
Vimala Erothi

Hyderabad

Summary

A highly motivated and results-driven IT Risk Management professional with 5+ years of experience in GRC, covering ITGC control testing, SOX compliance, Access Management, Change Management and Cloud Security. Seeking to leverage my expertise in IT governance, risk assessment and compliance frameworks such as COBIT, NIST and ISO 27001 to contribute to the security and operational resilience of a forward-thinking organization. Strong analytical and problem-solving skills with a proven track record in mitigating IT risks, ensuring regulatory compliance, and implementing effective control measures. Demonstrated expertise in conducting thorough security assessments and developing and enforcing policies, and a proven ability to collaborate with cross-functional teams, communicate complex security concepts to non-technical stakeholders, and provide proactive solutions to ensure a secure and compliant environment. Committed to maintaining up-to-date knowledge in the field, pursuing relevant certifications, and contributing to the overall success of the organization through a proactive and hands-on approach to cybersecurity.

Overview

6 years of professional experience

Work History

Information Security (GRC) Consultant- Cyber Strategy

DELOITTE TOUCHE TOHMATSU INDIA LLP
01.2023 - Current

Successfully delivered multiple projects including Third-Party or Vendor Risk Management (TPRM), ITGC SOX Control Testing (TOD & TOE), and Cloud AWS Security Assessments. Performed internal audits and secondary audits to validate compliance with internal and external audit findings, ensuring the effectiveness of remediation efforts.

Third-Party Risk Management (TPRM)

Risk Management: Expertise in conducting risk assessments and developing risk management strategies to prioritize and address potential security threats. Proactive approach to identifying and mitigating risks through the implementation of risk mitigation measures and continuous monitoring.

● Executed Third-Party assessments, including Vendor Onboarding, Periodic Reviews, and Physical Security Audits, ensuring compliance with contractual and regulatory requirements.

● Performed due diligence checks, including reviews of vendor policies, controls, and certifications (e.g., ISO 27001, SOC 2, PCI DSS, HIPAA), ensuring alignment with organizational and regulatory requirements.

● Conducted risk assessments to evaluate third-party control environments across domains such as Information Security, Data Privacy, Business Continuity, and Physical Security.

● Reviewed third-party service agreements, SLAs, and risk documents to identify potential gaps and compliance issues.

● Performed onsite and remote vendor audits, including physical security checks, access controls and surveillance systems, ensuring adherence to established security standards.

● Monitored and reported key metrics related to vendor risk, including high-risk vendor statuses and remediation timelines, to stakeholders and leadership.

● Assisted in the development and implementation of TPRM frameworks, policies, and workflows to enhance third-party risk management processes.

● Collaborated with vendors to design and monitor risk mitigation strategies for identified control gaps and tracked the closure of findings through secondary reviews.


SOX (Sarbanes-Oxley Act) ITGC Control Testing

SOX Control Testing: Experience in SOX (Sarbanes-Oxley Act) ITGC controls testing in alignment with the COSO framework, focusing on Test of Design (TOD) and Test of Effectiveness (TOE). Led walkthroughs with control owners to assess control processes and gathered samples based on sampling methodologies. Evaluated control effectiveness and provided actionable recommendations for areas of improvement.

● Conducted IT General Controls (ITGC) testing for SOX compliance, focusing on Access Management, Change Management, Segregation of Duties, and Backup and Recovery Controls.

● Performed Test of Design (TOD) to evaluate the adequacy and appropriateness of control designs, ensuring alignment with regulatory requirements and industry best practices.

● Executed Test of Effectiveness (TOE) by obtaining and reviewing evidence to validate the operational effectiveness of controls, identifying deficiencies, and recommending remediation plans.

● Reviewed key controls in the SDLC, including Source Code Management, Test Evaluation Reports, and approvals for system changes, ensuring compliance with SOX requirements.

● Assessed User Access Management processes, including provisioning, de-provisioning, and periodic access reviews for critical systems, to validate adherence to established policies.

● Validated controls related to privileged access management (PAM) and password policies to ensure compliance with SOX ITGC standards.

● Collaborated with stakeholders to document control processes, test results, and identified deficiencies, providing detailed reports and recommendations for improving control environments.


Cloud Security Assessment (AWS)

● Conducted AWS security application assessments to ensure control effectiveness aligns with regulatory requirements such as GLBA, HIPAA, GDPR, and PCI DSS.

● Assessed the implementation of AWS security controls, including identity and access management (IAM), data encryption, logging, monitoring, and vulnerability management, to ensure compliance with industry standards and frameworks.

● Evaluated cloud-based controls and configurations against leading benchmarks such as the CIS AWS Foundations Benchmark to identify gaps and propose remediation measures.

