Lead IT Auditor
Kuwait Petroleum Corporation (KPC)
Total years of experience: 41 years, 11 months
1. I am an Information Systems Audit and Security professional.
2. I have a total of twenty-eight years of professional Information Systems practice and audit experience, of which I worked for 18 years with professional firms such as Systems Ltd (6 years), Deloitte (6 years) and KPMG (6 years).
3. In these eighteen years I delivered services to more than 110 large clients in Pakistan and the Middle East, mainly comprising IT Audit, IT Security, IT Consultancy, software development, ERP implementations, IT Strategy preparation, IT training, Due Diligence Audits, IT Valuation, and BCP and DRP development, implementation and maintenance.
4. In the remaining ten years I worked for the Information Systems departments of MNCs and financial institutions as Head of IT and Lead IT Auditor, supporting and implementing the organizations' initiatives in CRC, IT Audit and IT Security.
5. At present I have been leading the IT Audit function at Kuwait Petroleum Corporation (KPC) in Kuwait for the last two years, auditing the IT implementations of KPC and its 10 subsidiaries, worth approximately US$45 billion.
6. In the last 20 years, I have held senior management / top positions in the Information Systems industry in Pakistan and the Middle East.
7. I worked for Deloitte Chartered Accountants (represented in Pakistan by Khalid Majid Hussain Rahman and M. Yousuf Adil Saleem & Co., Chartered Accountants) for 6 years as their Senior Manager for IT Audit.
8. I worked at KPMG Peat Marwick, Chartered Accountants and IT Consultants (represented in Pakistan by Taseer Hadi Khalid & Co., Chartered Accountants) for 6 years as their Senior Manager for IT Audit and consultancy.
9. I worked at Systems (Pvt.) Ltd (a leading software development house and IT consultancy in Pakistan and the US) for 6 years as their Project Manager and delivered services in IT consultancy, IT strategy, software development, etc.
Information Security Officer responsible for all IT and physical security related policies and procedures of the company, ISO 27001 implementation, BCP, IT Security Policy, Security Management Group meetings and implementations.
Information Systems Security Audits and Management
Leading the Information Systems Security department at CDC, I am responsible for:
17. Implementation of the ISO 27001 Information Security Management System (ISMS) international standard across the organization, in all departments and all areas of the IT function, and obtaining certification. We are in the final stages of this achievement.
18. Information Systems Security Policy development, presentation to management, obtaining approval, creating awareness through presentations and emails, having it implemented by the relevant departments, reviewing compliance, reporting variances and continuously improving / adding new policies, procedures and guidelines.
19. CDC uses an in-house developed, online, real-time, internet-based integrated application system called the Central Depository System. This application maintains the record of all Stock Exchange transactions in Pakistan. It is accessed by several hundred users from across the world. We have used the Deloitte Controls Matrix Method (with some variations) to document risks, controls, weaknesses and areas for improvement, and to test and improve the application controls continuously.
20. In addition to the above, we use Oracle Financials (five modules: GL, Fixed Assets, Receivables, Payables and Cash Management); for auditing and ensuring the security of these modules we use ISACA tools to audit the controls and to document and report weaknesses for improvement.
21. We also use other standalone applications for Payroll and Personnel management.
22. Conducting vulnerability assessment and penetration testing of all areas of the IT infrastructure, such as networks, databases, operating systems, LAN, WAN, desktops, laptops, palmtops, the corporate website, customers, employees, etc., using software and printed checklist tools from ISACA, the top 100 hacking and penetration tools and Open Information Security Forums. We created fifteen scenarios by which our internal and external users enter the network and, using the hacking and penetration testing tools, tested the vulnerabilities of these paths, reported on them and improved the weak areas.
23. Conducting audits of the configuration settings of operating systems (CDC uses AIX and Windows 2003), databases (Oracle 9i), security devices (IPS, VPN and firewall), network devices, all applications, configuration management, application development tools, etc.
24. Auditing the physical security of the organization, which included guard deployment, bomb disposal policy, firefighting policy and plan, fire drills, visitor policy, access card and system procedures, employee hiring processes, employee firing / termination processes, handling disgruntled employees, policy and procedures for working after office hours and on holidays, camera deployment and recording, and training on bomb and fire response, etc.
25. Participating in the purchase process and pre-audit of new IT investment initiatives such as the Enterprise Information Security Framework (EISF) deployment (which included deployment of IPS, firewalls, VPN, routers and switches), the Security Operation Center (SOC), which included six modules, Network Admission Control (NAC), Data Leakage Prevention (DLP), the Internet Upgrading Project (IUP), etc.
