Sau Ping Leong, Head, Design Validation & Assurance, Cyber Security

Sau Ping Leong

Head, Design Validation & Assurance, Cyber Security·PETRONAS Digital Sdn. Bhd.

Malaysia

Bachelor's degree, Computing

Work experience

Total years of experience: 21 years, 8 months

Head, Design Validation & Assurance, Cyber Security

September 2022 - Present

PETRONAS Digital Sdn. Bhd.

Kuala Lumpur, Malaysia

• Lead Design & Validation team (including Third Party Risk Management and Legal &
Regulatory), ensuring the risk assessment and business risk acceptance is completed on
time.
• Review all Cyber Security Business Risk Acceptance reports prior to sending them to the CISO for
approval.
• Ensure the Third-Party Risk Management and Data Privacy Impact Assessment roadmap
activities are planned accordingly and ensure there is sufficient budget to deploy the
respective agreed projects.
• Lead weekly Prioritisation Meeting, providing status of risk assessment and discuss with
Business Cyber Security team on the projects which are in the queue list to be prioritized.
• Ensures Finding Management report is produced in a timely manner for the business to
ensure the action plans are closed in a timely manner. Prepares the audit status report to
CS LT on a weekly basis during the audit period.
• Act as the Secretariat and Internal Auditor for ISO 27001 certification for PDSB and
ensure the audit by external auditor is completed in a timely manner for certification
renewal.
• Main focal for all audit activities (Internal, External and JV). Ensures all audit questions
and documentation are provided in a timely manner and coordinates on the action plans if
there are any.
• Ensures the Data Leakage Prevention policy is up to date.
• Ensures the Table-Top exercise (cyber security threat) is conducted for all entities and OT.
• Manage the IAM team to cover the full life cycle of user identity and access
management, including user onboarding, transfer, and offboarding for PETRONAS
Group and PETRONAS Group of Companies.
• Ensure logical mechanism is in place to perform Level1 security access control on
different platforms including business applications and folder access.
• Ensure the team activities are following the guidelines from global security policy and
related regulatory requirements.
• Maintain relationships and collaborate with different stakeholders to establish smooth
workflow.
• Review and understand daily activities, provide guidance and direction for the team
• Identify opportunities to streamline and automate teamwork.
• Analyze and undertake audit and regulatory request regarding the IAM topics.
• Prioritize requirements and provide KPI to management.
• Focal point to internal and external audit on IAM related matters.
• Ensures data leakage is blocked and reviews the policy from time-to-time.
• Ensures that the business remains informed about the latest cybersecurity threats and
conducts tabletop exercises to prepare for potential incidents.

Company industry:
Oil & Gas

Head, IAM (Domain Authority, Projects, Operations and Assurance), Cyber Security

September 2021 - August 2022

PETRONAS Digital Sdn. Bhd.

Kuala Lumpur, Malaysia

• Manage the IAM team to cover the full life cycle of user identity and access
management, including user onboarding, transfer, and offboarding for PETRONAS
Group and PETRONAS Group of Companies.
• Ensure employee status is synchronized into the IAM and other provisioning platform
• Ensure logical mechanism is in place to perform Level1 security access control on
different platforms including business applications and folder access.
• Ensure the team activities are following the guidelines from global security policy and
related regulatory requirements.
• Ensuring access is provisioned in accordance with global IAM policy, established
standards and procedures.
• Ensure the IAM roadmap activities are planned accordingly and ensure there is sufficient
budget to deploy the respective agreed projects.
• Lead IAM project and provide operational insight for implementation.
• Maintain relationships and collaborate with different stakeholders to establish smooth
workflow.
• Review and understand daily activities, provide guidance and direction for the team
• Identify opportunities to streamline and automate teamwork.
• Analyze and undertake audit and regulatory request regarding the IAM topics.
• Prioritize requirements and provide KPI to management.
• Focal point to internal and external audit on IAM related matters.
• Lead Design & Validation team, ensuring the risk assessment and business risk acceptance
is completed on time.
• Review all Cyber Security Business Risk Acceptance reports prior to sending them to the CISO for
approval.
• Lead weekly Prioritisation Meeting, providing status of risk assessment and discuss with
Business Cyber Security team on the projects which are in the queue list to be prioritized.

