David Clift Email and Phone Number
Proven IT risk / security, regulatory compliance, and audit leader with broad experience implementing security programs, establishing regulatory compliance, and building audit and control practices to protect organizations and ensure security in the health care, retail, technology, and financial services industries. Individually contribute and lead teams in implementing IT risk / security and compliance solutions and frameworks; auditing to identify control weaknesses; and reporting program results to key stakeholders (e.g. regulators, business functional groups, IT, audit, Board of Directors, and executive leadership). Also experienced and familiar with FFIEC Guidelines, NIST SP 800-53, ISO 27000-series standards (e.g. ISO 27001 / 27002), AICPA Trust Principles (SSAE16 / SOC 1, SOC 2, and SOC 3), FedRAMP, COBIT, COSO, HIPAA, PCI DSS, Gramm-Leach-Bliley Act (GLBA) privacy and security rules, and Sarbanes-Oxley (SOX).
VP Information Security Risk Officer, Mountain America Credit Union (Jan 2022 - Present; Sandy, Utah, US)
IT Risk Management Program Manager, Mountain America Credit Union (Jan 2021 - Jan 2022; Sandy, Utah, US)
Technology Governance Relationship Manager, Zions Bancorporation (Jun 2019 - Jan 2021; Salt Lake City, Utah, US)
Risk and Compliance Program Manager, Workfront (Apr 2018 - Jun 2019)
Obtained ISO 27001, ISO 27017, and ISO 27018 certification. Building Risk and Compliance program, including governance, monitoring, reporting, risk management, and related activities.
FedRAMP Program Manager, Workfront (Jul 2017 - Apr 2018)
Lead cross-functional IT and business teams in building FedRAMP program, timelines, and reporting, including educating senior leadership and team members on control and documentation requirements, and guiding them through the implementation and development process.
• Developed data schema and strategy to build FedRAMP implementation workflow and tracking system using Workfront tool, to automate program rollout and minimize manual efforts required to oversee control implementation and status reporting.
• Educated team members in IT, Finance, and HR organizations on their responsibilities as FedRAMP control owners and obtained timelines for issue remediation and control implementation. Created roadmap for FedRAMP compliance, allowing for go-to-market strategy for Federal agencies.
Information Security Manager, Utah Department of Commerce (Apr 2017 - Jul 2017)
Implement NIST Cybersecurity Framework; evaluate IT risk and controls, remediate control deficiencies, ensure PCI DSS compliance, write and update Department of Commerce (Commerce) security policy, manage and coordinate Department of Technology Services (DTS) security and incident response for Commerce.
• Began implementation of NIST Cybersecurity Framework and identified control gaps, improving oversight and performance of IT security services for Commerce.
• Consolidated individual Division policies for Bureau of Criminal Identification (BCI) information security into Commerce-wide policy, satisfying requirements for FBI audit of Criminal Justice Information (CJI) security.
• Inventoried Commerce systems, applications, and databases and performed initial assessment of risks and controls, identifying preliminary control gaps and initial prioritization of more detailed control testing to be scheduled.
• Updated and improved Commerce Administration Business Continuity Plan (Continuity of Operations Plan), led successful tabletop exercise, and guided Divisions to update and enhance their plans based on results of exercise.
IT Risk Manager, DFC Global Corp. (Apr 2016 - Mar 2017; Malvern, Pennsylvania, US)
Oversaw implementation of IT risk program, including risk assessment, tracking and remediation of IT security / cybersecurity risks, evaluation of security tools, vendor IT risk assessment program, and implementation of controls to improve security and mitigate risk. Led cross-functional teams and managed projects to implement security tools, methodologies, and frameworks to meet security requirements, including PCI DSS compliance. Budgeted annual security projects and reported results of IT risk and security program activities.
• Implemented vendor IT security assessment process in new GRC tool, streamlining the approach and ensuring consistency and timeliness of vendor reviews. Performed IT risk assessments of new vendors, ensuring vendor security controls meet business needs to limit risk.
