Karthick Gnanaprakasam, Senior Manager Information Security

Senior Manager Information Security·Al Ahli Bank of Kuwait

Kuwait

Master's degree, Computer Science

Work experience

Total years of experience: 19 years, 11 months

Senior Manager Information Security

January 2015 - Present

Al Ahli Bank of Kuwait

Al Kuwait, Kuwait

• Manage information security function across 4 geographic locations
• Developed and maintained security controls frameworks and guidelines to ensure consistent application of security controls
• Partnering with business stakeholders bank-wide to establish, implement, and maintain security governance, risk management, and compliance program mitigating risk and improving the security posture of the bank
• Performing risk assessment and control gap analysis, managing associated remediation plans to minimize risk to an acceptable level
• Ensuring information security compliance and regulatory requirements (Swift compliance, PCI DSS, ISO 27001, CBK CSF)
• Developed and implemented information security policies and standards, mapping to industry standards (ISO 27001, PCI DSS)
• Developed security roadmap and projects bank-wide, including working with teams across the bank to incorporate security initiatives
• Leading complex, cross-functional security and compliance initiatives, including designing and maintaining continuous vulnerability management programs, continuous security monitoring capability using SIEM and developed security use cases for monitoring, information security training and awareness, user access controls, third party security reviews, incident management, penetration testing
• Part of business continuity management and plan and ensuring regular BCP drills are conducted according to the BCM policy
• Ensuring IT disaster recovery exercises are performed according to policy and recommend improvements to meet MTD, RTO, and RPO
• Performed data privacy assessment according to regulatory requirements
• Assess current technology architecture for vulnerabilities, weaknesses and for possible upgrades or improvement
• Implement and oversee technological upgrades, improvements, and major changes to the information security environment
• Managing internal and 3rd party audits and ensuring the gaps are addressed within the timelines
• Part of the evaluation and selection committee of information security products and solutions and recommend key controls
• Designed metrics to show continuous program improvement and regularly communicated program status to stakeholders, executive management, and board risk committee

Company industry:
Banking
Job role:
Banking

Assistant Manager - Information Security

August 2011 - December 2014

Protiviti Global

Al Kuwait, Kuwait

I had to play a role in project delivery and project management.
A few of my projects are mentioned below:

1. Conducted comprehensive Cyber Security assessment for the Kuwait National Petroleum Company (KNPC) which covers 3 refineries and 2 depots. The scope includes gap assessment based on ISA 99 / IEC-62443-2-1 standard, technical assessment such as network security architecture review of IACS network and corporate IT network, configuration reviews of network devices, IACS servers, workstations and internal vulnerability assessment for IACS systems and workstations.

2. Performed IT risk and technical assessments for the banks based out of Saudi Arabia as per SAMA guidelines. As per SAMA compliance requirement, I reviewed banks' IT policies, procedures, risk assessment sheet, risk treatment plan to ensure the effectiveness of their alignment with their business and recommended the identified gaps.

3. Conducted IT Security and Process Control Network audit for one of the petrochemical companies in Kuwait. The audit includes Management Control, Operational Control and Network Security Controls. Performed internal vulnerability assessment, configuration review for database, network and operating systems. The audit observations were mapped against ISA99 / IEC-62443 Standards.

4. Conducted internal vulnerability assessment, network & web application security assessment, wireless audit & penetration testing, conducted risk assessment on IT business application, Enforcing IT operations team with organization security policy and global security standards, user access control review, prepared & rolled-out minimum security baseline, (Windows, Unix, Networks), assisting IT team for new projects with organization security policy for the leading Telecom company in Kuwait.

5. Conducted incident analysis for a Government Ministry in Bahrain identifying a financial fraud in the Government investment department.

6. Reviewed and identified the gaps of IT security policies and procedures for the regulatory body in Saudi Arabia. Reviewed and identified the OPEN vulnerabilities from external penetration testing and internal vulnerability assessments reports. Reviewed the network device configuration, architecture and operating system.

7. Conducted internal IT Security Assessments such as web application security assessment, internal vulnerability assessment, and role based access audit, Oracle database security audit for an investment company in Kuwait.

8. Conducted monthly external network and web penetration testing for a Middle East based bank for its 8 entities across Middle East and London based on PCI DSS standards. Conducted internal web application penetration testing for business critical applications. The testing includes black and grey box approach.

9. Conducted vulnerability assessments and penetration testing exercises on business critical applications, and systems such as Internet banking applications (Retail and Corporate), Trading applications, ERP systems, etc. for various organizations such as Government and Private leading banks, Stock Exchanges, Oil, Gas and Petrochemicals companies.

10. Conducted IT risk assessments, Gap assessments, Access control audits for various applications such as core banking, card applications, Oracle ERP application modules for many organizations in the Middle East including Banks, Governments, Investment Firms, etc.

