James J. Finn, CISA, CIA, and CRM
20 Heath’s Court, Unit 101 | Lynn, MA 01905 | (cell phone) 781.307.7857
(Email) [email protected]
Professional Risk and Compliance consultant in Cybersecurity, Enterprise Risk Management, IT
Security, SOX Internal Control (ICFR), PCI, and “Governance, Risk, and Compliance (GRC)” programs
that included developing policies and procedures to establish adequate control designs and operationally
effective control processes, procedures, and security standards. Experience includes risk management
and compliance auditing and internal control remediation, ISO 27000 compliance, NIST 800r4, and
“Business Continuity / Disaster Recovery” (BC/DR) programs to meet FFIEC requirements. In addition,
I recently provided InfoSec audit and advisory services for a FedRAMP, FISMA, “Cloud Service
Provider” (CSP), and performed multiple “IT Security Risk Assessments” for John Hancock’s
“Investment Funds” major vendors (Custody and NAV Fund Accounting) using AICPA SOC 1 and SOC
2 reports as well as the Santa Fe “Structured Information Gathering” (SIG) “Shared Assessment” tool. I
also recently completed an information security risk assessment for the Massachusetts “State Auditor’s
Office” focused on PII and PHI / PHR that combined the best approaches from NIST 800-39, 30, the
CMS guidance, and the HITRUST HIPAA control standard framework. I have selected and
recommended risk response controls from HITRUST, ISO/IEC 27000 series, and the NIST 800-53r4
standards where appropriate for commercially acceptable information systems security, and for
compliance with FedRAMP FISMA information systems security programs.
Designed risk and control architectures at the enterprise, process, and information systems levels to be
consistent with Basel, NIST, FISMA, COSO, ISO ERM, and PCI DSS standards to improve risk
management and control maturity levels.
Managed information systems projects for banking, manufacturing ERP, financial reporting, and
financial services applications.
During my career I successfully filled the positions of Chief Financial Officer (CFO), Chief Auditing
Officer (CAO), and Chief Compliance Officer (CCO).
Worked extensively throughout my career as a business Information Systems Project Manager.
EDUCATION: Northeastern University
MBA, Master of Business Administration
BS, Business Administration, Finance (With Honors)
AS, Associates Degree, Computer Science & Project Management
CRMA, Certified Risk Management Assessor
CISA, Certified Information Systems Auditor (10-year Gold Member)
CIA, Certified Internal Auditor (Internal Controls, SOX ICFR)
2011 to 2016: Completed extensive training seminars in Auditing, Risk Management, IT Security
(CISSP review), and the COSO/COBIT Internal Control Frameworks to maintain all certifications
AREAS OF EXPERTISE
GRC / Enterprise Risk Management Programs: Performed enterprise governance, risk, and control
audits and populated multiple GRC “commercial off the shelf software” (COTS) with process safeguards
and controls based on “Risk Assessments” and Internal Control frameworks consistent with NIST, ISO
31000, and COSO IC and COSO ERM frameworks.
IT Security & Risk Auditing and Management: Worked with “Big 4” audit firms to assess process
and Cyber security risk, and compliance controls for Sarbanes Oxley (SOX) ICFR, PCI, and universal
controls. I audited and improved controls per HITRUST, FedRAMP FISMA NIST, and FFIEC
standards. Provided control recommendations for HIPAA PHI and Massachusetts PII data privacy
programs. Applied the SIG “Shared Assessment” program for vendor technology risk assessments, and
volunteered as an “expert reviewer” of pending Draft ISO “IT Security Standards” for ISACA covering
cloud and PII Data privacy standards.
Project / Program Management: Managed multiple information systems projects including a global
“conversion” project for “DEC” as well as smaller local company focused IT projects to establish
enterprise resource planning and financial reporting, and to implement internal Risk and Control
programs. I have applied “Waterfall” and “Agile” Project Management techniques to produce successful
Business Process and Data Analysis: Over 30 years of experience analyzing, designing, reengineering,
and documenting “Business Process” and information / Data flows and workflows. Use IDEF0
“Structured Systems Analysis and Design” (SSAD) techniques to collect and communicate process
information and merge the COSO frameworks with standards and develop specialized risk and control
architectures for clients.
