Cyber Security And Application Security Lead Resume
Philadelphia
SUMMARY:
- IT Security and Audit expert with over 25 years' experience in IT Security, IT Audit, Risk, Compliance (SOX, PCI, HIPAA, ISO, NIST, etc.) and framework creation (NIST 800-53, ISO 27001). Carried out multiple pre-assessments and worked in various industries managing their enterprise-wide programs. Served diversified organizations including Confidential MN, PWC (NY and India), Best Buy Corporate (MN), Goldman Sachs (NY), Credit Suisse (NY), ENW (UK), BCBS (RI, MD), and have vast IT, development, technical and banking industry experience.
- Expertise in Enterprise Risk Management and conducting Risk Assessments, risk remediation and monitoring
- Leading Cyber Security and CERT teams investigating cyber breach incidents and their management reporting
- Overseeing and Managing IT Security/Enterprise Security initiatives for GRC, Data Security, Application Security, Cyber security
- Carrying out and preparing for compliance audits for SOX, PCI, HIPAA, ISO 27001, SOC/SAS 70/SSAE 16, Fed Regulations, etc.
- Managing and Implementing Security tools like SCCM, DLP, SEPM, SIEM, Anti-Virus, Fortify, AppScan, Qualys, SNOW, etc.
- Creating NIST 800-53, ISO and other frameworks and carrying out their implementations and assessments
- Managing and using GRC tools like Archer, Thomson Reuters & PM tools like Microsoft Project, SharePoint, etc.
- Preparing and conducting IT Audits and IT General Controls Reviews, Internal IT Audits, Operational Audits
- Conducting Business Process Control Reviews (process mapping for risks, controls) using COSO, COBIT, AS5 Guidelines
- Creating and implementing Policies, Procedures, SOPs, Guidelines, Frameworks and Security Trainings
PROFESSIONAL EXPERIENCE:
Confidential, Philadelphia
Cyber Security and Application Security Lead
Responsibilities:
- As lead for Application Security, managed security reviews of various organization-wide projects under development. Also reviewed and defined the organization-level control matrix for different business units for all legal compliances and verified controls.
- Conducted design and code reviews for big projects both waterfall and agile/scrum projects under development
- Prepared methodology for risk assessment during reviews and closure/acceptance of risks that could not be remediated.
- Also worked on multiple projects as security project manager to conduct security reviews, assess risks, suggest security architectural requirements and necessary controls, document gaps, design security controls into project designs where missing, and manage their remediation, including applications in Java, C++, Perl, Oracle, etc.
- Reviewed varied projects with different technologies and platforms verifying perimeter security, network security, cloud security, security at firewalls, load balancers, network zones (end user, mid-tier, DB level)
- Reviewed controls around public and private clouds, AWS, encryptions, IDS/IPS security, etc.
- Reviewed/created technical / architecture documents, network visio diagrams where necessary to document network controls
- Verified security over networks, zones, and recommended / implemented secure web protocols like TCP/IP, IPSec, HTTP, HTTPS, SSL, etc. replacing FTP and other unsecured protocols
- Also recommended network segmentations, various network zones and secure connections between zones and outside parties
- Helped PMO for creating security training program to be published at organization level for introducing security in all programs
Confidential, Maryland
Project Manager
Responsibilities:
- As project lead, managed the NIST Assessment Project by creating the NIST framework, assessing its compliance and remediating gaps for the upcoming NIST compliance audit
- Managed project by tracking progress, milestones, deliverables, issue resolutions, managing team and management reporting
- Used FISMA, NIST 800-37 Rev 1, NIST 800-30 & Risk Management Framework (RMF) for creating Enterprise Risk Framework
- Also carried out risk assessments with various units verifying present vulnerabilities per changing environment, threats to the organization, likelihood, impacts and presented reports with critical/high/medium/lows risks
- Provided recommendations and plans for remediation of critical/high/medium risks; created a risk register for tracking remediations
- Monitored remediation of risks to bring to the acceptance level or identified compensating controls or followed procedures for acceptance or transfer of the risks by the business units to bring risks to the closure in risk register
- Conducted compliance assessment for NIST, ISO, PCI, SOX controls with various business units to identify current security controls, compliance requirements, documented gaps, and new/compensating controls.
- Suggested and implemented new rules, logs collections, reporting and remediation strategy in QRadar SIEM system as per the NIST requirements for log analysis and reporting
- Interviewed various teams SOC, Applications, IDAM, Facilities, Audit, etc. and reviewed technologies like QRadar, Big Fix, Encryption, Anti-virus, Symantec DLP, Firewalls, VPN, Microsoft PKI, Citrix, Proxy, Cloud Management teams, etc. for compliance
- Created the System Security Plan (SSP) with the current assessment and Plans of Action and Milestones (POA&Ms) and presented them to auditors
Confidential, Boston
Auditor, Project & Program Audit
Responsibilities:
- Assessed operational controls for the IT Program and Project lifecycle to verify they follow the Program Management Framework
- Defined audit scope, conducted kick off, daily meetings, carried out audit, documented results in Thomson Reuters GRC tool
- Worked with the global office in defining controls and test procedures for testing the program framework and assessed them through testing
Confidential, RI
Global Risk and Compliance Officer
Responsibilities:
- As Lead for Cyber Security, headed the CSIRT (Computer Security Incident Response Team) for cyber security incidents.
