- More than 15 years of experience in IT Security, IT Management, PCI DSS Security Compliance, HIPAA, SOX 404, ISO 27001, Security Risk Management and Project Management, galvanizing teams in core initiatives while serving as a change agent for efficiency improvements, with expertise in Platforms and Interface Management.
- Interfaced with CIOs, CISOs, CFOs, Senior VPs and Directors to determine business strategy and to allocate budget and resources; managed large teams of professionals.
- Leader with proven track record of delivering technology solutions using multi-sites and cross-cultural teams.
- Demonstrated ability to identify gaps relating to key IT security processes and to implement industry best practices.
- Managed the implementation of IS Security programs in large enterprises.
- Wide industry experience including Healthcare, Banking, Financial, Insurance, Retail, Telecommunications, Travel, Legal, IT Security, Manufacturing and Logistics.
- Effective at motivating and leading IT security and compliance professionals. Excellent presentation, communication and negotiation skills.
- Acted as an advisor and provided guidance on system and security architecture, policies and direction.
- Managed the resources and budget and identified the staffing requirements.
- Recruited and managed IT managers, systems, network and security professionals.
- Mentored and coached the managers and the team in technical and soft skills.
- Managed large security, risk and compliance initiatives for PCI DSS, SOX 404 IT, HIPAA / HITECH, Privacy Act, FFIEC, Federal Trade Commission (FTC), SAS 70 and ISO 27001.
- Extensive experience in IT Security Program, Security Policies & Standards, Risk Management, IT Governance, IT Compliance, Incident Management, Vendor Evaluation, Data Discovery & Classification.
- Implemented Enterprise Risk Management Framework; Organized and conducted enterprise-wide security risk assessments; Managed the implementation of large secured networks and systems.
- Established Security Committee and Change Control Committees. Created Security Incident Response Plan; investigated security breaches.
- Collaborated with key business and IT leaders to develop security policies, configuration standards (NIST), guidelines and procedures to ensure confidentiality, integrity and availability, based on the frameworks COSO, ISO 27001 (ISMS), COBIT, OWASP, SANS, ITIL and 21 CFR Part 11.
- Provided on-going leadership to expand the company's IT Security Posture and implemented new technologies, tools and processes including web application security testing, WAF (Web Application Firewall), DLP (Data Loss Prevention), FIM (File Integrity Monitoring), ArcSight (Security Information and Event Management) and IDM.
- Managed the implementation of BCP and DRP plans; Integrated security with SDLC Process.
- Program management, Project Prioritization and Team Selection.
- Extensive working experience with IT systems (IBM z/OS mainframe, AS/400, SAP, PeopleSoft, Unix, Windows), databases (DB2, Oracle, SQL) and network devices (IDS / IPS / VPN / Firewall / Switches).
- Vendor negotiation and leveraged global development and delivery models.
- Designed and implemented enterprise wide security solutions and reduced security, compliance and privacy risks; designed risk ranking methodologies; implemented risk based approaches.
- Provided on-going leadership to expand business opportunities beyond short term solutions.
- Managed the implementation of vulnerability and threat management (vulnerability scanning, penetration testing and security patch management).
- Managed several key security projects: Network Segmentation; Business Continuity Plan and Disaster Recovery Plan; Identity and Access Management (IAM); Vulnerability and Threat Management; Security Patch Management; Security Configuration Standards; Encryption and Key Management; Data Loss Prevention; File Integrity Monitoring; Integration of Security into SDLC Process; Web Application Security Testing; Web Application Firewall; FireEye.
- Organized and managed manual and static code review and dynamic web application security testing and recommended solutions.
- Created third party vendor management programs and conducted third party risk assessments.
- Executed timely performance appraisals, and coached and mentored IT security and compliance professionals.
- Trained and mentored IT security and compliance professionals; Designed security awareness training programs;
- Managed complex and large IT security projects with budgets ranging from $500K to $24M and resources from 5 to 40 professionals.
Confidential, Oct 2007 to Present
Principal Security and Compliance / Director – Security and Compliance
Managed the design and development of enterprise IT Security Architecture. Managed and delivered IT security and compliance initiatives for PCI DSS, SOX Audit, Enterprise Risk Management (IT Governance), HIPAA Compliance, SAS 70 and ISO 27001 – Information Security Management Systems (ISMS) frameworks.
Security Architecture: Worked as an advisor for creating road map and strategy for Security and compliance. Managed the creation and implementation of IT security architecture and systems, security policies, configuration standards and guidelines. Created and managed information security processes and security control standards for technology and application development.
