Asif Arman Y
acep8m@r.postjobfree.com
Summary
Experienced chief audit executive / privacy audit / global IT risk
management leader with a 17-year proven track record of success leading both
large and small risk/audit teams, focusing on providing value-added results,
developing effective partnerships, growing talent, improving processes, and
adding to the bottom line. Possesses extensive security and audit expertise,
including developing, managing, and improving controls for IT
infrastructure, operations, corporate governance and risk. Demonstrates
in-depth knowledge of regulatory compliance matters, including SOX 404,
privacy audit, SAS 70, SOC 2 and 3, and PCI DSS. Scope of mastery includes:
. IT Risk Management
. IT Governance
. Compliance Negotiation
. 3rd Party Audit Planning and Vendor Risk Assessment
. Information Security Business Process Mapping
. Business Continuity & Disaster Recovery
. Incident Response Training
. Security Training (OWASP)
. Privacy & Security
. Security Architecture
. International privacy
. US Safe Harbor
. HIPAA
. EU data protection
. GLBA, AML, ISO Standard expert
. Data de-identification
. ERP Expert (Oracle and SAP)
Professional experience
Rewards Network, Inc., Chicago, IL
March 2006 - present
Director Data Privacy and Internal Audit
. Designed, implemented, and led information risk management group
. Monitored risk assessment recommendations by scorecard and presented
progress to C-level management.
. Implemented and improved existing processes by creating consistent
control-matrix checkpoints within projects.
. Developed heat maps for risk indicators and provided
explanations/implementation guidance to process owners
. Reduced overall risk by improving and maintaining a robust risk
assessment and implementing best business practices.
. Developed remediation plans and followed closely their implementation
for audit purposes
. Served as the RN Privacy Office's principal point for advice and
compliance for technical evaluations and research for complex solutions.
. Developed and executed 3rd Party/Vendor Audit and Assessments
. Developed and implemented the annual Risk and Compliance Plan and
training materials applicable to risk/privacy portions of the annual
regulatory plan
. Managed and implemented ERP projects
. Coordinated and collaborated closely with the VP of Compliance and SVP
General Counsel to develop long term risk strategies and plan to address
risk management, privacy and security plans
. Provided technical support to RN Legal with respect to internal and
external investigations that are headed by Legal or HR.
. Developed and conducted compliance risk assessments to identify,
assess and prioritize the principal potential compliance risks within RN.
. Performed periodic audits in Operations for compliance with respect to
monitoring, training and communications needs for OFAC, GLBA and Red
Flags requirements
. Managed SOX 404 projects
o Developed and tested process flows, risk matrices, test plans
for both Finance and Information technology group
. Conducted companywide Privacy audit
. Developed and implemented corporate-wide Enterprise Risk Management
(ERM) culture
. Conducted PII reviews and provided recommendations to prevent and detect
data breaches and security issues
. Served as an assistant to senior General Counsel and member of the
Privacy and Security Office, reported to the Director Legal Affairs on
all PII related issues.
. Identified and established effective working relationships with the
privacy compliance officers to ensure consistent corporate-wide compliance
with the Customer Privacy Policy and existing federal, state and
international privacy regulations, and to resolve compliance issues.
. Provided OWASP training to software engineers
. Managed reporting processes and developed educational materials,
programming and training to maintain updated privacy standards and
continually update segment and business unit leaders, and privacy
compliance officers, about changes in laws and regulations that impact
customer and employee relations
. Implemented BCP procedures and script development across the Back Office,
Front Office and IT areas.
. Provided Privacy audit reports to the General Counsel on privacy and
data protection matters and other PII technical compliance issues as
assigned.
. Assisted in the identification and implementation of a comprehensive,
flexible and scalable privacy and data protection legal strategy to
address global compliance issues, as well as client expectations.
. Developed specific privacy disclosures for advertising platforms and
worked with legal to develop privacy templates.
. Implemented COBIT and ITIL framework.
. Made key decisions and judgment calls where policy application and
compliance were involved
. Communicated complex privacy and data issues within the organization and
to external parties
. Kept product disclosures and privacy policies accurate and up to date
. Established and led risk-based internal audit and Sarbanes-Oxley
compliance functions.
. Reported to Audit Committee and Chief Financial Officer
. Collaborated with Management Committee and Audit Committee to define
stakeholder expectations and mission for Internal Audit. Developed
strategic plan and processes for department.
. Implemented technology training and tools for audit staff, enabling more
effective and efficient audits and leading to significant audit
findings.
. Led Enterprise Risk Management initiatives, culminating in assessment by
senior leadership team and members of key business risks and development
of appropriate risk responses.
. Reassigned 20% of IT OPEX annual spend to more effective vital needs
. Eliminated 15% of IT OPEX through contract negotiation and elimination
of non-essential services
. Rebuilt Rewards Information Security and compliance initiatives from
Security Policies, Change Control, event management, and more
. Improved Rewards customer network availability from 90% to 99.9%
. Achieved four years of PCI and SSAE 16 compliance status
. Significantly reduced overall Risk exposure from operational and
security threats
. Oversaw the complete technical re-alignment with current business needs
of Rewards infrastructure and modernization of communications, storage,
and server processing
. Achieved a 95% virtualization status eliminating 20 racks of computer
equipment
. Established and maintained on-going responsibility for the Rewards
Security function, including firewalls, VPN systems, device encryption,
Identity Management, Application Access Controls, IDS/IPS, Security
Policies and Procedures, Risk Assessments, and management security
reporting systems
Key Projects:
1. Virtualization project reduced the physical server count from 200+ down
to 16, including 32 instances of Microsoft SQL Server being
redeployed on 3 high-power IBM X5 servers under a Microsoft EA
using MS DataCenter licensing for SQL.
