Sr. Information Security Officer (QAPCO)
QAPCO
Total years of experience: 19 years, 0 months
• Established, implemented, maintaining, and ensuring continuous improvement of the ISMS based on ISO 27001
• Working cross-departmentally with IT and OT (DCS/ICS) to secure and defend ICS networks and devices ensuring resiliency against cyber threats
• Building a Data-Centric Security Architecture to protect sensitive data both in the cloud and on premises
• Conducting cyber security incident detection coverage assessment, and improving the detection maturity
• Leading SOC activities throughout the entire security incident handling lifecycle, including active and continuous security monitoring to identify and respond to security incidents.
• Identify, prioritize and track weak security configurations, and information security vulnerabilities utilizing approved security scanning and vulnerability management tools
• Planning, coordinating and executing penetration testing on information systems
• Establish security hardening baselines based on security configuration best practices such as NIST, CIS benchmarks, STIG, etc.
• Leading the implementation of Identity and Access Management (IAM) program, including the Privileged Access Management (PAM)
• Perform, manage and run periodic information security audits, monitoring compliance with information security policies and procedures.
• Conduct cloud security assessment for cloud initiatives, and recommending controls in proportion to the identified risks, thus providing assurance for cloud adoption.
• Perform periodic information security architecture review, business impact analysis & risk assessments, and controls selection activities
• Recommend and oversee implementation of security initiatives (enabling business or mitigating security risks)
• Oversee negotiations and administration of vendors, outsourcers and consultants for Information security related engagements
• Leading the implementation of phishing assessment and security awareness program
• Designing disaster recovery plan testing scenarios, coordinating the DR testing and updating the DR plan with lessons learned.
• Enforce security controls in projects and change management processes.
• Weekly, monthly, and quarterly reports for Management Review
• Recommending and implementing security initiatives enabling remote working/working from home
I worked in Nokia Siemens Network (NSN): my position consisted of Information security management, IS Auditing, IT Infrastructure management, design of secure databases, mobile payment systems development, planning and leading development of Telecom Products & Services for Telecom operators in the Middle East and in Europe.
Key Responsibilities:
• Establishing and maintaining Information security governance framework (ISO/IEC 27001:2005, ISO/IEC 27002:2005, ISO/IEC 15408, ISO/IEC 13335, ITIL, COBIT, etc.) to provide assurance that information security strategy is aligned with business objectives and consistent with applicable laws and regulations
• Identifying and managing information security risks to achieve business objectives
• Monitoring compliance with information security policies, procedures, and standards, referring problems to the appropriate department manager, and ensuring follow-up on action plans.
• Defining security (including IAM) metrics and ensuring compliance in regards to the defined metrics
• Designing, elaborating and managing information security program to implement the information security governance framework.
• Overseeing and directing information security activities to execute the information security program.
• Designing, elaborating, coordinating, maintaining and supervising comprehensive Business Continuity and Disaster Recovery Program, strategies, plans and procedures in order to assist the survival from major interruptions of data processing services.
• Recommending improvements to the business process through innovation and automation
• Planning, coordinating and executing penetration testing and vulnerability assessments on information systems.
• Coordinating with network and application engineering teams to design secure solutions
• Assessing current and planned information systems, identifying security architecture issues, and designing solutions to bridge identified gaps.
• Developing Cloud Strategy, by putting in place a framework for ensuring security in the Cloud
• Providing guidance and work leadership to network engineers and other technical staff and participating in special projects as required.
• Managing, maintaining and administrating security hardware, software and applications including Internet Content Filtering, Security Information and Event Monitoring, etc.
• Recommending new and emerging technologies that add value to the business, by reducing risk or increasing efficiency.
• Planning and leading development of telecom services (IN/VAS, IMS, VOIP) and Mobile Payment system following proper Software Development Life Cycle, considering information security in the Lifecycle Management
• Maintaining SSO Access control based on Kerberos, Centralized Access control based on RADIUS, Remote Access security based on Caller ID
• Setting up Certificate Authority (CA) and generating certificates and keys for VPN servers and clients, for SSH connections, and also for applications running over HTTPS. Revoking certificates when necessary.
• Configuring, troubleshooting and maintaining server virtualization using: VirtualBox, VMWare, OpenVZ, XEN and Eucalyptus
• Performing database administration for Oracle, PostgreSQL and MySQL (database normalization, replication, backup/recovery, checkpoints, views, etc.)
• Installing, configuring, troubleshooting and maintaining LAN-WAN; interconnecting remote LANs through secure VPNs using IPSec and SSL/TLS
• IT Infrastructure monitoring using SNMP Protocol, SIEM, logging and auditing access to critical IT resources
-Benin (branch of MinCom Germany in Benin): I was employed as an analyst programmer. I conducted software requirements gathering, requirements analysis, software design/development and testing; I also participated in research in the Voice over IP domain and was trained for Telecom Services.
As an internship, I performed an analysis of a manual workflow process, conducted requirements gathering for automating the workflow process, and designed/developed the automated solution, which provides better support to business objectives; I configured Single Sign On (SSO) solutions for the newly developed application.