- More than 12 years of experience in IT Management, IT Security, PCI DSS Security Compliance, SOX 404, Security Risk Management, Compliance, and Project Management; galvanized teams in core initiatives while serving as a change agent for efficiency improvements, with expertise in Platforms and Interface Management.
- Interfaced with Senior VPs and Directors to determine business strategy and to allocate budget and resources; managed a large team of professionals.
- Leader with a proven track record of delivering technology solutions using multi-site and cross-cultural teams.
- Demonstrated ability to identify gaps in key IT security processes and implement IT best practices.
- Managed the implementation of IS Security programs in large enterprises.
- Wide industry experience including Banking, Financial, Insurance, Healthcare, Retail, Telecommunications, Manufacturing and Logistics.
- Effective at motivating and leading IT security, IT audit, and compliance professionals. Excellent presentation, communication and negotiation skills.
- Extensive experience in Security Programs, Security Policies & Standards, Risk Management, IT Governance, IT Compliance, Incident Management, Vendor Evaluation, and Data Discovery & Classification.
- Implemented an Enterprise Risk Management Framework; conducted enterprise-wide security risk assessments and third-party vendor security risk assessments; managed the implementation of large secure networks and systems.
- Defined and managed the implementation of PCI DSS security compliance.
- Managed certification and compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) for numerous companies including Wachovia Bank.
- Completed several annual PCI DSS Self-Assessment Questionnaires (SAQs).
- Enabled and assisted internal business units to build and maintain PCI-certified systems and infrastructures; provided guidance on PCI DSS requirements.
- Provided status reports on consistent findings and proposed solutions; created executive-level dashboard reports.
- Managed large security, risk and compliance initiatives (SOX 404 IT, PCI DSS, HIPAA/HITECH, Privacy Act, FFIEC, FTC), including security policies, procedures and controls.
- Collaborated with key business and IT leaders to develop security policies, standards, guidelines and procedures to ensure confidentiality, integrity, and availability, based on the following frameworks: COSO, NIST, ISO 27001, ISMS, COBIT, OWASP, SANS, ITIL, and 21 CFR Part 11.
- Established a Security Committee and Change Control Committees. Created a Security Incident Response Plan; investigated security breaches; recommended an asset management system; resolved software piracy issues.
- Managed the implementation of BCP and DRP plans; integrated security into the SDLC process.
- Program management, project prioritization and team selection.
- Vendor negotiation; leveraged global development and delivery models.
- Managed the implementation of vulnerability and patch management.
- Conducted and reviewed security risk assessments; conducted vulnerability assessments and penetration testing using Qualys, Fortify, AppScan, Nessus and Rapid7.
- Conducted manual and automated web application security testing.
- Trained and mentored IT security and compliance professionals; designed security awareness training programs.
- Managed complex and large IT security projects with budgets ranging from $500K to $7M and teams of 5 to 40 professionals.
Education / Certifications
- MBA – Technology Management
- CISM – Certified Information Security Manager (ISACA)
- PMP – Project Management Professional (PMI)
- CISA – Certified Information Systems Auditor (ISACA)
- CRISC – Certified in Risk and Information Systems Control (ISACA)
- CCDA and CCNA – Cisco Certifications
- CISSP Certification Training Course – IT Security Course (ISC2)
- CPISM – Certified PCI Security Manager training
Client Name: Confidential, SouthBoro, MA, April 2011 to present
Senior IT Security Risk Consultant
IT Governance and Enterprise Risk Management (ERM): Develop the IT Governance and Enterprise Risk Management Framework for the company. Identify company assets and create a ranking and scoring methodology to determine the critical or high-value assets. Create a high-level scoping questionnaire based on key categories and a risk assessment questionnaire. Conduct enterprise-wide IT and security risk assessments and audits of the critical assets. Create a findings matrix with issues and recommend remediation strategies. Manage and track enterprise risks, threats, vulnerabilities and security issues, and the status of remediation plans, using the Archer GRC tool. Prepare high-level dashboard reports in Archer and present them to senior management.
Web Application Security Testing, Risk Assessment Framework and Security Architecture Design: Establish a security risk assessment framework and process to integrate security into the SDLC process. Design security architecture for web applications. Conduct security testing using vulnerability and threat analysis tools (Qualys); identify security risks and gaps between security requirements and the architecture design, and provide practical recommendations based on OWASP and SANS.
Secure Configuration Standards and Enforcement of Security Policies: Developed secure configuration standards for UNIX, Linux and Windows servers based on NIST, and enforced security policies.
Client Name: Confidential, Nov 2010 to Jan 2011
Consulting Manager (Security and Compliance)
Systems and Web Application Security: Managed a team of security professionals and designed secure infrastructure and web applications. Integrated application security best practices (OWASP) and security into SDLC processes.
PCI DSS Security and Compliance: Managed the team that identified security risks relating to PCI DSS. Provided guidance on PCI DSS requirements. Enabled and assisted internal business units to build and maintain PCI-certified systems and infrastructures.
