Mark A. Stone, Jr.

Memphis, TN

Summary

Results-driven Information Security professional with over 13 years of experience across diverse industries. Expertise includes governance, risk management, compliance, security awareness training, and auditing, with a strong focus on process improvement. Proficient in aligning security practices with industry standards such as HIPAA, HITRUST, and NIST CSF to ensure robust protection of organizational assets. Committed to fostering a culture of security awareness and continuous improvement to effectively mitigate risks.

Overview

15 years of professional experience

Work History

Senior Auditor

Memphis Light, Gas & Water
03.2024 - Current
  • Recommends changes to controls, processes, and procedures based on industry best practices to ensure data integrity and improve operational efficiency.
  • Prepares appropriate documentation (narratives, control matrices, audit reports) in support of assurance and consulting activities performed.
  • Conducts and documents inquiries regarding internal audit recommendations to ensure implementation.
  • Efficiently executes appropriate tests for assigned control areas.
  • Effectively demonstrates knowledge of Internal Audit Methodologies including planning, fieldwork, and reporting of engagement conclusions.
  • Performs annual Quality Assurance Assessments of peer engagements to ensure conformance with Internal Standards for the Professional Practice of Internal Auditing (Standards).
  • Serves as cybersecurity subject-matter expert.

Manager, Information Assurance

Pillsbury Winthrop Shaw Pittman LLP
03.2023 - 09.2023
  • Reviewed and provided security requirement recommendations for client Outside Counsel Guidelines/Addendums.
  • Led Information Assurance cross-functional assessments of information resources, processes, and tools.
  • Matured a Third-Party Risk Management Program to continuously monitor and mitigate potential risks.
  • Completed client risk questionnaires as part of due-diligence processes.
  • Implemented a client onboarding process to assess potential vendor and supplier risk.
  • Conducted periodic reviews of internal controls and processes to identify improvements.
  • Partnered with key stakeholders in technology, risk management, business units, and third parties to maintain evidence and artifacts to successfully obtain certifications (ISO27001 & SOC 2).
  • Served as the primary point of information assurance and compliance activities such as analyzing and tracking identified information security compliance risks.

Director, Information Security

Regent Surgical Health
01.2022 - 01.2023
  • Developed and implemented a comprehensive cyber security program to mitigate risks.
  • Managed MSP and prospective vendor/3rd Party relationships.
  • Introduced a 3rd Party Security Program to evaluate and remediate vendor risk.
  • Developed and disseminated security policies, procedures, and standards to address identified deficiencies.
  • Created and disseminated periodic security awareness training materials/content.
  • Established and disseminated a recurring newsletter to communicate security and compliance initiatives enterprise-wide.
  • Developed IT due-diligence processes for Ambulatory Surgery Centers in the pre-acquisition phase.
  • Monitored, evaluated, and triaged security events/incidents (via CrowdStrike).
  • Initiated and managed a cross-functional project to successfully attain PCI Compliance.
  • Presented security trend metrics to quarterly Investment Board Meetings.
  • Conducted monthly and quarterly role-based access reviews with appropriate business/process owners.

Manager, Information Security

Covenant Surgical Partners Inc
02.2019 - 01.2022
  • Established a comprehensive security awareness program, which includes:
      - Simulated phishing email campaigns
      - End-user training
      - Periodic security awareness reminders
  • Created initial baseline Risk Assessment process utilizing the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework
  • Reviewed, analyzed, and provided recommendations for the remediation of deficiencies for all Ambulatory Surgery Center/Physician Practice security risk assessments.
  • Managed the acquisition and technical implementation of various security solutions.
  • Conducted quarterly physical access and privileged user account activity reviews.
  • Conducted monthly quality assurance audits of terminated users.
  • Reviewed the security posture of 3rd party vendors.
  • Chaired the Cybersecurity Committee.
  • Provided quarterly IS updates to the Internal Compliance Committee and Board of Directors (investment firm, KKR).
  • In collaboration with the Compliance Department, documented and reviewed submitted Ethics Point/Navex privacy cases.

