- 16+ years of experience in the IT industry in compliance, security analysis, design, development, implementation, testing and auditing of IT and business processes.
- Highly skilled in gap analysis, developing and executing risk assessment processes, risk mitigation plans, Business Impact Analysis (BIA), Business Continuity Management (BCM) and Disaster Recovery (DR).
- Expert in designing appropriate IT and business processes to meet compliance requirements for ISO 9001, ISO 27001, SAS 70, SOX, PCI-DSS, HIPAA, NIST, COBIT, FISMA, GLBA and FFIEC, and in achieving the corresponding certifications.
- Adept in written correspondence, reports, implementation requirements, project status reports, oral presentations and email, keeping executive staff and team members apprised of goals and project status and resolving issues and conflicts. Sound knowledge of security, risk and quality models such as ISO 9001, ISO 27001, OCTAVE, CRAMM, BS 7799, SEI-CMMI, TQM and ITIL.
- Extensive experience in gathering and analyzing requirements, modeling business process flows, and writing Business Requirements Documents (BRD), use case specifications, Functional/Systems Design/Systems Requirements Specifications (SRS), data dictionaries, Business Continuity Plans (BCP) and workflows using UML.
- Expert in information security and quality audits and consulting, with 200+ audit days of ISO 27001 third-party audits, 60+ days in BS 7799, 70+ days in ISO 9001 and numerous days in SOX, SAS 70 and IT technology internal audits.
- Highly experienced in developing, reviewing and re-engineering security and business processes, policies, standards, procedures and guidelines.
- Good process, metrics and presentation skills and strong people-management skills, with the vision and leadership to mentor and guide a good-sized team.
- Ability to manage multiple tasks and prioritize work appropriately. Passionate about quality, customer empathy and results.
- Sound knowledge of business flows and industry standards. Exposure to the non-IT sector and industrial processes. Good understanding of commercial areas such as production, engineering, finance, mortgage, banking, health care, resource planning and securities.
- Good at delivering projects on time with strict adherence to quality by defining, creating and maintaining the project plan.
EDUCATION AND CREDENTIALS
- Bachelor of Engineering [BE] in Electronics & Communications.
PROFESSIONAL TRAININGS AND CERTIFICATIONS
- CRISC - Certified in Risk and Information Systems Control, ISACA
- Certified Auditor, Information Security (CISA) for ISO 27001 / ISO 17799
- Certified Auditor, Quality Management System (ISO 9001)
- Certified Auditor, IT Service Management System (BS 15000 / ISO 20000)
- Certified Ethical Hacker (CEH) from EC-Council
- ITIL Foundation (ITILf) certified
- Certified Internal Information Security Auditor [CIISA]
- Certified Software Quality Professional [CSQP]
- Certificate of Merit for Project Management Body of Knowledge (PMBOK) training from PMI, with 35 hours of learning credit
- Qweb Assessor
- Introduction to CMM trained
- Lead Tutor for ISO 27001 and ISO 20000 workshops
- Trained at SEI CMU CERT (US) on IT / information security incident handling
Confidential, Livingston, NJ. Mar 2011 to date. Title: Senior Consultant, IT Risk
- Operationalized IT risk assessments across multiple locations of CIT and all business units. Harmonized all information security policies, procedures and guidelines.
- Established the IT risk assessment process and risk mitigation plans.
- Prepared the organization for Fed examinations.
- Developed metrics and a benchmarking process for all business units.
- Developed and maintained the risk register.
- Developed IT risk metrics and presented them to senior management.
- Performed risk assessments for 100+ SOX in-scope applications and infrastructure components.
- Implemented the third-party / vendor security assessment process.
- Performed IS policy assessments for all business units.
- Implemented internal controls to close the identified gaps.
- Presented assessment reports to senior management and the Enterprise Risk Committee.
- Implemented Archer and a home-grown tool for effective GRC.
Confidential, Stamford, CT. Jan 2010 to Mar 2011. Title: Senior Consultant, IT Security & GRC Program
- Spearheaded IT security and GRC initiatives across multiple locations of GE Capital. Harmonized all information security policies, procedures and guidelines, and played a pivotal role in drafting and implementing new processes in the organization.
- Established the IT risk assessment process and risk mitigation plans.
- Prepared the organization for SOX, FFIEC and ISO 27001 (ISO 17799 / ISO 27002) examinations.
- Developed a benchmarking process for all business units within GE Capital.
- Developed a risk compliance radar.
- Implemented incident management.
- Implemented exception management.
- Application security (for all SOX in-scope applications).
- Implemented the third-party security assessment process.
- Presented to the Information Security Council.
- Initiated metrics measurements for all domains of ISO 27001 / ISO 17799 across GE Capital.
- Performed gap assessments for all business units of GE Capital.
- Implemented internal controls to close the identified gaps.
- Managed GRC (Archer) tools and home-grown tools for workflow and risk assessment purposes.
Confidential. Aug 2007 to Dec 2009. Title: Business Leader - IT Security, Risk & Compliance. Role: To lead the information security / IT security, risk and compliance processes at Confidential, Cambridge, MA and other confidential locations. Key performance indicators:
- Drove enterprise IT security frameworks and initiatives for multiple locations of Patni Americas and Patni Computer Systems globally. Re-engineered all information security and quality policies, procedures and guidelines. Played a pivotal role in drafting and implementing new processes in the organization and developed the Integrated Business Management System, a common framework to address different processes in the organization.
- Performed IS audits by interviewing people from the HR, Facility, Operations, Production and Technology departments to verify ISMS framework compliance at multiple locations of Patni Americas and Patni Computer Systems globally.
