Program Manager Resume Profile
Summary
- More than 15 years of experience in IT security, IT management, IT audit, PCI DSS security, GRC, HIPAA, SOX 404, ISO 27001, security risk management, project management and security management, galvanizing teams around core initiatives while serving as a change agent for efficiency improvements, with expertise in platform and interface management.
- Interfaced with CIOs, CISOs, CFOs, senior VPs and directors to determine business strategy and to allocate budget and resources; managed large teams of professionals.
- Leader with a proven track record of delivering technology solutions using multi-site and cross-cultural teams.
- Demonstrated ability to identify gaps in key IT security processes and to implement industry best practices.
- Managed the implementation of information security programs in large enterprises.
- Wide industry experience including HealthCare, Banking, Financial, Insurance, Retail, Telecommunications, Travel, Legal, IT Security, Manufacturing and Logistics.
- Effective at motivating and leading IT security and compliance professionals. Excellent presentation, communication and negotiation skills.
- Acted as an advisor and provided guidance on system and security architecture and on policy direction.
- Managed large enterprise projects, resources and budgets, and identified staffing requirements.
- Recruited and managed IT managers and systems, network and security professionals.
- Mentored and coached managers and team members in technical and soft skills.
Professional Experience
Confidential
Principal - Security and Compliance
Client Companies:
- Technology: Confidential. Confidential Cloud Services, ISO 27001 Compliance, SaaS Security
- Manufacturing: Confidential Risk Security and Compliance
- Finance and Mortgages: Confidential Risk Management Enterprise Security Solutions
- Finance and HealthCare: Confidential PCI DSS Security and Compliance
- Retail Sector: Confidential PCI DSS Security Compliance and FFIEC Security
- Travel: Confidential Enterprise Security and PCI DSS Security and Compliance
- Health Care System: Confidential PCI DSS Security, SAP System Security Tokenization
- Health Care System: Confidential Web Application, PCI DSS Security HIPAA Security
- Banking Sector: Confidential PeopleSoft Application and HIPAA Security
- Banking Sector: Confidential PCI DSS, Enterprise Security and Web Application Security
- Finance and Healthcare: Confidential PCI DSS, HIPAA, IBM z/OS Security and Enterprise Risk Management
- IT Security: Confidential Governance Enterprise Security Risk Management GRC
- Legal and Storage Service: Confidential SAS/70 and ISO 27001 and PCI DSS Security
Confidential:
- Worked as a program manager and created a roadmap for the entire PCI DSS compliance program, managing more than 20 resources (security managers, project managers, security architects, etc.) with a project cost of more than Confidential. Managed the entire global PCI DSS compliance program for Confidential. Provided security architecture guidance and direction. Defined the global Confidential compliance roadmap. Managed the implementation of security solutions including IBM z/OS Mega Crypt encryption, key management, data loss prevention (DLP), file integrity monitoring and identity management (IDM), safeguarding credit card data, personally identifiable information (PII) and company confidential information. Designed and implemented enterprise-wide security solutions that reduced security, compliance and privacy risks.
Confidential
- Worked as an advisor in creating a roadmap and strategy for security and compliance. Provided security architecture solutions for mission-critical systems. Managed the creation and implementation of IT security architecture and systems, security policies, configuration standards and guidelines. Created and managed information security processes and security control standards for technology and application development.
Confidential
- Managed the creation of a security roadmap for cloud security services. Managed the security review of the OpenStack architecture and its components (Keystone, Nova, Glance, Quantum, etc.) and implemented Infrastructure as a Service (IaaS), VPNaaS and FWaaS services.
Confidential:
- Created third-party vendor management policy and process documents. Created two types of security risk questionnaires, "light" and "heavy", covering ten domains of IT security based on ISO 27001, COBIT and NIST standards. Conducted third-party security risk assessments of vendors and service providers, identified gaps and worked with them to mitigate the gaps. Worked with corporate lawyers to include information security and audit requirements in third-party contract agreements.
Confidential
- Managed audits of systems that store and process customer and associate information. Identified the requirements of Confidential and evaluated the effectiveness of controls.
Confidential
- Conducted IT security due diligence on newly acquired companies (mergers and acquisitions).
Confidential:
- Worked as a program manager and delivered enterprise-wide security risk assessments with a project cost of more than Confidential million dollars. Developed an IT security governance and enterprise risk management framework using RSA Archer. Managed and tracked enterprise security risks, threats, vulnerabilities and security issues and the status of remediation plans. Prepared high-level dashboard reports and presented them to senior management. Created a high-level risk assessment scoping questionnaire, interviewed the senior management team to collect responses, and calculated and weighted risk factors for each application and system to identify the company's critical assets. Created control objectives and controls based on the ISO 27001 and COBIT frameworks, conducted risk assessments to identify inherent risks in the company and recommended practical remediation. Managed and tracked enterprise security risks, compliance-related issues (SOX, HIPAA, PCI DSS, etc.) and remediation status in the Archer GRC tool.
- Compliance and SaaS Security Review: Conducted gap analyses and recommended best practices, including the policies and controls required for SAS 70, ISO 27001 and SaaS security. Assisted in creating an ISMS framework including security policies, processes and procedures. Implemented the controls required to comply with ISO 27001, SAS 70/SSAE 16, SOC 1, SOC 2 and SOC 3, and Software as a Service (SaaS) security.
