Work Background
Staff Security Risk Analyst
Okta
Mar. 2023
Piedmont, Oklahoma, United States
• Leverage knowledge of enterprise governance to improve compliance in Okta’s multi-provider cloud environment.
• Engage across business units, including Executive Management, Legal, IT, Human Resources, DevOps, Information Security, and Internal Audit to conduct the annual IT risk assessment.
• Partner with business and technical teams to identify remediation plans for risks and issues identified.
• Develop risk management metrics and reporting to provide improved oversight to risk owners and executive leadership.
• Refine Okta’s Risk Registry and analyze existing data for completeness and accuracy.
• Refine Okta’s Issue Registry and analyze existing data for completeness and accuracy.
• Serve as a highly trusted advisor to Legal, Human Resources, and DevOps teams, delivering guidance and information regarding privacy, risk, and compliance requirements.
• Frameworks in use include SOC 2, ISO 27001/27002, ISO 27701/27017, and PCI-DSS. Privacy requirements include GDPR, CCPA, Illinois Biometric Information Privacy Act (BIPA), and other international, state, and federal privacy regulations.
Governance Risk Compliance Staff Specialist
Gong
Aug. 2021 - Mar. 2023
• Leveraged knowledge of enterprise governance to improve compliance in Gong’s multi-provider cloud environment.
• Engaged across business units, including Executive Management, Legal, IT, Human Resources, DevOps, Information Security, and Internal Audit to normalize IT controls across Gong’s compliance landscape.
• Performed gap analyses for new international and domestic regulatory requirements and existing frameworks/certifications revisions.
• Evaluated privacy laws and regulations for gaps with current Gong policies and procedures.
• Partnered with Internal Audit to position Gong for IPO readiness and SOX compliance/SOC1 audits.
• Utilized specialist knowledge and expertise to identify data governance improvements through reducing data redundancy and appropriate data reuse.
• Identified and remediated data privacy issues including data collection, handling, compliance, and sanitization.
• Revised Gong’s policy stack and supporting documentation, ensuring alignment of policies and controls to frameworks, business objectives, and regulatory requirements.
• Refined Gong’s Risk Registry, developed an enterprise-wide risk quantification approach, and developed a risk exception documentation procedure for the enterprise.
• Served as a highly trusted advisor to Legal, Human Resources, and DevOps teams, delivering guidance and information regarding privacy, risk, and compliance requirements.
• Developed and deployed comprehensive privacy and security awareness training for onboarding and ongoing training; this training includes HIPAA, privacy, phishing, current attack vectors/security threats, privacy/security by design, mobile device security, data handling, and policy refresher training.
• Frameworks used included SOC 2, ISO 27001/27002, ISO 27701, PCI-DSS, and HIPAA. Privacy requirements include GDPR, CCPA, Illinois Biometric Information Privacy Act (BIPA), and other state and federal privacy laws.
Team Lead, IT Governance Risk and Compliance/ Enterprise Data Governance
Paycom
Feb. 2016 - Aug. 2021
Oklahoma City, Oklahoma Area
• Developed the IT GRC and Data Privacy Teams from inception and oversaw the day-to-day activities of 11 direct reports. Developed KPIs for both teams and reported across multiple levels of management, from executives to individual contributors, and across various technical and non-technical audiences.
• Designed and implemented the workflows for IT GRC and Data Privacy, aligning all IT controls across the entirety of Paycom’s compliance frameworks and programs, including SOX, SOC 1, SOC 2, ISO 27001, ISO 27701, ISO 22301, PCI-DSS, FedRAMP, PrivacyShield, WCAG AA, and HIPAA.
• Served as a highly trusted advisor to Legal and Development teams, delivering guidance regarding privacy, risk, and compliance requirements and technical capabilities for issues, projects, and proposed functionality.
• Participated in meetings with clients and prospective customers to address security and privacy concerns.
• Used specialized knowledge and expertise to identify improvements by reducing data redundancy and appropriate data reuse.
