
Kelly Masango

Irving, TX

Summary

Multi-talented IT professional with over 10 years' experience developing and implementing security controls in fast-paced environments as a Third-Party Vendor Risk & Compliance Analyst. Committed expert in reviewing and implementing internal control procedures to ensure efficiency and risk mitigation, covering vulnerability management, risk assessment, corrective action plans, and continuous monitoring against PCI DSS, HIPAA, HITRUST, ISO 27001, NIST 800, FISMA, and FedRAMP. Skilled in security and privacy control assessment with a proven history of delivering exceptional risk management support under the Risk Management Framework (RMF). Skilled in assembling authorization packages using documents such as the NIST 800 series, FIPS 199, and FedRAMP. Implement new security solutions and conduct vulnerability assessments and compliance audits to ensure that systems obtain and maintain their ATOs while interfacing with stakeholders in an interdisciplinary environment.

Solutions-oriented Business Analyst possessing a unique combination of business analysis, quality assurance testing, and applications development experience in top-tier organizations. Solid SQL query writing skills paired with familiarity with visualization tools and techniques. Successful provider of financial services with 10 years of comprehensive experience. Flexible and versatile Business Analyst specializing in developing innovative solutions to organizational problems. Advanced knowledge of asset tracking software. Committed to providing accurate, effective advice to customers.

Detail-oriented risk management specialist versed in financial analysis and reporting. Brings advanced understanding of market conditions and trends, risk mitigation strategies, and financial decision-making. Expert in diverse statistical analysis techniques. Adept at uncovering fraud and suspicious transactions. Applies strong attention to detail and a systematic approach to reviewing daily merchant portfolio batches. Good report writing and recordkeeping abilities.

