Zeeshan Qader

AVP - Manager Internal Control (Information Systems) · Bank

Pakistan

Master's degree, Data Networks/Software Engineering

Work experience

Total years of experience: 20 years, 0 months

AVP - Manager Internal Control (Information Systems)

May 2018 - Present

Bank

Karachi, Pakistan

• Implementing & Evaluating ICFR (Internal Control Over Financial Reporting) over COSO (Committee of Sponsoring Organizations of the Treadway Commission) Information systems (ITGC, Application Controls) areas throughout the Bank.
• Implementing State Bank of Pakistan (SBP) regulatory framework of “Enterprise Technology Governance & Risk Management Framework for Financial Institutions”.
• To assist in the complete documentation of the Bank’s internal control processes related to information systems (Both at entity level & at activity level) in the form of process level work flows.
• Assist in risk assessment of the information systems business sub processes/sub cycles for entity level & activity level by developing Risk Control Matrices.
• Assist in validating the information systems Process level Work Flows & Risk Control Matrices documentation from the respective department /branches.
• Assist in developing Testing Plans of operations related to information systems of the bank both entity level & activity level.
• Assist in conducting internal control reviews related to information systems for bank’s operations. The review covers all the activities/operations at Head office level and at branch level.
• On the basis of internal control reviews related to information systems, develop and submit ‘Gap analysis Report’ and respective recommendations to your Head.
• Assist in conducting Quality Assurance Exercise for the gap validation.
• Assist in preparing Remediation Plan and conduct follow ups for the remediation of Gaps.
• Team member in conducting the full scope reviews at branches to the effectiveness of key information systems controls.
• Liaison with the external auditors / consultants and regulators.
• Scanning and analyzing the end-to-end system for vulnerabilities.
• IT/IS Control reviews and preparation of risk based report to present in ICC (Internal Control Committee) and in BAC (Board Audit Committee).
• Advisory member of Cyber Threat Intelligence Unit (CTI-U) of the Bank.

Company industry:
Banking
Job role:
Banking

Information Security Consultant/Auditor

May 2017 - April 2018

Freelancer

Karachi, Pakistan

• Developing and formulating IT/IS policies and procedures.
• Apply the information security strategy so that there is quantifiable progress in applying the strategy.
• Monitor industry trends, evolving threats, vulnerabilities and control techniques.
• Risk Management, IS risk assessment and treatment Plan
• Scanning and analyzing the end-to-end system for vulnerabilities
• IT/IS Audits

Company industry:
Business Consultancy Services
Job role:
Consulting

IT Security Consultant/Auditor

December 2015 - March 2017

Ministry Of Interior (MOI)

Doha, Qatar

• Develop and maintain IT/Information Security Standards, Policies and Procedures.
• Develop and maintain mandatory and non-mandatory documents regarding ISO/IEC 27001:2013 Certification Program.
• IS risk assessment and treatment Plan
• IT General Controls and IT Management Process Reviews (covering IT strategy, IT Resource Planning, IT Operations, Information Security, Applications / Networks / Hardware / System Software Change Management, Software Licenses and Business Continuity/Disaster Recovery).
• Prepared Annual Internal Audit Plan.
• Conduct Internal IT Audits and create exceptions report and present to Management.

Company industry:
IT Services
Job role:
Information Technology

Manager IT Security

December 2014 - November 2015

TPL Holdings

Karachi, Pakistan

• Establish and maintain an information security certification/accreditation program. This includes ensuring that all systems have completed and maintained security plans, risk assessments, and security self-assessments.
• Act as a liaison between the IT Departments on Department-wide security initiatives, incident response activities, and on fulfilling information security reporting requirements.
• Develop and maintain IS/Cyber Security Architecture and Standards, Policies and Procedures.
• Define Security Matrices and Configuration Management planning.
• Based on review and evaluation of current/active security controls, assess potential risk and exposure to the information assets; prepare detailed security review program that includes tests to be performed. This review is also used for performance enhancement of IT assets.
• Research on publicly available tools, exploits and frameworks as a proactive approach to information security.
• Conduct internal IT Audits and create exceptions report and present to the board of directors.
• Near real-time log analysis and monitoring using IBM QRadar SIEM.
• Designing and Implementing Data Loss Prevention, using Symantec DLP.
• Involved in planning, maintaining and executing organization wide Business Continuity and Disaster Recovery Initiatives, and related projects.
• Implementing Symantec whole disk encryption to all critical terminals / nodes nationwide.
• Conducting Security Awareness Training Program.
• Various penetration testing and vulnerability assessments, on Application and Network layers.
• Designing and developing risk assessment methodology for nationwide information risk management.
• Designing and Implementing Security Visualization techniques for Security Operations Center.
• Designing and Developing Information Security Policies and process according to ISO 27001 standards, along with 27002 controls implementation.

Company industry:
Other Business Support Services
Job role:
Information Technology

Information Security Consultant

April 2014 - August 2014

Mawhiba

Riyadh, Saudi Arabia

• Analyzing the organization's overall security risks and requirements. Providing technical security insight, perspective and assessments on various technologies, products and resources.
• Facilitating the reassessment of the current technology architecture, analyzing system gaps and implementing a new technology roadmap to meet future needs.
• Developing, implementing and enforcing organizational information systems security policies and procedures.
• ISO 27001 implementation.
• Vulnerability assessment and penetration testing.
• Business risk analysis, security testing and benchmarking.
• Security strategy, governance, compliance and risk management.

