- John LaCagnina is an experienced IT auditor, project manager, and consultant with over 20 years of experience in information security, compliance (SOX, PCI DSS, etc.), and quality assurance. He has worked in various industries including financial services, pharmaceuticals, and hospitality.
- He holds multiple professional certifications including CISA, PMP, CGRCM-IT, CSOXP, and is knowledgeable in frameworks like COSO, CobiT, and methodologies like ITIL.
- He has extensive experience implementing and auditing controls, conducting assessments and gap analyses, ensuring regulatory compliance, and managing projects, audits, and teams simultaneously.
John LaCagnina
29 Briar Ct.
Hamburg, NJ 07419
Mobile phone 917-817-0467
johnnylac@aol.com
SUMMARY:
• A Certified Information Systems Auditor (CISA) with 12+ years of experience in internal audit and SOX compliance
in the Financial Services, Pharmaceutical, and Hospitality industries
• Eight years of experience auditing, implementing security controls, and ensuring regulatory compliance with GxP, 21
CFR Part 11, and GDP regulations in the Pharmaceutical industry
• Eight years of experience with Qualification and Validation in the Pharmaceutical industry
• Five years of experience in Vendor Compliance Management
• A certified Project Manager (PMP) with 20+ years of broad experience in a large corporate environment
• Certified Internal Control Management Professional (CICMP)
• Certified IT Governance, Risk, and Compliance (GRC) Professional/Manager (CGRCM-IT)
• Familiarity with COSO and CobiT frameworks, CMM, and ITIL methodology
• Excellent understanding, and experience in implementation of PCI DSS requirements
• Many years of Customer Service and Customer Relationship Management
• Many years of experience interacting with C level management
• Verifiable process improvement, oral, written, organizational, interpersonal, team-building, and presentation
skills
• Extremely strong Change Management, process analysis, gap analysis, and documentation skills
• ISACA member in good standing (http://www.isaca.org/) – Strong IT Governance skills, CobiT Foundation certified
and completed the CobiT for Sarbanes-Oxley Compliance course
• Sarbanes-Oxley Institute board member (http://www.soxinstitute.org/) – CSOXP certified (Sarbanes-Oxley Institute).
Contributing author and pre-production editor of the SOX guide for Financial and IT professionals, 2nd Edition
(Wiley Publications) and The Sarbanes-Oxley Act – An Introduction (Van Haren Publishing)
• GRC Institute (Governance, Risk, and Compliance) member in good standing (http://www.grcg.com/)
• Experience with data extraction and analysis using IBM’s GRD, Iron Mountain’s DRCi, Remedy, and Service-Now
• Demonstrated competency in management of multiple audits, operational responsibilities, and projects simultaneously
• Excellent leadership ability, client focus, and customer service skills
• Consulting and external client experience – interfacing with C level and senior management, clients, and off-shore
vendors
• Experience in working in environments of constantly changing priorities
CERTIFICATIONS/EDUCATION:
• CISA, Certified Information Systems Auditor
• PMP, Project Management Professional
• CICMP, Certified Internal Control Management Professional
• CGRCM-IT, Certified IT Governance, Risk, and Compliance
• CSOXP, Certified Sarbanes-Oxley Professional
• CobiT Foundation Certified
• MCSE, MCP+I, CNA
City University of NY graduate 1981
• Electronic Computer Engineering degree
TECHNICAL SKILLS PROFILE:
• Client/Server environment: Microsoft and Novell certified.
• Experience with the Remedy ARS system, IBM GRD, Service-Now, and Iron Mountain DRCi for data extraction,
reporting, and SLA management
• Familiarity with Business Continuity (BC) and Disaster Recovery (DR) policies and procedures, WAN technologies,
AD, ACLs, encryption technology, etc.
• Ability ranging from proficient to expert using MS Visio, MS Project, MS Excel, MS Word, MS PowerPoint, MS
Outlook, Lotus Notes, SharePoint, Remedy ARS, Peregrine
EMPLOYMENT HISTORY:
Datalynx-US January 2013 to present
VP of Consulting Services – Eastern Region
Relationship Management between Novartis and Datalynx contractors at the East Hanover site. These duties were
performed in addition to the services I provided for Novartis listed below and included the settling of disputes, approval of
personal time off, and other day-to-day management of the account.
