Margarita Zakuta, CISA, CRISC
Details
2020 : Present
Happy Money
Information Security Manager
Led Application Security Risk Program. Provided Dynamic Vulnerability Scanning. Delivered and managed 3rd Party Vendor Risk Assessments. Provided recommendations on security features and Data Classification for assessed vendor products. Maintained Risk Registry. Evaluated new Security Solutions to improve Cloud Architecture. Provided Application Threat Modeling & AppSec Architecture Risk Assessments. Worked with Development Community to mitigate known risks. Audited roles and access via AD, Okta, Varonis, AWS Security Groups, AWS IAM, and AWS S3 bucket solutions. Maintained Kenna Risk System; opened JIRA tickets for known Qualys WAS vulnerabilities via Kenna/Qualys WAS/Tenable.io WAS/JIRA connectors (APIs). Provided SonarQube Quality Gate criteria recommendations.
2018 : 2020
Foundation Medicine
Sr. Security & Risk Engineer
Provided Risk Management via Kenna Risk System for all company-wide Application Security.
Reviewed evidence submitted for false-positive vulnerabilities. Led vendor consultations.
Managed client relationships for Mobile Applications. Oversaw Mobile Risk Assessments by a 3rd party.
Provided subject matter expertise on application security vulnerability assessments for CVS Caremark IT assets. Scheduled, performed and reviewed application Qualys WAS assessment results with various IT system and application owners to answer and resolve technical questions. Provided guidance on the risks remediation and mitigation strategies.
Provided Veracode Administration.
Worked closely with application teams to understand assessment results and provided guidance on the remediation of vulnerabilities.
Created Option Profiles, Selenium Authentication scripts, and Asset Groups within the Qualys WAS (Web Application Security) module. Ran Discovery and Vulnerability scans. Scheduled weekly vulnerability scans for known production applications.
Coordinated internal and external compliance application scanning schedule with application teams and Change Control board.
Worked with WhiteHat vendor to provide proper coverage for scanning of the PCI applications. Served as a liaison between developers and WhiteHat vendor.
Collaborated with Security Architecture team. Advised on process gaps. Responded to audits.
Provided overall Application Security Risk Assessment. Evaluated current security controls.
Conducted third party security assessments.
2015 : 2018
CVS Health
Sr. Application Security Engineer
Conducted Vendor Information Security Risk Assessments including Security Policy, Asset Management, HR Security, Physical & Environmental Security, Communications & Operations Management, Access Control, Information Systems Acquisition & Development, Information Security Incident Management & Compliance, Business Continuity & Disaster Recovery.
Led Conference Calls with Vendors.
Provided onsite Data Center Security Reviews.
Delivered Vendor Risk Assessment Reports with rated risk issues and suggested remediation.
Managed risk issues within GRC Archer system.
2014 : 2015
Fidelity Investments
Principal Vendor Technology Risk Analyst (Contract)
Performed IT Security and Compliance assessments/audits for Data Center Access, Wireless Rogue Access, Database, and others.
Performed Risk Assessments for various projects: Big Data, Moving to the Cloud, Offshoring, and others.
Delivered Security Presentations for Developers; proposed Secure SDLC and Secure Development Standards. Provided Policy/Framework Gap Analysis.
Participated in a wide range of concerns and projects, including the development of secure architectures and methodologies requiring security best practices and use of industry standards such as ISO 27002, ISO 27005, etc. Guided compliance with major governance and regulatory standards such as PCI DSS 2.1 & 3.0, MA Data Privacy, and SSAE 16. Provided research on Enterprise Crypto Key Management, Identity and Access Management, Cloud Technology, Asset Management, Data Classification, Internal & External Scanning, Server Hardening Scanning, GRC, Data Masking, and other vendor solutions.
2013 : 2014
Agero, Inc.
Senior Security Engineer
About
Manage Information Security Team. Oversee Application Security, Vulnerability Management, Incident Response, and Vendor Risk Assessment Programs. Perform Threat Modeling and Application Architecture Risk Assessments. Perform IT Risk, Security, and Compliance Assessments/Audits. Test various departments for adequacy and effectiveness. Perform Vendor Risk Assessments.
Hold expertise in secure SDLC, IS Policy, IS Standards, SOA Architecture, Risk Assessments, Security Code Review, and Testing Methodology. Lead Vendor Risk Assessments. Lead vendor selection process: conduct Web-ex sessions, produce RFI & RFP and KT Matrix, and implement solutions. Conduct security awareness training presentations. Run Qualys/Tenable.io/WhiteHat application vulnerability scans and suggest remediation plans. Work together with application development and support engineers to mitigate known vulnerabilities.
Compile Business/System Requirements; produce Visio & Enterprise Architect DFDs and Entity Relationship diagrams. Conduct application gap analysis and suggest process automation. Perform Quality Assurance: white box and black box testing, regression, automation triage; produce Test Plans and Test Grids.
Produce Project Plan, Project Charter and Cost Benefit Analysis.
Specialties: ISO 27001 & 27002, SOX, SOC 2, GLBA, Cal 1386, FERPA, PCI DSS, IdAM, SSO, DLP, Data Masking, Access Control, QualysGuard/QWAS, Tenable.io VM/WAS, JFrog, WhiteHat, Veracode, ZenGRC, Archer, Kenna, Secunia, Mercury WinRunner/Test Director, QTP/Quality Center, SoapUI, Firefox/Rest, MS SQL Server, security code review, IBM AppScan, Secure Development Standards, Change Management, Active Directory, NetIQ, NetPro, SMS, ESM, ACL, AWS S3, Security Groups & IAM, AD/Okta, Varonis/DatAdvantage.