Cynthia (Cyndi) Callahan

14211 Bear Creek Pass, Austin, TX 78737

512-897-9215
cccda930@westpost.net
Summary
I am an experienced senior manager with an extensive background in IT security,
operations, governance, risk and compliance in the financial industry. I have a
proven track record of utilizing leadership capabilities, team motivation, tech
nical expertise, communication skills, negotiation capabilities and business acu
men to achieve customer, business and corporate focused goals and solutions.
Specialties
IT risk and security management
Identity and Access Management
Change Management
Service Desk Management
Vendor and internal assessment programs
Organization integration and outsourcing
Global governance, risk and compliance programs
Sarbanes Oxley controls and testing
Audit activities including SAS70
Process and performance improvement
Program management
Experience
SVP-Information Security & Risk Management
BBVA Compass Bank (formerly Guaranty Bank)
December 2007 - June 2010
Functional responsibilities included establishment of company wide information s
ecurity policies, standards and procedures that were ISO and regulatory complian
t, vulnerability management program and practices (state and event security mon
itoring, perimeter security and configuration, patch management), computer secur
ity incident response program and team, security architecture definition, inform
ation security/technology risk assessments, identity and access management (acco
unt administration and access certification), disaster recovery, technology vend
or management and purchasing, change management and service desk management.
I established and implemented a State of Security Program based on COSO and Cob
IT control frameworks to mature the information security program and reduce expo
sures over a two year period, established executive reporting on overall technol
ogy risk posture to raise awareness and support of risk programs, implemented an
MSSP security monitoring solution to save 40% of departmental expenses and incr
ease coverage, consolidated security products to better position the overall sec
urity posture, reduced vulnerability exposures by 80% by implementing patch mana
gement, and implemented a formal security architecture program to ensure appropr
iate protection of corporate information assets. Additionally, I defined the SO
X IT controls and ensured IT had proper controls and checkpoints in place to ens
ure a successful SOX program. I was also the Program Manager for the Data Rete
ntion initiative based on FDIC and BBVA Compass' requirements to centralize all
significant electronic data for regulatory retention purposes.
VP-Information Risk Management
JPMorgan Chase - Risk & Security Management
January 2007 - March 2008
Functional responsibilities included establishment of a control framework to ens
ure compliance with corporate standards, ensure a successful SOX Compliance Prog
ram for the Risk & Security Management organization as well as ensure the proper
SOX controls were established across the corporation. These included close wor
king ties with two external audit firms to ensure entity-wide governance control
s were in place along with support of all external and internal testing. It als
o included being a primary contributing member of the Technology SOX Compliance
Work Force to ensure controls were well defined, corporate wide test steps devel
oped along with defining the appropriate testing organizations. In addition, my
role required close alignment to JPMorgan Chase's internal audit department to
assist in establishing the three year audit program of technology with a focus o
n cross-division functions and controls.
I was responsible for the management of a team of IT professionals to enhance th
e overall technology posture and compliance of the Risk & Security Management or
ganization. Risk & Security Management is the end-to-end information security t
echnology organization overseeing and providing direction for all lines of busin
ess within JPMorgan Chase. This is a centralized core organization responsible
for vulnerability management (state and event security monitoring, perimeter sec
urity and configuration, patch management, etc), identity and access management
(account administration, access certification, security configuration, etc. acro
ss all platforms), mainframe system security, Unix and Wintel system security ad
ministration, AS400 system security, HP3000 system security, Tandem system secur
ity, Active Directory, Oracle, Sybase, Lotus Notes email and application develo
pment, and security tools (single sign-on, remote access, desktop encryption, et
c). I also led the activities of information technology and operating risk man
agement team for the Risk & Security Management area which covered the Outside S
ervice Provider Program, establishment and maintenance of IT Policies and Standa
rds, Key Encryption and the corporate technology Sarbanes-Oxley Program.

