
Storm D.M. van de Werken

IT AUDIT PROFESSIONAL

Summary

  • Experienced professional in IT and Operational Audit, Compliance, Risk Assessment, Privacy (including HIPAA, PHI, PCI, FedRAMP, FISMA, etc.), Cyber Security including Cloud technologies (SaaS, PaaS, IaaS), Disaster Recovery, Business Recovery Planning (BRP), Risk & Compliance, Auditing, SOX, SOC I & II, Project Management, Controls Mapping, Information Technology. Certified Trainer/Teaching, Troubleshooting and Support, Microsoft Office Software SME including Microsoft Office 365 Suite of products, Strong Excel skills including V&Y Lookup and pivot tables, Agile, Lean, Rapid and Lean SDLC, Six Sigma, Certified Ethical Hacker, Oracle, SAP, ISO, NIST, SOC 1 and 2, Diligent HighBond Audit Software, Archer – ServiceNow ITM, Artificial Intelligence, Third-Party Risk Assessment - SigLite, Payment Card Information (PCI – DSS). Working Full-Time Remote.
  • Open to Hybrid Roles
  • Authorized to work in the U.S. for any employer.

Overview

25 years of professional experience

Skills

ACCOMPLISHMENTS

  • Identified and communicated potential high-risk issues to senior management, which were taken up by Management
  • Brought forth potential security exposure regarding printer servers, resulting in a future audit
  • Completed first full IT Audit in under 90-day timeframe in Y1
  • Effective communication of complex IT concepts into non-technical terms in written and verbal communications
  • Strong builder of positive relationships with audit clients across departments and divisions
  • MassDOT Mentoring Program for 5 cohorts
  • Member of Women’s, Veteran’s, and Diversity ERGs (Employee Resource Groups)
  • Identification of and advocacy for AI Cybersecurity Controls
  • Pursuing Project Management Certification

SKILLS:

Security policies, Access control, Compliance reporting, IT governance, Security awareness training, Application security, Network security, Audit planning, Internal controls, Business continuity, Disaster recovery, Information security, Cybersecurity, Cloud security, Ethical hacking, Risk assessment, Security protocols, Data analysis, Compliance monitoring, Risk management, Data encryption, Intrusion detection, Cybersecurity frameworks, Teamwork and collaboration, Problem-solving abilities, Reliability, Excellent communication, Adaptability and flexibility, Decision-making, Relationship building, Task prioritization, Self-motivation, Goal setting, Professionalism, Continuous improvement, Written communication, Information governance, Problem solver, Procedure documentation, Information protection, Security metrics, Analytical skills, Regulatory compliance

Experienced professional auditor: IT and Operational Audits, Compliance, Risk Assessment, Privacy (including HIPAA, PHI, PCI, FedRAMP, FISMA, etc.), Cyber Security including Cloud technologies (SaaS, PaaS, IaaS), Disaster Recovery, Business Recovery Planning (BRP), Risk & Compliance, Auditing, SOX, SOC I & II, Project Management, Controls Mapping, Information Technology, Certified Trainer/Teaching, Troubleshooting and Support, Microsoft Office Software SME including Microsoft Office 365 Suite of products, Strong Excel skills including V&Y Lookup and pivot tables, Agile, Lean, Rapid and Lean SDLC, Six Sigma, Certified Ethical Hacker, Oracle, SAP, ISO, NIST, SOC 1 and 2, Diligent HighBond Audit Software, Archer – ServiceNow ITM, Artificial Intelligence, Third-Party Risk Assessment - SigLite, Payment Card Information (PCI – DSS)

Employed Full-Time Remote • Open to Hybrid Roles (NC) • Authorized to work in the US

