IT Security Architecture Resume Profile
Information Security Design and Architecture, GRC, Operations expert with 14 years of experience.
- He is an IT Security Design and Architecture professional with expertise in IT Security Architecture, Design and Evaluation, Governance, Risk and Compliance and Security Operations. He is an experienced Security Architect and Security Design Engineer for multiple projects involving cloud service providers, transition to cloud, third party hosting and mobile applications. He has designed, implemented and reviewed IT Risk and Control frameworks for clients and assessed control compliance for SOX, BS7799/ISO27001, BS25999. He has strong experience in project management. Led a team of security analysts as part of Managed Security Services responsible for network, system and application security.
- He has expertise in IT Audits, design and development of IT Security policies and procedures, formulation of Business Resiliency (BR) and Disaster Recovery (DR) Plans. He has hands-on technical expertise in Security Incident and Event management, Firewall Management, IDS, Vulnerability Assessments, Application Security, System (UNIX, Wintel) and Network administration.
- He has worked for various clients across the globe covering a wide cross-section of the industry sectors such as Technology, Retail, Banking and Financial services, Pharmaceuticals, Telecommunications and Networking, Federal and State governments, and IT services.
Key Skill Set
- Security Architecture and Design: IT Security Architecture and design including cloud based and transition to cloud security design, web and mobile applications, network security infrastructure, application security and third party hosting.
- IS Governance: Risk Management Framework development, IT Security policy and procedure development, Business Process Analysis, Benchmarking and Regulatory Compliance.
- IT Risk and Control Assessments: Risk and Control Assessments, Data protection and planning, Risk identification and categorization, Qualitative and Quantitative Risk Assessments based on impact and likelihood of risk, Control rationalization relating to Applications, Operating systems, Databases and Networks.
- Disaster Recovery and Business Resiliency Plans: Conducting Business Impact Analysis, identifying recovery objectives, developing recovery strategy, plan testing, training and user awareness, and plan review and maintenance for development of business resiliency and disaster recovery plans.
- Security Engineering: Designing, implementing and managing SIEM, Firewalls, IDS
- Frameworks / Standards used: NIST SP 800-53, IRS p1075, TOGAF, SABSA, MODAF, Zachman framework, OSA, COBIT, ISO 27001, SOX, BS25999, FISMA, FEDRAMP, ANZ-4360, PCI, HIPAA, ITIL, STRIDE/DREAD.
IT Knowledge
- OS and Applications: Unix (Sun Solaris, IBM AIX, RedHat Linux), Windows servers with Active Directory, MS Office / Outlook / Visio, Clarity, Remedy, Bwise, Lotus Notes, Galileo
- Networking Components: Cisco Routers and switches (with FWSM, Cat OS), Checkpoint, Cisco PIX Firewalls, IDS (ISS Network/Host), AlertLogic, Snort, Web Sense proxy, IMSS Mail gateway scanner
- Tools and Utilities: Cenzic Hailstorm, Veracode, AppScan, Qualys, nCircle, JTest, NGSSquirrel, Tripwire, CIS-CAT, ArcSight, Splunk, ISS DB scanner, System scanner, Nessus, WebScarab, PGP, L0phtcrack, Wireshark (Ethereal), MBSA, Archer, Catalyst.
Project Summary
12. KPK Technologies
CONFIDENTIAL
- Responsible for creating a Security Program for a systems integrator offering a SaaS solution along with a cloud based technology service provider as partner
- Implement and operationalize IT Security control framework based on NIST 800-53, IRS p1075 handling Federal Tax Information (FTI), PII and other sensitive information
- Provide Security Architecture support, develop Information Security policy framework and procedure to support compliance requirements and implement security controls and monitor compliance to NIST, IRS and PCI requirements
- Develop, operationalize and manage a Vulnerability Management Program including Application testing, Database and Infrastructure security testing, control assessments.
