James J. Finn, CISA, CIA, and CRMA
(mobile) 781.307.7857 | (email) jamesfinn111@gmail.com

I am an experienced internal control professional with a solid understanding of Enterprise, Financial and Information Systems, Security, Compliance, Audit, and “Risk Assessment / Risk Management” programs and techniques.

I apply the “Three Lines of Defense” approach for resource allocation and apply either the COSO framework or NIST 800-30r1 risk management models, and I prefer to work with NIST 800-53r4 internal IT control standards. I have worked with various “Third Party Service Provider” (TPSP) vendor Risk Assessment and Management techniques. I specialize in Cybersecurity, Agile Project Risk Management, COSO, SOX and MAR ICFR compliance programs, PCI Compliance, and vendor Risk Management. I am capable of establishing a complete FISMA Information Systems compliance program for vendors selling to the Federal government. Deliverables have included developing workflows and written Risk Management policies, procedures and standards for information systems security, Agile Projects, and applications security. I have provided InfoSec audit and advisory services for a FedRAMP FISMA “Cloud Service Provider” (CSP) for a SaaS application, and performed multiple “IT Security Risk Assessments” for John Hancock’s “Investment Funds” major vendors (Custody and NAV Fund Accounting) using AICPA SOC 1 and SOC 2 reports as well as the “Standard Information Gathering” (SIG) “Shared Risk Assessment” tool.

I completed an information security risk assessment for the Massachusetts “State Auditor’s Office” focused on PII and PHI / ePHR that combined the best approaches from NIST 800-30r1, 800-39, CMS guidance, and the HITRUST / HIPAA control standard framework. I have selected and recommended risk response mitigating controls from HITRUST, ISO/IEC 27002 standards, and NIST 800-53r4 standards to establish commercially acceptable information systems security for compliance with PCI, FedRAMP, FISMA, and FFIEC systems security plans (SSP) requirements.

• Designed risk assessment and control architectures at the enterprise, process, and information systems levels (NIST Tiers) to be consistent with FFIEC, FISMA, HIPAA, HITRUST CSF, COSO, ISO ERM, MAR and PCI DSS requirements to improve risk management and control maturity levels.
• Managed information systems projects for banking, manufacturing, financial reporting, and financial services applications over a 30-year career, including designing Risk Management and control procedures for Agile / Scrum programs.
• During my career I successfully filled the positions of Chief Financial Officer (CFO), Chief Auditing Officer (CAO), and Chief Compliance Officer (CCO).
• Worked extensively throughout my career as a business information systems project manager.

EDUCATION: Northeastern University
MBA, Master of Business Administration
BS, Business Administration, Finance (With Honors)
AS, Associate’s Degree, Computer Science & Project Management

PROFESSIONAL DEVELOPMENT
CRMA, Certified Risk Management Assessor
CISA, Certified Information Systems Auditor (10-year Gold Member)
CIA, Certified Internal Auditor (Internal Controls)
2011 to 2018: Completed extensive CPE training seminars in Auditing, Risk Management, IT Security (CISSP review), and the COSO/COBIT Internal Control Frameworks to maintain all certifications “Active”.

Areas of Expertise
GRC / Enterprise Risk Management: Performed enterprise governance, risk, and control (GRC) audits and recommended improvements for existing internal fraud control, and information systems “Risk Assessments” based on commercially accepted Risk and Control frameworks consistent with ISO 31000, NIST SP 800-30r1 and COSO ERM.
IT Security Risk, Auditing and Management: Assessed process and Cybersecurity risk, and compliance controls for HIPAA, Sarbanes Oxley (SOX) ICFR. I also audited and improved controls per HITRUST, FedRAMP FISMA NIST, and FFIEC standards. I have also applied the “Shared Risk Assessment” (SIG) program for vendor technology risk assessments.
Internal Auditing: Applied internal auditing standards at over a dozen companies to audit and document SOX internal controls and information systems Compliance, and to assess HIPAA, PCI, and IT security internal control strengths and weaknesses.
Project / Program Management: I have managed multiple banking and manufacturing information systems projects, including a global “conversion” project, and have implemented internal Risk and Control programs. I have worked with “Waterfall” and “Agile” Project Management techniques to produce successful project outcomes.
Business Process Analysis: Over 30 years’ experience analyzing, designing, reengineering, and documenting “Business Process” workflows.
Financial Analysis: Over 20 years’ experience in financial reporting, Cost/Volume/Profit analysis, variance analysis, Budgeting, and product / services pricing analysis.