Company industry:
Oil & Gas

Business Control Manager - IT

December 2020 - September 2021

BAT (British American Tobacco)

Petaling Jaya, Malaysia

• Works closely with BAT Management to assist with the design and effective operation of
internal controls.
• Undertakes and Leads Internal Controls Design activity for both Business as Usual (BAU)
and Project or Programme related control changes, with a specific focus on IT application
and general controls.
• Provides IT Internal Controls with expertise, advice and guidance and promotes an
awareness of risk management and control practices across the BAT Group.
• Assess internal controls against industry best practice with a focus on efficient and
effective controls, governance processes, technology and communication.
• Lead the testing and associated reporting of key controls, as detailed in the internal control
monitoring plan (including SOx testing).
• Undertake incident reviews and analysis, including root cause analysis and adequacy of
actions to address identified weaknesses.
• Support in the monitoring and resolution of all reported control issues and identified
actions.
• Contribute to the continuous improvement of the Group Controls function including the
continued development of the BCT methodology to measure effectiveness of controls and
mitigation of risks in the Group's core processes.
• Build and maintain good working relationships with management, including regular
progress meetings with key stakeholders and ensuring any problems or requests are dealt
with promptly.
• Prepares or reviews controls reporting prior to submission to relevant BAT Group
governance forums, e.g. Audit Committees and Programme Boards.
• For the areas of direct responsibility:
i. Work with BAT management to ensure controls are embedded in processes
and operating procedures and adequately mitigate process risks, taking into
consideration internal and external best practices.
ii. Project management, including the creation of accurate and up to date
information for internal reporting to Programme Boards and Audit
Committees.
iii. Execution of stakeholder engagement plan with an aim to improve the quality
of processes and risk mitigation aligned to the organisation's risk appetite.
iv. Alignment of activities with other assurance providers (e.g. EH&S, various
compliance teams, Internal Audit).
• Encourage and enable global team collaboration within BCT.
• Coordinate or participate in the delivery of training to Business Controls staff to support
the global delivery of the BCT workplan. Line management responsibility for Senior
Business Controls Analysts and Business Controls Analysts on controls work and Project
Team management responsibility for individual assignments, including timely, clear and
balanced feedback on their performance and development needs.

Company industry:
FMCG

Head of Third Party Controls Management, Cyber Security

December 2019 - December 2020

PETRONAS

Kuala Lumpur, Malaysia

• Responsible for ensuring PETRONAS data entrusted with Third Parties remains secure and all
risks, vulnerabilities and defects are managed, tracked and remediated according to the framework
and guidelines.
• Enhancing formal IT service provider risk management and oversight program; including
identification of cyber security risks to confidential data accessed by the service provider.
• Monitor performance of the IT service providers against Service Level Agreements (SLA) and
assessing the functionality of key information security and privacy controls.
• Develops risk-based processes for evaluating third parties by leveraging industry best practices
and other leading practices.
• Partner and build strong working relationships with PETRONAS Supplier Management,
Procurement, Legal and Finance departments to develop an assessment approach which meets
regulatory, compliance and business needs.
• Serves as a risk leader by helping business partners understand the risks associated with their third
parties and recommends strategies to mitigate risks to an acceptable level.
• Develop Cyber Security contract clauses to ensure all System Assets and Services are protected.
• Provide Enterprise Framework & Risk Management Guidelines training to all staff and
contractors and Business System to all Business System Owners.
• Lead task force on Privileged Account Management and lead any incidents related to SAP
application.
• Lead Design & Validation team, ensuring the risk assessment and business risk acceptance is
completed on time.
• Review all Cyber Security Business Risk Acceptance reports prior to sending them to the CISO for approval.
• Lead weekly Prioritisation Meeting, providing status of risk assessment and discuss with Business
Cyber Security team on the projects which are in the queue list to be prioritised.

