, develop mitigation plans, and escalate decisions and unresolved issues.
Create the project timeline, scope, schedule, plan, and project governance plan (PMP).
Data migration and Windows 2010 server upgrade.
Horizon Blue Cross Blue Shield, Newark, NJ, July 2016 – August 2017
Sr. IT Project Manager - Cyber Security Portfolio
• Senior Project Manager in the Cyber Security Portfolio, including Endpoint Encryption, CyberArk IAM/PAM, and Data Loss Prevention (DLP).
• Develop a strategy for assembling the project team, assigning individual responsibilities, identifying necessary resources, and developing schedules.
• Manage project risk, develop mitigation plans, and escalate decisions and unresolved issues.
• Establish and update project plans and budgets with actual forecasts and, with assistance, manage deviations from plan and project parameters.
• Provide weekly status reports to the integration committee, stakeholders, and PMO Manager.
• I created a project timeline, scope, schedule, plan, and project governance plan (PMP).
• Implement the Multifactor Authentication (MFA) tool for endpoint encryption with an MS AD account.
• Implement full-disk encryption for laptops and desktops to prevent loss of sensitive data, together with Multifactor Authentication (MFA) tools, as part of the Smart Badge project.
• Develop the vendor engagement plan following the project schedule and timeline.
• Clean up the lower environments to protect sensitive data, including PHI and PII. I am involved in full HIPAA compliance.
• Managed PAM/IAM, DLP, SIEM integration, McAfee Endpoint Protection, Smart Badge integration, and Office 365 deployment (including Active Directory cleanup). Please see the attached file for project details.
Medtronic, Mansfield, MA, November 2015 – October 2016
Sr. IT Program Manager, Merger & Acquisition
• Responsible for representing Medtronic IS and the financial department after the acquisition of Covidien and interfacing during the integration phase.
• Provide leadership for the entire project impacted by the Covidien acquisition.
• Worked with all organizational levels to gather and document requirements and develop systemic solutions to improve the productivity and efficiency of finance and IT projects.
• Led a project to integrate legacy reporting tools with global reporting tools, eliminating redundant software and enabling seamless worldwide reporting, resulting in annual savings of over $2 million for the company.
• Responsible for assembling a project team, assigning individual responsibilities, identifying necessary resources, and developing schedules.
• I have successfully implemented financial projects for multiple departments within MITG by providing.
• The ped assessment and RACI impact were analyzed based on actual results compared to the plan.
Medical Devices Migration and Deployment
• Develop the new process. Medigate’s platform consists of two main software components: the Medigate Collection Server (MCS) and the Medigate Analysis Server (MAS).
• The collection servers (MCS instances) deployed throughout the PeaceHealth care system communicate with a unified cloud-based MAS dedicated to that healthcare system.
• Develop the project plan to integrate devices.
DHS State of Minnesota, June 2015 – December 2015
Sr. Project Manager / Scrum Master
• Serve as MNIT State Department of Human Services (DHS) project manager.
• I collaborated with the project lead and MNsure's Business, Treasury, and Financial Management teams to create a scope that finalized the project budget.
• Manage and communicate with the IT and business stakeholders to ensure the success of the MNsure Project.
• Attended requirements validation sessions, wrote technical analysis documentation, and performed an in-depth analysis of EDI transactions for the new MMIS environment.
• Collaborate with insurance carriers to comply with FedRAMP and ISO 27001 guidelines, implementing information security controls using a federal risk-based approach to assess information security for all EDI file transmissions.
State of Wisconsin (DHHS, DCF & DPI), October 2014 – June 2015
Portfolio Manager / Project Manager IV
• Serve as a Portfolio Manager / Project Manager for an interagency team comprising DPI, DCF, and DHS.
• Work with agency leads and external groups to gather system requirements and prioritize requests.
• Worked with technical specialists to help prioritize professional needs in the ECIDS projects.
• I have developed a governance business flow process for all three agencies to facilitate the approval of research questions for data collection.
• DHS has integrated the product and process development process for all three data warehouse projects to create a centralized model for ECIDS.
• Implement refinements as needed, execute the implementation plan, and work within the Race to the Top scope of work (SOW) with the Feds.
• Work with the DPI accounting and Federal Treasury to forecast the budget.
Consumers Energy, MI, October 2013 – June 2014
Program Manager / SAP Project Manager
• Led 4 project managers and 50+ resources to guide the program to completion within the target budget and date.
• Coordinate with four vendors: GetThere, JP Morgan Chase Bank, Anand-PAG, and BCD Travel Agency (part of Sabre Travel).
State of Michigan DTMB, MI, December 2012 – May 2013
IT Program Manager
• Manage the project team by creating detailed and accurate project descriptions, estimates, functional and technical specifications, schedules, timelines, and written status reports.
• Document and track all project development activities using the SUITE (State Unified Information Technology Environment), including Waterfall and Agile processes, project extranets, meeting notes, change request forms, and other relevant documents.
• I integrated ITIL processes with IT project management to enhance ELITE (Electronic Local Government Information and Tax Evaluation) for the State of Michigan.
• I have implemented GIS (ESRI) to evaluate each county’s PRE and IFE tax audits through the ELITE database.
Lockheed Martin, Lakeland, FL, February 2012 – November 2013
Project Manager
AmericanEagle.com, IL, February 2009 – December 2011
Program Manager
Cedar Sinai Medical Center, CA, January 2006 – January 2009
Sr. Project Manager
Computer Marketing Technology, IL, 1995 – 2005
Sr. Project Manager