• Worked with DFC Legal team to enhance vendor contract language requiring appropriate IT and security controls to protect DFC data.
• Developed and oversaw corrective action plans for security improvement, and managed the reduction of IT Risk Register open / unmitigated risks & vulnerabilities from 150+ to fewer than 20 open items.
• Oversaw PCI DSS gap assessment by vendor, developed security strategy roadmap for PCI compliance, and planned and initiated project within an Agile development methodology to outsource Cardholder Data Environment (infrastructure & applications) to meet PCI requirements.
• Managed security policy and standards updates to meet security and PCI DSS requirements.
• Oversaw remediation of control gaps and implementation of processes to meet PCI DSS requirements and other relevant standards. Directed the delivery of targeted training to improve user awareness and enhance security.
Senior Manager, Protiviti (2015 - 2016; Menlo Park, California, US)
Led teams in providing IT risk, consulting, and internal audit services to clients in consumer products, technology, health care, and financial services industries. Managed client relationships, budgets, and maintain satisfaction with services. Develop, mentor, and provide feedback to team members.
• Improved IT internal audit process and tools. Trained and coached consultants on audit and risk methodology and new tools, resulting in consistent risk-based services, improved security, and satisfied clients.
• Advised growing technology client on best practices for maintaining evidence for audits, improving external auditor reliance on control environment and reducing external audit fees paid by client.
Senior Vice President, IT Audit, GE Capital Bank (Aug 2014 - Aug 2015; Norwalk, CT, US)
Led audits and oversaw results of North America audit teams impacting GECB, including audits of IT governance, infrastructure, and related processes. Prepare audit reports and share findings with relevant stakeholders, including GECB Board of Directors, FDIC Examiners, and Information Security senior leaders. Evaluate and approve management action plans and test remediation of issues. Coordinate audits and share findings with auditors and stakeholders from other Capital businesses to ensure all relevant risks are mitigated across the organization.
• Conduct and oversee audits covering all aspects of IT to comply with GLBA, including governance, 3rd party oversight, problem and incident management, business continuity/disaster recovery, IT operations, IT asset management, IT security (e.g. firewalls, IDS/IPS, SIEM / log management, anti-virus), application interface controls / file integrity, identity and access management, change and release management / application development / SDLC, capacity management, patch and vulnerability management and scanning, configuration management, and physical security. Identify issues, recommend and review improvement plans, and test effectiveness of remediation efforts, thereby mitigating risk and maintaining regulatory compliance for GECB.
• Prepare risk assessments and develop four year audit plan, maximizing effective use of audit team resources to reduce organization risk.
• Present audit plan, program, and findings to FDIC Examiners, resulting in improved exam ratings over previous years.
• Developed project management guidance and tracking tool enabling North American audit teams to more accurately track progress and improve audit efficiency.
Senior Manager, IT Audit, GE Capital Bank (Feb 2012 - Aug 2014; Norwalk, CT, US)
Led audits and oversaw results of global audit teams impacting GECC CTO organization, including audits of IT infrastructure and related processes, including integrated (combined process and IT) and horizontal audits (audits of multiple business units). Prepared audit reports and shared findings with relevant stakeholders, including GECC Chief Technology Officer (CTO) organization and Information Security senior leaders. Reviewed management action plans and evaluated and tested remediation of IT issues. Coordinated audits and shared findings with auditors and stakeholders from other Capital businesses to ensure all relevant risks are mitigated across the organization. Maintained relationships with GECC CTO team members to monitor initiatives.
• Conducted and oversaw audits, and evaluated and reported results from audits impacting GECC CTO organization. Identified and consolidated issues and evaluated remediation plans, thereby mitigating risk in all aspects of IT, including governance, 3rd party oversight, problem and incident management, business continuity/disaster recovery, IT operations, IT asset management, identity and access management, change and release management, capacity management, and configuration management.
