Jim Walker, CPA, CIA, CISA, CISM, CFE

Senior Information Technology Security Consultant at WSP Global
Contact Information
us****@****om
(386) 825-5501
Location
Jupiter, Florida, United States, US

Experience

    • United Arab Emirates
    • Public Relations and Communications Services
    • 1 - 100 Employee
    • Senior Information Technology Security Consultant
      • May 2023 - Present

      Preparing a client subsidiary for ISO 27001:2022 certification: writing the ISO 27001 clause documentation and ISMS Manual; completing the Statement of Applicability; developing the IT Risk Policy and Standard; reviewing and improving the IT Risk Model and risk assessment process; developing and implementing the new controls required by ISO 27001:2022, including a Threat Intelligence Program and Policy (control 5.7); and assisting the client in developing and updating its information security roadmap.

    • United States
    • IT Services and IT Consulting
    • 700 & Above Employee
    • IT Cyber Security Controls Consultant
      • Nov 2021 - Feb 2023

      United States
      Performed cybersecurity framework assessments for a range of Verizon clients, including the following:
        • A HIPAA Security Rule Assessment for a regional healthcare system
        • An ISO 27001 Security Standard Assessment for a Fortune 500 data storage and data management corporation
        • A NIST Cybersecurity Framework (CSF) Assessment for an international subsidiary of a major information technology corporation
        • A NIST Cybersecurity Framework (CSF) Assessment for an agency within the Commonwealth of Pennsylvania
        • A Federal Reserve Bank (FRB) Security Program Assessment (SPA) of a major bank's technology controls around Federal Reserve Bank services and access

    • Cyber Security & IT Risk Consultant
      • Feb 2021 - Sep 2021

      Raleigh, North Carolina, United States
      Provided IT Risk and Compliance services. Assisted in tracking, monitoring, and reporting Cyber Security KRIs. Prepared an IT Risk Assessment model and procedures.

    • IT Consulting Director
      • Jan 2020 - Jan 2021

      Providing a wide range of consulting and advisory services.

    • United States
    • Insurance
    • 700 & Above Employee
    • IT SOX Audit & Security Consultant
      • Feb 2019 - Aug 2019

      Tampa, Florida, United States
      Performed gap analysis of IT controls and processes for completeness and effectiveness, and made recommendations. Prepared requirements definitions, use cases, and input/output requirements for the SOX framework implementation. Conducted risk assessments of the SOX IT controls in place and performed controls testing. Performed IT process walkthroughs; developed process narratives, process flows, and controls documentation. Worked with IT process owners to develop remediation plans for control deficiencies. Performed assessment and testing of Information Security and Data Privacy controls for HITRUST CSF annual certification. Made recommendations to improve risk management practices. Performed reviews of cyber security tools (implementation, configuration) including CyberArk, SolarWinds (SEM), Splunk, Firepower, ForcePoint, SailPoint, AD Audit Plus, and ServiceNow.

    • United States
    • Airlines and Aviation
    • 300 - 400 Employee
    • IT Audit Risk Security Consultant
      • Aug 2018 - Feb 2019

      Detroit Metropolitan Area
      Led and conducted an ISO 27001 compliance audit of information security critical controls. Performed risk assessments, prepared the audit program and procedures, gathered evidence, and performed audit testing. The audit covered: IT asset inventory management; vulnerability management; secure configuration management; data protection and privacy; malware defenses; email and web browser protection; audit log maintenance, monitoring, and analysis; data recovery and backups; boundary defense; SIEM; application security; security awareness training; wireless access control; secure configuration of network devices; network ports, protocols, and services security; and access controls. Performed a PCI DSS controls review including risk assessment, control owner interviews, walkthroughs, and audit evidence gathering and testing. Wrote up audit findings and the audit report, and presented them to management. Worked with IT process owners to develop remediation plans for identified control deficiencies.

    • United States
    • Entertainment Providers
    • 700 & Above Employee
    • IT SOX Audit & Security Controls
      • Jun 2018 - Aug 2018

      Dallas, Texas, United States
      Assignment: Interim SOX ITGC control testing; Information Security and Privacy controls testing supporting the PCI DSS framework. Performed walkthroughs with IT control owners and performed Test of One. Updated process documentation. Prepared document requests (PBC), gathered evidence (cloud), and performed interim SOX IT general computer controls (ITGCC) testing. Performed audit procedures on Windows OS, UNIX/Linux OS, and SQL databases. Performed gap analysis of SOX IT controls and reviewed and improved testing procedures. Worked with IT process owners to develop remediation plans (compensating controls) for control deficiencies. Prepared final audits and presented them to senior management. Performed assessments, gap analysis, and testing of Information Security and Data Privacy controls supporting the PCI DSS framework.

