Security Consultant Resume Profile

NC

PROFILE

  • Results driven, motivated, and business-savvy cyber security professional with strong regulatory and hands-on expertise in IT Security and System Integration.
  • Proven track record in enabling clients to achieve their critical business goals.
  • Decade-long experience contributing key advice and providing technical lead on enterprise-level projects resulting in measurable security improvements and positive recognition.
  • Strong background in navigating intricate organizational relationships and guiding complex technical projects involving multiple organizations with competing priorities.
  • Fifteen years of extensive experience in designing, integrating and managing IT systems, creating policy and managing large projects.
  • Significant Risk Assessments expertise evaluating financial services firms, multinational corporations and third party service providers with the focus on IT Systems and supported business processes. Strong understanding of risk assessment standards (NIST SP 800-30).
  • Experience providing services to help clients with their risk management issues, including identification and prioritization of enterprise-wide risks and development of the tools and processes needed to build a robust and sustainable risk management program.
  • Performed numerous technical security risk assessment and vulnerability assessments covering technologies such as iPhone, iPad, cloud, web servers, hosts, database, routers, switches, and firewall.
  • Over ten years of experience in cyber security research. Wrote papers in the area of technical run-book, incident response and security technology evaluation. Routinely made recommendations for the research-based technology acquisitions.
  • Established enterprise security architectures and provided solutions to compliance, privacy and regulatory needs such as SOX, FFIEC, GLBA, PCI, ISO, NIST, and GAPP for financial services firms and large public multinational corporations (Lehman Brothers, JPMorgan Chase, State Street Corporation, Microsoft Corporation, Time Warner). Writes winning technical reports focused on enterprise risk management.
  • Recognized by the U.S. National Security Agency (NSA) as an Information Systems Security (INFOSEC) Professional as outlined in the 4013 U.S. Government Standards. Recognized as a Computer Network Defense Service Provider Security Certification by Department of Defense (DOD) Directive 8570.

KEY STRENGTHS

  • Enterprise Security Architecture
  • Regulatory Compliance
  • Security Consulting
  • Information Security Audit
  • Vendor Security Review
  • Data Privacy
  • Vulnerability Management
  • Risk Assessment
  • Policy Development

TECHNICAL SKILLS KNOWLEDGE

Operating Systems: - Red Hat Linux, Sun Solaris, Cisco IOS, Microsoft Windows, UNIX

Protocols/Services: - TCP/IP, UDP, FTP, HTTP, HTTPS, ICMP, Telnet, SNMP, SSH, SSL, IPSec

Programming: - UNIX Shell script, BASIC

Software/Services: - MS-Office, VMware, Microsoft SQL, Oracle, AD Group Policy Objects (GPO), Active Directory

Security Technologies/Tools: - eTrust Access Control, Check Point and Juniper Firewall, Dragon IDS, Symantec SEP, AlgoSec, Websense Web Filter, Sourcefire and TippingPoint IPS, RSA SecurID, QualysGuard, Nessus, SuperScan, eEye Retina, RSA Archer, ArcSight, Cisco PIX, Cisco ASA, Tripwire, Snort, ISS Internet Scanner, Vontu Data Loss Prevention, Citrix Presentation Server, McAfee Anti-Virus ePolicy Orchestrator, Safeword Multi-Factor Authentication, Cisco IronPort

Standards and Regulations: - ISO 27000, Sarbanes-Oxley (SOX), PCI DSS, FISMA, NIST 800 Series, OWASP, COBIT, GAPP, FFIEC, HIPAA, SB 1386, US-EU Safe Harbor, SAS-70

Hardware: - Cisco Routers and Switches, SUN Workstations, Enterasys Dragon Sensors and Servers

EMPLOYMENT HISTORY

Confidential

  • Built and led an enterprise IT risk management program from the ground up. Developed an IT risk management program to measure risk across all CIT business lines and processes.
  • Coordinated and conducted risk assessments to identify key security exposures and produced risk management-oriented security metrics which measure the success of our controls and defenses and assist management with decision support.
  • Participated in developing, documenting, and maintaining IT policies, standards and guidelines to ensure a sensible security posture and compliance with legal and regulatory obligations.
  • Acted in role of Senior SOX Internal Auditor in testing of SOX critical financial database servers. Worked with business users to research and document SOX key controls, classify their risk to the company and effectively wrote required documentation and test plan.
  • Served as a Senior Security Advisor to the CIO on tasks related to compliance and privacy assessments.

Confidential

Security Consultant

  • Conducted numerous third party vendor security assessments for one of the oldest financial services firms in the world and leader in financial services, to support their IT Risk Management program that addresses the requirements of the Gramm-Leach-Bliley Act and other applicable data privacy laws and SOX regulations. The scope includes onsite risk assessment of 25 control/process areas that have been identified as important to risk prevention; these include, but are not limited to, Security Policy, IT Security Awareness Training, Vulnerability Management, Change Management, Incident Management, mobile technologies such as iPad and iPhone, and other key areas.
  • Designed the audit questionnaire based upon Financial Institution Shared Assessment Program to support their Information Technology Risk Management program. Offered efficiencies and cost savings to the financial institution and service providers through an innovative and comprehensive alternative to traditional service provider assessment methods.
  • Prepared control review documentation comprising business background information, scope of review, overview of the IT environment, summary of categorization of control areas, control category descriptions and detailed findings.

