Designed risk assessment and control architectures at the enterprise, process, and information
systems levels (NIST Tiers) to be consistent with FFIEC, FISMA, HIPAA, HITRUST CSF,
COSO, ISO ERM, MAR and PCI DSS requirements to improve risk management and control
maturity levels.
Managed information systems projects for banking, manufacturing, financial reporting, and
financial services applications over a 30-year career including designing Risk Management and
control procedures for Agile / Scrum programs.
During my career I successfully filled the positions of Chief Financial Officer (CFO), Chief
Auditing Officer (CAO), and Chief Compliance Officer (CCO).
Worked extensively throughout my career as a business information systems project manager.
PROFESSIONAL DEVELOPMENT
CRMA, Certified Risk Management Assessor
CISA, Certified Information Systems Auditor (10-year Gold Member)
CIA, Certified Internal Auditor (Internal Controls)
2011 to 2018: Completed extensive CPE training seminars in Auditing, Risk Management, IT Security
(CISSP review), and the COSO/COBIT Internal Control Frameworks to maintain all certifications
“Active”.
Areas of Expertise
GRC / Enterprise Risk Management: Performed enterprise governance, risk, and control (GRC)
audits and recommended improvements for existing internal fraud control, and information systems
“Risk Assessments” based on commercially accepted Risk and Control frameworks consistent with
ISO 31000, NIST SP 800-30r1 and COSO ERM.
IT Security Risk, Auditing and Management: Assessed process and Cybersecurity risk, and
compliance controls for HIPAA, Sarbanes-Oxley (SOX) ICFR. I also audited and improved controls per
HITRUST, FedRAMP FISMA NIST, and FFIEC standards. I have also applied the “Shared Risk
Assessment” (SIG) program for vendor technology risk assessments.
Internal Auditing: Applied internal auditing standards at over a dozen companies to audit and
document SOX internal controls and information systems Compliance, and to assess HIPAA, PCI, and
IT security internal control strengths and weaknesses.
Project / Program Management: I have managed multiple banking and manufacturing information
systems projects including a global “conversion” project and have implemented internal Risk and Control
programs. I have worked with “Waterfall” and “Agile” Project Management techniques to produce
successful project outcomes.
Business Process Analysis: Over 30 years’ experience analyzing, designing, reengineering, and
documenting “Business Process” workflows.
Financial Analysis: Over 20 years’ experience in financial reporting, Cost/Volume/Profit analysis,
variance analysis, Budgeting, and product / services pricing analysis.
PROFESSIONAL EXPERIENCE
The Broad Institute of MIT and Harvard, March 2016 to April 2016
Cambridge, MA, IT InfoSec Auditor
Reported to InfoSec manager
Provided a summary level review with recommendations for their FedRAMP “FireCloud
Project” based on an independent review and interpretation of their System Security Plan (SSP)
and their Security Assessment Report (SAR) documentation.
Evaluated FISMA NIST 800-53r4 SSP information security controls to determine POAM
requirements for achieving the client’s “authorization to operate” (ATO) status for their cloud-based
SaaS application.
Massachusetts Office of State Auditor (OSA), April 1 to June 30, 2015
Boston, MA, IT Security Risk and Compliance SME
IT Risk and Security Compliance SME
Engaged by OSA to complete an IT Risk and Security Assessment that merged NIST
standards (800-39, 37, and 30), the 2014 NIST Cybersecurity Framework, and CMS standards
with MassIT department guidelines.
This information system Risk and Security Assessment program focused on establishing an
information systems security baseline “Risk Assessment” and control gap analysis to drive
applying the HITRUST control framework to improve OSA’s IT Security compliance program
in health PHI data analytics.
The information system assessed focused primarily on HIPAA PHI and PPI Data Privacy
security and compliance for OSA / MassIT network confidential data transfers.
Engaged by BTS as a Sr. Compliance Audit & “Risk” Consultant to perform a system audit of their
IBM AS-400 / iSeries legacy system and legacy RPG applications, TCP/IP network, DB2 and SQL
database use, and MS Dynamics GP application as part of a legacy software review program.
Initiated projects to mitigate SEC Compliance and IT Security risk by improving the effectiveness
of preventive and detective internal control policies and procedures in accordance with SEC Rule
206(4)-7 to meet recent SEC / NIST “Cyber-Security” requirements.
Assessed GLBA and PPI data privacy compliance and IT Security procedures and assessed existing
data input workflows and NIST 800-53r4 (j) controls and assessment models.
Expanded my role to improving BTS’s Enterprise Risk Management (ERM) program.
Performed Business Impact Assessment (BIA) audits, and Business Continuity Planning (BCP) /
Disaster Recovery (DR) audits as a part of the BTS SEC compliance improvement project.
Wright Express Corp., S. Portland, ME (now WEX Inc.), Dec. 2010 to Feb. 2011
Sr. IT Project Manager, Tax Compliance project
Credit Card, Payment & Settlement Processing Company