PROFESSIONAL EXPERIENCE

Homesite Insurance (an AmFam firm) October 2016 to Jan. 2018
Boston MA, IT InfoSec / PCI Sr. Compliance Auditor & SME
Reported to IT Risk and Audit manager (Embedded in IT dept.)

• Extensive NIST SP 800-30r1 and 39 Risk assessment / Risk Management development.
• Responsible for establishing a PCI Risk Assessment and management program for on-going PCI Risk assessments, and Cybersecurity control design for PCI compliance.
• Designed and established GRC risk management for a commercial insurance subsidiary using “Agile” project management as well as assessing the use of Waterfall internal controls.
• Evaluated PCI Cybersecurity strength of the P&C insurance and Commercial insurance IT E-Commerce group through interpretation of assessment reports covering all aspects of their Cybersecurity information security and control program.
• Provided comprehensive third-party service provider (vendor) risk assessments for compliance.
• During November 2017, I presented a course as a guest speaker for the MIS Training Institute (MISTI) titled “Linking Enterprise Risk Management to IT Risks.”

The Broad Institute of MIT and Harvard March 2016 to April 2016
Cambridge MA, IT InfoSec Auditor
Reported to InfoSec manager

• Provided a summary level review with recommendations for their FedRAMP “FireCloud Project” based on an independent review and interpretation of their System Security Plan (SSP) and their Security Assessment Report (SAR) documentation.
• Evaluated FISMA NIST 800-53r4 SSP information security controls to determine POAM requirements for achieving the client’s “authorization to operate” (ATO) status for their Cloud based SaaS application.

John Hancock / MetLife Insurance Nov. 2015 to February 2016
Portsmouth NH, IT risk assessor for “Vendor Technical Risk Management” (VTRM) team
Information Risk Management Div. (IRM)

• Engaged by an IT consulting/staffing firm as an information system “Technical Risk Auditor and Consultant” for major vendors to execute a “Shared Assessment” program assessing IT security “Risk and Controls” for critical IT vendor information systems used by multiple John Hancock “Wealth Management” Funds.
• This work was performed using SOC 1 and 2 reports and the “Shared Assessment” Structured Information Gathering (SIG) tool.
• The major vendor IT Security Risk assessments were conducted consistent with ISO/IEC 27001 / 27002 series IT Risk and Security standards, applying the Santa Fe Group’s “Shared Assessment” program.
• Typical critical major vendors assessed included large financial services and Software vendors such as State Street Corp., Exadel, Charles River Development and Interactive Data Corp.
• Provided recommendations for control process and procedures improvements.

Santander Bank August to October 2015
Dorchester MA, BCP/DR Auditor in Operational Risk
Business Consultant, Internal Control BIA/BCP

• Engaged by a consulting firm as a Business Consultant to Santander Bank to participate in an audit and remediation assessment of multiple department and process “Business Impact Analysis” (BIA) for Business Continuity Planning, focusing on application / process / and vendor dependencies and recovery times.
• This project was driven by Basel and Dodd-Frank risk and data aggregation requirements, as well as the Federal Reserve Board’s (Boston) CCAR requirements, and the OCC “Guidelines Establishing Heightened Standards” and the Three Lines of Defense risk management model.

Massachusetts Office of State Auditor (OSA) April 1st to June 30th, 2015
Boston, MA, IT Security Risk and Compliance SME
IT Risk and Security Compliance SME

• Engaged by OSA to complete an IT Risk and Security Assessment that merged NIST standards (800-39, 37, and 30), the 2014 NIST Cybersecurity Framework, and CMS standards with MassIT department guidelines.
• This information system Risk and Security Assessment program focused on establishing an information systems security baseline “Risk Assessment” and control gap analysis to drive applying the HITRUST control framework to improve OSA’s IT Security compliance program in health PHI data analytics.
• The information system assessed focused primarily on HIPAA PHI and PPI Data Privacy security and compliance for OSA / MassIT network confidential data transfers.

