
Principal Consultant Resume


NY

SUMMARY

  • Cyber Security Strategist with more than twenty years of professional experience architecting and implementing technologies to secure medium and large scale environments including cloud migration, big data platform, and providing expertise in application, infrastructure, cyber and data security.
  • Experience conducting assessments and mitigating risks related to regulatory compliance standards, especially the IT/technical specifications of the NIST 800 series, the NIST Cyber Security Framework, Cyber Resilience and BS 7799/ISO 17799/ISO 27001/2.
  • Held Architectural and Program management positions in implementing information technology solutions and cyber security solutions for complex application and infrastructure portfolios to meet compliance standards such as PCI, SOX, FFIEC, HIPAA, GLBA, Regulation SCI, GDPR, EU data privacy guidelines.
  • Possesses expertise in IT Security Framework Implementations with a strong background in all phases of the Software Development Life Cycle, including System Design and Development.
  • Expertise conducting gap analysis on existing security practices and documenting and recommending solutions to meet regulatory needs for data center, Infrastructure and application security needs.
  • Performed numerous internal and external application security assessments, leveraging threat modeling, source code reviews, penetration testing, and functional security analysis.
  • Performed several infrastructural vulnerability assessments and developed risk ratings.
  • Developed tactical and strategic risk mitigation solutions involving big data environment, application architecture and design enhancements as well as redefining technology processes and procedures.
  • Developed and implemented risk based framework integrating security activities to systems development lifecycle (SDLC) phases in order to manage application security vulnerabilities along with generating risk based metrics reporting.
  • Implemented methodologies for determining and mitigating risk from assets, vulnerabilities and cyber threats across numerous infrastructure servers, applications, and endpoints.
  • Involved in qualitative and quantitative risk analysis solutions for enterprise systems and third parties, based on industry standards.
  • Managed PCI remediation efforts to meet guidelines, including PCI application protection via network segmentation, endpoint protection, tokenization, and PKI.
  • Managed several security assessments, vulnerability assessments, penetration testing, secure SDL implementation and identity and access management projects.
  • Experienced in all phases of project lifecycle, from feasibility to closure with contributions to proposal development, pricing estimation, client presentations, project management and quality control.

TECHNICAL SKILLS

ERP: Oracle Applications Fin, SAP Time and Benefit

Planning Utilities: MS Excel, MS Project, Primavera, Planview, Rally, Axosoft

Compliance Tools/Guidelines: BS7799, ISO27001/2, ISO/IEC 21827/SSE-CMM, NERC-CIP V3, GLBA, BASEL II, SOX, PCI v2/v3, HIPAA, COBIT 4.X/5.0, ITIL, HITRUST CSF, FEAF, SABSA, ISF, MARS-E v1, ISO 2, BSIMM, Regulation SCI, ISAE 3402, ASPR, IISF, NYCRR, GDPR.

Governance: Archer, Symantec enterprise vault, Zantaz, Orchestria, CiscoWorks Network Compliance

Risk Assessment: OCTAVE, STRIDE, CRAMM, NIST RMF, CERT Resilience Management Model

Architecture: Oracle Coherence Security, Java Security Architecture (J2SE), TOGAF, Zachman Framework, SAFe (Scaled Agile Framework), Ethereum

Illustrative Toolkits: Kali, WhiteHat, Fortify, AppScan, Burp Suite, Nessus, Nmap, GFI LanGuard, OpenVAS, Metasploit

PROFESSIONAL EXPERIENCE

Confidential, NY

Principal Consultant

Responsibilities:

  • Led Datacenter cyber security protection program.
  • Network segmentation and security control design.
  • Proposal development and client presentation for application security current state assessment.
  • Threat modeling and risk assessment of current design and developing roadmap.

Confidential, NY

Principal Consultant

Responsibilities:

  • Responsible for creating an alternative strategy for DDoS and WAF protection.
  • Led the SIEM migration from Symantec SSIM to ArcSight.
  • Responsible for running the DDoS protection program.
  • Involved in PCI security testing using Trustwave.
  • Responsible for creating the intrusion detection system re-enablement strategy.
  • Responsible for vendor capability reviews of various security tools for DDoS/WAF/DAM products.

Environment: Axosoft, Archer, Cisco, ArcSight, Akamai Kona, mainframe, FireSIGHT, IBM ecommerce, Imperva.

Confidential, NY

Acting Director Security and Compliance

Responsibilities:

  • Responsible for design and implementation of Secure Software Development Life Cycle with source code review process for agile environment.
  • Led PCI attestation of compliance for PCI DSS Level 1 compliance.
  • Responsible for creating security vision 2016 that aligns with business roadmap with budgetary projections.
  • Responsible for creating cloud readiness strategy to enhance security posture.
  • Responsible for the cloud migration Identity-as-a-Service strategy to reduce business costs and improve employee productivity, aligned with the organizational roadmap.
  • Responsible for the cloud Tokenization-as-a-Service strategy and the security reference architecture for it.
  • Working on the cloud migration strategy for Logging-as-a-Service and Monitoring-as-a-Service.
  • Led penetration testing remediation and designed a roadmap to avoid future recurrences.
  • Led application security testing and secure code analysis for .NET applications using DAST/SAST/IAST tools.
  • Created selection criteria for application security tools and ran vendor presentations for HP Fortify, Veracode, and IBM AppScan.
  • Responsible for vendor capability reviews of various security tools for logging and monitoring, tokenization, firewall management, and data leakage prevention solutions.