Work History

Management Analyst II – IT Auditor

MassDOT (MA Department of Transportation)
12.2021 - Current
  • Member of Internal IT Audit team of three (3).
  • Conducted all facets of IT Audit including but not limited to developing risk assessments, audit scoping, physical and logical access reviews, succession planning, Third-party Security Risk Assessments as well as SOC 1 & 2 and Change Control, Audit Reporting, and Metrics.
  • Use NIST 800-53 frameworks/NIST Cybersecurity Framework 2.0, IT SOX, COBIT, and COSO as guides to conduct the annual risk assessment in key areas and develop a risk-based audit plan.
  • Assist audit teams in understanding findings and steps that can be taken to prevent and detect errors in a company’s response to audit risk.
  • Development of Internal Controls Questionnaires (ICQs) tailored to each audit, in conjunction with IT Audit staff, based on ITGCs and audit risk.
  • Assess third-party risk through the use of Sig-Lite/Service Now tool to monitor risk assessment responses.
  • Coordination of all Audit meetings with appropriate staff to gather information and develop Narratives, Walk-throughs, and Tests of control design and effectiveness, and publishing draft and final reports utilizing the Risk & Compliance SaaS, HighBond, by Diligent.
  • Highlights/Activities
  • Mentor for 5 cohorts of the MassDOT Mentor/Mentee program and current Mentor and Mentee
  • Mentoring Program Advisory Committee
  • Secretary of Multicultural ERG (Employee Resource Group) – Elected to two (2) year term – 2024-25
  • Member of Women’s ERG (Employee Resource Group) Board
  • Presentation to ERGs: Meditative Drawing: An Introduction to Zentangle
  • Communications: Train the Trainer Course on Communication Strategies, Partners in Communication, Inc., May 2023

Sr. Multidisciplined Engineer II

Raytheon -Waltham, MA
02.2019 - 02.2020
  • Verified credentials for company-produced equipment users including PII (Personally Identifiable Information) in order to be prepared for SOX audits.
  • Analyzed and catalogued Radar hardware and software to determine inventory.
  • Developed Hardware baseline utilizing specialized internally developed inventory tool.
  • Edited and updated Intro to Radar coursework based on a variety of resources.
  • Tracked and reported on licensing of Raytheon Technologies for other countries, applying DOD guidelines and policies.
  • Reviewed/edited international proposals.
  • Trained new team members on Office 365. Looked to as Office 365 SME.
  • Volunteer for multiple Wounded Warriors Project activities.
  • Facilitator for Girl Scouts Cyber Security camp.
  • Volunteer at Hackathon in Boston
  • Off work due to health reasons.
  • Kept abreast of and remained knowledgeable regarding current Compliance and Risk regulations regarding PII, HIPAA, PCI, SOC I and II, etc.

IT Security & Audit Analyst (Short Term Contract)

Hasbro (Insight Global - RI)
05.2016 - 07.2016
  • Performed HIPAA/PII Risk Assessment. Identified where related data is housed, how it moves, and who has access including cloud-based data. Utilized Archer – ServiceNow integrated tool to enter and track risk assessment responses from multiple third-party vendors.
  • Identified training needs in concert with HR leadership to meet HIPAA compliance standards resulting in identification and remediation of annual HIPAA training across the appropriate teams.
  • Led interim audit (ITGC and ITAC) with external auditors (SOX Audit). Ensured timely audit completion (Audit completed with minor findings already known to Management prior to the audit).
  • Coordinated all resources to address audit findings and remediation plans.
  • Assisted with vendor assessment program: evaluated third-party security and ensured protection of Hasbro information accessed, processed, and stored by third parties.
  • Assessed controls around data stored in The Cloud (encryption of data at rest and in transit).
  • Recommended improvements to existing controls (changing access reviews from annually to quarterly to assure that access meets “need to know” and SOD controls).
  • Worked as part of monitoring team employing Tripwire and SPLUNK (SIEM).
  • Trained new team members on Office 365. Looked to as Office 365 SME.

PCI Compliance Analyst - Short-Term Project

Insight Global Contract -CVS
09.2015 - 10.2015
  • Connected with Business owners for PCI documentation requests and collected requested information to assure it met all PCI standards in preparation for the onsite QSA.
  • Evaluated systems relating to PCI DSS (e.g., flat vs. hierarchical network) to discover compliance issues and recommend remediation strategies to meet PCI 3.2 compliance using a variety of tools.
  • Recommended process improvements leading to PCI compliance in accordance with PCI DSS 3.1 and 3.2 standards.
  • Highlight(s): Audit completed with minor findings already known to Management prior to audit.

IS Security Advisor Special Project - Contract

American Family Insurance
05.2015 - 07.2015
  • Assessed and assisted IS Security teams to improve/create day-to-day operations.
  • Developed and recommended process improvement plans
  • IT Security Architecture team: Brought backlog current and designed new ongoing day-to-day operation procedures to ensure timely and ongoing communication with security reviews to ensure appropriate protection of PHI.
  • Assisted Disaster Recovery/Business Continuity (BC) teams with the transition from the current BC system to the new system.
  • Identified appropriate BC plan owners.