Internal Auditing: Applied internal auditing standards at over a dozen companies to audit and
document SOX internal control Compliance, and to assess HIPAA, PCI, and IT security internal control
strengths and weaknesses. Audited controls across multiple “Operating Systems” including Unix, VMS,
and IBM. Acquired ICFR audit training from Deloitte, and other leading audit firms while auditing SOX
Financial Analysis: Over 20 years of experience in financial reporting, Cost/Volume/Profit analysis,
variance analysis, Budgeting, and product / services pricing analysis.
The Broad Institute of MIT and Harvard
March 2016 to April 2016
Cambridge MA, IT InfoSec Auditor
Reported to InfoSec department
● Provided management with a summary level review and recommendations for their FedRAMP
“FireCloud Project” based on my independent review and interpretation of their System Security Plan
(SSP) and their Security Assessment Report (SAR) documentation.
● Evaluated FISMA NIST 800-53r4 SSP information security controls to determine (POA&M)
requirements for achieving the client’s “authorization to operate” (ATO) status for their Cloud based
● Worked in a mature Agile Scrum project management environment to assess project control adequacy
and provide information system security support for systems and vendor provided cloud processing for
health and medical research analytics for MIT and Harvard cancer and genome scientists and IT
John Hancock / MetLife Insurance
Nov. 2015 to February 2016
Portsmouth NH, IT Auditor for “Technical Risk Management” (TRM) team
Information Risk Management Div. (IRM)
● Engaged by an IT consulting/staffing firm as an information system “Technical Risk Auditor and
Consultant” to execute a “Shared Assessment” program assessing IT security “Risk and Controls” for
multiple John Hancock Funds critical IT vendor information systems.
● Completed familiarization training on using Archer in their risk assessment and control environment.
● This work was performed using SOC 1 and 2 reports and the “Shared Assessment” Structured
Information Gathering (SIG) tool. My responsibility was to apply my information systems and
technology Risk and Security skill and experience to interpret and assess the vendor IT Security and
technology Risks presented by vendors to John Hancock.
● The vendor IT Security Risk assessments were conducted consistent with ISO/IEC 27000-series IT Risk
and Security standards applying the Santa Fe Group’s “Shared Assessment” program.
● Typical vendors assessed included large Financial and Software vendors such as State Street Bank,
Exadel, Charles River Development and Interactive Data Corp.
August to October 2015
Dorchester MA, BCP/DR Auditor in Operational Risk
Business Consultant, Internal Control BIA/BCP
● Engaged by a consulting firm as a Business Consultant to Santander Bank to participate in an audit and
remediation assessment of multiple department and process “Business Impact Analysis” (BIA) for
Business Continuity Planning - focusing on application / process / and vendor dependencies and
● This project was driven by Basel and Dodd-Frank risk and data aggregation requirements, as well as the
Federal Reserve Board’s (Boston) CCAR requirements.
● The Operational Risk project was to improve compliance with the Federal Reserve’s CCAR program
(Qualitative MIS deficiency), and the Basel “Principles for effective risk data aggregation and risk
This Risk Assessment process was consistent with the FFIEC Cybersecurity Assessment Tool standard
released on June 30, 2015.
Massachusetts Office of State Auditor (OSA)
April to June 2015
Boston, MA, IT Security Risk and Compliance SME
● Engaged by OSA to complete an IT Risk and Security Assessment that merged NIST standards (800-39,
37, and 30), the 2014 NIST Cybersecurity Framework, and CMS standards with HITRUST standards.
● This information system Risk and Security Assessment program focused on establishing an information
systems security baseline “Risk Assessment” to drive applying the HITRUST control framework and
NIST 800r4 to improve OSA’s IT Security compliance program in health PHI data analytics.
● The information system assessed was used for data analytics, and focused primarily on HIPAA PHI and
PPI Data Privacy security and compliance for OSA / MassIT network confidential data transfers.
BTS Asset Management
Oct. 2011 to Feb 2015
Lexington MA, IT Contract Auditor
Chief Audit Officer (CAO), CCO and Director of Enterprise Risk & Control
Engaged by BTS as a Sr. Auditing Consultant to perform a systems analysis of their IBM iSeries legacy
system, TCP/IP network, database use, and MS Dynamics GP systems as part of a legacy software
review program to improve overall productivity, IT security, data privacy, SEC compliance, and
operational effectiveness of BTS’s business and compliance processes by applying a FISMA model
based on NIST 800-53r4.
Initiated projects to mitigate SEC Compliance and IT Security risk by improving the effectiveness of
preventive and detective internal control policies and procedures in accordance with SEC Rule 206(4)-7
to meet recent SEC / NIST “Cyber-Security” requirements.