26. Developing policies, procedures and guidelines for all other areas of the business processes, presenting them to management, obtaining approval, creating awareness, having them implemented, reviewing compliance, reporting variances and continuously improving them.
27. The ISO 27001 project included developing Information Assets Classification, Labeling and Handling policies, procedures and lists, risk assessment, and having them implemented.
28. This project also included developing process documentation for almost 200 critical processes of CDC and reviewing / ensuring the security and continuity aspects of these processes.
29. One major activity of the ISO 27001 project was the Risk Assessment of all information assets and all critical business processes. This included listing all information assets and their relevant risks, and taking mitigating measures to reduce, transfer, control or accept the risks. In addition, we reviewed all critical processes, evaluated their risks and took mitigating measures.
30. Another major activity of this project (ISO 27001) was the development of the Business Continuity Management (BCM) program of the organization, implementing it, conducting drills and training, and establishing the BCM. This program conformed to the BCI 10 domains and the BS 25999 standard.
31. Developing a Security Incidents Management System (SIMS), which included developing detailed policies, procedures and guidelines, getting them approved by the Security Management Group (SMG), creating awareness, having them implemented, monitoring variances, investigating information security incidents, reporting to the SMG, conducting forensics, updating the lessons-learnt database and implementing further controls to prevent recurrence of security incidents, etc.
32. Conducting SMG meetings on a monthly basis and apprising management of all aspects of enterprise security, including security incidents reported, new policies and procedures, and updates on all security projects.
34. Reporting to the audit committee and regulators (SECP) the observations of external auditors, their risks, management responses and implementation schedules.
Information Systems Audit
11. I conducted detailed Information Systems Audits of sixteen clients in Pakistan and the Middle East over twelve years (1994-2006) using the latest methodologies, questionnaires and software tools of the Information Systems Audit and Control Association (ISACA), USA, KPMG Peat Marwick and Deloitte practices.
12. In these engagements I audited several computerized banking and back office applications and developed their Information Systems Audit Manuals (consisting of a Control Matrix, Control Concerns Matrix and Conclusion Matrix) for each application.
13. I have also reviewed the relevant databases of these applications using Audit Command Language (ACL), importing the databases into ACL, performing audit queries and printing exception reports.
14. In addition, I have audited twenty to thirty-four General Computer Control (GCC) areas as suggested by COBIT, and suggested improvements in a Control Concerns Matrix with implications and recommendations.
15. In addition to the above sixteen clients, I performed IT Audits of more than 50 clients of KPMG and Deloitte in Pakistan and the Middle East. These audits were part of the statutory audits and included reviews of ten to thirty-four areas of IT practice (depending on the requirements and the previous year's audits, as given in COBIT 4.1), identifying areas for improvement and recommending value-added solutions in those areas.
16. The above IT Audits also included detailed reviews of the clients' BCP, DRP, BIA, risk assessment, BCP strategy development, implementation, testing, maintenance and training, emergency response, crisis management, and communication and coordination with external parties, and recommending strategies for improvement in these BCP plans.
Conducting and Attending Information Systems Training
35. As part of my professional career, I have conducted several professional courses, totalling more than 1200 hours, related to Information Systems Audit, Information Systems Security, ISO 27001, the GPG of the BCI, COBIT, VAL IT, Business Continuity, Disaster Recovery, MIS, management and other computer-related topics.
36. I have also attended almost 200 seminars, conferences and training programs on Information Systems related topics such as Information Systems Audit, Information Systems Security, ISO 27001, BCP, DRP, BCM, BIA, Risk Assessment and Treatment, BCP Strategies, Emergency Response, Crisis Management and Physical Security.
Business Continuity and Information Systems Security Consultancy and implementation
37. I provided Business Continuity and Information Systems Security related consultancy and implementation services, such as BCP and DRP strategy development, implementation, testing, awareness and training, and maintenance; ISO 27001 standard implementation and certification; vulnerability assessment and penetration testing; enterprise security policy preparation, implementation and awareness; and network evaluation and strengthening of network security.
Experience on Printed Tools, OS, application development tools, Hardware
38. I have experience working on the BIA and Risk Assessment software of Deloitte, ACL, COBIT, Control Objectives for Net Centric Technology, Microsoft Baseline Security Analyzer, SekChk (a Deloitte software tool for assessing network security), IBM OS/400 and utilities, IBM VM and utilities, Windows 2003 and utilities, Unix, Oracle Developer, Oracle Report Writer, RDBMS, SQL Plus, COBOL, client-server LAN, WAN, etc.
