Robert Hutchison CISSP CISA CRISC

Finance Manager

Location: Elmira, Ontario, Canada

  • About me

    Seasoned Governance, Risk and Compliance (GRC) Information Security and IT Audit Professional, uniquely experienced across the financial and technology sectors. Presently under contract until April 2025.

  • Education

    • Sheridan College

  • Experience

    • United Way of Oakville

      Jan 1990 - Jan 1996
      Finance Manager

      Managed all aspects of accounting and finance. Responsibilities included general ledger, accounts payable, accounts receivable, payroll, investments and agency allocation management.

    • PwC

      Jan 1996 - Jan 2000
      Manager, Technology Consulting

      Worked with clients in North America, Europe and Asia in industries such as Financial Services, Technology, and Government. Initial responsibilities primarily focused on delivery of services. Later years involved team management and client engagements.

    • Entrust

      Jan 2000 - Jan 2002
      Senior Project Manager

      Responsible for managing the delivery of public key infrastructure (PKI) projects to clients in North America, Europe, and Asia.

    • Deloitte

      Jan 2002 - Jan 2002
      Manager, Enterprise Risk Services (ERS)

      Worked with clients to identify, develop, and test internal control policies and procedures within clients' business process and information technology environments. Provided these services to clients as part of an audit or as individual projects resulting from major organizational changes or implementation of new technologies.

    • Canadian Tire Financial Services

      Jan 2002 - Jan 2007
      Manager, IT Risk Governance

      Managed a highly effective team of IT Risk Governance, IT Security and Records Management staff to monitor and measure control effectiveness for the division. Chaired the Information Security Steering Committee. Responsible for Canadian Tire Bank board reporting on IT risk management compliance. Member of the Canadian Bankers Association (CBA) Computer Incident Response Team meetings. Canadian Tire Bank Project (2002 to 2003): responsibilities included writing the original Canadian Tire Bank Information Security Policy, Operating Directives and Standards, Architecture, and Standard Operating Procedures.

    • Manulife Financial

      Sept 2007 - Oct 2018

      The role was accountable for the successful delivery of divisional compliance initiatives and ongoing steady-state compliance monitoring for several key regulatory programs, such as:
      - Fair Treatment of Customers (FTC) Compliance Program
      - Anti-Fraud Compliance Program
      - Accessibility for Ontarians with Disabilities Act (AODA) Compliance Program
      - Foreign Account Tax Compliance Act (FATCA) Initiative and Compliance Program
      - Canada's Anti-Spam Legislation (CASL) Initiative

      The IS Security and Risk Officer was responsible for developing and implementing the IT Governance Risk Management framework for the Canadian Division. The role involved working with both Corporate IS Risk Management and business units to assess, monitor and measure IS risks and ensure appropriate risk management practices were implemented. Team leadership included both recruitment and retention of employees, contractors, and co-op students.

      The Business Unit Security Officer (BUSO) was responsible for ensuring that the business unit IT controls were compliant with Manulife Financial Information Security Policies. In addition, the BUSO monitored and measured control practices, took corrective action on IS security risks and audit reports, and managed and participated in periodic reviews of IT controls, including the annual SOC 2 audit reports for clients.

      While remaining totally independent, the Canadian Division IT Audit Services team was responsible for independent testing of internal controls over financial reporting as per Sarbanes-Oxley. The function provided a service to management by performing management testing and highlighting internal control deficiencies for resolution. The evidence and testing results were shared with the external auditors for SOX auditing and reporting.

      • Compliance Director

        Oct 2011 - Oct 2018
      • Canadian Division IS Security and Risk Officer

        Apr 2010 - Oct 2011
      • Business Unit Security Officer

        Jan 2009 - Apr 2010
      • Internal Audit Manager

        Sept 2007 - Dec 2008
    • BlackBerry

      Oct 2018 - Apr 2020
      Cyber Security Compliance and Governance

      At the direction of the VP, Cyber Security, coordinated the overarching annual audit plan with internal and external auditors to support delivery of multiple, simultaneous audits and certifications within the BlackBerry portfolio (ISO27K, SOC2, FedRAMP, IRAP, SOX, PCI, Security Essentials). Responsibilities included:
      - Delivering audit milestones to keep audit timelines on target by identifying and escalating roadblocks.
      - Collaborating cross-functionally with functional and business stakeholders to drive, track, and resolve all aspects of compliance readiness and audit execution.
      - Leading gap assessment, compliance readiness, and compliance monitoring activities.
      - Interfacing with internal and external auditors for periodic audit activities.
      - Conducting various IT compliance controls validation and implementation activities.
      - Collaborating with functional and business stakeholders, along with other Compliance team members, to facilitate remediation and execution of corrective action plans.
      - Participating in continuous improvement initiatives.
      - Developing metrics and dashboards for reporting on assigned compliance programs.

    • OpenText

      Apr 2020 - Oct 2023
      IT Compliance, Global Information Security

      The role was primarily responsible for a series of strategic deliverables: SOC 2 audits, acquisition integration, and readiness reviews for new compliance programs.

      The Integrated Control Matrix (ICM) mapped controls, requirements, and evidence. The OpenText Common Control Framework (CCF) was developed and mapped internal controls to ISO, SOC, PCI, FedRAMP and Protected B requirements. The ICM then mapped the evidence to the controls, and the GRC tool was updated with the information from both. This strategic deliverable enabled a single view of controls and requirements and also provided a risk management perspective.

      The SOC Audit Program Leader was responsible for 28 SOC audit reports and was a member of the Compliance / External Audit meetings. The annual audit program included reporting risks and audit findings to management and quarterly management updates. Over a two-year period, all SOC Section 3 content was gathered, reviewed and updated, resulting in consistent and concise content across all reports. Section 4 content was gathered, reviewed, and updated. The GRC tool was updated to contain the control descriptions, aligned with the evidence and mapped to the various requirements.

      Throughout the year, new compliance programs are requested, acquisitions have compliance programs that need to be transitioned, or the business develops and launches new products or services that it would like audited or certified. Each of these requests undergoes a complete internal readiness review, including evidence collection and testing. Management is provided with a report recommending approval or listing the control deficiencies that must be resolved before integration into the Compliance Program. Many of the requests related to public cloud solution offerings. To assist the business with integration or transition to public cloud providers such as AWS, Google and Azure, a SOC control baseline was developed, resulting in faster deployment.

    • 1000949377 ONTARIO INC

      Jun 2024 - Mar 2025
      Information Technology Compliance Manager

      The client contracted my services to assist with a series of strategic IT Compliance initiatives:
      - Design, implement and configure Vanta Software, a GRC tool they had licensed.
      - Design and implement "Common Controls / Product Specific" controls to reduce overall compliance workload by ~33%.
      - Assist the organization with the transition from PCI-DSS 3.2.1 to 4.0R1.
      - Assist with the completion of an audit when a key member left the organization.
      - Lead the first PCI-DSS audit using the Vanta GRC tool.

  • Licenses & Certifications

    • Certified in Risk and Information Systems Control (CRISC)

      Information Systems Audit and Control Association (ISACA)
      Dec 2010
    • Certified Information Systems Auditor (CISA)

      Information Systems Audit and Control Association (ISACA)
      Jun 2005
    • Certified Information Systems Security Professional (CISSP)

      International Information Systems Security Certification Consortium (ISC2)
      Apr 2004