Sr. Security Specialist - Contract

Beacon Hill Staffing – EOHHS
07.2014 - 12.2014
  • Worked with project teams within EOHHS to protect sensitive information for the various applications and technologies as directed by the CSO.
  • Ensured all networks, applications, and database systems followed appropriate security to minimize the risk of unauthorized access.
  • Worked with project teams on software/system initiatives to ensure best practices were put into place regarding data sharing, HIPAA, PHI, and PII data protection and compliance with all related regulations and standards required by Federal and State laws including SOX, FISMA, ISO, and NIST.
  • Identified security issues and risks, and developed mitigation plans, analyzed, and assessed the security measures, and determined effectiveness.
  • Participated in security compliance efforts, providing security guidance, communicating, and educating on proper security measures both in the office and online.
  • Reviewed, created, and updated security documentation regularly.
  • SME for guidance to other staff in the organization regarding privacy guidelines.
  • Identified information security privacy control enhancements and improvement opportunities.
  • Assisted CSO in developing, implementing, and enforcing IT infrastructure as it pertains to privacy policies, standards, guidelines, and technologies and ensuring these controls effectively safeguard information systems against accidental or unauthorized modification, destruction, or disclosure.
  • Conducted Personal Health Information (PHI) research on healthcare industry trends, laws, and product reviews.
  • Assisted in the coordination and management of response to Privacy incidents.
  • Established requirements for Privacy technology controls within the environment to reduce data loss potential and maintain system integrity.
  • Highlight(s):
  • Designed and published healthcare security risk assessment for a large, primary healthcare system used across the Commonwealth of Massachusetts with major healthcare vendor.
  • IT arm for the Office of Compliance and SAO (State Auditor’s Office) to complete audit of Commonwealth DYS (Division of Youth Services) system for tracking at-risk youth. Audit covered both backend and frontend user systems regarding information handling, user access review, and reporting to establish data reliability and validity. Worked side by side with Legal counsel to protect all necessary HIPAA, PHI, and PII of clients and information in related databases (data redaction/masking, etc.).
  • IT SME (subject matter expert) working with external auditor(s) to complete audit and remediation plans of major healthcare systems portal including user access reviews employing AD reporting.
  • Developed remediation plans to address audit findings.
  • Worked with legal counsel on multiple projects including projects requiring SOX and NIST-based compliance (MA EO504). This process involved security questionnaire development, collection, review and tracking of surveys to determine compliance. Survey returns were above 90 percent, and the review of data and entry into the database was completed and submitted to the Commonwealth Secretary before the published and required deadline.

Privacy Analyst

Boston Medical Center
06.2013 - 10.2013
  • Audited logs daily to identify inappropriate access to PHI using reports from SPLUNK - SIEM (Security Incident & Event Management system/software) and other security and identity management tools.
  • Provided guidance to organization wide staff about Privacy guidelines.
  • Served as subject matter expert by receiving and responding to patient/employee inquiries, conducting and reporting on audits, and managing privacy and information security complaints and investigations.
  • Continuously stayed abreast of current judicial trends related to compliance regulations such as privacy and security, and responded to hotline calls.

Privacy Analyst

Boston Medical Center
06.2013 - 10.2013
  • Delivered privacy regulation-related presentations/training, and created training, and other documents for the Intranet and workforce education initiatives.
  • Maintained collaborative relationship with the Information Technology Services (ITS) Systems Support team to assist with the development of Boston Medical Center’s privacy technology portfolio.
  • Identified information security/ privacy control enhancements and improvement opportunities.
  • Assisted in developing, implementing, and enforcing IT infrastructure as it pertains to privacy policies, standards, guidelines, and technologies and to ensure these controls effectively safeguard information systems against accidental or unauthorized modification, destruction, or disclosure.
  • Conducted privacy research on healthcare industry trends, laws, and product reviews.
  • Assisted in the coordination and management of response to privacy incidents.
  • Established requirements for privacy technology controls within the environment to reduce data loss potential and maintain system integrity.
  • Worked closely and effectively with Legal department and the OCR in cases of potential or identified information breaches.
  • Ensured appropriate controls were in place regarding storage of data - both onsite and offsite, destruction and disposal of electronic and hard storage of data including wiping drives, handling of third-party vendors contracted for destruction and transportation of sensitive information and retrieval of information for the purposes of investigations.
  • Updated Patient Privacy statement to include changes resulting from the HIPAA Omnibus rule published on internal and external websites. Worked directly with HIPAA legal counsel.
  • Assisted the neonatal department in process improvement for the protection of PHI after investigating a potential breach.
  • Served as annual employee satisfaction survey for ITS department with a response rate of over 90% department wide.
  • Resolved 90% of reported PHI incidents within two weeks of the initial report.

