SUMMARY:

• Having 15+ years of Information Technology experience in Information Security Governance & Audit, Project management and Quality management.
• Define information security policies, secondary standards and security review checklists in consultation with stakeholders, implement and monitor for adherence/compliance
• Perform Vendor security audit by reviewing scope of relationship, develop audit plan in consultation with counterparts, visit site, review policies, conduct audit interviews, document observations, report to management and track observations for closure
• Perform Internal infrastructure security audit by planning, executing, reporting, and tracking audit findings for Network devices, Servers, Incident management, Governance and Physical security
• Perform risk assessments on infrastructure changes, network design, implementation of VPN, FTP servers, etc.
• Prepare and submit organization level risk summary matrix & key risk indicator based on information security incidents, audit findings status, compliance status of servers/network devices, security product roll - out status, vendor audit status, etc.
• Prepare and conduct security awareness in information classification, accidental/intentional data leakage & its consequence, secure code practices and information security standards
• Review reported security incidents such as data leakage through email, unauthorized data disclosure through email/web upload and unauthorized access to FTP sites, investigate, prepare and share incident report
• Develop quality check templates for Application Security Testing, Penetration Testing, Risk Assessment, etc. to assess and track quality of deliverable
• Develop competency assessments for information security by creating curriculum documents, questions bank as per Blooms Taxonomy of Learning
• Perform project management for application security like estimate, plan, get security resources assigned, ensure risk assessment and security testing performed for the assigned projects/programs. Prepare business summary detailing outstanding findings for business approval before project/program release
• Review infrastructure changes for security standard compliance & risk, approve or reject changes. The changes include Checkpoint firewall, ASA firewall, Cisco Routers & Switches, Bluecoat Proxy, F5 LTM, Windows 2012 Servers, etc.
• Review requests such as Web access, File upload/Download, Usage of non-company assets, demise of company assets, Installation of non-authorized software, etc. and provide approval considering security standards and risk of approving the request

SKILL:

IT Security Governance: Policy & Standard definition, Consultation, Incident Management, IT Security AuditInternal Security Audit & Vendor Security Audit

Standards/Frameworks: ISO 27001, ISO 31000, COBIT, NIST, ITIL, Confidential

Tools: Archer, NCM, SCCM, Wireshark, Skybox

Microsoft Office: Word, Power Point, Visio

Firewalls: Checkpoint & ASA

Server: Windows 2012

Network Devices: Cisco Switches & Cisco Routers

Network Security: VPN, NAT, PAT, Perimeter Router Security

WORK EXPERIENCE:

Global Network Security Change management

Confidential

Responsibilities:

• Reviewed firewall change control forms for risk exposure, risk impact, security standard and business impact and approve or reject the changes. The changes include introduction of new rules (port opening), modification to existing rules, etc.
• Reviewed change requests for Cisco routers & switches against security standard and approve or reject it
• Risk assessed network project implementations for Mumbai remote access VPN, FTP consolidation for cheque clearing system and commissioning new site
• Allowed white list of URLs in Bluecoat proxy considering data leakage probability and business need
• Defined a standard change control sheet to capture details of firewall changes in consultation with relevant stakeholders, implemented it
• Consolidated country and regional level firewall change control support under a global team and ensured continuous support to all countries/regions
• Conducted technical interviews to recruit new team members, developed plan & budget, conducted their performance appraisal and other oversight tasks

Information Security Risk local support

Confidential

Responsibilities:

