Joe P. Email and Phone Number
I am a Director of Cybersecurity Compliance and Deputy CISO at Choreograph, a WPP/GroupM company that provides data and technology solutions for the media and marketing industry. I have over 20 years of experience in cybersecurity and hold multiple certifications and credentials, such as CISSP, CRISC, CISA, CGEIT, CBCP, PMP, HITRUST, and ISO 27001. My core competencies include data privacy, IT security, audit, business continuity, disaster recovery, IT governance, cyber risk management, and compliance. I lead and work with a team of compliance analysts, oversee the implementation and reporting of security governance frameworks and regulatory requirements, and coordinate internal and external audits. I also successfully led the entire HITRUST r2 re-certification process and ensured risk-based decision making across the organization. My mission is to protect the data and assets of our clients and stakeholders, while enhancing the efficiency and effectiveness of our cybersecurity processes.
Director of Cybersecurity Compliance / Deputy CISO
Choreograph, Jan 2022 - Present, New York, NY, US
• Manage and work with Compliance Analyst, including assigning tasks to assist in the completion of compliance activities.
• Manage implementation, compliance tracking, and reporting processes for the security governance frameworks, regulatory, and client compliance requirements.
• Manage SaaS applications and processes used to track various compliance initiatives.
• Define and monitor security metrics and KPIs.
• Manage the Third-Party Risk Management (TPRM) function, along with preparing and reviewing third-party risk assessments.
• Ownership of all internal and external audit coordination between auditors and internal stakeholders, performing initial reviews of evidence submissions and subsequent project management tasks.
• Successfully led entire HITRUST r2 re-certification process.
• Ensure risk-based compliance to governmental and industry standards such as SOX, HIPAA / HITECH, HITRUST, and SSAE 18 SOC1 / SOC2.
• Provide input for corporate security projects with regards to identifying requirements for ongoing compliance.
• Ensure oversight of compliance of IT Security obligations for training / awareness, risk assessments, BCDR & Incident Response exercises, and security reviews.
• Manage vendor security vetting.
• Work proactively with all areas of the business to ensure security compliance objectives are met.
• Chair the Committee on Risk and Control, and provide reporting to various senior leaders.
Vice President, Supplier Assurance Governance Lead
JPMorgan Chase & Co., Jun 2021 - Dec 2021, New York, NY, US
• Drove Supplier Assurance Services (SAS) Standards and Procedures and ensured enhancements in response to internal and external drivers; ensured awareness and communication of relevant updates.
• Led SAS Governance forums ensuring appropriate coverage and tracking.
• Designed, developed and maintained assessment processes, procedures, checklists and guidance.
• Provided governance and requirements into development and maintenance of toolkits.
• Identified impact of changes across Corporate Third-Party Operations (CTPO), ensuring appropriate handling of impacting changes.
• Ensured SAS community understood assessment requirements and processes as well as impacts resulting from changes.
• Ensured assessment documentation libraries were kept current.
• Provided governance input into SAS training program and SAS input into CTPO and broader training programs.
• Functioned as the primary interface with CTPO Exam Management Team, Compliance, Operational Risk Oversight, Control Management, and JPMC Client Teams for SAS-aligned exam, audit and other review matters including responding to and tracking of RFIs.
• Partnered with regional CTPO governance functions on SAS-aligned exam, audit and other review RFIs and key issues as required.
• Managed bi-annual SAS Audit activities and responses.
• Facilitated reporting and communications related to SAS-aligned exam, audit, reviews and issues.
• Managed Risk & Control Self-Assessment (RCSA) and executed RCSA activities for SAS.
• Managed issue identification and oversaw action plan remediation for risks and control deficiencies aligned to SAS.
• Prepared materials and supporting documentation to assist Manager and/or acted as a delegate for management meetings, awareness sessions, global and regional activities and ad hoc forums as required.
Vice President, Supplier Assurance
JPMorgan Chase & Co., Sep 2019 - May 2021, New York, NY, US
• Planned and executed third-party risk assessments of multiple suppliers to evaluate their overall operational and information security posture and specific application security posture, ensuring that the appropriate controls were in place to meet JPMC’s standards and requirements.
• Tracked all assessments, remediations, and exceptions in JPMC’s implementation of the Archer GRC system, branded as 4Site.
Vice President, Information Security Risk Management
Citi, Jan 2019 - Sep 2019, New York, New York, US
• Oversaw the Manager's Control Assessment (MCA) and ensured that the appropriate risks, controls, tests and Key Risk Indicators (KRI) are in place and reported on.
• Identified issues through proactive interactions with customers to ensure timely identification and reporting of control deficiencies via documented issue management practices.
• Ensured on-time remediation and appropriate management reporting of issue status and corrective actions.
• Managed all audit-related activities including ensuring factual issue accuracy and documentation of corrective actions.
