Samuel B Email and Phone Number
Highly dedicated and results-oriented IT professional with 8+ years of progressive experience in securing information and information systems. Proven expertise in implementing security compliance policies, conducting risk assessments, and developing impactful information security strategies. Skilled in utilizing advanced tools, such as EDR, vulnerability scanning, data loss prevention, and log management. Experienced in effectively managing third-party risks and conducting comprehensive compliance assessments. Possesses strong knowledge of regulatory frameworks and industry standards, including NIST, GDPR, CCPA, NYDFS, COBIT, ISO 27001/2, FedRAMP, HITRUST, PCI-DSS, SOC 1&2, CIS Benchmarks, and FIPS 199/200. Seeking a challenging role as an Information/Cybersecurity analyst to deliver tangible results for this organization.
Transamerica
- Website: transamerica.com
- Employees: 15388
Snr Governance, Risk And Compliance Analyst, Transamerica, United States
Snr Governance, Risk & Compliance Analyst
Transamerica, Dec 2023 - Present, Baltimore, Maryland, US
• Maintained security compliance programs within a GRC or compliance automation solution.
• Tracked audit remediation actions, helped develop solutions, and reported on the status.
• Coordinated with external auditors and Flexential’s operations teams to obtain audit evidence for in-scope IT systems to support the annual audit, such as SOC 1&2, ISO 27001, HITRUST, PCI-DSS.
• Developed and maintained Flexential’s security policies, standards and guidelines.
• Supported Flexential’s response to Regulators, Auditors, Client inquiries, and Due Diligence Questionnaires.
• Conducted assessments of third-party vendors and partners to ensure they meet our security and compliance standards.
• Executed vulnerability scans and coordinated related remediation activities.
• Monitored and responded to information security risks related to systems, networks, and applications to ensure internal security controls are operating as intended.
Information Security Compliance Analyst
Flexential, Aug 2023 - Nov 2023, Charlotte, North Carolina, US
• Coordinated with external auditors and operations teams to obtain audit evidence for in-scope IT systems to support the annual audit such as SOC 1&2, ISO-27001, HITRUST, and PCI-DSS.
• Supported the development and implementation of a risk register process.
• Performed quarterly risk register reviews; managed and monitored remediation and exceptions of cybersecurity risks.
• Provided guidance and support to business units on information security matters, including security awareness training and incident response.
• Developed and maintained information security policies, standards, and procedures aligned with industry best practices.
• Identified and communicated control gaps; evaluated management remediation action plans, and provided ongoing monitoring of resolution.
• Maintained awareness of external regulations and industry standards for new or modified requirements (PCI-DSS, NIST 800-53, ISO 27001, etc.).
Information Security Technical Compliance Analyst
Array, Feb 2023 - Jun 2023, New York, NY, US
• Conducted comprehensive risk assessments to identify potential security vulnerabilities and threats.
• Implemented GRC processes to automate and continuously monitor information security controls, exceptions, risks, and control testing.
• Documented incidents and reported them per regulatory requirements.
• Conducted incident response activities, including investigation and remediation.
• Led external audits with frameworks such as SOC 1&2, ISO 27001, PCI-DSS, HITRUST CSF.
• Analyzed security logs to detect suspicious activities.
• Collaborated with cross-functional teams for holistic security risk management.
Lead Risk And Compliance Analyst
Air Products, Oct 2021 - Oct 2022, Allentown, Pennsylvania, US
• Reviewed technical systems controls, reported on security weaknesses, and communicated significant control and compliance risk to management.
• Identified and resolved any issue of noncompliance with a related standard or framework.
• Developed and implemented information security policies, procedures, and standards to protect the confidentiality, integrity, and availability of information systems and data.
• Responded to external requests for Security Questionnaires, Due Diligence, Vendor Risk Assessments, and other categories that require responses.
• Leveraged GRC tools to efficiently manage external authoritative sources, information technology controls, and risk management workflows.
• Actively offered internal security consulting on policies, controls, standards and best practices to business functions and end users.
• Supported interpretation of vulnerability scan reports, enabling prompt resolution of identified vulnerabilities.
• Conducted security awareness and training programs.
Information System Security Officer
National Distribution Centers, Jan 2015 - May 2021, US
• Examine SOC and HITRUST reports, vulnerability assessments, policies, procedures, and standard documents to evaluate compliance. This involves reviewing system configurations, security protocols, access controls, encryption measures, and incident response plans.
• Ensure the protection of Confidential Unclassified Information (CUI), the standards outlined in DFARS and NIST 800-171.
• Prepare a plan of action and milestones based on the findings and recommendations of a security assessment report excluding any remediation actions taken.
• Develop/Review deliverables associated with a FedRAMP security authorization package including, but not limited to: System Security Plan, Information System Contingency Plan, Security Assessment Plan, Security Assessment Report.
• Supports Security Control Assessments using NIST 800-53A Rev5 as guidance for current federal directives and policies.
• Performs System Security Categorizations using FIPS 199 and the NIST 800-60 Vol.11 Rev1 guidelines and templates to select provisional impact level assigned to the Confidentiality, Integrity and Availability (CIA) based on the information type.
• Analyzes and updates System Security Plan (SSP), Risk Assessment (RA), Privacy Impact Assessment (PIA), System Security Test and Evaluation (ST&E).
• Develops and tracks Plan of Actions and Milestones (POA&Ms) to ensure remediation closure.
• Maintains and manages Security Authorization and Assessment packages that include System Security Plans (SSP), Contingency Plans (CP), POA&Ms, SAR, and other relevant security documentation for the system.
• Perform security risk assessment and analysis of resources, controls, vulnerabilities, asset decommissioning, and information security threats to the organization’s objective.
Samuel B Education Details
Kwame Nkrumah University Of Science And Technology, Kumasi
General
Frequently Asked Questions about Samuel B
What company does Samuel B work for?
Samuel B works for Transamerica.
What is Samuel B's role at the current company?
Samuel B's current role is Snr Governance, Risk and Compliance Analyst.
What schools did Samuel B attend?
Samuel B attended Kwame Nkrumah University Of Science And Technology, Kumasi.
Who are Samuel B's colleagues?
Samuel B's colleagues are Derrick White, Tonya Seaborne, Natalie Zoumis, Gabrielle Aikin, Nikkee (Sheryl) Pierce, Joyce Kelly, Laura Alger.