Information Security Management Consultant Resume
SUMMARY
- Accomplished executive with nearly 25 years of experience building and aligning global organizations with key business objectives to achieve dramatic, bottom-line results.
- Recognized for ability to implement efficient information security strategies/infrastructure, mitigate risk, raise awareness, and protect critical assets for prominent companies.
- Apply in-depth knowledge of architecture frameworks, standards, information security processes, and access controls to develop policies/programs spanning thousands of users across multiple platforms.
- Skilled in partnering with business leaders and technical teams to plan, integrate, document, and execute complex strategies and project plans on time and within budget.
PROFESSIONAL EXPERIENCE
Confidential
Information Security Management Consultant
Responsibilities:
- Information Security Program: Developed and established a written Information Security Program to provide management direction in terms of the administrative, technical, and physical safeguards for managing and protecting the confidentiality, integrity and availability of the organization’s information assets to meet core mission and business objectives while complying with the applicable laws and regulations.
- Cybersecurity Program: Developed and established a formal Cyber Security Program to offer a systematic approach for identifying, assessing, and managing cyber security risks. Through this program, the organization was able to determine the activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment. In addition, the organization was able to express its cyber security requirements to business partners and customers, identify the gaps in its existing cyber security practices, and take adequate measures to address these gaps. The organization was able to move forward in a more informed way to strengthen its cyber security practices.
- Information Security Risk Management Program: Developed and established an IT / Information Security Risk Management process encompassing 4 fundamental areas: Risk Definition, Risk Measurement, Risk Monitoring, and Risk Management, ultimately reducing operational exposures and improving controls. Regular information security risk assessments were performed for managing risk and staying compliant with regulatory requirements with respect to the confidentiality, integrity and availability of information assets. Understanding risk, especially the magnitude of the risk, allowed the organization to prioritize resources. The risk assessment results helped determine the appropriate management action and priorities for managing information security risks and for implementing the controls selected to protect against these risks. Implemented the following modules within the Enterprise Governance, Risk and Compliance Platform (eGRC) to support this program: Vendor Management (Third-party Service Provider), Security Threat & Vulnerability Management, IT Risk Management, Policy Management.
- Information Security Policies and Standards: Developed, established and maintained enterprise information security policies based on ISO/IEC 27000:2013 and NIST Cybersecurity Framework supporting business goals, objectives, and applicable laws/regulations. Instituted standards and procedures supporting corporate information security policies achieving full consensus across multiple information security officers representing various business units.
- Regulatory compliance (PCI/SEC/EU Safe-harbor, Privacy Regulations): Interfaced directly with the compliance, legal, internal audit and regulators to understand requirements, risks and issues and established practical and sustainable administrative and technical control solutions.
- Information Security Awareness Program Enhancement: Raised information security awareness throughout the organization with focus on: Information Security Responsibilities, Principles, and Policies; Threats, Vulnerabilities, and Countermeasures; and Application of Security Best Practices.
- Security Incident Response Management: Developed and established formal Security Incident Response Policies, an Incident Management Plan and an Incident Response Handbook to defend the organization’s information assets and counter security breaches by consistently and effectively responding to security events and managing incidents. This mission was accomplished by establishing and maintaining a professionally managed team that was well prepared, trained, and equipped. In order to detect and mitigate the threats arising from cyber-attacks, the following tools were implemented, which were not only capable of handling the incidents arising from such attacks but also maintained the cyber security posture of the organization on a continuous basis:
- Vulnerability Assessment and Penetration Testing tools (VAPT)
- Web Application Security Vulnerability Assessment (WASA) and Static Code Analysis tools
- Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
- Hybrid Appliance and Cloud Based DoS/DDoS Protection
- Security Analytics Next Generation Security Information and Event Management (SIEM) integrated with Threat Intelligence Feeds
- Data Leak Prevention tools (DLP)
- Identity and Access Management Tools (IDAM)
- Forensic Investigations tools
- Anti-phishing Monitoring / Domain Monitoring / Domain Takedown / Brand Monitoring Services
- Open Source Code Vulnerability and License Management/Monitoring
- Vendor / Third-party Service Provider Management: Developed and established a formal vendor management program through the Third-party Vendor Management Module within the Metricstream eGRC platform. Ensured that each vendor has a robust Information Security and Cybersecurity Program to protect the organization and its clients from various security threats. Assessed the adequacy and effectiveness of each vendor’s IT Disaster Recovery and Business Continuity Program. Ensured that all vendor relationships were managed in compliance with IDC’s Third Party Services & Risk Management Policy by performing the following assessments on an annual basis: Business Impact Assessment, IT/Security Risk Assessment, BCP Risk Assessment, Financial Risk Assessment, and Legal/Reputational Risk Assessment. Vendor Management Program integrated with Dow Jones Risk & Compliance Due Diligence Content Sources:
- Risk management and corporate governance in the areas of Anti-Money Laundering, Anti-Bribery, Anti-Corruption, Payments Compliance and Commercial Risk.