- IT Audit: Worked as an IT audit advisor, managing and reviewing work papers and test plans for Deloitte and PwC (Big 4 audit firms), and provided advice and recommendations on key controls and processes. Audited IBM mainframe systems, ERP systems (SAP R/3 and PeopleSoft: Purchasing, Materials Management, Inventory, HR, Finance, Payroll, etc.), Unix, DB2, Oracle, Windows and network systems. Assisted process owners in creating and implementing security policies, processes and controls based on COSO/COBIT. Reviewed entity-level controls and IT general controls, identified issues and recommended solutions.
- IT Security Projects: network segmentation; tokenization; identity and access management (IDM and IAM with CA and Tivoli); web application security; SIEM/ArcSight implementation; security configuration standards; encryption and key management; data loss prevention; file integrity monitoring; FireEye deployment for preventing zero-day and APT attacks; vulnerability and patch management; database logging.
- HIPAA Compliance: Acted as advisor and subject matter expert on all aspects of HIPAA as it applies to technology, policy and the interpretation of HIPAA regulations concerning protected health information (PHI). Assisted in creating the HIPAA privacy and security program and introduced policies promoting compliance. Audited and reviewed technical controls and security policies relating to HIPAA.
- Web Application Security: Established a security risk assessment framework and processes and integrated security into the SDLC. Managed the implementation of a web application firewall (WAF), manual and static code review, and dynamic web application security testing tools (WebInspect, Fortify, Veracode). Trained programmers on secure coding practices and the new SDL process. Managed and reviewed web application security test results and provided practical recommendations based on OWASP and SANS guidance. Established a threat modeling process (DREAD) and CVSS-based risk ranking methodologies to prioritize and rank security risks.
- Security Incident Response Team and Plan (CSIRT): Formed a security committee with members of senior management and created a formal security incident response team and plan. Worked closely with the investigations and forensics team, the Security Operations Center, vulnerability management, and the legal and HR teams to respond to and mitigate computer security breaches and cyber-related incidents.
Confidential
- Managed the implementation of ArcSight, RSA enVision and Splunk SIEM event correlation tools. Created and implemented log management policy and procedures. Managed the identification and evaluation of critical security incidents using event correlation and log management tools (ArcSight, RSA enVision, Splunk, etc.), IDS/IPS, vulnerability scanners (Nessus, Qualys), anti-virus, file integrity monitoring (Tripwire), web application security tools (Fortify, WebInspect, IBM AppScan, Veracode) and penetration testing tools. Collected system and security logs from all business-critical systems. Reviewed critical security incidents to determine whether systems had been compromised. Escalated critical events and followed up until the issues were mitigated.
- Identity and Access Management: Managed projects implementing identity and access management solutions using CA, IBM Tivoli or Oracle Identity Management tools. Integrated several systems with the IAM solution, provisioned user access to those systems through it, and introduced single sign-on.
- Vulnerability Scan/Penetration Testing/Ethical Hacking: Streamlined and consolidated the processes for vulnerability scanning, penetration testing and security patching. Created the security patch management, vulnerability management and penetration testing processes.
- Managed and reviewed vulnerability scans using scanning tools (e.g., Qualys, Nessus, Nexpose). Managed and reviewed network and application security vulnerability assessments and penetration tests. Reviewed test scripts and procedures based on exploitation frameworks (e.g., Metasploit). Introduced a risk-based approach and CVSS-based risk ranking for addressing the issues reported by these tools. Worked with process owners to remediate the issues.
Confidential
Senior IT Audit Manager
Project Manager Security and Compliance
- Managed the security and compliance team and implemented IT security programs for the entire corporation, including locations in Confidential.
- Confidential: Formed a security committee with the help of Confidential to review and approve system and security architecture, the risk management process, security policies, configuration standards and procedures, and to prioritize security risks and resources.
- Confidential: Audited and tested controls for AS/400, SAP, PeopleSoft, JD Edwards, Oracle, DB2, MS SQL Server, Infinium, AIX 6000, UNIX (Sun Solaris), IT security, systems and applications.
- Confidential: Managed the business continuity and disaster recovery project, including the BIA, identified RPO and RTO targets, and coordinated with various teams to implement them.
Confidential
International Project Manager Security and Compliance
- Managed the implementation of global data centers for VoIP networks in Confidential.
- Confidential: Project managed the design and deployment of IT security systems for Confidential.
- Confidential: Implemented secured systems and processes to protect credit card transactions based on the CISP/PCI DSS security compliance programs.
- Web Application Security: Managed the development and implementation of web e-commerce security for the VoIP application.
Confidential
Lead Network and Security Consultant/Project Manager
- Designed and managed the implementation of a Layer 3 network for Confidential wireless across 90 locations in Confidential. Team size: 20 network engineers/analysts.
Confidential
Network Manager / Controller
- Managed the network operations center (NOC) with a team of network and security professionals; designed and implemented network systems for 120 locations in Confidential. Migrated applications from legacy IBM AS/400 systems to SAP R/3.
Confidential
Assistant Automation Manager
