
Tosin Betiku

Frederick, MD

Summary

Productive, objective and success-oriented Security Control Assessor with about 15 years of experience in System Security, IT Security Compliance, Risk Management, ITGC Audit, Project Management, and Vulnerability Management in both the public and private sectors of the economy.

Experience in leveraging FISMA and applicable NIST Special Publications (e.g. FIPS 199, FIPS 200, SP 800-30, 800-53r5, 800-60, 800-37 and 800-137) to design appropriate security controls for the environment.

Knowledge of IT controls (auditing/Security/Compliance) across several control frameworks and applicable regulatory requirements (e.g. NIST, COBIT, ISO 27001, IRS 1075, FFIEC, GLBA, NYDFS, HIPAA, CJIS, etc.).

Detail-oriented risk management specialist versed in data analysis and reporting. Brings advanced understanding of IT Security (in an on-prem, hybrid, or cloud setup) and Business Management to recommend risk mitigation strategies aligned with the business continuity goals.

Overview

6 years of professional experience
1 Certification

Work History

IT Security Risk and Compliance Senior Analyst

DCHF/DCAS - DC Government
11.2023 - Current
  • Perform security assessments and review system security documentation based on FISMA and FedRAMP requirements.
  • Conduct security testing and risk assessments to ensure the DC Department of Health and Finance (DCHF) complies with CMS (Center for Medicare and Medicaid Services) MERs (Medicare Enterprise Risk Management), IRS 5, HIPAA, and other regulatory requirements.
  • Test IT security controls to evaluate the effectiveness of security controls, including access controls, incident response, and vulnerability management, and their sufficiency for regulatory compliance.
  • Develop, review, and update Certification and Accreditation (C&A) packages and Authority to Connect (ATC) documentation for systems hosted and owned by DCHF on-prem and in the cloud environments.
  • Maintain and manage the required systems security documentation on the SharePoint Site (e.g., SSP, RAR, BCP, PIA, ISA, etc.).
  • Leverage GRC Archer for compliance and audit findings management.
  • Leverage ServiceNow to create tickets for user stories and all other task tickets.
  • Leverage Jira for managing the cloud migration tasks.
  • Conducted comprehensive data analysis using Excel, including advanced functions, pivot tables, and VBA scripting to automate repetitive tasks.
  • Developed interactive and insightful dashboards in Tableau, facilitating real-time data visualization and enabling strategic decision-making.
  • Work with cross-functional teams to gather requirements for the Agency’s migration to the AWS cloud.
  • Helped the program manager review user stories and also performed user testing.
  • Cleaned, organized, and transformed large datasets for analysis, ensuring data integrity and accuracy.
  • Develop and update the IRS Safeguard Security Report (SSR)
  • Develop and update the IRS Corrective Action Plans (CAPS)
  • Develop and update the IRS Inspection Plan and Inspection Reports
  • Coordinate with departmental agency staff as necessary to guide the process of conducting risk analysis and computer security reviews, security assessments, the preparation of Disaster Recovery Plans, security plans, and the processes involved in the Agency’s required security activities for the Certification and Accreditation of Major Information and General Support Systems (MIS/GSS)
  • Review and update IT security Policies
  • Review and update IT security Procedures
  • Manage the Computer Security Awareness Training and Role-Based Training projects
  • Develop, review, update, and publish Rules of Behavior
  • Develop and implement information sharing regarding cyber security best practices and common vulnerabilities
  • Conduct vulnerability assessment and security risk analysis leveraging the Tenable scanner
  • Research new technologies, systems, and processes to make recommendations on the enhancement of the security posture
  • Perform research and preliminary proof-of-concept testing of security tools
  • Prepare and submit SAR responses
  • Conduct Plan of Action and Milestones (POA&M) reviews, oversight, and reporting as well as Privacy Impact Assessments
  • Aggregated and synthesized data from various sources to create detailed reports for IT Risk and Compliance leaders.
  • Monitored and evaluated key risk indicators (KRIs) and key performance indicators (KPIs) to assess compliance with regulatory requirements.
  • Prepared and presented reports on IT risk assessments, identifying potential threats and recommending mitigation strategies.