- Monitor vendors for adverse/negative media coverage on Regulatory, Competitive, Financial, Environmental, Production, Social and Labor related areas.
- Monitor individuals who may have committed crimes in areas such as Financial Crime, Corruption, Organized Crime, and Trafficking.
- Business Continuity Program / IT Disaster Recovery Program
Confidential
Chief Information Security Officer
Responsibilities:
- Information Security Governance: Established and maintained information security governance framework to successfully align information security strategies with business objectives, and applicable laws/regulations.
- Formed and chaired executive and technical information security steering committees to obtain enterprise-wide senior management commitment and support. Implemented reporting and communication channels; ensured definitions of all roles/ responsibilities included information security governance activities.
- Identified current/potential legal and regulatory issues affecting information security; collaborated with corporate compliance and legal department to assess impact.
- Created business case and enterprise value analysis to support information security program investments.
- Developed, established and maintained multiple information security policies based on ISO/IEC 27000:2013 and NIST Cybersecurity Framework supporting business goals, objectives, and applicable laws/regulations. Instituted standards and procedures supporting corporate information security policies.
- Risk Management: Defined strategies to identify and mitigate security risks, entailing gap analysis/prioritization to achieve business objectives.
- Developed and established Information Security Risk Management processes encompassing 4 fundamental areas: Risk Definition, Risk Measurement, Risk Monitoring, and Risk Management, ultimately reducing operation exposures and improving controls.
- Spearheaded enterprise security vulnerability and compliance management solutions.
- Performed risk assessment and gap analysis based on ISO 27002 information security standards.
- Information Security Program/Response Management: Planned and led information security activities to execute the information security program.
- Raised information security awareness throughout the organization with focus on: Information Security Responsibilities, Principles, and Policies; Threats, Vulnerabilities, and Countermeasures; and Application of Security Best Practices.
- Implemented a reliable, integrated network/host-based intrusion detection/prevention system.
- Established and implemented processes for detecting, identifying, and analyzing security related events with the help of a Security Information and Event Management (SIEM) solution.
- Program Manager/Architecture
- Implemented Oracle Identity and Access Management solution along with Federated Identity and Knowledge Based Authentication.
- RSA Archer Enterprise Governance, Risk and Compliance (eGRC) Platform implementation with following modules: Enterprise Management, Vendor Management, Policy Management, Compliance Management, Risk Management, Incident Management, and Business Continuity Management.
- Developed and established a formal vendor management program through the Third-party Vendor Management Module within the RSA Archer eGRC platform. Ensured that each vendor has a robust Information Security and Cybersecurity Program to protect the organization and its clients from various security threats.
- Database Encryption: Protected sensitive data such as SSN and Bank Account Numbers (around 50 million) within MS SQL and IBM DB2 (Mainframe) databases with the use of database and column-level encryption technology. The encryption solution provided the ability to grant permissions and access control policies on encrypted data on a per-user basis. The ability to administer permissions and the encryption keys outside of the database offered the highest level of security.
- E-Mail Encryption along with DLP to protect sensitive information such as SSN and Bank Account Numbers.
- Enterprise MPLS Connectivity: Multiple data centers as well as various offices across North America (US/Canada - 25+) connected over a private MPLS cloud. This MPLS cloud along with BGP provides high availability, scalability, ease of maintenance and faster response times in the event of disaster recovery. In addition, this model avoids the single point of failure issues associated with point-to-point connectivity models.
- Primary and Disaster Recovery Data Center US: Designed and built the next generation infrastructure that efficiently and reliably executed the core operations of the organization, increased business agility, and reduced duplicate spending. Built an infrastructure that will provide progressively greater net operational savings, greater return on investment and greater end-user service benefits. Migration of all the open system and mainframe applications was completed as planned and on schedule without any issues.
