User:Eric Bonnell

Information Risk Management/Security Professional

Certified Secure Software Lifecycle Professional (CSSLP) #99621, Feb 2009

Certified Information Systems Security Professional (CISSP) #99621, Jan 2007

Information Systems Security Association (ISSA) #3124900 - President Eastern Iowa Chapter

Information Systems Audit and Control Association (ISACA) #431044

Develop and monitor major Information Risk and Information Security program components for AEGON companies, comprised of 20 business units within the US and Canada. Prepare operational and trend reports for presentation to senior management. Partnered closely with Legal, Operation Risk Management and Internal Audit to align processes and procedures.

- Revised and published Information Security Policy to align with ISO 27002:2005 as well as regulatory, statutory and industry requirements (e.g., GLBA, HIPAA, SOX, PCI, CA SB-1386, MA 201 CMR 17.00, etc.).

- Implemented Information Security Policy Request for Change (RFC) process, leveraging existing technology, to effectively capture the due diligence related to the submission, analysis, vetting and version control of policy and program documentation.

- Combined processes and tools for assessment of Information Risk and Information Security Compliance, eliminating redundant information and process steps taken to provide effective high-level enterprise and divisional performance metrics to senior management.

- Consulted regularly with Divisional Information Security Officers, business customers and IT subject matter experts throughout the company to prioritize required control remediation activities based upon business risk, including:
  - computer hardening controls
  - enhancements to change management and system development lifecycle (SDLC) processes
  - classification and management of information assets
  - development and implementation of awareness and training materials

- Provided additional program support for:
  - Information Classification and Management: consulted on assessing business unit implementation of program processes and controls.
  - Information Security Incident Response: led the enterprise-wide Incident Security Response Team when required.
  - Information Risk Awareness and Training: contributed to the quarterly newsletter, on-line training materials and presentations.