• Partnered with other team members to provide MCA Governance for several CTI Global Functions.
NA & EMEA Information Security Compliance Manager
NTT DATA Services, Mar 2018 - Dec 2018, Plano, Texas, US
• Served as North American and EMEA Information Security Compliance Lead, ensuring all internal, external and client audits and assessments were successfully completed in a timely fashion.
• Managed a global team of security and compliance professionals.
• Responsible for successfully achieving and maintaining ISO/IEC 27001:2013 certification at several key NTT DATA Services Data Centers in the United States and the United Kingdom.
• Conducted ISO/IEC 27001:2013 Internal Audits to ensure compliance with the ISO/IEC 27001:2013 standard.
• Responded to customer Security Compliance questionnaires, assessments and audits for a variety of control standards including ISO/IEC 27001, HIPAA, HITECH, SOX, PCI DSS, among others.
• Performed asset-based Risk Assessments to identify potential risks to NTT DATA Services’ operations and developed appropriate Risk Treatment Plans to mitigate any identified risks.
• Managed NTT DATA Services’ Information Security Management System (ISMS), including coordination of the Vulnerability Assessment program, Asset Management, Risk Assessment, Continual Improvement, Security Monitoring, and Incident Response.
• Ensured the alignment, accuracy, and compliance of all company policies, procedures, standards and methodologies with the company’s Information Security Management System (ISMS).
• Conducted information security meetings to keep management updated on current identified risks and mitigation.
• Facilitated and drove Root Cause Analyses (RCA), identification of corrective and preventive actions, and closure follow-up for various information security problems and issues.
Director, Data Security and Privacy
Dynata, Oct 2016 - Mar 2018, Shelton, Connecticut, US
• Responded to all external third-party risk assessment requests, and reduced turnaround time from several weeks to just a few days.
• Developed and performed third-party risk assessments on all vendors and clients who handled or may handle personal data.
• Conducted regular Privacy Impact Assessments on personal data processing systems, identified weaknesses and instituted corrective action plans.
• Effectively advised and trained Leaders and employees, and collaborated with the rest of the Data Privacy team on regulatory, industry and internal standards regarding personal data collection and transmission.
• Consistently delivered the highest quality customer service while responding to client inquiries and questions related to Data Privacy and Data Security matters from clients, panelists and data subjects.
• Managed a team of Data Privacy Professionals.
• Maintained a complete understanding of Data Privacy and Data Security issues and regulations, particularly relating to the Data Protection Act, EU-US Privacy Shield, and the EU’s GDPR.
• Reviewed system architecture, data flows, and process flows to ensure data is accessible to those needing such access at the same time ensuring that the data was fully protected.
• Reviewed and revised legal documents, as well as vendor and customer contracts.
• Worked with Network Security team to ensure proper data and information security controls were put in place to protect company data and intellectual property assets.
• Reviewed and revised as necessary all Data and Information Security policies and procedures to ensure alignment with business strategic, tactical and operational objectives.
• Collaborated with Product, Sales, Marketing and Client Services teams to guarantee service offerings were effectively and efficiently delivered to clients while simultaneously ensuring the confidentiality, integrity, and availability of the Company’s, its Member’s and its Client’s data.
Manager, Third Party Security Risk Management
PepsiCo, Inc., Mar 2015 - Oct 2016, Purchase, New York, US
• Accountable for the Information Security Group’s Risk and Compliance Objectives related to Information Security governance of contracts for third parties for the global organization.
• Created overall strategy for defining and governing third parties in general, and information security requirements for contracts for security concerns, ensuring new contracts have the appropriate security verbiage in them.
• Ensured compliance with various control standards including SOx, PCI DSS, and NIST 800-53, among others.
• Drove a staffing model to execute contract reviews, monitoring, and auditing, along with remediation on a periodic basis.
• Ensured Information Security requirements were consistently challenged to ensure that they remained relevant to the current threat environment.
• Defined key governance indicators for third parties to ensure that they are in compliance with all governance indicators and/or metrics; provided reporting and trends to key organizations.
• Planned and executed end-to-end Information Security assessments of multiple third-party organizations to evaluate their overall security posture, to validate that they had the appropriate controls in place to meet PepsiCo’s Information Security standards.
Manager of Compliance and Privacy
Vizient, Inc, Sep 2014 - Mar 2015, Irving, Texas, US
• As a member of the Legal Affairs team, responsible for risk management, privacy and security compliance, and the audit engagement program which is focused on Healthcare IT, HIPAA and FISMA compliance.
• Responsibilities include management, auditing, training, and development of enhancements to VHA's existing compliance program.
• Consult with multiple departments to review security and compliance for their products and infrastructure in order to ensure regulatory and/or industry compliance is maintained.
