Senior Security Advisor
National Bank of Canada
Total years of experience: 20 years, 3 months
* Act as integrator of security services and coordinator of security activities for various IT initiatives.
* Participate with Enterprise Architecture group in defining strategic directions of IT operations.
* Conduct static and dynamic code analysis and network penetration testing for new IT projects.
* Prepare RFPs and security controls and evaluate security compliance of software and cloud vendors.
* Perform risk and threat analysis based on data classification and business impact analysis and recommend security controls in line with security policies and applicable regulations.
* Advise business and IT units on application, information, operational and cloud security.
* Produce hardening manuals for new technologies and maintain security frameworks with partners.
* Planned and performed regular security audits to evaluate the security controls in the IT environment and assessed and mitigated technical risks.
* Conducted white-box penetration tests on web applications, web and SQL servers using Metasploit and BackTrack security suites to detect and report vulnerabilities.
* Analyzed and monitored network traffic and system logs using Fortigate UTM and Splunk.
* Led the IT team in a full-scale virtualization of a medium-sized physical IT infrastructure leveraging VMware vMotion for High Availability, and vShield for Data Loss Prevention.
* Implemented and managed Microsoft System Center for asset monitoring and management, and Team Foundation server for code release and change control management.
* Developed and maintained a BCP/DRP plan using ISO/IEC-27031 and ISO/IEC 24762 frameworks.
* Set up a disaster recovery hot site in Waterloo for live replication of mission-critical virtual machines.
* Set up redundant Domain Controller and DNS servers, and configured Active Directory services.
* Deployed PKI on Windows Server 2008 R2 and established a root CA for internal digital certificates distribution and management.
* Applied OWASP standards in designing and developing an identity management and access control web services solution using WS-Security over SSL.
* Managed a team of developers in reverse engineering and refactoring legacy ASP.NET web services into secure WCF services using Microsoft Security Development Lifecycle (SDL) for Agile.
* Led the implementation of several data conversion projects for multinational clients while ensuring the confidentiality and integrity of sensitive cardholder data per the PCI DSS standard.
* Developed and maintained back-end code using Oracle PL/SQL in compliance with the latest PCI DSS requirements.
* Participated in the periodic evaluation and certification of the credit card management system to ensure compliance with the latest PCI DSS mandates.
* Provided on-site incident response for processing clients in the UK-based data center during development, data migration, and implementation phases of the SDLC.
* Enabled multi-tenancy for secure data segregation on Oracle databases deployed in data processing environments by employing various partitioning strategies (Range, Hash, List).
* Designed and implemented secure SOA-based payment processing services and a web-based management interface using ASP.NET web services and MVC frameworks.
* Promoted concepts of abstraction and layering by following a multi-tiered architecture in the design and implementation of the card management system.
* Participated in the development of a role-based access control system to enforce need-to-know and least-privilege principles over access to cardholder data.
* Used Oracle wrapping utility to encrypt stored procedures and PL/SQL source code prior to deployment to client database servers.
* Implemented technical controls to protect cardholder data both in motion (SSL over networks) and at rest (data masking, encryption, archiving and disposal in storage).
* Secured sensitive database information by encrypting connection strings stored in configuration files on web servers.
* Conducted on-site training on the secure operation of the card management system.
* Managed a multinational agile team across multiple time zones, and participated in code reviews and change control management in line with the organizational security policies.
* Followed the secure SDLC in reviewing code deliverables submitted by team members and verified the successful unit and integration testing prior to committing to the version control system.
* Implemented client-side and server-side input validation in various multi-tier web applications to protect against common web attacks (XSS, CSRF, SQL injection, and session hijacking).
* Participated in the development of VoIP telephony and real estate e-commerce web applications using Object-Oriented Programming concepts (encapsulation, inheritance, and polymorphism).
* Participated in the design and development of a role-based access control solution that implements security groups and users and provides granular access rights control.
* Designed and developed a web-based license management system using ASP.NET Forms Authentication and SSL which allows customers to securely authenticate and manage their licenses.
* Created and deployed strong-named .NET assemblies using a public/private key pair to promote trusted development and application environments.
* Applied the industry’s best practices, and used open source .NET libraries and MS Application Blocks to leverage time-tested and community-reviewed secure components.
* Planned, analyzed and designed a telephone call management system (CARLA), and a Hospital Management System (HMS) using Visual Studio .NET and SQL Server 2000.
* Led a technical support team in implementing the accounting interface with various ERP systems.