
Michael Isenberg

Lynn, USA

Summary

Experienced, thoughtful, and enthusiastic leader focused on information security, compliance, and governance, risk, and control (GRC). Skilled in supporting organizational objectives, achieving regulatory compliance, overseeing security initiatives, and creating an actionable information security culture. A problem solver and consensus builder who aligns information security and business objectives with key business, technical, and legal stakeholders to support the organization's long-term strategy. Proven experience as a senior information security engineer and third-party vendor cybersecurity risk and compliance assessor. Led a team of information security specialists in performing cybersecurity risk assessments and remediation to address security threats to the enterprise. 15 years of combined professional experience in software development, programming, management, IT audit, and third-party cybersecurity risk and compliance. Supported the operationalization of various GRC initiatives in enterprise security risk management, compliance management, policy management, third-party risk management, contract review, metrics, and reporting. Broad-based understanding of information technologies and background in the financial, manufacturing, entertainment, utilities, and healthcare industries. Passionate about championing and leading cybersecurity assessments based on recognized best-practice frameworks and compliance governance, risk, and control activities. Dedicated to supporting corporate objectives, achieving legal and regulatory compliance, managing IT vendor compliance, and creating a culture of risk awareness and empowerment. Goal is to drive communication and transparency among key business stakeholders to protect data confidentiality, integrity, availability, and accountability. Results-oriented achiever with a proven ability to exceed targets in fast-paced environments. Combines strategic thinking with hands-on experience to deliver impactful solutions that enhance organizational performance.

Overview

13 years of professional experience
1 Certification

Work History

Information Protection – Senior Advisor

Pyramid Consulting
03.2023 - Current
  • Performs critical security reviews of applications and systems on enterprise projects
  • Performs focused risk assessments of existing or new services and technologies and security architecture; identifies design gaps and risks and recommends security enhancements
  • Assists project teams in the implementation of security measures to meet corporate security policies, standards, and external regulations, e.g., Sarbanes-Oxley, HIPAA
  • Communicates risk assessment findings to information security customers or business partners
  • Serves as an information security expert and trusted advisor to partners in IT and the business to enable them to make informed risk management decisions
  • Identifies opportunities to improve risk posture, developing solutions for remediating or mitigating risks and assessing residual risk

Sr. Information Security Analyst and Cloud Security Risk Assessor

Robert Half International
06.2022 - 10.2022
  • As part of the Enterprise Technology Audit Group (ETAG) Team at Wells Fargo, my responsibilities included, but were not limited to:
  • Performing information security audits and risk assessments of Wells Fargo systems hosted by the third-party cloud service provider Salesforce
  • Reviewed logical and detailed designs that support Wells Fargo cloud systems
  • Reviewed security vulnerability scan reports to identify existing critical, high, and medium vulnerabilities, including applications and servers
  • Managed remediation plans with business owners, the technical supporting team, legal, the architecture team, and compliance
  • Engaged regularly with the legal team, procurement, security/architecture teams, and development teams to ensure that all identified cyber security control requirements were effectively implemented and operating as expected
  • Monitored project exception requests, compensating controls, and security gaps
  • Monitored identified security gaps and remediation plan activities through to resolution

Sr. Information Security Engineer and Cloud Security Risk Manager

Beacon Hills Staffing
12.2021 - 04.2022
  • As part of the Enterprise Risk Management Team at CVS Pharmacy, my responsibilities included, but were not limited to:
  • Designing, implementing, and evaluating a lightweight security assessment process, utilizing Archer, to determine the security readiness and compliance of the CVS (PHI/HIPAA, PCI) application portfolio (1300 apps) prior to migration to the MS Azure Cloud
  • Solicited and reviewed custom security questionnaires based on ISO2700, PCI/DSS, and HIPAA
  • Reviewed logical and detailed designs that will support the CVS cloud migration
  • Reviewed security vulnerability scan reports to identify existing critical, high, and medium vulnerabilities, including applications and servers
  • Managed remediation plans with business owners, the technical supporting team, legal, the architecture team, and compliance
  • Managed remediation plans for critical, high, and medium vulnerabilities impacting those applications prior to their scheduled migration to the MS Azure Cloud
  • Engaged regularly with the legal team, procurement, security/architecture teams, and development teams to ensure that all identified cyber security control requirements were effectively implemented and operating as expected
  • Monitored project exception requests, compensating controls, and security gaps
  • Monitored identified security gaps and remediation plan activities through to resolution
  • Provided security reports and metrics to senior management and maintained the security risk register and control exceptions

Sr. Security Engineer and Third-Party Vendor Cyber Security Risk Assessor and Compliance Manager