Novartis July 2010 to present
Contractor for Datalynx-US providing services for Novartis – IT Quality & Compliance Manager
• Project Quality Manager for 5 Portfolio Transformation MA&D projects, CFEngine, Vblock
consolidation, EVO, and NAS, to name just a few
• Operational Quality Manager for the Service-Now SaaS – Quality manager for the Validation of new
releases, Change Approvals, and approval of all validation documentation
• Quality Manager for UNIX Gemini Transition, Service Now, and the GIS managed DR Service
• Operational Quality Manager for the UNIX/LINUX, Storage, and B&R Global service lines
• Vendor Compliance Management of IBM
• NVS Compliance Officer – interface with IBM management to review and resolve all compliance
issues. Represented GIS in the Incident Management PID renegotiations with IBM
• Qualification Procedure Development – drove and facilitated the creation of the relevant Qualification
Procedures for the Wintel, UNIX/LINUX, Database, and Storage towers.
• Conducted annual Maturity Assessments and HLBIAs for the Wintel, UNIX/LINUX, Database, and
Storage towers
• Participate on quarterly and annual SOX and Vendor Compliance Audits including hands-on
participation in Switzerland and Argentina
• Technical Writer for the Exadata initiative
• Continuous improvement of existing quality systems to meet and sustain compliance with internal and
external regulatory requirements
• Conduct Quality Reviews to evaluate if processes and deliverables fulfill the requirements for quality, to
uncover errors or deficiencies in processes and deliverables, and to identify strengths and opportunities
for improvement
• Interface with other quality and compliance stakeholders to ensure customer practices are aligned with
regulatory expectations and industry best practices
Hermes of Paris May 2010 to July 2010
Consultant – PCI-DSS Compliance Project Manager
Responsible for driving the PCI/PA-DSS compliance initiative. This was a Cegid POS and ICVerify database environment.
In this role I performed these duties:
• Monitor and control project
• PCI SME to assist in updating and maintaining their SAQ based on version 1.2 of the PCI DSS
• POC with the QSAs (Coalfire) providing them with evidence of compliance and arranging interviews, meetings,
pen testing, etc.
• IT Auditor to identify compliance gaps and compensating controls ensuring HOP’s compliance
• Security Analyst to ensure that HOP was secure as well as compliant
• Acted in an advisory capacity in choosing the QSA and security solutions
• Documentation SME to review, update, and perform a gap analysis of their existing Security and Incident
Management documents
I interacted daily with the VP of Information Services, Director of Audit and Operations, IT Operations Manager,
Information Security Officer, Cyber-Security SME, Security Engineers, Network Admins, and the on-site security
vendor (Reliant Security) to achieve PCI-DSS compliance. I also provided weekly and ad hoc status reports to the
CFO.
WYNDHAM HOTEL GROUP July 2009 to December 2009
Consultant (returned by request) – Sr. IT Auditor / Security and Compliance Specialist
Returned by request to the Wyndham Hotel Group in the IT Security and Risk Management group to perform the audit
and testing for their 2009 SOX audit initiative as well as managing their 2009 recertification initiative, and requirements
and documentation gathering for their PCI-DSS certification initiative. The areas of audit and testing are as follows:
• Host Security for Windows, UNIX, LINUX, Network Devices
• Database Security for Oracle and DB2
• Security Administration of CHIME, Clarity, EDW, Wyndham Rewards
• Physical Security
• Backup and Recovery
• Change Management
• In addition, interacted with the external auditors to complete the audit and subsequent remediation.
TREC GLOBAL BUSINESS PROCESS SOLUTIONS Feb. 2009 to July 2009
Consultant - Business Analyst
• TREC Global Solutions provides outsourced business solutions and call center services. Process analysis as part of
the discovery process in the Program Management group for Pre-Business Development. Performed analysis of
business objectives, strategies, timelines, performance targets, budget limitations, and overall scope of work. Details
are as follows:
• Interfaced with the client to determine business needs, review existing business processes, perform Test of Design
and Test of Effectiveness, and identify performance metrics. Acted as a single point of contact to ensure the end-
to-end execution for the campaign.
• Consulted with Business Development team to report findings of discovery phase, determine solutions, establish
transition process, and provide client specific training.
• Assisted Quality Assurance team in conducting routine quality audits and reporting findings to senior
management.
