Mazen Hannoush, Sr information protection analyst (Acting as head of information protection and privacy until Feb22)

QatarEnergy

Country
Qatar - Doha
Education
Bachelor's degree, Computer Science
Experience
26 years, 1 month


Work Experience

Total years of experience: 26 years, 1 month

Sr information protection analyst (Acting as head of information protection and privacy until Feb22) at QatarEnergy
  • Qatar - Doha
  • In this role since November 2020

I am responsible for leading the Privacy program, Data protection activities (classification, leak prevention, Dashboard, KPIs), Data leakage incident management and the (information protection & Privacy) team. My focus is on ensuring that data protection capabilities and controls are efficient and effective, in addition to aligning Privacy activities with stakeholders’ expectations as a business enabler. I manage a team of 2 SMEs.
Highlights worth mentioning:
• Set the Privacy program framework in accordance with Qatar PDPPL which resulted in aligning the required pillars such as ROPA, LIA, PIA, Breach mgmt. system, Subject request system.
• Identified Privacy business stakeholders across the organization and started to roll out the Privacy program as per the established roadmap with monthly status Privacy matrix updates to senior management. In one year, Privacy requirements completion was 60% for HR, 70% for medical and 80% for IT.
• Established the Data protection plan and initiatives for 3 years.
• Successfully managed to automatically label all system-generated emails (around 900K monthly) with the appropriate classification label. This was an out-of-the-box approach that was implemented in 3 months’ time.
• Effectively built a Data protection dashboard which provides an overall insight into the data protection posture across the organization. It contains indicative live measurable KPIs with proper attributes and operational procedure to mitigate. Dashboard designed from scratch and built by my own efforts through Power BI and connectivity to Azure in 2 months’ time.

Head of Information Security at Muntajat
  • Qatar - Doha
  • October 2013 to November 2020

When I joined the company there was no independent info sec section function, so I had to build and develop the function from scratch, starting from recruitment and governance through to technical security controls. I was the management representative for the integrated management system composed of 4 ISO standards that cover the complete IT function processes. As Head of information security, I was responsible for info sec governance, IT risk management, Infrastructure security, applications security and compliance. In addition, I was responsible for managing the technical security controls and security operations. Despite having a small team of 3 SMEs, I successfully led and managed the section by properly structuring the function mandate with clear governance.
Highlights worth mentioning:
• Led the implementation and certification of four ISO standards through one integrated management system and successfully maintained and managed the formal certifications for 3 consecutive years. The four ISOs are: ISO27001:2013 - Information security management system, ISO22301:2013 - Business continuity management system, ISO20000-1:2011 - IT service management system and ISO9001:2008 - Quality management system
• Successfully introduced information security education and awareness program across the organization. Conducted customized training/workshops, phishing campaigns, and bi-yearly CBTs. KPI percentage of users that fell for the phished emails reduced from 52% (2017) to 12% (2020).
• Established info sec governance system. Written and developed ISMS policies - procedures, that also take into consideration business continuity and IT service management aspects.
• Successfully established data classification and data leak prevention frameworks from governance perspective and implemented the associated technologies.
• Set-up info sec risk management framework - ISO27005 - contributing to the corporate risks from strategic and operational focus based on the risk exposure.
• Responsible for managing and administrating all the security technical controls such as Firewall, email gateway, proxy, IPS, Zero day, Endpoint protection, SIEM, WAF, load balance, Remote access, Network access control, application code scanning, 2FA, DLP, DC, etc. Manage the regular VAPT exercise, White box and Black box activities and make sure all findings are mitigated.
• Establish secure architecture and design for cloud hosting services, Websites and internally.
• Developed an effective info sec dashboard that provides a real-time security posture and reported on a monthly basis to senior management. This was done through SIEM which connects all security controls and other indicative infrastructure and application components.
• Supported Legal for MuntajatBV GDPR requirements, a large pragmatic initiative that addressed GDPR compliance and closing other Legal & Regulatory related compliance gaps in Muntajat IT.
• Acted as IT audit focal point, contributed to various initiatives (Audit, HSE, Corporate Risk, Legal)
• Set-up and facilitated the Information security committee meeting, chaired by CEO, to validate and calibrate information security with other functions.

Senior Engineer at Qatar Petroleum
  • Qatar - Doha
  • January 2007 to October 2013

As senior engineer I was responsible for managing the security controls that mitigate relevant cyber security risks in IT.

Highlights worth mentioning:
• Played a vital role in protecting QP against the severe Shamoon cyber-attack that hit the oil and gas industry in 2012, by introducing the Zero day malware concept and implementation for email and Internet gateways.
• Managed and responsible for Internet security controls such as content filtering, URL re-writing, reverse proxy, antivirus.
• Managed and responsible for managing endpoint security such as antivirus, host IPS, firewall and device control.
• Implemented and managed host firewall on end users’ machines
• Redefined the architecture of security controls for DMZ as part of defense in depth methodology.
• Contributed by introducing metrics, key performance indicators & service level agreements for security operations improvement
• Although not part of my job description, management decided to assign me as project manager for migrating email service from IBM Lotus to Microsoft. I developed the business case, blueprint and plan, in addition to managing 10 internal team members and coordinating with Microsoft and other third-party vendors.

Network Administrator at Metlife ALICO
  • Lebanon - Beirut
  • May 1998 to December 2006

In this role I was the Network administrator responsible for managing the complete infrastructure of the head office and remote locations. When I joined the company there was no LAN, no servers, just a mainframe. I built the head office Network (LAN), remote offices connectivity (WAN) and Servers (AD, Email, etc.) from scratch.

Highlights worth mentioning:
• Developed and maintained robust and well-managed IT environment from scratch
• Responsible for the IT support for the head office and remote offices
• Managed the infrastructure components (active directory, email, endpoint, proxy, VPN, switches, routers, Firewall, IPS, Remote access, etc.)
• Established and designed the disaster recovery site
• Implemented WAN between head office and branches
• Daily System operator activities for IBM AS400 mainframe (end of day/month, backup, restore, user, etc.)
• Developed all policies and procedures for the IT department.
• Connected all branch offices to head office and provided IT services email, Internet, Telephony, Systems, etc

Educational Background

Bachelor's degree, Computer Science
  • at American University Of Beirut
  • March 2001

Bayt.com Tests

IQ Test
Score 123%

Specialties & Skills

Data Privacy
Cyber Security
IS Governance
Risk Management
ISO 27001
Communication
Team management
Procedure, policy and process development
Change management
incident management
Cyber security
Governance
Privacy

Languages

Arabic
Native language
English
Expert
French
Beginner

Memberships

IAPP (International association of privacy professionals)
  • Member
  • October 2021

Training and Certifications

PMP (Training)
Training institute:
New Horizon
CISSP (Training)
Training institute:
LiquidNexsus
C-CISO (Training)
Training institute:
Ecouncil
ISO 27001 LA (Certificate)
CIPM (Certified information privacy manager) (Certificate)
CIPP/E (Certified information privacy professional - Europe) (Certificate)