The Judge Group
05.2018 - 05.2021
  • As a member of the National Grid Security Team, my responsibilities included, but were not limited to:
  • Accountable, with approval authority, for assessing the security risk posture of National Grid internally hosted solutions and cloud-based solutions, including hybrid cloud solutions, interfacing with the internet for existing third-party vendors and the on-boarding of new vendors
  • Supported the National Grid web-based solution portfolio, including the Energy Efficiency and Clean Energy program, billing systems, payment systems, etc.
  • Served as the principal cyber security risk assessor, assessing the security risk posture of third-party vendors based on NG Information Security Policies and Standards, processes, and the NIST 800-53 framework, covering identifying, protecting, detecting, responding, and recovering
  • Worked closely with business owners to ensure that the business requirements document (BRD) accounted for the necessary security control requirements based on the data classification in scope and NG security policies and standards
  • Monitored changes to the business requirements document impacting the security requirements
  • Performed initial vetting of the security posture of third-party vendors included in NG Requests for Proposals via phone interviews, security questionnaires, security reports, and on-site presentations of the proposed solution
  • Submitted security reports to management for selecting only those proposals that were fit for purpose
  • Engaged with the security architecture team and the development teams to ensure that the secure system development life cycle was followed, by reviewing and approving the architectural solution vision and the logical, physical, and detailed solution architecture before they were submitted for approval by senior management
  • Engaged regularly with the development teams to ensure that all identified cyber security control requirements were effectively implemented and operating as expected
  • Monitored project exception requests, compensating controls, and security gaps
  • Monitored identified security gaps and remediation plan activities through to resolution
  • Engaged with the NG internal vulnerability management team and independent third-party security assessors to perform vulnerability scans and pen-testing for all solutions interfacing with the internet
  • Defined the scope of the testing to be performed, monitored security vulnerabilities identified, and recommended remediation activities to be executed
  • Worked closely with NG Procurement and the Legal and Privacy teams to ensure that all agreed-upon cyber security controls were properly included and documented within the final contract agreement and SLA with vendors, with approval authority
  • Worked with the NG CISO senior management team in defining cyber security policies, standards, procedures, and repeatable processes to assess third-party vendor cloud-based solutions: SaaS, PaaS, and IaaS
  • Provided security reports and metrics to senior management and maintained the security risk register and control exceptions

Sr. Privacy and IT Compliance Security Risk Assessor

SAP/Ariba
11.2017 - 01.2018
  • Company Overview: Palo Alto, CA
  • As a member of the SAP/Ariba Trust Office:
  • Assisting SAP/Ariba in assessing their Information Security Management System and readiness for achieving FedRAMP compliance
  • Planning, coordinating, and performing security reviews of internal and external SAP/Ariba business applications and systems, including third-party service providers, to determine their security posture against NIST 800-53 cybersecurity control requirements and ISO 27000x

Global Information Security – Senior Third-Party Vendor Cyber Security Assessor

Aditi Staffing
01.2017 - 10.2017
  • Company Overview: eBay – San Jose, CA
  • As a member of GIS Team and Risk Management:
  • Served eBay as a subject matter expert in leading, planning, scoping, coordinating, executing, and reporting on third-party vendor security posture to meet eBay information security control requirements, and in IT audits of existing and new eBay partners distributed worldwide across North America, Europe, Asia, South America, and Australia
  • Worked with internal cross-functional teams (application security, legal, privacy, and compliance) to ensure that third-party vendors' ISMS were aligned with eBay information security requirements to protect and secure eBay customer data and privacy
  • Conducted third-party program-level reviews of the information security program and controls of third parties in the context of the services being provided and the data exchanged; scoping, assessing, and reporting on the security posture of vendors
  • Maintained the TPVM risk register documenting findings, security gaps, the associated risk level, and the target date of remediation
  • Monitored, managed, and closed existing internal and external audit issues, ensuring that internal systems were compliant with eBay security standards and controls, including regulatory requirements
  • Redlined vendor contracts and legal privacy security shields (Data Privacy Requirements Addendum) to ensure that eBay security and privacy requirements were adequately documented and provisioned in vendor contracts
  • Defined a risk-based third-party vendor re-assessment strategy to re-assess high-risk vendors on a pre-defined schedule
  • Provided continuous educational and coaching assistance to business units to support the eBay Vendor Management Program
  • Initiated, scoped, and assessed over 120 third-party vendors during my assignment
  • Contributed to the eBay third-party vendor management program to improve its efficiency based on empirical data derived from past executions

EIS – Cyber Security Risk Management – AVP Third-Party Vendor Cyber Security Risk and Compliance Assessor