- Managed all CSIRTs related to cyber incidents across the globe and led efforts for their investigation; assessed possible threats, verified controls and secured the organization by implementing additional controls for these new threats; interacted with law enforcement agencies (LEA) on new threats
- Led daily meetings with the CIO for major CSIRT updates, monthly Security Operations meetings with the CISO, CIO and MDs, and weekly meetings for all cyber incidents; managed the entire security posture of the organization
- Co-ordinated among various business units like Information Security, Legal, Human Resources, Privacy, Compliance, law enforcement, audit, Infrastructure, IT Operations for investigating and remediating possible cyber-attacks
- Led Enterprise Risk remediation program, used Archer, maintained risk register and led multiple projects for risk remediation
- Managed tools Qualys Guard, Firewalls, IDS, SEPM, AWS, AV, Encryption, DLP, Big-Fix, SCCM, SNOW, HP ArcSight, Email
- Headed the project for setting up Qualys and ArcSight: tool implementation, log collection from tools, OS, applications and other log sources, correlations and rule sets per the organization's risk portfolio; reviewed daily/weekly reports and managed remediation by coordinating with the client, ITOps team, Infrastructure team, etc.; tuned the system to analyze the data for signs of malicious activity
- Managed all alerts, reporting, investigations, incident analysis, remediation and additional control implementations
- Headed huge projects for risk remediation of Qualys vulnerabilities, Patching, Failed logins, Version upgrades, etc.
- Managed security rule configurations, upgrades, OS hardening and server hardening risk for Windows, Linux, Mainframes, etc.
- Designed and delivered phishing and security awareness training, and documented many new policies and procedures
- Managed various audits and issue remediations, e.g. Model Audit, AD Audit, Network Audit, etc.
Confidential, MN
Engagement Manager
Responsibilities:
- As Engagement Manager, led multiple audit engagements; managed a staff of 20 people with total revenue of over 2 million
- Piloted a unique offshoring strategy to address onsite resource constraints, resulting in large cost savings
- Adopted COSO, COBIT, AS5 standards and Confidential Methodology and SEC guidelines for conducting audits
- Conducted IT General Control Audits, Internal Audits, Process reviews, SAS70/ SOC compliance assessments (Type I and II)
- Introduced the Control Assurance Framework for the first audit under the new FDA Draft Regulations; reviewed standards like FIPS 140/180-3/186-3, FCC guidelines, NERC-CIP and other Fed Regulatory compliances
- Provided advisory services to the various clients Internal Audit teams for defining internal controls and testing
- Conducted process audits and operations audits in support of IT Audit functions on various clients' engagements during their changes
- Managed multiple SOX assignments for conducting SOX audits, TOD (test of design) and TOE (test of control effectiveness)
- Have successfully interfaced with various Regulators, Boards of Directors, Comptrollers, Financial auditors during various audits
- Have provided coaching, technical guidance, trainings and strategic thought leadership and direction to the team
Confidential
Enterprise Security Lead
Responsibilities:
- Headed the Security team for Wipro and was Security Lead for Wipro on the Leadership Committee at Best Buy
- Have introduced and designed new Integrated Security Engagement Model (ISEM) to embed security during development, liaised with various project managers to embed security in their projects and bring them under security's portfolio
- Led Application Security team of 21 people, introduced Secure SDLC into all new projects to conduct security reviews during design, coding (SAST reviews) and dynamic testing (DAST reviews) prior to implementation of all newly developed applications
- Used AppScan tool for application code reviews and verified OWASP Top 10 and Secure Coding standards during assessments
- Reviewed 135 projects developed both on Agile and Waterfall methodologies for application security in span of 10 months
- Managed Vulnerability Scanning Program and coordinated remediation of gaps with various levels of management at global offices
- Established various policies, procedures and SOPs for compliance by various business units and coordinated external audits
- Designed Security Training and imparted training to all onsite and offshore staff at Best Buy as required for PCI compliance
Confidential
Systems Manager
Responsibilities:
- Managed various large and small IT development, security and audit projects, managing the entire SDLC and security assessments
- Reported directly to the CISO; was a member of the IT Steering Committee, Fraud Prevention Committee, System & Procedures Committee, etc.
- Headed new Security Policy development project, developed various policies & procedures and headed various Internal IS Audits
- Developed various new Electronic Fund Transfer solutions with third parties resulting in $40 million revenue gains or cost savings.
- Carried out development for bank applications in C, C++, Java, VB and SQL*Plus using Oracle RDBMS, Btrieve, etc.; implemented various OS like Linux, Unix and Microsoft LAN servers; used communication systems for global connectivity like GroupWise, VSAT networks, etc.