Tim Morrison

Governance Manager, Data and Security at Wings Financial Credit Union
Contact Information
us****@****om
(386) 825-5501
Languages
  • English -

5.0 / 5.0, based on 2 ratings


Sairam Varma Datla

Tim is technically strong and astute Information Security Proficient. He is a hard-working, detail-oriented manager. His abilities to guide, coach and lead the team members are excellent and always logical with amazing friendly attitude. He always strives to get the best quality output from the engagements / projects he works on. His dedication towards work makes him far more superior than his peers. He is a performing asset to any organization. His vast Information Security & Risk Management knowledge always put him on top. It's a privilege to work with Tim and learnt many things professionally and personally. In addition, he is a very good sprinter who jogs for good amount of physical fitness on daily basis, even in his world tour :-)

Ashish Vashishtha

Tim is a fantastic mentor and has excellent people skills and the ability to interface with senior executives to identify business risk and define/implement security strategies. Tim is a great communicator and a valued contributor to Information Security team. His business acumen along with understanding of information security issues is well appreciated. He has been a top performer in all his roles. He is a true catalyst. His excellent communication and interpersonal skills allow him to work seamlessly and effortlessly across cultural boundaries.


Credentials

  • Certified Information Security Manager
    ISACA
    Dec, 2015
    - Oct, 2024
  • Certified Information Privacy Professional
    -
  • Certified Information Privacy Professional - Government
    -
  • Certified Information Systems Auditor
    -
  • Certified Information Systems Security Professional
    -

Experience

    • United States
    • Banking
    • 100 - 200 Employee
    • Governance Manager, Data and Security
      • Mar 2021 - Present
    • United States
    • Financial Services
    • 700 & Above Employee
    • Business Risk and Controls Manager
      • Jun 2019 - Mar 2021

      Manage the Information Security Policy Management (ISPM) Security Baseline team to facilitate the creation and maintenance of security baselines, provide policy guidance for security baselines, and assist partners in closing audit and regulatory issues
      • Supported the closure of high priority issues through the publication of security baselines and working with partners to overcome challenges
      • Developed 3-year strategic roadmap focused on continuous improvement of the team
      • Directed documentation efforts to create security baseline process narrative, operating procedures, and training materials which resulted in a sustainable repeatable process
      • Oversaw the timely completion of annual reviews for over 300 security baselines for multiple technologies
      • Worked with product owners, subject matter experts, and information security to ensure security baselines for products and technologies were appropriately documented
      • Orchestrated the hiring, coaching, and development of 7 team members with a strong focus on customer partnership and operational execution
      • Prepared and responded to audit requests related to security baseline process
      • Identified, wrote business requirements, and implemented enhancements to internal GRC tool that improved reporting and team productivity

    • Financial Controls and Oversight Manager
      • Feb 2018 - Jun 2019

      • Identified, wrote business requirements, and implemented enhancements to internal GRC tool that saved the testing teams hundreds of data entry hours
      • Developed and delivered 8 custom modules of GRC tool training to IT COSO team members
      • Establish resource scheduling process for a mix of onshore and offshore testers which minimized unproductive time to under 10% of available testing time
      • Managed completeness and accuracy of COSO significant application matrix (400+ apps) and responsible for publishing of SAM on quarterly basis
      • Collaborated with all levels across the IT COSO team to identify process improvements and cost savings to ensure we operate efficiently and effectively.
      • Directed the development of ITGC scoping database to improve reporting and demonstrate appropriate coverage for COSO applications and assets
      • Managed a team of 7 professionals geographically dispersed across Wells Fargo footprint with a strong focus on service excellence and quality

    • Operational Risk Manager
      • Jul 2015 - Feb 2018

      • Oversaw a team of IT risk professionals focused on IT General and IT Application control assurance and quality assurance work.
      • Directed quality assurance reviews of testing work papers, test plan documenting, and IT control maintenance activities for SOX404 Compliance for over 800 technology general and application controls.
      • Partnered with key risk team members across Wells Fargo risk first and second lines to facilitate improvements in risk management activities
      • Orchestrated the hiring, coaching, and development of team members.
      • Collaborated with teams in technology, information security, and corporate property management to accomplish Northern Operations Center (NOC) data center walkthrough as part of IT SOX Audit.
      • Aligned objectives with Issue Management department, providing credible challenge for control design issues & deficiencies, vetting potential issues, and gaining understanding of Issue Management Policy.
      • Navigated offshoring activities of Quality Assurance team, such as risk assessment of assessed data, identifying work opportunities, and training of offshore resources for quality assurance processes.
      • Provided credible challenge and advice to improve controls & control design, e.g. job scheduling, change management, backup & restoration, segregation of duties, logical access, and privileged access controls.
      • Archer GRC Platform Lead (e.g. Shared Risk Platform (SHRP)) for IT COSO department. Coordinating IT COSO activities including UAT and identification of tool enhancements to improve processes, reporting capabilities, and account for functional process requirements
      • DEA-QA Lead for IT COSO Offshoring. Identified categories of work for offshoring opportunities. Responsible for ensuring the training of offshore resources for DEA-QA processes.

