Carlos Benigno Aguilera de Niz
Address: Zapopan, Jalisco, Mexico, 45030
Visa sponsorship required to work in US
Summary
A senior Cybersecurity GRC and IT Auditor with over 20 years of experience supporting Fortune 500 companies. Proven expertise executing Operational, Business, Information Technology (IT SOX and Non-SOX) and Cybersecurity Audits, with additional expertise in IT and Cybersecurity Governance, Risk and Compliance, Security Assessments and Compliance with statutory requirements. I have extensive knowledge of the worldwide accepted standards, frameworks, and regulations such as GDPR, PCI DSS, COBIT, HIPAA, ISO, NIST, CIS, ITIL, SOX, SOC 1 and SOC 2, etc. I also have project management and people skills. Strong background in managing cross-functional audit engagements across global teams and identifying compliance risks while delivering business-aligned cybersecurity strategies.
Work Experience
Global Corporations, Remote Global
November 2024 - Current
IT Auditor and Cybersecurity GRC Consultant
• Provide strategic GRC consulting to multinational clients across different sectors such as finance, technology, health, etc.
• Design and implement enterprise-wide IT and cybersecurity policies, standards, and procedures aligned with COBIT, ITIL, NIST CSF, ISO 27001, and CIS benchmarks.
• Conduct third-party risk assessments and vendor audits, including SOC 1 and SOC 2 reviews, to ensure regulatory and internal compliance.
• Lead IT SOX readiness programs including risk-based controls testing, walkthroughs, and remediation tracking.
• Manage data protection audits for PCI DSS, GDPR and HIPAA compliance, including records of processing activities (RoPA), DPIAs, and DLP reviews.
• Oversee Cyber Risk Assessment and Security Maturity reports for executive stakeholders.
• Utilize tools such as Archer GRC, ServiceNow GRC, and OneTrust for policy governance, issue tracking, and risk scoring.
• Partner with IT, legal, and compliance teams to address audit findings and ensure timely remediation.
• Conduct Segregation of Duties (SoD) audits across enterprise applications such as SAP, Oracle, and Workday.
Herbalife Nutrition, Tlaquepaque, Jalisco, Mexico
September 2021 – October 2024
Cybersecurity Governance Risk and Compliance Sr Auditor (Manager level)
• Updated and published Cybersecurity Policies, Procedures and Standards.
• Involved in the Policy Exception Request management for the processes and suppliers that are not able to meet the policies, procedures and/or standards: explaining the request and why it is needed, the possible compensating controls, identifying which policy it is not compliant with, assigning the proper approvers from business, IT or other areas, following up during the approval process, etc.
• Prepared a Monthly Security Metrics report for IT and Cybersecurity Management regarding the performance and compliance of the systems, tools and services.
• Prepared a GRC Risk Assessments report from the different Cybersecurity regions across the globe where the company has a presence.
• Performed System User Access Audits for IT SOX Compliance.
• Performed System User Access Audits for GDPR Compliance.
• Performed the IT Audit Controls for PCI DSS Compliance.
• Performed the Segregation of Duties (SoD) Audits.
• Reviewed the SOC 1 and SOC 2 reports delivered by the external reviewers.
• Scheduled meetings between IT owners, Auditors, Providers, and the rest of the responsible teams, depending on the engagement and the location, as Herbalife Nutrition has teams around the world.
• Performed an Audit regarding the software inventory.
Herbalife Nutrition, Tlaquepaque, Jalisco, Mexico
July 2019 - September 2021
IS Compliance and Audit Support Sr Analyst
• Reviewed the SOX IT Audit requirements from the external auditors.
• Scheduled walkthrough meetings between IT Control owners and external auditors.
• Requested the proper evidence internally to fulfill the SOX IT Audit requirements.
• Reviewed the evidence gathered before providing it to the external auditors.
• Reviewed the procedures and workflow diagrams for the SOX IT Audit requirements process.