PCI DSS Security Compliance Projects:
Worked as a program manager and created a road map for the entire PCI DSS compliance program; managed more than 20 resources (security managers, project managers, security architects, etc.) with a project cost of more than $24 million. Managed the entire global PCI DSS compliance program for the USA, Europe, Asia and Latin America. Provided architecture guidance and direction for security. Defined the global PCI compliance roadmap. Managed the implementation of security solutions (IBM z/OS Mega Crypt encryption, key management, data loss prevention (DLP), file integrity monitoring and IDM) and safeguarded credit card data, Personally Identifiable Information (PII) and company confidential information. Designed and implemented enterprise-wide security solutions and reduced security, compliance and privacy risks. Managed the implementation of enterprise-wide security policies and processes relating to FFIEC.
Managed and implemented several key security projects: Network Segmentation; Tokenization; Identity and Access Management (IDM and IAM) (CA and Tivoli); Web Application Security; SIEM / ArcSight Implementation; Security Configuration Standards; Encryption and Key Management; Data Loss Prevention; File Integrity Monitoring; FireEye (tool for preventing zero-day and APT attacks).
Web Application Security: Established a security risk assessment framework and processes and integrated security into the SDLC process. Managed the implementation of a web application firewall (WAF), manual and static code review, and dynamic web application security testing tools (WebInspect, Fortify, Veracode). Conducted training for programmers on secure coding practices and the new SDL process. Managed and reviewed web application security test results and provided practical recommendations based on OWASP and SANS. Established a threat modeling process (DREAD and CVSS) and risk ranking methodologies to prioritize and rank security risks.
IT Security Governance / Enterprise Risk Assessment: Worked as a team lead and created enterprise-wide security risk assessments with a project cost of more than $22 million. Developed the IT Security Governance and Enterprise Risk Management Framework for the company. Managed and tracked enterprise security risks, threats, vulnerabilities and security issues, and the status of remediation plans. Prepared high-level dashboard reports and presented them to senior management.
IT Security Risk Assessment: Managed and conducted a security risk assessment to identify the security issues. Created risk management strategies and risk-based approach for prioritizing the security issues and resolved them.
HIPAA Security: Managed a team of IT security professionals and implemented the security controls required by the HIPAA Act.
SIEM / Event Correlation / Log Management / Incident Response Plan: Managed the implementation of ArcSight and Splunk (SIEM) event correlation tools and implemented the incident response plan and procedures.
Vulnerability and Threat Management: Streamlined and consolidated the processes relating to vulnerability scans, penetration testing and security patches. Introduced a risk-based approach and risk ranking tools (CVSS) for addressing security issues.
Senior IT Audit Manager Mar 2005 to Sep 2007
Project Manager – Security and Compliance Aug 2004 to Mar 2005
Managed security and compliance team and implemented IT Security programs for the entire corporation, including locations in Europe, Asia, Australia, Canada and USA.
Security Committee: Formed a Security Committee with the help of the CIO to review and approve system and security architecture, the risk management process, security policies, configuration standards and procedures, and to prioritize security risks and resources.
SOX 404-IT Compliance: Audited and tested controls for AS/400, SAP, PeopleSoft, JD Edwards, Oracle, DB2, MS/SQL, Infinium, AIX6000, UNIX (Sun Solaris), IT security, systems and applications.
Business Continuity and Disaster Recovery Plan: Managed the business continuity and disaster recovery project, conducted business impact analysis, identified RPO and RTO, and coordinated with various teams to implement them.
ISO 27001 Security Certifications:
Managed the process of implementation of ISMS framework and security controls and obtained certifications for numerous locations including Australia, USA and India.
Confidential, Massachusetts, April 2001 to Aug 2004
International Project Manager (Security and Compliance)
Project managed the implementation of global data centers in Europe, Asia and Americas.
Global IT Security: Project managed the design and deployment of IT Security systems (firewalls, routers, switches, IDS/IPS and VPN) across the globe (Paris, Amsterdam, London, Hong Kong, Tokyo, Frankfurt and Singapore).
CISP (PCI DSS Security Compliance) Security: Implemented secured systems and processes to secure credit card transactions based on the CISP (PCI DSS Security Compliance) security program.
Web Application Security: Managed the development and implementation of web & ecommerce security.
Certification in Progress:
- CISSP (Certified Information Systems Security Professional)
- CISSP Certification Course - IT Security Course - ISC2
- CPISM – Training on Certified PCI Security Manager
Immigration Status: US Citizen