VP - Information Risk Management

JPMorgan Chase -Corporate Information Technology Risk Management
November 2004 - January 2007
Functional responsibilities included the establishment of the Information Risk
Management function for the Information Technology Risk Management division at t
he corporate entity level. The risk agenda focused on compliance with all inter
nal corporate standards and all external regulatory bodies globally (OCC, Federa
l Reserve, Japan FSA, etc), legislative requirements (GLBA, SOX, etc), and creat
ion and maintenance of the JPMorgan Chase IT Policies and Standards. This requi
red a vision and strong strategic position to achieve results over a three to fi
ve year period with annual milestones.
I additionally developed and implemented a maturity model to enhance the effecti
veness and efficiency of the corporate wide IT security program along with manag
ed and communicated the corporate IT security vision and strategy to senior exec
utive management and staff.
VP - Information Security Manager
IBM Global Services
April 2003 - November 2004
JPMorgan Chase consolidated all technology from within various lines of business
into the corporate level. This was done to ease the outsourcing of technology
functions to IBM in April 2003. As part of this consolidation and the subsequen
t movement to IBM, I moved to the corporate entity level and managed a division
of Information Security for JPMorgan Chase then IBM. The division consisted of
70 IT security engineers and professionals supporting Unix and Windows environme
nts and major business applications along with a compliance organization and pro
cess improvement team. The base functions of the area were developing security
solutions and providing security engineering, system security and application as
surance and monitoring, identity and access administion (security administration
) for systems and applications and security tool deployments, information securi
ty risk assessments, quality control reviews along with process improvements acr
oss full technology division based on audit results, compliance reviews, etc.
I was responsible for all facets of this division from the ground up starting wi
th its inception and growth until the contract was cancelled with IBM and all te
chnology was brought back to JPMorgan Chase in November 2004.
I managed a mulit-million dollar budget with full financial planning responsibil
ities, staff hiring, training, growth and performance metrics, senior management
reporting to show value and support of corporate goals and initiatives. It als
o included monthly meeting with JPMorgan Chase executive management to review me
trics ensuring service level agreements were being made, risks were being addres
s, and obtain JPMorgan Chase executive management buy-in on IBM future direction
. I was also resposible for all interfaces with audit groups including IBM inte
rnal audit, JPMorgan Chase internal audit, OCC, Federal Reserve and external aud
it firms when audit scope covered technology components, processes and/or proced
ures. I also established SAS70 Type II control objectives and supported subsequ
ent testing as part of contractual requirements between IBM and JPMorgan Chase
VP - Information Security & Risk Management
JPMorgan Chase-Chase Home Mortgage
January 1989 - April 2003
Functional responsibilities included the establishment of the Technology Risk Ma
nagement division for Chase Home Mortgage, the mortgage line of business within
JPMorgan Chase. The base functions included information security and technology
risk policies/standards/procedures, information security risk assessments, risk
and compliance assessments, identity and access management (access administrati
on, access certification) for all systems and business applications, system secu
rity and application monitoring/analysis, change management, version control and
code distribution of business applications, disaster recovery, Lotus Notes ema
il database development, and technology help desk functions. I was responsible
for all facets of this division from the ground up starting with its inception a
nd growing it to its full capacity.
I managed a multi-million dollar budget with full financial planning responsibil
ities, staff hiring, training, growth and performance metrics, senior management
reporting to show value and support of corporate goals and initiatives along wi
th all in-house technology control assessments to ensure compliance with GLBA or
other regulatory requirements. I was also responsible for audit group interact
ions including internal audit, OCC, Federal Reserve and external audit firms whe
n audit scope covered technology components, processes and/or procedures.
AVP -Secondary Marketing Manager
JPMorgan Chase-Chase Home Mortgage
November 1988 - January 1989
Functional responsibilities were the management of secondary marketing pricing f
or Chase Home Mortgage. The function was responsible for mortgage origination p
ricing offered to internal loan originations, wholesale originations and corresp
ondent lending. This was a new function based on the movement of the Chase Home
Mortgage relocation from New Jersey to Florida.