Overview

10 years of professional experience
1 Certification

Work History

Risk Management Analyst

SNF Inc.
Fort Worth, Texas
07.2021 - Current
  • Conducted Privacy Threshold Assessments and Privacy Impact Analyses to determine whether any changes might lead to PII collection
  • Vast knowledge of all aspects of the Security Authorization and Continuous Monitoring process using NIST Special Publications 800-30, 800-37 Rev 2, 800-60, 800-53 Rev 5, 800-53A Rev 5, and 800-171, and FIPS 199 and FIPS 200
  • Experience in remediating vulnerabilities and defect fixes by working closely with development leads and engineers
  • Serve as emergency on-call ISSO
  • Managing information systems security for the systems under my care within the organization
  • Conducting continuous monitoring, risk assessments, monitoring security compliance, practicing security training, and responding to security incidents
  • Security Control Selection: Based on the categorization of the information system, I select security controls using NIST 800-53 Rev 5
  • Set up meetings with the common control providers to identify system-specific and hybrid controls and tailor the control based on the organization’s mission and needs
  • Work with developers, system administrators, and third parties such as vendors and Cloud Service Providers (CSPs) to ensure that the controls are implemented, and document all approved controls in the SSP
  • Assist with the development and maintenance of all necessary A&A documents
  • Experience using the Risk Management Framework (RMF) to support the A&A process, including analyzing the development of supporting policies, procedures, and plans, and designing and implementing security controls
  • I play a crucial role in safeguarding sensitive data and maintaining the integrity, confidentiality, and availability of information systems under my care
  • Knowledge of Federal regulatory bodies and programs such as the Office of Management and Budget (OMB), National Institute of Standards and Technology (NIST), Federal Information Security Management Act of 2002 (FISMA), and Federal Risk and Authorization Management Program (FedRAMP)
  • Tracking IT security risks by monitoring POA&Ms that exceed the remediation timelines established in the vulnerability management plan and ensuring valid risk mitigation plans are in place
  • Provide coordination, tracking, and management through all aspects of the initial and recurring A&A processes.
  • Investigated incidents related to security breaches, malware infections, or other cyber-attacks.
  • Issued clear warnings to violators, outlining infractions, penalties and remediation steps.
  • Analyzed system logs regularly to identify suspicious activity or unauthorized access attempts.
  • Conducted regular audits to ensure compliance with internal controls, applicable laws, and regulations.
  • Investigated reported and identified compliance issues against accepted standards.
  • Followed proper protocols for reporting suspected violations to internal personnel or outside governing agencies.
  • Established working relationships with regulatory agencies.
  • Facilitated adherence to safety and regulatory objectives and managed client-specific projects, training programs and personnel background checks.
  • Analyzed data to provide insights and recommendations for mitigating conduct risk.
  • Developed and implemented strategies necessary for minimizing risk of non-compliance.
  • Issued official approvals in instances of achieved or exceeded compliance standards.
  • Established internal controls and processes to support compliance through project management and engagement of key stakeholders.
  • Liaised between regulatory agencies and internal departments to facilitate regulatory and related matters.
  • Collected and reviewed data to identify potential compliance issues requiring further review.
  • Researched emerging technologies that can improve the organization's overall security posture.
  • Evaluated vendor services for compliance with organizational requirements regarding data protection.
  • Monitored compliance risk controls to identify deviations and offer recommendations.
  • Performed periodic vulnerability scans to identify potential points of entry into the network.
  • Recruited, hired and oversaw team of personnel maintaining [Type] compliance.
  • Utilized risk management techniques and business knowledge to improve compliance programs.
  • Developed systems to track and monitor compliance with regulatory requirements and internal policies.
  • Conducted reviews to foster ongoing compliance with federal and local regulations.
  • Stayed abreast of applicable laws and state or federal regulation to report violations.
  • Documented all processes related to systems administration tasks performed by IT personnel.
  • Monitored network traffic using intrusion detection software to detect potential threats or malicious activities.
  • Used proprietary systems to process applications, filings and registrations.
  • Provided guidance on how best to respond when faced with a security incident.
  • Reviewed existing applications for security vulnerabilities or weaknesses before deployment into production environments.
  • Produced reports outlining assessments completed and follow-up recommendations.
  • Maintained compliance frameworks, policies and documentation to support audits.
  • Identified areas of risk within the system and worked to eliminate them through appropriate solutions.

Information System Security Officer (ISSO)

Acuity Brands
Irving, Texas
01.2018 - 07.2021
  • Conducting risk assessments and collaborating with clients to provide recommendations regarding critical infrastructure, network security operations and Continuous Monitoring processes
  • Coordinating with team members to perform in-house security risk assessments (SRA)
  • Providing high-level analysis of data security to identify significant gaps in controls on Information Systems
  • Performing security oversight of security and compliance requirements of FISMA, NIST, HIPAA, PCI-DSS
  • Identifying and analyzing threats, providing mitigation strategies, and documenting and presenting the impact of resulting threats, including security gaps, to management
  • Developing, coordinating, implementing, and maintaining cybersecurity policies, standards, and procedures to protect the security and integrity of information systems and data
  • Assisting System Owners with developing and reviewing Interconnection Security Agreements, and Memoranda of Understanding
  • Responding to IT Security trouble tickets generated by customers and IT staff
  • Identifying solutions, working with customer and OCIO team to execute solutions, and managing ticket input, updates, and resolution in the OCIO ticketing system to maintain service level agreements
  • Performing system assessments and reaccreditations within required timeframes and reviewing proposed system changes for security impact
  • Preparing requests for waivers and exceptions and providing advice and assistance to stakeholders on security-related issues
  • Identifying and prioritizing information security risks and advising business partners on security/privacy requirements and solutions to ensure compliance
  • Creating, updating, and revising planning documents such as System Security Plans, Contingency Plans, Incident Response Plans, and Plans of Action & Milestones
  • Collaborating with SOC engineers to perform continuous monitoring of systems to ensure security and compliance
  • Reviewing new and existing systems to ensure baseline security requirements are met and to recommend security enhancements
  • Generating, reviewing, and updating the SSP against NIST 800-18 and NIST 800-53 requirements
  • Performing POA&M remediation and evaluating policies, procedures, security scan results, and system settings in support of the SA&A and continuous monitoring processes
  • Determining security controls effectiveness (i.e., controls implemented correctly, operating as intended, and meeting security requirements)
  • Evaluating threats and vulnerabilities based on Tenable Nessus reports and implementing the Risk Management Framework (RMF) in accordance with NIST SP 800-37
  • Classifying and categorizing Information Systems using the RMF processes to ensure system Confidentiality, Integrity, and Availability
  • Selected security controls and applied allocated control inheritance in Archer
  • Ensuring all documentation pertaining to key management policies and procedures reflects current practice within the organization
  • Working with the client and internal development team to identify security gaps and resolve them to protect client data and reduce business risk.