WYNDHAM HOTEL GROUP July 2008 to Jan. 2009
Consultant – Sr. IT Auditor / Security and Compliance Specialist
• Wyndham Worldwide engagement as part of the Wyndham Hotel Group in the IT Security and Risk Management
Group. Performed as many as four concurrent audits to ensure regulatory compliance of their SDLC, PMLC and
Change Management processes, as well as the Security Administration of their Windows, UNIX, and Database
environments. Major responsibilities included extensive SOX testing and subsequent interaction with external
auditors, management of the annual user recertification process, and assisting them in their PCI-DSS
Self-Assessment Questionnaire. Details are as follows:
• Security Administration for Windows, UNIX, Oracle, DB2, Informix, and the Electronic Data Warehouse (EDW)
• Authentication Administration, Security Patching, System Hardening, Logging, Password Administration,
ACLs
• Security Administration of Applications – CHIME, Clarity, Informatica, My Portal, Oblix
• SDLC and PMLC policy
• Change management, Change control, Version control, Segregation of development, test, and production
environments, Adherence to the funding and approval process, Unit and system testing, Data conversion
• Annual User ID Recertification report for SOX compliance
• Obtain verification of status and permissions of all end users from their respective performance managers
• Administrative
• Creation and Maintenance of directory structure in SharePoint for storing and sharing reports and artifacts
• Daily and weekly status reports to leadership
• Scheduled and led meetings with auditees for acceptance and remediation of findings
• Participated in remediation meetings with external auditors and provided evidence of compliance.
PFIZER Feb. 2008 to June 2008
Consultant - Sr. IT Auditor / Security and Compliance Specialist
• Pfizer engagement as part of the Shared Applications Management Services group in the IT Security and Compliance
department. Major responsibilities include:
• Continuous Improvement – review and update existing Change Management policies, process documentation, and
related process aids stored in SharePoint.
• Audit – Manage a team of off-shore auditors in the completion of 7 process, 5 application, and 5 ad hoc internal
audits monthly. Responsible for scheduling of audits and conducted meetings with auditees for agreement on
scope and approach, and agreement with auditees on audit findings.
• Security – Management, implementation, monitoring, and control of the Security Incident and Root Cause
Analysis process and documentation.
• Compliance – participate in quarterly SOX audits
• Review RCM
• Review internal control objectives
• Test internal controls
• Report on findings
• Meetings with auditees for agreement on findings and scheduling remediation
KPMG, LLP May 1998 to Feb. 2008
Project Manager Information Technology
• Responsible for project management, Change Management, internal SOX compliance implementations, internal client
relationships, presentations, reporting, and team mentoring and development. Major deliverables included:
• National Infrastructure Change Management project – member of the committee to evaluate existing procedures
and write the initial documentation using ITIL methodology
• Enterprise Management internal SOX audit and process documentation project. Development and implementation
of the Change Management policy using ITIL methodology for the EM group.
• SAS 70 Type I readiness assessment - liaison to service auditor as IT SME for SOX compliance. Duties included
assisting in preparation of scope and approach, preparing the PBC list, and assisting in completing the appropriate
work papers.
• Annual IT CSA Audits – Performed and managed General and Operational internal controls audits for the IS SOX
Compliance Self-Assessment internal audit
• Managed a matrixed team of 6 to bring KPMG’s NY office’s Data Center into compliance
• Performed process verification, testing, risk identification, and gap analysis. Scheduled and led meetings with
auditees for remediation of findings, metrics, and progress reporting for the agreed upon remediation
• National Disaster Recovery project – performed asset valuation and identification of BC3 applications, services,
and dependencies
• Managed the Tax Data Asset Preservation Compliance Project for the New York Office
• Project Manager for new Construction buildouts, datacenter move, and user relocation
• Performed ongoing SLA Audits to ensure SLAs were met and adherence to ITIL Standards
• Managed issues, escalations, and expectations for the Office of the Chairman, the Office of the General Counsel,
and the Department of Professional Practices
THE CAREER CENTER Jan. 1997 to July 1998
Part-Time Technology and Applications Trainer
• Provided classroom training in Microsoft Office products, Windows 95, NT, and Novell operating systems.
• Built an NT classroom, saving the company over $10,000 in consulting costs.
ALTERNATIVE RESOURCES CORP. April 1994 to May 1998
Desktop Specialist and Team Leader
• Clients included NY Mercantile Exchange, CitiCorp, KPMG, Chase, Minet Insurance Co.