IT Risk & Audit consultant with a profound understanding of operational and IT-related controls to mitigate associated risks. 5 years of applying the NIST Risk Management Framework (RMF). Focused on monitoring the IT security environment to immediately detect, verify and respond swiftly to cyber threats. 4 years of experience in executing the formulation of the Security process relative to threat intelligence, security monitoring, security automation, security awareness as it pertains to security monitoring, Third-Party Security Assessment, compliance, IAM. Career highlights in client services, business-facing, and operational experience.
Service Now Nessus RSA Archer Jira Process Unity Risk Recon Microsoft Office Product SharePoint
Skills
TECHNICAL SKILLS
Work History
Information Security Analyst, 01/2021 to 11/2021 Amalgamated Bank – Washington, DC,
27001: 2013, ISO/IEC 27002: 2013 ISO/IEC 27005: 2018 (Information technology - Security techniques - Information security risk management) ISO/IEC 19011: 2018 (Guidelines for auditing management systems) ISO/IEC 31000:2011 (Risk management — Principles and guidelines) Federal Information Processing Standards (FIPS) 199 and 200 and National Institute of Standards ISO 27001/ISO 27002
Obtaining Security +|Public Trust clearance, Resolved up to 93% requests from remedy system and 37% reduction of work load within two months of service
Manage responses for all clients’ cyber security risk assessments while building an audit repository log for the whole IT department and for the CIO/CTO to review the records of responses to risks events
Conduct formal end-to-end Information Security Risk Assessments (review of questionnaires, third-party security audit reports, and evidence)
Work together with the TPRM team and stakeholders to review the assessment and escalate any issues
Conducted meetings with of approved vendors for penetration testing, threat analysis, and vulnerability management vendors and reassess the findings based on their risk rating
Assist in the development and implementation of security policies and procedures for the firm sub-processes, IT systems, other applicable guidelines to meet the client's processes and controls (e.g., user log-on and authentication rules, security breach escalation procedures, security auditing procedures, and use of firewalls and encryption routines)
Independently evaluated the client's business goals and improve the effectiveness of my role in risk management, compliance, and governance processes according to the policy standards
Reviewed contracts and agreements to identify potential risks and ideal mitigation strategies that are relevant to the scope of the audit, the identified business objectives, and specific controls
Senior IT Risk Auditor, 07/2019 to 02/2021 Pennsylvania Higher Education Assistance Agency – City, STATE,
Cyber Security experience in the understanding of PAM (Privileged Access Management), IAM Governance and Database Security
Working with audit engagement workflow diagrams, defining use cases, and standards documentation
Experience working with Security Engineers, IT Operations, and Infrastructure Engineers on use cases and gathering requirements (evidence collection)
Experience raising tickets, reviewing, scrubbing, and preparing evidence for review and sharing with auditors, triage auditor follow up
Independently evaluated the client's business goals and improve the effectiveness of my role in risk management, control, compliance, and governance processes
Maintained a Risk Consideration log for the department, and the business unit reviewed the records of risks, events, and considerations notes through the course of walkthroughs
Performed day-to-day support in ITGC Remediation (i.e., Appropriateness of access, seg
Of duties, privileged user accts., & BCP) on Application/Process specific integrated audits
Supported activities on Information financial statement audits and reviews for financial institutions, investment advisors
Interviewed system owners /ISSOs to ensure compliance with all systems security requirements and updates, providing guidance and instruction as necessary to the existing personnel; resulted in financial data that was analyzed to verify the accuracy and integrity of the information
Followed the Sarbanes-Oxley Act to expand mandated internal controls reports and disclosures to include cyber-security systems and risks of publicly traded companies
Experience using ticketing systems for tracking (JIRA, Remedy, ServiceNow, Archer, Process Unity, Risk Recon etc.)
IT Security Control Assessor, 07/2017 to 07/2019 Wolf & Company P.C – City, STATE,
My team and I meet with stakeholders for an ASSESSMENT KICK-OFF MEETING to gather all necessary info on the system to be assessed
For example, if there is a previous assessment report, any new changes with controls being assessed, the current security state of the system
After that, we develop the SAP to be presented for review and approval
After approval, my team and I will go ahead and do the assessment using the Examine, Interview, and Test method with NIST 800-53Ar4 as a guide to check for effectiveness of the controls, whether they are operating as intended, correctly, and producing the desired outcome
We then document all the findings in the SAR with all the required recommendations on how to mitigate them
The findings that were identified from the SCAN report (NESSUS) are then categorized into their RISK RANKING and then POAM is created to mitigate them
E.g
Of controls: AC-7, AC-11, RA-5
Work with clients to test for compliance with various prevailing regulatory laws, requirements, and standards including but not limited to Sarbanes-Oxley Act of 2002, NYDFS, Cloud Security Framework, General Data Protection Requirement (GDPR), COBIT 5, PCI DSS, ISO 27001, HIPAA, California Consumer Protection Act (CCPA), RMF-NIST, etc
Supported activities for Information Security Continuous Monitoring (ISCM), in compliance with NIST SP 800-171 controls within the Risk Management Framework
Certified/validated items uploaded into the POA&M tracking tool in Word/Excel in support of remediated findings
Revised security assessment reports (SAR) and the authority to operate (ATO) were within their 3-year lifespan, alongside making sure the system’s POA&Ms were closed or updated
Hands-on Certification and Accreditation/SAA experience and implementation status for both new and existing systems
Analyzed the results Firewall to correct any identified weaknesses/vulnerabilities such as missing patches, weak password settings, weak configurations from retention of temporary privileged accounts, or the system's default account
Education
Bachelor of Science: , Expected in Lincoln University - , GPA:
Master of Science: , Expected in University of Delaware - , GPA:
Certifications
Certified Authorization Professional Certification (CAP) - ISC2 (IAM Level I) – Certification #: 1028400
Certified Information Systems Auditor (CISA) – ISACA (IAM Level III) - Certification #: 20169433
Resumes, and other information uploaded or provided by the user, are considered User Content governed by our Terms & Conditions. As such, it is not owned by us, and it is the user who retains ownership over such content.