CONFIDENTIAL
- Provide risk treatment support to customers and technical teams to remediate findings from security assessments and recommend appropriate risk remediation
- Interact with cross functional teams to review and analyze complex issues from technical assessments and guide teams to reach an acceptable resolution
- Modify and improve risk remediation work flows in Archer EGRC tool to better facilitate risk remediation process
CONFIDENTIAL
- Worked as a consulting security architect to multiple project teams involving cloud service providers, transition to cloud, security infrastructure, web portals, and mobile applications to develop secure solutions by design including access control, network security, application and data security
- Analyzed business requirements, evaluated security posture of the solution and created a risk profile for the project with draft security requirements
- Participated in application design review sessions and advised on security architecture and design considerations to help meet security requirements
- Conducted security tests (web application scans, infrastructure scans, code review), analyzed reports, identified false positives, discussed them with project teams and worked towards remediation of identified findings
CONFIDENTIAL
- Worked on multiple projects over multiple years providing information security design and architecture support for solutions hosted internally, on cloud and at third party hosting locations, across multiple geographies (Americas, Europe, Asia)
- Architected data protection solutions, improved the Information Security Risk and Compliance Review process, and implemented a remediation planning review, tracking and reporting process
- Responsible for Security Risk remediation planning and management and led a team of three risk management consultants
- Reviewed and approved remediation plans during the design stage and assisted in developing a post implementation audit process
- Developed business requirements for transition to Archer risk management tool for security review, waiver and addendum process
CONFIDENTIAL
- Independent assessment of control design and operational effectiveness of security controls for network and security infrastructure
- Audit planning, risk matrix development, scripting control test plans and test procedures
- Compliance gap analysis of existing security architecture with NIST 800-41 rev1 guidelines
- Conducting technical field work, evidence gathering, analysis and issue reporting
- Coordinating closely with business management team on identified issues, remediation steps and follow-up
- Audit Tools: AutoAudit
CONFIDENTIAL
- Independent auditor for testing operational effectiveness of IT General controls (internal controls over financial reporting) relating to SOX 404 compliance
- Key control rationalization, sampling methodology, design and review of control test plans and test procedures
- Coordinating closely with business management team on identified issues, remediation steps and follow-up
- Reviewed security configurations for Operating Systems including Sun Solaris 8, IBM AIX 5.3, Windows 2003 server with Active Directory
- Reviewed RBAC (role-based access controls) for IT Applications including SAP PeopleSoft Application access control, profile authorizations, configuration reviews, and Treasury Application access provisioning and entitlement management
- Reviewed security design and configuration files/documents for network devices including Juniper/Netscreen firewalls, Snort IDS, Cisco switches, routers, physical security and data center IT general controls.
- Reviewed process integration and recommended improvements
- Documented findings and prepared audit reports for the management
- Risk Management Tools: Archer, BWise and Galileo
- External Auditors: KPMG
CONFIDENTIAL
Senior Technology Risk Management Consultant
- Conducted quarterly RCSA (Risk and Control Assessments) to ensure compliance to IT General Controls and company security standards for Applications including SDLC processes, networks, OS (Solaris, Wintel), databases (Oracle) and IT service support
- Control rationalization on a periodic basis to improve effectiveness of IT General Control framework using Archer Risk management tool
- Worked on special projects relating to RBAC (role-based access controls), developed information security processes and procedures relating to SDLC (developer access to production, sensitive data in non-production environments) and Application security (Identity and access management), software license reviews and export licensing compliance
- Control automation for Risk Acceptance and Third Party Information Security Assessment management processes using eTools
- Security incident management, reporting, trending and technical analysis.
- Performed Risk assessments for infrastructure and applications, entitlement reviews among other responsibilities
- Member of corporate network perimeter security committee representing business unit responsible for actions relating to network security policy
- Developed information security dashboard and streamlined management reporting process
CONFIDENTIAL
As part of the Enterprise Risk Management team, provided consulting services to clients in the area of IT Security management. Developed ISMS methodology for establishing IT Risk management framework based on BS7799/ISO 27001, helped create a tool for conducting Risk Assessments.
CONFIDENTIAL
Information Security Consultant
- Conducted risk assessments and BS7799 compliance audits for Asia Pacific locations
- Developed Business resiliency and pandemic preparedness frameworks
- Designed program scorecards for security program management
- Benchmarked Business continuity framework with industry best practices such as BS25999
- Document and create gap analysis reports with recommendations to management
- Project management and coordination across business functions
CONFIDENTIAL
Information Security Consultant
- Conducted application security audit and IT general control review for the Punjab state lottery application systems
- Reviewed Identity and Access management, change management, SDLC processes and provided recommendations
- Conducted network security, data center, OS (RedHat Linux, Windows) and database (MySQL) audits
- Document and create gap analysis reports with recommendations to management
CONFIDENTIAL
Information Security Consultant
- As part of IPP (Information protection and planning) assessments relating to IT General controls, reviewed existing information security practices, prepared Gap analysis and remediation plans to ensure compliance to Pfizer security standards.
