Muhammad Asif Riaz, Manager Information Security and Risk Management

Muhammad Asif Riaz

Manager Information Security and Risk Management

Gulf Air

Location: Bahrain - Manama
Education: Diploma, ISO 27001:2013 ISMS Auditor / Lead Auditor
Experience: 20 years, 3 months



Work Experience

Total years of experience: 20 years, 3 months

Manager Information Security and Risk Management at Gulf Air
  • Bahrain - Manama
  • My current job since March 2013

Information Security:
• Development and Implementation of the Information Security and IT risk management policies and procedures.
• Implementation and improvement of the implemented Information Security Management System based on ISO 27001:2013 standard.
• Implementation of information security controls for the PCI DSS compliance.
• Maintenance of Gulf Air’s ISO 27001 certification and liaison with the ISO external auditors.
• Implemented enterprise level information security awareness initiatives including classroom training, online exercises and periodic newsletters.
• Development and implementation of social media security standards.
• Performing security assessments on the LAN, DMZ and assets facing the internet.
• Implementing security controls related to the BYOD principle.
• Performing security log reviews and monitoring of directory services, operating system events, antivirus activity and networking devices on daily, weekly and monthly basis.
• Implementation of a centralized SIEM solution.
• Implementation of a centralized privileged access management solution.
• Working in different enterprise-level and IT committees to identify, implement and oversee information security controls on new and current services and initiatives.
• Other projects include the implementation of disaster recovery, business continuity, service management and quality management systems.
Risk Management:
• Designed and implemented IT Risk Management Policy and Methodology.
• Perform IT risk assessment exercises on an annual and ad-hoc basis.
• Communicate the Risk environment and risk status to the management.

Consultant at Ernst & Young International – Middle East and North Africa
  • Bahrain - Manama
  • August 2010 to March 2013

IT audits: Performed external information technology audits for major banks, government organizations, financial organizations, insurance companies and an international airline based in Bahrain. Performed internal IT audits for major banks and a large investment company.
ISO 27001 internal audits:
Performed ISO 27001 internal audit for a banking group based in Bahrain.
Performed ISO 27001 internal compliance audit for a large investment bank based in Bahrain.
External and Internal penetration testing:
Performed tests on the infrastructure and web applications of:
• A leading regional bank based in Kuwait.
• A leading consumer bank in Bahrain with entities located in the Middle East and Europe.
• A leading investment bank with entities in Bahrain and Saudi Arabia.
• A leading investment company based in Bahrain.
• An insurance group based in Bahrain.
• A large petroleum exploration and marketing company based in Oman.
• A leading consumer bank based in Oman.
• A government entity in Bahrain.
• A leading investment bank based in Saudi Arabia.
• Middle East offices of a large tobacco company.
Security reviews: Performed security log review and monitoring engagements for large banks in Bahrain. Potential security risks and activities observed on the perimeter devices were also monitored and reported on a periodic basis. Application logs for the core banking application were also reviewed, and security events were reported according to their priority.
IT Advisory: Designed and developed procedures related to DR and BC of the IT functions of a large regional bank. Set up a business continuity centre providing business continuity locations for international and regional banks and financial institutions.

Assistant Manager -- IT at Agriauto Industries Limited
  • Pakistan - Karachi
  • August 2007 to July 2010

Worked as a Network and System Administrator in the IT Department, with the following job responsibilities:
Network Administration:
• Managing the company network across two geographically separate locations (factory at Hub, Baluchistan and city office at Karachi) connected by a Frame Relay based wireless link.
• Management of a 100+ node LAN with WiFi hotspots at various locations.
System Administration:
• Configuration and management of a Microsoft 2003 domain environment.
• Administration of dedicated servers for ISA, IIS, Active Directory, DNS, DHCP and MDaemon (email server) services.
• Ensuring data availability in the wake of a disaster through timely backups and disk imaging techniques.
• Managing centralized antivirus to protect users from ever-emerging virus threats.
Telephony Administration:
• Implementation and management of a Central VoIP based Open Source PBX “Asterisk”, with Linux OS (Debian flavour), replacing the legacy TDM based PBX at both the locations.
• Addition and customization of new features in the PBX to facilitate users.
Other Responsibilities:
• Management and support of organization-wide IT resources such as PCs, servers, IP phones, printers and handheld PCs.
• Procurement and purchasing of IT-related equipment.
• Liaison with the ISP and other vendors.