Sr. Security Analyst

Security Manufacturing
Irving, Texas
05.2015 - 01.2018
  • Selected security controls and applied tailoring and control inheritance in Cyber Security Assessment Management (CSAM)
  • Created POA&Ms and POA&M milestones and requested POA&M closure using the CSAM tool
  • Assisted and recommended policies, standards, procedures, and controls to assure the confidentiality, integrity, and availability of the information technology environment for on-premises as well as cloud-hosted IT applications and infrastructure
  • Analyzed the type of information collected, processed, maintained, disseminated, transmitted, or stored by or through the information system and determined whether it contained privacy data and financial data, and then determined the security impact that might have resulted from the unauthorized disclosure, modification, or loss of availability of this information
  • Conducted Security Test and Evaluation (ST&E) assessment and populated Requirement Traceability Matrix (RTM) based on NIST SP 800-53A
  • Reviewed the NIST-recommended provisional impact levels for appropriateness based on the organization's mission, considered whether the recommended impact level was appropriate for the system or should be adjusted to a lower or higher level, and provided the rationale for the adjustment
  • Managed the IT Security awareness training program in coordination with the Learning Management team, including developing and delivering IT Security awareness training modules
  • Coordinated activities related to internal and external assessments and/or audits of information technology systems and processes, interpreted results and developed and communicated recommendations to management
  • Managed Password Management system in coordination with Service Desk
  • Provided support and recommendations to various application users and proactively identified, diagnosed, took corrective action, and resolved application system incidents and problems
  • Documented, communicated, and escalated technical issues, managed them to resolution, and articulated business impact
  • Collaborated closely with the IT team and vendors to understand the overall application architecture/design and, as warranted, submitted change requests for system improvements, recommended and implemented system changes and enhancements, and participated in planning sessions regarding the application, hardware, and software changes
  • Developed and recommended appropriate information security policies, standards, procedures, checklists, and guidelines using generally recognized security concepts tailored to meet the requirements of the organization for on-premises as well as cloud-hosted IT applications and infrastructure
  • Established, implemented, and managed security procedures and practices in support of customer requirements and objectives.