Third Party Risk Management Consultant

Truist Bank - Through Artech
07.2022 - 09.2023
  • Engaged in the analysis of historical data to develop fraud rules to mitigate and prevent fraud losses to the bank’s business.
  • Provided inputs on the Vendor’s inherent risk rating during the inherent risk assessment meeting with the stakeholders internally.
  • Conducted the review of the SOC 2 Type 2 reports of multiple Third-Party Service providers to validate vendors' responses on implemented controls.
  • Reviewed third-party controls on the Data protection for all vendors touching the bank’s sensitive data.
  • Assisted in guiding business owners and vendors on the implementation of solutions that comply with the Bank’s IT Security and Data Privacy policies and standards.
  • Reviewed vendor agreements and ensured compliance with applicable federal and state laws, rules, regulations, and enterprise policies and procedures.
  • Built and maintained effective relationships with team members, leadership, key business unit stakeholders, and third-party representatives.
  • Ensured the coverage of inherited controls from cloud service providers (AWS, Google, Azure, etc.) was properly defined by the relevant third parties.
  • Used the Archer GRC tool to assign, process, and document Third Party Assessments.
  • Created Third Party Security Risk findings in Archer and assigned them to the Business POC based on the risks identified during the assessment.
  • Used documented records of Security Standards in Archer to determine security baselines for the Third Party based on their responses to the Assessment Questionnaire and provided security artifacts.

Third Party Risk Management - Finding Remediation

Navy Federal Credit Union
05.2021 - 06.2022
  • Engaged in the conduct of efficient and high-quality risk assessment remediation activities for complex third-party relationships.
  • Analyzed third-party remediation responses, evidence, and external audit reports to confirm third-party compliance with control expectations.
  • Reviewed assigned findings in the Archer GRC tool.
  • Commented on finding records to document discussions with the Third Party (Supplier).
  • Conducted the review of the SOC 2 Type 2 reports of multiple Third-Party Service providers in a bid to remediate security gaps or findings issued against such Third Parties from the InfoSec due diligence assessments.
  • Reviewed third-party controls on Data protection for all vendors touching NFCU-sensitive data.
  • Made relevant remediation suggestions to third parties on appropriate controls that will be effective and provide a good level of assurance that NFCU data will be protected.
  • Assisted in guiding business owners and vendors on the implementation of solutions that comply with IT Security and Data Privacy policies and standards of NFCU.
  • Assisted in prioritizing departmental findings remediation tasks including new information security risk assessments, privacy impact assessments, and associated exception requests according to related processes and procedures. Reassessed, identified, and escalated issues appropriately.
  • Produced professionally written summaries of third-party assessment remediation results.
  • Facilitated meetings with internal business units and third parties on Information Security third-party risk management remediation processes.
  • Built and maintained effective relationships with team members, leadership, key business unit stakeholders, and third-party representatives.
  • Reviewed third-party remediation implementation to address findings or control gaps and areas of non-compliance.

