Amy Robson Breslin, CISSP, CISA, CRISC, CDPSE
Details
Business Administration, Concentration in Finance
University of Vermont
1997 : 2001
2022 : Present
Upstart
Senior Manager, Information Security GRC
- Responsible for the management of the Information Security Risk Management program, including development and maintenance of a detailed risk register, enhancement and management of the Information Security risk assessment process leveraging NIST 800-300 and FFIEC IT Management guidelines, and development and adoption of a common control framework based on a combination of industry-accepted frameworks (i.e. CIS, NIST CSF, and NIST 800-53).
- Ensure a comprehensive suite of Information Security policies that establish and communicate the security requirements and responsibilities to the organization.
- Manage the Information Security third-party risk management (TPRM) program to ensure third parties with access to sensitive data are assessed and appropriate actions are taken to mitigate identified risks.
- Development of the security baseline exception process, including analysis, risk acceptance, and tracking.
- Oversee the security training and awareness program to ensure employees have the knowledge and awareness to defend against security attacks.
- Responsible for development of key risk indicators (KRIs) for ongoing risk monitoring and identification of risks exceeding defined thresholds that could cause harm to the organization, as well as metrics to report to the CISO, executive management, and the Board.
- Coordination and management of audits, attestations, and assessments, including the Upstart SOC 1 and SOC 2, SOX IT and Information Security controls, FFIEC Cybersecurity Assessment Tool (CAT), and Standard Information Gathering (SIG).
- Facilitate and respond to Information Security due diligence requests from various business partners.
2018 : 2022
Berkshire Bank
First Vice President, IT Risk Management Officer
- Responsible for the development of the IT risk management program, including IT risk assessments and the development of IT policies, standards, procedures, and controls in accordance with NIST 800-53 and FFIEC guidelines.
- Work with appropriate IT personnel to revamp and align critical IT and Information Security processes (i.e. patch management, asset management, vulnerability management, change management, risk management, etc.) with NIST 800-53.
- Part of the IT Leadership Team working with the CTO to develop and maintain an IT Strategic Plan that aligns IT strategic objectives with the corporate strategic objectives, ensuring the IT department supports the corporate vision and strategy.
- Develop and present metrics and reporting for management to show an accurate and holistic view of the risk profile of the IT environment.
2014 : 2018
CDPHP
Third Party Risk Manager
- Developed and managed the third party risk program, including: identification and assessment of risk posed by a third party based on services provided and data to be shared; evaluation of administrative, technical, and physical controls in place; determination of necessary compensating controls to mitigate identified risks; and participation in contracting discussions with the vendor and Legal to ensure security requirements are included within contracts.
- Participate in corporate projects to identify areas of risk and regulatory compliance requirements, ensure the principle of least privilege is adhered to in terms of access and data, and ensure security requirements are identified and included in the project requirements.
- Review policies pertaining to third-party vendor management as well as critical information technology (IT) policies to ensure policies are current.
2013 : 2014
UHY LLP
Senior Manager - IT Advisory Services
- Complete in-depth analyses of information technology operating environments and controls, including application software, databases, operating systems, hardware, and client/server networks, and communicate with technical staff and managers to improve internal controls.
- Manage HIPAA Security Rule compliance assessments, SSAE16 (formerly SAS 70) audits, Sarbanes-Oxley engagements, business process reviews, general control reviews, internal audits, and issue identification and resolution engagements while adhering to applicable standards and regulations promulgated by the AICPA, the IT Governance Institute, and other applicable governing boards.
- Perform IT risk assessments and reviews of operational, general, and application controls for various business processes to identify and evaluate risks, as well as assess alignment with industry best practices and compliance with applicable regulations.
- Evaluate information security strategies to assist in the implementation of industry best practices to increase efficiency and effectiveness.
- Recommend and assist in the implementation of industry best practices to increase the efficiency and effectiveness of information security programs and business processes.
- In-depth experience in the healthcare, insurance, financial services, and professional services industries.
2012 : 2013
Old Mutual Asset Management
IT Risk and Controls Manager
- Old Mutual Asset Management has investment boutique firms located throughout the US and UK, each with distinct investment capabilities, which include fixed income (traditional), alternative (fund of funds, long/short, real estate, and timber), and equities (micro, smid, small cap, and large cap).
- Member of the Senior IT Leadership Team to identify key initiatives and develop and align the IT strategy with the business strategy.
- Developed and implemented a control framework to focus on high-risk areas and align with the COBIT and ITIL frameworks.
- Revised the change management process to increase efficiency while maintaining key controls, and responsible for holding weekly change management meetings to prioritize and evaluate changes.
- Responsible for identification of applicable privacy laws and development of a framework for complying with applicable regulations.
- Maintained the Business Continuity Plan (BCP) program by keeping the plan updated and completing business impact assessments with business units to identify gaps and determine system criticality.
- Accountable for the disaster recovery (DR) program, including maintaining and updating the system criticality list and ensuring testing is adequate and completed at least annually.
- Developed and maintained a risk-based vendor due diligence framework for assessing critical vendors to ensure their internal control structures met industry information security and control standards and applicable privacy regulations.
- Assessed key IT policies and standards such as IT Security, Change Management, Program Development, Privacy, and Outsourcing, and revised them to align with the COBIT and ITIL frameworks and industry best practices.
- Worked closely with the Risk Department and the Compliance Department to assess key business risks and determine whether controls exist to mitigate high-risk areas.
Skills
Analysis, Assurance, Business Process, Change Management, COBIT, Disaster Recovery, Due Diligence, Finance, Financial Services, Information Security, Internal Controls, IT Audit, ITIL, IT Strategy, Risk Assessment
About
Amy is a highly knowledgeable and driven Information Technology and Information Security risk, audit, and controls professional with over 15 years of experience. She thrives when presented with complex challenges, including building IT risk management programs and comprehensive control environments from the ground up to meet regulatory, compliance, and control frameworks such as NIST 800-53, FFIEC, SOX, GLBA, SOC 1 & 2, etc. Amy has a proven record of collaborating with individuals and teams throughout companies, from developers and engineers to executives. Her experience in IT, business, and risk gives her a unique combination that allows her to balance strategic business objectives with risk and compliance.