Network Administrator at Noble Computer Services (Pvt) Limited
  • Pakistan
  • February 2004 to August 2007

Network Administration:
• Management, support and troubleshooting of the office LAN, comprising 70+ computers and 3 servers.
• Internet (via an ADSL connection) and email (server-side) administration.
• Taking daily and event-driven backups of the database and other critical data, and restoring them as required.
• Making sure that the office computers are free from any virus threat or unauthorized activity, with up-to-date virus definitions and protections.
• Remote access to the software application for clients using Remote Access Control (RAC) services and Virtual Private Network (VPN).
• Hardware maintenance and software installation.
• Maintaining liaison with the ISP and hardware and software vendors.
Software Development:
• An active member of the team that developed and implemented the Shares Flotation (IPO) Software and Shares Accounting Software.
• Development of forms and reports using the Oracle Developer 6i tool.
• Reports include both laser and character-based reports, ranging from simple parameters to lexical parameters.
• The development process was accompanied by a documentation process, and a set of comprehensive system and user manuals for each software package was also prepared.
Other Responsibilities:
• Also managed the technical side of the IPOs of the shares of Dewan Farooque Spinning Mills, Eye Television Network Ltd, Chenab Limited, PICIC Energy Fund and Term Finance Certificates of Naimat Basal Oil and Gas Securitization Co., Searle Pakistan, OGDCL.

Education

Diploma, ISO 27001:2013 ISMS Auditor / Lead Auditor
  • at SGS - Pakistan
  • February 2017
Diploma, Certified Information Systems Security Professional - CISSP
  • at International Information System Security Certification Consortium
  • May 2014
Diploma, Certified Ethical Hacker (C|EH)
  • at EC Council
  • May 2012
Diploma, Certified Information Systems Auditor - CISA
  • at ISACA
  • February 2012
Diploma, MCITP (Enterprise Admin)
  • at Microsoft
  • June 2010

Microsoft Certified Information Technology Professional – Enterprise Administrator (MCITP) : Track includes Windows 2008 Enterprise Server Administration, Windows 2008 Network Infrastructure, Windows 2008 Active Directory, Windows 2008 Application Infrastructure and Configuring Windows 7.

Bachelor's degree, Computing
  • at APIIT-Pak, degree awarded by Staffordshire University, UK
  • June 2002

B.Sc. (Hons.) in Computing from Asia Pacific Institute of Information Technology – Pakistan (APIIT-Pak), degree awarded by Staffordshire University, UK. Major subjects include Computer Networks, Information Systems, Software Engineering, Multimedia Application Development, Project Management, Databases and Computer Programming.

Specialties & Skills

Information Security Management
Penetration Testing
Risk based IT audits
IT audit
ISO 27001 ISMS internal / compliance audits

Languages

English
Expert

Memberships

ISACA
  • member
  • October 2011

Training and Certifications

ISO 27001 ISMS Auditor / Lead Auditor (Certificate)
  • Date Attended: June 2012
  • Valid Until: June 2012
Certified Ethical Hacker v 7.1 (Certificate)
  • Date Attended: March 2012
  • Valid Until: March 2012
MCITP (Certificate)
  • Date Attended: March 2010
  • Valid Until: May 2010
Windows 2008, Enterprise Administrator (Certificate)
  • Date Attended: March 2010
  • Valid Until: May 2010
Preparation for CCNA 5.0 (Certificate)
  • Date Attended: August 2006
  • Valid Until: October 2006