• Identified and remediated data privacy issues including data collection, handling, compliance, and sanitization.
• Strengthened and developed the IT Audit and Compliance, IT Risk Assessment/Management, Data Privacy and Governance, Change Management, Business Continuity and Disaster Recovery, Crisis Management and Response, Vulnerability Mitigation, Information Security and Privacy Awareness Training, Vendor Risk Management, and WCAG/Accessibility Compliance programs.
• Contributed significantly as a highly trusted advisor to Legal and Development teams, delivering guidance and information regarding privacy, risk, and compliance requirements and technical capabilities for issues, projects, and proposed functionality.
• Frameworks in use included SOX, SOC 1, SOC 2, ISO 27001, ISO 27701, ISO 22301, PCI-DSS, FedRAMP, WCAG AA, and HIPAA. Privacy requirements included PrivacyShield, GDPR, and all state and federal privacy regulations including BIPA.
Senior IT Risk Analyst
Devon Energy
Dec. 2013 - Feb. 2016
Oklahoma City, Oklahoma Area
• Governed the execution and continued development of the program as the Program Lead for Devon’s IT Risk Management program.
• Developed specific use-case risk assessments, tracked mitigation efforts, and developed risk metrics and risk reports.
• Carried out risk assessments to identify current and future security vulnerabilities.
• Facilitated the continual assessment of program processes and procedures to ensure consistency and correctness in the risk registry, application/system risk assessments, SOX/PCI/HIPAA compliance, and asset vulnerability management.
• Monitored current and proposed laws, regulations, industry standards, and ethical requirements related to information security and privacy to ensure compliance with business requirements in the USA and Canada.
• Formulated a 65% reduction in successful phishes and a 110% increase in the reporting of suspicious emails following the implementation of routine end-user phishing exercises with follow-up training for recipients who failed the initial exercise.
• Doubled voluntary attendance of information security awareness training over two years, with 100% positive feedback from attendees.
• Steered a 15% reduction in risk through the design and implementation of legal risk assessment functionality in Devon’s GRC tool. This assessment tool enabled Devon’s legal department to quantify risks to Devon data presented by partner firms.
• Slashed the incident documentation time by 35% following the design and implementation of Incident Response documentation capability within RSAM (now Diligent). This new implementation also ensured standardization of documentation for each incident, as well as ongoing compliance with established incident handling procedures.
Information Assurance Manager/Security Manager
DISA
Nov. 2009 - Dec. 2013
Tinker Air Force Base, Midwest City, OK
• Implemented highly efficient strategies to ensure 100% compliance with U.S. Cyber Command (CYBERCOM) vulnerability monitoring requirements for 2012-2013 while serving as Technical Lead for IA Compliance Team.
• Governed overall aspects of system compliance with all applicable Department of Defense (DoD) and DISA security requirements across enterprise systems, including 4,500+ servers.
• Performed dual roles as both the Personnel Security Manager and one of three Information Assurance Managers.
• Delivered technical knowledge regarding logical and physical security awareness to staff and visitors/customers.
• Identified and remediated knowledge gaps regarding policies and procedures and provided annual training and education for internal personnel regarding security awareness.
• Ensured the cost-effective provision of a professional Security Assurance response service.
• Received multiple performance awards for individual contributions within DISA during 2010, 2011, and 2012.
• Served as the local project manager for the DISA Records Management/NARA Compliance Project. Shaped the strategic direction for the project that resulted in nomination of the project for the 2013 DISA Excellence Award.
• Delivered substantial support as a Project lead for the DECC accreditation project, including the development of all accreditation documentation. The documentation included a complete rewrite of the DISA Oklahoma City SSP and the development of the DISA Oklahoma City S.A. Guide. The quality of accreditation materials resulted in DECC OKC being the only DISA DECC to receive a full three-year accreditation certification.
