SUMMARY:

• Over 10 years hands - on technical experience in network/application security and architecture, wif teh last five years focused on Information/Cyber security, cloud security and Information Systems risk and control assessments. An ISMS auditor wif a strong record of auditing IS internal controls and regulatory compliance requirements.
• Information security/GRC and Information Systems control: Vulnerability remediation tracking, database security, Threat identification/modelling, risk and control assessment, risk response prioritization, Risk controls and regulatory frameworks - NIST RMF, NIST, NIST, FIPS, FedRamp, FISMA, PCI-DSS, GDPR.
• Application and Infrastructure security: security assurance, SAST integration to software development process, Infrastructure scans, OWASP10, CIS benchmark and critical controls.
• Cloud deployment: IaaS, SaaS and PaaS on AWS /Azure cloud platform. DevOps principals and DevOps tools risk assessment.
• Virtualization: VRF Lite, firewall contexts, Virtual Device Context (VDC), Check Point VSX, JuniperVsys, VMware vSphere 5.0
• Infrastructure: Routing, Switching, Network segregation, Forward and Reverse proxy, Load balancers.
• Enterprise Architecture: Architecture definition/development, Identity and Access Management (SSO, SAML 2.0, ADFS, LDAP), PKI, Pattern development and Governance.
• Sec Ops/testing Tools: Qualys, Appscan, Splunk, Codenomicon, Burp suite, Kali Linux, CIS hardening scripts, Nessus, Fortify, Checkmarx, Symantec DLP, Vormetric etc.
• GRC Tools: Archer, RSAM

WORK EXPERIENCE:

Confidential

Information Security GRC analyst

Responsibilities:

• Define Security requirements for teh PCN network, review and approval of project designs for teh process control network. Work wif relevant technical architect to define and approve teh security domain rules based on teh Confidential Network Zoning standard and firewall rules. Define scope, review and approve results of Application and Network layer penetration test in line wif OWASP top 10.
• IT Risk and control assessments on teh use of industrial wireless and virtualization technologies automated and process control systems, detailing network segregation requirements.
• Guiding risk owners in developing and maintaining inventory of automation systems and assigning automation systems and networks to a security level that defines IS controls to be applied and maintained.
• Defining security requirements and security assurance tasks for network architecture, firewall management, security monitoring, user identification/autantication and system hardening in Confidential process control network.
• Security assessment and assurance on Cyber Ark deployment - for privilege account management, non-personal account management and service account management.
• Act as teh security consultants on projects related to Confidential automation systems and control networks, advising projects on security level of automation systems and security controls for safety systems.
• Conducting comparative risk assessments of Public Cloud threats versus traditional IT deployment models, giving insight to control selection (network segmentation/segregation, security monitoring, SIEM, IAM, CM, platform security, encryption).
• Developed methodology for Cloud Service Provider assessment leveraging NIST, ENISA, and CSA guidance.
• Defining protections that enable trust and data protection in teh cloud and developing roadmap for implementation. Examples of such protections are CASB and security as a service suite.
• IaaS hardened Infrastructure build reviews, including use of secured verified software - manually or based on infrastructure as a code.
• Secure architecting of cloud offering such as AWS workspaces, VPCs, ECS2, S3,EBS, RDS, SimpleDB, Elastic Beanstalk, Lambda, ELB and Azure Office 365
• Using teh concept and noledge of regions, availability zones, portability and cloud bursting to drive BCM planning.
• Platform selection and Cloud tool architecture risk assessments - Ansible Tower, chocolatey, artifactory, Gitlab,ELK, Netbackup, Confluence, Jira, McAfee ePO, WSUS, SPLUNK.
• Risk assessment of IAM solutions - SAML, ADFS,OAUTH, IWA
• Cloud deployment threat modeling using STRIDE and DREAD.
• Security assessment of Microsoft Office 365 and Cloud SAP deployments - CSP assessment, DLP, IAM, unauthorized change detection.
• Guiding data owners on teh impact of GDPR on Cloud security and current data handling practices. Planning data discovery and information classification tooling and road map.
• Planning, risk and control assessment of Skyhigh CASB to enhance visibility to user interaction to enterprise data in teh cloud.
• Data protection policy definition and testing enforcement using Sky High Cloud Access security broker.
• Developed hash and PCI - DSS relevant hardening guide for internet IPSEC VPN routers.
• Application vulnerability and patch management for environments under PCI-DSS scope.
• Use of Fortify and Checkmarx for SAST scans and prioritization of remediation activities after risk and control analysis.
• Act as a guide during planning and deployment of automated SAST scans by integration of Fortify into developer CI and IDE environments - Ensuring segregation of duties between software development environment and production operations.
• Worked wif application devops teams in interpreting Fortify code scan results, especially OWASP top 10, elimination of false positives and determining teh true level of risk after existing internal controls were taken into consideration.
• Guided and halped teh application devops teams develop a process of risk assessing static code scan results to achieve repeatable and consistent technical risk prioritization and ability to evidence teh process to appropriate control gate functions.
• Conduct security risk governance activities, assign risk owners, document remediation action plan in teh enterprise risk register, and follow up to closure.
• Producing various IT security and risk artefacts such as: security requirements specification documents, statement of work, Technical Vulnerability Assessments (TVA) and Assessments of Risk and Control.
• Testing of technical control implementation against control objective.
• Assessing implementation of internal and SOX controls in multiple IS domains - Foundation (BIA, CIA, TVA) IAM, Security Monitoring, Platform Security, IT resilience, Change Management and record retention.
• Interpreting controls and guiding application devops teams in collecting and uploading objective evidence for Confidential Internal Audit function’s review.
• Advised IT custodians and asset owners on teh importance of having teh technology and processes in place to achieve teh RPO and RTO recorded in Business Impact Assessments (BIA).
• Conducting UNIX and database infrastructure build reviews, assessing teh use and vaulting of passwords for high privilege and root accounts.
• Evaluating SOC2 reports for application functions outsourced to third parties.
• Use of Jira, Kanban boards and Confluence for task/sprint planning, reporting and documentation.