Company industry:
Primary, Prep, & Secondary School
Job role:
Information Technology

Manager IT/IS Audit

October 2011 - April 2014

Burj Bank Limited

Karachi, Pakistan

In Internal Audit Department (IAD), reporting to Head of Internal Audit, performing:
• Planned and managed staff conducting IS audits as per audit plan as an independent entity according to well-established and globally recognized audit standards and guidelines.
• Pre and Post Implementation audit review of Core Banking System (CBS) iMal.
• Pre and Post audit review of development and implementation of BCP/DRP.
• Evaluating and observing ICFR (Internal Control Over Financial Reporting) and COSO (Committee of Sponsoring Organizations of the Treadway Commission) implementation.
• Evaluated the IS/Cyber Security Strategic Plan of bank and alignment with the business objectives.
• Evaluated the IS Organizational Structure and Management.
• Evaluated the IS/Cyber Security Policies, Standards, Procedures and Business processes.
• Ensured IT is included in the audit universe and annual plan.
• Ensured IT risks are considered when assigning resources and priorities to audit activities.
• Ensured the existence of well-defined IS Audit Manual.
• Developed and performed risk-based IS audit.
• Reviewed and evaluated the IT (hardware, software, networking etc.) Acquisition process, installation reports of individual systems or part of the system or complete system as a whole, maintenance and service level agreements and technology infrastructure.
• Determined what constitutes reliable and verifiable evidence and obtaining sufficient, reliable and relevant and useful evidence to achieve the audit objectives.
• Evaluated business application systems development, acquisition, implementation, and maintenance.
• Performed IT enterprise-level controls audits.
• Performed IT general controls audits.
• Performed IT applications controls audits.
• Performed specialist technical IT controls audits.
• Vulnerability assessment
• Evaluated the effectiveness of Disaster Recovery and Business Continuity plan.
• Effective and efficient use of automated computer based audit techniques to assist the audit processes.
during systems development or analysis activities, operating as Independent experts who understand how controls can be implemented & circumvented and provide opinion on the strength of controls.
• Helped to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.

Company industry:
Banking
Job role:
Information Technology

Asst. Information System Consultant/Auditor

December 2007 - November 2011

Deloitte Touche

Karachi, Pakistan

Worked in Deloitte Touche Tohmatsu as Information Systems Consultant/Auditor in Enterprise Risk Services department.
External Audit: Performed Information System Audit and CA (Control Assurance) Reviews of Allied Bank Ltd (ABL), MyBank Ltd, Arif Habib Bank Ltd, NIB Bank, Optimus Limited, Arif Habib Investments, TATA Textile, Procter and Gamble.
UAE Clients: National Bank of Umm Al Qaiwain, Air Arabia, RMD Kwikform, Univest Brokerage, Darahem Brokerage, Al-KAYAL for Shares & Stocks and FAL Oil.
Internal Audit: BC/DRP (Business Continuity/Disaster Recovery Plan), Access to Sensitive Data by IT Staff (covering Data Networks, Operating Systems: Windows 2003 Enterprise Server, Sun Solaris 9/10, Red Hat Linux Enterprise Edition) and Website review of Karachi Stock Exchange (Guarantee) Ltd (KSE), GCC (General Computer Control) review of UBL fund Manager, IGI Funds, Standard Chartered Modarba.
Specialized in network Security & Architecture, including planning, development, and implementation of IT Solutions. Performed IT audit Projects; provided consulting services to the organization’s management and staff; developed Annual Audit Plan and Audit Program.
Areas of expertise include IS Governance, Risk Management, Business Continuity/Disaster Recovery Planning, IT Security Policy Development, Information System (IS) audit, Security Control Assessment etc.
Good knowledge of international standards like ISO/IEC 17799, COBIT, BCI, DRI, Deloitte, NIST (National Institute of Standards and Technology).
Strong knowledge of Vulnerability Scanning & penetration testing for assessing risk of information systems.
Performed General Computer Controls and Business Cycle Controls review for Banks, asset management and utility Companies to provide reliance on IT Systems for Financial data.
Development of specific audit program related to IT using international Standards. Hands on Audit System 2 Release 3.4 Developed by Microsoft for Deloitte and its member firms and ACL.

Company industry:
Business Consultancy Services
Job role:
Consulting

IT Projects Coordinator

May 2007 - December 2007

Standard Chartered Bank

Karachi, Pakistan

Supervision of deployment of Radio Links, E1 and fiber optics all over Pakistan branches, implementation of voice network all over Pakistan, Cisco Routers configurations, firewall configurations and Avaya PABX Configurations and Vendor Coordination.

Company industry:
Banking
Job role:
Information Technology

Network Administrator

February 2006 - May 2007

Harvest Topworth International

Karachi, Pakistan

Network and Systems Deployment and Connect Corporate Offices through VPN

Company industry:
Financial Services
Job role:
Information Technology

Education

Szabist

August 2005

Master's degree, Data Networks/Software Engineering

Pakistan

Al-Khair University (AJK)

June 1999

Bachelor's degree, Software Development

Pakistan

Skills

Internal Audit: Expert
Business Continuity: Expert
Data Network: Expert
IT Risk: Expert
Information Security Management: Expert
SAP APPLICATIONS: Intermediate
Information System Audit: Expert
Information Security: Expert
IT Risk Consultant: Expert
Business Continuity Plan: Expert
Data Network and GSM Network: Expert

Languages

English
Expert

Memberships

ISACA

Member

August 2008

Training and Certifications

Certifications
Certified in Cybersecurity (CC)
Sep 2023
CISA (Certified Information Systems Auditor)
Dec 2022 - Dec 2027
ISO/IEC 27001:2013 ISMS - LI
Jul 2016
CEH v9 (Certified Ethical Hacker)
Dec 2016 - Dec 2019
Computer Hacking Forensic Investigator (CHFI v8)
Dec 2016 - Dec 2019
CISM (Certified Information Security Manager)
Dec 2010 - Jan 2020

Training
ISO/IEC 27001:2013 Lead Implementer (LI)
BSI
May 2016