Wimadhya Rankothge, Specialist - Information Systems Auditing

Wimadhya Rankothge

Specialist - Information Systems Auditing

Dialog Axiata PLC

Country: Sri Lanka
Education: Bachelor's degree, Information Technology specialized
Experience: 12 years, 9 months


Work Experience

Total years of experience: 12 years, 9 months

Specialist - Information Systems Auditing at Dialog Axiata PLC
  • Sri Lanka - Colombo 4
  • In this position since August 2013

I am currently working at Dialog Axiata PLC as a Specialist in Information Systems Auditing attached to the Group Internal Audit division. The primary focus has been to manage and conduct reviews as per the audit calendar whilst ensuring the highest quality and effectiveness is achieved. Following are some of the key assignments handled by me, but not limited to:

Team leader of the comprehensive system reviews carried out for Rating, Mediation and postpaid billing systems. The following key areas / processes were reviewed during these crucial assignments:
• IT General Controls - such as password management, user access management, backup and restoration, change / patch management, incident management, audit logs, segregation of duties, etc.;
• Capacity and Performance management;
• Availability and disaster recovery management;
• Management Reporting;
• Vendor management;
• Master data management;
• Integration with other systems;
• Input, output and processing controls;
• Data validation controls;
• Error handling mechanisms; and
• Revenue assurance controls.

Key team member of the process review conducted for IT Strategic Planning in line with COBIT processes. The following reviews and activities were carried out as part of this assignment:
• Define a strategic IT plan;
• Define the information architecture;
• Define the IT processes, organization and relationships;
• Review management of IT investment;
• Review communication management aims and direction;
• Assess and manage IT risks;
• Review project management processes; and
• Monitor and Evaluate IT Performance.

Team leader of the review conducted on the defined scope for the ISMS to assess compliance of security controls to the ISO 27001:2005 standard as per the Statement of Applicability.

Team Leader of a foreign assignment conducted on IT operations and Development process based on COBIT. This included reviews on:
• Strategy management;
• Quality management;
• Risk management;
• Operation & problem management; and
• Monitor, Evaluate and Assess Performance and Conformance.

Carried out the following tasks as a team member in the Regional operations audit:
• Resource management, operations support and readiness;
• Resource trouble management;
• Customer interface management and loyalty;
• Order handling;
• Advertising, Marketing and Selling;
• Collections at outlets; and
• Problem handling.

Team Leader of the compliance assurance audit for Mobile Money. The following key areas were reviewed:
• Compliance management of legal and regulatory requirements given by Central Bank of Sri Lanka, Telecommunications Regulatory Commission and other applicable Acts;
• Compliance management of contractual requirements with custodian bank;
• Adherence to company Mobile Money compliance Policy; and
• Review of the company Compliance Policy and the Business Continuity Plan.

Reviewed the management framework of Governance, systems development process and operation management for Digital services (such as NFC, e-wallets, digital advertising).

IT Consultant at Ernst & Young
  • Sri Lanka - Colombo 10
  • September 2012 to August 2013

Ernst & Young
IT Consultant

I was working at Ernst & Young (Pvt) Ltd as an Information Technology Consultant in the Information Technology Risk & Assurance (ITRA) Department and my primary focus was on managing overall activities and operations involved in maintaining the quality of engagements. My experience includes providing consultancy services on the following projects for diversified clients - such as capital market, telecommunication, financial institutes and retailing and manufacturing industries:

Implemented comprehensive Disaster Recovery Plans for a Capital Market leader and multiple Financial Institutes. During these assignments the following key activities were handled / supervised by me:
• Conducting business impact analysis to determine the impact of a disruption of a system supporting critical functions and processes;
• Conducting risk assessment on identified critical systems, applications and processes;
• Developing strategic outline for recovery to identify vital records, minimum resource requirements to perform critical functions during disruption, alternative methods of processing, critical human resources including vendor contacts etc.;
• Developing recovery plans;
• Providing consultancy to implement documented recovery plans; and
• Providing guidance to test documented plans.

Team Leader of the engagements carried out for several financial Institutes and Airlines on developing Business Continuity Management System with compliance to BS25999. As part of the implementation process, I was responsible for conducting the following, but not limited to:
• Business Impact Analysis to determine the impact of a disruption of a business process;
• Risk Assessment and Risk Treatment plan for identified risks;
• Determining business continuity strategy to respond and recover from disruptions;
• Implement incident response structure to identify personnel, develop plans and allocate resources to respond to incidents, trigger an appropriate business continuity response and communicate with stakeholders;
• Documenting Business Continuity and Incident Management Plans to manage an incident and recover or maintain activities to a predetermined level; and
• Guiding clients to carry out testing on implemented business continuity plan.

Implemented Information Security Management System (ISMS) for leading Banking and Financial Institutes / Capital Market leaders in line with ISO27001:2005 standard. Below mentioned activities were carried out as a part of these assignments:
• Preparation of information asset inventory;
• Conduct a Risk assessment for identified information assets;
• Create a Risk treatment plan based on a gap analysis;
• IS policy and procedures preparation;
• Providing guidance to clients to implement controls according to policies and statement of applicability; and
• Carrying out internal ISO audits prior to certification audits.

Conducted Network Security reviews for leading Banks and Financial Institutes covering:
• Physical security;
• Authentication & access lists;
• Network management;
• Intrusion detection management;
• Change control;
• Logging and monitoring;
• Password management;
• Configuration management; and

Analyst - Systems & Process Assurance at PricewaterhouseCoopers
  • Sri Lanka - Colombo 2
  • September 2011 to September 2012

PricewaterhouseCoopers
Analyst - Systems & Process Assurance

I performed IT Systems Audits and Application Control Reviews for diversified clients including telecommunication, retailing and manufacturing industries during my tenure at PwC. Below mentioned aspects were reviewed and provided with recommendations according to industry best practices in these engagements:
• Financial and operational applications controls (including ERP systems application controls SAP, Movex, Microsoft Dynamics NAV, AX, Oracle Financials and IFS Financials);
• Business process controls;
• Database security controls (MS SQL 2000/2005/2008, MySQL, Oracle 10g and 11g);
• Operating system controls (Windows Server 2000/2003/2008, Unix, Linux and OS400);
• IT General controls;
• Infrastructure security;
• Third party assurance and opinion services;
• Due diligence on systems and controls; and
• Network security reviews.

Educational Background

Bachelor's degree, Information Technology specialized
  • at Sri Lanka Institute of Information Technology
  • February 2011

B.Sc. (Hons) in Information Technology specialized in Computer Systems and Networking with Second Upper Division Class Sri Lanka Institute of Information Technology - 2011

Specialties & Skills

BUSINESS CONTINUITY & DISASTER RECOVERY
INFORMATION SECURITY
NETWORK SECURITY
TELECOMMUNICATION

Languages

English: Expert

Training and Certifications

CCNA (Training)
Training institute: Turnkey Institute
Course date: July 2011
Duration: 40 hours
CRISC (Certificate)
Course date: October 2014
CISA (Certificate)
Course date: October 2014