    • Banking
    • 700 & Above Employee
    • IT Audit Supervisor
      • Feb 2018 - Jun 2018

      Metro Detroit
      Conversion and implementation of the FIS IBS Core Banking system from Bankway: provided information security controls risk management guidance through all project stages. Planned and executed interim SOX ITGC control testing; loaded workpapers and evidence into RSA Archer GRC and ran reports. Performed risk assessments, gap analysis, and testing of Information Security and Data Privacy controls supporting the PCI DSS framework. Managed a risk assessment of the bank's cyber security controls using the FFIEC Cybersecurity Assessment Tool. Performed information security controls audits including DR/BCP, change management, pen tests, vulnerability assessment, data protection, IAM, and encryption (14 control domains in total). Performed audit procedures on Windows OS, UNIX/Linux OS, and Oracle DW and SQL databases; ran query scripts. Conducted InfoSec risk assessments of the bank's service organizations (vendors) using Shared Assessments Program (SIG) tools and the AICPA Trust Services Principles for Information Security and Privacy. Assessed SOC 1 and SOC 2 reports.

    • United States
    • Banking
    • 700 & Above Employee
    • Information Security Analyst
      • Oct 2017 - Feb 2018

      Columbus, Ohio Area
      Conducted ISO 27001 compliance audits of service organizations' information security controls. Performed ISO 27001 risk assessments using Shared Assessments Program (SIG) tools and the AICPA Trust Services Principles for Information Security and Privacy. Improved risk assessment procedures for vendors' IT information security control frameworks. Conducted analysis and assessments of vendors' SOC 1 and SOC 2 reports; reviews covered data encryption, identity and access management, change management, vulnerability management, security incident management, business continuity, change controls, SDLC, data protection and privacy, and asset management. Used ISO 27001 and NIST 800-53 benchmarking to help vendors improve IT controls and procedures. Made recommendations and developed action plans and status reports to improve IT security and remediate vulnerabilities, assisting the bank in meeting regulatory compliance requirements. Collected audit evidence from vendors and assessed it against ISO 27001 requirements. Conducted walkthroughs of vendor InfoSec processes and security applications to assess control environments. Collaborated with the Technology Segment Risk team and key stakeholders of the third party tech risk program: third party vendors, the bank technology team, Information Security, and segment risk teams.

    • Germany
    • Motor Vehicle Manufacturing
    • 700 & Above Employee
    • IT Audit Supervisor
      • May 2017 - Sep 2017

      Livonia, Michigan, United States
      Led IT audits of IT operations, ERP systems, data centers, applications, databases, servers, and networks. IT audits included SAP, BPCS, PeopleSoft, QAD, JDE, and Integrity Software; audit assignments were in Europe. Provided field leadership and training to staff in audit issue identification, problem definition, and resolution. Assisted IT Audit management in the development, implementation, and administration of procedures for work practices, standards, workpapers, and IT evidence collection. Ran IT security and audit reports, scripts, and queries for ERP, applications, servers, databases, O/S, and SQL. Provided guidance to IT control owners on ITGC controls and related self-assessments and testing procedures. Conducted SOX ITGC interim testing; loaded workpapers into GRC; set up the GRC dashboard and issued reporting metrics. Performed audit procedures on Windows OS, UNIX/Linux OS, and SQL and Oracle databases. Utilized electronic audit tools and client utilities including TeamMate, ACL, PuTTY, Nmap, Visio, and CIS-CAT Pro. Assisted clients with periodic self-assessments of the IT landscape, including re-testing and remediating IT control gaps.

    • United States
    • Insurance
    • 200 - 300 Employee
    • IT Audit & Security Consultant
      • Sep 2016 - Dec 2016

      Metro Detroit
      Performed SOX ITGC walkthroughs with control owners. Updated process documentation. Prepared document requests (PBC), gathered evidence, and tested interim SOX IT general computer controls. Performed risk assessment and gap analysis of IT controls and processes for data privacy and information protection. Reviewed the company's compliance status with the NYDFS Cybersecurity Regulation on data protection for financial and insurance institutions. Developed improvement strategies for Information Security controls and referred security applications and tools. Developed remediation plans (and compensating controls) for IT control deficiencies. Performed audit procedures on Windows OS, UNIX/Linux OS, and SQL databases. Systems and tools: PeopleSoft, Point, SharePoint, CIMS, PROCEDE, Vision, Windows, UNIX, CIS-CAT Pro scans.