39. I have some experience reviewing the configurations of routers, IPS, managed switches, and several security software and hardware devices.
40. I have experience developing IT Security Strategy and Security Policy.
Due Diligence Reviews
43. I conducted a Due Diligence review of the Information Systems of National Refinery of Pakistan Limited.
44. I conducted Due Diligence Reviews of the Information Systems of several clients, including Allied Bank of Pakistan (700 branches), and submitted a report containing recommendations for implementing new ERP systems over the next five years at a cost of Rs. 2.6 billion.
Valuation of Information Systems
45. I also conducted a valuation of the Information Systems of Karachi Stock Exchange Guarantee Ltd. This client has one of the most expensive and up-to-date IT setups in Pakistan. I used internationally accepted valuation methods, as used by Deloitte, and presented a report valuing the existing Information Systems infrastructure.
Information Systems Strategies
46. I prepared, presented and implemented Information Technology Strategies for four clients, which also included broad guidelines on BCP, DRP, Risk Assessment, BIA, etc.
47. I have also prepared and presented several proposals to large institutions and banks (such as Pakistan Petroleum Limited, Pakistan National Refinery Limited, Pfizer Labs, Central Depository Company of Pakistan, Saudi Pak Commercial Bank (200 branches), Security Papers, National Bank of Pakistan (1200 branches), Institute of Business Administration and Bank Al Falah Ltd. (250 branches)) that involved reviewing their existing Information Systems setup, including BCP and DRP, and proposing / presenting improvements and directions for the future to Board members and top management.
48. I am one of the Directors of the Board of the ISACA Karachi Chapter (CISM Coordinator) and a member of the IT Sub-Committee of the Institute of Chartered Accountants of Pakistan.
49. I am also visiting faculty at the Institute of Business Administration (IBA), University of Karachi, for several Information Systems related courses and teach 3 hours per week. IBA is one of the oldest (since 1955) and largest business administration institutions outside North America.
Information Systems Audit Assignments
I conducted detailed Information Systems Audits of the following sixteen clients in Pakistan and the ME over twelve years (1994-2006) using the latest methodologies and software tools. While auditing these clients, I also reviewed their BCP, which included their impact analysis, risk analysis, BCM strategies, emergency response procedures, awareness and training programs, maintenance of the BCP, crisis management and coordination with external parties.
Name of Client -- No. of applications
United Bank Limited Pakistan (800 branches) -- 24 applications
Muslim Commercial Bank Pakistan (1200 branches) -- 12 applications
Bank AL Habib Limited Pakistan (200 branches) -- 6 applications
Bank Al Omani AL Fransi, based in Muscat, Oman (10 branches) -- 2 applications
Diners Club Pakistan -- 5 applications
ANZ Grindlays Bank Pakistan (500 branches) -- 11 applications
Soneri Bank Pakistan (70 branches) -- 6 applications
Pak Oman Investment Company Ltd. (3 branches in Pakistan) -- 6 applications
NBP Exchange Company Ltd. Pakistan -- 4 applications
Pak Suzuki Motors Company Ltd. Pakistan -- 12 applications
Pakistan International Airlines Pakistan (Inventory Management System) -- 1 application
Arenco Real Estate, based in Dubai
General Civil Aviation Authority of UAE, based in Abu Dhabi
Saatchi & Saatchi Advertising, based in Dubai
Liwa Trading Chain Store, based in Abu Dhabi
Petrochem Middle East, based in Dubai
IT Audits as part of Statutory Audit
I conducted IT Audits of the following clients as part of statutory audits. This involves reviewing the 20 technology areas of the client, such as application systems, computer hardware, operating systems, local and wide area networks, databases, relationships with vendors, BCP, DRP, IT security of equipment and databases, physical and logical security, etc. We then prepare recommendations for improvements in the areas that require them, discuss them with the client's IS management and present them to the audit committee for implementation.
State Bank of Pakistan
National Bank of Pakistan
Pakistan International Airlines Corporation
Muslim Commercial Bank Limited
NIB (NDLC - IFIC)
Procter & Gamble Pakistan
Dawood Leasing Co.
Al Zamin Leasing Co.
Adamjee Insurance Co.
State Life Insurance Corp.
Siemens Pakistan
Alstom Pakistan
Lucky Cement
BSJS
Credit Agricole
IUCN Pakistan
Allied Bank of Pakistan Ltd.
Saudi Pak Commercial Bank.
My Bank
Hong Kong Shanghai Bank
Mind Share
Quality Aviation
Oxford University Press
Employees Old Age Benefits Institution Pakistan
Gillette Pakistan
BASF
AES Lalpir Power Generation Co.
