Nish Gokli, CISA, CIA
San Ramon, CA 94582
Phone 408-***-**** Email:****.*****@*****.***
Compliance & Risk Management Executive
A dynamic, results-oriented leader with a track record of success in
development, consulting, and auditing.
SOX 404 Compliance / Banking Regulatory Compliance (FFIEC, OTS) / PCI DSS
Compliance / GLBA Compliance / Infrastructure Security / Penetration
Testing / Physical Security / Application Security / Technology Operations
/ Technology Due Diligence / Data Analytics
Compliance Regulations: SOX, PCI-DSS, FFIEC, OTS, GLBA
Frameworks & Methodologies: COBIT, ITIL, ISO 27001, ISO 27002, NIST 800-53,
  SDLC, PDLC, COSO, COSO ERM
Tools: ACL, TeamMate, AutoAudit, SekChek, Vantos, Mandiant, Archer, Qualys,
  Vontu, AppDetective, AppScan, NetIQ
Platforms: Windows, Linux, UNIX (Solaris, AIX), AS/400, OS/390,
  MVS (RACF, Top Secret), Firewalls (CISCO, PIX), Networking (routers,
  switches, protocols), Symantec Security Operations Center (SOC)
Databases: Oracle, SQL Server, DB2, MySQL, MS Access
Professional Experience
PayPal - San Jose, CA
05/10 - Present
Senior Manager Seller Risk Management Policy Assurance
- Lead the SRM policy assurance function responsible for implementing a
  quality assurance function to manage seller risk such that PayPal can
  confidently and profitably provide payment acceptance services to any
  legitimate seller.
- Assess the effectiveness of the key processes in the merchant on-
  boarding, monitoring, and collections to proactively manage PayPal
  loss from sellers, while supporting PayPal's brand promise and
  strategic growth imperatives.
eBay - San Jose, CA
Apr-07 - May-10
Senior Manager Technology Audit
- Global responsibility for the IT audit function at eBay, Skype, and
  businesses located in the US, Europe, and Asia Pacific regions.
- Managed an "insider threat assessment" to test the ability of a
  "Trusted Insider" to obtain unauthorized access to restricted data for
  compliance with PCI-DSS and GLBA regulatory requirements.
- Assessed the effectiveness and efficiency of the Vendor Security (VS)
  processes for assessing vendor ability to obtain unauthorized access
  to restricted data for compliance with PCI-DSS and GLBA regulatory
  requirements.
- Performed a security and operational assessment of the production
  Oracle database environment. Scope included using the "AppDetective"
  tool to compare the security configurations against the CIS benchmark
  standards.
- Supported the SOX Project Management Office to provide testing of
  "Key" Controls to ensure compliance with Sarbanes-Oxley legislation.
  1. Assessed the effectiveness of the threat and vulnerability management
     process. Scope included evaluation of the process to identify and
     remediate vulnerabilities, track closure, management reporting, and
     the interface with the configuration management process.
  2. Assessed the effectiveness of the security incident management
     process. Scope included evaluation of the process for detection,
     triage, analysis, reporting, and response for security incidents.
- Collaborated with the Financial and Operational Audit team to manage
  integrated audits of the "Paid Search" marketing and Affiliate Marketing
  processes.
Nationwide Insurance - Columbus, OH
2004 - 2007
AVP Information Systems Audit
- Officer leading the IT audit group for one of the largest insurance
  and financial services companies, with more than 148 Billion in statutory
  assets and net revenues of over $20 Billion.
- Member of a formal governance team consisting of Audit, Legal,
  Privacy, ERM, and Information Risk Management to ensure that PCI-DSS
  and GLBA requirements are met.
- Assessed the maturity of the Nationwide Privacy Compliance program by
  understanding the level of exposure, key policies and procedures in
  place, the current implementation of processes and controls to support
  the standards, and detailed testing of privacy controls to ensure
  continued compliance with changes in the business model.
- Led the effort to develop the risk-based Internal Audit plan. Developed
  and executed the yearly risk management plan (with the concurrence of
  the Audit Committee). Provided feedback on the control environment of
  the company to Senior Management and the Board. Collaborated with
  external auditors to address and resolve corporate control issues.
- Enhanced the capability of the Internal Audit team via the
  implementation of data analysis software (ACL) for the department. ACL
  was used to uncover fraudulent insurance claims, employee expenses,
  and non-compliance with procurement policies.
- Managed pre-implementation reviews of development projects to ensure
  effective project management oversight; appropriate application,
  logical access, and security controls; adequacy of the development
  process (functional and technical design reviews, testing); and
  training of end users to support the changes.