Compliance-Audit Support

Data Analyst, Bank of America
11.2011 - 11.2012
  • Worked with team analysts and GBCR (Global Business Continuity and Recovery) to establish and maintain BIAs (Business Impact Analyses) and BRPs (Business Recovery Plans) to meet Bank LOB standards, including testing of plans to ensure compliance with GBCR requirements.
  • Input and maintained BRP information in LDRPS System.
  • Performed follow-up on the status of outstanding internal and external audit issues. Assisted with periodic reporting to the Audit, Risk and Compliance Committees.
  • Tracked any known issues, exam response requests, or other indicators to mitigate negative impacts arising from remedial action requirements or other corrective action requirement.
  • Prepared reporting on compliance or audit projects or other program elements as required for Management.
  • Maintained and updated BRASO SharePoint, including content updates and user administration. Archived information using Discovery.
  • Highlight(s):
  • Original 6-month contract was extended to one year at the 4-month mark.
  • BRP/BIA process, including testing, was completed for all groups ahead of the required deadline.

Aditi Technologies (WA)

Microsoft Contractor
06.2010 - 11.2010
  • Performed and monitored detailed audits and auditing cycles related to operational compliance within online advertising.
  • Monitored user access, transactional activity, and secure areas of risk through AD and database logs.
  • Worked cross-functionally to ensure the understanding and meaningful reporting and auditing of all transactions.
  • Tested key controls related to compliance and operational procedures and resolved for errors critical to revenue quality.
  • Identified and mitigated process and tool issues that cause partners pain in terms of compliance with operational procedures, including key controls.
  • Researched, analyzed, and monitored exceptions that occur due to manual credits and overrides, transaction failures, fulfillment errors, and report errors.
  • Proactively mitigated risk and ensured compliance through deep understanding of transactional fulfillment and reporting tools.

Project Manager

African Chamber of Commerce of the Pacific Northwest
06.2009 - 12.2009
  • RESULTS: Event resulted in a profit for the FIRST time in 4 years!
  • Project management for Annual Conference including:
  • Worked with President, Office Manager and BOD to establish event plan and budget.
  • Identified vendors and led the team of volunteers in securing silent auction items.
  • Created custom spreadsheets to track expenditures, contacts, and payments.
  • Created dashboard and led weekly status meetings as well as presented to the Board of Directors.
  • Managed staff of fifteen volunteers over the six-month period ensuring that work was completed as well as mentoring volunteers on professionalism and advanced use of tools in Microsoft Office including Excel and Word.
  • Created a Facebook Page for Event and Organization.
  • Updated organizational webpage with event details.
  • Created and managed a Google Shopping Cart page for the event - A FIRST FOR THE ORGANIZATION resulting in payment collection of all registered attendees!
  • Created and Maintained Electronic Correspondence.
  • Promoted event through membership contacts, recruitment of new members, and other local Chambers of Commerce.

Senior IT Compliance Analyst

T-Mobile
02.2008 - 04.2008
  • Directly assisted Enterprise IT (EIT) Compliance with documentation, tracking status of testing, and evaluation of internal controls.
  • Assisted in ongoing training of SOX IT to EIT Compliance and process owners to help ensure understanding and ongoing compliance.
  • Assisted in QA of key control testing and worked with EIT Compliance on issues, evaluation of the risk of failed controls, and implementation of solutions.
  • Worked with IT and other departments to understand and assess the impact of new systems and changes to existing processes and systems.
  • Administered SOX risk management system and documentation tool (developed internally by parent company).
  • Worked closely with the SPI (Oracle security implementation) team to understand segregation of duties violations and determine mitigating controls.
  • Member of Risk Assurance division committee for new employee orientation.
  • Administered SOX Compliance SharePoint site.