    • Mexico
    • Appliances, Electrical, and Electronics Manufacturing
    • 1 - 100 Employee
    • Manager, Information Risk Management, Third Party Security Assessments
      • Oct 2014 - Jul 2015

      • Hired as subject matter expert in information security and third party risk management for vendor security assessment teams.
      • Headed a team of 4 analysts in conducting security & privacy assessments for third parties with a focus on security policies, procedures, and information security program.
      • Re-established Risk Based Vendor Onsite Program for Critical Vendors.
      • Identified 30 business critical vendors and proposed criteria for performing data center assessments, walkthroughs, physical security, and security program assessment.
      • Examined third parties to ensure information security controls focused on vulnerability assessment and remediation.
      • Organized and facilitated analyst training for the onsite program and proper execution of the program
      • Pioneered Remediation of 300+ open findings within 6 months of hire, working with analysts and partners to quickly identify and resolve open gaps.
      • Launched an Offshore Vendor Re-Assessment Program with the ability to conduct 750 re-assessments per year; guided program, managed quality assurance, and functioned as escalation point of contact.
      • Trained resources on assessment processes in collaboration with consulting partner firms.
      • Assembled Vendor PCI Compliance sub-team and worked closely with third parties and internal compliance teams to meet PCI Compliance obligations and requirements.

    • United States
    • Hospitals and Health Care
    • 1 - 100 Employee
    • Manager - Security Incident Handling
      • Dec 2013 - Oct 2014

      - Managed a team of 5 (five) Security Incident Analysts responsible for delivering and managing SIEM outputs
      - Improved security controls on Palo Alto, Checkpoint, and Cisco Intrusion Prevention (IPS) platforms
      - Led initiatives to improve the security of outbound Internet access utilizing Palo Alto firewall controls
      - Directed work on proactive security measures including development of RSA Security Analytics SIEM alerts
      - Directed deep security analysis efforts based on customer and project requests. Examples include: geo-traffic analysis for blocking purposes and firewall rule remediation analysis
      - Improved FireEye, Palo, Antivirus metrics and monthly reporting of incident handling team through the use of six sigma concepts
      - Partnered closely with Incident Response and Security Operations to provide escalation support for incidents
      - Worked closely with platform management, firewall management, and Information Risk Management teams to improve security controls across the environment
      - Presented security recommendations to senior leadership including Vice President and CISO level leadership
      - Gained knowledge of following security controls/platforms – FireEye, Security Analytics, Palo Alto, Cisco IPS

    • Italy
    • Wholesale
    • 1 - 100 Employee
    • Lead IT Auditor
      • Oct 2012 - Dec 2013
    • Real Estate
    • 1 - 100 Employee
    • Professional Sabbatical (Global Travel for 1 year)
      • Oct 2011 - Oct 2012

      • Fulfilled a dream of extended travel for 1 year by visiting 14 countries
      • Trekked Mt. Kilimanjaro, Africa’s highest Mountain
      • Trekked Inca trail in Peru
      • Spent 6 weeks learning how to speak Mandarin Chinese
      • Experienced multiple cultures including Asia, South America, the Middle East, and Africa
      • Tried new activities including skydiving and bungee jumping
      • Maintained information security knowledge and awareness through IAPP email subscriptions and contact with professional colleagues

    • Manager, Information Risk Management, Third Party Risk Management
      • Jun 2010 - Sep 2011

      - Provide subject matter expertise related to Third Party risk management Information Security issues to business, procurement, and Information Risk Management leadership
      - Responded to and provided advice regarding information security incidents at third parties
      - Led a team of 4 offshore contractors conducting risk assessments for American Recovery and Re-investment Act compliance reviews
      - Knowledge of multiple applicable healthcare and banking regulations - GLBA, HIPAA, Hi-TECH

    • Senior IT Risk Analyst
      • Jan 2009 - Jun 2010

      - Led efforts to streamline, develop, and enhance third party risk management methodology
      - Refined Risk analysis and stratification methodology
      - Conducted remote and on-site Third Party reviews based on ISO27001 framework

    • Professional Services
    • 700 & Above Employee
    • Senior Associate
      • Aug 2008 - Jan 2009

    • Consultant
      • Aug 2004 - Aug 2008
