Franky Datch

Raleigh,USA

Summary

I am a perceptive, results-driven information security compliance analyst with over six years of experience in auditing, certification, vendor management, implementation, risk management frameworks and assessments, security control assessment, policy development, and continuous monitoring, with a track record of identifying and remediating system vulnerabilities. I am seeking a demanding information security compliance analyst role at a reputable company where I can apply this experience.

Overview

6 years of professional experience
1 Certification

Work History

Cybersecurity Auditor

  • Assisted System Owners in preparing Certification and Accreditation packages for IT systems, ensuring management and operation
  • Analyze and update System Security Plans (SSP) through knowledge and preparation of Risk Assessments (RA), Privacy Impact Assessments (PIA), System Security Test and Evaluation (ST&E), E-Authentication, Contingency Plans (CP), Plans of Action & Milestones (POA&M), SAP, RTM, and SAR
  • Implement technical security controls that adhere to the federal security requirements defined in NIST SP 800-53 Rev. 4 in order to obtain and maintain an ATO
  • Maintained up-to-date knowledge of cyber threats by researching leading vulnerability sources such as the OWASP Top 10, VirusTotal, and the National Vulnerability Database
  • Acted as Liaison Analyst to respond to and assist with audits, assessments, and compliance requests
  • Assisted with audits and enhanced the audit program and processes; developed, documented, and implemented internal controls testing and evidence documentation
  • Perform continuous monitoring using SIEM technologies to analyze events such as logon events (failed passwords), endpoint security, firewalls, IDS, IPS, and email security in accordance with guidelines or regulations, drawing on the following sources:
      • Firewalls and network devices
      • Intrusion detection and prevention systems (IDS/IPS)
      • Anti-malware systems
      • Security Incident and Event Management systems (SIEM)
      • Data Loss Prevention systems (DLP)
      • Advanced Endpoint Detection and Response systems (EDR)
      • External communications from outside entities, users, phone calls, and emails
  • Assist senior members of the SOC with analyzing and responding to potential security incidents
  • Maintain situational awareness of emerging cyber trends by reviewing open-source reports for recent vulnerabilities, malware, and other threats that can potentially impact our client organizations
  • Document threat campaign techniques, including lateral movement, and extract indicators of compromise (IOCs)
  • Manage the Security monitoring tools and set up dashboards and alerts
  • Developed and maintained technical documentation and Standard Operating Procedures (SOP)
  • Conduct security research and intelligence gathering on emerging threats and exploits
  • Participate in shift transition calls to ensure all open cases and tasks are appropriately managed and addressed
  • Periodic reporting of metrics and corresponding analysis for client review and strategic information security program adjustments and planning
  • Maintenance and management of various security technology platforms
  • Secured privileged accounts; maintained separate administrative accounts for admin agents requiring elevated permissions
  • Managed the onboarding process, setting up permissions and accounts for new users (workflow processing and chain of communication for approval)

IT Risk and Compliance Analyst

Prometheus-group
09.2020 - Current
  • Manage the development, review, implementation, and maintenance of policies, procedures, standards, and guidelines in line with applicable regulations, including ISO 27001, HIPAA, SOX, COBIT, PCI DSS, GDPR, SOC 1, SOC 2, FedRAMP, and CCPA
  • Conduct IT control and security-focused risk assessments; perform and document results of application risk assessments
  • Manage the verification that application software/network/system security and control postures are implemented as stated, document deviations, and recommend required actions to correct those deviations
  • Validate implementation and functionality of security and control requirements and appropriate information technology (IT) policies and procedures consistent with the organization's mission and goals
  • Manage the determination of whether gaps in security design or controls exist and provide recommendations for remediation and implementation of mitigating controls
  • Monitor and evaluate the effectiveness of the enterprise’s cybersecurity safeguards to help ensure that they provide the intended level of protection
  • Manage the Risk Governance process to provide security risks, mitigations, and input on other technical risks, and conduct risk analysis whenever an application or system undergoes a significant change
  • Verify and update security and control documentation reflecting the application/system security design features and provide security input into exception management processes
  • Provide technical documents, incident reports, findings from computer examinations, summaries, and other situational awareness information
  • Participate in the policy standards implementation strategies to ensure procedures and guidelines comply with cybersecurity policies; track audit findings and recommendations to ensure appropriate mitigation actions are taken
  • Ensure that plans of action and milestones or remediation plans are in place for remediation tasks identified during risk assessments, audits, inspections, etc.
  • Promote awareness of security and control issues among management and ensure sound principles are reflected in the organization's vision and goals
  • Manage the development of security compliance processes and audits for external services (e.g., cloud service provider's data centers)
  • Support necessary compliance activities (e.g., ensure system security configuration guidelines are followed and compliance monitoring occurs)
  • Support verifying that all acquisitions, procurements, and outsourcing efforts address information security and control requirements consistent with organizational goals
  • Work with technology and process delivery teams to ensure that information security is correctly considered and implemented in the business-as-usual delivery of solutions, services, and processes
  • Be a point of reference for stakeholders on information security and IT controls delivery across the organization, supporting local security and technology teams
  • Create security policies based on gap analysis
  • Conduct vendor management by sending and responding to questionnaires (SIG Lite, SIG Core, client security questionnaires) based on the artifacts in the third-party review (control checklist)
  • Conduct quarterly and annual audits, acting as the organization's internal auditor working with the external auditor, collecting evidence, and submitting it
  • Conduct a monthly phishing campaign and provide awareness training to those who get phished

