
EDDY DENNIS NYOH

Chesapeake, VA

Summary

Information Security professional with a DoD Secret Clearance and extensive combined experience in IT Audit, Governance, Risk, Compliance, Control Testing, and Information Security. I have extensive experience in successfully performing IT Audits to support audit projects such as Sarbanes-Oxley (SOX), Information Systems, Operations, and Service Organization Controls (SOC) audits. Key areas of focus include testing security controls across the IT infrastructure, such as applications, databases, and servers, and ensuring compliance across various domains.

Overview

8 years of professional experience
1 Certification

Work History

IT Auditor

United States Navy, USN
11.2021 - Current
  • Evaluate the design and operating effectiveness of IT infrastructure controls across applications, databases, and server environments.
  • Test internal controls over financial reporting (ICFR) in support of the Sarbanes-Oxley audit.
  • Perform audit procedures, including collecting, reviewing, and analyzing relevant information, documenting business processes, and completing audit documentation.
  • Conduct detailed testing of IT General Controls and IT Application Controls to ensure compliance with relevant frameworks and regulatory standards.
  • Led and actively participated in all phases of the audit lifecycle, including planning, fieldwork, reporting, and follow-up activities.
  • Facilitate Kick-off meetings between the external auditors, the internal audit department, and stakeholders.
  • Conduct application, process, and system walk-throughs with application owners to understand the end-to-end process, identify control gaps, and assess if controls are designed appropriately.
  • Perform control testing across key IT domains, including Access Management, Change Management, IT Operations, and Security controls.
  • Perform detailed testing on security controls related to vulnerability management, incident management, business continuity, and network infrastructure.
  • Conduct testing on both commercial off-the-shelf (COTS) applications and internally developed (in-house) applications.
  • Identify deficiencies in the design and operating effectiveness of implemented internal controls.
  • Support in the testing of business controls related to operations and enterprise projects.
  • Review SOC 1 and SOC 2 reports, along with bridge letters, for key systems and applications to assess the effectiveness of third-party controls and continuity of reporting.
  • Conduct risk assessments of newly scoped applications and control deficiencies identified during the audit.
  • Coordinate and facilitate collaboration between external auditors, internal audit teams, and key stakeholders during audit planning, kickoff, and throughout the IT audit lifecycle.
  • Prepare draft and final IT audit reports for presentation to key stakeholders, ensuring clarity, accuracy, and actionable recommendations.
  • Collaborate closely with issue owners and risk advisors to ensure the timely remediation of identified deficiencies.
  • Obtain and evaluate artifacts to verify the sustainability and effectiveness of remediation efforts.
  • Raise issues of control weakness with management and propose recommendations on remediation actions.

Application/Vendor Risk Analyst

United States Navy, USN
11.2019 - 10.2021
  • Oversaw IT risk activities for business-managed applications, ensuring alignment with enterprise-wide third-party and IT management programs.
  • Conducted application-centric risk assessments and served as a subject matter expert to Division Risk Owners, facilitating the timely completion of assessments and ongoing monitoring.
  • Collaborated with stakeholders in product management, technology, and information security to drive a centralized risk and compliance process.
  • Maintained procedural documents and managed a centralized repository for compliance and audit artifacts, supporting business continuity planning related to application security.
  • Led various ad hoc projects focused on enhancing program processes and contributing to strategic planning initiatives within the Office of the President division.
  • Coordinated closely with stakeholders’ areas (i.e., product management, Technology and Innovation, Information Security, Third Parties) for the timely completion of assessments and ongoing monitoring responsibilities.
  • Supported Business Application Owners with identification, tracking, and remediation of control gaps, issues, and risk exceptions.
  • Escalated any delays, significant gaps, etc., to management on time.
  • Participated in the vendor risk assessment process and provided security risk assessment services and contract reviews to ensure that third parties meet the Bank’s information security control requirements.

