Thomas E. Yorke
Details
Network and Communication Management
DeVry University
2010 : 2012
Computer Science and Electrical Engineering
Rutgers University
1993 : 1997
1) Provide leadership and governance in the programmatic use of SOC 2 Type II audits to satisfy program and regulatory requirements for third-party suppliers. Responsible for mapping Citi IS controls to the SOC 2 Type II. Tracking, metrics and analytics responsibilities related to this role.
2) Lead and drive complex risk assessments of our third-party suppliers, concentrating on information security, technology, cyber risk and physical security in accordance with Citi standards. Evidence-based audits of our suppliers' capabilities to secure Citi data.
2021 : Present
Citi
VP, Information Security, Third Party Risk Management
Security of client data is becoming a top concern as all industries seek to optimize their business processes. When a critical business process flow is shifted to third-party service providers, it must be recognized that this decision carries inherent risks, which must be balanced against the benefits.
Third Party Risk Management includes several processes that work to understand what those risks are and what mitigation needs to be put in place to bring the residual risk to an acceptable level. Those processes include reviewing and advising the organization on the state of the existing program, assessing the vendors directly, and performing risk analysis across the third-party portfolio.
My journey in TPRM started with an opportunity in 2011 to use my technical background and review third-party organizations. Since then, I have assessed hundreds of organizations, including some of the largest technology companies in the market. I have built TPRM processes, materials and procedures for clients, and training for my teammates. I have partnered with third parties to work on mitigations for risk gaps. I push forward every day to reduce client risk and help my colleagues around me grow.
2015 : 2021
Deloitte
Senior Business Analyst Lead - Cyber Risk Services
The responsibility to manage and secure customer information does not end with the outsourcing of operations processes. As it pertains to financial, retail, or medical institutions, information security control requirements are a top concern, regardless of where or how the work is performed.
To this end, vendors must be managed effectively: assessments of their information security controls must be performed, gaps identified, and remediation plans executed in a timely manner.
The scope of controls investigated includes physical security, operational security and resilience, and technical control effectiveness (NIST, ISO, HIPAA). Typical domains included, but were not limited to, firewalls and network design, data network storage, Active Directory, email platforms such as Exchange, and vBSIMM (software) SDLC. Typical engagements required report writing based on 180-320 controls, depending on risk level.
2011 : 2015
JPMorgan Chase
Information Security & Risk - Vendor Management
Production Assurance and Incident Management are disciplines that require a combination of technical knowledge, business skills, market awareness, and communication, both written and verbal. Success is achieved through the ability to coordinate resources and people, leverage documentation and process, and maintain customer focus as the compass.
Partner with infrastructure teams in the server, network, desktop, mainframe and application development disciplines. Govern the resolution of technology platform incidents and execute command and control. Provide clear, concise, targeted written and verbal communication, crafted for the target audience.
2005 : 2011
JPMorgan Chase
Production Assurance & Incident Manager
Resolved trading platform technology issues for clients of the Investment Bank.
Managed access to account, domain, printing, share, and data archive resources.
2001 : 2005
JPMorgan Chase
Trading Technology Support
Skills
Cisco routers, Cisco routing & switching, data center, disaster recovery, enterprise risk management, incident management, information security, information technology, IOS firewall, Linux firewalls, management, networking, operating systems, structured cabling, TCP/IP, Third Party Risk Management (TPRM), UNIX, vendor management, enterprise risk, ITIL
About
Focused on cyber risk and information security, specifically Third Party Risk Management. My clients need assistance in determining whether their vendors are protecting their data. Larger-scale operations may need a TPRM program refresh in tools, standards, or process. Sometimes it is really as simple as "Are we asking the right questions?" To be effective in TPRM, you need to be adept in the endpoint, network, server, application, and security monitoring layers. You must be able to bring the client's requirements and the vendor's environment together. You have to actively listen. You have to deal in facts and evidence, and you must be able to communicate those facts in a way that builds up the partnership between the client and the vendor. TPRM is truly part science, part artistry. Every third-party engagement is unique, comprised of a tapestry of software, network connections, interactions, and the people who manage those factors.
Industries: Financial, Healthcare, Commercial. I hold a B.S. in Network and Communication Management and am a Certified Third Party Risk Professional (CTPRP) and AWS Cloud Practitioner certified (June 2021). Prior to Citi, I worked at Deloitte from 2015 to 2021 in Cyber Risk Consulting and TPRM. Previously, I worked for JPMorgan Chase from 2001 to 2015 in Trading Floor Technology, Global Incident Management, and Supplier Risk Management.
Most often used standards: NIST, ISO, HIPAA, SOC 2