Company industry:
Oil & Gas

Head of IT Security Operations

April 2019 - November 2019

Hilti Asia Information Technology Services SB

Petaling Jaya, Malaysia

• Manage a team of 6 for global IT Security Operation services and SAP Security team.
• Assist the IT Security Strategy Lead in shaping the IT Security Operation team services and
provide control guidelines for the services provided (including SAP Security controls).
• Provide guidance and support to the Governance team with the Baseline controls requirement.
• Providing any technical leadership required to the team members who provide
consulting/remediation support to the respective teams.
• Working with the vendor and internal infrastructure teams to coordinate the resolution of
incidents and security event notices.
• Design, coordinate and oversee monitoring capabilities to verify the security of systems,
networks, databases, user behavior, file integrity, and cloud environments, and manage the
remediation of identified risks and vulnerabilities.
• Ensure audit trails, system logs and other monitoring data sources are reviewed periodically
and are in compliance with policies and audit requirements.
• Ensuring the quality of incident response tickets.
• Liaise with the Legal team and Chief Data Privacy Officer for activities which have impact on
GDPR (e.g. User profiling).
• Liaise with business on Data Leakage Prevention (DLP) requirements and introduced Data
Classification and Records Management to the business and Governance team.
• Providing an incident response to other teams to perform vulnerability analysis in direct
response to major incidents.
• Participating in Continuous Improvement activities driven by the strategy manager.
• Re-design and streamline the existing roles in SAP systems (S4HANA, BW, ByDesign, SCM,
etc) for ease of role maintenance and standardization across all SAP systems.
• Liaise with ILT members in aligning job titles across all MOs with the SAP roles for
integration with Workday and SAP for new user creation process.
• Revamp the SAP user request approval and review process for Shared Services users.
• Redefine the SAP Security controls together with the Governance team.
• Liaise with SAP Application owner to automate SoD checks.

Company industry:
Construction & Building

Senior IT Auditor

April 2018 - April 2019

Aegon N.V.

The Hague, Netherlands

• I am fully responsible for the Corporate Centre and Asia region IT audits and stakeholder
management. Assist CEE countries and America IT audits when required.
• Develop the IT audit programme applicable to the agreed scope of a particular audit.
• Contribute IT audit expertise to the development of the audit programme with respect to IT risk
matters relevant to the scope of business, IT and financial audits.
• Assist non-IT auditors on IT audit procedures, identifying and defining issues which constitute
controls weaknesses for Shadow IT audits.
• Review and analyse audit evidence and document identified IT control weaknesses and co-develop
effective suggested improvements to mitigate the business risks.
• Data analytics champion - Assist in setting up data analytics requirements for IT audits.
• TeamMate Global Administrator - Perform global administrator tasks and assist local Business
Unit administrator on daily issues/tasks.
• Apply independent judgment in the evaluation of the effectiveness of IT controls and working
collaboratively with management to identify remedial actions where controls weaknesses pose a
material risk to the business.
• Review IT General Controls Framework which was put in place in 2018 and provide advisory to
ensure the framework is complete which also includes Cyber Security, Data Privacy, Cloud
hosting and Third-Party Vendor.
• Communicate the results of audits via written reports and oral presentations to senior
management and the EVP Internal Audit.

Company industry:
Insurance & TPA

IT Auditor

April 2012 - April 2018

Shell International B.V. and Shell People Services Asia SB

The Hague, Netherlands

• Auditing of General Controls including SoX Controls and Application Embedded Controls (AEC),
ITIL, Business Continuity Plan, Disaster Recovery Plan, Joint Venture Review, Crisis
Management, Data Privacy, Cyber Security, SAP Baseline for ECC, BW/BI, BO, HANA, etc.
• Develop the IT audit programme applicable to the agreed scope of a particular audit. Lead or focal
point for SAP audits.
• Contribute IT audit expertise to the development of the audit programme with respect to IT risk
matters relevant to the scope of business, IT and financial audits.
• Lead a team of business, finance and IT auditors to execute the agreed audit work programme.
• Perform and assist other team members to perform IT audit procedures, identifying and defining
issues which constitute controls weaknesses.
• Review and analyse audit evidence and document identified IT control weaknesses and co-develop
effective suggested improvements to mitigate the business risks.
• Apply independent judgment in the evaluation of the effectiveness of IT controls and working
collaboratively with management to identify remedial actions where controls weaknesses pose a
material risk to the business.
• Communicate the results of audits via written reports and oral presentations to senior management
and the Chief Internal Auditor.
• Pursuing professional development opportunities, including external and internal IT and audit
training and professional association certification, and sharing information gained with colleagues.
• Adhere to IT audit professional standards and norms.
• Contributes to the development of IT audit skills within Shell Internal Audit.
• Data analytics ambassador - Gather information required for the respective audits and generate the
reports from the target system and highlight the exceptions. Assist the audit team (mainly SAP
applications) in focusing on the key risks area from the generated report.