IT Security Risk Governance

Freddie Mac
08.2020 - 04.2021
  • Worked with the IT Risk Governance Director to support the IT division’s top risk and control priorities including the creation of a centralized exception request management process for exception requests within the Freddie Mac IT Division.
  • Conducted risk assessment and test of controls on IT Issues/exceptions to measure compliance with the FHFA and other regulatory requirements given existing MRAs.
  • Developed a stakeholder management plan for the team with clear definitions of the expectations and approach methodology to maximize cooperation and efficiency.
  • Met with multiple stakeholders across the IT Division to gather requirements for the various exception processes across the teams within the Division.
  • Created a set of mandatory exception request fields for the solution to be adopted for the centralization of exception requests.
  • Implemented and supported IT Division security functions, activities, and initiatives related to the Azure Cloud solution.
  • Worked with the Azure Cloud Security Architect to ensure that appropriate security standards and best practices are integrated into the development of cloud applications and deployments.
  • Developed technical requirements for the implementation of IT-related exception management in ServiceNow.
  • Held regular meetings with the Freddie Mac Application Development Director and his team to walk through the requirements for the application as provided by the business.
  • Held POC (proof of concept) meeting with the development team along with multiple stakeholders including Division heads and representatives of the Enterprise Risk Management.
  • Developed Use Cases and User Stories to provide an idea of the system’s usability from the user’s point of view.
  • Reviewed and understood assigned User Stories and acceptance criteria for the exception solution.
  • Participated in UAT test planning and strategy discussions.
  • Developed and documented test cases based on User Stories and acceptance criteria.
  • Executed test cases and reported defects or issues found.
  • Met with the 2nd line of defense to walk through the new requirements related to Three Lines of Defense initiatives.
  • Worked with the 2nd line of defense to develop an exception risk assessment methodology.
  • Conducted risk assessment of all pending exception requests.
  • Supported the communication, training, and monitoring on exception requests for stakeholders within IT and across the three lines of defense.
  • Engaged in the analysis, reporting, and risk aggregation of exception requests to IT leadership.
  • Conducted the collection and collation of responses to FHFA audits on behalf of the IT Division.

IT Security Risk Lead

OCTO - DC Government
06.2019 - 08.2020
  • Worked with the CISO and other stakeholders to establish, implement, and maintain an effective information security program that meets FISMA requirements by leveraging the NIST 800-53 Rev 5 guidelines including the development of relevant security policies and procedures.
  • Developed an overall Risk Management Framework Strategy document for the Government of the District that is based on the requirements of the NIST RMF.
  • Provided regular reports and updates on the RMF effort to the CISO.
  • Created relevant security controls in the Archer GRC tool and submitted them to the CIO and CISO for review and approval through the approval workflow.
  • Ensured that the RMF was comprehensive, aligned with the District’s objectives and risk appetite, and applied consistently to protect the confidentiality, integrity, and availability of information and systems across the District agencies.
  • Contributed to the development of an Incident Response Plan, including communication strategies and escalation procedures for the DC Government.
  • Participated in the testing of the Incident Response Plan as an observer and made sure that appropriate POA&M is developed and executed to address all identified gaps in the After-Action Report (AAR) issued by the independent assessor.
  • Conducted risk assessment on exception/waiver requests for vulnerability remediation spanning all departments and teams within the District Agencies.
  • Conducted risk mapping exercises for critical processes within District Agencies with high regulatory footprints. This included identifying and prioritizing business processes and reviewing/testing associated security controls to determine the residual risk rating.
  • Led the conduct of risk assessment for cloud-based solutions/applications as part of the application Authorization and Deployment Process for multiple DC Government Agencies.
  • Participated in the assessment of application controls and ensured security hardening of all applications by adopting the OWASP recommended controls.

