Information Security Officer
Qatar Steel
Total years of experience: 20 years, 4 months
Experienced in the field of information security, with 12+ years of experience, having worked in the following domains:
- Information Security
- ISO 27001 - Implementation
- Audits (Internal, External and Regulatory)
- Patch Management
- Vulnerability Management
- Anti Virus Management
- Security Incident Management
- Physical Security Audits
- Risk assessments for Change Requests
- Industrial control systems and SCADA Security
- PCI DSS
- Applications Security
Experienced in the field of information security, with 9+ years of experience, having worked in the following domains:
- Audits (Internal, External and Regulatory)
- Patch Management
- Anti Virus Management
- Security Incident Management
- Physical Security Audits
- Information Security Generalist
- Risk assessments for Change Requests
IBM Global Process Services Jul' 2010 - Jul' 2012 Assistant Manager (Information Security)
➢ Perform vulnerability assessment and penetration testing by using Nessus & ISS. (Servers and Network devices)
➢ Perform System health checks using Tivoli compliance manager.
➢ Carry out Manual Health checks for devices in Redzone/Customer dedicated network as per compliance requirement.
➢ Responsible for Patch Management process for PAN India, which includes publishing advisories for Servers, Network devices and Desktops using Bigfix reports and ensure compliance to timelines defined by CIO Office.
➢ Carry out privileged ID validation/reconciliation on quarterly basis.
➢ Perform portable media audit and re-conciliation on a half yearly basis.
➢ Management and Administration of Websense (Content filter solution) and Symantec End Point protection (Anti-virus solution) to meet compliance requirements.
➢ IPS - IBM Site protector - Monitor and report alerts to network team for RCA and closure.
➢ Ensure antivirus compliance on all servers and desktops, and work closely with IT team for closure of deviations.
➢ Conduct Internal audits every quarter and highlight deviations to process owners for risk mitigation.
➢ Ensure audit readiness for various standards and validate the required controls prior to audits.
➢ Face external auditors for ISO 27001, PCI and HIPAA audits for answering any queries related to these audits and also provide compliance artifacts.
➢ Conduct Physical security audit as per contractual obligations.
➢ Conduct surprise audits on production floor to check compliance to policies.
➢ Information security SPOC for domestic and international processes responsible for coordinating with client and process owners for security related issues on an ongoing basis.
➢ Perform and complete all security calendar activities within specified timelines.
➢ Audit compliance for clients based on SOW/DOU and contracts, highlighting any deviations/risk to IBM management and compliance teams.
➢ Work closely with various teams to ensure IBM ITCS 401 and IBM ITCS 300 Security Compliance Standards are adhered to and deviations are closed in timelines specified by CIO Office.
➢ Responsible for Implementation of any new directives from CIO office.
➢ KCO audit SPOC (This is IBM Specific Compliance Audit carried out by CIO Office)
➢ Review, validate and approve change requests from Risk and Information security perspective.
➢ Conduct Information Security awareness sessions for users and managers.
➢ Responsible for Security Incident management - Initiate incident process, document, investigate and formally report to incident and privacy team (looping respective HR manager)
➢ Security incident Management (Investigations, RCA, Report out to Management, Recommend mitigation strategies).
➢ Review and validate Changes to environment from risk perspective during change management.
➢ Validate and audit logs for critical devices as per compliance requirement (Network devices and Servers)
➢ Conduct Information Security awareness training for internal teams on a regular basis.
Professional Experience: 3 - at Genpact - formerly GE Capital
Genpact India Feb' 2004 - Jul' 2010 Senior Security Engineer
➢ Responsible for change requests as part of Change Request management for privilege accesses, Establishment/Decommissioning of service, Installation of Applications, Network changes, Patch management and process as per the policies of the organization and thus assuring compliance adherence and implementation.
➢ Responsible for Security Incident Management involving co-ordination with multiple teams for investigation into violation of security controls and perform root cause analysis to remediate and prevent recurrence.
➢ Report problems to Problem Management Team for its Root Cause Analysis involving active participation along with respective onsite Workstation Management Team and Server Management Team.
➢ Prepare documentation/Standard Operating Procedures and explain technical details in a concise & understandable manner.
➢ Ability to oversee and enforce security controls to ensure client account information security compliance and assurance
➢ Regular interaction with clients and internal processes (IT COE) to understand their security requirements w.r.t (Applications, Network connectivity, Compliance, Data privacy) and conceptualize / design security controls to ensure the cost of protection is commensurate with the value at risk.
➢ Analyzing and proposing new technologies/tools/devices to improve the level of security, Conduct POC of security devices (End to End process till completion)
➢ Manage the RFPs process, review and compile RFP templates.
➢ Identifying areas of improvement to add value to the organization / client account.
➢ Performed Risk assessment and Risk treatment of the business critical assets for ISO 27001 audits.
➢ Conduct Internal Audits in various sites including surprise audits to assess the adequacy of the security controls on regular intervals and close the gaps in co-ordination with operations and sys admin team.
➢ Identify and recommend the remediation solution to address external / internal audit findings.
➢ Face external auditors during various audits for queries, evidence and information related to Information security and compliance.
➢ Auditing PDMZ servers and signing off prior to implementation.
➢ Proactive in familiarizing with any industry specific regulatory or compliance requirement as required by the client accounts.
➢ Delivering presentations for Information Security awareness and compliance on a weekly basis for various internal processes and for new hire orientation.
➢ Facilitation of fortnightly Information Security Council call.
➢ Manage and co-ordinate project tasks individually and as a team to meet stringent deadlines.
➢ Coordinating operations with the Corporate Network security team, which comprises NIDS, IPS, Firewalls and End Point Security.
➢ Risk Assessment of in-house developed Applications and recommend suitable controls to the Application Development team.
➢ Ensuring that security is invoked in the initial stage of Application development and the team follows security Toll-gate review process and signing off once the desired requirements are met during Initial, Development and UAT stages.
➢ Research and review software (Licensed/Freeware/Shareware) for vulnerabilities and related risks post which recommend usage in our environment as per findings.
➢ Review of Firewall change requests post risk assessment as per Compliance and Network Architecture on a weekly basis.
Hands on Experience on the following Security Tools:
Nessus (Windows)
N-Stalker
Nmap
Websense
Symantec Antivirus (Administration Console and Live update Manager)
Intrusion prevention systems - IBM - Site Protector
Bigfix
ISS Scanner (IBM)
Tivoli Security Compliance Manager
Tivoli Compliance Insight Manager
TACACS
NetStumbler
GFI Event Manager
Spider (for PCI Compliance)
Professional Experience: 4
➢ Post Graduation - Master of Arts (Sociology) - (Andhra University - 2001)
➢ Graduation - Bachelor of Arts (Andhra University - 1998)