● Designed and executed tailored audit procedures to validate compliance with multiple regulatory regimes, ensuring adherence to privacy and data protection mandates.

● Reviewed AWS environments for security misconfigurations and provided detailed recommendations to strengthen cloud security posture.

● Collaborated with cross-functional teams to develop and implement risk mitigation strategies for non-compliant AWS resources.

● Prepared detailed reports and dashboards to communicate assessment findings and recommendations to stakeholders, ensuring transparency and continuous improvement.

Risk & Compliance Consultant

Yes Bank Pvt Ltd
06.2021 - 01.2023
  • Conducted AWS security application assessments to ensure control effectiveness aligns with regulatory requirements such as GLBA, HIPAA, GDPR, and PCI DSS.
  • Assessed the implementation of AWS security controls, including identity and access management (IAM), data encryption, logging, monitoring, and vulnerability management, to ensure compliance with industry standards and frameworks.
  • Evaluated cloud-based controls and configurations against leading benchmarks such as the CIS AWS Foundations Benchmark to identify gaps and propose remediation measures.
  • Designed and executed tailored audit procedures to validate compliance with multiple regulatory regimes, ensuring adherence to privacy and data protection mandates.
  • Reviewed AWS environments for security misconfigurations and provided detailed recommendations to strengthen cloud security posture.
  • Collaborated with cross-functional teams to develop and implement risk mitigation strategies for non-compliant AWS resources.
  • Prepared detailed reports and dashboards to communicate assessment findings and recommendations to stakeholders, ensuring transparency and continuous improvement.

Security Compliance Analyst

IndusInd Bank Pvt Ltd
12.2020 - 06.2021
  • Conducted physical security assessments during vendor audits, including surveillance system reviews, access controls, and security infrastructure evaluations, ensuring compliance with organizational standards.
  • Assessed and monitored the implementation of physical security controls such as badge access systems, CCTV monitoring, and secure storage mechanisms for sensitive assets.
  • Performed on-site audits to verify compliance with physical security policies and procedures, identifying gaps and recommending mitigation strategies.
  • Planned and executed internal audits to evaluate compliance with organizational policies, IRDA regulatory requirements, and industry frameworks such as ISO 27001, NIST, and COBIT.
  • Conducted risk-based assessments of IT and business processes to identify control deficiencies and provide actionable recommendations for improvement.
  • Reviewed evidence for audit findings, prepared detailed reports, and presented results to senior management and audit committees.
  • Designed and implemented Business Continuity Plans (BCP) and Disaster Recovery (DR) strategies, ensuring alignment with ISO 22301 and organizational policies.
  • Conducted Risk Assessments and business impact analysis (BIA) to identify critical business functions and recovery priorities.
  • Developed and tested DR plans and reviewed backup and restoration processes to validate the RPO and RTO for critical systems.
  • Reviewed control activities and evidence to validate compliance with service-level agreements (SLAs) and organizational commitments.
  • Evaluated third-party service providers' SOC reports as part of Third-Party Risk Management (TPRM) to ensure compliance with contractual and regulatory requirements.

KYC Analyst

HDB Financial Service
09.2019 - 10.2020
  • Conducted thorough Know Your Customer (KYC) checks to verify customer identities and assess the risk of fraudulent activities during the credit card application process.
  • Reviewed and validated customer documentation and performed due diligence checks using internal tools and third-party systems to identify red flags and inconsistencies.
  • Monitored and flagged suspicious transactions or activities for further investigation by fraud prevention teams.
  • Ensured data accuracy and confidentiality while maintaining compliance with data protection regulations.
  • Tracked and updated KYC records for periodic reviews and regulatory reporting requirements.
  • Prepared and presented detailed reports to managers and senior leadership, summarizing KYC checks to process the approvals.

Education

Graduation - B.Com (Computers)

Andhra University
05-2017

Skills

  • Tools: ServiceNow, Archer, PAM, SIEM, AWS Security tools
  • Frameworks: NIST, COBIT, COSO
  • Compliance: ISO 27001, SOX, SOC 2, HIPAA, PCI DSS, GDPR, PAPG, GLBA
  • Security Certifications: ISO/IEC 27001:2022 Lead Auditor (LA), Third-Party Risk Assessor, AWS Cloud Practitioner
  • Security Assessments: TPRA, Internal Audits, ITGC Controls Testing, SOX Compliance Audit, Cloud Security, VAPT Review, DLP, ISO Policies & Standards Updates, Physical Security, Change Management Process, IDAM, BCP/DR, etc.
  • IT governance

Languages

English
Hindi
Telugu

Declaration

I hereby declare that all the information given above is true and correct to the best of my knowledge.


Signature

Vimala Erothi
