Javier Sotelo Felix

Information Security And Compliance Program Director
Santa Clarita,CA

Summary

· Expertise in Enterprise Security Governance, Risk and Compliance program management, and change-agent with a unique blend of technical, compliance, and business acumen.

· Proficiency in information technology security, regulatory compliance, business analysis, and operations with 20+ years of experience managing technology, of which 16 years have been in global ISO-certified manufacturing enterprises in multiple industries.

· 17+ years implementing safeguards for Personally Identifiable Information (PII) telemetry on the internet in both the Biomed/Healthcare and Automotive industries.

· Proven track record leading cross-functional and multi-site programs with a “process before tool” philosophy that balances cost, maturity, and operational risk.

· Expertise in information security/privacy business process improvement, IT audit management, business to IT strategy alignment, and supplier risk management.

· Expertise in regulatory requirements analysis; compliance audit readiness: SOX, HIPAA, ISO 27001/2/5, ISO 27701, CCPA, CPRA, EU GDPR, PCI, COBIT, ITIL, NIST CF, CIS 18, HITRUST.

· Effective communicator across disciplines and cultures, translating complex technology, risk, and business subjects to any audience. Excellent writing skills, e.g., policies, procedures, training, white papers, executive summaries, etc.

· Effective leader dealing with all aspects of team management, e.g., recruiting, retention, budgeting, planning, and mentoring.

Overview

25 years of professional experience
1 language

Work History

Principal Consultant and Senior Project Manager

Asescco Consulting
Santa Clarita, CA
01.2023 - Current
  • Responsible for providing technology, governance, and security consulting services for clients. Assess compliance levels; identify risks; develop remediation plans; create and update policies, standards, procedures, and training.

Manager, Security GRC

Hyundai AutoEver America
Fountain Valley, CA
06.2015 - 10.2022
  • Security Governance, Risk and Compliance
  • Defined and built the GRC department: Defined all roles, policies, and procedures; recruited and retained a very effective team; established an ISO 27001-based ISMS program to service all Hyundai-owned companies in North America
  • Achieved ISO 27001 Certification: Successfully led IT Shared Services program to ISO 27001 certification for KIA USA Customer Datamart on time and within budget
  • Implemented Risk Management for IT PMO: Led and championed business culture change by applying meaningful risk management by integrating security assessments into the Project Management Office (PMO) lifecycle, e.g., security architecture, supplier risk, application penetration testing, compliance scope/readiness, etc
  • Achieved 27% savings in Cyber Insurance premium: Aggressively marketed information security program to underwriters and obtained a $60K savings in annual cyber insurance premium while increasing coverage for Regulatory, Event Management, PCI, Fraud, and Reputational Loss for Hyundai Motor America
  • Integrated Security/Privacy requirements into complete organizational self-assessments: Worked with IT shared services customers in various industries (marketing, distribution, sales, telematics, etc.) to perform custom security/privacy assessments (CCPA, CPRA, corporate policy, vetting by insurance brokers, etc.) to give status and guidance on compliance gaps, and planning their remediation
  • Established and led the Steering Committee to review and prioritize the Risk Register and Risk Treatment Plan
  • Authored Policies, SOPs, Standards, and White Papers: Authored policies, standards, and procedures from scratch to build an ISO 27001-based information security management system (ISMS)
  • Established document control policy, standards, and procedures
  • Oversaw closure of documentation gaps.

Principal Consultant and Senior Project Manager

Asescco Consulting
Santa Clarita, CA
12.2012 - 06.2015
  • Responsible for providing technology, governance, and security consulting services for clients. Assess compliance levels; identify risks; develop remediation plans; create and update policies, standards, procedures, and training.

Information Security Compliance Consultant

The Walt Disney Company
Glendale, CA
12.2013 - 01.2015
  • Information Security and Compliance Center of Excellence
  • Responsible for providing information security compliance consulting services on SOX, EU-US Safe Harbor, policy and process maturity, and automation.