Environment: Rally, Redis, MongoDB, SQL Server, MSMQ, Ember.js, ASP.NET, OAuth, SAML, SOAP, WhiteHat, Burp Suite, Nessus, OSSEC, AlertLogic, Kenna Security, CentOS, Jenkins, Azure, Visual Studio 2015

Confidential, NY

Senior Security Advisor

Responsibilities:

  • Designed security roadmap to enhance security posture using ISO 27001/2 for CDW data warehouse and Hadoop analysis platform.
  • Created strategy for securing data around big data environment.
  • Defined cyber threat defense/intelligence capabilities to enhance gateway security.
  • Initiated a process to map current state against NIST cyber defense framework.
  • Evaluated and implemented a two-factor authentication (2FA) solution for application access, integrated with an open source identity and access management solution.
  • Responsible for vendor capability reviews of various tools for Hadoop, SIEM (IBM QRadar, Splunk, Intel Security), firewall, and data leakage prevention solutions.

Environment: IBM HPC, Hadoop 2.2, Oracle 11g, Red Hat Enterprise 6, GitHub, Zabbix, CIS-CAT, OpenVAS, Metasploit, Symantec, FreeIPA, TrueCrypt, VeraCrypt, D3.js, OpenSSL, OpenID, SAML, Mapbox.com/CartoDB, Leaflet Data Visualization Framework (DVF), RSA, Palo Alto (POC), Splunk (POC), Azure, Azure CitiNext, AWS, GCP BigQuery, Security Onion.

Confidential, NY

Manager IT Risk Advisory Services

Responsibilities:

  • Responsible for Payment card industry (PCI) risk evaluation of POS application, infrastructure and tokenization solution.
  • Responsible for reviewing current state against Security Program Management (SPM) framework and defining future state.
  • Reviewed applications that host sensitive global employee data.
  • Assisted client in drafting policies and standards based on NERC-CIP, ISO 27K and COBIT 5.0 controls.
  • Assisted chemical and petroleum client in development of Information Security and Training Program.
  • Advised client by understanding Identity and access management current state and defining future state.
  • Assisted CPG client in security product total cost of ownership metrics and RFP preparation.
  • Assisted insurance processing client in assessing current state against a framework for meeting HIPAA/HITECH requirements.
  • Advised client on risks associated with firewall management processes and firewall configuration.
  • Advised client in creating rating criteria and evaluating the effectiveness of Windows infection removal tools.

Confidential, NY

Information Security Architect

Responsibilities:

  • Involved in prototyping, reviewing and implementing Nodus CCA with key management / encryption solution (PCI data) for PA-DSS compliance.
  • Responsible for log reviews for services, protocols (UDP/TCP) and developing correlation rules for user access /behavior analysis for the key PCI servers.
  • Implemented PCI device compliance monitoring solution.
  • Handled installation, configuration and log reviews.
  • Involved in SIEM agent installation, configuration to ship logs from hosts to SIEM solution for log aggregation.
  • Involved in DNSSEC.
  • Involved in content filtering architectural review and latency troubleshooting.
  • Involved in Metrics creation, review and support.

Environment: Distributed, StillSecure NAC, PGP Desktop, McAfee ePolicy Orchestrator, McAfee Antivirus, BigFix, WebSense, ClearPoint Metrics, Imperva, Check Point R62, Check Point R71, Cisco ASA, CiscoWorks Network Compliance Manager (NCM), Postini, PhoneFactor, P-Synch, ID-Sync, RSA SecurID, MOVEit Central, MOVEit DMZ, GFI LanGuard, Nortel VPN, IPsec, RSA enVision, ISS Proventia, Infoblox, BIRT Eclipse Report Designer.

Confidential

Information Security Architect

Responsibilities:

  • Recommended best practices to enhance security posture to include source code review, application availability Checkpoints and data protection checkpoints.
  • Managed application design review implementation: during the SDLC design and construction phases, reviewed designs against the organization's Information Security Standard for compliance with ISO 17799/27001/2.
  • Managed Gap analysis and provided recommendations for best practices after reviewing Security Programs.
  • Provided guidance on various regulations such as GLBA, BASEL II, SOX, PCI compliance and using best practices.
  • Reviewed and implemented a source code analysis process, offered as a service, to surface source code vulnerabilities using tools and to guide the development organization on how to fix them.
  • Recommended TPISA (Third Party Information Security Assessment) and reviewed vendor risk reports.
  • Managed design, development, and implementation of qualitative security risk management.

Environment: Mainframe, Distributed, CICS, DB2, Oracle, AIX, MQ, J2EE, XML, SiteMinder, SAML-based authentication, RSA Key Manager, Sterling Commerce Connect:Direct, Apani Centry, McAfee ePolicy Orchestrator, SOA, TIBCO, Encryption, PKI, SSL, LDAP.

Confidential, NJ

Specialist

Responsibilities:

  • Managed successful implementation of Security programs to deliver Security Projects IDM, Penetration test Remediation, UserID Provisioning.
  • Managed vulnerability assessment of 1000+ nodes using Nessus, Nmap, and Qualys.
  • Lead assessor responsible for risk assessment, analysis, and business improvement of corporate and departmental policies, procedures and standards, specifically in response to regulations, and for performing gap analysis against BS7799-3/ISO 17799/ISO 27001/2.
  • Coordinated the company-wide compliance documentation project and documented policies and procedures for regulatory compliance.
  • Created a master list of all policies and procedures, with versioning, for use by the company, in accordance with ISO standards.
  • Created tools for intranet site maintenance, documentation maintenance, and version control.
  • Provided technical leadership to the enterprise for reviewing and implementing information security programs.

Environment: Mainframe, AIX, HP-UX, TippingPoint, Linux, DB2, Oracle, Windows, Check Point Firewall, Cisco Routers and Switches, MIIS, Tivoli Access Manager