    • United States
    • Automotive
    • 700 & Above Employee
    • IT Audit & Risk Consultant
      • Jul 2016 - Sep 2016

      Detroit, Michigan, United States
      Performed SOX walkthroughs and risk assessment of the COBIT-based ITGC framework. Planned ITGC SOX testing and audit document requests with IT process owners, external auditors, and management. Performed interim SOX IT general computer controls (ITGCC) testing. Performed audit procedures on Windows OS, UNIX/Linux OS, and SQL databases. Performed gap analysis of SOX IT controls and reviewed and improved testing procedures. Worked with IT process owners to develop remediation plans (and mitigating controls) for control deficiencies. Audited SOX 302 documentation and process flows/mappings for SOX IT controls. Systems: QAD, JDE, SAP, BPCS on AS/400, UNIX, FAS, Microsoft, SharePoint.

    • United States
    • Utilities
    • 700 & Above Employee
    • IT Security Project Controls Consultant
      • Jan 2015 - Jul 2016

      Fermi Nuclear Plant, Newport, MI
      Assignment: Brought on to assist DTE / Fermi Nuclear Plant in meeting NRC Milestone 8 (2017) requirements for full IT security program implementation under NIST 800-53 / CSF guidelines and NEI 08-09. Prepared a risk management framework (RMF) for NRC IT cyber security requirements. Performed a comparative review of NERC CIP, NIST guidelines, NEI 08-09, and ISO controls to determine effective and appropriate IT controls for the DTE / Fermi Nuclear Plant RMF. Reviewed and performed gap analysis of current cyber security IT controls. Assisted in updating, revising, and writing DTE / Fermi Nuclear Plant policies and procedures related to cyber IT controls and processes within the Cyber Security Framework, ensuring IT controls meet NRC cyber security compliance requirements. Assisted in control design remediation actions. Provided guidance in identifying and determining the best IT controls evidence to demonstrate compliance. Planned and coordinated collection of compliance requirement evidence. Facilitated pre-audit evidence reviews to ensure compliance with specific standards. Audits, reviews, self-certifications, control design, and policy and procedure development covered the following areas: change management, patch management, vulnerability and threat analysis, backup and restore, disaster recovery / business continuity, access management and provisioning, IT physical security, firewalls, asset commissioning and configuration management, ports and services, incident reporting and response, and application controls.

    • United States
    • Utilities
    • 700 & Above Employee
    • Business Analyst IT Security Controls Consultant
      • Apr 2014 - Dec 2014

      Novi, MI
      Assignment: Implement the NERC CIP Version 5 Critical Infrastructure Protection (CIP) control framework. Implemented NERC CIP compliance software (OATI). Collaborated with control owners, process owners, IT asset owners, and stakeholders. Responsible for elicitation, analysis, and documentation of business and user requirements; analyzed business needs; developed use cases of IT processes; identified new processes and process improvements; reviewed design documents for project requirements. Analyzed detailed system factors including input/output requirements, information and process flow, data, integration, controls, security, and hardware and software needs. Developed test scripts, performed UAT testing, developed user manuals, and presented training. Assessed processes and determined and documented requirements. Used Visio to develop process flow diagrams of key control processes and SmartDraw for use case diagrams. Bridged the gap between IT, business, and compliance groups. Performed gap analysis of compliance programs and requirements from CIP V3 to V5 and identified necessary changes. Prepared the company for external audits (NERC CIP audit, Order 693 audit, RTO (regional authority) reviews, Service Reliability Review (SRP), self-certifications, spot checks). Planned and coordinated collection of compliance requirement evidence; facilitated pre-audit evidence reviews to ensure compliance with specific standards.
      Control areas: change management, patch management, vulnerability and threat analysis, backup and restore, disaster recovery / business continuity, IT physical security, access management and provisioning, asset commissioning and configuration management, ports and services, incident reporting and response, firewalls, and application controls. Maintained control deficiency tracking. Reviewed spreadsheets and milestones. Identified improvement opportunities. Assisted in preparation of periodic reports. Performed internal compliance self-certifications and audits.

