Zeeshan Qader, AVP - Manager Internal Control (Information Systems)

Bank

Location
Pakistan
Education
Master's degree, Data Networks/Software Engineering
Experience
17 years, 11 Months


Work Experience

AVP - Manager Internal Control (Information Systems) at Bank
  • Pakistan - Karachi
  • My current job since May 2018

• Implementing and evaluating ICFR (Internal Control Over Financial Reporting) based on the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework in the information systems (ITGC, application controls) areas throughout the Bank.
• Implementing the State Bank of Pakistan (SBP) regulatory framework "Enterprise Technology Governance & Risk Management Framework for Financial Institutions".
• Assist in the complete documentation of the Bank's internal control processes related to information systems (both at entity level and at activity level) in the form of process-level workflows.
• Assist in risk assessment of the information systems business sub-processes/sub-cycles at entity level and activity level by developing Risk Control Matrices.
• Assist in validating the information systems process-level workflows and Risk Control Matrices documentation with the respective departments/branches.
• Assist in developing testing plans for operations related to information systems of the Bank, at both entity level and activity level.
• Assist in conducting internal control reviews related to information systems for the Bank's operations. The review covers all activities/operations at Head Office level and at branch level.
• On the basis of internal control reviews related to information systems, develop and submit a 'Gap Analysis Report' and respective recommendations to the Head.
• Assist in conducting the Quality Assurance exercise for gap validation.
• Assist in preparing the Remediation Plan and conduct follow-ups on the remediation of gaps.
• Team member in conducting full-scope reviews at branches to assess the effectiveness of key information systems controls.
• Liaison with the external auditors / consultants and regulators.
• Scanning and analyzing the end-to-end system for vulnerabilities.
• IT/IS control reviews and preparation of risk-based reports for presentation to the ICC (Internal Control Committee) and the BAC (Board Audit Committee).
• Advisory member of Cyber Threat Intelligence Unit (CTI-U) of the Bank.

Information Security Consultant/Auditor at Freelancer
  • Pakistan - Karachi
  • May 2017 to April 2018

• Developing and formulating IT/IS policies and procedures.
• Applying the information security strategy so that there is quantifiable progress in implementing it.
• Monitor industry trends, evolving threats, vulnerabilities and control techniques.
• Risk management, IS risk assessment and treatment plan.
• Scanning and analyzing the end-to-end system for vulnerabilities.
• IT/IS Audits

IT Security Consultant/Auditor at Ministry Of Interior (MOI)
  • Qatar - Doha
  • December 2015 to March 2017

• Develop and maintain IT/information security standards, policies and procedures.
• Develop and maintain mandatory and non-mandatory documents for the ISO/IEC 27001:2013 certification program.
• IS risk assessment and treatment plan.
• IT General Controls and IT Management Process Reviews (covering IT strategy, IT Resource Planning, IT Operations, Information Security, Applications / Networks / Hardware / System Software Change Management, Software Licenses and Business Continuity/Disaster Recovery).
• Prepared Annual Internal Audit Plan.
• Conduct internal IT audits, create exception reports and present them to management.

Manager IT Security at TPL Holdings
  • Pakistan - Karachi
  • December 2014 to December 2015

Operational / Functional Responsibilities at TPL Holdings
• Ensure that an objective, independent review and approval process exists for both security plans and procurement requests to validate the adequacy of proposed security safeguards.
• Establish and maintain an information security certification/accreditation program. This includes ensuring that all systems have completed and maintained security plans, risk assessments, and security self-assessments.
• Act as a liaison between the IT Departments on Department-wide security initiatives, incident response activities, and on fulfilling information security reporting requirements.
• Develop and maintain information security standards, policies and practices.
• Define security matrices and configuration management planning.
• Based on review and evaluation of current/active security controls, assess potential risk and exposure to the information assets; prepare a detailed security review program that includes the tests to be performed. This review is also used for performance enhancement of IT assets.
• Research publicly available tools, exploits and frameworks as a proactive approach to information security.
• Conduct internal IT audits, create exception reports and present them to the board of directors.
• Near real-time log analysis and monitoring using IBM QRadar SIEM.
• Designing and implementing Data Loss Prevention using Symantec DLP.
• Involved in planning, maintaining and executing organization wide Business Continuity and Disaster Recovery Initiatives, and related projects.
• Implementing Symantec whole disk encryption on all critical terminals/nodes nationwide.
• Conducting Security Awareness Training Program.
• Various penetration tests and vulnerability assessments at the application and network layers.
• Designing and developing a risk assessment methodology for nationwide information risk management.
• Designing and implementing security visualization techniques for the Security Operations Center.
• Designing and developing information security policies and processes according to the ISO 27000-series standards, along with ISO 27002 controls implementation.

Management Responsibilities at TPL Holdings
• Planning, budgeting and managing nationwide IT Security projects.
• Create and maintain the Statement of Applicability matrix for all critical IT assets.
• Create and maintain an incident response capability. Assist in forensic analysis/investigations in the event of an information security incident.
• Prepare a report on findings (from the security review) and gather and compile sufficient and appropriate evidence to support such findings.
• Make sure that the analysis, design and development of in-house software/systems have been performed according to information security best practices.
• Assist the network and software departments in implementing organization-wide IT operations in heterogeneous operating environments.
• Evaluate proposals and solutions from vendors for the procurement of various initiatives for the organization-wide IT infrastructure.

Information Security Consultant at Mawhiba
  • Saudi Arabia - Riyadh
  • April 2014 to August 2014

• Analyzing the organization's overall security risks and requirements. Providing technical security insight, perspective and assessments on various technologies, products and resources.
• Facilitating the reassessment of the current technology architecture, analyzing system gaps and implementing a new technology roadmap to meet future needs.
• Developing, implementing and enforcing organizational information systems security policies and procedures.
• ISO 27001 implementation.
• Vulnerability assessment and penetration testing.
• Business risk analysis, security testing and benchmarking.
• Security strategy, governance, compliance and risk management.