- Ensured HIPAA / CMS, EDI and e-PHI compliance for US healthcare and insurance clients such as UAFC, Prudential, Emdeon and many more. Mapped ISO 27001 controls (100+) to address compliance for HIPAA and EDI. Developed a framework for HIPAA as per ISO 27799 and CMS requirements.
- Performed third-party vendor assessments based on the MSA, agreed policies and international standards such as ISO 27001.
- Consulted for Doha Bank, US Commerce Bank, Synovus Bank, Citigroup and Fidelity Financial Services, and implemented compliance with respect to information security, risk mitigation and other regulatory requirements such as PCI-DSS and GLBA, et al.
- Performed technology risk assessments and BIA (Business Impact Analysis) for Mercer US, UK, Ireland and Australia (HRO client), and developed the risk assessment report and risk mitigation plan for the processes.
- Front-ended clients such as Serco UK, Mercer US & Australia, Tiscali UK, UAC, Emdeon, Prudential ... on risk assessment, data protection, data privacy and business processes.
- Competent in conducting IT security assessments; mentored and led business and technology teams to implement proper processes for Active Directory domain controller servers, strong passwords, firewall management, web content filtering, configuration management, change management, user access management, et al.
- Led to successful certification of SAS 70 Type II, SOX, PCI DSS and ISO 27001 for 2007, 2008 and 2009.
- As a key member of the Governance & Compliance team, worked with Audit, Legal, Procurement, HR, Development, Network, Infrastructure, Facilities, Physical Security and Information Security to develop and implement effective policies and procedures to ensure compliance with all applicable federal, state and local laws and regulations.
- Developed an Enterprise Risk Management (ERM) methodology and BIA (Business Impact Analysis). Implemented the Archer (GRC tool) solution to automate the risk assessment process: created user roles, automated the assessment workflow, documented procedures and assisted the business in conducting the risk analysis.
- Managed the SAS 70 Type II assessment for IT GCC and obtained an "unqualified report" for 3 years in a row; achieved and maintained ISO 27001 certification.
- Developed BCM based on BS 25999 and steered IT DR/BCP documentation.
- Released the BCP test schedule and monitored adherence to the test plan and maintenance of test results.
- Consulted for the vulnerability assessment / penetration test team, reviewed VA/PT results and recommended appropriate corrective actions for server hardening and firewall change management.
STQC IT Services. May 1994 to Jul 2007. Title: Additional Director, IT / Information Security function. Role:
- Lead Implementer for ISO 27001 / ISO 9001 / ISO 20000 and IT security / HIPAA / SAS 70 (SOX)
- Lead Tutor for Lead Assessor training for ISO 27001 / ISO 20000
- Lead Auditor for ISO 27001 / ISO 20000 / ISO 9001 process audits
- Developed, established and maintained IT security programs, policies, processes, procedures and controls based on past experience, industry best practices and emerging trends for model-based process improvements; established and managed the process documentation repository.
- Documented the Information Security Policy Manual as per ISO 27001, along with SOPs and other templates to capture process metrics. Coordinated and managed compliance awareness education, training programs and materials.
- Evaluated compliance processes and artifacts for adherence to standards, process documentation and completeness.
- Performed vendor risk assessments and gap assessments, and followed up to meet control and policy requirements.
- Implemented GRC using tools such as CRAMM, R-SAM, COBRA and a few home-grown tools.
- Project management skills: ability to plan, organize and direct the testing of emergency response, recovery support and business resumption procedures. An effective leader with distinguished abilities in end-to-end project management, giving onsite and offsite presentations.
- Executed against the defined strategy by performing network- and application-level vulnerability assessments using tools such as Nmap, Nessus, Qualys and Nipper to keep the organization consistent with the PCI compliance effort.
- Effective implementation of SAS 70 Type II, SOX, PCI DSS and HIPAA.
- Collected, validated and analyzed measurement data from the projects; presented metrics analysis data to the relevant stakeholders; conducted internal audits and reviews to ensure programs maintained defined compliance levels and provided recommendations for improvement.
- Evaluated, assessed, informed and provided recommendations on risk exposure in the areas of information security, regulatory compliance, and operational and financial applications.
- Aligned IS audit objectives with the bank's internal audit objectives; conducted risk assessments for all banking applications.
- Possess broad competence in strategic management of technical matters, with the distinction of driving new IT initiatives, re-designing IT infrastructures and achieving organizational objectives.
- Risk Assessment / Business Continuity Planning:
- Interacted with the risk team to perform risk analysis for corporate areas to identify points of vulnerability and recommended risk reduction strategies.
- Worked with business units to understand the current environment and advised them on alternative techniques that can be implemented to accomplish their defined yet flexible recovery plans.
- IT Security Management:
- Ensured compliance with information and IT security policies.
- Monitored compliance with security requirements via design reviews, vulnerability testing and penetration testing; audited and tested systems redundancy and disaster recovery procedures.
- Designed, developed, maintained and exercised (tested) the overall disaster and business resumption plans for each critical functional area of the organization.
- Quality Management System (QMS) and Process Improvement:
- Process definition and improvement, audits and compliance checks of all IT processes.
- Implemented quality systems to bridge the gap between control requirements, technical issues and business risks.
- Provided expertise and guidance in interpreting specifications, requirements, guidelines and policies to assure process and product compliance. Interfaced with project personnel, engineering, customer, vendor and subcontractor representatives to review and establish product quality criteria. Ensured that the project measurement objectives aligned with the organization's quality objectives.
- Over 300 man-days of audit and consulting experience in ISO 9001 and ISO 27001; below are a few clients for whom I designed and documented information security management policy manuals, SOPs, forms and formats to capture records.