Evelyn Hassan

Lawrenceville

Summary

IT Governance, Risk, and Compliance (GRC) professional with over six years of experience in risk analysis and compliance operations. Expertise in IT audit frameworks such as NIST 800-53 and SOC 2, with a proven track record in developing System Security Plans and conducting risk evaluations. Skilled in managing cybersecurity risks and implementing compliance programs, leading cross-functional teams to meet strategic goals. Knowledgeable in regulatory standards including GDPR, HIPAA, ISO 27001, and PCI-DSS, with strong analytical and problem-solving abilities.

Overview

7 years of professional experience
1 Certification

Work History

Risk & Controls Analyst Senior (Contractor)

Prime Therapeutics
10.2023 - 04.2025
  • Led the development and execution of comprehensive test plans for IT transformation projects, ensuring application quality and functionality.
  • Prepared System Security Plans (SSPs) using NIST 800-53 controls for SOC 2 and HITRUST audits.
  • Streamlined compliance evidence collection, reducing gaps by 30%.
  • Conducted risk assessments and gap analyses to identify vulnerabilities and improve Prime’s security posture.
  • Ensured compliance with data protection laws, regulations, and contractual obligations related to information security.
  • Developed standardized templates for manual NIST assessments, streamlining application evaluations.
  • Coordinated with internal and external stakeholders to implement remediation plans and ensure compliance with regulatory requirements and industry best practices.
  • Partnered with the Infosec Team Lead to craft comprehensive SSPs, resulting in client approvals for cloud infrastructure transitions.

Risk Analyst – Payments

Prime Care Technologies
01.2022 - 10.2023
  • Conducted comprehensive risk assessments of internal payment processes, systems, and applications to identify potential vulnerabilities and compliance with PCI-DSS requirements.
  • Collaborated with cross-functional teams to assess and manage third-party risks, including conducting due diligence, vendor assessments, and contract reviews.
  • Documented control weaknesses related to testing exceptions and assisted in preparing draft audit reports to communicate findings and recommendations to stakeholders and senior management.
  • Conducted thorough investigations of compliance-related issues, identifying procedural gaps and improving team efficiency.
  • Reviewed Statement of Work (SOW) and contracts to ensure billing coincided with agreements.
  • Built disaster recovery and business continuity plans while implementing controls to align the company's security program to industry-leading frameworks.
  • Conducted business continuity and risk impact analysis, identifying program and security gaps, and targeting new capabilities to increase business resilience.

IT Auditor

Navy Federal Credit Union
12.2020 - 01.2022
  • Assessed IT General Controls (ITGC), including access control, change management, IT operations, disaster recovery, job scheduling, and platform reviews for Windows and UNIX operating systems.
  • Conducted Sarbanes-Oxley (SOX) testing to evaluate the effectiveness of ITGCs within the audit scope, ensuring robust control environments.
  • Performed walk-throughs and detailed control testing to verify proper design and operational effectiveness.
  • Led SSAE 18/SOC engagements by identifying control objectives, assessing risks, planning and executing control tests, and documenting ITGCs, application, and process controls.
  • Identified control weaknesses and documented testing exceptions, contributing to draft audit reports with findings and recommendations for senior management.
  • Reviewed corrective action plans (CAP), validated remediation controls, and monitored the remediation process.
  • Leveraged e-GRC tools like ServiceNow for secure communication of findings, questionnaire deployment, and tracking vendor remediation progress.

Third Party Risk Analyst

Deloitte
07.2018 - 12.2020
  • Conducted thorough reviews of essential security policies and procedural documentation.
  • Prepared detailed assessment reports for business owners and the Vendor Risk Management Office (VMO).
  • Served as a remediation analyst, ensuring timely resolution or mitigation of security gaps identified during assessments.
  • Designed and continuously updated supplier questionnaires to address newly discovered threat signatures.
  • Ensured third-party relationships aligned with company policies, regulatory standards, and industry best practices.
  • Utilized e-GRC tools like RSA Archer for secure communication of findings, questionnaire deployment, and tracking vendor remediation progress.
  • Led comprehensive risk-based security assessments across on-premises, cloud, vendor-hosted, and third-party environments.
  • Evaluated security measures in key areas, including risk management, physical security, identity and access management, encryption, data loss prevention, secure development, incident response, security infrastructure, and policy compliance.
  • Applied expertise in vulnerability scanning, patch management, and data analytics technologies, leveraging industry best practices for risk analysis and remediation planning—particularly utilizing Tenable Nessus for vulnerability assessments.
  • Conducted reviews of corrective action plans, validating remediation controls and overseeing the follow-up process.

Education

Master of Business Administration

Cleveland State University
Cleveland, OH

Bachelor of Science - Management

Central State University
Wilberforce, OH

Skills

  • Regulatory standards: NIST 800-53, ISO 27001, SOC 2
  • Data protection laws: PCI-DSS, GDPR, HIPAA
  • Healthcare compliance: HITRUST
  • Security platforms: Archer and ServiceNow
  • Risk tools: OneTrust and JIRA
  • Network scanning tools: Nessus Scan and NMAP
  • Data analysis tools: Splunk and Excel
  • Presentation software: PowerPoint and Access
  • Document sharing platforms: SharePoint and Confluence
  • Project tracking tools: Smartsheet and Salesforce
  • Customer support systems: Zendesk
  • Security reports creation: SSP and SAP documentation
  • Assessment documentation: SAR reports and POA&M memos
  • Operational audits: IT audit reports and RCSA reviews
  • Control measures implementation: ITGC remediation strategies

Certification

CISA, Security+ certifications in view

Notary Public, State of Georgia. Valid until May 29th, 2028

Timeline

Risk & Controls Analyst Senior (Contractor)

Prime Therapeutics
10.2023 - 04.2025

Risk Analyst – Payments

Prime Care Technologies
01.2022 - 10.2023

IT Auditor

Navy Federal Credit Union
12.2020 - 01.2022

Third Party Risk Analyst

Deloitte
07.2018 - 12.2020

Master of Business Administration

Cleveland State University

Bachelor of Science - Management

Central State University