
Paula Ofosu-Siaw

New York, NY

Summary

Results-oriented information security professional with 8 years of experience in information system security and risk management. Reputable for implementing and maintaining robust system and data protection controls in compliance with industry standards. Expert in third-party risk management and conducting comprehensive risk assessments to proactively identify network vulnerabilities.

Overview

8 years of professional experience
1 Certification

Work History

Sr. Information Security Analyst

ADP
New York, NY
05.2021 - Current

Brought in to assess and mature the company’s TPRM program and ensure third-party adherence to contractual obligations through monitoring activities. Responsible for identifying vulnerabilities, remediating risks and identifying gaps in the company’s systems and programs while recommending specific measures that can improve the company’s overall security posture.

Key Responsibilities:

  • Analyzes vendor risk assessment responses to validate the existence of information security controls and identify non-compliance with NIST industry frameworks. Conducts reassessment of vendors periodically and monitors vendors' security practices and compliance against their contractual obligations.
  • Provides detailed reports of assessments to business owners and stakeholders, ensuring their understanding of associated risks and the actions needed to remediate those risks. Serves as a remediation analyst to ensure all gaps discovered during vendor assessments are remediated in a timely manner. Uses e-GRC tools (Archer, ServiceNow and Prevalent) to ensure secure and prompt communication of findings and deployment of questionnaires to vendors, and to track vendor progress on remediation.
  • Reviews vulnerability scans, penetration tests, SOC 2, ISO 27001, and PCI supporting documents and outlines findings in risk register to track remediation efforts per vendor classification (Critical, High, Medium and Low).
  • Works closely with third party auditors to smoothly facilitate ISO 27001, PCI-DSS, HIPAA and SOC 2 audits.
  • Partners with key stakeholders to develop and update Information Security documents such as security policies and procedures as well as training materials for VRM team. Continuously modifies suppliers’ questionnaires to ensure all areas of new threats discovered are evaluated.

Senior IT Audit & Compliance Specialist

Thomson Reuters
03.2018 - 05.2020

Acted as the primary liaison between GSO and other business units on matters related to information security and provided guidance to the organization on industry best practices. Improved processes associated with vulnerability management and drove successful remediation efforts.

Key Responsibilities:

  • Collaborated with internal and external auditors to participate in and document key IT General Controls (ITGCs) contributing to audit readiness and compliance.
  • Remediated control deficiencies, recommended improvements, and provided strategic guidance to key management stakeholders.
  • Managed System Development Life Cycle (SDLC) controls for new software implementations, overseeing cross-functional teams to ensure successful project outcomes.
  • Administered security awareness and training aligned with industry best practices and internal policies.
  • Conducted Gap Analyses to assess compliance with regulatory requirements, recommending and implementing tools to support compliance objectives.
  • Conducted technical incident responses and security assessments, evaluating IT system impacts and implementing effective remediation plans.
  • Contributed to prospect security reviews, completing information security questionnaires for Sales RFPs and participating in security due diligence during sales calls.

Sr. IT Security Analyst

Deloitte (Contractor)
04.2016 - 03.2018

Supported the organization’s compliance initiatives by ensuring systems were operating, maintained and disposed of in accordance with internal security policies and practices outlined in the SSP. Responsible for supporting System Owners and ISSO in preparing Certification and Accreditation package for the company’s IT systems, making sure that all security controls adhered to well-established security requirements authorized by NIST SP 800-53 R4.

Key Responsibilities:

  • Developed an RMF Executive Package for each Authorization that included a System Security Plan, Security Assessment Report (SAR), Plan of Actions and Milestones (POA&M), Risk Assessment Report (RAR), and Authorization Decision Document. Ensured that security requirements for IT systems were compliant and consistent with NIST security policies and procedures.
  • Drew upon learning outcomes in junior role to become a capable subject matter expert in the C&A process with success stemming from adaptability and resilience in a fast-paced technical environment.
  • Conducted security risk evaluations including vulnerability and IT controls assessments, ensuring implementation of proper actions to limit risk impacts on information systems. Updated the Plan of Action and Milestones by including findings identified during assessments.
  • Developed standardized information-gathering templates for security assessments and authorization documents to help drive efficiency during assessments.

Education

Bachelor of Arts - Economics and French

Agnes Scott College
Decatur, GA

Skills

  • Network Security
  • Penetration Testing
  • Incident Response
  • Patch management
  • Data Security
  • Regulatory Compliance
  • Access Control
  • Compliance Management
  • Vulnerability Assessment
  • Risk Management Framework
  • Authentication & Access Control
  • System Monitoring & Regulatory Compliance
  • Security Control Assessment
  • Vendor Risk Assessment/TPRM
  • Security Policies & Procedures
  • FedRAMP
  • NIST Publications

Certification

CISA

Languages

French
Professional
