Lead Security Governance Analyst
Payments Canada
Total years of experience: 9 years, 10 months
Develop, implement, and validate information security controls and policies to
help the payment-clearing organization avoid risk and maintain data system
integrity. Communicate findings to business owners and supplier managers to
initiate remediation. Coordinate internal and external audits in partnership with
IT process owners and other stakeholders; respond to audit queries. Present
metrics and reports to executive leadership during weekly meetings. Assess the
security requirements included in statements of work (SOW) and master service
agreements (MSA) with third-party risk assessments. Manage internal and
external audits.
Maintain policies governing data, networks, and web services to support
ISO 27001 compliance. Prepared the team for an ISO 27001 audit; gathered
information, prepared control owners to answer auditors' questions,
uploaded documents to internal and external portals, and attended
auditors' testing interviews.
Supported the review of preliminary reports, debated selected findings, and
prepared management action plans for remediation.
Improved the risk register by identifying the risk owner and specifying
timelines and responsibilities.
Documented and prepared the final assessment report at the end of each
third-party assessment process, including findings with their risk levels and
recommendations for remediation with the target completion date.
Worked with business owners/supplier managers to communicate those
gaps and findings to receive the third-party provider's commitments on the
remediation and target completion date.
Proactively managed and tracked information security-related risks and
corresponding action plans with due dates to ensure issues are resolved in
an efficient and timely manner.
Prepare and evolve periodic IT compliance management reports and
dashboards.
Performed cybersecurity risk assessments for a privately held company that offers engineering and geosynthetics solutions
for construction projects. Collaborated across the organization to test processes’ and controls’ effectiveness, document
identified risks in risk control matrices, and retest updated controls. Reviewed IT standards and conducted security risk
analyses of business processes and technology solutions to test compliance with company policies and regulatory
requirements. Fulfilled requests from auditors performing SSAE18 (SOC) and ISO 27001 audits. Developed remediation
models for incidents or alerts in IT control domains, internal/external audits, and control readiness assessments.
Spearheaded an internal and third-party gap assessment and readiness assessment to evaluate the company's readiness for ISO
27000, SOC 1, and SOC 2. Maintained consistent controls, enabling Paradox to consistently pass its audits with zero
non-conformities and very few opportunities for improvement (OFIs).
Initiated the practice of conducting pre-audit interviews before the external auditor walkthrough, so control owners were better
prepared.
Documented and prepared the final assessment report at the end of each third-party assessment process, including
findings with their risk levels and recommendations for remediation with the target completion date.
Assisted with compliance assessment of applications, systems, and business processes.
Assisted in annual security planning by maintaining the risk register and providing trend analysis related to KRIs.
Evaluated third parties' control effectiveness and reviewed controls against regulatory requirements, security best
practices, and knowledge of ISO 27000, SIG, SOC reports, privacy requirements, and additional risk domains. Scoped,
planned, and executed third-party security risk assessments, evaluating new and existing vendors. Reviewed SOC 2 and pen
test reports to validate findings. Prepared assessment reports that included findings, risk levels, recommendations for
remediation, and target completion dates. Partnered with business owners and vendor managers to communicate findings
and gaps to vendors and obtain their commitment to implement corrective actions by the established deadlines.
Partnered with IT compliance resources and vendors to implement the ServiceNow third-party risk management
platform to support vendor assessments and review vendors’ SOC/ISO/SOA reports to understand their security
postures.
Implemented automation that increased the efficiency of tracking GRC risk and vulnerability, reducing headcount.
Provided support to third-party risk assessors by reviewing the SOW and MSA to ensure security requirements are
captured in the contract documents before they are signed by the affected parties.
Worked with business owners/supplier managers to communicate those gaps and findings to receive the third-party
provider's commitments on the remediation and target completion date.
Involved in every stage of the TPRM lifecycle, from planning > due diligence and third-party selection > contract negotiation
> ongoing monitoring > termination.
Reported security vulnerabilities that led to the company changing vendors to preserve security.
Managed the company's information security policies, PCI/ISO compliance plans, third-party control effectiveness and
audits, and internal and external IT security audits. Reviewed audit reports; evaluated gaps in information security
governance, risk management, and compliance; and delegated gap remediation tasks. Monitored and mitigated
vulnerabilities disclosed by the software stack providers. Responded to information security incidents, performed root
cause analysis, and communicated issues to the affected parties. Managed business continuity.
Achieved excellent audit results; the SOC audit resulted in zero findings, and the ISO audit produced only one OFI.
Collaborated with security and business leaders to build a culture of security awareness through training.
Recommended a cloud backup solution instead of single-space storage to support continuity planning.
Trained staff in concepts in secure SDLC and regulatory/PCI compliance requirements.
Collaborated across multiple departments to identify and resolve cybersecurity risks; provided executives with
cybersecurity incident and activity reports. Performed intrusion analysis using SIEM, EDR, vulnerability management, anti-malware, packet captures, data visualization, log and pattern analysis, and reports. Backed up data and managed disaster
recovery operations. Configured hardware, created and managed user accounts in Active Directory, set up VPN access and
trained users, and handled IT onboarding for new employees. Resolved hardware, software, and connectivity issues.
Supported networks, desktops, laptops, Office 365, and collaboration tools.
Organized and led cybersecurity awareness training for employees.
Perform vulnerability identification; manage the Vulnerability Management program and collaborate with interested
parties on remediation plans and tasks.
Develop and maintain cyber security awareness content, campaign activities, and reporting.
Perform risk assessments on technology projects, initiatives, and infrastructure by working closely with stakeholders to
identify, classify, and mitigate cyber threats.