Confidential

Cyber Security Architect

Responsibilities:

• Functional and nonfunctional requirement gathering, sizing and platform selection for teh forward proxy service.
• Global forward proxy rollout using Cisco WSA, F5 Viprion GTM/LTM for a fault tolerant architecture, Check Point UTM blades and Sourcefire IDS for network segmentation/perimeter defence and threat intelligence.
• Risk assessment and architecture of 10G infrastructure backbone for connecting public Cloud providers to on premise data center using high end Cisco devices, Check Point 41000 hardware (running R76SP code), F5 Viprion (LTM/GTM) and Cisco WSA proxy.
• BGP AS number and IP address planning wif various Cloud providers.
• Architecting internet gateway infrastructure stack for Confidential South African region using CheckPoint and Juniper firewalls, WSA forward proxy servers, F5 BIP-IP ASM, Sourcefire IDS and Cisco switches.
• Upgraded teh global Check Point firewall estate from R7 .10 on Gaia, VPN termination on Check Point gateways.
• Migrated Check Point standalone management security servers to CMAs on Checkpoint MDS architecture.
• Check Point high availability feature configuration - Cluster XL and VRRP on GAIA
• High availability configurations on Juniper, Check Point and Cisco firewalls.
• Template creation and configuration guides for rollout of 802.1x network access control using Cisco ISE.
• Template creation and rollout guides Wireless security using WPAv2 (personal and enterprise) and based autantication using EAP-TLS on Cisco WLCs.
• Mitigating DDOS attacks by deploying packet filters at teh internet edge and peering.
• Conducting firewall service security reviews and identification of risky permissions.
• Mentoring Junior and Senior consultants.

Confidential

Security Architect

Responsibilities:

