طارق الزبري, Governance, Risk, and Compliance Analyst

Deakin University

Country
Australia
Education
Diploma, Certificate IV in Cyber Security
Experience
18 years, 0 months


Work Experience

Total years of experience: 18 years, 0 months

Governance, Risk, and Compliance Analyst at Deakin University
  • Australia - Burwood
  • I have held this position since March 2021

• Contributed to the development and maintenance of policies and procedures, aligning them with regulatory requirements and best practices for the higher education industry.
• Managed the information security risk register, engaging continuously with risk owners to achieve acceptable risk levels for the business.
• Conducted risk assessments to identify potential risks and vulnerabilities in the organization's key systems.
• Collaborated with relevant teams to develop and implement risk mitigation strategies and controls.
• Planned and conducted regular compliance audits to assess adherence to regulatory requirements and internal policies, implementing corrective actions to address compliance deficiencies.
• Provided training and awareness programs to employees regarding Cyber Security related policies, procedures, and best practices.
• Utilized GRC software and tools to streamline and automate governance, risk, and compliance processes.
• Identified process improvement opportunities within the GRC framework.
• Participated as a security resource in the planning phase of IT projects, and conducted risk assessments and architecture reviews and provided recommendations to the project team.
• Assisted the application development team in implementing security best practices in their CI/CD pipeline.

Security Compliance Officer at BGL Corporate Solutions Pty Ltd.
  • Australia - Brighton East
  • February 2019 to March 2021

• Main achievement: Managed and coordinated the ISO 27001 certification project for BGL, and delivered it on time and within budget (Feb 2019 to Dec 2019).
a. Identified certification requirements, and the required internal policies and procedures.
b. Obtained senior management's support, endorsement, and dedication to the project.
c. Conducted a risk assessment to identify the current standing, and then conducted a gap analysis to identify the shortcomings.
d. Identified risks and ensured that they were recorded, treated, and reviewed.
e. Developed an internal audit procedure, and control measurements procedure to help identify effectiveness of controls and their suitability.
f. Developed a management review procedure where findings and recommendations are reported to senior management.
g. Developed a corrective action procedure to ensure management decisions on improvements are recorded and implemented.
• Submitted weekly updates to the CTO on the progress of the ISO Certification.
• Developed a security awareness training program to ensure that all BGL employees are on board with the ISO 27001 requirements, and to ensure that they understand the common security risks, and that they are informed of the required actions to keep BGL secure.
• Liaised with department heads and management to identify all critical information security risks and ensured that they are treated and mitigated.
• Documented the needs and requirements of interested parties and regulatory bodies in the interested parties document and the risk register, and treated those risks in accordance with the business strategy and business risk tolerance.
• Developed a business impact analysis: liaised with business managers and senior management to identify the critical business processes and identify the impact on the business if those processes are affected due to an incident.
• Completed Third Party Risk Assessment questionnaires for prospective and current clients and was a focal point of contact for any follow-up security enquiries.
• Developed a Third Party Risk Assessment program for BGL to assess suppliers, and to assess partners' security postures before engaging or integrating with them.
• Developed an incident response procedure and was a member of the incident response team as a communications coordinator and a documentation lead.
• Conducted internal audits on a routine basis to ensure proper implementation of the ISMS.
• Measured the effectiveness of the policies, and proposed corrective actions when necessary.
• Liaised between the penetration testing service provider and the BGL product teams on the scope of the test and the time schedule. Reviewed the results of the tests with a committee, then added any discovered vulnerabilities to the risk register and followed up with the relevant teams on treating those risks.

Systems Administrator at BGL Corporate Solutions Pty Ltd.
  • Australia - Brighton East
  • August 2018 to January 2019

• Maintained, and managed the on-premise IT infrastructure.
• Administered the Microsoft server Active Directory user accounts and updated user account security privileges according to the employee's role in their department.
• Performed scheduled system data backups.

