Vanessa Kiwalabye
Bear,DE
Summary
Detail-oriented IT Auditor with over 3 years of experience in information security principles and compliance, internal controls, IT risk management, IT general and application control testing. Proficient in conducting internal control testing (SOX), performing HIPAA compliance reviews, conducting walkthroughs, ensuring audit readiness follow-up, and executing test of controls.
Overview
6
6
years of professional experience
1
1
Certification
Work History
Internal IT Auditor
Profile Intelligence
01.2024 - Current
- Conduct in-depth walkthroughs and testing of Information Technology General Controls (ITGCs) for industry-leading ERP systems, including PeopleSoft, Deltek Costpoint, Oracle Financials, SAP
- Assess IT internal controls as part of financial statement audits, internal operational audits, attestation engagements, and audit readiness assessments
- Perform compliance testing for Sarbanes-Oxley (SOX), OMB Circular A-123, and SOC (SSAE 16) reviews using industry-recognized frameworks like COBIT and FISCAM
- Evaluate IT General Controls (ITGCs) across applications, databases, and operating systems to identify potential risks and weaknesses
- Leverage extensive knowledge of SAP, Oracle Financials, and Microsoft Dynamics to assess business processes and security controls
- Identify control weaknesses and testing exceptions, providing clear recommendations to enhance system security and compliance
- Prepare detailed audit documentation and work papers to ensure transparency and accountability in audit processes
- Engage with senior management and clients, delivering valuable insights and strengthening relationships through exceptional communication and problem-solving skills
- Lead audit planning, execution, reporting, and follow-up, ensuring compliance with regulatory and organizational requirements
- Take on special projects, including Segregation of Duties (SOD) analysis, SOX compliance initiatives, PCI DSS, and HIPAA assessments, identifying conflicts and recommending process improvements
GRC Security Analyst/ Privacy Security Analyst/Vendor Risk Analyst
Coca-Cola MD (WTS)
01.2021 - 12.2023
- Assist in the development, review, implementation and maintenance of policies, procedures, standards and guidelines in accordance with applicable regulations including ISO 27001, NIST 800-53 Framework Controls, HIPAA, SOX, COBIT and PCI DSS
- Working knowledge of Internal privacy & data protection regime laws and regulation to include GDPR/Privacy Shield and EU privacy, CCPA regulations
- Working closely with the business team, procurement team, privacy team, security team, and legal team on the third party onboarding process
- Reviewing the intake forms and tiering of vendors
- Sending out and reviewing SIG questionnaires both the SIG CORE and SIGLITE
- Reviewing documentation attached by the third party as evidence for example SOC2 reports, penetration tests, NDAs
- Communicating and documenting my findings from the third-party risk assessment process and giving my recommendations
- Use BitSight to conduct risk scoring/rating to improve continuous risk monitoring of the vendors
- Extensive knowledge of demonstrated experience with independently applying Privacy Act, FISMA, NIST privacy-related requirements and guidance
- Understanding common privacy industry standards/regulations for example, GDPR, CCPA, PCI DSS, HIPAA
- Create information security documentation and workflows to assist with audits and vendor requirements
- Perform vulnerability scan using Nessus and Analyze vulnerability
- Performed Project management in bringing in new GRC solutions that will enforce our Risk Management
- Generated reports and communicate with all stakeholders
- Perform vulnerability remediation coordination
- Perform ad-hoc scans to validate fixed Vulnerabilities
- Perform vendor classification according to Data handling and Relationship as well as company policies and procedures
- Use BitSight to conduct risk scoring/rating to improve continuous risk monitoring
- Used ZenMinder to conduct suppliers risk assessments
- Using Ven Minder to attach artifacts that were provided by the vendors
- Assigned risk rating using Ven Minder
- Performed Vendor Assessment using Ven Minder
- Validate remediation plans by reviewing data handling/provisioning characteristics, underlying controls, data transformation, monitoring processes, process and controls, version control, and documented approvals
- Performed Risk Assessment to identify risk and documented the risk in a risk register
- Provide details of the analysis for each remediation plan including approvals and rejections
- Created policy, guidelines, and supplemental documents
- Develop and maintain relationships across a complex enterprise-wide structure in order to effectively communicate key issues and influence risk mitigation
- Created, developed, catalog of GRC services and have contributed to the improvement of Coca-Cola
- Lead awareness and training of new employees on Vendor Risk Assessment
- Create Vendor Risk Assessment Report and escalate issues when necessary
- Work with vendors to discuss appropriate remediation actions and deadlines for all identified gaps
- Analyze vendors processes to determine deficiencies within their controls that could violate applicable law, regulation, framework or internal policies and procedures
- Perform Quality Assessment (QA) of submitted inherent risk questionnaire and work with the various partners to ensure accuracy