MUFG Credit Union Bank
06.2016 - 11.2016
  • Company Overview: Monterey Park, CA
  • As a member of MUFG Enterprise Information Security (EIS) Cyber Security Team and Risk Management:
  • Served MUFG Credit Union and the Enterprise Information Security Cyber Security team as a subject matter expert in planning, coordinating, conducting, and reporting on third-party vendor security risk posture by determining a vendor's capability to protect the confidentiality, integrity, availability, and privacy of MUFG assets and client data
  • Executed security risk assessment reviews of controls based on MUFG security policies and standards for third-party vendors and relevant laws, regulations, and industry security standards
  • Analysed assessment findings and determined a risk score based on an established assessment scoring framework
  • Presented risk assessment findings to business owners as well as third-party vendors to identify and establish adequate remediation plans and activities, including post-review of remediated security controls
  • Reviewed third-party vendor remediation plans and determined if the plan sufficiently mitigated the identified risks
  • Kept business owners informed on the adequacy of mitigation plans to secure their applications, systems, and data
  • Tracked progress on remediation of identified risks and vulnerabilities and provided appropriate reporting to all stakeholders: the internal third-party manager, the external vendor, and senior management
  • Actively participated in the enhancement of MUFG security risk assessment programs and associated security due diligence requirements and questionnaires to facilitate the identification and mitigation of cyber security risks
  • Monitored MUFG RSA/Archer for newly identified vulnerabilities, evaluated the risks such vulnerabilities posed to the organization's information and systems, and advised management of appropriate measures to eliminate or reduce the organization's risk or exposure to such vulnerabilities
  • Maintained the vendor risk management system, Archer, to ensure that all due diligence efforts were captured and preserved along with the determination of the risk rating of those vendors
  • Conducted post-security reviews and follow-up with the internal third-party vendor manager and the third-party vendor on remediated control gaps to determine their adequacy and effectiveness in complying with MUFG cyber security control requirements
  • Provided trusted advisory services and guidance to stakeholders to reduce organizational risk and improve the overall security and compliance posture throughout the Bank organization

Information Security Analyst – Cyber Security

Envy Resources Inc
03.2016 - 04.2016
  • Monitored the intrusion detection system and logs and escalated security incidents and breaches
  • Reviewed vulnerability scan reports from Acunetix, Nessus, and Qualys and developed remediation action plans
  • Maintained information security policies and procedures for the Loyola Marymount University Cyber Security Program

Senior IT Auditor

TekSystems
01.2016 - 03.2016
  • Company Overview: Assigned to Scripps Health, San Diego, CA
  • Planned and performed full information technology and integrated audit projects based on the Scripps Health information risk assessment program, in accordance with HIPAA/PHI, the NIST information security framework, and best practices to protect and secure the confidentiality, integrity, and availability of Protected Health Information
  • Supported Scripps Health in transitioning to Epic EHR
  • Interfaced with business and IT key stakeholders and the Compliance, Legal, and Privacy teams to ensure that control gaps were adequately managed and mitigated with agreed-upon corrective action plans for remediation of internal control gaps and deficiencies

Sr. Third-Party Vendor Cyber Security Risk Assessor and Compliance Manager

Apex Systems
03.2015 - 11.2015
  • Company Overview: Assigned to UCLA Health Systems – Los Angeles, CA
  • Served the Director of Information Security in working with various LOB units (OCS, Server Team, Network Team, Compliance, Engineering, etc.) to ensure adherence to corporate policies and standards of the Information Security program (i.e., PCI/DSS, PHI/HIPAA, SOC)
  • Performed application security assessments on both internal and third-party vendor applications
  • Identified security risks and gaps and recommended mitigating control plans
  • Ensured that information assets (systems, applications, and data) were adequately protected through application and third-party risk assessments, by applying ISS risk assessment standards and procedures
  • Planned, organized, and executed information security risk assessments by identifying, evaluating, and reporting on information security risks in a manner that met the company's legal, regulatory, and contractual requirements
  • Assisted the Legal team and OCS in contract negotiations with third parties around information security related matters
  • Proactively and collaboratively worked with business units (NPR Review Board, PMO, OCS, and DRB) to develop and implement procedures that met defined policies and standards for information security management
  • Actively participated in the review of all New Project Requests (NPR) to triage needed ISS security reviews, and in the Design Review Board to determine the scope of risk assessments
  • Provided professional advice on best practices, methodology, and processes to be implemented to assess the security posture of UCLA systems and applications
  • Identified security gaps against OCS requirements and application security vulnerabilities, and coordinated remediation plans for identified security vulnerabilities prior to production release of applications

Sr. Information Security Program Manager & Third-Party Vendor Cyber Security Risk Assessor