- Conducted business process walk through meetings with business owners, technology managers and documented business processes
- Identified required IT controls, conducted gap analysis and developed remediation plans to ensure compliance with Pfizer security standards and documented the Information protection plans
- Designed and developed Business continuity and Disaster recovery plans for Pfizer Russia (PGP, PCH, PAH).
CONFIDENTIAL
As part of the Information Security practice, worked for various clients in the area of IT security leading teams of security analysts. Responsibilities included implementing and managing various security products, conducting security audits, vulnerability assessments.
CONFIDENTIAL
Team Leader, IT Risk Management Team
- Responsible for the MSS Security operations team of 10 security analysts, project transitioning, audit reporting and implementing security controls and processes
- Administered security incident and event management, monitoring intrusion detections and analysis
- ArcSight ESM based Security incident and event management, monitoring and Intrusion Analysis
- Ensure compliance with Deutsche Bank security policies, prepare security related audit reports
- Network security compliance management using Securify
- Liaison with auditors on behalf of the team.
CONFIDENTIAL
Security Consultant
- Responsible for securing the bank's Internet banking network security infrastructure and led a team of 4 security engineers.
- Managed Checkpoint HA firewalls and performed firewall policy audits
- Performed vulnerability assessments for OS (Windows), web server (IIS), databases (Oracle, SQL) and fixed vulnerabilities on mission critical servers
- Conducted application security control reviews and reported any recommendations to management
- Designed and implemented business continuity plans for mission critical systems
- Analyzed intrusions and took preventive steps to thwart malicious attacks
- Updated and audited security policies
- Mail gateway scanning protection using IMSS with Spam Prevention Engine
CONFIDENTIAL
Security Engineer
- Checkpoint firewall policy enforcement
- Performed impact analysis and change management for firewall policies
- Password Strength Enforcement and Vulnerability Assessment using ISS System Scanner
- Automated account administration activities with Perl scripts.
- Application security and Identity and access management for applications using Siteminder
- Reviewed security policies and recommended modifications
- Implemented Six sigma quality procedures in all activities
CONFIDENTIAL
Network Engineer
- Configuration of Cisco Routers to provide interconnectivity between TATA Public Internet Cafes and the TATA ISP; enabled ACLs on the router for traffic filtering
- System Integration in heterogeneous networking environment (Unix/AIX, Solaris, Linux, and Windows)
- Designed and implemented LAN of 200 nodes
- Network auditing using Fluke Network Analyzers
- Vendor coordination and peer coordination across the locations
- Implementing quality system procedures for ISO 9002
CONFIDENTIAL
Network Engineer
- Responsible for the Fiber Channel Disk Sub System (Clarion 5300/5400). The network size is 225 nodes, which include AIX, Solaris, Linux and Windows NT platforms
- Worked with Brocade Communications Fiber Channel Switch to connect servers with the storage disk sub system
- Implemented RAID and managed and monitored the storage sub system through Navisphere software
- Maintaining the IBM RS6000, Sun E450, Gateway 5250 systems that are connected to the Fiber Disk sub system
- Implemented preventative maintenance plans
- Coordination with the vendor for hardware support
CONFIDENTIAL
Systems Administrator
- Network administration and support of Windows NT LAN/WAN environment
- System administration for Unix platforms (Solaris, AIX, RedHat Linux)
- Ensured compliance to established procedures with regard to operational and application documentation.
- Planned and implemented backup strategies
- Trained new recruits in systems and applications
- Patch Management and server upgrade
CONFIDENTIAL
Network Specialist
- Troubleshooting dial up connection problems for the customers
- System integration and Internet connectivity through routers
- Troubleshooting network and hardware issues
- Trained on Linux, mail servers (sendmail/qmail) and network management software (CA Unicenter TNG)