IT Risk & Compliance Consultant

Roper Technologies
08.2018 - 10.2019
  • Provided analysis and recommendations for identified security exceptions; participated in defining remediation efforts.
  • Ensured all vendor relationships are documented and all contracts related to vendors that provide outsourced services are uploaded in the system.
  • Performed 3rd Party Vendor Risk Assessments & assisted in the reporting of vendor risk management activities.
  • Identified opportunities to improve risk posture, develop solutions for remediating or mitigating risks, and assessed residual risk.
  • Contributed to the Cyber assessment metrics and GRC reporting to senior management to influence risk-based results.
  • Reviewed and validated vulnerability findings.
  • Identified weaknesses and vulnerabilities within the system and proposed countermeasures.
  • Maintained strong working relationships with individuals and groups involved in managing information risks across the organization.
  • Assisted in remediating penetration tests, application & vulnerability assessment findings.
  • Performed focused risk assessments of existing or new services and technologies.
  • Worked with cross-functional teams, including IT, human resources, contracts, and security, to address potential compliance issues and achieve data privacy program initiatives, and provide as-needed support to other programs within Ethics & Compliance.
  • Executed day-to-day deliverables that support the ongoing compliance needs related to PCI, IT policy, compliance, and risk, as well as any new regulatory requirements.
  • Documented audit findings and developed thorough and creative recommendations for business and process owners to mitigate identified risks.
  • Executed threat modeling exercise to determine higher likelihood threat events to inform cybersecurity risk modeling.

Information System Security Assessor

Roper Technologies
08.2017 - 07.2018
  • Developed solutions to security weaknesses documented in the Requirements Traceability Matrix (RTM) and the Security Assessment Report (SAR), while working on POA&M remediation and the Corrective Action Plan (CAP).
  • Performed FedRAMP assessments based on the customer responsibility documentation and the controls provided by the cloud service provider.
  • Performed risk assessments, developed and recommended mitigating controls, and remained abreast of advancements that address emerging business and environmental factors impacting assurance levels.
  • Worked with IT Controls Manager to improve efficiency and effectiveness of IT audit testing procedures, processes, and attributes.
  • Provided security control assessor (SCA) services, such as assisting with the Assessment and Authorization process, including A&A scanning, documentation, reporting, and analysis, and analyzing current threats to information security and systems.
  • Reviewed for accuracy Security Control Assessment (SCA) documentation, including but not limited to the Security Assessment Report (SAR).
  • Performed ongoing RMF/A&A/ATO projects in support of client security systems using NIST SP 800-37 Rev 1 as a guide.
  • Ensured compliance with data security policies and relevant legal and regulatory requirements under agency directives and applicable Risk Management Framework (RMF) requirements.
  • Validated system requirements, security policies and procedures, contingency plans, incident response plans, personnel security, access control mechanisms, and identification and authentication mechanisms.

Education

Master of Science - Cybersecurity and Information Assurance

Western Governors University

B. Eng. - Electrical/ Electronic

Madonna University

Skills

  • IT Audit
  • Risk Assessment
  • Audit Planning
  • Fieldwork
  • Reporting
  • Follow-up
  • IT General Controls (ITGC)
  • IT Application Controls (ITAC)
  • Service Organization Controls – SOC 1
  • SOC II (Type I)
  • SOC II (Type II)
  • Sarbanes-Oxley (SOX)
  • Governance Risk and Compliance (GRC)
  • HIPAA & PRIVACY ACT training
  • PCI DSS
  • IT Security Compliance
  • Third-Party Risk Management
  • Risk Management Framework (RMF)
  • Vulnerability Assessment
  • System Development Life Cycle
  • ServiceNow (SNOW)
  • RSA Archer
  • SharePoint
  • ISO 27001
  • COSO
  • COBIT
  • NIST SP 800-53
  • SP 800-53A
  • SP 800-37
  • FISMA
  • FedRAMP
  • Linux
  • Microsoft Office
  • Microsoft 365 Defender
  • AWS and Azure Cloud Infrastructures

Certification

  • CompTIA Security+
  • CompTIA Network+
  • CompTIA A+
  • Splunk Admin User

Timeline

IT Auditor

United States Navy, USN
11.2021 - Current

Application/Vendor Risk Analyst

United States Navy, USN
11.2019 - 10.2021

IT Risk & Compliance Consultant

Roper Technologies
08.2018 - 10.2019

Information System Security Assessor

Roper Technologies
08.2017 - 07.2018

Master of Science - Cybersecurity and Information Assurance

Western Governors University

B. Eng. - Electrical/ Electronic

Madonna University