• Adhering to the seven steps involved in the Risk Management Framework (RMF) and collaborating with system administrators on implementing the NIST SP 800-53 R5 controls.• Assisting and gathering evidence for the Amazon Foundational Technical Review (FTR) Assessment.• Collaborating with business unit employees and ERM team members on various projects focusing on risk quantification and developing reports and presentations.• Conducting security assessments: Regularly perform security audits, vulnerability assessments, and penetration tests to identify potential weaknesses in the organization's security posture. Based on the findings, make recommendations for remediation and improvements.• Developing and reviewing deliverables associated with a FedRAMP security authorization package including, but not limited to, a System Security Plan, Information System Contingency Plan, Security Assessment Plan, and Security Assessment Report.• Performing System Security Categorizations using FIPS 199 and the NIST 800-60 Vol.11 Rev1 guidelines and templates to select provisional impact level assigned to the Confidentiality, Integrity and Availability (CIA) based on the information type.• Documenting change management processes and other vital processes and procedures in Confluence.• Monitoring system networks with IDS/IPS tools and AWS services such as Datadog, Inspector and GuardDuty.• Monitoring threat-hunting activities and performance and visualizing threat detection and response effectiveness.• Ensure compliance with industry standards and regulatory requirements (PCI DSS, GDPR, SOX, HIPAA, ISO 27001).• Conduct security audits and risk assessments.• Developing strategies to mitigate risks, working with risk owners to create mitigation plans, and monitoring progress.

• Conducted IT controls risk assessments that included reviewing organizational policies, standards, procedures and guidelines.• Developed audit plan and performed the General Computer Controls testing, identified gaps, developed remediation plans, and presented results to the IT Management team.• Directed a cross-departmental team to conduct a comprehensive data privacy audit, identifying critical gaps and implementing remediation strategies that led to 90% improvement in compliance with internal and external privacy standards.• Conducted IT general controls risk assessments as well as risk auditing with frameworks like HIPAA, PCI, and ISO 27001.• Developed security control test plans and conducted in-depth security assessments of information systems that evaluate compliance of administrative, physical, technical, organizational and polices safeguards to maintain HIPAA compliance base on NIST SP 800-66 Rev1 and security controls (NIST SP 800-53).• Assessed vendors utilizing the stages in the Third-Party Cycle Framework (Onboarding, Due Diligence, Monitoring, Termination Plans, Off-boarding).• Performed initial review of due diligence on the vendor to ensure they are current and applicable to the product/service provided.• Tier, assess, and monitor risks associated with vendors to determine Inherent Risk Rating.• Collaborated with first line vendor relationship managers to ensure consistency in vendor delivery service and products and provide relationship managers with vendor risk posture guidance as needed.• Performed annual risk assessments of third parties across the following risk domains: financial, legal, information security, regulatory/contractual compliance, operational, reputational and strategic.• Developed a security baseline controls and test plan that was used to assess implemented security controls.• Conducted a security control assessment to assess the adequacy of management, operational, and technical security controls implemented.

• Documented and kept track of risks and recommendations based on the vendor’s lack of control.• Coordinated and performed vendor reviews.• Managed the third-party risk management program. • Identified and measured the risk associated with vendor security controls. • Worked with cross-sectional teams, including IT, human resources, contracts, and security, to address potential compliance issues, achieve data privacy program initiatives, and provide as-needed support to other programs within Ethics & Compliance. • Ensured compliance with and provided input to security policies, standards, and procedures.• Came up with ideas, presented them via reports and presentations, and made suggestions or recommendations for improvements and enhancements based on research or findings. • Tracked, monitored and reported on vendor compliance with information security standards. • Conducted information security reviews of key vendors and all externally hosted and developed websites. • Supported internal and external audits (including penetration tests and vulnerability management initiatives) – tracking audit measures, resolution tasks, and reviewing evidence of compliance. • Assisted with implementing supplier management tools and processes in coordination with the Procurement, Accounting and legal departments to optimize the vendor review process. • Collaborated with teams, stakeholders, and business partners to understand and implement improvement opportunities. • Monitored and presented project risks to senior management through ongoing processes of identifying, assessing, tracking, developing, and executing risk mitigation strategies throughout project development.• Participated in various IT audits for clients within the financial, technology, and information security industry, including developing risk and controls matrix and audit procedures, testing execution, and communication of findings to key stakeholders.