IT Audit/Compliance Program Administrator

Corizon Health
04.2016 - 02.2019
  • Documented and escalated real-time monitoring events for 50+ SOX Compliance relevant production servers, file systems, and databases via Change Auditor and DLM Dashboard.
  • Facilitated and conducted Monthly and Quarterly (Powerful Account/System Admin) SOX reviews for various applications with appropriate technical and business owners.
  • Conducted annual SOX Baseline Access Reviews for various in-scope applications.
  • Managed, led, and coordinated Corizon’s 2016 HIPAA Security Risk Assessment project, including project scheduling, budgeting, and status updates to executive management.
  • Built, maintained, and updated control matrices containing detailed policy and verbiage for information processes, systems, and applications.
  • Primary liaison between external auditors and relevant business/system owners.

Security, Strategy & Compliance Engineer

Community Health Systems
03.2014 - 04.2016
  • Subject matter expert for the Meaningful Use Security Risk Assessment program.
  • Conducted onsite HIPAA Security assessments to ensure compliance and provided guidance to CHS partners/providers.
  • Initiated and managed a Gap Analysis project that implemented HITRUST Baseline Requirements into the pre-existing Meaningful Use Security Risk Assessment process.
  • Proactively identified risks and gaps in policies, procedures, and standards and reported them to management.
  • Disseminated guidance to stakeholders in weekly Project Development regarding new developments and trends in security and compliance.
  • Subject matter expert for Endpoint Encryption deployment and security governance/compliance issues and concerns.
  • Created a CHS Corporate approved template that facilities utilize to satisfy IS security policy reviews per CMS requirements.
  • Facilitated and led CHS’ 2015 internal HIPAA Corporate Risk Assessment process. Created training documents and conducted training sessions for regional clinicians.
  • Analyzed data to ensure that hospitals/clinics adhered to guidelines regulated by CMS (Centers for Medicare & Medicaid Services) and OCR (Office for Civil Rights).
  • Educated IS Directors to ensure that facilities are compliant with HIPAA’s administrative, physical, and technical safeguards.

Systems Administrator/Application Support

Hewlett Packard Enterprises at Healthways
05.2011 - 01.2014
  • Provisioned user security roles in Oracle Identity Access Manager to various servers by using the PuTTY Configuration tool to run AD/OID commands for the integration and syncing of data from Active Directory to Oracle Access Manager.
  • Assigned internal and external users (SSO and Direct Logon) to various security groups in Active Directory, utilizing Active Directory Federation Services.
  • Provided administrative and technical support to web-based clinical applications.
  • Served as the technical liaison between internal users and the external resource, Verisk Analytics, which consisted of delivering BRDs to Verisk and ensuring end users were able to access analytic charts and that client information was configured by the intended production/go-live dates.
  • Conducted quarterly security audits to ensure HIPAA/SOX guidelines are met.
  • Planned, led, and facilitated JAD sessions regarding application/user access issues and business processes.
  • Served as the subject matter expert for permissions and login issues for various web-based applications.
  • Provisioned and provided support for FTP accounts via the GlobalScape Server for file/data transfers for Healthways clients.
  • Conducted daily, weekly, and monthly Symantec security and monitoring reports.
(Contractor through Rezult Technology)

Education

Bachelor of Arts - Business Information Systems (Industry)

05.2010

Skills

  • Security awareness training
  • Vendor risk management
  • Regulatory compliance
  • Security policy creation
  • Risk management expertise
  • Information governance
  • Risk assessment
  • Business process analysis
  • Internal controls

Timeline

Senior Auditor

Memphis Light, Gas & Water
03.2024 - Current

Manager, Information Assurance

Pillsbury Winthrop Shaw Pittman LLP
03.2023 - 09.2023

Director, Information Security

Regent Surgical Health
01.2022 - 01.2023

Manager, Information Security

Covenant Surgical Partners Inc
02.2019 - 01.2022

IT Audit/Compliance Program Administrator

Corizon Health
04.2016 - 02.2019

Security, Strategy & Compliance Engineer

Community Health Systems
03.2014 - 04.2016

Systems Administrator/Application Support

Hewlett Packard Enterprises at Healthways
05.2011 - 01.2014

Bachelor of Arts - Business Information Systems (Industry)