Senior Information Security Analyst, University of Utah Hospital (Mar 2010 - Feb 2012; Salt Lake City, Utah, US)
Performed risk assessments and monitored compliance with University/Hospital IT security policy and regulations (e.g. HIPAA). Managed projects to improve business processes and controls. Designed and implemented University/Hospital controls and security standards. Coordinated investigation and reporting of security and privacy incidents. Developed and maintained security policy. Assisted in the design of security training, and awareness activities. Developed service provider assessment procedures and reviewed service contracts to maintain regulatory compliance.
• Initiated and managed project to implement “security zones” (network segmentation) to isolate and protect critical systems, directing and coordinating the Networking, Architecture, Service Management, and Security Operations teams, to limit exposure to malicious Internet activity.
• Designed a risk management framework and processes. Created risk and control survey templates, tools, and assessment methodology, allowing for streamlined, consistent measurement of compliance with control standards across University and hospital systems.
• Developed and implemented University-wide IT security control standards and framework based on NIST SP 800-53, ISO 27001 / 27002, and HITRUST CSF, taking into account other standards, such as PCI DSS. Initiated improvement of the University’s control environment using the developed assessment and control framework and templates, starting with critical applications.
• Performed risk and control assessments for the most critical University systems and identified control weaknesses, increasing risk awareness among IT leadership. Implemented a plan to remediate deficiencies prioritized by risk.
• Developed enhanced procedures to ensure vendors, cloud-based software-as-a-service (SaaS) and other IT service providers undergo security and controls reviews prior to signing contracts, significantly reducing service provider risks and maintaining regulatory (HIPAA) compliance.
Senior Manager, Ernst & Young (Jun 1999 - Oct 2009; London, GB)
Provided IT risk and audit services in both an internal and external capacity to clients in technology (hardware and software), health care and life sciences, manufacturing, and financial services industries, including reviews of IT operations and audits of IT general controls across various platforms in client / server, mini-computer, and mainframe environments, following methodologies and frameworks such as COBIT.
• Scoped and planned audits by coordinating with Ernst & Young (EY) financial audit team, client internal audit team, client SOX team, and client functional / control owners, which resulted in the completion of 10 to 20 engagements annually (each between 100 and 10,000+ hours) while meeting budget and quality requirements. Reduced costs up to 20% each year.
• Led the enhancement of IT audit and documentation methodology for the Pacific Northwest (PNW) Sub-Area, which resulted in more efficient audits, consistent quality, and up to 20% lower cost.
• Co-directed the PNW IT Quality team, whereby quality standards were developed and communicated and team members were trained.
• Performed data analytics services, including process efficiency assessment and fraud investigation.
• Served as the PNW IT GAMx Champion and directed all GAMx IT training activities and communication in the PNW surrounding the implementation and rollout of GAMx (EY’s new audit tool) between National and the PNW. Identified 12 trainers and scheduled them to cover more than 45 two-day training events throughout the PNW, resulting in the successful training of over 1000 professionals on the use of the new software and related audit methodology.
• Completed business process improvement assessments and identified opportunities to streamline procedures and make them more effective.
• Served as counselor, coach, and mentor, and represented counselees in roundtables that determine annual ratings.
System Programmer, Brigham Young University (Jan 1998 - Jan 1999; Provo, UT, US)
Set up, maintained, and configured computers for faculty and for student computer labs. Managed Novell NetWare network. Resolved faculty and student problems with estimated average response times less than one hour.
David Clift Education Details
Brigham Young University, Accounting and Information Systems
Frequently Asked Questions about David Clift
What company does David Clift work for?
David Clift works for Mountain America Credit Union
What is David Clift's role at the current company?
David Clift's current role is VP Information Security Risk Officer.
What is David Clift's email address?
David Clift's email address is da****@****ail.com
What is David Clift's direct phone number?
David Clift's direct phone number is +180158*****
What schools did David Clift attend?
David Clift attended Brigham Young University.