BTS Asset Management, MA Oct. 11, 2011 to Feb 2015
Lexington MA, IT Contract Auditor
Chief Audit Officer, CCO and Director of Enterprise Risk & Control

• Engaged by BTS as a Sr. Compliance Audit & “Risk” Consultant to perform a system audit of their IBM AS-400 / iSeries legacy system and legacy RPG applications, TCP/IP network, DB2 and SQL database use, and MS Dynamics GP application as part of a legacy software review program.
• Initiated projects to mitigate SEC Compliance and IT Security risk by improving the effectiveness of preventive and detective internal control policies and procedures in accordance with SEC Rule 206(4)-7 to meet recent SEC / NIST “Cyber-Security” requirements.
• Assessed GLBA and PPI data privacy compliance and IT Security procedures and assessed existing data input workflows and NIST 800-53r4 (j) controls and assessment models.
• Expanded my role to improving BTS’s Enterprise Risk Management (ERM) program.
• Performed Business Impact Assessment (BIA) audits, and Business Continuity Planning (BCP) / Disaster Recovery (DR) audits as a part of the BTS SEC compliance improvement project.

Wright Express Corp., S. Portland ME (now WEX Inc.) Dec. 2010 to Feb. 2011
Sr. IT Project Manager, Tax Compliance project
Credit Card, payment & Settlement Processing Company

• Researched information systems and document imaging solutions to develop an IT application for IRS reporting and PCI security compliance based on an audit of what existed and the new legal requirements (what needed to be done).
• I established technical specifications (how IT security and technology will be applied) for the tax compliance application that would integrate new requirements with existing legacy accounting and merchant payment systems.

FedEx, Memphis TN April 2010 to June 2010
Overnight Express Company
IT Compliance Consultant (SDLC)

• Engaged as an IT security compliance internal control Subject Matter Expert (SME) on a specialized consulting project team to review and remediate their Application Lifecycle Management (ALM) / Systems Development Life Cycle (SDLC) program. The program was required for SOX and PCI Compliance.
• I authored a first draft total rewrite of the SDLC / GDP compliance procedures to establish additional “Universal Regulatory Compliance Controls”.

Mass Mutual Financial Services Group, Springfield MA June 2008 to Feb. 2009
Conglomerate financial services and Insurance provider
InfoSec Risk / SOX Compliance Auditor (SOX, ISO-27000, ISO-IEC 17799)

• Engaged by Mass Mutual information security department (InfoSec) as a Sr. IT Security Compliance Auditor to provide independent SOX IT security control testing.
• This compliance program required IT security auditing, process control consulting, deficiency remediation, RCM documentation, and compliance auditing services across a wide range of information systems including Unix OS, VMS, and IBM mainframe operating systems.
• The assessment included application controls for legacy custom applications as well as SAP applications. I also verified and validated application security information in a database application (Archer).

Compliance & IT Auditor and Consultant June 2002 to June 2008
SOX / IT General Computer Controls (ITGCC) Auditor and consultant
Engaged for SOX projects by over a dozen companies including: Microsemi Corp., Liberty Mutual Financial Group, Eaton Vance, TYCO Corp, Iron Mountain, TRC Corp, Gem-Plus (now Gemalto), and Boeing Aircraft Co.

Dynagraf Inc., Canton MA Dec. 1993 to June 2002
Commercial printing company
CFO, VP IT & Administration

• I was responsible for establishing and managing the corporate General Ledger and financial reporting system, internal financial management reporting, financial planning and budgeting, as well as for internal financial control procedures.
• I was responsible for IT operations and was the project manager for implementing two generations of ERP software applications and systems.

Multiple Organizations 1976 to 1993
Self-employed Financial reporting and IT Security Consultant

• I was responsible for acquiring, establishing and maintaining Financial GL accounting and reporting automated processes and systems, IT Security processes, management reporting, financial planning / budgeting, and internal operating control procedures.
• I was the corporate project manager responsible for implementing multiple manufacturing ERP and accounting software applications and systems.
• Direct positions included “Corporate Controller” and “MIS / Project Manager”.

First National Bank of Boston 1972 to 1976
Management Trainee, and Special Projects analyst

• As a Management Trainee, I completed their commercial loan credit-risk training program for credit and commercial loan officers.
• As an analyst for the Profit Planning Dept. of the First National Bank of Boston, I was responsible for cost analysis, financial and economic risk and profitability modeling, and reporting to top management economic risks related to capital adequacy.

Publications
• Published an analysis of SOX compliance and PCAOB AS-2 titled “The Great SOX Caper”. See http://tinyurl.com/ybwp6tp. This paper focuses on the difficulties gathering relevant information on “As-Is” conditions for internal risk and control design.
• Authored and published a statistical “White Paper” on “Internal Auditing Sampling for Compliance” (see link: www.scribd.com/doc/18341733/Sampling-for-Audit-SOX-MAR-Compliance).
