Cybersecurity Risk Consultant
Risk Management Group
Total years of experience: 19 years, 3 months
January 2017 - Present
Cybersecurity Risk Consultant, Risk Management Group, Toronto, Canada
Identified IT risk and contributed to the execution of the IT risk management strategy supporting business objectives and aligning with the enterprise risk management (ERM) strategy
Analyzed and evaluated enterprise risk to determine the likelihood and impact on business objectives and enabled risk-based decision making
Determined risk response options and evaluated their efficiency and effectiveness to manage risk in alignment with the business objectives
Continuously monitored and reported on IT risk and controls to stakeholders and ensured continued efficiency and effectiveness and reporting on KRIs and KPIs
Successfully delivered on the following requirements for our clients as Managing Consultant
Threat & Risk Assessment - TRA
Responsibilities:
Identifying the TRA Scoping Criteria
Planning the Objectives and TRA Approach
Identifying Assets & Business Value
Threat, External & Internal Factors
Threat/Risk Modeling using CVSS, STRIDE, ISO 31000
Risk Evaluation & Prioritization based on Likelihood and Impact
Risk Evaluation of Controls in place to calculate Residual Risk
Prioritized Recommendations & Solutions to Address Risk
Executive & Technical Reports
Delivered most TRAs using ISO 27000, ISO 31000, SANS Top 20, NIST 800-53
Information Security Assessments
Responsibilities:
Enterprise Security Assessments
Applications Security Program Management
Security Architecture Reviews
Controls Assessments - ISO 27001/27002 Frameworks, SANS Top 20 Critical Controls
Technical Assessments - Vulnerability Assessment, Penetration Testing
Technical Reviews - Firewall Reviews, IPS Review, SIEM Review, DLP Review
Endpoint and Mobile Reviews
Post Assessment - Hardening & Remediation activities
Benchmark Reviews CIS and NIST Framework
Professional Services Deployment - File Integrity Monitoring (Tripwire), SIEM
Awareness & Training
Delivered corporate training for vendor certifications - AlienVault, Securonix, and Council Course (CEH)
Established and maintained an information security governance framework along with its supporting processes and ensured that the information security strategy is aligned with the organizational goals and objectives, information risk is managed appropriately, and program resources are managed.
• Managed information risk to acceptable levels while meeting the business, legal and compliance requirements of the organization by establishing processes, identifying legal and regulatory requirements, evaluating information security controls, identifying gaps, monitoring existing risks and reporting on noncompliance to assist in the risk management decision making process.
• Established and managed the information security program in alignment with the information security strategy by ensuring alignment between the IS program and other business functions, establishing awareness and training programs, and periodically reporting program management and operational metrics.
• Planned, established and managed the capabilities to detect, investigate, respond to and recover from information security incidents to minimize business impact by establishing incident response plans, implementing processes for timely reporting on incidents, maintaining escalation and notification processes, communicating incident response plans, conducting post-incident reviews and post mortems to determine root cause, and maintaining integration among IR, DRP and BCP.
Coordinated the development, implementation, assessment and monitoring of cybersecurity controls.
• Created, optimized and managed an enterprise vulnerability and patch management program with monthly metrics to measure improvement.
• Identified gaps, conducted risk assessments, provided remediation solutions and oversight of implementation of controls for internal CF assets, to comply with corporate internal information security policies and standards and SANS 20 controls.
• Developed solutions and strategies for facilitating effective and continuous asset management.
• Developed cybersecurity processes and procedures, technical vendor compliance policies, and roles and responsibilities (RACI) matrices to meet cybersecurity controls.
• Created and documented standard operating procedures for IT operations and security teams.
• Liaised with and interviewed multiple personnel across teams and departments in order to facilitate the corporate security posture.
Conducted risk analysis, prepared risk registers, created reports for key risk matrices, alignment of risk appetite with business objectives.
• Prepared Security Assessment Plans (SAP) for analyzing vulnerability of networks and devices, providing cost-benefit analysis of a secure versus insecure framework, revisiting the significance of government compliance; thereby convincing clients to implement effective security architecture in their organizations and acquiring potential contracts for the cybersecurity Umbrella.
• Developed a Plan of Action and Milestones (POA&M) to execute a structured vulnerability assessment plan, thereby increasing efficiency of their business by 30%.
• Assisted in conducting system security assessments, hence minimizing security gaps between current program design and corporate security policies.
• Performed network discovery (host/device) using Nmap and other tools, reducing the irrelevant set of in-scope IP addresses to a list of active targets, therefore decreasing assessment time and production impact by 30%.
• Monitored and analyzed network traffic (using Wireshark), established baselines, documented anomalies, and implemented appropriate measures to minimize security breaches and network downtime by 40%.
• Assisted in developing, coordinating and implementing security standards, procedures and policies to facilitate the organization's success strategy.
• Provided regular, detailed status updates on existing cyber security incidents prioritized by severity, including follow-up with the client/customer, ensuring satisfactory resolution of issues.
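The scope-reduction step mentioned in the network discovery bullet above (turning a block of in-scope addresses into a list of live targets, minus hosts that must not be touched) can be scripted against Nmap's greppable output. The following is an added illustration by the editor, not the résumé author's own tooling; the Nmap output and the excluded host are constructed so it runs offline, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): reduce an in-scope address block to
# the hosts that actually answered Nmap host discovery, then drop any host the
# engagement rules exclude. Real usage would be:
#   nmap -sn -oG - 10.0.0.0/24 | live_hosts | grep -vxF "$EXCLUDE" > targets.txt
#   nmap -sV -iL targets.txt ...
# so the later, heavier scans only hit responsive, authorized hosts.

# Extract the IP from -oG "Host:" lines whose status is Up.
# A -oG line looks like:  Host: 10.0.0.5 (fileserver.example)  Status: Up
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Constructed sample of nmap -sn -oG output (not a real scan).
SAMPLE_OG='# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.1 ()   Status: Up
Host: 10.0.0.2 ()   Status: Down
Host: 10.0.0.5 (fileserver.example)   Status: Up
Host: 10.0.0.9 ()   Status: Up
# Nmap done -- 4 IP addresses (3 hosts up) scanned'

# Constructed exclusion: a fragile production device the client asked us not to scan.
EXCLUDE='10.0.0.1'

# Final target list: live hosts minus exclusions. The trailing "|| true" keeps
# the pipeline from failing under "set -e" when every host is excluded.
active_targets() {
    printf '%s\n' "$SAMPLE_OG" | live_hosts | grep -vxF "$EXCLUDE" || true
}

# Number of hosts the follow-on assessment will actually touch.
count_active() {
    active_targets | wc -l | tr -d ' '
}

active_targets
```

Using `-oG` rather than scraping normal output keeps the parse stable across Nmap versions, and filtering with `grep -vxF` (fixed-string, whole-line) avoids a regex accidentally matching a longer address such as 10.0.0.10.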
Information Systems, Software Development, Network Administration, Systems Administration, Technical Analysis