Manager IT/IS Audit at Burj Bank Limited
  • Pakistan - Karachi
  • November 2011 to April 2014

Worked in Burj Bank Limited as Manager IT/IS Audit in the Internal Audit Department (IAD), reporting to the Head of Internal Audit, performing:
• Planning and managing staff conducting IS audits as per the audit plan, as an independent entity, according to well-established and globally recognized audit standards and guidelines.
• Evaluating the IS Strategic Plan of the bank and its alignment with the business objectives.
• Evaluating the IS organizational structure and management.
• Evaluating the IS policies, standards, procedures and business processes.
• Ensuring IT is included in the audit universe and annual plan.
• Ensuring that audit planning considers IT issues for each audit.
• Developing and performing risk-based IS audits.
• Reviewing and evaluating the IT (hardware, software, networking, etc.) acquisition process, installation reports of individual systems, parts of a system or a complete system as a whole, maintenance and service level agreements, and technology infrastructure.
• Determining what constitutes reliable and verifiable evidence, and obtaining sufficient, reliable, relevant and useful evidence to achieve the audit objectives.
• Evaluating business application systems development, acquisition, implementation and maintenance.
• Performing IT enterprise-level controls audits.
• Performing IT general controls audits.
• Performing IT application controls audits.
• Performing specialist technical IT controls audits.
• Evaluating the effectiveness of the Disaster Recovery and Business Continuity plan.
• Making effective and efficient use of automated computer-based audit techniques to assist the audit processes.
• During systems development or analysis activities, operating as an independent expert who understands how controls can be implemented and circumvented, and providing an opinion on the strength of controls.
• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.

Asst. Information System Consultant/Auditor at Deloitte Touche
  • Pakistan - Karachi
  • December 2007 to November 2011

Worked in Deloitte Touche Tohmatsu as Information Systems Consultant/Auditor in the Enterprise Risk Services department.
External Audit: Performed Information System Audit and CA (Control Assurance) reviews of Allied Bank Ltd (ABL), MyBank Ltd, Arif Habib Bank Ltd, NIB Bank, Optimus Limited, Arif Habib Investments, TATA Textile, and Procter and Gamble.
UAE Clients: National Bank of Umm Al Qaiwain, Air Arabia, RMD KIWKFORM, Univest Brokerage, Darahem Brokerage, Al-KAYAL for Shares & Stocks, and FAL Oil.
Internal Audit: BC/DRP (Business Continuity/Disaster Recovery Plan), Access to Sensitive Data by IT Staff (covering data networks and operating systems: Windows 2003 Enterprise Server, Sun Solaris 9/10, Red Hat Enterprise Linux) and website review of Karachi Stock Exchange (Guarantee) Ltd (KSE); GCC (General Computer Controls) review of UBL Fund Managers, IGI Funds, and Standard Chartered Modaraba.
Specialized in network security and architecture, including planning, development and implementation of IT solutions. Performed IT audit projects; provided consulting services to the organization's management and staff; developed the Annual Audit Plan and Audit Program.
Areas of expertise include IS governance, risk management, Business Continuity/Disaster Recovery Planning, IT security policy development, Information System (IS) audit, security control assessment, etc.
Good knowledge of international standards such as ISO/IEC 17799, COBIT, BCI, DRI, Deloitte, and NIST (National Institute of Standards and Technology).
Strong knowledge of vulnerability scanning and penetration testing for assessing the risk of information systems.
Performed General Computer Controls and Business Cycle Controls reviews for banks, asset management and utility companies to provide reliance on IT systems for financial data.
Development of specific IT audit programs using international standards. Hands-on experience with Audit System 2 Release 3.4 (developed by Microsoft for Deloitte and its member firms) and ACL.

IT Projects Coordinator at Standard Chartered Bank
  • Pakistan - Karachi
  • May 2007 to December 2007

Supervision of the deployment of radio links, E1 and fiber optics across all Pakistan branches; implementation of the voice network across Pakistan; Cisco router configurations, firewall configurations and Avaya PABX configurations; and vendor coordination.

Network Administrator at Harvest Topworth International
  • Pakistan - Karachi
  • February 2006 to May 2007

Network and systems deployment, and connecting corporate offices through VPN.

Education

Master's degree, Data Networks/Software Engineering
  • at Szabist
  • August 2005
Bachelor's degree, Software Development
  • at Al-Khair University (AJK)
  • June 1999

Specialties & Skills

Internal Audit
Business Continuity
Data Network
IT Risk
Information Security Management
Information System Audit
Information Security
IT Risk Consultant
Business Continuity Plan
Data Network and GSM Network

Languages

English
Expert

Memberships

ISACA
  • Member
  • August 2008

Training and Certifications

Certified in Cybersecurity (CC) (Certificate)
Date Attended:
September 2023
CISA (Certified Information Systems Auditor) (Certificate)
Date Attended:
December 2022
Valid Until:
December 2027
ISO/IEC 27001:2013 ISMS - LI (Certificate)
Date Attended:
July 2016
ISO/IEC 27001:2013 Lead Implementer (LI) (Training)
Training Institute:
BSI
Date Attended:
May 2016
Duration:
32 hours
CEH v9 (Certified Ethical Hacker) (Certificate)
Date Attended:
December 2016
Valid Until:
December 2019
Computer Hacking Forensic Investigator (CHFI v8) (Certificate)
Date Attended:
December 2016
Valid Until:
December 2019
CISM (Certified Information Security Manager) (Certificate)
Date Attended:
December 2010
Valid Until:
January 2020