IT Support Administrator at BGL Corporate Solutions Pty Ltd.
  • Australia - Brighton East
  • August 2016 to July 2018

Head of IT Section (Infrastructure & Operations) at Consolidated Contractors International Company (CCC)
  • Oman - Muscat
  • January 2015 to June 2015

• Ensured that internal and external SLAs are being achieved.
• Designed, planned, implemented, maintained, and managed the IT data centre infrastructure.
• Audited and evaluated hardware maintenance plans and contracts.
• Initiated and implemented efficient cost saving plans.
• Maintained and audited the compliance of IT procedures and policies within the company.

Lead IT Engineer at Consolidated Contractors International Company (CCC)
  • Oman - Muscat
  • July 2011 to December 2014

• Led the IT operations team (five IT engineers, six LAN admins, one helpdesk admin, and two technicians) to ensure that all IT infrastructure operations at the headquarters office and five remote offices are running smoothly.
• Managed the IT infrastructure environment which includes around eight hundred computer desktops, thirteen physical servers, and twenty-six virtual servers.
• Provided adequate supervision and training for the IT Operations team and ensured that working practices were fully compliant with the IT quality procedures.
• Managed the IT demobilisation process from five remote site offices and ensured that the process was smooth and according to plan.

Senior IT Engineer at Consolidated Contractors International Company (CCC)
  • United Arab Emirates - Abu Dhabi
  • January 2011 to June 2011

• Managed the IT infrastructure at the UAE headquarters office, and the IT setup, mobilisation, and support of new project offices at remote sites.
• Managed the IT infrastructure environment which includes around six hundred computer desktops, ten physical servers, and thirty virtual servers.
• Administered multiple ASA firewalls (5500) throughout WAN and ensured the integrity of the LAN from external threats.
• Installed, configured, and managed the Barracuda Spam and Virus Firewall 400.
• Implemented 802.1x authentication on LAN (configure, manage, and monitor IAS servers).
• Troubleshot TCP/IP LAN and WAN connectivity issues.
• Monitored bandwidth and network activity by analysing information provided by MRTG.

IT Engineer at Consolidated Contractors International Company (CCC)
  • United Arab Emirates - Abu Dhabi
  • January 2007 to December 2010

Junior IT Engineer at Consolidated Contractors International Company (CCC)
  • United Arab Emirates - Abu Dhabi
  • April 2005 to December 2006

Educational Background

Diploma, Certificate IV in Cyber Security
  • at Victoria University Polytechnic
  • January 2021
Master's, Master of Science in Telecommunications
  • at George Mason University
  • January 2004
Bachelor's, Bachelor of Science in Electrical and Electronics Engineering
  • at American University of Sharjah
  • January 2002

Specialties & Skills

Active Directory
Security
Networking Strategies
PENETRATION TESTING
RISK MITIGATION
PROCUREMENT
RISK REGISTER
CYBER SECURITY
GOVERNANCE
GAP ANALYSIS
INCIDENT RESPONSE
INFRASTRUCTURE
SECURITY AWARENESS
PLANNING
Microsoft Office
Problem Solving, Teamwork, Negotiation, Leadership, Motivation, Communications
SECURITY POLICIES

Languages

Arabic
Expert
English
Expert

Memberships

MENSA International
  • Regular Member
  • June 2007
ISACA
  • Member
  • June 2020
ISC2
  • Member
  • January 2023

Training and Certifications

Certified Information Security Manager - CISM (Certificate)
Course date:
March 2021
Valid until:
January 2025
Certified Information Systems Auditor - CISA (Certificate)
Course date:
December 2022
Valid until:
January 2026
Certified Information System Security Professional - CISSP (Certificate)
Course date:
March 2024
Valid until:
March 2027

Hobbies

  • Basketball, Squash, Padel and Swimming
  • Table Tennis
    I was part of the American University of Sharjah Table Tennis team and participated in several university tournaments.