SUMMARY

• Around 15 years of information security experience, including resolving vulnerabilities in and hardening of applications, databases, infrastructure, networks, and cloud - based solutions. Experience in IT and Security reviews, Audits, and General Computer Controls.
• Extensive experience in IAM, Identity and Access Management.
• Experience in developing and deploying PKI and SSL based solutions.
• Knowledge, understanding and training in DevOps, DevSecOps, and CI/CD pipelines.
• Experience, knowledge and understanding of security frameworks, guidelines, and common vulnerabilities and exploits as provided by OWASP, NIST, HIPAA, HITRUST, CVE, and CWE.
• Experience guiding management and teams on secure and resilient infrastructure and solutions, and developing, implementing, and enforcing security policies and procedures.
• Comfortable writing security related Shell scripts.
• Experience providing continuous awareness and training on information security. A track record of helping, guiding, training, and mentoring team members to learn technologies and excel in providing secure technology solutions.
• A strong sense of ownership, and not afraid to roll up my sleeves to understand, guide and execute to get the job done. And, I LOVE to learn and push the boundaries of my technology and security skill-set.
• As part of my learning, I have also implemented tools like BurpSuite, Wireshark, Docker, VirtualBox, Hyper-V, PowerShell ISE, Metasploit, OWASP ZAP, hsecscan and Kali Linux to practice monitoring of network and application related traffic (TCP/IP, UDP, ICMP, HTTP, HTTPS etc.) and scanning/testing for application and network vulnerabilities, and to understand penetration testing and vulnerabilities exploitation from an information security perspective.

PROFESSIONAL EXPERIENCE

Information Security Architect

Confidential

Responsibilities:

• Assist development and operational teams in the appropriate application of security best practices and the use of advanced security technologies.
• Work with development teams to help architect solutions that are inherently secure, viz. Security & Privacy by Design.
• Perform detailed application security reviews to ensure designed components are being securely implemented.
• Provide technical assistance for understanding vulnerability management and serve as a subject matter expert on remediation.
• Security events monitoring using Splunk (SIEM).
• Review and guide solutions towards compliance with Security Policies, and HIPAA, NIST CSF, SOD, and ISO frameworks/requirements.
• Provided guidance on creating a secure Microsoft AD based solution for processing data using a PowerShell script.
• Provided guidance on using SSL certificates to create secure and trusted integration with hosts. Documented process of using SSL certificates for trusted connections.
• Evaluated business requirement for publishing real-time reports on PowerBI dashboard, and guided customer on aspects of the security architecture for such a solution. Involved AWS Workspaces, health-data datastores and views, PHI / PII data, and PowerBI.
• Provided guidance and approval for media sanitization, while decommissioning obsolete media, based on NIST 800-88r1 Guidelines for Media Sanitization.
• Created a SOD (Segregation of Duties) matrix for the Operations Team to meet SOX Compliance
• Working with Development team to create a security architecture for Snowflake based solutions in Azure, including SAST using Fortify / Whitesource.
• Created Procedure for Log Monitoring and also created SQL queries for log monitoring for Privileged Access Accounts, User and Service Accounts, and Database Activity monitoring.
• Perform threat modeling using the Microsoft Threat Modeling Tool as required for changes to existing solutions, and for new solutions as part of security and privacy review process.
• Provided guidance regarding deterministic and random initialization vectors for format preserving encryption for data/columns with small domains (NIST SP800-38Gr1).
• Worked with Sr. Development Engineer to provide solution guidance for handling of encryption keys and encryption process for PHI/PII data that complies with Security Policies and uses AWS KMS and IAM.

Confidential

Information Security, Risk and User Account Life Cycle Management

Responsibilities:

• Led application projects in the area of User Account Life Cycle Management / Identity and Access Management (IAM), in compliance with Information Security’s Account Security requirements, by working with Information Security, Compliance (including SOX), IT, Internal Audit, and Business. Created flow diagrams to demonstrate systems integration, data flow, and processes.
• Extensive experience implementing User Requested and (Birthright) Auto-Provisioning (by integrating with Directory Services) of 100s of thousands of User Accounts in target SAP Systems.
• Project managed the implementation of TLSv1.2, as part of Information Security requirement, for the SAP GRC System integrated with IAM and SAP Systems to manage Identity and Access Management for 100s of thousands of users in various SAP Systems / Applications. Developed systems integration diagram to demonstrate and explain the change to stakeholders (Information Security, Technical, Business, and UAT teams), and to provide guidance on IT and UAT testing.
• Developed vulnerability assessment / scanning Bash (Unix/Linux) shell script application / tool with ability to scan 100s of hosts for open ports, and to check for ports that support SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2. Information Security required all other TLS versions except TLSv1.2 to be discontinued. Provided the report to management for corrective action. Perform ongoing re-scans to confirm TLS related vulnerability remediation.
• Worked on multi-tier architecture deployment, as part of Defense in Depth posture in compliance with Information Security policy.
• Led a technical team to analyze and mitigate networking, application, and host level vulnerabilities in SAP Systems, including requirement of enabling SSL certificate based authentication and communication (integration) between systems as part of Information Security requirements.
• Led the development and implementation of in-built software based SOD checking and approval of customized IT and Business transaction codes in compliance with SOD rule sets, and approved by Information Security.
• Managed other small to large user account life cycle management projects (around 15+) for various SAP systems and applications, thereby automating user account life cycle processes and strengthening account security as per Information Security policy and requirements.
• Worked with Production Support Team to deliver solution into Production, and provide KT (Knowledge Transfer) to the
• Point of contact for information security reviews and guidance on issues (vulnerabilities) resolution. Created documentation for information security engagement and reviews.