
Rut

Glen Burnie, Maryland

THIRD-PARTY RISK MANAGEMENT / SECURITY CONTROL ASSESSOR

Profile Summary

Highly organized third-party risk management/security control analyst with years of experience
assessing IT vendors' security posture to ensure they stay compliant, and taking new vendors
through the due diligence process to determine the inherent and residual risks that vendors will
bring to the organization for the engagement. Familiar with frameworks such as the NIST 800 series,
ISO 27001, and PCI DSS. Able to effectively review security documents, i.e., SSAE 18 (SOC 1,
SOC 2) reports, penetration test reports, and security policies.

Career Summary
• Experienced in NIST Risk Management Framework (RMF) and Cyber Security Framework
(CSF)
• Conducted Information Security Audits & Assessments & Compliance
• Expertise in Risk Management and Assessment
• Experienced in Continuous Monitoring
• SOC Report
• Information security documentation
• Vulnerability Management
• Contingency Planning & Disaster Recovery
• Maintained and revised policies for the organization
• Ensured information security compliance with federal regulations.

Experience

WR Berkeley 06/2021-Current
Morristown NJ
• Performs risk identification, and data and business control gap analysis.
• Analyzes available artifacts and performs a gap analysis of what is missing or incomplete.
• Helps to define success criteria for compliance across business process data documentation.
• Assists with development of collateral, tools, and templates for the Cyber Resilience
Consulting Practice.
• Implements the Cybersecurity Framework (CSF) and develops security controls.
• Develops system security plans, security documentation, and vulnerability remediation plans.
• Conducts security control evaluations and remediates security gaps.
• Reviews policies and procedures to make sure they are in compliance with company
requirements.
• Identifies security vulnerabilities and works with technical teams to remediate findings.
• Supports system audits and remediates audit findings and recommendations.
• Monitors systems against unauthorized access using Splunk.
• Presents audit and assessment reports to management.
• Develops system compliance guidelines.
• Applies the NIST SP 800-53 controls to systems to improve security posture.
• Reviews Nessus and database scans, penetration and web application testing, and develops
remediation plans with the patch team and closes findings.
• Conducts controls self-assessments, identifies control gaps, and sends them to the patch team
for patching.
• Completes risk assessments on multiple information systems using NIST SP 800-30.
• Engages in security control audits and assessments and responds to auditors' requests.
• Investigates security vulnerabilities and develops remediation plans.
• Conducts continuous monitoring of systems and applications and reviews documentation,
system scans and tests, and system vulnerabilities to make sure security controls are in
compliance.

THIRD PARTY RISK ANALYST | 04/2017 - 05/2020

Becton and Dickinson
San Antonio
• Analyzed vendor engagements by requesting the business unit (Business Requester) to
complete the initial vendor information gathering document (Inherent Questionnaire).
• Identified and used risk drivers to determine the overall potential inherent risk of the
engagement.
• Established the inherent risk for an engagement and initiated the vendor security
questionnaire (SIG).
• Reviewed the vendor's information security questionnaire responses, independent auditor's
reports, and all security artifacts requested or provided by the vendor.
• Performed gap analysis of the vendor's information security posture, using the security
questionnaire responses and independent auditor's reports on the vendor's information
security posture.
• Completed and submitted risk assessment reports to management in an understandable manner
for review and risk decision-making.
• Effectively worked with business-side users and vendors' POCs to resolve issues identified
in the assessment process.
• Provided support for evaluating vendor security practices, including reviewing security
assessment questionnaires and attestations/bridge reports that substantiate vendor responses
to findings.
• Performed tracking and monitoring of the state of each due diligence review and
communicated with the Relationship Manager (RM) to obtain missing artifacts promptly to
facilitate the due diligence process.
• Constantly upgraded suppliers' questionnaires to ensure they meet the test of time.
• Escalated issues of non-compliance to management for action and management risk
decisions.
• Used tools such as RSA Archer/JIRA to ensure secure and prompt communication of
findings and deployment of questionnaires to the vendor, and to track vendor progress on
remediation.
• Performed continuous monitoring by assessing tools during onsite visits to validate the
security questionnaires filled out by the vendors and ensure the protection of data at the vendor
sites.
• Reviewed corrective action plans (CAP), validated remediation controls, and followed up on the
remediation process.
• Ensured assessments and remediation plans were progressing through the process and meeting
our Service Level Agreements.

IT AUDITOR/COMPLIANCE | 03/2015 - 03/2017

Merrill Lynch
Pennington, NJ
• Performed assessments of IT General Controls (ITGC) such as Access Control, Change
Management, IT Operations, Disaster Recovery, and Job Scheduling.
• Identified gaps and recommended ways to reduce threats and vulnerabilities.
• Assisted other Internal Auditors in completing IT components of audits and applying
computer-assisted audit techniques.
• Conducted kick-off meetings to collect system information and documentation for
engagements.
• Provided support for SOX audits and related activities such as planning and conducting
periodic User Access Reviews, business and IT process walkthroughs, and evidence
management.
• Assisted with the ongoing management of the compliance audit strategy and program; worked
with key compliance staff to identify and remediate cybersecurity risks in a timely fashion.
• Communicated audit progress and results to both department and business unit management,
both verbally and in presentations.
• Analyzed the short- and long-term effectiveness of IT security controls implementation.
• Reviewed internal policies and procedures and existing laws, rules, and regulations to
determine applicable compliance and the adequacy of underlying internal controls.
• Prepared Security Assessment and Authorization packages to determine that management,
operational, and technical security controls adhere to NIST SP 800-53 standards.
• Developed risk assessment reports to identify threats and vulnerabilities.
• Coordinated special projects such as Segregation of Duties (SOD) and SOX compliance audits.
• Documented control weaknesses related to testing exceptions and assisted in preparing draft
audit reports to communicate findings and recommendations to senior management.
• Assisted in the development of appropriate information security policies, standards, procedures,
checklists, and guidelines using recognized.
• Performed risk assessments on information systems using NIST SP 800-30 and implemented
security controls to mitigate risks.
• Developed incident response plans and investigated security logs and alerts.
• Worked closely with the security operations center, Legal, and Loss Prevention teams to support
security incident management.
• Provided investigation findings to relevant business units to help improve information
security.
• Conducted contingency and disaster recovery tabletop exercises and functional tests.
• Completed system categorization using FIPS 199 and determined system impact.
• Reviewed vulnerability scan results and applied security patches to the information systems.
• Evaluated system security plans and updated them with system changes and security controls.
• Collaborated with technical and threat intelligence analysts to provide indications and
warnings, and contributed to predictive analysis of malicious activity.

References

Available upon request
