Security Audit

For a little over two years at Jackson National Life Insurance, I was the only security auditor for all of the company's North American business units. These comprised approximately eight separate companies (the number actually varied) with locations around the U.S. covering different financial services, insurance, and annuity products. At the time, Jackson itself was a subsidiary of Prudential PLC of London, and I served as part of the global audit team, supporting global audit projects that cut across international business units. The position also allowed me to recruit experts from around the world to support special areas of audit projects that I led. While many of my audit projects were focused on security, many also placed me in the role of supporting complex financial audits with evidence from assessments of security controls.

Following my time in Internal Audit, also while at Jackson, I served as the Security Department representative to the SOX audit team. This entailed providing guidance to the team gathering evidence and writing attestation statements in preparation for audit by external teams. Mainly in my time as Security Control Program Manager, I acted in a similar capacity to address requests for evidence by audit teams, internal and external, including for SOC 2 audits.

Earlier, as a Security Consultant with Info@Risk, I developed controls testing programs employing audit approaches, based on NIST Special Publication 800-53A guidance on Assessing Security and Privacy Controls and ISO 27001 / 27002. Development of this customer deliverable was my response to the needs of our customers to satisfy multiple regulatory compliance schemes. In some instances, the assessment project was in support of a customer's internal audit team. More often it was designed to help security teams document their controls ahead of an audit by a regulatory oversight agency. Other audit preparation project deliverables I provided included risk assessments, development of standards and policies, and guidance on the implementation of other controls. I've continued to apply audit approaches in my role as Manager, Information Security Controls Program at Jackson National, designing and testing controls, and as Manager, Security Controls Validation at Zoom Video Communications, designing, documenting, and implementing a multi-year controls testing program.

Professional certifications supporting this work include: CISSP, CISA, GCCC, GPYC.