Confidential, Nashua, NH, Oct 2007 to Oct 2010
Principal Consultant / Director – Security and Compliance: Provided direction and leadership for the company's IT Security and Compliance practice. Developed the IT security program and policies. Developed policy frameworks and a methodology for service delivery. Managed and delivered IT security and compliance initiatives (Enterprise IT Security program, ERM, SOX, PCI, PII, HIPAA/HITECH, and ISO 27001) for several Fortune 500 companies, including:
Confidential, Cary, NC
PCI DSS Security: Acted as PCI DSS advisor; defined and implemented a global PCI compliance roadmap; managed teams and designed IT security solutions for safeguarding customer and credit card data. Identified secure systems for processing credit cards. Completed the annual PCI DSS Self-Assessment Questionnaire (SAQ) for Siemens.
SOX 404 IT Security (SAP, UNIX and Oracle Database Security): Managed the implementation of secure configurations in SAP, UNIX and Oracle databases based on NIST standards.
Confidential, Mountain View, CA
PCI DSS, SAS 70 and ISO 27001 Security: Managed teams to develop and implement an ISMS framework and prepared the company for SAS 70 and ISO 27001 security certifications.
Web Application Security: Developed a security risk assessment framework and integrated security into the SDLC process. Managed security reviews of 23 key business web applications (C+, Java, .NET) using Fortify and AppScan. Identified issues based on OWASP and SANS.
HIPAA and PCI DSS Security: Managed a team of IT security professionals and identified security gaps relating to HIPAA and PCI DSS.
Confidential, Framingham, MA
Payment Card Industry (PCI) Data Security Standard (DSS): Managed five security and compliance professionals and executed PCI DSS programs in TJX corporate offices in the USA, Canada and Europe. Defined and implemented a global PCI compliance roadmap for TJX. Identified and implemented the policies, security configuration standards, guidelines, processes and controls required to comply with the PCI Data Security Standard (DSS). Reviewed security controls relating to IDS/IPS, VPN, firewalls, event correlation tools, identity management (authentication, authorization), cryptography and key management.
Federal Trade Commission (FTC) Privacy Act: Identified the requirements of the FFIEC Information Security IT Examination Handbook and evaluated the effectiveness of controls.
Security Incident Response Management: Created security incident response policies and formed a Computer Security Incident Response Team (CSIRT). Collected system logs and events in an event correlation tool, identified the impact of issues and escalated them.
Confidential, Washington, DC
SOX 404 ICFR (PeopleSoft and SAP Systems Security): Managed and conducted security reviews of ERP (PeopleSoft and SAP) systems. Identified security gaps and deficiencies in applications and systems and mitigated the risks.
HIPAA Security: Conducted a security review for HIPAA and identified deficiencies.
Confidential, Des Moines, IA
IBM System/390 (z/OS) Mainframe Security: Conducted security reviews of IBM System/390 (MVS/RACF), GDPS/XRC data mirroring, storage systems and other systems, and recommended best practices.
Firewall and Security: Reviewed firewall, IDS/IPS and security configurations and identified security issues.
PCI Compliance and GLBA: Conducted system audits for compliance with PCI DSS and the GLBA.
Provided status reports on findings and proposed solutions; created executive-level dashboard reports.
Confidential, Boston, Massachusetts
Senior IT Audit Manager Mar 2005 to Sep 2007
Project Manager Consultant Aug 2004 to Mar 2005
Managed IT audit and security programs, including SOX 404, with five IT auditors for the entire corporation, including locations in Europe, Asia, Australia, Canada and the USA.
SOX 404 IT Compliance: Audited and tested controls for AS/400, SAP, PeopleSoft, JD Edwards, Oracle, DB2, MS SQL, Infinium, AIX 6000, UNIX (Sun Solaris), IT security, systems, and applications.
ERM / IT Governance: Developed an Enterprise Risk Management framework and IT Governance, conducted an enterprise-wide risk assessment and identified key issues.
SAS 70 and ISO 27001 Security Assessment: Assisted in developing the security controls required for SAS 70 and coordinated with external auditors to obtain SAS 70 and ISO 27001 certifications.
Security Incident Response Management: Formed a Security Committee and a Computer Security Incident Response Team (CSIRT). Created security incident response policies and procedures.
Confidential, Burlington, Massachusetts, April 2001 to Aug 2004
International Project Manager (Security and Compliance)
Project-managed the implementation of global data centers in Europe, Asia and the Americas.
Global IT Security Projects: Project-managed the design and deployment of IT security systems (firewalls, gateways, routers, switches, IDS/IPS and VPN) across the globe (Paris, Amsterdam, London, Hong Kong, Tokyo, Frankfurt and Singapore).
Web Application Security: Managed the implementation of web application and e-commerce projects.
Client Name: Confidential, Pittsburgh, Pennsylvania, Mar 2000 to April 2001
Project Manager (Network and Security Management) – Consultant
Confidential, Dubai, UAE, Mar 1996 to Mar 2000
Network and Security Manager/ Network Controller
Confidential, April 1995 to Mar 1996
Assistant IT Manager
Volunteer Work: Volunteer at a soup kitchen and with cultural organizations.
Immigration Status: US Citizen