• Manage the information security risk assessment function in the Chief Information Security Office for all IT infrastructure and application projects; including chairing meetings to discuss risk mitigation with business areas; providing follow up guidance on how to mitigate identified risks, and reviewing security designs for approval.• Developed the Information Security Risk Register to document key risk drivers and monitor actions towards their mitigation. Report Information Security risks to the Chief Risk Management Office for inclusion in the Enterprise Risk Register. • Chair the Information Security Risk Working Group to review the Information Security Risk Register and discuss emerging risks.• Managed the selection and implementation of the Governance Risk and Compliance (GRC) framework; including documentation of requirements, RFP process management, and vendor relationship management.• Developed GRC applications to maintain the Information Security Risk Register, monitor third party risk, and access HIPAA compliance. • Provide oversight of Information Security Policy, Policy Exception, Policy Awareness, and Risk Assessment functions for the enterprise.• Provide oversight of the enterprise Information Security Liaison and Security Officer programs; including providing guidance on how to mitigate risk within their respective business areas. • Member of enterprise wide councils including Records Management and Operational Risk Working Group (Alternate for the CISO)

• Managed one of the two enterprise-wide Security Review Boards that review new and modified systems for security vulnerabilities.• Developed the Information Security Risk Model that is used to determine the risk level that new IT projects or system modifications will have on NYL. • Developed the questionnaire used to calculate inherent risk• Business Continuity Representative for the Chief Information Security Officer’s organization.• Performed gap analyses of domestic and International Security Programs to the ISO 27002 standard.• Participated in Health Insurance Portability and Accountability Act (HIPAA) regulatory reviews • Developed a metrics program report KRI progress against goals to the Chief Information Security Officer.• Managed New York Life submission to Industry and Peer group industry benchmark studies.

• Documented information security policies and technical security standards • Managed the Security Liaison Program, which provided training and support approximately 200 departmental security representatives throughout the company.• Developed and implemented Security Certification, Testing, and Training programs• Developed training programs, including an Introductory Security Liaison Computer Based Course • Wrote the Security Liaison Handbook that explained access control responsibilities and procedures.• Performed annual Security Liaison performance appraisals.• Arranged quarterly meetings and awareness presentations• Managed the server policy compliance program including selection and implementation of a server compliance product; and risk mitigation and follow up• Implemented a plan for risk assessment and mitigation of externally performed penetration tests.• Promoted security awareness by initiating an Information Security intranet site, issuing security alerts, publishing newsletters, and managing the company’s annual Information Security Awareness Day