Assessed GLBA and PPI data privacy compliance and IT Security procedures, and assessed existing data
input workflows and NIST 800-53r4 (j) controls and assessment models.
Expanded my role to improving BTS’s Enterprise Risk Management (ERM) program.
Performed Business Impact Assessment (BIA) audits, and Business Continuity Planning (BCP) /
Disaster Recovery (DR) audits as a part of the BTS SEC compliance improvement project.
Wright Express Corp., S. Portland ME
Dec. 2010 to Feb. 2011
Credit Card, payment & Settlement Processing Company
Sr. IT Project Manager, Tax Compliance audit project
● Researched information systems and document imaging solutions to develop an IT application for IRS
reporting and PCI security compliance based on an audit of what existed and the new legal requirements
(what needed to be done).
● Established technical specifications (How IT security and technology will be applied) for the tax
compliance application that would integrate new requirements with existing legacy accounting and
merchant payment systems.
FedEx, Memphis TN
April 2010 to June 2010
Overnight Express Company
IT Compliance Auditor / Consultant (SDLC)
● Engaged by PRTM Consulting as an IT security compliance internal control Subject Matter Expert
(SME) on a specialized consulting project team to review and remediate FedEx Application Lifecycle
Management (ALM) / Systems Development Life Cycle (SDLC) program. The program was required
for PCI DSS and SOX Compliance.
● Authored a first draft total rewrite of the SDLC / GDP compliance procedures to establish additional
“Universal Regulatory Compliance Controls” that combined HIPAA (NIST) standards, SOX, and PCI
DSS control requirements.
Mass Mutual Financial Services, Springfield MA
June 08 to Feb 09
Conglomerate financial services and Insurance provider
InfoSec Risk / SOX Compliance Auditor (SOX, ISO-27000, ISO-IEC 17799)
Engaged by Mass Mutual’s information security department (InfoSec) as a Sr. IT Security Compliance
Auditor to provide independent SOX IT security control testing. This compliance program required IT
security auditing, process control consulting, deficiency remediation, RCM documentation, and
compliance auditing services across a wide range of information systems including Unix OS, and VMS,
and IBM mainframe operating systems.
The assessment included application controls for legacy custom applications as well as SAP
I also tested and validated application security information for an Archer database.
Prepared documentation for their external auditors for a SAS-70 service audit (now SOC 1 or 2).
Compliance, IT Auditor and GRC Consultant
June 2002 to June 2008
Audited SOX / IT General Computer Controls (ITGCC), and implemented risk and control processes
into multiple vendor GRC software. Consulting services engaged by:
Gem-Plus (now Gemalto)
Liberty Mutual Financial Group
Boeing Aircraft Co
Dynagraf Inc., Canton MA
Dec. 1993 to June
Commercial printing company
CFO, VP IT & Administration
I was responsible for establishing and managing the corporate General Ledger external
financial reporting, internal financial management reporting, financial planning and
budgeting, and all internal financial controls.
I was responsible for all business IT operations, and was the project manager responsible
for implementing two generations of ERP/GL software applications and systems.
1976 to 1993
Self-employed Financial and IT Security Consultant
I was responsible for acquiring, establishing and maintaining Financial reporting automated
processes and systems, IT Security processes, financial analysis, management reporting,
financial planning / budgeting, and internal controls.
I was a project manager implementing multiple manufacturing ERP software applications
Direct positions included “Corporate Controller” and “MIS / Project Manager”.
First National Bank of Boston
1972 to 1976
Management Trainee, and Special Projects analyst for BoD and CEO
As a Management Trainee, I completed their commercial loan credit-risk training program for
credit and commercial loan officers.
As an analyst for the Profit Planning Dept. of the First National Bank of Boston, I was
responsible for cost analysis, financial and economic modeling, and reporting to top
management economic risks related to capital adequacy, financial leverage, and credit
modeling for commercial loans. Also evaluated the bank’s information systems operations and
• Published an analysis of SOX compliance and reasons for project failures titled “The Great SOX
Caper”. This paper focused on the management obstacles to gathering relevant information on
organizations’ “As-Is” conditions for compliance, governance, and internal risk control management.
• Authored and published a “White Paper” on “Internal Auditing Statistical Sampling”; Additional
research on Bayesian Risk “Likelihood” statistical sampling plans.