• Database reviews and data security wif Symantec DLP.
• Developed configuration templates for routers and switches to prevent common OSI layers 1-3 attacks on converged IP networks e.g. Man in teh Middle attacks, ARP table poisoning, IP spoofing, DHCP related attacks, broadcast controls, and routing table poisoning.
• Responsible for extranet IP addressing design and connection requirements e.g. IPSEC VPN (IKEv1 and 2) parameters definition and Network Address translation (NAT) requirements.
• Network segmentation using firewalls (Check Point, Palo Alto), DMZ creation and use of IDS for intrusion detection.
• Check Point policy template setup.
• P2P IPSEC VPN termination/troubleshooting between sites and extranet partners - Check Point, Cisco ASA and Palo Alto.
• DMVPN setup and troubleshooting.
• Enabling routing protocols on Check Point firewalls, route redistribution on Check point firewalls.
• Setting up Check Point security gateways and management server from ground up, establishing SIC between management servers and security gateways, policy management using CMA or standalone management servers.
• Check Point distributed or standalone architecture setup.
• Versatile use of Check Point smart console applications - Smart Dashboard, Smart View monitor, SmartView Tracker.
• Check Point, Juniper and Palo Alto IPSEC VPN troubleshooting using command line.
• Firewall Filtering and VPN termination on JunOS.
• Multi context / virtualized firewall design and implementation wif Cisco ASA, Check Point VSX and Juniper VS.
• Maintained, operated, and optimized security information event monitoring platforms - Splunk and QRadar.
• Management of tools such as Algosec, Splunk, Symantec DLP, Tripwire, Nessus, McAfee DLP, RSA MFA token.
• Documentation of workflows and standard operating procedures.
• Network device and firewall audit log reviews bimonthly.
• Check Point and Cisco firewall policy review and audit.
• Drawing Visio diagrams to depict old and new traffic flows as well as enforcement points on Whirlpools network.
• Attend escalated severity 1 firewall related incident (4th level support) Conference Bridge and provide technical guidance to restore/maintain customer confidence in AT&T capability in resolving outages.
• Versatile use of AT&T tools like Maximo, Service Now, NCS Prime, VitalSuite, AOTS, Poller and BERT.
• Liaising wif ATT GCSC and other units to onboard devices to support.

Confidential

IP Security Engineer

Responsibilities:

• Maintained network security infrastructure globally including routing architecture, firewalls, IPS/IDS tuning, WAN optimization, distributed denial-of-service (DDOS) mitigation, virtual private network (VPN), and remote access.
• Migration of Check point management servers to CMA architecture.
• Datacenter design and resilience wif dual internet feeds.
• Various technical implementation supporting data center projects, including Cisco, Juniper and Check Point firewalls, F5 and Cisco load balancer, Cisco and Juniper routers and switches.
• Routing protocol design and route prioritization using OSPF, IS-IS and BGP.
• MPLS design and troubleshooting MPLS L2 and L3 VPNs wif multiple VRFs in a MPLS core serving 10 million customers.

Confidential

IP Security Engineer

Responsibilities:

• Designed and implemented teh use of Cisco GSS at teh Internet edge and Citrix Netscaler on teh WAN edge for GSLB and intelligent routing between teh Data Centers.
• Designed and integrated FEX 2148T to extend teh 1G port capacity of teh Nexus switches using vPCs
• VDC and VRF design on Cisco Nexus switches for traffic segregation between different business streams.
• Server load balancing using virtualized Cisco ACE module and Cisco ACE appliance for traffic segregation between different business streams.
• SSL termination and session persistence configuration using ACE load balancer.
• Fiber Channel over Ethernet design using Cisco Nexus 5k.
• High availability design and implementation using routing protocols (OSPF) and HSRP
• Produced HLD and detailed low level documents for teh project
• Low latency and Multicast design trading for Tesco Bank trading floor
• VLAN, VTP, PVSTP, LACP design and implementation.
• Designed and integrated OSPF and EIGRP routing domains by mutual redistribution.
• Designed and implemented secure wireless solution using Cisco wireless LAN controller
• Configured and installed Cisco Light weight Access Points
• Designed and implemented Wireless Service Module (WiSM) on Cisco 6500
• Configuration of Cisco ACS to support AAA of teh enterprise network
• Designed and implemented 802.1x wireless security.

Confidential

Security Engineer

Responsibilities:

• Provide technical and sales support.
• Enterprise IP telephony and VoIP deployments
• Troubleshooting High end network issues
• End to End Quality of Service
• Implementation of IPSEC VPN using pre-share Keys and Authority.
• Remote VPN implementations
• Design Implementation and Support of all Enterprise Security Solutions.
• Implement Checkpoint and Netscreen firewalls
• Design Implementation and Support of all Enterprise Switching and Routing Solutions.
• Implementation of Cisco Unified wireless solutions.
• Implementation of Application Acceleration and Optimization Solutions
• Performance Tuning for Wide Area Networks and Campus Networks
• Design Implementation and Support of Highly Available Networks especially at teh Campus and Internet edge.
• Design Implementation and Support of all Cisco Network Admission Control Solutions; including centralized L3 OOB Real IP Gateway deployment for Complex Internetworks.
• In charge of Proof of Concept deployments