Vendor Risk Analyst / Information Assurance

EJ Ajax & Sons
Minneapolis, MN
11.2013 - 02.2015
  • Actively reviewed vendor compliance documents from a BCP/DR and Data Security perspective, ensuring documents met all corporate guidelines and specifications
  • Managed the maturity and execution of the division’s Third-Party IT Risk Management program to reassess current risks and to identify emerging key risks
  • Planned, designed and executed IT compliance testing, controls assessment and documentation across all domains for IT General Controls, (PCI DSS) Payment Card Industry, Data Privacy, HIPAA and other compliance requirements, as appropriate
  • Developed and updated compliance control and process documentation as required in support of SOC 2 initiatives
  • Tracked compliance processes such as remediation plans, audit requests, and recurring audit reviews to ensure timely completion
  • Performed Risk and Control assessments for all Third-Party Service Providers to evaluate effectiveness of control systems
  • Ensured vendor adherence to contractual/regulatory compliance to minimize the risk of fines and reputational harm
  • Demonstrated in-depth understanding of security requirements associated with cloud-hosted environments, services, and solutions
  • Reviewed services provided by vendors and defined the scope of assessment based on the Standardized Information Gathering (SIG) questionnaire and audit reports
  • Evaluated, recommended, and implemented security controls associated with cloud-hosted environments, services, and mobile device solutions
  • Forged strong working relationships with vendors to ensure seamless audits.
  • Monitored daily and long-term routes for weather, traffic, and other conditions.
  • Studied product and industry specs and prices to update signage and complete merchandising activities.
  • Listened to customer needs to identify and recommend best products and services.
  • Advised senior leadership on issues concerning vendor relations.
  • Resolved conflicts between vendors and internal stakeholders in a timely manner.
  • Reset store displays for special events and seasonal merchandise changes.
  • Tracked contract renewals, expirations, amendments, and terminations.
  • Developed and implemented strategies for vendor onboarding, training, and performance management.
  • Identified customer needs by asking questions and advising on best solutions.
  • Monitored vendor performance against contracted service level agreements.
  • Verified accuracy of boxed merchandise against documentation to reduce errors.
  • Maintained well-stocked and organized sales floor with latest merchandise to drive sustained sales revenue.

Education

Bachelor's degree in Law

University of Yaoundé 2

Skills

  • Risk Management Framework
  • Expert Knowledge of NIST SP 800 Special Publication Series/FISMA requirements
  • Vulnerability scan analysis with Nessus, DbProtect, WebInspect, Qualys, and Nmap
  • Knowledge of Enterprise Risk models and tools as well as a good understanding of Enterprise Risk framework
  • Excellent written communication and documentation skills
  • Compliance/Audits
  • Vendor Risk/Third-Party Security Risk Management
  • Plan of Action and Milestones (POA&M)
  • LogMeIn, OneTrust, Jira, ServiceNow, KnowBe4
  • FedRAMP Compliance
  • SOC Reports and SIG Review
  • Excellent analytical, decision-making, and problem-solving skills
  • Multitasking; working independently and in a team
  • Strong skills in MS PowerPoint, MS Word, and MS Excel
  • Risk Mitigation Strategies
  • Stress Testing
  • Data Interpretation
  • Internal Audits
  • Employee Safety
  • Risk Mitigation
  • Trend Analysis
  • Incident Investigations
  • Analytical Mindset
  • Mediation
  • Claims Management
  • Data Analysis
  • Quantitative Analysis
  • Root Cause Analysis
  • Operations Analysis
  • Campaign Performance Tracking
  • Workflow Analysis
  • Customer Needs Assessment
  • Business Process Improvement
  • Gap Analysis
  • Operational Reporting
  • Data Mapping
  • Data Mining
  • Business Planning
  • Requirements Gathering
  • Internal Auditing
  • Strategic Planning
  • Technical Writing
  • Quality Assurance
  • Competitive Analysis
  • KPI Tracking
  • Cost-Benefit Analysis
  • Product Management
  • Revenue Development
  • Search Engine Optimization
  • Needs Assessments
  • User Acceptance Testing
  • Project Management
  • CRM Systems
  • Stakeholder Management
  • Financial Advising
  • Product Development
  • Pivot Tables
  • Operations Management
  • Microsoft Office Suite
  • Human Resources Information Systems (HRIS)
  • HTML and CSS
  • BI Tools Expertise
  • SAP
  • Consulting
  • Negotiation
  • Staff Management
  • Customer Targeting
  • Forecasting and Planning

Certification

  • Certified Information Security Manager (CISM)
  • CompTIA Security+
  • Qualys Vulnerability Analyst Certified
  • CISSP in Progress
  • Oracle Database Administrator Certified Associate 11g