Division Information Security Officer and Senior Manager

St. Jude Medical
01.2003 - 01.2012
  • IT Governance, Risk and Compliance
  • Defined and built Security department: Defined all roles, policies, and procedures; recruited and retained a very effective team; established an ISO 27001-based ISMS program to service St. Jude Medical’s Cardiac Rhythm Management division (SJM’s largest division) across multiple states and countries, e.g., U.S., Sweden, Puerto Rico
  • Achieved ISO 27001 Certification: Successfully led the program to be the first in the implantable medical device industry in the U.S. to achieve ISO 27001 certification for St. Jude Medical's 280K-patient / 15K-clinician Distributed Patient Care Network (DPCN) on time, under budget and a full two years ahead of the competition
  • Achieved Security Culture Change: Championed business culture change from the top down by leading an effective security program that measurably improved the organization’s security posture and made the continuous improvement and decision-making process for InfoSec agile, because all executive and senior management were fully briefed and engaged in integrating information security into everyday business risk management
  • Achieved HIPAA and SOX Compliance: Successfully led the HIPAA and SOX computer control governance programs to early full compliance; right-sized the scope of systems and processes to assure efficiency and cost-effectiveness
  • After three years of personally leading extensive remediation projects, internal and external SOX and HIPAA audits became a "non-event" each following year
  • Achieved ASIP Santé / CNIL Certification: Implemented governance controls that achieved ASIP Santé and CNIL (French Health and Information Security Ministries, respectively) approval and certification for Privacy protection for DPCN well over two years ahead of the competition as well as compliance with other very rigorous EU privacy requirements
  • Achieved US-EU Safe Harbor Certification: Achieved Safe Harbor Certification for St. Jude Medical’s Clinical Trials System on time and within budget
  • Achieved Integrating Security/Privacy requirements into the full Product and Service Development Lifecycle: Worked with Program Management, Software Development, Regulatory, and Legal to fully embed security and privacy requirements into the Product and Service lifecycle starting from the initial product and service conceptualization and design
  • Implemented IT Asset Management Program (first-year savings $0.5M): Deployed IT Asset Management procedures and tools (AirWatch MDM, Computrace, BarScan, Marimba, Remedy, and MS AD)
  • Implemented a license-reclamation program that saved the organization over $340K in the first year and reduced the risk of unlicensed software on the company's network
  • Saved an additional $120K+ in software licenses reclaimed from unused hardware that had not been decommissioned
  • Implemented Information Security Incident Management: Deployed Information Security Incident Management protocols and tools (EnCase, Computrace, and secure SharePoint) to perform digital forensics, eDiscovery, and segregated incident tracking
  • Created a dedicated lab to isolate assets for analysis and preserve a strict chain of custody
  • Implemented 360-degree Data Protection and Tracking for Distributed Patient Care Network (DPCN): Implemented front-end and back-end tools to track authorized and potentially unauthorized access to confidential data (Imperva WAF, Core Impact, Acunetix, Oracle DBF, and Splunk Secure Vault) to ensure continuous improvement of detection and prevention capabilities to augment secure coding practices (AppScan) and secure infrastructure controls
  • Authored Policies, SOPs, Standards, and White Papers: Authored communication materials and protocols to support Legal Sales & Marketing departments in addressing customer and regulatory agency security and privacy requirements and queries, allowing a quick yet thorough introduction to our security practices to clinicians, IT personnel and Legal/Compliance staff alike
  • Authored all levels of Management System documentation.

Director, IT

PM Industries
Tijuana, Mexico
06.2001 - 06.2003
  • Systems
  • Defined and built IT department: Defined all roles, policies, standards, and procedures; recruited and retained a very effective team; created partnerships with key vendors; implemented ITIL-based IT service management system across multiple sites in the U.S. and Mexico
  • Overhauled Telecommunications: Replaced expensive and error-prone cross-border microwave antenna communications with secure VPN over internet connections to better integrate multiple sites across borders
  • Implemented ERP systems: Successfully replaced silo/local applications with companywide enterprise solutions for ERP, graphic design / printing integration, email, CRM, and Sales in five sites in two countries. This included prior harmonization of processes and procedures across organizational lines.

Coordinator IT

SAFT America, Inc. - Alcatel
Tijuana, Mexico
06.1998 - 06.2001
  • Defined and built IT department’s governance framework: Defined all policies, standards, and procedures in compliance with ISO 9001 and corporate policies and standards (Saft America and Alcatel France)
  • Overhauled IT Infrastructure and systems for Y2K Readiness: Assessed, planned, and executed remediation of hardware and software vulnerabilities in all manufacturing and administrative systems on time and within budget, and vetted all vendor dependencies by Alcatel Y2K Readiness deadline
  • Responsible for IT Operations: Oversaw day-to-day operations of the IT department, e.g., multi-site/cross-border LAN/WAN/Telecomm operations, Server Operations, Service Desk, Governance, and Security.

Education

BA - Business Administration, Executive Management

Escuela Bancaria y Comercial University, ITESM University

Holistic Information Security Practitioner Certification

HISP Institute

ITIL Service Management Certification, Pink Elephant, USA

Six Sigma Green Belt Certification, SigmaPro Inc., USA

Getting to the Heart of Leadership, Blue Point Leadership Development, US

Strategic Planning, American Management Institute, US

Leading Innovation, American Management Institute, US