St. Joseph Health Ministry Security
09.2013 - 12.2014
  • Company Overview: Anaheim, CA
  • Served the office of the Chief Security Officer and Ministry Security in leading the development and implementation of the SJH Ministry Security Application Security Program, including security policies and standards and identification of best practices, to empower stakeholders to properly secure SJH business solutions processing confidential, internal, and public data against unauthorized disclosure and tampering, whether hosted within SJH's data centres or by third-party vendor hosting providers (i.e., cloud service providers)
  • Responsible for assessing, reporting, and monitoring the SJH application portfolio and its compliance with applicable state laws and federal regulations (PHI/HIPAA, PII, PCI, etc.)
  • Responsible for the development of application security metrics and reports to be communicated to business stakeholders to monitor and improve the security posture of the organization's application portfolio
  • Led third-party vendor security assessments, from initiation and assessment up to the issuance of disposition reports documenting the general security posture of the vendor's solution and identifying security gaps and required remediation activities, including vendor contract review
  • Led the rationalization and maintenance of the SJH Ministry Security Internal Control Framework and control requirements, addressing the minimum set of security controls required to secure SJH's application portfolio for all functional security areas/domains in scope
  • Provided continuous security awareness training and best-practice recommendations to stakeholders seeking to protect the confidentiality, integrity, and availability of their systems, applications, and data

Sr. Information Security Risk Assessor & Compliance Program Manager

The OCJ Group (Now Genuent)
05.2012 - 05.2013
  • Company Overview: Assigned to Xerox for The Walt Disney Company, Glendale CA
  • Served the office of the CISO and Disney Technology Shared Services (DTSS) as an SME responsible for assessing and reporting to internal stakeholders on the cyber security posture of third-party service providers supporting Disney Corporate hosted solutions (ASP) and cloud-based solutions used by various business owners, including SaaS, PaaS, and IaaS
  • Initiated, scoped, assessed, and reported on the adequacy of vendors' information security management systems and the controls in place to secure Disney intellectual property and the confidentiality, integrity, and availability of information system assets for HR, Legal, Disney Studios, and Disney corporate infrastructure
  • Assessed vendor solutions/applications against Disney Information Security Policies and Standards, HIPAA, PCI/DSS, EU privacy laws, CA SB 1386, and ISO 27001:2005
  • Liaised with business sourcing managers, internal assurance teams, and business stakeholders to plan vendor solution evaluations and the best strategy, define objectives, and address technology-related control risks and gaps
  • Coordinated network penetration tests and application vulnerability tests with internal security teams, reviewed reports, and reported on security gaps to be addressed
  • Assisted Disney's Legal team in reviewing contracts for third-party vendors to ensure that all mitigating controls were adequately documented within contracts prior to the on-boarding of new and/or existing suppliers
  • Provided security awareness training and information security best practices to Disney Corporate stakeholders for assessing third-party vendor solutions
  • Defined the appropriate risk level and corrective actions for security control gaps identified during assessment
  • Reported on assessment outcomes, risk level, and associated recommendations to minimize exposure to identified risks
  • Presented control issues to third parties and worked toward obtaining adequate corrective action plans
  • Monitored corrective action plans and reviewed evidence for closure of open action plans

Education

Bachelor - Computer Science and Management Information Systems

University of Quebec Montreal
01.1989

Skills

  • Compliance (SOX 404, PCI-DSS, PHI, HIPAA/HITRUST, PII, GDPR, FedRAMP, GLBA)
  • Security Standards: ISO 27000 series (ISO 27001, ISO 27002)
  • NIST SP 800 series standards, including SP 800-30, SP 800-53, and SP 800-82
  • OWASP
  • FFIEC IT Audit
  • COBIT
  • COSO
  • ITIL/ITSM
  • Vendor management reports: SSAE 16/SAS 70
  • SOC2 Type II
  • SOC 1
  • BITS Shared Assessments
  • Internal & External IT Audit Experience
  • Information Security
  • Cyber Security Risk Management
  • Physical and Logical Security
  • Security Architecture
  • Network Security
  • Server Security
  • Database Security
  • Governance Risk and Control (GRC)
  • On-site and remote third-party Vendor Security Risk assessor experience
  • ITGC
  • Secure System Development Life Cycle (SSDLC)
  • Enterprise Change Management
  • Patch Management
  • Business Continuity and Disaster Recovery
  • Information Security Program Management
  • Strategic Plan
  • Checkmarx
  • Prisma
  • Nessus
  • Qualys
  • Rapid7 Nexpose
  • Veracode
  • ServiceNow
  • Archer
  • ACL
  • IDEA
  • Risk Navigator
  • TeamMate

Certification

  • CISA, # 14115789
  • CISM, # 1528890
  • HCISPP, # 304078

Affiliations

  • Active member of ISC² and the ISACA CA Chapter
  • Active member of the Open Web Application Security Project (OWASP) SD Chapter
  • Cloud Security Alliance (CSA)

Addendum of Award

ISE North America Project Award Nominees 2014, Robert Rice, Bobbie Tinkler, Chris Martin, Louis Tillis, Roberto Perez, Alek Boyarov, Dan King, Jayanth Panuganti, Michel Isenberg, Shawn Kelly, Marshall Gibson

Languages

English
Full Professional