Third-Party Cyber Risk Analyst

IBM
04.2018 - 09.2020
  • Conduct cybersecurity risk assessments of third-party vendors and suppliers using industry-standard frameworks
  • Develop and maintain a comprehensive inventory of third-party vendors and suppliers and track their cybersecurity risk profiles
  • Collaborate with procurement and legal teams to ensure that third-party contracts include appropriate cybersecurity requirements and provisions
  • Coordinate, plan, and execute risk-based security assessments of third parties to ensure ongoing compliance with regulations, legislation, contractual obligations, company policies, and internal controls
  • Monitor third-party vendors and suppliers for changes in their cybersecurity risk profiles and report any management concerns
  • Provide guidance and recommendations to internal teams on best practices for managing third-party cybersecurity risks
  • Keep abreast of the latest security, privacy, and regulatory concerns and best practices impacting third-party risk management
  • Review technical security controls and provide implementation responses to determine whether systems currently meet requirements and ensure the systems are compliant with NIST SP 800-171 and NIST SP 800-61
  • Manage the development, review, implementation, and maintenance of policies, procedures, standards, and guidelines in line with applicable regulations, including ISO 27001, NIST SP 800-53 framework controls, HIPAA, SOX, COBIT, PCI DSS, GDPR, SOC 2, FedRAMP, CCPA, CMMC, and NIST SP 800-171
  • Conduct quarterly and annual SOC audits and PCI DSS audits
  • Coordinate prompt security audits and assessments and design cloud environments in Azure
  • Lead implementation of the NIST framework in conducting the Risk Management Framework (NIST SP 800-37, 800-39) and Risk Assessments (NIST SP 800-30), as well as developing System Security Plans (NIST SP 800-18), to provide an overview of system security requirements and to identify system threats, vulnerabilities, and impact levels
  • Gained hands-on knowledge of cloud service providers such as AWS, Microsoft Azure, and Google Cloud
  • Manage internal audits, collecting control evidence for SOC 1, SOC 2, PCSS, CMMC, etc., and working with external auditors

Education

MS - Cyber Security Management and Policy

University of Maryland Global Campus
11.2023

AS - Information Technology

Prince George Community College
01.2020

BS - Cybersecurity, Agile and Scrum Industries, Basic Leader

University of Beau
01.2016

Skills

  • Risk Mitigation Strategies
  • Internal Controls
  • Risk Management Framework (RMF)
  • FedRAMP
  • FISMA
  • POAM
  • CSAM
  • SSP
  • SAP
  • ATO
  • HIPAA
  • Risk Assessment
  • Test Security Controls
  • Vulnerability Scans
  • Threat Management
  • Audit system
  • ID/ACCESS
  • Experience with frameworks NIST 800 Series
  • FIPS
  • PCI-DSS
  • ISO 27001
  • SOC 2
  • HITRUST
  • OWASP
  • GDPR
  • Security Compliance
  • Policies and Standards
  • Continuous Monitoring
  • IDS/IPS Firewall
  • TCP/IP protocol
  • MFA
  • Windows
  • Linux
  • Microsoft Office
  • Nessus
  • Splunk
  • Office365 Security
  • SIEM Tech
  • SOX
  • COBIT
  • CSF
  • Azure
  • Agile
  • DevOps
  • ServiceNow GRC
  • Leadership
  • Self-Development
  • JIRA
  • IaaS
  • PaaS
  • SDLC
  • HyperProof
  • SimpleRisk
  • RiskRecon
  • Smartsheet
  • Cloud Security
  • GRC tool
  • Very good at research

Clearance

Active Public Trust

Certification

  • CompTIA Network+
  • CompTIA Security+
  • CompTIA CySA+
  • CompTIA CSAP
  • Splunk 7.x Fundamentals Part 1 & 2
  • CISA
  • CISM
  • CMMC-AB Registered Practitioner (RP)


COVID VACCINATED: True
Timeline

IT Risk and Compliance Analyst

Prometheus-group
09.2020 - Current

Third-Party Cyber Risk Analyst

IBM
04.2018 - 09.2020

Cybersecurity Auditor

MS - Cyber Security Management and Policy

University of Maryland Global Campus

AS - Information Technology

Prince George Community College

BS - Cybersecurity, Agile and Scrum Industries, Basic Leader

University of Beau