Tj Pancholi CISSP

2021: Leading Whole Foods Market security, privacy and compliance initiatives (PCI DSS, HIPAA, SOX ITGC, GDPR, CCPA) 2019-2021: Define and influence the secure and compliant design of systems worldwide and drive information security and compliance (HIPAA/HITRUST/GDPR/PCI, etc.) for Amazon’s Healthcare businesses (Care, Pharmacy, Alexa Health), Payments (Global) and initiatives. Founding member of Amazon's Healthcare Governance and Compliance organization Manage compliance and security assessments for Amazon’s centralized governance and compliance program overseeing Amazon business units, subsidiaries and foundational systems Develop strategy and lead cross-functional initiatives to strengthen compliance assessment processes through automation resulting in increased technical depth, assessment quality and efficiency across multiple regulatory frameworks (e.g., HIPAA, PCI DSS, GDPR, NIST 800-53, GLBA, NYDFS, CSSF, RBI) Provide security and compliance advisory guidance to new and existing businesses at Amazon by conducting technical assessments, deep dive into risk areas and develop metrics to continuously measure security and compliance posture

Manage security and compliance engineering and architecture readiness for AWS Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) cloud service offerings Led and coordinated FedRAMP/DoD activities with FedRAMP PMO, Joint Authorization Board (JAB) and DISA in authorizing AWS services/Data Centers at FedRAMP Mod/High and DoD CC SRG IL2, 4, 5, 6. Perform technical security and compliance assessments and audits of network, operating systems, application security and IT processes (e.g., change/configuration management, vulnerability management, access control, incident response, disaster recovery) Evaluate regulatory, security and compliance frameworks (e.g., NIST, FedRAMP, DoD, HIPAA, HITRUST, ISO, SOC, PCI DSS, GDPR) and engage stakeholders with aligning standard operating procedures, controls, monitoring, and reporting with the goal of improving operations, compliance policies, and risk management effectiveness

Led cybersecurity and compliance initiatives in the Cloud & Infrastructure Compliance Operations group supporting all Exelon Utilities: Baltimore Gas and Electric (BGE) Philadelphia Electric Power Company (PECO) Commonwealth Edison (ComEd) Potomac Electric Power Company (PEPCO) Atlantic City Electric (ACE) Delmarva Power and Light (DPL) Exelon Generation Plan mock audits and evidence reviews in preparation for utility specific NERC CIP regulatory audits Interface with auditors during regulatory audit engagements and present enterprise, organizational and business area specific compliance programs and policies including underlying evidence to demonstrate compliance Ensure cloud environments reflect security requirements defined by cyber security policies Enforce cybersecurity and compliance requirements for cyber assets within solar, wind, generation, transmission, distribution and hydro facilities Perform cyber vulnerability assessments by utilizing tools such as Nipper, Nessus, Tufin, Intrusion Detection Systems, Anti-Virus, Tripwire, FireEye among others to detect and mitigate vulnerabilities and threats across all Exelon utilities and track remediation activities through competition Design and implement technical controls to continually improve security posture within critical environments and their underlying cyber assets including virtual environments Research emerging technologies and the overall threat landscape to understand physical and cyber security industry best practices Engage with government agencies (E-ISAC, DHS, Fusion Centers and local law enforcement departments) to improve relationships and understand pertinent threats to the electric power industry

Designed and continually improved IT/OT systems within business units including Corporate IT, Corporate Security, Substations, and SCADA environments by implementing industry best practices and controls aligned with NERC Critical Infrastructure Protection (CIP) compliance Created and maintained governance programs, policies, procedures, and processes to adhere to regulatory compliance with Critical Infrastructure Protection (CIP-002-CIP-014) and 693 Operations and Planning standards Enforce NERC 693/706 compliance across the organization by performing compliance investigations, risk assessments and mitigation action plans Leading CIP-014 Physical Security initiatives by assessing vulnerabilities, threats, risks and safeguards/countermeasures for construction/implementation Designed and implemented preventative, detective and corrective technical and administrative controls to support information security and compliance program objectives Directed periodic compliance reviews and reviewed self-certifications Participated in large and small scale commissioning and decommissioning projects to ensure cyber security and compliance prior to commissioning/decommissioning Implemented AssurX’s Document Management System and EUEM modules to streamline evidence collection for recurring NERC tasks and operational procedure document management Active member of the NATF forum where industry members discuss best practices from around the industry, which allows participants to understand how companies are tackling various projects or what pitfalls have been encountered

As part of my second role at an electric utility I collaborated with internal groups such as System Operations, Key Accounts, Government Affairs, Media Relations and Public Relations to report on commercial and residential customer outage/restoration inquiries and efforts in the District of Columbia, Prince Georges County, MD, and Montgomery County, MD. Prepare for extreme weather conditions or incidents by coordinating with Emergency Preparedness Incident Management Teams. Lead team during extreme weather conditions or incidents and monitor high priority locations and key accounts, analyze conditions and dispatch crews to strategic locations to restore customers

Configured and managed Windows/AIX/Network Devices within a highly controlled SCADA/ICS environment. Activities include: Patch Management - Assess, Track and Install (Windows, AIX, Linux, Firewalls, Switches, Samba, CentOS, Oracle) Patch deployment in Production, Test, and Development environments for all device types Deployed and administered SIEM/IDS/IPS devices Database Performance Monitoring and Tuning Continually assess cyber security risks, threats, and vulnerabilities within the network environments Strong skills in managing multiple technical projects with strict deadlines Implemented and managed Change and Configuration Management tools within SCADA/ICS environments Configured alerting and monitoring mechanisms for critical assets within the environment to ensure security events were reviewed and acted upon in a timely manner Technically aligned SCADA/ICS/EMS environment to meet NERC CIP V3 standards, developed and executed mitigation plans, and collected evidence to demonstrate compliance for the 2012 RFC Audit which led to 0 violations Performed Incident Response drills, Vulnerability Assessments and Penetration Tests Managed the assessment and installation of security patches on various OS (Windows, AIX, Linux, Firewalls, Switches, Samba, CentOS, Oracle) Created, updated, and reviewed internal technical and operating procedures related NERC CIP and routinely made significant contributions to improve existing processes and the quality of evidence

Tested web applications, client-server, and database projects on Windows operating systems, gaining exposure to the complete software development life cycle Proficient in PL/SQL with experience in constructing tables, procedures, indexes, views, synonyms, triggers, functions with the proper grants to all of the users and roles Coordinated and led in the creation of test strategies and test plans including the execution of QA and testing processes, bug documentation and bug tracking, regression testing using IBM Clear Quest and Clear Case Managed the escalation of application defects/bugs and interacted with Team Members, Developers, Business Analysts and Project Management to ensure resolution to limit downtime in production and testing environments with the common approach to problem solving/root cause Supported the test and implementation of database backup and recovery procedures, supplemented by nightly exports Experience with COTS enterprise system and implementation of Oracle Financials

Data modeling to identify potential structural distresses on Frederick County, MD and Baltimore City Roads Developed metrics to enable business decisions

Analyze and process out-of-balance cases for shareholders and process internal requests for account corrections due to incorrect transaction processing, system constraints, or tax reporting problems Review funding availability to process the account adjustment, submit manual check or wire request, and calculate and adjust dividends and/or capital gains Monitor cost center budgets to ensure Sarbanes Oxley compliance and accuracy in financial results and projections

Analysis of Mortgaged Backed Securities Exposure to relevant accounting and financial concepts