• Information leakage through email or web upload are monitored by Mcafee Email Gateway & Bluecoat proxy SG and reported to incident management team by creating an archer ticket. For each created incident, carried out investigation by reviewing the email content or uploaded web content, validated information classification with violator’s functional manager, probed the rational behind this data leakage, documented the observation in incident report and closed the incident.
• Managed and executed Internal Annual security audit for 4 sites (2 sites in India, China and Malaysia).
• Decided scope of audit after discussing with stakeholders, developed audit plan, assigned technical member to conduct audit, drafted audit findings and shared audit report with management.
• The audit scope includes, Network devices, Servers, Incident management, Access management, Database, Governance and Server rooms. Post reporting audit findings, provided technical consultation to close the findings, and tracked the findings for closure
• Conducted information security awareness sessions to employees through meetings and discussion forums.
• During these meetings, ascertained the need for right information classification and information disclosure risk.
• Conducted Vendor security audit for Confidential & Confidential by coordinating with counterparts prepared audit plan, visited site, reviewed information security policies, secondary standards, interviewed Server support, Network support, Project Teams, Facility admin, Physical security, Data center support staff, department for ISR awareness, and HR for on-boarding and off-boarding of resources. Conducted audit opening and closure meetings, documented observations and shared with senior management.
• Reviewed change requests for Servers, Network Devices, and Applications and approved/rejected changes considering the risk and compliance.
• Monitored Information security mailbox for requests/queries raised by project team, provided consultation from ISR perspective

ISR Business improvement

Confidential

Responsibilities:

• Lead competency assessment team to design and develop competency assessments for Network Security, Platform Security, Application security testing, and vendor review. Created curriculum documents containing topics and sub-topics which were to be assessed as part of assessment with question banks, learning path and question distribution among topics and sub-topics.
• Designed quality checklist for Application testing, Infrastructure security, Penetration testing, Risk assessment in consultation with stakeholders, implemented and tracked quality level of deliverable.
• Conceptualized process index concept to assess level of process adherence for IT Security domains, collected metrics against parameters, analyzed and arrived at process index for each domain & ISR department
• Lead lean six sigma project for automating DB scan checklist for SQL server and reduced the review completion time from 16 hours to 4 hours.
• Monitored piloting of developers secure code to selected projects, collected security observations of before and after project releases, analyzed trend and reported to management to ascertain the benefits of secure code

Product Delivery Management & Deployment Support

Confidential

Responsibilities:

• During project/product development, Application security team to perform security design review & security testing, find vulnerabilities and report to project team for their action. As a product delivery manager, coordinated with project teams to understand scope of release, schedule & time estimate, arrived at security review time estimate & schedule, get security engineer/tester assigned to the project, ensured project/product is security reviewed, and reports are produced and shared with project team for action.
• Created business summary document detailing outstanding security findings and obtained business risk approval before releases
• The identified security findings could be Inherited from previous code release or current code change. The findings from previous code release would be in live production environment in deployed regions or countries. As part of deployment support, coordinated with respective country ISR/Management to get those fixed before being exposed.

Build, Deployment & Websphere Application server support

Confidential

Responsibilities:

• Performed build, deployment to Integration testing server, Staging server and Production server through deployment scripts
• Performed first level support for Webpshere application servers issues
• Managed team of build and deployments for many region and ensured SLA adherence and service support coverage
• Worked part of Confidential (Software Engineering Process Group) team to ensure process adherence by project teams
• Developed requirement elicitation process and supporting checklist
• Was part of Confidential level 5 assessment audit team, prepared audit questionnaire, conducted audit interview, collected evidences and drafted audit observations.
• Lead commercial banking product production support team. Investigated customer reported issues, replicated it in test environment, provided short term fix, developed solution proposal, and created minor release to fix issues.
• Worked part of Confidential team, created process document for project management and Estimation, along with supporting templates and checklists
• Conducted organization wide awareness sessions on project management and Estimation
• Worked as a process consultant for assigned projects, performed monthly process checks, provided guidance on process compliance
• Was part of Confidential level 3 assessment team, developed audit questionnaire, conducted interview, collected evidence and reported findings

Software development

Confidential

Responsibilities:

• Developed emulator for a real system through VB and web document archive system through Coldfusion
• Developed Distance student information system for Annamalai University using Developer 2000 and forms 4.5