Snr Consultant, IT Vulnerability Remediation

KPMG US
02.2019 - 07.2019
  • Worked in a team of four (4) to manage the remediation of Cyber Vulnerabilities discovered because of continuous security assessments conducted by the KPMG Security team. The activities of my team cover the KPMG offices in the USA, the Americas, and Asia.
  • Used the ServiceNow tool as a ticketing software to assign remediation tasks to owners of the Systems, Applications, or Devices with identified vulnerabilities.
  • Facilitated the performance of the periodic cloud application security testing.
  • Executed processes for coordinating and tracking remediation activities.
  • Conducted reviews of the vulnerability remediation exemptions created by System owners in the Archer GRC tool and made recommendations to business leaders on Risks.
  • Created Standard Operating Procedures (SOP) for the Vulnerability Management Process that includes services and processes to be performed by the Vulnerability Remediation team as well as Remediation Owners and cross-functional remediation champions. The SOPs include a clear workflow diagram and a RACI.
  • Worked with various service teams to ensure the appropriate rating of discovered vulnerabilities based on the data stored, transmitted, and processed on the scoped asset.
  • Made recommendations for the remediation of discovered Application Vulnerabilities based on the OWASP guidelines.
  • Researched and oversaw the development of risk-mitigating approaches with cross-functional teams to drive timely responses and improve cyber-related operations.
  • Provided support for Vulnerability scanning and the analysis of the report generated from the vulnerability scans.
  • Ensured that vulnerabilities confirmed to have been remediated by the Remediation Owners are validated through a rescanning of the IT asset in scope for remediation.
  • Identified and resolved gaps related to Governance Risk Compliance integration and reporting to improve accountability and results from remediation activities.
  • Provided enterprise-level reports and status updates on all vulnerability remediation efforts across multiple teams and businesses to the IT Leadership.

IT Security Risk Analyst

Essex Technology Group
04.2018 - 02.2019
  • Ensured that applicable IT security policies are implemented for the enterprise system. Carried out several business cases to justify the adoption and implementation of the ISO 27001/22301 ISMS program.
  • Consistently performed Information Security Risk Assessment for existing and potential vendors using the SIG classes of questionnaires.
  • Ensured operational security posture consistent with the current security policy is maintained.
  • Helped to create and implement Compliance Programs and ensure that a clear compliance workflow is in place for the GDPR privacy and data protection requirements.
  • Served as the Company's subject matter expert on compliance matters, with an emphasis on global and national laws and regulations.
  • Consistently collated relevant data and analyzed them to create an actionable report for decision-makers by using data analytic tools to create dashboards that give a clear interpretation of the data being analyzed.
  • Developed, implemented, and managed information security training and awareness for Essextec software/Application developers and other employees through the KnowB4 training platform.
  • Maintained a good understanding of current and emerging information security, regulatory, and compliance trends through active engagement within ISACA.
  • Collaborated with the Information Technology team to ensure projects are in alignment with data security and compliance policies and practices.
  • Performed tabletop exercises (TTX) to test a client’s disaster recovery and business continuity plans. Drafted and presented to those clients the after-action reports (AAR) detailing the strengths and weaknesses of the plans and identifying gaps with a recommendation of how those gaps are remediated.
  • Performed Gap analysis to identify areas of the organization’s operation with potential control weaknesses.
  • Supported the development of processes, controls, and continuous compliance testing, remediation, and risk mitigation solutions to support internal processes and external audit requirements, and collaborated cross-functionally to establish high levels of automated testing of controls and evidence collection.

Education

Bachelor of Science - Accounting

Ekiti State University
Nigeria
01.2002

Skills

  • Security
  • Risk Management
  • Quality assurance
  • Compliance Vulnerability Assessment Expert
  • Excellent with SharePoint
  • Experienced Security Trainer
  • Excellent in developing security policies, procedures, and guidelines
  • Excellent using cloud-based tools, applications, and vendors such as AWS, Azure, and Google
  • Regulatory Compliance
  • Project Management (project management methodologies, e.g. Agile)
  • Relationship building; developing strategic partnerships
  • Excellent with Microsoft Word, Excel, Project, Access, PowerPoint
  • Business Analysis
  • Data Research and Validation
  • Analytical Thinking
  • Root Cause Analysis
  • Business Operations Analysis
  • Process Improvements
  • Continuous Improvement
  • Documentation And Reporting
  • Strategic Planning
  • Information Gathering
  • Corrective Action Planning
  • Compliance Analysis
  • Risk Mitigation
  • Audit Support
  • Risk Analysis
  • Issue Identification
  • Workflow Analysis
  • Data Integrity Assurance
  • InfoSec
  • Analytical Skills

Certification

CISA, CISM, CRISC, CDPSE, PMP.
