Carrie Rose

Risk Management
Atlanta, GA

Summary

Seasoned Risk Management leader with proven success in risk assessment, regulatory compliance, and policy development. Equipped with strong problem-solving abilities, willingness to learn, and excellent communication skills. Poised to contribute to team success and achieve positive results. Ready to tackle new challenges and advance organizational objectives with dedication and enthusiasm.

Experienced leader with strong background in guiding teams, managing complex projects, and achieving strategic objectives. Excels in developing efficient processes, ensuring high standards, and aligning efforts with organizational goals. Known for collaborative approach and commitment to excellence.

Overview

1 Certification
17 years of professional experience
9 years of post-secondary education

Work History

Director, Office of the CIO

Mativ Holdings
04.2022 - Current

Project Management Office – lead team of project managers responsible for the support and governance of 20+ strategic initiatives involving technology resources.

Budgeting Lead – coordinate with IT leaders to track and report on performance against budget for expenses related to software licensing, outsourced services, hardware asset purchases, and other personnel related costs.

Communication – partner with the Corporate Communications team to develop and distribute IT communications relevant to stakeholders across the organization.

Culture – co-develop and sustain a department level set of values to guide team principles and behaviors that align with the enterprise vision - We Partner, We Listen, We Deliver, We Care.

Leadership – set the strategic vision for the programs supporting the governance, risk, and compliance across information technology.

Governance Program – manage drafting and maintenance of information technology policies, ensuring alignment with the CIS control framework for security controls and standards.

Training and Awareness Program – lead efforts related to security awareness training across the enterprise, including simulated phishing, policy acknowledgement, IT surveys, and other related campaigns.

Risk Management – develop the program and tools to manage information technology, cybersecurity, and third party risk across the organization including risk assessments, Access database, documentation templates, and team processes.

Partnership – collaborate with Internal Audit, Enterprise Risk, and Cybersecurity teams to reduce risk, execute internal audits, and fulfill external assessments.

Sr Manager, Information Security GRC

Dish Network Corp
10.2018 - 04.2022

Leadership – manage teams responsible for drafting and maintaining information technology policies, ensuring compliance with CCPA, PCI, CPNI and other data regulations, and assess and monitor information security and third party risk.

Information Security Governance Program – lead change management effort to align existing policies with the NIST framework for security controls and standards.

Compliance Program – monitor PCI compliance including control testing and monitoring to enable technology advancements while remaining compliant. Oversee activities in place to prove compliance with other applicable regulations.

Risk Reporting Program – define and maintain risk dashboards to inform and guide leadership decisions related to information security risks.

Security Training and Awareness Program – mature and maintain plan for phishing tests, policy acknowledgments, general awareness, and security training programs focused on enterprise employees.

Third Party Security Scorecards – develop, publish, and support the program and tools to effectively communicate vulnerability and compliance issues discovered in third party provided solutions.

Tool Development – In addition to the tools developed as Risk Management Manager, focused on building tools more aligned with an eGRC tool. An Access Database was built to manage and report on Information Security GRC activities including:
  • Issue and Action Management for audit findings, security incidents or vulnerabilities, third party issues, risk assessment findings, policy gaps, training opportunities, and more.
  • Risk and Control Library Management tying inherent risks to mitigating controls and regulatory requirements.
  • Policy and Procedure Management to ensure all documentation is drafted and reviewed according to internal requirements.
  • Third Party Management including the risk related details and annual risk assessment monitoring, along with policy renewal requirements and collection of AOC and SOC reports.

Manager, Marketing Business Risk

Discover Financial Services, DFS
04.2008 - 10.2018

Risk Management – develop and maintain risk assessment and control design review framework for the consistent management of risk and control libraries spanning across operational, regulatory compliance, consumer privacy, and information security risks. Develop and document new or updated risks and controls for new marketing initiatives. Lead the business unit through annual control self-assessment activities to ensure accurate residual risk assessments. Consolidate a new risk and control library for the Marketing Business Risk department to ensure proper oversight of risk mitigation efforts. Manage the End User Computing policy’s annual expansion requirements across all Card Marketing departments and maintain a consolidated inventory.

Process Documentation – manage team responsible for migrating 400+ procedure documents into an enterprise template while linking processes to policies, standards, and controls to ensure proper oversight by leadership. Develop and maintain workbook used to leverage Archer and SharePoint database record information to analyze required approvals, plot and normalize annual review cycles, and identify streamline or gap opportunities.

Educate and Train – identify and communicate critical controls to ensure that the company delivers on promises made to consumers and regulators. Coordinate efforts to develop role based training for critical control activities across the marketing department. Analyze and present ongoing risk reduction results and corrective action recommendations to senior leadership.

Database Development – created and maintained databases to assist in operational incident capture and reporting, parking lot to track and trend risk and control updates identified through control design reviews or internal exams, and team task tracking used to provide project status to leadership.

Third Party Program Owner – design and implement an expansion plan to incorporate best practices and consistent third party management across all four towers within the department. Act as a single point of contact for all third party activities across several relationships, such as risk assessment and corporate data release management, contract and other legal document facilitation, exam coordination, control and service level monitoring, scorecard completion, and program reporting.

Act as Card Marketing expert while consulting teams such as Information Security, Compliance, Operational Risk, Privacy, Finance, and Deposits.

Education

Bachelor of Arts - Compliance

DePaul University
Chicago, IL
08.2009 - 05.2018

Skills

  • Regulatory Compliance
  • Risk Assessment
  • Policy Development
  • Audit Management
  • Strategic Planning
  • Leadership
  • Data Analysis
  • Process Improvement

Certification

  • Certified in Risk and Information Systems Control - ISACA

Timeline

Director, Office of the CIO

Mativ Holdings
04.2022 - Current

Sr Manager, Information Security GRC

Dish Network Corp
10.2018 - 04.2022

Bachelor of Arts - Compliance

DePaul University
08.2009 - 05.2018

Manager, Marketing Business Risk

Discover Financial Services, DFS
04.2008 - 10.2018