BALAJI PASKANTI CISA CEH v* ISO ***** LA
INFOSEC AUDIT, COMPLIANCE & GRC PROGRAM MANAGEMENT
E-mail Id ac1ss2@r.postjobfree.com Mobile +91-990******* / 982-***-**** LinkedIn http://in.linkedin.com/in/balajipaskanti
“Mayfair Anthem” Apartment, B Block, Flat No. 3019, 2nd Floor, Boganahalli Village Road, Behind ETV Park, Gear School Road, Bangalore - 560103.
Veteran Information Security Program Management professional enriched for IT/IS Governance, Risk & Compliance.
OVERSEAS/ONSITE OFFICIAL VISITS – SHANGHAI & SINGAPORE
HANDS-ON EXPOSURE – Domains viz., IT Products Organizations, IT Services, BFSI and Risk Assurance & Consulting.
LOCATION PREFERENCES
INDIA: Pune, Bangalore, Hyderabad & Navi Mumbai
GLOBAL: APAC, AUSTRALIA, NEW ZEALAND, CANADA, U.S. and U.K.
PROFESSIONAL SNAPSHOT
Total experience sums to 13.6 years; core Information Security domain is 10.10 years, including InfoSec Program Management, Compliance, end to end IT/IS Audit & Consulting Assignments (Third Party Auditor) & User Access Control management.
CURRENT EMPLOYER
In capacity of InfoSec Program Manager with CISCO SYSTEMS INDIA PVT. LTD.
EMPLOYMENT HISTORY
Senior Information Security Specialist in Commercial & Managed Cybersecurity Services with CSC – Computer Sciences Corp.
Consultant – I.S. Auditor & Information Risk Management in Assurance Process Group with ANB Solutions Pvt. Ltd.
Operation Executive - Information & Technology Access Control division with The Bank of New York Mellon.
Assistant IS Auditor - Sachin S. Bhattad Co. & as an Administrative Assistant - Pandhare & Co. Chartered Accountants firms.
INFOSEC EXPERTISE & ACQUAINTANCES
Substantive understanding of IS Auditing Standards, Guidelines, Benchmarking and Best Practices.
Extensive exposure on ISO 27001:2005/2013 ISMS security requirements, clauses, domains, controls and control objectives.
Full life cycle implementation in line with Risk Management processes viz., Gap Analysis, Risk Assessment & Risk Mitigation.
INFOSEC COGNIZANCE - LAWS, ACTS, & STANDARDS REQUIREMENTS
Considerate and comprehensive understanding of ITGC, EU Data Privacy, SOX, SAS 70 i.e. SSAE 16, COBIT, HIPAA & PCI DSS.
ORGANIZATIONAL SKILLSETS
Leadership and communication skills: Demonstrated an ability to set direction, generate a sense of urgency & purpose.
BAU (Business as usual) Knowledge & Partnership: Built and leveraged effective coalitions across technical and business community and ability to anticipate and adapt processes in support of changing business conditions.
Planning and Project Management: Strong project management and planning, outstanding influencing and negotiation skills.
CORE COMPETENCIES
INFOSEC PROGRAM MANAGEMENT
INFOSEC AWARENESS – TRAINING & EDUCATION
SDLC METHODOLOGIES – WATERFALL & AGILE
SECURE DEVELOPMENT LIFECYCLE METHODOLOGY
EXTRANET GOVERNANCE - VENDOR RISK MGMT
EXTRANET SECURITY METRICS & MEASUREMENT
ISO 27001 COMPLIANCE AND IMPLEMENTATION
IT GENERAL COMPUTER CONTROLS AUDIT & COMPLIANCE
RISK MANAGEMENT – ASSESSMENT & MITIGATION
BUSINESS CONTINUITY & DISASTER RECOVERY PLANNING
USER ACCESS CONTROL MANAGEMENT
DATA CENTER - PHYSICAL & ENVIRONMENTAL SECURITY
CERTIFICATIONS, STANDARDS & TRAININGS
CISA Certified (16127701) Good Standing Certified Information Systems Auditor, ISACA, USA.
