Information Security Manager Resume

SUMMARY:

  • A versatile and result-oriented individual with expertise in the implementation of continuous improvement initiatives. This includes 11+ years of experience in GRC (Governance, Risk & Compliance), assessments, audits and implementation of ‘Information Security frameworks’ like ISO 27001, ISO 27002, PCI-DSS, SOX, SSAE-16 and HIPAA (including design, engineering, analysis, testing and monitoring of security controls).
  • Additionally, possess knowledge of FISMA (FIPS, NIST), ISO 22301, ISO 31000, ISO 27017, ISO 27018 and web application security open standards like OWASP.
  • Additionally, my experience includes assessments, audits and implementation of ‘Quality Management Systems’, standards and process improvement models like ISO 9001 and CMMI (Capability Maturity Model).
  • I possess the skill set and hands-on experience necessary in implementation of continuous improvement initiatives.
  • I have worked as an individual contributor without active supervision. In addition, as a Project Manager, my responsibilities included team leadership, team handling, hiring team members, coordination and collaboration with various functions, risk management, change management, communication management, project management, schedule tracking and progress monitoring.
  • I am capable of delivering projects on time and on budget by effectively collaborating, facilitating, leading and coaching Scrum teams.

PROFESSIONAL EXPERIENCE:

Confidential

Information Security Manager

Responsibilities:

  • Managed, developed and implemented the organization-wide Corporate Information Security Program/ Management System (CISP/ISMS), including documentation of the manual, policies, procedures, plans, guidelines, checklists and forms.
  • Developed the ‘Statement of Applicability (SOA)’
  • Managed and implemented ‘Document Control’, ensured all revisions were managed, controlled, and maintained as separate configuration items.
  • Managed and implemented ‘Communication Management’, dissemination of information/changes to relevant stakeholders (internal/external).
  • Oversaw the implementation of different security controls (physical/logical).
  • Planned and monitored the implementation of the ‘Annual Security Plan’.
  • Managed and facilitated ‘Enterprise Business Continuity/ Disaster Recovery Drills’ (test of the recovery/resumption plans).
  • Effectiveness Metrics - defined critical measurement indicators/ metrics to monitor the implementation effectiveness of processes.
  • Developed a quantitative ‘Enterprise Risk Management System’.
  • Implementation and compliance audits for ISO 27001, PCI-DSS, SOX, SSAE-16 and HIPAA (‘implementation’ included identification and documentation of controls, implementation across the organization and audits to check their effectiveness).
  • Oversaw and implemented the internal ‘Incident Response Program’. The stages of ‘incident management’ were: identification of the security incident, incident classification, prioritization & escalation, incident handling & response, incident investigation/ causal analysis and collection of evidence.
  • Served as the primary contact for external and third-party auditors for all information security audits and reviews. In addition, coordinated closure of audit findings.
  • Planned and monitored the execution of ‘Internal Audits’
  • Managed and coordinated closure of action items resulting from ‘External Vulnerability Assessments and Penetration Testing’ from outsourced vendors.
  • Managed ‘Awareness Initiatives’ - planned and implemented annual programs using gamification techniques and interactive elements (mailers, quizzes, huddles etc.)

Confidential

Senior Security Analyst

Responsibilities:

  • Developed the ‘Statement of Applicability (SOA)’
  • Participated in development, review, and release of Corporate Information Security Program/ Management System (CISP/ISMS) elements (manual, policies, procedures, plans, guidelines, checklists, forms).
  • Implemented ‘Document Control’, ensured all revisions were managed, controlled; and maintained as separate configuration items.
  • Implemented ‘Communication Management’, dissemination of information/changes to relevant stakeholders (internal/external).
  • Conducted ‘Risk Assessments’ in coordination with various departments/projects. This included risk assessments for software business applications, business processes, technical infrastructure, physical infrastructure and service providers.
  • Served as a member of the Incident Response Team, Security Focus Group and Operational Risk Management Team.
  • Participated in ‘Disaster Recovery and Business Continuity Planning’.
  • Coordinated and facilitated Enterprise Business Continuity/ Disaster Recovery drills (test of the recovery/resumption plans).
  • Participated in external audits/ customer audits/ third party audits.
  • Participated in ‘Internal Security Audits’ as an ISO 27001, PCI-DSS and HIPAA auditor. In addition, coordinated with project/department team members to ensure that audit non-conformances were closed in a timely manner with proper implementation of correction and corrective actions, and verified closure of audit non-conformances.
  • Performed ‘Security Incident Management & Analysis’: carried out investigation and causal analysis to identify root causes of incidents.
  • Performed ‘Biometrics Log Review’.
  • Performed ‘CCTV Camera Reviews’.
  • Conducted ‘Awareness Initiatives’ - mailers, quizzes, huddles etc.
  • Prepared material and imparted awareness.
  • Coordinated ‘Emergency Evacuation Drills’.
  • Conducted ‘Workstation Audits’.
  • Coordinated and performed ‘Change Management’ reviews.
  • Implemented ‘Document Control’ - Management and maintenance of ISMS library.
  • Planned, managed and participated in annual ‘ISMS Documentation Reviews’.
  • Participated in vendor evaluation and selection for outsourcing and vendor performance management.
  • Planned, managed and participated in conducting ‘Internal Vulnerability Assessments’ using tools like Nessus.
  • Coordinated closure of action items resulting from ‘External Vulnerability Assessments and Penetration Testing’ from outsourced vendors.
  • ISMS Effectiveness Metrics - defined critical measurement indicators/ metrics to monitor the implementation effectiveness of processes.