Confidential

  • Performed penetration testing and network audit for a U.S. based financial services holding company located in the Financial District area of Boston. The scope of engagement included the core internet backbone comprising Juniper Netscreen firewall, Cisco routers and switches. Reviewed AlgoSec Firewall Analyzer reports to identify risky firewall rules and recommended corrective actions. Efforts led to mitigating the risk and enhanced overall security posture.
  • Exceeded client's expectation by identifying major findings on firewalls and routers which were missed during their 2008 audit and went out of the way to mentor one of their audit consultants on other IT control areas.
  • Developed and presented the final audit report to the management. Instrumental in drafting a plan to mitigate the risk identified during the engagement. Efforts led to KPMG winning additional IT infrastructure audits to improve their overall security posture.

Confidential

  • Led and performed IT security assessment for a public multinational corporation based in USA, for their data center, based upon Generally Accepted Privacy Principles (GAPP) requirements. Identified strengths of the existing information security program, potential weaknesses/risks and provided recommendations for potential improvement opportunities, which facilitated management decision making.

Confidential

Lead Security Engineer

  • Recommended and assisted network services team to upgrade existing CISCO ASA 5510 from version 7.2 to 8.0 to leverage its Web based SSL VPN clientless feature to provide secure access for the vendors on the isolated network, which resulted in substantial savings to the firm by avoiding a potential buy-in.
  • Identified the existence of data leakage through personal storage sites which resulted in thorough research and evaluation of content filtering solutions and recommended Websense Web filter to the senior management as a leading choice. Documented Websense network design options: Pass-by and Pass-through technologies and presented to the IT infrastructure team.
  • Performed over 100 vulnerability assessments for about 10,000 hosts, servers and network devices and HBO's iPhone application using QualysGuard scanning tool. Efforts led to the development of an infrastructure that enhanced information security posture, and advanced the division's mission towards VISA/MasterCard PCI compliance.
  • Created evaluation guide for Intrusion Prevention System (IPS) to assist in understanding the essential criteria to select IPS for deployment. Instrumental in management's decision to consider Sourcefire and TippingPoint IPS as a potential solution.
  • Participated in security architecture reviews and as a subject matter expert worked with IT infrastructure, application owners, HR, compliance and legal teams to ensure compliance with stated security requirements, policies, standards and government regulations.
  • Documented technical security standards, guidelines, and procedures required to reinforce information security policies. Conducted necessary research to ensure these standards, guidelines and procedures adhere to current best practice guidelines and information security industry standards such as ISO 27001 and NIST.
  • Conducted numerous 3rd party security reviews to determine the security posture of companies that host/store on behalf of Time Warner. Eliminated redundancies and created efficiencies, giving all parties a standardized, consistent, faster, more rigorous, more efficient and less costly means of conducting security, and privacy assessments.
  • Succeeded in preventing a possible infection by Conficker worm, accomplished this by drafting a risk mitigation plan including confirming that Symantec End Point protection 11.0 has the latest release definitions for protection and drafted a plan to scan the systems using a newly created QualysGuard scan policy for detecting the presence of worm.
  • Presented quarterly metrics to the senior management related to Check Point firewall and Dragon IDS security threat events gathered through Symantec portal, and also provided metrics for vulnerabilities based upon severities gathered through Qualys scan results.
  • Trained security operators and created procedure manual on vulnerability management process, tools and how to respond to security incidents such as worms and viruses.

Confidential

  • Part of security engineering team to design, implement and manage eTrust access control on 4,000 UNIX and Linux servers across Americas, Europe and Asia.
  • Established an excellent rapport with the developers and the application owners to investigate, analyze and rectify permission issues. Efforts led to the development of an infrastructure that enhanced information security posture, and advanced the division's mission towards Sarbanes-Oxley (SOX) regulatory compliance.
  • Awarded Lehman Brothers' exceed expectations employee rating for outstanding performance in locking down 4000 Unix servers belonging to Equities, Fixed-Income and Investment banking business units and accomplishing division's mission towards SOX compliance by working efficiently with external auditors.
  • Worked on weekends for critical security changes such as enforcing restriction on services such as SSH, FTP and RSH on the production environment and locked down login access on mission-critical and production environment such as Trading platforms, Derivatives, Lehman Live web portal and CVS source code servers, based upon initial data log reviews, and analysis.
  • Performed security system configuration and policy database changes, provided training to IT security operations team, know-how, and documented a technical run-book thereby eliminating the need for recruiting additional consultants which resulted in annual savings of more than 250,000 to the firm.
  • Deployed and configured Unix Sudo configuration across the global enterprise comprising of 18,000 Unix servers in 3 geographic regions, which improved system turn-around time by more than 50 for developers, database system administrators.
  • Automated routine works using UNIX shells for policy creation updates, user account management, log analysis and technical troubleshooting thereby accomplishing the work previously required of two full-time employees.
  • Reduced maintenance costs on security technology 50 annually by successfully limiting the scope of access control implementation to business critical servers, centralizing all applications and reducing client problems.
  • Configured eTrust system logs to monitor critical binaries and executables belonging to 100 mission critical applications spread across 3 geographic regions, which helped with troubleshooting, legal and SOX compliance requirements.