ISO 27001 Lead Auditor BSI Management Systems, Pune, INDIA.
CEH v7 EC (E-Commerce Consultants)-Council, USA.
Pursuing CISSP Certified Information Systems Security Professional, ISC2, USA.
PMP Training PMP Preparatory Session CSC, Hyderabad, INDIA.
ITIL v3 Foundation Training ITIL Preparatory Session CSC, Hyderabad, INDIA.
InfoSec Ninja White Belt Certification Cisco InfoSec Training cum Certification, Bangalore, INDIA.
EDUCATIONAL QUALIFICATIONS
B.Sc. Mathematics Bachelor of Science, Shivaji University, Kolhapur, INDIA.
PROFESSIONAL EXPERIENCE
ORGANIZATION: CISCO SYSTEMS INDIA PVT. LTD., BANGALORE, INDIA. (www.cisco.com)
DESIGNATION: InfoSec Program Manager
DIVISION: Global Extranet & InfoSec Compliance, Security & Trust Organization
TENURE: April 2013 – Present
IMMEDIATE LINE OF REPORTING – INFOSEC DIRECTOR
TEAM MANAGED – 5 REPORTEES
PROFILE & KEY ACCOUNTABILITIES - FIREWALL ACL RULES AUDIT & AUTOMATION, SERVICE COMPLIANCE – AUDIT, ASSURANCE & AUTOMATION, ISO 27001 INDIA SITES END TO END PROGRAM MANAGEMENT, IT SERVICES BCP/DRP, INFOSEC GOVERNANCE & EXTRANET RISK MANAGEMENT
SERVICE COMPLIANCE – AUDIT ASSURANCE AUTOMATION
-Devised end to end audit process flow procedure and simplified to justify why, how & what rationales behind audit strategy
-Established scope of audits for Firewall FDCS, Labs, Extranet, Engineering Access, & Awareness services within InfoSec
-Driven audit services, published the dashboards on gaps/issues, scheduled the governance meetings & remediated the gaps
FIREWALL ACL RULES – AUDIT ASSURANCE AUTOMATION
-Devised requisite problem statement, current state, proposed remediation, challenges & future state
-Brainstorming of ACL rules/lines to interpret into structured data & blocks to qualify for writing automation scripts
-Chalked out RACI matrix to ensure proper segregation of duties, independence and transparency of roles
-Ownership of reviews, publish the dashboards on gaps/issues, schedule the governance meetings & remediation
-Prioritized the criticality of Firewall ACL rules based on the current cyberattacks and threat landscape
-Defined Tier wise approach to focus on high risk ACL audits and ensure the clean-up activity for dormant & expired ACL rules.
ISO 27001 PROGRAM MANAGEMENT END TO END - Audit, Compliance, and Governance & Facilitated Implementation.
-Strategized the global ISO 27001 Programs alignment w.r.t. current state representation, roadmap, future/maturity state, transition and maintenance of continuous service improvements – APJC regions
-Drafted the APJC – ISO 27001 Updates Dashboard to the senior leadership and executive management
-Introduced ISO 27001 Program as a service offering through Standard Service Catalogue mode for new site additions
-Derived service review metrics and business cost model for new site ISO 27001 Framework Establishment for implementation effort/ballpark estimation, gap assessment and extension to the scope of ISO 27001 Global sites
-Revamp of Risk Assessment methodology by adopting the 27005 & ISO 31000 Risk Management best practices
-ISO 27001 Program INDIA – Planned, Initiated, Executed, Monitored till the Project Closure phase.
-Enforcement and introduction of new initiatives for ISO Program activities and phases to depict the overall effectiveness and to deliver value to the business
-Sought buy-in from senior leadership on focus areas for ISO 27001 program activities to improve overall InfoSec posture
-Organized, conducted, drafted and communicated internal audit and risk assessment reports for assessed business units/functions and also proposed technical/process based solutions to reduce the risks of data loss as remediation steps.
-Addressed security risks pertaining to all information assets identified during risk assessment phase and recommended appropriate security controls as per risk mitigation strategy.