2. Replaced the internal site-to-site VPN with an MPLS network, simplifying
communications, reducing bottlenecks, and removing internal traffic
from the external customer-facing network. This project was cost
neutral to the OPEX budget.
3. Deployed Rewards' first true DR data center with i-Series, SAN, web,
and internal application processing capability.
4. Redesigned the Rewards web load balancing technology from a Cisco
CSS to an F5 BIG-IP system. This allowed Rewards to deploy a
new Mobile Application and a new Content Management System quicker
and with higher overall load and response capacity.
Protiviti, Chicago, IL September 2004 - April 2006
Sr. Manager Internal Audit
. Provided consulting services to multiple clients on SOX
internal control processes and to the external audit group; created
documentation and implemented various functions as prescribed for compliance
with Sarbanes-Oxley Section 404.
. As a contractor/consultant, provided expertise to many Fortune
500 companies in the following areas:
o Vendor management; reviewed policies and procedures for
BCP
o Conducted quarterly testing for DR and breach scenarios.
o Coordinated with all levels of senior management
on BCP/DR requirements
o Conducted risk and compliance reviews for financial
regulators, OFAC, AML, etc.
. Consulting firm providing technology risk assessment services
to clients required to comply with various regulations, including SOX,
HIPAA and GLBA.
. Provided IT risk assessment consulting services using
vulnerability assessment, social engineering, wireless, network and
application penetration testing, control audits, and maturity
assessments in support of SOX, GLBA, HIPAA, and other regulations for
various industries. Employed COBIT, COSO, ITIL, OSSTMM, and CMM
frameworks.
. Defined the penetration testing methodology used by all technology
consultants.
. Maintained the penetration testing tools image.
CTA, Chicago, IL April 2002 - August 2004
Manager
. Developed, managed and communicated financial and accounting controls
throughout the organization, operating within a $600M budget.
. Managed, supervised and directed activities related to the G/L,
including payroll, A/R, A/P, revenue recognition, account analysis,
purchasing policies and month end closings.
. Coordinated 3-year audit from inception, preparing the company for its
next stage of growth.
. Coordinated and managed the worldwide yearly and quarterly
expense/headcount plans.
. Developed and implemented audit programs to evaluate the effectiveness
of IT controls, accuracy of system generated records, efficiency of IT
operations and Business Continuity Plans and Disaster Recovery Plans.
. Examined records of IT departments and interviewed employees to ensure
recording of transactions and compliance with applicable internal
standards and industry best practices.
. Inspected in-house developed systems to determine their efficiency and
user acceptance.
Fimat USA, Chicago, IL/Paris, France March 2001 - March 2002
AVP - Audit
. Responsible for managing the reconciliation, investigation,
resolution, and reporting of cash, statistical and balance sheet
accounts across treasury and derivative products.
. Managed financial accounting and management/regulatory
reporting processes; managed the internal audit department
. Designed and documented IT controls following the COBIT
framework
. Planned and tested key controls
. Performed gap analysis and remediation of failed controls
. Segregation of duties analysis: analyzed SOD components for the
major business cycles (Order to Cash, Procure to Pay, Asset Accounting,
HR, GL, Project System) and issued the report to the client's SAP
security team for remediation.
E-APPS, Chicago, IL October 1993 - February 2001
E-APPS was an $800M international provider of financial services,
predominantly information technology, to clients with server and hardware
needs. The company went bankrupt in 2001.
Manager - Internal Audit
. Defined processes to comply with customer and IBM corporate
security policies, assessing system control compliance, performing
vulnerability scanning, and administering user processes.
. Planned and created infrastructure for, supported, and managed
IBM AIX environments. Conducted presentations to executive management,
evaluated computing environments, generated technical advisory reports, and
performed risk analysis. Developed architecture and consolidated servers.
Coordinated hardware and software recommendations and managed hardware
and software installation relationships.
. Managed 2 UNIX-based web portal projects supporting Fortune
500-1000 customers, including cost estimation, planning,
implementation, and post-implementation activities.
. Reduced manual labor costs by 2 full-time employees through
replacing manual processing with web portal automation.
. Designed, led development of, and directed team that supported
web portal that provided coordination and compliance around user
requests. Portal also provided vulnerability remediation for Discover
Financial Services, Sears, AT&T, Morgan Stanley, and other clients
supporting 200+ systems with 20,000+ users.
. Played a key role in the design of the IBM standard web portal, HelpNow,
for user and issue management, as well as a basic customer policy translation
tool used by all IBM hosting services teams worldwide to ensure
compliance with contractual obligations
EDUCATION
1992 Central London College - Bachelor of Science in Finance and
Information Technology (NC)
Certifications
CPA, CIPP, CIA, CISSP, PMP and CISA - NA