Bottomline Technologies (September 2021 – Present)•Consulting as an embedded member of Audit, Risk & Compliance team of $3B company that provides corporations, financial institutions, and banks with e-payment, invoice, and document automation solutions.•Overseeing all internal and external audits including ISO 27001, SOC 1 & 2, PCI, FFIEC, NACHA, CCPA, etc. Federal Aviation Administration (October 2018 – December 2020)•Managing project performing security assessment and vulnerability reporting for Cloud environments [Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)] for compliance with FedRamp & NIST Standards•Developing streamlined security assessment methodologies and workflow schedules for conducting security assessments to ensure achievement of FAA deadlines and compliance with FAA, NIST and FedRamp requirements•Enhancing processes for, and communication of, cloud control analysis and ownership of utilizing Cloud Service Providers' (CSP) Control Implementation Summaries (CIS) and Customer Responsibility Matrices (CRM) to identify gaps in end-to-end control implementations and recommend corrective actionsFreddieMac (January 2018 – September 2018)Embedded as a core member of Internal Audit Management Team reporting to SVP/ General Auditor for Fortune100/10,000 employee industry leader in secondary mortgage market. Lead IT Infrastructure Operations and Integrated Business Application Audit Team in complex business and technology environments; responsibilities included:•Developing detailed work plans to provide adequate assurance to management •Performing complex risk and controls assessments; determining scope of audits and testing approach•Supervising innovative IT control design and operational effectiveness tests •Managing resources; coaching and mentoring staff, senior and supervisor level auditors•Providing subject matter expertise of industry standards: COBIT, NIST, ISO, etc.

• Consulting as an embedded member of the Information Security Risk Management Assessment & Regulatory Team for a systemic financial services utility, leading key corporate initiatives for application and cloud risk management, control management and testing methodologies• Leading Information Security Risk Management Framework workstreams to redefine controls inventory, re-baseline to new risk taxonomy and map to NIST 800-53, Rev. 5; revamping controls testing methodology• Chairing monthly Security Controls Inventory Review Meeting

Direct department as primary UMUC liaison for all external IT audits – Federal, MD Office of Legislative Audits, University System of Maryland. Represent UMUC on the University System of Maryland IT Security Council. Recommend and oversee development of IT policies, procedures, and security best practice guidelines. Lead UMUC’s IT Risk & Compliance Department and all related functions including:- Compliance with IT policies, standards (e.g. NIST, FERPA, GDPR, GLBA) and best practices- Data governance, privacy and security- Security Awareness Training- IT & Vendor risk management- Management of UMUC’s cyber threat landscape- Internal IT risk, security assessments and penetration testing- Discovering, protecting and reducing footprint of sensitive data: - PII, Financial and Proprietary- Coordinating efforts and overseeing projects and responsibilities for IT Risk & Compliance staff

- Directed 2011 United States Agency for International Development (USAID) independent information security evaluation for compliance with Federal Information Security Management Act (FISMA). - Managed 2010 Department of Justice, Justice Management Division independent information security evaluation for compliance with Federal Information Security Management Act (FISMA). - Performed a cyber security review for a classified DOJ system based on NIST SPs 800-53, rev. 3. - Supervised SEC OMB A-123 services; reviews were performed for general support systems and financial systems based on NIST SP 800-53, FISCAM, and custom steps specifically addressing SEC risk areas. Oversaw the development of System Security Plans (SSPs), execution of Security Testing & Evaluations (ST&E), and preparation of all required Certification & Accreditation (C&A) documentation, in packages compliant with NIST standards, for major applications of the General Service Administration’s (GSA) Office of the Chief Financial Officer.

Developed initial IT audit function for Aggregate Industries, a subsidiary of Holcim Ltd ($15 billion annual revenue) and successively designed annual IT Audit Plans using NIST-based IT risk assessment process. Planned, conducted and reported on design and operational effectiveness testing for Internal Control System Project (Swiss version of SOx) focused on physical/logical access, change management, BCP and IT general controls. Executed IT General Controls audits for all corporate and regional businesses resulting in the consolidation of multiple data centers and the enhancement of enterprise Disaster Recovery and Business Continuity Plan. Represented Internal Audit during major system upgrades, including primary ERP system (JDEdwards) in a consulting role to identify internal control issues and periodically report project status to the Steering Committee. Worked closely with System Administrators and Managers of the IT Department to develop policies and procedures to control infrastructure-related IT risks.

Conducted IT & operational audits, which included reviews of key business processes, applications and compliance. Member of IT Security Working Group that evaluated current technologies, security threats, their impact on HHMI IT Security and issued security awareness information. Collaborated with network security consultants assessing the security of network platform supporting enterprise-wide business applications, which resulted in identifying and correcting significant security deficiencies. Project leader for vendor selection and implementation of continuous monitoring software. Evaluated design and operation of internal processes/controls within the Application Security Office resulting in considerable operational efficiency changes; participated in quarterly application security reviews. Monitored HHMI’s data center recovery and departmental business continuity plans. Performed periodic field site visits to HHMI Offices of Administrative Services to evaluate the adequacy and efficiency of the internal controls in effect.

Successfully performed client services of audit, compilation, litigation support, reviews for a diverse client base of organizations in the Manufacturing, Retail, Distribution, Law, Healthcare, Real Estate Development, and Non-profit industries. Supervised audit teams on engagements from planning phase through completion of financial statements. Achieved client needs through consulting services for a wide range of accounting, financial systems, and internal control issues. Worked collaboratively with team members to achieve common goals, met budget expectations, trained and supervised new-hire employees, and coordinated in-house training classes.

Audited the U.S. Small Business Administration (SBA), the U.S. Department of State, multiple New Jersey Department of Transportation contracts and the Environmental Protection Agency (EPA). Developed indirect cost rates for the Agency for Toxic Substance and Disease Registry (ATSDR) of the Centers for Disease Control (CDC). Consulted the accounting department of the Drug Enforcement Administration (DEA) and audited the U.S. Bureau of Public Debt (BPD). Responsible for recruiting and interviewing prospective employees, training and supervising new-hires.