Fareeduddin Ahmad, Senior Information Security Risk & Assurance Manager

Bank Aljazira

Location: Saudi Arabia - Jeddah - As-Safa
Education: Bachelor's degree, Electronics and Microelectronics
Experience: 24 years, 10 Months


Work Experience

Total years of experience: 24 years, 10 Months

Senior Information Security Risk & Assurance Manager at Bank Aljazira
  • Saudi Arabia - Jeddah
  • My current job since August 2021

Basic responsibilities include the following:
▪ Conducting information security risk assessments on all applications/systems and communicating risk assessment reports to management and stakeholders.
▪ Developing, updating and maintaining the IS (information security) risk register.
▪ Following up with the risk owners and ensuring that the risk remediation actions are completed in a timely manner.
▪ Conducting all information security risk assessments (ad hoc, annual, product/project-based, 3rd party service providers etc.)
▪ Ensuring that all risk review and treatment activities are performed on a regular basis.
▪ Ensuring that all IS risk management activities are carried out in alignment with the regulatory requirements and as per information security best practices.
▪ Ensuring that the IS risk management policy and procedure are documented, approved, maintained and kept up to date.
▪ Providing support to GRC team members in governance, compliance, awareness and other IS-related activities.
▪ Provide support to SOC monitoring and Security Incident/Threat management teams in identifying and registering IS risks related to the Bank.
▪ Provide updates to higher management (ISMC (Information Security Management Committee)) on all IS risk management related activities on a quarterly basis.
▪ Define and report on KPIs and KRIs related to IS risk management on a regular basis.

Senior Officer, Information Security Governance at National Commercial Bank
  • Saudi Arabia - Jeddah
  • October 2009 to December 2020

Currently working as Acting Manager, Information Security Governance Section, reporting to the CISO.

Basic responsibilities include development and management of the information security policies, procedures and processes; provision of information security awareness across the organization using a variety of delivery methods, conducting security risk assessments on critical systems/applications, reporting the organization’s overall security posture to management etc.

Previously worked as Senior Officer, Information Security Governance in the BCISM (Business Continuity and Information Security Management) Department of the National Commercial Bank, Jeddah.

Basic responsibilities included the following:
▪ Establishing the Information Security vision, strategy and developing the Information Security Governance framework for the Bank
▪ Developing, reviewing and updating the Information Security Management Policy and other relevant policies, procedures and processes, as per international information security standards
▪ Conducting gap analysis of the Top 20 Critical Security Controls (SANS) and ensuring successful implementation
▪ Conducting information security risk assessments on identified critical systems and communicating risk assessment reports to management
▪ Ensuring that awareness on information security is provided to all staff and stakeholders through a variety of communication channels (e.g. email, live sessions/training, videos etc.) on a regular basis
▪ Providing support to management in reviewing and maintaining the Bank’s overall information security posture at an acceptable level
▪ Developing and preparing Information Security Advisory alerts to be communicated to staff in emergency cases and as required
▪ Providing support in closing and following up on audit findings (external and internal) related to Information Security Governance

Previously worked as a Senior IT Risk Officer, Services Risk and Compliance in the BCISM Department of the National Commercial Bank, Jeddah.

Basic responsibilities included the following:

▪ Conducting risk assessments/evaluations for risk assets (IT systems, processes, services etc.)
▪ Estimating and identifying the relevant risks, their corresponding probabilities and business impacts
▪ Studying and assessing the appropriate risk response options for each risk
▪ Managing the risk registers for assigned IT departments
▪ Conducting risk analyses on assigned IT projects as a Risk Analyst
▪ Developing, managing and reporting KRIs for the Bank’s IT Division
▪ Conducting pre-audit sessions with IT departments in preparation for the actual audits
▪ Coordinating with Incident and Problem management teams to identify and manage potential risks
▪ Preparing and submitting comprehensive risk evaluation reports/summarized risk profiles to Management
▪ Managing and administering the Information Risk Management tool (RSA Archer eGRC, SAS OpRisk Monitor, Citicus One) (e.g. registering all identified risks/incidents, reviewing adherence to relevant standards & policies, creating and generating reports using the tool etc.)
▪ Coordinating with internal/external auditors, facilitating their activities and assisting the various IT departments in understanding and closing/mitigating the highlighted issues/risks
▪ Providing support in managing and maintaining the Bank’s compliance to ISO 27001 and PCI DSS certifications
▪ Developing and reviewing relevant documentation (e.g. policies, procedures, processes, cross-functional diagrams etc.)

