
Information Security Risk Management

Location:
Central Park, NC, 27701
Posted:
July 26, 2024


Resume:

PROFILE

Detail-oriented and experienced Information Security professional with extensive expertise in managing an Information Security Management System (ISMS), developing IT policies, and ensuring compliance with ISO/IEC 27001, SOC 2, PCI-DSS and related standards. Holds the Certified Information Systems Security Professional (CISSP) certification, with a proven track record of enhancing security protocols and governance in fast-paced environments. Seeks to leverage risk management, compliance expertise, and strong interpersonal skills to contribute to your organization's security and operational excellence.

EXPERIENCE SUMMARY

Experience with IT compliance frameworks, requirements, and regulatory standards (PCI, NIST CSF, SOC 2, ISO 27005, GDPR, HIPAA).

Hands-on experience performing third-party/vendor risk assessments.

Hands-on experience with ISO 27001 readiness and implementation.

Hands-on experience with SOC 1 & 2 readiness and implementation.

Hands-on experience with PCI-DSS readiness and implementation.

Hands-on experience reviewing and developing corporate security policies, procedures, and best practices.

Experience performing risk assessment and management and developing mitigation strategies.

Experience facilitating security audits and remediating security audit findings.

Demonstrated ability to manage complex and demanding stakeholder expectations and relationships by building effective working relationships with various clients and industries.

PROFESSIONAL EXPERIENCE

KPMG VA, US Apr 2021 – Present

Sr. Audit Security Governance Lead - GRC

Governance:

Led and advised on gap closure strategies after conducting internal audits, reinforcing the organization's control frameworks.

Reviewed and updated Information Security policies and procedures, working with policy owners to improve governance.

Improved operational consistency through the creation of comprehensive documentation, such as playbooks, procedures, and standards.

Led various process improvements across the GRC function.

Risk:

Conducted annual Risk Assessments and authored risk reports with strategic recommendations.

Conducted third-party risk assessments based on vendor criticality.

Managed and was accountable for the organization's risk register.

Directed the justification for risk acceptance, including the development and presentation of a business case.

Managed the execution of ASV Scans and Penetration testing, ensuring all remediation activities were completed promptly.

Tracked, documented, and collaborated with teams to address compliance gaps, ensuring risk mitigation measures were effectively implemented.

Managed the vulnerability management process, beginning with conducting vulnerability scans.

Compliance:

Coordinated with external auditors and stakeholders during compliance audits, ensuring smooth collaboration and validation.

Led the annual SOC 2 and ISO 27001 audit readiness, aligning operations with best practices and standard requirements.

Led IT risk assessments and internal PCI-DSS audit readiness, using tools to identify and mitigate threats.

Managed third-party auditors, security questionnaires, and vendor risk assessments during procurement and service delivery, ensuring compliance with relevant standards.

Led PCI-DSS internal audits and ensured that compliance gaps were addressed in a timely manner.

Contributed to compliance audits and inspections, advising on remediation activities and ensuring accurate documentation and reporting.

Led the security awareness training program.

Deloitte Atlanta, US Jan. 2019 – Apr. 2021

Sr. Information Security and Compliance Specialist

Risk:

Performed third-party risk assessments and ensured process improvement within the Third-Party Risk Management (TPRM) program.

Conducted risk assessments and supported stakeholders in determining the appropriate treatment for identified risks; identified and implemented action plans for risk remediation.

Assessed risks and internal control dependencies on systems, identifying areas of non-compliance and evaluating risks associated with key technology processes.

Conducted and reviewed business impact analyses and coordinated disaster recovery planning and exercises as required.

Compliance:

Led internal and external audits for ISO 27001, SOC 2, and PCI-DSS; organized meetings with Subject Matter Experts (SMEs) and liaised with auditors; gathered and reviewed documentation; collaborated with SMEs and auditors to address and remediate identified issues.

Led quarterly compliance evidence collection using the GRC tool, ensuring the accuracy, completeness, and timeliness of the evidence provided.

Managed compliance maturity by creating necessary documentation, such as processes and runbooks; identified methods to detect control gaps and conducted control monitoring; developed metrics for management reporting.

Developed action plans and collaborated with internal teams to address and close security control gaps.

Conducted IT compliance reviews, including user access reviews, risk assessments, monitoring control objectives, and third-party assessments.

Assisted in creating and maintaining the information security risk register, managing audit requests, and evaluating third-party consultant/vendor assessments.

Oversaw security awareness and training programs for employees to ensure they are informed about cybersecurity practices and policies.

PWC Fayetteville, US Oct. 2017 – Jan. 2019

Governance, Risk and Compliance Specialist

Governance:

Developed, evaluated, and implemented corrective measures to address audit findings, liaising with IT process owners, as part of establishing and maintaining governance structures and practices.

Led the enhancement of the Information Security user training and awareness program, promoting a culture of risk management and reinforcing governance through education and behavior modification.

Developed and reviewed policies and procedures to fulfil annual audit requirements.

Risk:

Championed various IT risk assessments, collaborating with stakeholders to implement mitigation measures, crucial for identifying and managing risks effectively.

Coordinated with business units to define RTOs and RPOs based on Business Impact Analysis (BIA), a key activity in risk management to ensure that potential impacts to business operations are understood and mitigated.

Coordinated vulnerability remediation efforts, tracking progress and risks, and proposing strategic improvements, directly addressing the identification and mitigation of risks to the organization's assets.

Led vendor due diligence activities, including contract reviews and security assessments, to ensure third-party compliance with contractual obligations and security standards, a key compliance activity to manage third-party risks.

Compliance:

Ensured evidence collection and compliance with SOC 1, SOC 2, PCI-DSS, and ISO 27001 during internal and external audits, a core aspect of compliance to verify that the organization meets required standards and regulations.

Conducted annual and bi-annual reviews of third-party vendor assurance processes, a compliance activity to ensure that vendors continuously meet the required security standards and contractual obligations.

Implemented follow-up procedures using GRC Archer for addressing audit findings and assessing corrective actions, ensuring that compliance issues are resolved and improvements are documented and tracked.

Deloitte Sep. 2011 – Sep. 2017

Business Analyst

Assumed the role of the finance lead on the implementation of a new record keeping system for 401k plans. Developed accounting models for the new mutual fund product, defined transaction rules and functional specification for the integration of the new record keeping system with the Lawson general ledger.

Defined business rules for the Lawson general ledger system on the integration with the record keeping system.

Developed test cases and test procedures based on the design specification document.

Responsible for test deliverables, status reporting to management and issue escalations.

Defined interface requirements between the new record keeping system and treasury system.

Performed data mapping from the general ledger to the new mutual fund system.

Consulted with Treasury unit to define policies around disbursement, contribution, and money movement & reconciliation to integrate with the new record keeping system to streamline and improve current procedure.

Mapped out the cheque process from receipt of cheques to electronic transmission to the receiving bank, eliminating bottlenecks for maximum efficiency.

Worked on the integration of the existing tax system with the new record keeping system for the calculations of federal and state withholding tax remittance to the IRS.

Organized joint sessions with Compliance and other business stakeholders to define requirements for AML name matching and alert status in the Bridger verification system.

Reviewed and updated operational manuals (SOPs), prepared documentation and facilitated training sessions for team to ensure smooth transition to new system.

EDUCATION & CERTIFICATIONS

MSc Construction Project Management – Edinburgh Napier University, Scotland

Certified in Risk and Information Systems Control (CRISC)