- Present gap analyzes to stakeholders and management to give a better knowledge of the risk level
- Perform periodic vendor risk assessment to make sure vendor controls are properly implemented to ensure confidentiality, integrity, availability, and privacy throughout the contract
- Identify gaps and create a risk treatment plan/corrective action plan to track gap remediation process as well as providing recommendations
- Perform Qualitative Risk Assessment to maintain a defined internal and external security posture
- Review SOC 2 Reports & SIG and gather evidence to make sure it complies with company’s control standards
- Continuously monitor vendor services/activities relating to information security
- Involved in due diligence to determine the right vendor for onboarding
- Worked with the legal, financial and procurement team in reviewing vendor’s contracts
- Perform Documentation Review
- Championed control assessment
- Assisted in SOC 2, ISO 27000 Audits by gathering of evidence and answering to security questions
- Responding to Request of Proposals
- Performing Risk and Control Self Assessments and tracking gaps in risk register
- Making sure core processes are Identified
- Documenting process for controls
- Performing risk assessment to identify key inherent operational risks
- Performing gap analysis for controls
- Performing risks scoring
- Presenting results to management
- Developing mitigation plans
- Develop and support processes for responding to, tracking and managing internal and external audit and compliance exam findings
- Evaluate alternative means of reducing the business operations’ exposure to financial loss, information security breaches, damage to the organization's reputation, loss of business continuity, and other types of operational risk
- Develop and implement operational risk management frameworks, methodologies, reporting, quantification/testing, policies, standards, and procedures as appropriate
- Develop and coordinate the production of performance reports to senior management
- Make presentations to management and staff on industry and regulatory related news and developments
- Performed access Review quarterly
Security Assessor/Privacy Security Analyst
MTN Uganda
06.2019 - 08.2020
- Managing users and user roles authentication
- Commissioning and decommissioning of data sets
- Processing confidential data and information according to guidelines
- Helping develop & automate reports and analysis
- Supporting initiatives for data integrity and normalization
- Participate in scheduling kick off meetings with system owners to help identify assessment scope, system boundary, information system’s category and attain artifacts needed in conducting control assessment
- Discuss preassessment procedures with team members and notated findings and relevant questions
- Participate in the development of Security Assessment Plan (SAP) and perform assessment
- Perform comprehensive security Control assessment using assessment method such as, interviewing, examination and testing
- Participate in weekly meetings to discuss the status of the assessment process
- Document and populate findings in the requirement traceability matrix based
- Document findings to be presented in Security Assessment Report (SAR) and provide recommendations for failed controls
- Conduct risk assessment to determine the likelihood and impact of controls that failed
- Experience in independent assessment
- Effecting, supporting and enhancing security awareness
Education
Bachelor’s - computer science
Makerere University
Kampala UGANDA01.2019
Skills
- WORD
- POWERPOINT
- OUTLOOK
- ONENOTE
- SOC REPORT ANALYSIS
- SharePoint
- TEAM PLAYER
- EXCEL
- Microsoft office
- Analytical skills
- Leadership skills
- Risk Assessment
- Management
- Teamwork
- Communications Skill
- POAM MANAGEMENT
- SNOW & GRC
- Scout
- Splunk
- Nessus
- Nmap
- SIEM
- GAP Analyzer
- ZenMinder
- BITSIGT
- CrowdStrike
- Process Unity
- NIST
- HIPAA
- GRDP
- PCI DSS
- CCPA
- HITTRUST
- ISO 27001
- Vulnerability assessment
- Security awareness training
- Security policies
- Access control
- Compliance reporting
- IT governance
- Application security
Accomplishments
I attained security Security + certification
Certification
- CompTIA Security+
- Bachelor’s in computer science Makerere University (2019)
- CISA
Compliances
- NIST
- HITTRUST
- HIPAA
- ISO 27001
- GDPR
- PCI DSS
- CCPA
CISA
I was able to complete my CISA certification
Languages
English
Full Professional
Timeline
Internal IT Auditor
Profile Intelligence
01.2024 - Current
GRC Security Analyst/ Privacy Security Analyst/Vendor Risk Analyst
Coca-Cola MD (WTS)
01.2021 - 12.2023
Security Assessor/Privacy Security Analyst
MTN Uganda
06.2019 - 08.2020
Bachelor’s - computer science
Makerere University
Similar Profiles
Blessing Ita-SamuelBlessing Ita-Samuel
Internal IT Auditor (Contract) at Profile IntelligenceInternal IT Auditor (Contract) at Profile Intelligence
CHRISTOPHER OBOHCHRISTOPHER OBOH
Project Coordinator at Profile Intelligence LLCProject Coordinator at Profile Intelligence LLC
Innocent NgwaInnocent Ngwa
Product Manager at Profile intelligence LLCProduct Manager at Profile intelligence LLC
Monserrat Martin Del CampoMonserrat Martin Del Campo
Representative, Shareholder Services at Bank Of New York Mellon CorpRepresentative, Shareholder Services at Bank Of New York Mellon Corp
Jade Haman-PhillipsJade Haman-Phillips
Owner/Creator of Custom Press-On Nails at Clawed MonetOwner/Creator of Custom Press-On Nails at Clawed Monet