Senior Information Security Officer at National Commercial Bank of Saudi Arabia
  • Saudi Arabia - Jeddah
  • August 2004 to September 2009

Basic responsibilities included the following:

▪ Coordinating with and providing support to vendor in deploying a 24x7 security monitoring service for the Bank which included monitoring of the network, firewalls, IDSs, production systems (Windows, UNIX); correlation of logs/alerts; detailed analyses and report generation.
▪ Coordinating with and supporting vendor in providing the anti-phishing/online brand protection services to protect the Bank from phishing attacks and other cyber threats.
▪ Providing support in carrying out security assessment reviews for units/departments and recommending risk mitigation actions.
▪ Submitting security monitoring, anti-phishing and information security status reports (monthly, annually) to top management.
▪ Improving security monitoring coverage and developing the security monitoring policy and procedures.
▪ Providing support to the security incident management team in identifying and isolating the root cause of security incidents.
▪ Evaluating different security monitoring solutions and participating in ongoing penetration tests.
▪ Ensuring compliance with SAMA (Saudi Arabian Monetary Agency) requirements.
▪ Providing support in and facilitating information security awareness sessions for the Bank.
▪ Participating actively in the SIRT (Security Incident Response Team) of the Bank.

Have also worked in the same department as an Information Security Relations Officer where basic responsibilities included the following:

▪ Reviewing and updating information security policies, procedures, standards and guidelines as per the international security standards (BS-7799) and best practice recommendations (ITIL).
▪ Coordinating with other IT departments to facilitate integration and implementation of security requirements in ongoing projects in the Bank.
▪ Conducting security assessment reviews of systems.
▪ Responding to information security concerns of the end-users (virus alerts, hoaxes etc.).
▪ Assisting system administrators in developing and documenting procedures.

Network Engineer/Consultant at Saudi Business Machines (SBM)
  • Saudi Arabia - Jeddah
  • February 2002 to February 2004

Worked with SBM (Saudi Business Machines), on a sub-contract basis, as a Network Engineer/Consultant. Basic responsibilities included providing network administration, management, implementation, installation and related technical support (Cisco and Microsoft related) to clients as per project requirements.

December 2003 - February 2004:
Worked on a project for SEC-SRB (Saudi Electric Company-Southern Region Branch) through SBM. This project was an extension of the previous project I had worked on with SEC-SRB at their head office in Abha. I was basically responsible for the installation and configuration of all the Cisco devices (routers, switches, wireless access points/bridges) at all the administration buildings and electric units of the SEC-SRB offices in Abha, Khamis Mushayt, Al Baha, Bisha, Qunfudah, Najran and Jizan.

Listed below are some of the tasks I had accomplished during this period:

▪ Configured and installed the Cisco routers (3725, 3745), switches (3550, 4507, 2950G) and wireless access points/bridges (Aironet 350 series) at all the main sites and their units.
▪ Created VLANs on the appropriate Layer 3 switches, as per requirements.
▪ Upgraded the Cisco IOS images on all the routers, enabling them to run the DLSW protocol, as per requirements.
▪ Checked and verified the WAN links between the routers at the electric units and their corresponding administration buildings.
▪ Repaired Cisco routers (password-recovery, hardware problems etc.) as required.
▪ Made sure the network was always up and running.

February 2002 - February 2003:
Was involved in a project for SEC-SRB, Abha, Saudi Arabia being responsible for a 250+ users TCP/IP network running on a Windows 2000 platform with a fiber backbone implemented using 10 Catalyst 2948G-L3 switches, 2 Catalyst 4006 switches and 3 Cisco routers 2620, 3640 and 7204 VXR for two WAN links to other branches and an Internet access through a leased line.

