Thomas T. McDonald has over 17 years of experience in information security and risk management. He currently serves as Vice President of Technology Risk Management at First Niagara Bank, where he creates strategic alliances to align security with business initiatives and ensures compliance. Previously, he was Director of Information Systems & Technology Security at Kaleida Health, where he established their security program and implemented controls to meet HIPAA and other regulatory requirements. He has expertise in cyber security, vulnerability assessments, identity management, and compliance with standards such as PCI DSS, SOX and HIPAA.

1. THOMAS T. MCDONALD, CISA, MBA
www.linkedin.com/in/ThomasTMcDonald
Tom.T.McDonald@gmail.com 716-474-8869
PRO F E S S IO N AL SUM M ARY
Director, Information Systems Security with 17 years of experience creatingstrategic alliances with organization
leaders to effectively align with and support key business initiatives. Establish,plan,and administer policies,
procedures and programs for the information security function and evaluatecyber security risk.
Industry Experience
Health Care, Manufacturing,Banking
Functional Experience
Cyber Security,Risk Management, Project/Program Management
Information Security Expertise:
• Vulnerability Assessments • Single Sign On • Identity Management Systems
• Mobile Device Management • HIPAA Standards • PCI/Data Security Standard (PCI DSS)
• EPCS Security • Incident Response • Vendor Risk Management
• Contract & Vendor Negotiation • Security Architecture • Disaster Recovery Enterprise
PRO F E S S IO N AL EX P E RIE N CE
FIRST NIAGARA BANK, Buffalo, New York 6/15 - present
Top 25 US bank with 37 billion in retail and commercial assets.
Vice President, TechnologyRisk Management
Created strategic alliances with organization leaders toeffectively align with and support key business
initiatives.
 Independent validated and tested information security controls to ensurecompliance with Sarbanes-
Oxley and Gramm-Leach-Bliley regulations.
 Independent validated, tested and implemented information security controls.
 Participated in development and analysis of information technology risk control self-assessment, and
reviewed and developed information technology policies, standards,and guidance documents.
 Identified and mitigated information technology risk.
 Independent validated, tested and implemented information security controls.
 Identified and mitigated information technology risk.
KALEIDA HEALTH, Buffalo, New York 1998 - 2015
Healthcare provider serving eight counties with state-of-the-art technology and comprehensive healthcare services.
Director, Information System & TechnologySecurity – HIPAA Security Officer
Established, managed, and maintained a corporatewideinformation security program toprotect information
assets.Identified, evaluated and reported on information security risks tomeet compliance and regulatory
requirements.Proactively worked with business units to implement practices; documented policies, procedures
and standards for information security.
 Implemented Information Systems & TechnologySecurity Program for the organization.
 Hired a successful support staff to implement IT controls and safeguards.
 Identified security risks, threats and vulnerabilities on the networks,operatingsystems,applications and
new technology initiatives.
 Provided technical analysis in the development, testing and operation of firewalls,intrusion detection
systems IPS/IDS, enterpriseanti-virus,data lost prevention,vulnerability management and EPCS Security.

2. Thomas T. McDonald Page 2
PRO F E S S IO N AL EX P E RIE N CE (CO N T IN UE D )
 Implemented Single Sign On solution using proximity badges (HealthCast/Imprivata).
 Implemented Identity ManagementSystem (Courion) for provisioningrole based access, password synch,
password resets and terminations.Implemented internet filteringsoftware(Websenseand Forefront).
 Reviewed/audited operational configurations and security controls for applications and operating systems.
 Designed and executed vulnerability assessments, penetration tests,security audits and implemented PCI
Data Security Standards.
 Developed a Mobile Device Management policy and implemented MDM softwaresolution.
 Implemented two factor authentication (2FA) access solution (Anakam).
 Implemented workstation encryption software solution and SFTP.
 Chaired HealtheLink Health Information Exchange’s Security Committee since 2006.
 Led in the governance process to influence projects toadhere to HIPAA Security Rule, HITRUST Common
Security Framework,PCI DSS requirements, Sarbanes-Oxley Act (SOX), stateand federal regulations.
 Supported Legaland Compliance & Audit Departments eDiscovery requirements.
GOODYEAR DUNLOP TIRE CORPORATION, Buffalo, New York 1993 - 1998
Part of Goodyear Tire & Rubber Company that makes tires bearing the Dunlop brand name.
Information Systems Auditor
Developed, documented and maintained information system audits plans for corporateInformation Technology
Department. Identified information security weaknesses and developed gap analysis and remediation plans to
resolve issues. Worked with external auditors on analyzinginformation system controls and safeguar ds.
 Developed, designed and implemented UNIX based networks, NSF security,ftp controls, trusted hosts,r-
tools, and file permissions.
 Audited mainframe and distributed platforms as well as Windows,UNIX, RACF and Relational Database
Management Systems.
 Effectively managed information security projects; assessed financial/operational impact and systems risk.
HSBC (MARINE MIDLAND BANK), Buffalo, New York 1991 - 1993
British multinational banking and financial services company headquartered in London,
EDP Audit Officer
Oversaw a team of staff auditors performingEDP audits on: MVS, CICS, DB2, IDMS, IMS, ACF2, Data Center,
High End Processor,and LANs, IBM Mainframe, Tandem’s Wire,Unisys ACH Electric Data Interchange(EDI).
Worked with line management to minimize riskand instituteproper controls.
 Developed system flow charts, performed risk analysis,and defined audit controls criteria and objectives.
NATIONAL CITY CORP, Cleveland, Ohio 1990 - 1991
Regional bank holding company based in Cleveland, Ohio
EDP Auditor
ED UCAT IO N
CANISIUS COLLEGE ST.BONAVENTURE UNIVERSITY
Master Business Administration, MBA Bachelor Business Administration, BBA

3. Thomas T. McDonald Page 3
C E RT IF ICAT IO N
Certified Information System Auditor, CISA
TRAIN IN G /DE VE L O P M E N T
Cyber Security Evaluation Tool CSET, Intrusion Detection Systems IPS/IDS, HIPAA, Identity Management
Systems,Privacy Auditing
AF F IL IAT IO N S
Information Systems Audit and Control Association ISACA WNY, FBI Citizen Academy Buffalo,
InfraGard Buffalo, Sandy Beach Park Club, Sandy Beach Yacht Club