• Work with the security team and other business teams to document current and potential risk to ensure the appropriate controls are applied and documented as a part of the risk assessment/risk management process.
• Manage any potential or actual breach of Protected Health Information (PHI).
• Act as a trusted advisor for business units and interact when needed with member hospitals regarding privacy matters.
• Monitor all state and federal regulatory requirements to ensure the VHA compliance program is up to date.
• Work directly with the Legal team to ensure all contracts are compliant with state and federal requirements.
Manager of IT Governance, Risk and Compliance
General Cable, May 2013 - Feb 2014, Milan, Italy, IT
• Collaborated with business stakeholders to ensure a clear understanding of business strategies and priorities.
• Fully accountable for the delivery of IT-enabled business solutions that addressed business requirements, in line with IT enterprise architecture and standards.
• Established clear portfolio and project management processes to document, prioritize, select and track IT investments and their associated business value.
• Managed both the IT capital and operational budgets in support of the yearly business cycle.
• Owned the end-to-end process and worked with both business and IT stakeholders to gather all relevant information and document the business reasons for the investments.
• Consolidated and reported on all active projects and operational expenses, forecasting future trend and possible variations.
• Took ownership for the development, documentation, training, implementation and compliance audits of IT policies and processes including:
  • Led the effort with the business at large on understanding and adoption of End User policies including, but not limited to, the use of computing services and information security.
  • Led the IT team globally on IT policies related to access control, network security, information security, operations security, application development, and change management.
• Led cross-functional teams focused on the identification and management of risks, and the implementation of process improvement initiatives conducive to compliance requirements.
• Documented, tested and maintained Business Continuity and IT Disaster Recovery plans, minimizing risk and potential downtime.
• Facilitated both internal and external audits.
• Led the Sarbanes-Oxley (SOX) initiatives within the IT community globally to ensure proper control, documentation, proficiency, and segregations of duties were exhibited and that proper compensating controls were in place when required.
Manager, Network Security & Disaster Recovery Planning
Motorola Mobility (A Lenovo Company), Jun 2006 - Mar 2013, Chicago, Illinois, US
• Managed a globally distributed team of Network Security & Disaster Recovery Focal Points.
• Developed and managed the Project Plan for all global annual Disaster Recovery Testing.
• Implemented processes and procedures to deal with network vulnerability identification and remediation.
• Analyzed and responded to a variety of threats that could potentially impact the corporate network and enterprise.
• Coordinated the scheduling and development of comprehensive Disaster Recovery Plans (DRP) and Business Continuity Plans (BCP) for over 600 global IT applications and countless Business functions.
• Researched, recommended, and helped implement various technology, facility, and personnel solutions to ensure Business Resiliency, and to provide Business Continuity in the event of a disaster.
• Worked with Business Units and other IT Staff to conduct Risk Profiles, Risk Assessments (RA) and Business Impact Analyses (BIA).
• Prepared numerous Business Continuity and Disaster Recovery Plans.
• Maintained BIAs, RAs, BCPs, and DRPs in Strohl/Sungard’s Living Disaster Recovery Planning System (LDRPS).
• Performed Table-top, Simulation, and Failover Disaster Recovery tests to exercise the functionality of DR Plans.
• Served as departmental Sarbanes-Oxley (SOx) lead and Subject Matter Expert, analyzing and fulfilling SOx audit requests from both internal and external auditors, and legal and other entities.
• Performed Quality Control Analyses on audited items and auditor’s findings. Made recommendations related to the viability of audit requests and determined whether audit requests were inappropriate.
• Served as a team member, and assisted with the design, development, implementation, and training for the global roll-out of policies, processes and procedures related to the implementation of various ITIL functions.
Joe P. Education Details
• Nova Southeastern University, Marketing & Finance
• City University Of New York-College Of Staten Island, Minor In Photography
• Stuyvesant High School, Math And Science
Frequently Asked Questions about Joe P.
What company does Joe P. work for?
Joe P. works for Choreograph.
What is Joe P.'s role at the current company?
Joe P.'s current role is Cybersecurity Compliance Leader & Deputy CISO @ Choreograph | CISSP, CRISC, CISA, CGEIT, CBCP, ASSOC C|CISO, PMP, HITRUST, ISO27001.
What is Joe P.'s email address?
Joe P.'s email address is cg****@****ase.com
What is Joe P.'s direct phone number?
Joe P.'s direct phone number is 214-365*****
What schools did Joe P. attend?
Joe P. attended Nova Southeastern University, City University Of New York-College Of Staten Island, Stuyvesant High School.
What skills is Joe P. known for?
Joe P. has skills like Disaster Recovery, Security, ITIL, IT Service Management, Business Continuity, Management, Program Management, Project Management, Strategy, Change Management, Process Improvement, Network Security.