Enterprise Technology And Security Compliance Lead
CurrentExpanded the Enterprise Technology & Security (ET&S) Compliance program to operationalize processes for identifying, assessing and prioritizing mitigation of risks across PNC’s technology & cyber programs. Results included: • Assessed & remediated gaps between PNC’s current IT compliance policies and the guidance established in the FFIEC IT handbooks• Implemented an objective scoring methodology for challenging technology and cyber 1st LoD’s self-identified Quality of Risk Management (QRM) & Risk Outlook (RO) ratings, based on scoring factors such as upcoming regulatory changes, third-party risk, Prime Process reports, and progress toward resolution of Matters Requiring Attention (MRAs), Issues, Incidents, Policy Exceptions. Risk Plans, and metrics breaching defined yellow/red boundaries• Established a tracking system to identify new & past due technology and cyber issues, assess the adequacy of their proposed remediation plans, and then monitored progress through interim milestones toward timely completion • Led the project to develop a ServiceNow approval flow to replace the manual system for Symantec desktop encryption access requests • Served as the Privacy Office SME on the effort to establish responsible A.I. principles • Assumed responsibility for developing the ET&S generative A.I. regulatory compliance framework, by • Drafting PNC’s generative A.I. policy based on the EU A.I. Act • Partnering with our Security Operations Center to block access to 46 generative A.I. websites, reducing the risk of data exfiltration • Writing delta questions for addition to our KY3P privacy assessment to gauge generative A.I. risk • Identifying generative A.I. regulatory compliance risks and drafting proposed mitigation strategies • Assessing privacy & financial regulatory compliance risk for PNC’s first two generative A.I. uses cases, a retrieval-augmented generation (RAG) help desk assistant and a Github Copilot code generation implementation