Pooja Saxena

Security Risk management professional
New Delhi, New Delhi

About Pooja Saxena:

Seasoned security risk management professional with 12+ years of experience in cyber risk audits and assessments, data privacy, technology risk, security governance and compliance, and security policies and procedures. Experience with BFSI, retail and consulting firms.

Strong understanding of security governance regulations, risk compliance and management strategies, operational resilience, cyber risk assessments, cloud security, data privacy assessments, emerging risks, enterprise risk, GDPR and regulatory compliance.

Experience

  • Sr. Security Specialist - Vice President | Technology Risk Management - Enterprise Risk | BNY Mellon India Pvt. Ltd. | 24 Jan 2022 – 14 Mar 2023
    • Assess overall technology and cyber risk issues at the enterprise level for the bank. Work with 1LOD (first line of defence) and functional leaders to manage inherent and residual risk ratings and risk mitigation/treatment, and map key risks for the various technology RCSAs (risk control self-assessments) across the technology platform.
    • Review and challenge RCSAs for key technology/security risks. Highlight identified risk issues and challenges to leadership in monthly and quarterly dashboards/reporting.
    • Review and challenge control gap assessments from 1LOD within Technology and Cyber to ensure they reflect the changing regulatory landscape and bank-wide minimum control standard requirements.
    • Review operational risk events (external and internal) quarterly for technology-related significant financial losses and identify potential risks. Work with multiple stakeholders to get applicable risks mapped to the relevant RCSAs. Monitor KRIs (key risk indicators), escalate breaches of risk appetite and recommend mitigating solutions to minimize risk exposure.
    • Review/challenge and provide oversight on technology risk-accepted issues for adherence to BNY policy requirements and the bank's risk appetite. Established a process with 1LOD to manage/track such risks effectively for remediation/renewal and engage functional leadership accordingly.
    • Participate in and review emerging risks (e.g. new regulations, technology, geopolitical, cyber) for technology and operations on a quarterly basis; understand which applicable risks should be linked with technology RCSAs for better risk coverage and operational resilience.
    • Participate in enterprise-wide and business-level scenario analysis to understand emerging risks for the bank from a technology/operations standpoint. Review annual business-level scenarios as 2LOD and challenge applicable gaps.
    • Review and challenge overall control design effectiveness and its applicability on a monthly basis and, if required, propose to 1LOD that unwarranted controls be modified or eliminated. Review appropriate RCAs (root cause analyses) and lessons learned for significant technology risks. Also review and document relevant artifacts and evidence for external/internal audits.
  • Manager | Global Security Services - Information Security | Aon India Pvt. Ltd. | 27 Apr 2020 – 17 Jan 2022
    • Support the development and continuous maintenance of the firm's cyber security policies, standards and guidelines in alignment with applicable regulations, common security frameworks and industry-leading practices. Work with various business and technical teams and senior leadership.
    • Assess security risks in line with internal policies, regulatory frameworks, industry best practices and security frameworks. Support remediation of identified gaps with different stakeholders and report key risks to senior leadership.
    • Assist with internal and external audits, client queries and security questionnaires, and provide the relevant details on security documentation and internal processes. Establish a common control framework aligned to regulatory and security frameworks to achieve ongoing compliance and preparedness for internal/external assessments.
    • Manage and lead security exceptions against Aon's security standards and related findings from regulatory audits. Work with senior leadership and multiple stakeholders to communicate security risks.
  • Lead Consultant | Deloitte & Touche LLP | 4 Jul 2016 – 30 Aug 2018
  • Sr. Consultant | Deloitte & Touche LLP | 1 Sep 2018 – 16 Apr 2020
    • Managed multiple client engagements to perform and supervise cyber risk assessments against different security risk frameworks, e.g. ISO 27001, NIST SP 800-53 and NIST CSF. Monitor quality/delivery of all audits as per client requirements. Guide and train assessors per the client engagement requirements to produce quality work papers/deliverables.
    • Lead engagement communications with senior internal/external stakeholders to meet and exceed service expectations, including audit plans, reports and service deliverables.
    • Performed onsite audits for different clients and facilitated global onsite audits against different risk frameworks and regulatory requirements. Also helped clients with ISO 27001 readiness assessments to evaluate their current security posture and the action plan required before the actual audit.
    • Perform privacy impact assessments under GDPR for clients and work with legal team members and data protection officers globally on data privacy documentation, driving remediation of and compliance with identified privacy risks.
    • Ensure that all technical and organizational measures and records of processing activities are updated and evaluated for data processors.
    • Work with different clients to establish and evaluate new and existing supplier risk programs based on risk frameworks and regulations. Assist with developing security policies and with risk strategy consulting.
    • Assess cloud service providers' and applications' risk controls, leveraging annual pen test and vulnerability scan reports, SOC 1 and SOC 2 Type 2 reports, and the CCM/CAIQ v3.1.0 questionnaire.
  • Team Leader | Ameriprise Financial | 14 Aug 2013 – 24 Jun 2016
    • Audited third-party suppliers for Ameriprise against ISO 27001, PCI DSS compliance and OWASP Top 10 security frameworks, and worked to mitigate Critical, High and Medium findings in suppliers' environments within defined SLAs.
    • Assess vendors' applications and hosting environments using relevant security reports and documentation. Review network and application pentest reports and work on closure of identified non-conformities in suppliers' environments.
    • Report monthly process metrics to leadership. Create/review SOPs for the process to record all steps and procedures from an audit perspective. Also managed the security exceptions process against Ameriprise security standards, assessing the risk factors for different exceptions, mitigating controls and risk ratings for further approvals.
  • Team Developer | BA Continuum India Pvt. Ltd. | 3 Sep 2010 – 13 Aug 2013
    • Managed network infrastructure compliance for network devices at Bank of America, including reviewing router, switch, VPN and wireless access point (WAP) configuration files against Bank of America's baselines and standards.
    • Performed gap analysis on existing security standards and baselines for routers and switches. Highlighted the identified gaps to senior leadership and had them documented as findings.
    • Discussed non-compliant issues and drove remediation efforts to get them fixed within timelines. Worked with the governance team to implement the 802.1X protocol to address rogue devices on the bank's network.

Education

B.Com, Delhi University, 2006

PG Diploma in Cyber Security, 2010

ISO 27001 LA

PCI DSS (SISA)