Listed below are some of the tasks I completed at SEC-SRB:

▪ Configured and installed all the Cisco switches (4006, 2948G-L3) at the SEC-SRB Head Office, Abha.
▪ Installed CiscoWorks2000 on the network management server and configured it for proper usage and management of the network.
▪ Configured all the Cisco devices with SNMP protocol and appropriate community strings enabling them to be used with CiscoWorks2000.
▪ Assisted another Cisco certified professional in diagnosing and solving a technical problem with the Cisco 7204 VXR router.
▪ Supervised all site surveys, cabling and node installations.
▪ Supervised installations and distribution of IBM (Netvista) workstations.
▪ Installed Windows 2000 Server on several IBM e-Server (xSeries 220) machines.
▪ Added clients/workstations (Windows 98, Me, XP, 2000) to the network.
▪ Created new users/mailboxes (250+) on Exchange 2000 server.
▪ Implemented Internet-usage reports and site/protocol rules on ISA server.
▪ Created a lab environment (CCNA-level) using two Cisco 2620 routers for training/experimental purposes.
▪ Provided individual training to the higher management and also conducted seminars on using the network effectively.

Main responsibilities included maintenance and troubleshooting of all Cisco devices. Other responsibilities included administration of CiscoWorks2000, Exchange 2000 and ISA Server as well as providing technical support to all network-related issues and troubleshooting other computer-related problems in general.

Achieved CCNP certification by passing all of the 4 exams from New Horizons, Jeddah, KSA. All exams and training expenses were covered by the company.

Network Engineer/Administrator at Mubarak Al Zarwi Establishment
  • Saudi Arabia - Jeddah
  • June 1998 to December 2001

Worked with Mubarak Al Zarwi Est. as a Network Engineer/Administrator. Responsibilities included all network-related issues including cabling, installation, administration, troubleshooting, email and Internet configuration, upgradation and all other computer hardware/software related work.

CCNA, CCNP, CCIE-written - Achieved CCNA certification on March 10, 2000, after completing a 2-month company-sponsored training course from Softnet Education Center, Karachi, Pakistan. Also completed a 4-month company-sponsored training course with labs for advanced Cisco certifications (CCNP, CCIE) at UNSCOM, Karachi, Pakistan. The training course included hands-on practice work with Cisco routers (1605, 2501, 2620), Cisco Catalyst 5000 Switch, Cisco 2924 Ethernet Switch; full configuration of protocols RIP, IGRP, EIGRP, OSPF, BGP; access-lists; remote access using PPP with PAP and CHAP authentication modes; configuration of ISDN and Frame Relay, VLAN switching, HSRP, password recovery.

7 months of work (August 1999 to February 2000) was during the company-sponsored training for the various NT-based certifications, including MCP, MCSE, MCSE+I and MCDBA at ICE and CTTC in Karachi, Pakistan. The training course included installation and configuration of TCP/IP, IP addresses; subnetting of networks, creating new users, local/global groups; DNS, WINS, DHCP configuration and overall troubleshooting using NT tools; planning and installation of organizations, sites, servers and mailboxes, directory synchronization; setup, installation, configuration of automatic scheduled backups; basic programming with T-SQL; usage of the query analyzer, troubleshooting SQL-related problems and debugging T-SQL queries.

Education

Bachelor's degree, Electronics and Microelectronics
  • at National Research Nuclear University (former Moscow Engineering Physics Institute (MEPhI))
  • April 1998

Specialties & Skills

Network Security
Information Security Management
IT Risk
Microsoft Office
IT Management
Network Management
IT Security Management
IT Projects Management
IT Risk Management

Languages

English: Expert
Arabic: Intermediate
Urdu: Expert

Memberships

ISACA Jeddah Chapter
  • Executive Committee Member - Certifications Director (CISA, CISM, CRISC) & CSX Liaison
  • January 2006
ISACA
  • Member
  • January 2005

Training and Certifications

CISSP (Certificate)
CISA (Certificate)
CISM (Certificate)
CRISC (Certificate)

Hobbies

  • Table Tennis
    Have won several championships in school and college and also recently at work.
  • Playing electronic musical keyboards
    Lead a musical band of 4 and have performed with well-known artists from Pakistan and India such as Alamgir, Faakhir, Saleem Javed, Amir Jamal, Abrar ul Haq, Mohammad Aslam, Sikander etc. I am a well-known musician in the South Asian community of Jeddah, being in this field for the last 25+ years.