• Reduced onboarding time of new employees and contractors by 75% by streamlining the personnel security processing procedures for DECC Oklahoma City. The initiative allowed DECC Oklahoma City to dispose of thousands of printed pages of personnel files, and dramatically improved employee privacy and security by storing personnel data in a secure database.
Senior Database Administrator/Database Information Assurance Officer
Computer System Designers
Oct. 2003 - Nov. 2009
Tinker Air Force Base, Midwest City, OK
• Ensured 100% compliance with all DoD/DISA policies related to database implementation and management.
• Provided expert guidance and interpretation for customers and DISA DBAs regarding required DoD/DISA policies and security requirements.
• Reviewed and documented processes and procedures for database auditing and finding remediation.
• Communicated security vulnerabilities and risks to customers on behalf of DISA DBAs and negotiated remediation plans.
• Received Outstanding Performer Awards for customer service on multiple projects.
Technical Analyst
Kerr-McGee Corporation
Jan. 2000 - Sep. 2003
Oklahoma City, Oklahoma, United States
• Achieved 100% compliance with established Service Level Agreements (SLAs), with 98% approval ratings in customer surveys, resulting in improved customer satisfaction, reduced downtime, and increased availability.
• Researched, implemented and managed Ringmaster software for Oracle patch management. This implementation resulted in improved patch application and tracking, saving $40,000 annually in costs and reducing downtime by 15%.
• Partnered with Internal Auditing to establish change control procedures for Oracle databases and related servers.
• Implemented, documented, and trained Oracle support personnel regarding the new procedures; implementation resulted in reduced downtime, improved tracking of changes, and improved efficiency in promoting changes to production environments.
• Partnered with Security Team to re-engineer and document processes for granting third-party vendors access to required Oracle databases; this effort resulted in a reduction in setup time from two business days to less than four hours and an average cost savings of $10,000 per user.
• Assisted Common Operating Environment Team in the installation and maintenance of Oracle applications and tools for new Windows 2000 workstations. Joint efforts resulted in nearly seamless deployment of Win2000 workstations (replacing WinNT), reduced end-user downtime by 60%, and cut support costs by 35%.
• Led project team of five members to improve application integration among newly acquired business groups. Project was completed on time and under budget, and long-term support costs were reduced by 35%.
• Technologies used: Windows NT Server, Windows 2000 Server, HP-UX, Solaris, Oracle 8.1.7, Novistar-P2ES oil and gas applications, Oracle Financial Analyzer, Ringmaster Patch Management Software.
Network Administration/Y2K Consultant
Self-employed
Oct. 1999 - Jan. 2000
Designed and installed servers and network hardware for various small business clients. Researched Y2K impacts for various clients and provided remediation as required. Developed and implemented disaster recovery procedures for clients. Technologies used: Novell NetWare 4.11, Windows NT Server, Windows 95/98/NT workstation, client software as required.
Network Administrator/Desktop Support
Grady County Consortium
Jan. 1998 - Jan. 1999
Designed LAN/WAN configurations and installed required hardware for Amber-Pocasset, Rush Springs, Alec and Ninnekah Public Schools. Provided training for teachers and students as required. Developed and implemented network security procedures to safeguard student data from unauthorized access. Provided end-to-end support for routers, switches, hubs, PCs, printers and all other hardware at each school. Designed and implemented encryption and security procedures for transfer of student records from each school to and from Canadian Valley Vo-Tech, reducing delays in administrative action and permitting collaboration between staff at each institution. Technologies used: Novell NetWare 4.11, Windows 95/98/NT, Cisco routers and switches.
Intern
Conseco Corporation
Jan. 1996 - Jan. 1998
Assisted in the development of inventory control procedures for new hardware and software, reducing loss by 45% and saving $35,000 annually. Performed hardware maintenance tasks for end-users, such as component replacement/repair and upgrades. Assisted in the deployment of new applications and anti-virus updates campus-wide. Technologies used: Novell NetWare, Windows NT Server, McAfee Anti-Virus, Windows 95/NT workstation, Conseco-specific applications as required.