HUBCO Power Generation Co.
Cadbury Pakistan
SGS Pakistan
JP Coats Pakistan
Crosby Dragon Fund
Contact Plus Advertising
Interflow Advertising
Pyramid Productions
Evion Fats and Oil
Ibrahim Fibres
Shifa International Hospital
Oil and Gas Development Corporation
Indus Dyeing
Kings Apparel
Motif Leather
MCR Pizza Hut
Tata Group of Companies
NP Spinning
IT Strategy Preparation
I prepared and implemented IT Strategies for the following organizations by studying and documenting the client's existing infrastructure and suggesting appropriate computer hardware, application software, systems software, application development tools, personnel requirements, BCM strategies, DRP requirements, risk assessment, training needs, and communication hardware and software specifications.
1. First Leasing Corporation
2. Karachi Port Trust (KPT)
3. National Investment Trust (NIT)
4. Sui Northern Gas Pipelines Limited (SNGPL)
Tools, OS, development tools, Hardware
20. I have experience working on ACL, COBIT, CONCT, MBSA, SekChk, routers, IDS, managed switches, concentrators, several security software and hardware products, Security Strategy, Security Policy, OS/400 and utilities, IBM VM and utilities, Windows 2003 and utilities, Unix, Oracle Developer, Oracle Report Writer, RDBMS, SQL Plus, COBOL, IBM AS/400, IBM 4331 and 4341, client-server LAN, WAN, etc.
Hardware Selection
Selected and installed computer hardware for the following companies:
1. Saudipak Leasing Company Limited
2. Dollar Industries
3. Pakistan Customs
4. Agfa Gevaert Pakistan Limited
ERP Implementations
I selected and implemented ERP software for the following organizations (organization -- product -- year):
Dollar Industries -- Oracle Financials (5 modules) -- 1998
Brook Bond Pakistan Limited -- Manufacturing and Distribution -- 1988
Philips Electrical Company of Pakistan Limited -- JD Edwards Sales, GL, Receivables -- 1983
Website Development
Developed (with a team) the website for Saudipak Leasing Company Limited, www.saudipakleasing.com
Tariq Mahmood
92 300 820 8921, Res. 921 453 3541
Application Systems designed, developed and implemented
41. As part of my job at Systems Ltd., I studied, designed, developed and implemented more than 40 commercial application systems for 15 large clients using various computer hardware, operating systems, databases and application development tools.
42. As Project Manager, I led a team to implement Oracle Financials (5 modules) at two manufacturing concerns using AIM and the Deloitte Express Method.
Information Systems Analysis, design, development and implementations
I developed and implemented application systems for the following organizations while working for software houses and Chartered Accountants:
1. Leading the Information Technology Division of Saudi Pak Leasing Company Limited, I supervised the development and implementation of 5 main leasing applications and 13 smaller supporting applications on client-server under UnixWare 7.0 and Windows NT 4.0 using Developer 6i and Oracle 8i RDBMS.
2. Implemented Oracle Financials (5 modules: GL, Order Entry, Inventory, Fixed Assets and Accounts Receivables) with a team of 10 consultants at Dollar Industries.
3. Implemented an online, real-time, off-site Inter-Branch Reconciliation system for 1500 branches of National Bank of Pakistan (NBP) with a team of 3 consultants on IBM AS/400 using COBOL/400.
4. Implemented an online, real-time reconciliation system for House Building Finance Corporation for disbursement and collection transactions at 600 branches of two banks.
5. Designed and supervised the development of five commercial applications for the College of Physicians and Surgeons Pakistan in a client-server environment.
6. Designed, developed and implemented Procurement, Material Receipts and MIS application systems on IBM AS/400 using COBOL/400 for Pak Arab Fertilizers.
7. Developed and implemented the Imports, Exports, Bank Guarantee, Inventory and Bonded Warehouse systems on IBM AS/400 using COBOL/400, heading a team of 22 consultants, for Pakistan Customs.
8. Implemented a package of five applications, i.e. Inventory, Purchases, Budgeting, General Ledger and MIS systems, on IBM AS/400 with a team of three consultants for Brook Bond Pakistan Limited.
9. Developed and implemented Inventory, Purchases, Library, Budgeting, General Ledger, Payroll, Personnel and MIS systems on IBM 4361 using Cross System Product with a team of five consultants for SUPARCO.
Soft Skills
50. I am a team builder and a champion in interpersonal skills and in motivating my team.
51. One of my greatest strengths is my presentation and written communication skills. I have been a faculty member at the university level and I am rated as one of the best faculty at the University.
