Carol (Pollard) Daniel Email and Phone Number

Accountable and responsible for the risk management program for BK Origination Technologies (OT) division and serves as first line of defense in support of the BK Enterprise Risk Management Program. Serves as single point of contact to review, analyze, and provide direction and guidance to ensure compliance with security policies and standards and risk frameworks, processes, and governance. • Conducts divisional risk assessments across all risk disciplines, including security, operational, financial, strategic, legal, emerging, and compliance risk. • Works with senior OT executive business and software development leadership teams in consultative relationship to proactively identify risks and move toward a self-identifying risk culture.• Interface and assist with client & regulatory audits, RFPs, and client questionnaires, including SSAE-16. Manage applicable SOC testing for business unit. Manage the Risk Assessment process to include asset inventory, system criticality, data classification, threat analysis, and action plans for GLBA reporting.• Responsible for Risk Registry management to ensure corrective action plans are in place and tracking for on time remediation.• Build strong trust relationships with business senior leaders, risk peers, and other support groups serving as subject matter expert for enterprise risk and security policy compliance.

• Dedicated Information Security Manager for the Origination Technologies division. Responsible for researching, evaluating, and developing Information Security policies, standards, and guidance relevant to the line of business. Actively participate in technical exchange meetings and application reviews to ensure secure product delivery for clients.• Communicate with senior management providing status on key ISO programs, projects or initiatives. Maintain strong relationships with the Business Owner and Application Development Managers to ensure security policies and standards are being implemented throughout the SDLC process. • Support client & regulatory audits, RFPs, and client questionnaires, including SSAE-16. Manage applicable SOC testing for business unit. Manage the Risk Assessment process to include asset inventory, system criticality, data classification, threat analysis, and action plans for GLBA reporting.• Guide the business in development of action plans while reporting and tracking to closure all information security issues resulting from various security assessments.

• Lead Control Officer for both Global Corporate Technology and Global Compliance Technology areas within CTO GFTS. Lead a team of Control Officers responsible for managing the execution of all control-related activity to ensure compliance to Citi Information Security policies and standards. With a focus on risk identification and self-assessment of controls (RCSA/MCA), supported 330+ CTO applications, evaluating International and Domestic data privacy requirements and impacts, export licensing, program/projects secure development requirements, and corrective action plan management (ICAPS). Partner with GFTS Directors, Senior Leaders, and application development managers as single point of contact to ensure implementation of compliance and control programs.• Manage monthly CTO compliance metrics reporting by analyzing results, determining root cause of non-compliance, and guide managers in appropriate corrective action. Create and present monthly scorecard compliance review for senior executives to ensure leadership team understood their domain’s risk profile, compliance trends, and potential risks and concerns. Developed qnd cultivated a Citi award-winning environment for proactive risk management vs reactive, issue-based responding.• Partnering with GFTS management, served as audit liaison for both internal and external/regulatory audits. Ensured requests were applicable to domain, intent was clear, managed the delivery of artifacts, participated in management response creation and ensured ownership of any identified issues as appropriately assigned. • Created CTO Risk and Control service catalog to advance Risk and Control Group as a shared services organization, which expanded to be a division-wide catalog used for support structure for GFTS and work prioritization. Founding member for structuring a Center of Excellence for CTO Risk and Control for the purpose of centralizing and streamlining application manager compliance-driven tasks.

Senior Information Risk Director – Information Security Officer Program Manager• Manage a team of Information Security Officers (ISO) who are aligned with the WaMu major lines of business for the purpose of ensuring integration between information security and business initiatives. • Develop programs that ensure proactive information security requirements are embedded in to the business initiatives early in the project lifecycle.• Develop information security self service tools for the enterprise’s use to improve efficiency and developed the first information security portal for all Corporate Information Security (CIS) services to improve our customer’s (both technology and business) experience.• Manage the Gramm-Leach-Bliley Program (501.b) across the enterprise. Develop annual risk assessment methodology, program scope, testing execution, track progress, and produce final report to regulators.

• Managed the corporate IT Security department, including Access Delivery Specialists and Security Risk Analyst teams. Responsible for IT Security annual budget management and projections to include security solutions to mitigate areas of weakness.• Developed and manage information security policy program. • Established and managed programs that ensure security is taken into consideration during new application development. Oversee the performance of application, network, and e-commerce security consultations and reviews. Led security architecture upgrades and implementations, and lead a technical team developing security infrastructure across enterprise lines of business.• Kept the organization apprised of new threats to information or privacy, and evaluated and recommended new information security technologies and countermeasures. Documented current state of security for executive management.