• Performed System User Access Audits for IT SOX Compliance.
• Scheduled meetings between IT owners, Auditors and the rest of the responsible teams, depending on the engagement and the location, as Herbalife Nutrition has teams around the world.
Hewlett Packard Enterprise, Tlaquepaque, Jalisco, Mexico
September 2015 - June 2019
Senior IT Internal Auditor
• Performed IT Audits for SOX Compliance.
• Performed Periodic System User Access Audits.
• Performed Operational Audits.
• Performed Client Services Audits.
• Performed Data Center Physical and Environmental Security Audits.
• Performed Cybersecurity Audits.
• Reviewed the SOX IT Audit requirements from the external auditors.
• Scheduled walkthrough meetings between IT Control owners and external auditors.
• Requested the proper evidence internally to fulfill the SOX IT Audit requirements.
• Reviewed the evidence gathered before providing it to the external auditors.
• Prepared the IT Audit reports for IT Owners and Audit Management.
• Scheduled meetings between IT owners, Auditors, Providers, and the rest of the responsible teams, depending on the engagement and the location, as HPE has teams around the world.
Grupo AS, Guadalajara, Jalisco, Mexico
December 2012 - September 2015
IT Corporate Auditor
• Developed and implemented Corporate IT Policies and Procedures based on best practices and main regulations.
• Implemented the IT asset inventory process.
• Performed the IT asset inventory audits.
• Reviewed the IT asset inventory within the database used (CMDB).
• Performed IT Audits for some member companies of the group.
• Prepared the IT Audit reports for Management.
• Oversaw the construction of a TIER 2 Data Center (double redundancy).
Galaz, Yamazaki, Ruiz, Urquiza (Subsidiary in Mexico of Deloitte and Touche), Guadalajara,
Jalisco, Mexico
September 2005 - December 2012
Senior Consultant Enterprise Risk Services / Control Assurance
• Planned the IT Audit (SOX and Non-SOX) along with the Financial Audit team.
• Prepared the budget for the IT Audit (SOX and Non-SOX).
• Assigned the personnel to perform the IT Audit based on the number of controls to be tested, time and budget.
• Selected the IT Controls to be tested during the IT Audits based on the type of engagement and the statutory requirements that need to be complied with (SOX, Non-SOX, GDPR, PCI DSS, etc.).
• Sent the proper communications to the company that was to be reviewed: the communications before, during and at the end of the engagement.
• Prepared the initial letters and presentations for the reviewed company.
• Scheduled the proper meetings (initial, walkthroughs, touch points, pre-closing and closing).
• Delivered the IT Audit requirements to the main contact assigned to attend the review, depending on the system used, operating system used, servers and other considerations.
• Performed the IT Audit (testing the IT Controls selected based on the engagement: SOX, Non-SOX, etc.) in over 50 companies from different types of industries and with worldwide operations. Some of the companies audited were: Flextronics, Pepsi, Gatorade, Tequila Don Julio, Heinz, Ferrero, Sheraton, Technicolor, etc.
• Prepared the IT Audit reports for Company Management and Deloitte and Touche Management.
• Performed Segregation of Duties (SoD) reviews.
• Performed SSAE16 reviews.
• Performed IT Risk Assessments.
• Performed Business Cycle Controls (BCC) evaluations.
• Performed IT Internal Controls evaluations.
• Developed and implemented IT Policies and Procedures.
• Performed a Special IT Audit for a closure project for Microsoft.
• Performed a special project in Tequila Don Julio to implement policies and procedures to safeguard the Personal Information of clients and employees, to be in compliance with federal laws similar to PII laws in the US and the General Data Protection Regulation (GDPR) of the European Union (EU).
Guadalajara Chamber of Commerce, Guadalajara, Jalisco, Mexico
March 1997 – September 2005
Coordinator of Mariachi Festival and Tequila Express
• Planned the activities to be performed during the festival.