52. In addition to being excellent in English reading, writing and speaking, I can read and understand Arabic quite well; however, I need to develop my Arabic speaking abilities, which I will be able to do in a few months.
53. One of my greatest strengths is that I am an early riser and jog and exercise after my prayers, which keeps me strong and healthy physically, mentally and spiritually for work pressures.
As you will appreciate, my educational and professional qualifications, certifications and experience exceed or closely match the captioned job requirements of an IS Auditor / IT Security Professional, and I feel very confident that I can do the job very well. I would appreciate it if you could provide me an opportunity to discuss in detail why I can do the job best.
I look forward to a positive response.
Sincerely
Three days course
One week course on BCM by ME.
Passed all exams
Attended the four courses of CCSP; however, did not attempt to qualify as CCSP.
During my employment at Deloitte and KPMG, I attended several trainings on their proprietary tools and methods. I have listed only some of these.
1. Deloitte Express Methodology for Project Management (printed version).
2. Deloitte SekChk for Information Security assessment and reporting (software tool).
3. ACL for data extraction and manipulation (Deloitte uses ACL worldwide).
4. Deloitte BIA software tool, used for Business Impact Analysis and reporting (MS Access based software tool).
5. Deloitte Risk Assessment software tool for assessing the risks to information assets and providing mitigating controls and risk treatment strategies.
6. Deloitte Valuation Method for IT investments.
7. Deloitte IT Strategy Preparation Method.
8. Deloitte Applications Controls Matrix, used for application audits. Using this method we list the risks of the application, the controls implemented to mitigate the risks, and the missing / expected controls that should have been implemented; we then evaluate them against the risks and conclude whether the identified risks have been appropriately mitigated or not.
9. Deloitte Network Security Controls Matrices, used in the same fashion as the Applications Controls Matrix, for network devices, operating systems, security devices, databases, application development tools, etc.
10. Deloitte Business Continuity Management (BCM) Methodology, which essentially covered all aspects of BCM (printed version).
11. Deloitte AS/2 (Audit System/2) software tool, which covered all aspects of the financial and Information Systems audit method. This tool also provided several software-based audit programs for auditing information systems depending on the infrastructure of worldwide clients, including several operating systems (such as Unix, Windows, Novell, Linux, VM), databases (such as Oracle, DB2, Informix), networks, ERPs (such as Oracle Apps, SAP, PeopleSoft), security devices (such as IPS, VPN, firewall), network devices (such as routers, switches, network analyzers, anomaly detectors), Internet / intranet, configuration management, data center review, IT operations, physical security, logical security and business continuity (preparation, implementation and testing tools and guidelines).
12. AS/2 presents a standard questionnaire for the client's IT infrastructure, and the consultant inputs the basic IT setup. Based on this input, AS/2 provides audit programs; the consultant runs these audit programs with the client and inputs the answers obtained from the client, and based on these responses AS/2 asks further questions interactively to investigate the client setup further, then prints a draft audit report identifying vulnerabilities and possible best solutions. The consultant discusses the report with the client and, based on this discussion, modifies the report and produces the final report.
13. Deloitte Image System and how to implement it at a new practice. I was also responsible for this implementation.
14. Deloitte Auditors' Independence establishment and maintenance system, which included training auditors to maintain independence, conducting interactive network-based tests for the national practice and reporting results to the Parent Office.
15. Deloitte Information Security Awareness and implementation system, which included network-based training on information security, followed by online tests of knowledge and practice of the security systems, with results reported in the annual appraisals.
17. Deloitte Winning Proposals writing method.
18. KPMG Selection and Implementation of Integrated Packaged Software such as ERP (SiiPs).
19. KPMG Image System, which contained standards for all reports, documents, stationery, marketing material, etc.
20. KPMG IT Audit and IT General Controls Review Level 3 courses.
All of the above tools were upgraded on a yearly basis with additional tools, checklists and guidelines. These tools were provided to practices worldwide through CDs and the Knowledge Network (based on the Deloitte VPN). As consultants we were able to search for and download the relevant updated tools on the relevant areas for engagements.
I have attended several seminars / short courses on COBIT, VAL IT, BCP, DRP, BCM, BIA, Risk Assessment, Security Incident Management Systems, Information Classification, Retention, and Purging etc.
B + Grade, Internship at IBM Pakistan for six months.
B Grades
Course conducted by many universities in Pakistan
MBA, CISA, CISM, CGEIT, CRISC, CRMA, MBCI