Company industry:
Oil & Gas

UI BAM ERP Security and Profiles Lead

June 2009 - April 2012

Shell Business Service Centre SB

Sepang, Malaysia

• Manage a team of 20+ people on IT Operational activities (support and development) in SAP
Security area which includes, ECC, iPortal, SUS, BW/BI and BO.
• Manage stakeholders from all supporting OUs via monthly meeting or as and when requested.
• Manage team budget to ensure it does not go over the limit by the end of the year.
• Full responsibility to ensure the technical design of EP Blueprint Access security design is
properly applied based on the Global design and Application Owner of SoX Security Controls.
• Resolving issues / principles with OUs regarding application of the design.
• Global coordination of work on all design changes and address issues arising from a SOX
perspective.
• Supporting OUs with day-to-day issues as well as design changes to meet local as well as global
business control.
• Reviewing Change/Data Requests having potential Security & Profiles implications.
• Coordination of compliance reports for the various systems.
• Ensuring all business requirements are met and the design is a well-controlled but flexible
building
• Fully responsible for the roll out of the design to implement OUs
• Implement, document and ensure all development & support work is carried out as per the
procedures for SOX and audit compliance
• Manage support issues and ensure that open tickets are assigned to team members and completed
• Ensure Service level agreements are met in a timely manner.
• Manage any relevant projects relating to Access security. Responsible for new tools/applications
within Upstream International which have security implications.
• Ensure sound and appropriate challenge on any proposed access security / role changes.
• Ensure Access security team resources and expenditure are in line with agreed budgets
• Provide appropriate learning and development opportunities for Access security team members.
• Transition local security activities and manage all user administration and any business-related
security issues
• Ensure all documented procedures are being correctly followed for audit & SOX compliance
• Liaising with the local controllers / Governance Risk and Assurance team to resolve segregation
of duty issues
• Control Owner for Security ACD and ensuring all requests are compliant with the controls.

Company industry:
Oil & Gas

SAP Support (Security and Profile team)

October 2005 - June 2009

Shell Information Technology International Sdn. Bhd. (SITI)

Sepang, Malaysia

• Resolve Security issues (problem tickets) efficiently and in a timely manner as stipulated in the
Service Level Agreement to ensure operational service delivery.
• Implement Change Requests as specified in the client approved estimate.
• Provide advice to OUs local security officer and admin on role design (R/3, BW, EBPro and
SEM).
• Devised action plans in addressing audit findings.
• Perform user administration task in Central systems.
• Monitoring/completion of service centre tickets.
• Manage and implement access control for various activities:
i. DSO development team for Cutover activities.
ii. OU conversion team.
• Role build for R/3, BW, EBPro and SEM systems for implementing OUs.
• Assist first line support (SAP Assist) in resolving profiles/authorization issues raised by OUs
and functional support team.
• Security Focal Point for Salym, Oman and America.
• Prepare month end report on DSO access in Production system (R/3, BW/ EBPro and SEM).
• Involved in implementation of BeX in BW system.
• Focal Point for BW SIGMA (SEM) split landscape project.
• Focal Point for BI 7 upgrade (SEM).
• Involved in analyzing Business Process across regions.
• Security Focal Point for New Zealand, Australia and Canada implementation.
• Based in Houston for 2 months to perform support task for BI7 upgrade.
• Focal Point for internal and external audit.

Company industry:
Oil & Gas

Application Consultant

October 2004 - September 2005

KaiZenHR Sdn Bhd

Kuala Lumpur, Malaysia

• Planned teamwork assignments and schedules, while guiding and monitoring work performance
• Provide technology consulting and analytical services to various business units
• Defined methodologies to lower cost and time requirements associated with technology rollouts to
increase project efficiency and reduce downtime
• Provide training to the users and conduct parallel testing at the client's place. Train users, migrate
data from legacy systems and assist the customer in user acceptance testing and parallel runs

Company industry:
Business Consultancy Services

Education

Staffordshire University

October 2004

Bachelor's degree, Computing

United Kingdom

Skills

IT Audit
Expert
SAP
Expert
Information Assurance
Expert
IT Risk
Expert
IT Governance
Expert
COMPUTER ENGINEERING
Intermediate
DESIGN REVIEWS
Intermediate
THIRD PARTY RISK MANAGEMENT
Expert
RISK ANALYSIS
Intermediate
PROJECT RISK MANAGEMENT
Expert
COMPUTER SECURITY
Intermediate
CONSTRUCTION
Intermediate
AUDITING
Expert
INTERNAL AUDITING
Expert
ISO IEC 27001
Expert
IT RISKS & ASSURANCE
Expert
CYBER SECURITY GOVERNANCE, RISK & ASSURANCE
Expert
SOX
Expert
SAP SECURITY
Expert

Languages

English

Expert