- Server and Storage Consolidation: Consolidation of server resources and associated storage completed through VMware and innovative/high-performance EMC V-Max and VNX SAN to manage exploding information growth while keeping costs down and meeting stringent service levels. Eliminated server sprawl by consolidating applications onto fewer servers, and reduced hardware and operating costs without impacting the performance and throughput requirements. Enhanced backup and recovery while reducing associated costs with integrated data protection technology. Effective protection of data both locally and remotely through a network-based, block level EMC V-Max SRDF and RecoverPoint replication solution. Delivered continuous remote replication for disaster recovery and continuous data protection for operational recovery to any point in time. Automated the recovery processes through VMware Site Recovery Manager (SRM).
- Disk-centric Backup Architecture (Deduplication Technology): Designed and implemented the disk-centric backup architecture based on EMC Data Domain Deduplication Technology to mitigate the various risks associated with the traditional tape based backup architecture. Due to reduction of backup data by 10 to 30 times, the organization was able to keep backups onsite longer using less disk for fast, reliable restores, eliminating the use of tapes for operational recovery. In addition, the backup data was replicated (after de-duplication) from the primary to the disaster recovery data center over the existing Lightower 10Gig connection.
- Identity Theft Prevention Program: Developed and implemented Identity Theft Prevention Program as required by FTC Rules and Regulations 16 CFR Part 681.
- CST Datacenter Migration from CIBC: As part of the acquisition, built two brand new datacenters in Canada along with a private MPLS cloud connecting multiple sites to migrate services from CIBC to CST/AST Datacenters.
Confidential
Sr. Information Security Management Consultant / Architect
Responsibilities:
- Information Security Governance: Established and maintained framework to successfully align information security strategies with business objectives and consistent with applicable laws/regulations.
- Risk Management: Defined strategies to identify and mitigate security risks, entailing gap analysis/prioritization to achieve business objectives.
- Information Security Program Management: Designed and developed program to implement information security governance framework.
- Information Security Management: Planned and led information security activities to execute the information security program.
- Initiated, developed, and conducted security awareness seminars individually targeted to executives, technical personnel, and end-users, resulting in a 90% attendance rate and approval of all security initiatives by senior management. Championed web-based training for users working directly on trading floor and back office, enabling them to complete courses with no impact to daily operations. Training covered awareness and security for remote workers, virus protection, passwords, web browsers, instant messaging, voice/telephone, laptop, PDA, and more.
- Designed and implemented a total integrated and automated security vulnerability and compliance management infrastructure vs. point-based solutions, enabling IT group to focus on other core business initiatives and ultimately reducing cost. Within 6 months, reduced security vulnerabilities by 75%.
- Implemented a reliable, integrated network/host-based intrusion detection/prevention system.
- Developed metrics to measure, monitor, and report on the effectiveness of information security controls and compliance with information security policies. Performed vulnerability assessments to evaluate the effectiveness of existing controls.
- Response Management: Developed and managed a capability to respond to/recover from disruptive and destructive information security events.
Confidential
Director of Information Security
Responsibilities:
- Developed and enforced information/ corporate security policies, standards, procedures, and guidelines as well as change management database and processes.
- Deployed global firewall infrastructure management, firewall high availability/load balancing, and intrusion detection (ipAngel, NFR, and Cisco IDS). Centralized alert monitoring/management and trend reporting/analysis via Trend Micro Firewall Suite across North America and Latin America.
- Designed, implemented, and managed SAP FI, HR, and BW Security. SAP R/3 4.6x Security Administration & Structural Authorization including Activity Groups, Profile Generator (PFCG), Employee Self Service (ESS) and Central User Administration (over 5000+ SAP users within various regions)
Confidential
Senior Security Specialist & Network Engineer/Architect
Responsibilities:
- Bristol-Myers Squibb: Managed global security infrastructure and was a major contributor to design of new high availability/firewall load balancing solution across Asia Pacific, Europe, and North America.
- Credit Suisse First Boston: Delivered a large firewall security project, entailing 100+ vendor feeds via Confidential Checkpoint Firewall, VRRP link monitored circuits and Cisco HSRP for high availability at multiple locations. Installed over 30 pairs of Confidential firewalls and migrated firewall management stations from Sun Solaris to Confidential.