Company industry:
Business Consultancy Services
Job role:
Information Technology

Sr. Security Analyst

March 2011 - August 2011

IBM Pvt Ltd

Bengaluru, India

1. Performed technical security assessments such as web application penetration testing (Gray Box and Black Box), network penetration testing and vulnerability assessments for a leading international Hotel which has its presence across the globe.

2. Reviewed internal security policies and procedures based on ISO 27001 guidelines.

Company industry:
IT Services
Job role:
Information Technology

Sr. Security Engineer

November 2010 - March 2011

Sonata Software Pvt Ltd

Bengaluru, India

1. Making sure that IT General Controls and IT Application Controls are evaluated, monitored, logged, and auditable. Ensured internal PCI IT controls are operating effectively and all documentation is available for Internal and External Auditors.

2. Performing, participating in, and overseeing information security reviews, evaluations and risk assessments and raising information security risks to the business owners, Chief Information Security Office, and other executives or management committees, as appropriate.

3. Acting as a liaison for IT Security matters with respect to business functions and initiatives among all organizational departments and divisions.

4. Educating and providing interpretation and guidance to Associates and contractors working in the Information Technology Department regarding IT Security.

Company industry:
IT Services
Job role:
Information Technology

Sr. Security Consultant

June 2008 - October 2010

MIEL e Security Pvt Ltd

Mumbai, India

1. Performed Security Testing and Assessments such as
a. Web / Network Penetration Testing (Gray Box)
b. Vulnerability Assessment
c. Wireless Audit
d. Technical Audit
e. Oracle Database Audit
f. Technical audits as per the PCI DSS Standards
g. Participated in PCI-DSS Audit
h. ISO 27001 Audit & Implementation
i. Follow-up with respective units for closure of audit observations

2. Auditing IT control systems as per ISO 27001 and PCI DSS requirements.

3. Conducted pre-sales meetings and presented the services offered; identified and defined the scope of the assessment and project; Project Management, Project Planning and Reporting.

Company industry:
Business Consultancy Services
Job role:
Information Technology

Junior Security Engineer

July 2006 - May 2008

Sify Technologies

Chennai, India

1. BS7799 / ISO27001 Internal Audit for Sify Datacenter Ltd:

a. Review the current security policy and develop a customized security policy document.
b. Existing IT process and Controls were tested and weaknesses were documented.
c. Conducted Risk assessment to measure the level of risk through analyzing threat to the assets and assess the impact of the threat and probability of occurrence.
d. Conducted Physical Security Audit for Sify Ltd.
e. Conducted Antivirus Policy Implementation and Internal Audit for Data Center.
f. Preparation of Exceptional forms for respective machines.
g. Succeeded in driving the organization towards secure culture and BS7799 / ISO27001 certification.

2. Vulnerability Assessments for Sify and Customer servers

a. Vulnerability assessment will be carried out for the internal servers on monthly basis to find the vulnerability according to the server up-gradation.

3. Patch management for all Sify Locations

a. Involved in the Patch Management Process, Project for Sify “Sify Desktop Manager”
b. Testing of Microsoft Patches/Service Packs in the Test lab whenever released
c. Deploying the Patch in the Back end and testing the Application of the Patches for respective Operating Systems.
d. Uploading of the Patches and Service Packs to the centralized server.
e. Activation of the Patches through the Console.

4. Antivirus Implementation

a. Administering Trend Micro OfficeScan Enterprise Anti-virus Suite for all Sify Cybercafés throughout India.
b. Server Installation, Configuring and Hosting in Datacenter
c. Configuring Clients all over India for all Sify Locations including Broadband & Cybercafés Users.
d. Monitoring that all the Clients are updated with the latest pattern file.
e. Creating report based on the virus pattern file update in the Client machine.

5. Penetration Testing for SIFY & Customer Servers

a. Conducting Penetration Testing on Sify servers (www.sify.com, www.shopping.sify.com) and customer servers.
b. Customers will be informed prior to the Penetration Testing process.

Company industry:
Internet & E-commerce
Job role:
Information Technology

Education

Kandasami Kandar's College

November 2005

Master's degree, Computer Science

India

GPA (percentage): 75%

I carried out my projects on my own along with my college team by selecting a few topics.

Skills

Risk Assessment
Expert
Vulnerability assessment
Expert
Cyber Security Audit & Assessment
Expert
PCI DSS Audits
Intermediate
IT General Control Audit
Intermediate
Penetration testing
Intermediate
ISMS Audit
Expert
IT Risk Assessment
Expert
Cyber Security
Expert
IT Risk
Expert
Information Security Management
Expert
Compliance
Expert
Data Privacy Risk Assessment
Beginner
Information and Cyber security compliance
Intermediate
Penetration Testing
Expert
Gap Analysis
Expert
ISO 27001
Expert
IT Audit
Expert

Languages

English
Expert
Hindi
Intermediate
Tamil
Expert

Training and Certifications

Certifications
CISSP - Certified Information Systems Security Professional
ISO 27001 Lead Auditor
BSI
Aug 2010 - Aug 2010
CEH - Certified Ethical Hacker
Sep 2007 - Sep 2007