• Submitted the proper documentation to immigration to obtain the visas for the members of the Mariachi groups that required that permit (around 150 persons), based on the country of citizenship.
• Planned the agenda for the Mariachi groups during the days of the event.
• Managed over 100 persons as coordinators for each mariachi group, who accompanied the group during the days of the event.
• Managed the beverages during the Tequila Express train tour every Saturday and Sunday.
Education
Bachelor's in Computer Engineering
University Guadalajara Lamar – University of Guadalajara
Languages
Spanish: Native Language
English: Advanced Listener, Speaker, Reader and Writer
Membership in Professional Association
Information Systems Audit and Control Association (ISACA)
Trainings
• IT Control Objectives for Sarbanes-Oxley (SOX Regulation for companies in the Stock Market)
• Sarbanes-Oxley (SOX) Section 404 - A Guide for Management
• Sarbanes-Oxley (SOX) Information Security Professional
• Cybersecurity Governance, Risk and Compliance
• How to perform and prepare a SSAE 16 (Former SAS70) certification
• System and Organization Controls (SOC 1 and 2) report
• Segregation of Duties (SoD)
• ISO 27001
• Information Security Management System (ISMS)
• National Institute of Standards and Technology (NIST)
• Center for Internet Security (CIS) (formerly known as Critical Security Controls): Recommended set of Actions for Cyber Defense
• Internet Security
• Business Continuity Plan (BCP)
• Disaster Recovery Plan (DRP)
• Disaster Recovery Plan (DRP) Main points to take into consideration
• Payment Card Industry Data Security Standard (PCI DSS)
• General Data Protection Regulation (GDPR)
• Moving Your Enterprise Systems to the Cloud
• The IT Audit Approach
• Internal Control Over Financial Reporting (ICFR) Attestation Instructions, Guidance and Considerations
• Business Cycle Controls (BCC)
• Risks, Controls and Policies and Procedures
• Risk and Control Process Map – Manufacturing Business
• How to Report a Finding/Issue
• The Remediation Process
• Design and Control Tests: Speaking about Internal Control
• How to document the testing of an IT control
• IT Controls Assurance:
  o Module 1 Intro to IT Controls Assurance (IT CA)
  o Module 2 Planning Engagement
  o Module 3 Internal Controls
  o Module 4 Internal Control Weaknesses
  o Module 5 Bringing IT All Together
• Basic Accounting and the Accounting Process
• How a Risk is Mitigated
• Control Objectives for Information and Related Technologies (COBiT) Versions 4.1 and 5:
  o PO: Plan and Organize
  o AI: Acquire and Implement
  o DS: Deliver and Support
  o ME: Monitor and Evaluate
  o Framework
  o Process descriptions
  o Control objectives
  o Management guidelines
  o Maturity models
• Information Technology Infrastructure Library (ITIL) Versions 3 and 4:
  o Service Lifecycle Introduction to ITIL
  o Service Strategy
  o Service Design
  o Service Transition
  o Service Operation
  o Continual Service Improvement
• Aligning COBiT-ITIL-ISO27002 for Business Benefit
• Differences between COBiT and ITIL
• COBIT 5 – Change Log for Web
• Questionnaire to dimension a Disaster Recovery Plan (DRP) Project
• Cybersecurity Framework
• Microsoft Licensing – How to be in compliance with license requirements and reviews
• Guide for Software Managing
• IT Governance
• IT Compliance
• IT Risk Assessments
• Information Technology Assurance Framework (ITAF)
• How to Map the Processes within an Organization
• How to perform an effective Walkthrough
• The basic controls for Network Security
• Introduction to General Computer Controls (GCC):
  o Policy and Procedure
  o Organizational Structure
  o External Suppliers
  o Data Centers
  o Network
  o Physical and Logical Security
  o Backups
  o Help Desk
  o Antivirus
  o Software
  o Hardware
• How to define IT Requirements during an IT Audit