STEPHEN OBENG-ADJEI
Details
Information Technology
Kwame Nkrumah University of Science and Technology, Kumasi
• Select and draft a security control baseline based on the information system categorization level, per NIST SP 800-53 Rev. 4 and FIPS 200.
• Develop internal templates for Security Test and Evaluation (ST&E) and Security Assessment Plans (SAP), and conduct security control assessments in accordance with NIST SP 800-53A to validate the adequacy of the management, operational, and technical security controls implemented.
• Develop Security Assessment Reports (SAR) detailing the assessment findings, and track all findings from initiation to completion within the Plan of Action and Milestones (POA&M).
• Prepare security authorization documentation, including the System Security Plan (SSP), Plan of Action and Milestones (POA&M), Security Assessment Report (SAR), and any other artifacts required for the ATO package.
• Review and maintain existing information system security documentation, including the SSP, Security Controls Matrix and/or Assessment, and Security Configuration Guide (controlled changes to the system), and upload all necessary authorization-related documentation into the Cyber Security Assessment and Management (CSAM) GRC tool using approved templates and procedures.
• Provide stakeholders (System Owner, AO, ISSM, etc.) with weekly updates on the current security posture of all assigned information systems.
• Conduct system risk assessments through risk analysis to assess the assets within the system's authorization boundary and rigorously identify all possible vulnerabilities that exist within the system.
2019 : Present
Aryon Consulting LLC
Information Security Analyst
• Coordinated with key stakeholders to initiate, scope, and plan information security risk assessments of new and existing vendor engagements.
• Conducted initial assessment brief-in meetings with stakeholders to discuss assessment scope, resources required, and time frame.
• Performed rigorous assessments of IT financial controls using industry-standard guidance and leading practices at the direction of specialists.
• Identified and communicated risks or issues to key stakeholders and other organizations to establish remediation plans and to track and monitor vendors' risks to closure.
• Performed assessments using the Interview, Examine, and Test (I, E, & T) methodology and documented results in the security risk traceability matrix (SRTM).
• Generated work papers on information security risk assessments and performed detailed analyses of identified issues.
• Documented test results, developed and recommended corrective actions, and developed and documented residual risk and risk assessment statements.
• Maintained a central repository of vendor risk assessments and supporting documentation.
• Continuously monitored for changes or updates in vendors' environments, as well as changes in regulations and industry standards.
• Audited selected vendors based on their questionnaire responses and conducted on-site visits where necessary.
• Monitored system logs for unusual activity in Splunk, and tracked POA&M items in the RSA Archer GRC tool, which records and monitors corrective actions for weaknesses and deficiencies found during security assessments and Nessus scans.
• Requested and reviewed vulnerability scan reports, recommended corrective actions to address identified vulnerabilities using the vulnerability management tool, and documented findings in the GRC tool.
• Analyzed vendor risk questionnaire responses to validate the existence of information security and other controls and to identify non-compliance with industry frameworks and standards.
2017 : 2018
Manav Consulting
Security Compliance Analyst (GRC)
• Performed rigorous assessments of IT financial controls using industry-standard guidance and leading practices at the direction of specialists.
• Participated in and/or conducted information technology audits, Sarbanes-Oxley reviews, investigations, and other operational/compliance audits, ranging from detailed testing to evaluating and establishing audit scopes.
• Performed walkthrough interviews while maintaining communication with a variety of client stakeholders, including system personnel such as system and database administrators.
• Requested, obtained, reviewed, and analyzed a variety of artifacts to assist in executing IT internal audit readiness and security controls testing, such as system security plans, SOPs, system screenshots, and system configuration settings.
• Used audit programs as a guide for performing audits, while modifying audit procedures to meet the circumstances of individual audits, given the auditee's systems, the inherent risk, and internal audit objectives.
• Professionally documented the results of IT financial and security controls test work in a consistent, high-quality manner that would allow a reviewer to repeat the test and reach the same conclusion.
• Summarized and communicated IT financial and security controls assessment results to a variety of client stakeholders, including senior leadership personnel.
• Planned and executed day-to-day activities of IT audit engagements, system development, Service Organization Control (SOC), and control readiness assessments for senior management and clients.
• Worked with client personnel to understand and analyze known IT financial and security control weaknesses, identify root causes, and develop detailed, robust remediation plans.
• Performed Corrective Action Plan (CAP) validation testing for completed remediation activities.
• Monitored, tracked, and reported on IT CAP statuses and third-party risk management (e.g., service providers).
2016 : 2017
Renowned system LLC
IT Audit
Skills
Access Control, Analytical Skills, Cyber-security, Cybersecurity, Cybersecurity Analyst, Governance, Risk And Compliance (GRC), Information Security, Information Technology, ISO 27001, IT Audit, Microsoft Office, Microsoft Word, NIST, NIST 800-53, Payment Card Industry Data Security Standard (PCI DSS), Penetration Testing, Risk Analysis, Risk Assessment, Risk Management, Risk Management Framework (RMF), Security, Security Compliance, Security Information and Event Management (SIEM), Security Management, SOC 1, SOC 2 Type 2, Third-Party /Vendor Risk Assessment, U.S. Federal Information Security Management Act (FISMA), U.S. Health Insurance Portability and Accountability Act (HIPAA), Vulnerability, Vulnerability Assessment
About
Information Security Analyst with over 7 years of experience in information security and risk management, with a focus on IT audit, third-party and vendor risk assessment, information systems audit, SOC 1, SOC 2 Type 2, and operational policies and procedures. Experienced in preparing, conducting, and reviewing complete IT audits of information systems and applications, and in protecting enterprise information systems using industry standards and best practices.
Seeking a cybersecurity position in a growth-oriented organization with a focus on FISMA, the NIST Risk Management Framework (RMF), Service Organization Control (SOC 2) reports, system security monitoring, risk assessments, audit engagements, and testing security controls. Adept at supporting information assurance through security authorization activities, Contingency Plans (CP), Risk Assessments (RA), System Security Plans (SSP), Privacy Impact Assessments (PIA), and System Security Test and Evaluation (ST&E). Proficient with additional frameworks such as HIPAA, PCI-DSS, ISO 27001, and GRC.