
Risk Management Regulatory Compliance

Location:
Atlanta, GA
Salary:
80,000
Posted:
October 29, 2025


Resume:

JONATHAN KOFI ABABIO, MBA, CISA, Security+


Email: ********@*****.***

Phone: 727-***-****

PROFESSIONAL SUMMARY

Certified and results-driven GRC and cybersecurity professional with over 15 years of progressive experience in information assurance, security assessment & authorization, compliance audits, and continuous monitoring across federal and commercial environments. Proven ability to lead Security Control Assessments (SCAs), align enterprise IT strategies with frameworks such as FISMA, NIST, FedRAMP, SOX, and HIPAA, and manage end-to-end governance programs.

Demonstrated success in IT Risk Management, including IT General Controls (ITGCs) and Application Controls (ITACs) testing, audit readiness, risk reporting, and regulatory compliance. Skilled in driving secure cloud migrations, evaluating system security, and producing actionable audit reports and remediation plans. Experienced in managing systems, supporting PCI DSS and SOC attestation efforts, and leading legal and regulatory compliance initiatives. Adept at assessing and improving policies, standards, and procedures while applying data and business analytics to strengthen security posture and risk visibility.

Strong communicator and trusted advisor, with a strategic mindset and the technical, regulatory, and analytical expertise needed to support secure, compliant, and resilient enterprise IT operations.

EDUCATION

Master of Business Administration, Project Management, GIMPA, Ghana

Bachelor of Arts, Psychology and Information Systems, University of Ghana, Legon, Ghana

CERTIFICATIONS

• CISA – Certified Information Systems Auditor

• Security+

• PMP – Project Management Professional (Pending)

PROFESSIONAL EXPERIENCE

Pacific Cyber Solutions, Virginia 2019 – Present

Senior Information Security Risk Specialist

Reported to the Senior Project Manager, acting as an RMF Expert to assess and validate the implementation of security control baselines, providing guidance on validation, documentation, vulnerability mitigation, and residual risk determination.

• Supported System Owners and ISSOs in preparing ATO packages, ensuring compliance with NIST SP 800-53 security control requirements.

• Updated System Security Plans (SSPs), Security Test & Evaluations (ST&Es), Risk Assessment Reports (RARs), and Plans of Action and Milestones (POA&Ms).

• Managed FedRAMP and FISMA compliance through control implementation, assessment, and continuous monitoring to maintain ATO status, including effective POA&M tracking and resolution.

• Served as a Security Control Assessor (SCA), supporting A&A activities by preparing and reviewing RMF artifacts including System Security Plans (SSP), Security Assessment Reports (SAR), Security Assessment Plans (SAP), Privacy Threshold Analyses (PTA), Privacy Impact Assessments (PIA), and E-Authentication documentation.

• Utilized eMASS to review, verify, and validate program artifacts as part of security assessment procedures.

• Monitored audit findings and tracked remediation efforts, providing ongoing updates on corrective action plan progress.

• Conducted vulnerability scans and log analysis using Nessus and Splunk to detect and remediate security gaps.

• Facilitated internal compliance reviews and collaborated with audit teams to monitor network operations. Reviewed audit logs, tracked suspicious activity, and ensured timely vulnerability remediation.
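The scan-to-remediation loop described in the bullets above (Nessus scans feeding POA&M tracking and timely remediation) is illustrated here with an added example; this is not the candidate's own code or any employer's tooling. It parses a Nessus `.nessus` XML export (the real `NessusClientData_v2` layout) into POA&M-style items, one per weakness with all affected hosts grouped, and assigns a due date by severity. The XML document, plugin IDs and host addresses are constructed sample data, and the remediation windows in `REMEDIATION_DAYS` are an assumed internal policy, not a NIST or FedRAMP requirement.

```python
"""Triage a Nessus (.nessus XML) export into POA&M-style remediation items.

Added example, not the candidate's or any employer's code. SAMPLE_NESSUS is a
constructed document in the real NessusClientData_v2 layout; REMEDIATION_DAYS
is an assumed policy, not a framework requirement.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import date, timedelta

# Nessus "severity" attribute: 0 info, 1 low, 2 medium, 3 high, 4 critical.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
# Assumed remediation windows in days by severity (adjust to the system's policy).
REMEDIATION_DAYS = {4: 15, 3: 30, 2: 90, 1: 180}

# Constructed sample export: two hosts, one shared critical finding, one medium,
# one informational plugin that must never become a POA&M entry.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
<Report name="constructed-sample">
<ReportHost name="10.0.0.5">
<HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="100001" pluginName="Sample SMB remote code execution" pluginFamily="Windows">
<solution>Apply the vendor patch.</solution>
<cvss_base_score>9.3</cvss_base_score>
</ReportItem>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2" pluginID="100002" pluginName="Sample weak SSH cipher" pluginFamily="Misc.">
<solution>Disable CBC ciphers.</solution>
<cvss_base_score>5.0</cvss_base_score>
</ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="100003" pluginName="Sample OS fingerprint" pluginFamily="General">
</ReportItem>
</ReportHost>
<ReportHost name="10.0.0.6">
<HostProperties><tag name="host-ip">10.0.0.6</tag></HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="100001" pluginName="Sample SMB remote code execution" pluginFamily="Windows">
<solution>Apply the vendor patch.</solution>
<cvss_base_score>9.3</cvss_base_score>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


@dataclass
class PoamItem:
    plugin_id: str
    weakness: str
    severity: str
    solution: str
    due: date
    hosts: list = field(default_factory=list)


def parse_nessus(xml_text):
    """Yield (host name, ReportItem element) pairs from a .nessus document."""
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            yield host.get("name"), item


def build_poam(xml_text, scan_date, min_severity=1):
    """Group findings by plugin ID into POA&M items: one weakness, many hosts.

    Informational plugins (severity below min_severity) are dropped; the due
    date is the scan date plus the assumed window for the severity.
    """
    items = {}
    for host, item in parse_nessus(xml_text):
        sev = int(item.get("severity", "0"))
        if sev < min_severity:
            continue
        pid = item.get("pluginID")
        if pid not in items:
            items[pid] = PoamItem(
                plugin_id=pid,
                weakness=item.get("pluginName"),
                severity=SEVERITY_NAMES[sev],
                solution=item.findtext("solution", default="").strip(),
                due=scan_date + timedelta(days=REMEDIATION_DAYS[sev]),
            )
        if host not in items[pid].hosts:
            items[pid].hosts.append(host)
    # Highest severity first, then the weakness affecting the most hosts.
    rank = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    return sorted(items.values(), key=lambda p: (rank[p.severity], -len(p.hosts)))


def overdue(poam, today_iso):
    """Return the items whose due date has passed as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return [p for p in poam if p.due < today]


def sample_poam():
    """Build the POA&M for the constructed sample, scanned on 2025-01-06."""
    return build_poam(SAMPLE_NESSUS, date(2025, 1, 6))


if __name__ == "__main__":
    for p in sample_poam():
        print(f"{p.severity:8} {p.plugin_id} {p.weakness} "
              f"hosts={len(p.hosts)} due={p.due} fix={p.solution}")
    print("overdue on 2025-02-01:", [p.plugin_id for p in overdue(sample_poam(), "2025-02-01")])
```

Nessus severity is assigned by the plugin, so a real POA&M should re-rate each weakness against the system's impact level and environment before the due date is fixed, and a complete entry also records milestones, the responsible party, resources required and the risk-acceptance decision if the fix is deferred.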

Stanbic Bank, Ghana 2010 – 2018

Senior Risk Management & Compliance Consultant

Assisted the Bank Cyber Risk Management division in identifying, assessing, reporting, and managing enterprise cybersecurity risks to protect sensitive information, ensure regulatory compliance, and mitigate potential security threats, including:

• Directed and tracked risk assessments and attestations for IT and operational controls, conducting audits and security assessments aligned with SOX, SOC 2, HITRUST, PCI DSS, FFIEC, and ISO frameworks.

• Led processes to evaluate security risks, identify control gaps, and implement remediation plans supported by metrics dashboards and compliance reporting.

• Authored and maintained system security policies and standards, Security Test & Evaluation (ST&E) reports, and Security Control Assessments (SCAs) with corresponding SARs and POA&Ms to support audit and compliance.

• Maintained continuous monitoring procedures, responded to audit requests, and documented control weaknesses and testing exceptions with detailed remediation recommendations.

• Identified and communicated IT audit findings to senior management and clients, while managing audit activities across Segregation of Duties (SOD), SOX, PCI DSS, HIPAA, and pre-/post-implementation reviews.

• Conducted FISCAM-based Business Process Application Control and General Computer Controls assessments, validating compliance with FISCAM and SSAE 16 requirements.

• Applied IT security principles and emerging technologies to assess complex security challenges, support accreditation efforts, and evaluate the impact of system modifications.

• Reviewed system documentation including security policies, contingency plans, access controls, and incident response procedures to validate compliance with classification levels and regulatory standards.

• Executed cybersecurity audits in areas such as incident, vulnerability, and capacity management while supporting SOC audit readiness and evidence collection for NIST, PCI DSS, and ISO 27001 frameworks.

• Demonstrated strong understanding of risk governance and compliance across domains including SOX, SOC, PCI, FFIEC, and FERC, leveraging risk registers, reporting, and exposure assessments.

• Applied frameworks such as COBIT, COSO, ITIL, NIST, ISO, GDPR, and FFIEC to conduct audits on access control, change management, and IT operations, ensuring alignment with regulatory expectations.

Ministry of Finance, Ghana 2008 – 2009

Senior Security Risk Consultant

• Developed test plans and testing procedures, and documented test results and exceptions.

• Identified and documented gaps, conducted walkthroughs, and developed remediation plans for each area of testing.

• Identified, tracked, and assisted with mitigation strategies for reporting security findings.

• Monitored and tracked global privacy and data protection regulatory frameworks.

• Participated in developing and maintaining policies regarding Enterprise Holdings' data life cycle management for customer and employee data.

• Collaborated with legal, risk management, internal audit, and compliance and ethics departments to align compliance efforts and strategies.

• Provided privacy assistance and subject matter expertise on privacy, data protection, and data governance issues as they relate to contract requirements and the evaluation of new technologies, applications, or processes.

• Supported development and communication of employee training and awareness programs to promote Enterprise Holdings' data governance policies and best practices.

TECHNOLOGIES & TOOLS

• GRC Platforms: eMASS, Archer, GRC RiskVision

• Security Tools: Nessus, Qualys, Splunk

• Platforms: AWS, Azure, SharePoint, ServiceNow

• Compliance Frameworks: NIST SP 800 series, FISMA, CMMC, FedRAMP, PCI DSS, SOX, SOC 2
