Kevin P. Fallon CISM, CTPRP, MBA
Manager, Governance Risk and Compliance
*******@*****.*** • 570-***-****
LinkedIn • 17 Stone Brook Circle,
Hockessin, DE 19707
PROFESSIONAL SUMMARY
GRC & Information Security professional with 19+ years delivering high-impact consulting engagements across financial services, technology, and healthcare sectors. Proven expertise in designing and implementing enterprise Governance, Risk, and Compliance frameworks aligned with ISO 27001, SOC 1/2, PCI DSS, NIST 800-53, HIPAA, HITRUST, and FedRAMP. Skilled at rapidly assessing client environments, identifying control gaps, and delivering actionable remediation roadmaps that achieve compliance and strengthen security posture. Demonstrated success partnering with C-suite executives, audit teams, and cross-functional stakeholders to enable secure business transformation, regulatory readiness, and continuous risk management.
CORE CONSULTING COMPETENCIES
Compliance & Audit Readiness
Framework Implementation
SOC 1, SOC 2 Types I & II preparation and execution
ISO 27001 ISMS design & implementation
PCI DSS, HIPAA, HITRUST compliance programs
NIST 800-53, NIST CSF, CIS Controls alignment
Risk Assessment & Management
Control Optimization & Testing
Enterprise & application-level risk assessments
Control mapping, gap analysis & remediation planning
Third-Party Risk Management (TPRM)
Control testing & validation (SOC, PCI, ISO)
Program Development & Maturation
IAM & Access Governance
Policy, standards & procedures development
SailPoint, Azure AD, access reviews & provisioning
GRC tool implementation (Fusion, Onspring, Jira)
BCDR governance & resilience testing
Issue management & corrective action plans (CAP)
Executive risk reporting & KRI/KPI dashboards
PROFESSIONAL EXPERIENCE
Infrastructure Audit and Compliance Manager
AmeriHealth Caritas, Newtown Square, PA January 2026 - Present
Lead comprehensive GRC consulting services for healthcare infrastructure during major organizational divestiture, managing SOC 1/2, HITRUST, HIPAA, and MAR audit programs.
Direct multi-framework compliance program spanning SOC 1, SOC 2, HITRUST, HIPAA, MAR, and HEDIS/LTSS audits across complex healthcare IT infrastructure.
Conduct comprehensive gap assessments against NIST, COBIT, and ISO 27001 frameworks, delivering prioritized remediation roadmaps to executive leadership.
Design and implement corrective action plans with cross-functional stakeholders, tracking regulatory compliance through complex organizational transformation.
Partner with internal audit, legal, risk management, and external auditors to ensure continuous compliance monitoring and regulatory readiness.
Senior Information Security Risk Analyst – IAM/GRC (Contract)
DuPont Specialty Products, Wilmington, DE May 2025 - December 2025
Delivered specialized GRC consulting services during large-scale corporate divestiture, implementing ISO 27001 ISMS and strengthening IAM governance across enterprise applications.
Architected and implemented ISO 27001-aligned Information Security Management System from ground up, including policy framework, risk registers, control documentation, and audit readiness procedures.
Led enterprise-wide compliance initiatives aligned to SOC 2, NIST, and internal control frameworks, conducting control testing, evidence collection, and remediation validation.
Executed comprehensive application and enterprise-level risk assessments, managing findings through complete issue lifecycle to closure with documented remediation evidence.
Strengthened Identity & Access Management governance through access control testing, provisioning standards development, and periodic user access review programs.
Senior Third Party Cyber Risk Analyst (Contract)
TD Bank, Mt. Laurel, NJ February 2025 – May 2025
Provided specialized third-party risk consulting to address regulatory Matters Requiring Attention (MRAs), conducting vendor assessments aligned with banking regulatory frameworks.
Delivered governance oversight for Third-Party Cyber Risk Management program supporting regulatory MRA remediation efforts across financial services portfolio.
Conducted vendor risk assessments, control testing, and due diligence aligned with GLBA, SOX, NIST 800-53, and internal banking risk frameworks.
Evaluated inherent and residual risk across vendor portfolio, validating remediation plans and ensuring timely issue closure with documented evidence.
Developed and presented executive KRI/KPI dashboards to senior management, enhancing risk transparency and enabling data-driven decision-making.
Third Party Cyber Risk Program Manager
Best Egg, Inc., Wilmington, DE 2021 – 2024
Built and matured enterprise Third-Party Cyber Risk Program from inception, establishing foundational GRC frameworks and achieving SOC 2 and PCI DSS certifications for fintech organization.
Designed and implemented comprehensive GRC framework spanning ISO 27001, NIST 800-53, SOC 2, and PCI DSS, establishing control mapping and continuous compliance processes.
Led SOC 2 Type II and PCI DSS audit readiness initiatives, coordinating evidence collection, control testing, and audit response management resulting in successful certifications.
Improved audit remediation closure rates by 25% through implementation of structured issue management and corrective action tracking systems.
Implemented and optimized enterprise GRC tooling (Fusion Risk Management, Onspring, Jira) to automate vendor assessments, issue tracking, and compliance reporting.
Designed executive-level risk reporting framework including KRIs, KPIs, and compliance dashboards, serving as a trusted advisor to senior leadership and board committees.
Information Security Specialist for GRC & IAM
Best Egg, Inc., Wilmington, DE 2017 – 2021
Developed foundational security governance programs including policy frameworks, IAM governance, and continuous compliance monitoring aligned to ISO 27001, NIST, and SOC 2.
Established information security policy framework aligned to ISO 27001 and NIST standards; led IAM governance using SailPoint and Azure AD including access reviews and provisioning automation; managed enterprise risk registers and conducted risk assessments supporting continuous compliance activities.
Additional Security & Compliance Experience
Information Security Analyst & Technical Writer, Best Egg (2015-2017)
Data Security Analyst, Decision Data Company (2015)
Compliance Analyst, JP Morgan Chase (2014-2015)
Engineered ISO 27001-aligned ISMS; managed IAM governance and regulatory compliance workflows; conducted FINRA and SEC complaint investigations and remediation documentation.
EDUCATION & CREDENTIALS
Master of Business Administration: Information Security Northcentral University
Bachelor of Arts: Crime, Law, and Justice Pennsylvania State University
Professional Certifications:
Certified Information Security Manager (CISM), ISACA 2020 - Current
Certified Third Party Risk Professional (CTPRP), Shared Assessments 2024 - Current
Security+ (CompTIA)