    • United States
    • Utilities
    • 700 & Above Employee
    • Senior IT Security & Audit Consultant
      • Jul 2013 - Mar 2014

      West Palm Beach, Florida Area
      Performed interim and roll-forward SOX IT general computer controls (ITGCC) testing. Performed QA reviews of SOX IT auditors' test work, ensuring completeness and accuracy of testing and of supporting workpapers/audit evidence. Worked with IT process owners and management to develop remediation plans for control deficiencies. SOX 302: reviewed IT processes and control activities; updated workflows/mappings and SOX IT related process narratives. Performed gap analyses and recommended improvements to IT controls and ITGC testing procedures (COBIT 5). Planned and coordinated ITGC SOX testing activities and schedules with IT process owners and external auditors. Performed SAP-related Identity and Access Management (IAM) duties (additions, deletions, changes); processed IAM tickets for Remedy Service Request Management and SAP Compliant User Provisioning (CUP). Performed user administration duties with the SAP GRC Process Control system (Identity and Access Management). Resolved SAP SoD issues using the SAP GRC Segregation of Duties (SoD) tool. Performed IT audits, testing, and analysis of SAP FI, GRC Access Control, and GRC Process Control applications (system patches, upgrades, etc.). Maintained system mapping of users, system settings, and system coding. Other IAM tasks included SharePoint access role provisioning and Remedy tool change management.

    • United States
    • Utilities
    • 700 & Above Employee
    • IT Audit Risk Security Consulting Manager
      • Nov 2012 - May 2013

      Bridgman, Michigan, United States
      Cook Nuclear Plant. Assignment objective: perform a NIST cyber security review of access controls and physical security controls. Performed a NIST 800-53 risk assessment of Access Control (AC) and Physical and Environmental Protection (PE) information security controls. Performed gap analysis and identified improvements for Access Control (AC) and Physical and Environmental Protection (PE) within the NRC Cyber Security Framework (CSF), NEI 08-09. Prepared and updated process flows, process narratives, and control documentation; performed walkthroughs and control testing; loaded audit evidence and workpapers into RSA Archer GRC. Worked with control owners to develop remediation plans and security upgrade planning. Prepared and presented audit findings and the audit report to senior management.

    • United States
    • Utilities
    • 700 & Above Employee
    • IT Security & Security Manager
      • Aug 2009 - Nov 2012

      Southern California Edison Nuclear Plant (SONGS) at San Onofre, CA
      Assignment: Implement Cybersecurity Plan NEI 08-09 milestones 1 through 3. Documented and categorized IT hardware and software inventories, the information processed, stored, and transmitted, and asset owners; developed IT inventory management and reporting controls. Performed risk assessments (NIST 800-53A) of existing IT security and privacy controls within the Cybersecurity Framework (CSF); identified and reported on CSF control weaknesses and significant risks. Developed initial baselines (per security categorization) for information security and data privacy controls through a comparative review of NIST guidelines, NEI 08-09, and ISO 27001/27002. Performed scanning and reviews of network device configurations; developed baseline hardening and secure configurations for network devices (firewalls, routers, switches, network IDS/IPS, and DLP setups); developed and improved change management controls for network devices. Participated in security defensive architecture strategy planning and network connectivity/security planning. Improved hardware-based segmentation and network segmentation; installed protective devices between security levels. Worked on the project team for the data diode implementation.

    • United Kingdom
    • Financial Services
    • 100 - 200 Employee
    • Director, Internal Audit & Regulatory Compliance
      • Mar 2006 - May 2009

      Southfield, Michigan, United States
      Created, set up, and managed the internal audit department; developed and executed the annual audit plan; reported to the Audit Committee. Established controls for GLBA and Reg A/B. Set up ITAM and significantly improved IAM. Designed and implemented a SOX compliance framework (including ITGC) using the COSO and COBIT frameworks. Managed and executed the SOX compliance ERP software implementation (IBM OpenPages GRC): led the feasibility study and requirements phase, identifying user and functional requirements; collaborated with control owners, process owners, IT asset owners, and stakeholders; prepared the business case. Responsible for elicitation, analysis, and documentation of business and user requirements; analyzed business needs; developed use cases of IT processes; identified new processes and process improvements; reviewed design documents for project requirements. Analyzed detailed system factors including input/output requirements, information and process flow, data, integration, controls, security, and hardware and software needs. Developed the dashboard and reporting module. Developed test scripts, performed UAT testing, developed user manuals, and presented training.

Education

  • Wayne State University
    MBA, Management Information Systems (MIS)
    1990 - 1993
  • University of Windsor
    BBA, undergraduate concentrations: Computer Science, Business Administration