- Member of the steering committee responsible for establishing internal
  controls to ensure compliance with Sarbanes-Oxley (404) legislation.
  The Internal Audit team provided support by testing key controls which
  were relied upon by the external audit team.
- Managed information security and risk management audits to ensure
  protection mechanisms and controls throughout the enterprise are in
  place and working effectively (included infrastructure audits of
  UNIX, Windows, AS/400, MVS, and RACF, as well as Information Risk
  Management activities such as the Security Exception Process and
  Software License Compliance).
AT&T - Bridgewater, NJ
2003 - 2004
Director Integrated Audit (Procure to Pay Process)
- Global responsibility for AT&T Business Services (ABS) & AT&T Consumer
  Services audits and special projects for the customer care and global
  network technology solutions organizations. Responsibility included
  almost every aspect of the company's operations and functions, such as
  ordering, provisioning, credit, billing, statutory and legal
  compliance, customer and vendor contracts, due diligence, network
  operations and maintenance, and infrastructure investment management.
- Responsible for working with the external auditors, the finance and
  technology leadership team, and control owners to document the key
  financially significant business processes, the relevant technology
  supporting those processes, validation of the key controls, and
  testing of the key controls in support of the initial compliance
  activity for SOX.
- Developed an integrated audit approach which uses a multi-disciplinary
  approach to risk management and is adaptable to the changing operating
  model of the company.
- Assessed the effectiveness of the Vendor Management (VM) processes,
  including processes for determining vendor selection, request for
  proposal (RFP) processes, contract review, Service Level Agreement
  (SLA) compliance, and performance review; invoice validation and
  payment approval.
Outsourcing Partnership LLP - Moorestown, NJ
2001 - 2003
Senior Manager Technology Audit
- Outsourced IT audit support for multiple regional banks in NY and NJ
  to ensure compliance with regulatory requirements (FFIEC, OTS).
  Responsibilities included performing the risk assessment, conducting
  the audit, and reporting the results to the Audit Committees.
Ernst & Young LLP - New York, NY
(1997-1998 & 1999-2001)
Manager Security and Technology Solutions
- Assisted a financial services company to design and implement a global
  technical architectural solution. The engagement entailed product
  selection, prototyping the solution, and working with the client to
  implement the solution as a pilot in London.
- Assisted a financial services company to identify process changes and
  technology solutions to modify their stock options administration
  business. The engagement enabled the client to achieve efficiencies
  ranging from 67 to 90 percent.
- Assisted a financial services and publishing company to identify the
  gaps in their information security program and recommended technical
  and organizational changes to address the gaps. Authored security
  policies, standards, and procedures to facilitate security
  administration of their computing environments.
- Performed and managed many information technology due diligence
  efforts for Mergers & Acquisitions (M&A) and Initial Public Offerings
  (IPOs). This entailed analysis of the following: existing systems,
  information technology integration plans, year 2000 exposure, and
  analysis of the data center personnel.
- Experience in Software Quality Assurance services, which include pre-
  implementation reviews, assessing Quality Assurance departments,
  developing system test strategies and plans, and evaluating and
  designing system controls, in both the mainframe and mid-range
  environments.
PricewaterhouseCoopers LLP - New York, NY
(1998 - 1999)
Manager Technology Risk Services
- Managed logical and physical attack and penetration projects
  associated with Client/Server Platforms, Telecommunication
  Environments, Local Area Networks, and the Internet.
- Managed an information technology feasibility study for migration of
  the Accounts Receivable (A/R) package from a legacy to a client/server
  platform. This entailed analysis of the requirements, the possible
  alternatives, and the risks associated with the different options, and
  product selection based on the technical, economic, and timing
  constraints.
IBM - Kingston, NY
(1987 - 1996)
Staff Engineer
- Developed firmware for the IBM ES/9000 (9121) using the Software
  Development Life Cycle (SDLC) methodology (requirements gathering,
  analysis, design, development, testing, quality assurance, and
  maintenance).
Education and Credentials
New York University - New York, NY
Master of Business Administration (Finance/Marketing) 1997
Polytechnic University - New York, NY
Master of Science (Computer Science) 1992
Bachelor of Science (Electrical Engineering) 1987
Technical Certifications
Certified Internal Auditor (CIA)
Certified Information Systems Auditor (CISA)
Affiliations
Member, Information Systems Audit and Control Association (ISACA)
Member, Institute of Internal Auditors (IIA)
Patent
United States Patent 5754810: Specialized millicode instruction for
certain decimal operations