INFORMATION SECURITY, PRIVACY, COMPLIANCE AND TECHNOLOGY RISK LEADER
An accomplished IT professional with over 16 years of progressive experience and responsibilities managing technology risks across several vertical markets, such as financial, insurance, education, healthcare and government.
Core Competencies & Strengths Include:
Information Risk Management
Security Tools, Processes & Policies
Information Privacy & Online Safety
Security Incident Response Programs
IT Audit & Compliance Management
Project Lifecycle Management
IT Governance & Best Practices
Vendor Management
Contingency Plans & Business Resumption
ISO 27001/27002, SOX, MAR, GLBA, COBIT, COSO, PCI DSS, HIPAA, HITRUST, NIST, FFIEC, BASEL II, NERC, EUDPD
Information Security Management @
Hired to take on the challenge of leading the company’s information security function within the highly regulated healthcare environment and creating information security foundations that align with the regulatory requirements of HIPAA/HITECH and best practices. Addressed these goals by championing information security and driving best practices via the following:
• Chaired the Information Security Committee Board which provides senior leadership and guidance on information security initiatives and decisions impacting the company
• Led corporate-wide initiative to create a corporate Information Security program consisting of a written program framework, updated user training and revised policies, procedures and standards to align with HIPAA/HITECH, NIST, ISO 27002, PCI DSS and general best practices
• Ensured compliance with HIPAA/HITECH by conducting annual risk assessments and remediating gaps identified
• Gained buy-in to transform the company into a HITRUST certified organization since this demonstrates the company’s commitment to securing ePHI
• Became change agent for improvements in security, compliance and audit of business-critical processes (identity and access management; data leakage prevention; IT asset management; software escrow; centralized security incident management and vulnerability management)
• Undertook the challenge of determining the feasibility of adopting a corporate-wide Bring Your Own Device (BYOD) initiative for the workforce (P&Ps; MDM framework; endpoint security)
• Led corporate-wide annual DR planning efforts; worked with business units to create BIAs that defined the critical information needed for the overall contingency plans
• Assessed vendor security risks as an integral part of the corporate-wide Vendor Oversight Committee function, providing appropriate oversight and risk management of third-party relationships
• Collaborated with auditors/regulators to support gap remediations and development of corrective actions
From May 2012 to Present (3 years 8 months)
IT Audit Project Manager @
A thorough understanding of the impact of technology risks and knowledge of audit professional standards, regulatory requirements and best-practice frameworks is required to provide advisory services.
Duties included:
• Adopting and executing a risk-based audit approach
• Leading complex technology and business process audit engagements
• Developing detailed audit programs in both core IT and integrated IT areas
• Testing areas under review and deriving sound results from which opinions on the state of controls can be developed
• Drafting detailed audit reports for executive management and regulator consumption
• Establishing and maintaining close working relationships across all levels of audit client management and staff
• Ensuring audit projects are completed on time and on budget
General Counsel’s Office, Privacy Office Secondment, 2011
I was nominated to participate in a DTCC initiative, which was also a department goal to foster mobility within the company. My secondment allowed me to form new relationships, learn more about the DTCC businesses and refresh my regulatory/compliance knowledge. Some duties included:
• Conducting privacy risk assessments across all business areas
• Developing and delivering targeted privacy educational/training (i.e., for high, medium and low risk business areas)
• Providing input to enhancing the data loss prevention (DLP) program to prevent insider data theft from voluntary and involuntary employee terminations and overall enforcement of DTCC’s corporate information security policies
• Developing policies for social media usage
• Participating in privacy and security breaches
• Providing guidance to management and staff on corporate privacy issues
From April 2007 to May 2012 (5 years 2 months)
Senior Information Security Specialist @
Expert-level understanding of formal methodologies and best practices to provide guidance on security; privacy; policy development; compliance; governance; vendor management; contingency plans; risk assessments and internal risk management processes; and implementation issues for clients across several vertical channels. Duties included:
• Leading engagements for the professional services practice and being responsible for the delivery of successful projects
• Conducting security audits and vulnerability assessments using industry standard frameworks including, but not limited to, ISO 17799, COBIT, COSO, PCI DSS (formerly VISA CISP), SOX, HIPAA
• Conducting risk reviews and working with external clients and internal business teams on specific risk issues and concerns
• Writing detailed reports that include findings, implications, and recommendations
• Providing senior-level executives with guidance aimed at identifying gaps, and remediation expertise to improve compliance levels
• Researching and maintaining up-to-the-minute expertise in current information security standards and other regulatory compliance requirements
• Ongoing analysis of regulatory, federal and state trends as they relate to current and planned regulations, laws, and guidelines
• Analyzing and developing proprietary best practices applicable to information security
• Analyzing new offerings in line with business need and market direction, in cooperation with internal business teams
• Developing a content knowledge base in order to identify and map intellectual assets within the organization and generate new knowledge for competitive advantage
• Developing value-added white papers, published reports, and articles that helped internal clients such as Professional Services, Sales, Marketing, and senior management understand the business impact of information security, regulatory compliance and risk management practices
From March 2004 to December 2006 (2 years 10 months)
Information Security Officer / IT Security Analyst @
Membership in a privately held consulting consortium that audits, designs, and implements e-business security intelligence solutions allowed a combination of varying tasks. Dual roles included:
Information Security Officer
• Developing and implementing information security, governance and risk management policies, procedures and guidelines to meet security objectives in compliance with HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley Act and other regulations
• Coordinating risk acceptance and other control-related efforts with the business, controls and compliance functions, and disaster recovery procedures
• Conducting information security risk assessment and business continuity evaluations
• Providing periodic reporting on information security issues to senior management
• Identifying opportunities for continuous improvements
• Assisting in coordinating contingency plan tests
• Coordinating security orientation and security awareness programs
IT Security Analyst
• Testing and analyzing vendor software & hardware IT security products
• Performing security audits and penetration tests
• Assisting in the investigation of security breaches and/or potential breaches
From July 2003 to March 2004 (9 months)
Network Engineer @
Solid contributor within a leading global enterprise; transitional roles included:
- Project Engineer
- On-Site Network Management Specialist
- On-Site Network Engineer
From July 1997 to December 2002 (5 years 6 months)
M.S., Information Systems, Graduate School of Engineering @ Northeastern University
B.S., Management Information Systems @ St. John Fisher College
Nicole Christopher is skilled in: Information Security, Security, Disaster Recovery, Business Continuity, PCI DSS, CISSP, Network Security, Vulnerability Assessment, ITIL, CISA, IAM, Data Privacy