Experience

Fannie Mae – Governance, Risk and Compliance Analyst, Washington, DC, 05/2023 – Present
- Follows Enterprise Risk Management and compliance procedures.
- Tracks timely resolution of third-party risk management issues at enterprise level.
- Stratifies vendor risk through a tiering process matrix based on vendor data and systems accessibility.
- Provides support during User Acceptance Testing (UAT).
- Uses eGRC platforms, SharePoint, and document management for compliance testing/assessment, tracking data, conducting follow-up, and monitoring.
- Applies regulatory requirements pertaining to information security and third-party/vendor risk management.
- Reports and escalates third-party issues and remediation actions associated with control gaps for closure.
- Obtains and reviews 3rd party documentation and other evidence to validate appropriate implementation of information security controls.
- Analyzes information to identify information security weaknesses or non-compliance.
- Communicates 3rd party information security issues to stakeholders, ensuring their understanding of associated risks and actions required to remediate the referenced risks.
- Manages assessment findings and tracks findings through remediation.
- Performs assessments remotely via conference calls and occasionally at vendor sites.
- Identifies and reports on new and emerging security risk and risk trends, including participating in risk remediation solution discussions and recommending updates to policy and standards.
- Updates and maintains documentation in support of audits and exams.
- Manages vendor management lifecycle including vendor risk reporting and oversight of assessed vendors.
- Assesses third parties and services and/or products provided through Business Unit expenditure.
Berry Solutions – Senior GRC Analyst, Frederick, MD, 04/2020 – 05/2023
- Participated in the development and enhancement of the Third-Party Risk Management policy, standards, and supporting procedures, with the aim of optimizing our service delivery to the organization while conforming to NIST CSF, NIST 800-53 Moderate Baseline, and SOC 1/2.
- Monitored and tracked any outstanding risks with third parties and/or internal stakeholders, contributing to Enterprise Risk Register processes.
- Conducted internal security assessments for various business tools and applications.
- Managed vendor and internal stakeholder relationships with a focus on operational effectiveness provided by the vendor.
- Ensured that project/department milestones/goals were met and adhered to approved budgets.
- Followed Enterprise Risk Management and compliance procedures.
- Conducted Third-Party Risk Assessments using the client’s Risk Assessment framework and Supplier Privacy Impact Analyses (PIAs) in accordance with the company’s Privacy Program Framework and Privacy Office guidance.
- Worked regularly with stakeholders influencing business decisions for reducing risk to acceptable levels while achieving business objectives.
- Provided finding reports and remediation recommendations to system/applications POCs.
- Maintained definition and documentation of internal controls to meet company governance, risk, and compliance requirements.
- Collaborated with client’s Legal group to identify information security contractual requirements with third parties.
- Experienced in using BitSight and SecurityScorecard and in reviewing penetration tests and vulnerability scans.
- Developed and refined enterprise policy, standards, and procedures.
- Contributed to operational planning between the vendor and internal business stakeholders.
- Identified and recommended appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to a level acceptable to the organization.
Wells Fargo – Business Analyst, McLean, VA, 01/2019 – 04/2020
- Performed third-party risk assessments and vendor due diligence of access to vendors.
- Monitored third-party operational risk trends and provided analysis of data and other operational risk metrics using SecurityScorecard.
- Tracked exceptions to IT policies and procedures and followed up with management approval for implementation.
- Reviewed services provided by vendor and defined scope of assessment.
- Drove vendor performance and contractual adherence.
- Reviewed risk assessments performed by 3rd party and provided feedback. Defined appropriate risk levels and corrective actions for issues identified.
- Presented issues to 3rd parties and obtained corrective action plans.
- Updated procedure documentation to incorporate process changes to SOPs.
- Managed Operational vendor risk management team for vendor onboarding, due diligence, and ongoing monitoring.
Bank of America – Business Analyst, Washington, DC, 11/2014 – 12/2018
- Determined the scope for system audits, usually starting with a kickoff meeting with key officials and the audit committee.
- Created a test plan to determine controls to be tested as well as methods of testing. Effectively participated in testing of the IT General Controls.
- Conducted audit within specific timeframe utilizing subject matter experts and other system owners. Supported requirements gathering and design efforts of critical projects as needed.
- Collected evidence from various points of contact to update the audit finding report for compliance.
- Tested for effectiveness and adequacy of controls by analyzing test plan against evidence collected via examination, interview, and testing.
- Conducted IT controls risk assessments that included reviewing organizational policies, standards and procedures and provided advice on their adequacy, accuracy and compliance with company policy.
- Interfaced with clients to review and analyze complex systems (Applications, operating systems, databases, and Networking devices), to identify risks, exposures, define and implement compensating controls.
- Worked independently to collect, consolidate, and analyze information required for the evaluation of security controls and gaps.
- Produced final reports on compliance to detail the controls observed during security assessments in accordance with various security standards and regulations (PCI DSS, ISO 27001/2, Sarbanes-Oxley, etc.).
- Provided guidance to prepare organizations for Statement on Standards for Attestation Engagements No. 16 (SSAE 16) audits.
- Managed client's third-party assessment program, including security assessments, task tracking, analyses reporting, documentation, and process improvement.
- Completed tests on financial system controls compliance (OMB A-123), IT General Computer Controls (ITGC), and Application Controls.
- Utilized audit procedures (Testing, Interviewing, and Examination) to determine the design and operating effectiveness of the controls.
- Performed walkthrough interviews and maintained communication with a variety of client stakeholders, including system personnel such as system and database administrators.
- Created, reviewed, and managed the lifecycle of company policies related to compliance and Enterprise Risk Management.
- Ensured results were consistently delivered through setting expectations and monitoring performance against objectives and metrics.