IT Auditor

Nordstrom, Inc
06.2007 - 10.2007
  • Member of Internal IT Audit team of four that audited IT functions. I personally audited security and user access for databases, UNIX (Sun OS), Oracle Financials, Active Directory, and in-house applications.
  • Partnered with business leaders on special projects and data analyses to support decision-making in an unstructured environment (e.g., Internal Audit member of a 150+ member team advising on and ensuring appropriate controls were cultivated and implemented as this four-phase company-wide initiative was developed to integrate all avenues of merchandising).
  • Conducted IT security access audit as the IT partner for the operational audit of corporate purchasing process.
  • Assessed risks across all areas of the Business, designed and influenced process improvements, drafted audit reports, and communicated results to high-level professionals.
  • IT Auditor on Corporate Purchasing Audit team.
  • Conducted IT Risk Assessment with IT Supervisor by meeting with key business unit managers to assess IT risks (i.e., security, capacity and availability of all IT resources, perceived risk areas) and presented findings to IT Management. IT Audits for 2007 and beyond were defined as a result of this risk assessment.
  • Partnered with contracted IT Senior Auditor on Capacity & Availability Management audit to provide a high-level view of current risks regarding performance and availability in key systems.
  • Conducted PCI - DSS audits, IT general and application controls testing.
  • Highlight(s): Regarded as a positive relationship builder with internal audit clients across departments.

IT Auditor

KPMG
10.2004 - 06.2006
  • Performed IT Controls over financial reporting on Sarbanes-Oxley (SOX) attestation engagements including: Costco, Weyerhaeuser, Expeditors, Savers, ICOS-Lilly Pharmaceutical and Aquantive Pharmaceuticals, Salem Hospital, Salem, OR and Asante Health Care Systems - OR, which includes both public and private organizations.
  • Provided IT audit reviews of varying types of applications and system platforms.
  • Audited SAP (CRM and HRMS Modules) account creation and security as well as QMS (Quality Management Systems).
  • Performed PCI (DSS), PII and HIPAA controls audits ensuring that information security standards were met or exceeded.
  • Performed walk-throughs on PeopleSoft account creation as well as data centers for multiple clients.
  • Wrote controls work papers on IT General Controls for public and private clients’ IT Controls systems.
  • Tested security in Windows and Unix OS.
  • Performed quality reviews of Sarbanes-Oxley attestation engagement workpapers and SAS 70s (SOC), including providing feedback on the adequacy of control tests and evidence for a regional bank, a regional credit union, a software developer, a manufacturer, and a mining company.

Computer User Analyst (II)

Seattle Children's Hospital and Regional Medical Center
04.2001 - 10.2004
  • Troubleshot and resolved 80% of in-house tier I and II issues with Microsoft Office products, Active Directory profiles, PCs and printers, handheld devices, and internal medical systems.
  • SME for VPN and remote access set up and resolved call center issues.
  • Designed and maintained VPN related documentation.
  • Worked hand in hand with the Center team to implement, train and support patient data, orders, and Rx modules.
  • Participated in preparation and execution of JCAHO.
  • Installed home wireless systems for remote users and administrators.
  • Designed tracking/distribution system for AV equipment resulting in 0% lost or missing equipment.
  • Designed, published, and updated “Tools and Tips” document on organization’s intranet.
  • Avaya phone system trainer - assisted in developing supporting documentation and acted as main contact for ongoing support.
  • Excellent problem-solving skills utilized daily.

Software/systems Training Specialist

Seattle Children's Hospital and Regional Medical Center
03.2000 - 04.2001
  • Reviewed and assessed training needs for existing and new software applications, including Microsoft products and healthcare-specific software packages.
  • Familiarized 150 + Super Users, Administrators and Patient Care Coordinators (PCCs) with Windows 2000 and Office 2000 including use of Outlook, file hierarchy, personal folders, etc. with AV presentation.
  • Successfully trained over 150 participants as a member of a teaching team of three trainers on Pathways patient scheduling system (PHS).
  • Worked in concert with IS department on problem solving of technical and software related issues.
  • Reviewed and maintained Training and Development and Pathways websites.
  • Led the New Employee Orientation (NEO) committee and the effort to restructure the program.

Office Manager/Training Coordinator

CTS, WA
08.1999 - 04.2000

Executive Assistant

Microscan Systems, WA
11.1998 - 08.1999

ESL Instructor

Pierce College
09.1995 - 12.1998

ESL Instructor

Japan
07.1990 - 07.1995

Education

CEH - Certified Ethical Hacker

WA State High Tech Crime Investigation Assoc., Edmonds, WA
02.2007

Certified Training Specialist

University of Washington, Seattle, WA
01.1999

B.A. in Industrial & Organizational Psychology

Indiana University of Pennsylvania
01.1987

Certified ESL Instructor

01.1990

Affiliations

  • Veteran’s Employment Services
  • IIA and ISACA
  • Seattle Metropolitan Chamber of Commerce
  • YWCA Dress for Success

Continued Learning

Pursuing PMP and Security Certifications to be completed in 2026
