Mercy Koomson

Third-Party Analyst
Bronx, NY

Summary

Detail-oriented professional with 8 years of extensive experience in managing and protecting information systems and the integrity of data through information assurance, compliance verification, controls, vulnerability assessment, and corrective action plan (POA&M) management using industry best security practices. Proficient in the Risk Management Framework (RMF) process (NIST SP 800-53 Rev. 4, 800-53A, 800-171, 800-171A, 800-137, and ISO 27001/2) requirements in the preparation of Assessment & Authorization (A&A) packages, system continuous monitoring, regulatory compliance, and recommendation of mitigation strategies. Also experienced in internal controls, the Federal Information Security Modernization Act (FISMA), NIST Special Publications, FedRAMP, system security monitoring, risk assessments, compliance, audit engagements, testing information technology controls, and developing security policies, procedures, and guidelines. Detail-oriented team player with strong organizational skills and the ability to handle multiple projects simultaneously with a high degree of accuracy.

Core Strengths
  • Information Security
  • Risk Analysis & Remediation
  • Security Controls Assessments
  • Compliance
  • Plans of Action and Milestones (POA&M)
  • Vendor Partnerships
  • Security Awareness
  • Documentation
  • Team Leadership
  • Security Artifacts
  • Stakeholder Engagement
  • Governance
  • Coaching and Mentoring
  • Reporting
  • Identity and Access Management

Overview

8 years of professional experience

Work History

Third-Party Risk Analyst

Cyber Beyond Solution
Huntsville, AL
06.2020 - Current
  • Perform complex information security risk assessments of current and prospective third-party business and technology providers to assess their control structure and alignment with regulatory, federal/state guidelines and the bank's information security requirements, and partner with internal stakeholders to assess the cyber risk each third party presents to the company
  • Partner with internal business units and third parties to inventory all services, status, performance, and cyber risk assessments
  • Provide direction and program support for a small team of third-party cybersecurity analysts
  • Complete cyber risk assessments detailing each third party's service inherent risk(s), strengths reflected in cyber risk scores, and any cyber risk control gaps presenting elevated risk to the company
  • Coordinate and drive cyber risk findings using formalized reviews, exception reporting, and cyber risk acceptance reporting, with support to management
  • Oversee and confirm the resolution of any cyber risk gaps identified during the cyber risk assessment process
  • Maintain strong knowledge of regulatory cyber risk requirements to ensure that each third party meets those requirements
  • Independently interpret and apply the requirements to mitigate cyber risk to the company
  • Contribute to departmental projects related to third-party management activities, as project lead or in a supporting role on an existing project
  • Collaborate across operational and enterprise risk lines of business to ensure all third-party cyber review processes are followed
  • Collaborate with the third-party cybersecurity analysts and the TPRM team on onboarding and offboarding of new and existing third-party cyber risk review assessments
  • Perform annual audit of vendors to ensure cyber risk is within risk tolerance for the company
  • Establish and mature continuous monitoring for the company’s vendors
  • Build a third-party incident response plan that aligns with the existing cyber incident response plans.

FISMA Security Compliance Analyst

Cyber tech
Bronx, NY
07.2017 - 05.2020
  • Worked with a team of information security owners, developers and system engineers to ensure proper system categorization using NIST SP 800-60 and FIPS 199, and determined whether the system required a PTA or PIA
  • Selected and tailored security controls to safeguard system information using NIST SP 800-53 and FIPS 200
  • Conducted assessments of security controls on various impact systems in accordance with agency guidelines to ensure compliance with NIST 800-53A, 800-171A, ISO 27001/2
  • Liaised with system owners to develop, test, and train on contingency plans and incident response plans
  • Prepared and updated security authorization documentation including security plan, risk assessment, contingency plan, privacy impact analysis
  • Documented NIST 800-53A, 800-171A, ISO 27001/2 security control compliance findings within Security Assessment Reports (SARs)
  • Conducted security assessment interviews to determine the security posture of the system and to develop a Security Assessment Report (SAR), completing the Security Test and Evaluation (ST&E) questionnaire using NIST SP 800-53A as required to maintain the company's Authorization to Operate (ATO), the risk assessment, system security plans, and system categorization
  • Reviewed and updated remediation of plans of action and milestones (POA&Ms) in the organization's Cyber Security Assessment and Management (CSAM) system
  • Worked with system administrators to resolve POA&Ms, gathering artifacts and creating mitigation memos, residual risk memos and corrective action plans to support closure of each POA&M
  • Ensured that adequate controls were maintained for SOX, HIPAA, and NIST requirements
  • Maintained and monitored IT security practices to protect the confidentiality, integrity, and availability of data
  • Developed, implemented, maintained, and oversaw enforcement of security policies
  • Assessed network intrusion detection/prevention systems (IDS/IPS) and artifacts including logs, system images and packet captures (via SIEM) to enable mitigation of network incidents
  • Tested, assessed, and documented security control effectiveness
  • Collected evidence, interviewed personnel, and examined records to evaluate the effectiveness of controls.

Information Assurance Analyst

Cyberrisk Beyond Solutions
Bronx, NY
09.2015 - 06.2017
  • Performed Security Control Assessments (SCA) using NIST SP 800-53 Rev. 4 and NIST SP 800-53A Rev. 4 for multiple systems
  • Developed, updated, and reviewed Security Assessment and Authorization (A&A) documentation such as the System Security Plan (SSP), Security Requirements Traceability Matrix (SRTM), and Risk Assessment in compliance with the NIST SP 800 series
  • Developed Security Assessment Reports (SAR) in compliance with NIST SP 800-53 Rev. 4 and 800-53A Rev. 4
  • Interviewed system administrators and support personnel to extract functionality narratives
  • Conducted assessments of system safeguards and controls and responded to external audits
  • Ensured that management, operational and technical controls for securing sensitive information systems were in place in accordance with NIST SP 800-53 federal guidelines
  • Documented the results of Assessment and Authorization (A&A) activities, prepared the System Security Plans and updated the Plan of Actions and Milestones (POA&M)
  • Periodically conducted a complete review of each system's audits and monitored corrective actions until all actions were closed
  • Conducted Security Test and Evaluation (ST&E) using NIST SP 800-53A Rev. 4 and developed supporting documentation for the results based on security control requirements
  • Supported Security Assessment and Authorization (SA&A) activities by preparing the complete ATO package for the authorizing official to make the accreditation decision
  • Reviewed and updated System Security Plans using NIST SP 800-18 as a guide
  • Collaborated with internal security and IT staff to ensure the continued compliance and secure operation of accredited information systems
  • Provided A&A support and system security reviews.

Education

Associate Degree - Marketing

Central University College
2013

CompTIA Security+; Certified Information Systems Auditor (CISA)

Skills

  • Risk Identification
  • Customer Satisfaction
  • Organizational Standards

Work Availability

Monday through Sunday: morning, afternoon, and evening

Accomplishments

  • Achieved [Result] through effectively helping with [Task].

Affiliations

  • Association for Computing Machinery
  • Society of Human Resource Management
