Shelby Cannon

  • Director of Governance, Risk, and Compliance
  • Chicago, Illinois 60615
  • Jul 18, 2017
Full time Information Technology

Personal Summary

Solutions-oriented, highly skilled, and multifaceted IT professional, offering extensive experience in information security and operations management, risk analysis and governance, and strategic planning.

Skilled at managing global resources and programs and providing enterprise solutions to complex projects. Effective at leading organizations toward business growth and development by determining improvement needs; improving business operations; employing standards, policies, and procedures; and minimizing project costs. Articulate communicator with conversational proficiency with Spanish and American Sign Language.

Work Experience

Senior Manager Information Security Compliance, Policy and Awareness
  • Lead the establishment of a governance framework to develop, maintain, and approve all information security foundational documentation, which includes policies, standards, procedures, and work instructions

  • Ensure accuracy in drafting and publishing Tenneco’s information security policy documentation in compliance with ISO 27001 (2013)

  • Prepare and implement a communication plan in alignment with the corporate Office of Change Management (OCM) to ensure proper execution of enterprise information security activities

  • Serve as co-sponsor for employing security reviews and risk assessments into the Vendor Management Office evaluation process regarding new vendors, new services, and contract renewals

  • Effectively educate members of the extended Information Security Incident Response (ISIR) Team regarding their tasks by formulating the training strategy on Tenneco’s ISIR procedures

  • Take charge of enforcing a risk evaluation process into the Project Management Office (PMO) to guarantee compliance of the level of risk with Tenneco’s acceptable parameters before implementing projects

  • Implemented the audit liaison program within the Information Technology Department which streamlined the audit process to ensure on-time verification of approved timelines

Notable Accomplishments:

  • Completed the development and deployment of the company’s Global Data Classification Program to consistently and correctly identify, label, and protect all Tenneco data throughout the enterprise

  • Worked with the Compliance Team in establishing an external data compliance framework based on information produced and managed by the company; including the Federal Trade Commission (FTC), Automotive Industry Action Group (AIAG), The Payment Card Industry Data Security Standard (PCI-DSS), Privacy Shield and General Data Protection Regulation (GPDR)

  • Enhanced the security configuration of Tenneco’s SAP environment by sponsoring a 3rd party SAP security assessment

  • Established the Customer Compliance Program, which provided a centralized response to external customer and original equipment manufacturer (OEM) requests regarding the protection of the customer and Tenneco’s information to validate data protection by establishing the Tenneco Customer Audit Requirements Program

Director Information Technology Governance, Risk and Compliance
Xylem Inc.
  • Conceptualized and managed the requirement monitoring and improvement activities to ensure adherence to all internal security policies as well as to applicable global laws and regulations

  • Cultivated and sustained business and functional relationships to determine and resolve risk mitigation strategies external to IT

  • Ensured consistent reporting of security incidents by defining service levels and enforcing key process indicators

  • Formulated and employed an information security governance framework that addressed key risk decision areas

  • Led and implemented a comprehensive security training and awareness program for all levels and functions within the organization

  • Enabled the automation of process within Remedy for information security exception requests; which included blocked content, elevated rights, remote access for third parties, firewall modifications, and security policy exceptions

  • Performed publishing of global acceptable use of information technology resources policy which summarized the appropriate use of IT resources by company employees and 3rd parties

Notable Accomplishments:

  • Built the Xylem’s Data Compliance Program, which consisted of both internal and external requirements to comply with all regulations defined by Xylem’s area of business; including Health Insurance Portability and Accountability Act (HIPAA), PCI-DSS, Sarbanes-Oxley Act (SOX), Basel II, Global Privacy Mandates, and CIKR (Critical Infrastructure) Directives

  • Served as the point of contact, responsible for conducting internal and external auditing for all IT-related assessments, including SOX, attack and penetration, and enterprise risk assessments charged with resource allocation, schedule management, as well as tracking and reporting of the remediation of identified deficiencies

  • Pioneered and managed the enterprise Disaster Recovery Program which offered deliverables, process documentation, and assessments for significant IT sites within the corporation

  • Served as information security representative on several corporate councils; such as Global Trade and Compliance, Global Privacy, Global Physical Security and Business Continuity, and Global Environmental Health and Safety

Divestiture Data Management Security Work-Stream Lead
ITT Corporation
  • Served as security liaison across major corporate functions while ensuring proper response to divestiture project plans, tasks, and schedules

  • Protected and guaranteed the safety of data in motion and at rest by contributing global protection requirements to the application transition work stream

  • Assessed the risks of legacy ITT exchange and messaging environments to prevent the same critical errors in new company configurations

Notable Accomplishments:

  • Generated the scheme used in categorizing, separating, and destructing all data within ITT to ensure that the new companies after corporation’s split only had access to their required and approved data

  • Actively participated in the Privacy Council responsible for complying with the Safe Harbor and other global privacy principles by providing information security standards and requirements

  • Allowed the access of all third party users to the legacy ITT network by creating an abbreviated process which expedited account process and implementation time while maintaining security controls

Regulatory Compliance Architect
ITT Corporation
  • Worked as a security point of contact, responsible for the design of platform and infrastructure, consolidation of business requirements, and assessment of the overall system architecture for Project Connect, ITT’s corporate-wide web 2.0 initiative

  • Provided corporate approval for all exception requests to security policies and standards

  • Offered support in formulating risk assessment methodology and security architecture scheme for the entire corporation

  • Ensured accuracy in preparing and revising corporate security policy in accordance to ISO 27002 specifications

Notable Accomplishments:

  • Supervised and guided the Project Team in establishing and employing a singular schema to classify data comprising both Defense and Commercial requirements and making it applicable to all major data types and business areas

  • Spearheaded the implementation of a regulatory compliance framework for all new global IT projects and initiatives, identifying applicable regulatory requirements within the project definition phase and providing help in complying with the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR); United States and European data privacy guidelines; and PCI-DSS standards

Senior Consultant | Associate
Booz Allen Hamilton
  • Acted as program manager for the Comptroller of the Currency (OCC) Information Security Office (ISO) program support, responsible for developing and expanding the business and a centralized security program

  • Maintained direct interaction with clients as well as facilitated and conducted presentations on meetings regarding project scope and requirements

  • Took charge of tracking all financial project data and reporting the project status as well as in creating project schedules and enforcing client delivery plans

  • Consistently complied with the policies and procedures of the Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST), and Department of Treasury

  • Managed the $7M budget and profitability forecasting for five programs within the Treasury Department

  • Guided and trained 10 direct reports and junior staff members

Notable Accomplishments:

  • Developed and implemented the following:

    • Plan of actions and milestones (POA&M) processes

    • Weakness remediation and mitigation strategies

    • Standardized internal and external reporting tactics

    • OCC Certification and Accreditation (C&A) process

  • Implemented the system and led the alignment with established OCC System Development Lifecycle (SDLC)

  • Completed the successful restructure of preparation controls for the annual GKA Financial and SOX audits, thus guaranteeing the overall precision of reporting metrics for auditors

  • Functioned as information system security officer (ISSO) for three federal management system (FMS) financial applications and accomplished training on Office of Management and Budget (OMB) and Department of Treasury policies

  • Rendered oversight to the recertification project; with responsibilities of handling and allocating resources, tracking financials, and ensuring the quality of all client deliverables

  • Brought major contribution in designing and implementing HIPAA Security Rule service offering within U.S. Department of Health and Human Services, Health Resources and Service Administration (HRSA) Division


Master of Science in Criminology
Florida State University
Bachelor of Science in Criminology and Criminal Justice, Minor in Computer Science
Florida State University