-Created and managed two intranet community sites for publishing ISO 27001 Program planned activities via dashboards, announcements and status updates to Management Information Security Forum, InfoSec teams, Global ISO 27001 Program team, all regular and partner employees
-Communicated trend analysis of the InfoSec metrics health report and kept the Business Unit/Function POCs, Senior Leadership Team, Management Information Security Forum and Global team abreast of any changes to the standard requirements, program updates and new initiatives from time to time.
-Organized MRM (Management Review Meeting) and communicated the MOMs to Business Unit & Senior Leadership Teams.
-Responded to client RFPs and Information Security Questionnaires, liaising with the Business Development Sales team.
-Responsible for meeting customer ISMS audit compliance and also supporting compliance for Safe Harbor (EU Data Privacy and Protection), HIPAA, SAS 70 (SSAE 16) & SOX.
-Established influential relationships with the cross-functional teams i.e. product engineering, services, IT applications & Infrastructure Services business units, support functions and senior executive leadership team.
GOVERNANCE FRAMEWORK - EXTRANET INFOSEC RISK MANAGEMENT
-Proposed revisions in the Extranet InfoSec Risk Management Framework, process and guidelines for all extranet partners
-Streamlined lifecycle for Extranet New Site Engagement, Site Setup/Implementation, Site Operational and Site Decommissioning stages.
-Proposed enhancements/changes to close gaps and address challenges to extranet risk management process
-Extranet Security Metrics – Consolidated Risk Register conceptualization, data source attribution and implementation
BCP/DRP - BUSINESS CONTINUITY PLANNING & MANAGEMENT - IT SERVICES
-Liaising with Global BCP Program Team - kick off meeting to closure on BCP
-Review existing BCP for the IT services, Identification of IT services & Prioritization of Services (BIA workshops)
-Individual BCP of IT services - Proposed separate BCPs for services which do not have a BCP in place
-Efforts to establish comprehensive BCP for all critical IT services
ORGANIZATION: CSC - COMPUTER SCIENCES CORPORATION, HYDERABAD, INDIA. (www.csc.com)
DESIGNATION: Senior Information Security Specialist
DIVISION: Commercial & Managed Cybersecurity Services
TENURE: Oct 2011 – Apr 2013
IMMEDIATE LINE OF REPORTING – INFOSEC SENIOR MANAGER AND CISO
PROFILE & KEY ACCOUNTABILITIES - ISO 27001 AUDIT, COMPLIANCE & IMPLEMENTATION
Internal functions/departments audited
Corporate Services, Human Resources, Building Management System, Data Center - Environmental security controls, Procurement services, Training - Learning and Development, IT Audit (Network & Server support) and Project Support (Logistics & IT Help Desk Support); third party vendor audits of Drinking Water supplier, Base Kitchen Caterers and Security personnel/guards Services.
-Conducted SCI (Security Compliance Index) Audit for all prime accounts/projects for evaluating the effectiveness.
-Delivered ISMS induction trainings, Project specific ISMS coordinators training and information security awareness sessions.
-Conducted vendor risk management review for contractual agreements & compliance in line with ISO 27001 security controls.
-Provided the approval for the movement of the computing peripherals and devices from the clients and within organization.
-Responsible for compliance and reviewing clients' MSAs (Master Service Agreements) & SOWs (Statement of Work).
-Responded to client RFPs, Information Security Questionnaires & devised CSA (Client Security Analysis) sheets.
-Actively participated in MRM (Management Review Meeting) and communicated the MOMs to concerned stakeholders
-Fine tuned and also implemented the Information Security policies and procedures across the organization.
-Facilitated and proposed solutions as an internal auditor and also responsible for submitting information security metrics, CAPA (Corrective/Preventive Action Plan) report and internal security audit report to CISO.
-Facilitated surveillance/external audit for compliance and CAPA tracker for open items.
-Responsible for meeting customer ISMS audit compliance and also supporting compliance for HIPAA, SAS 70 & SOX.
-Planned and imparted periodic information security awareness training programs across organization.
RISK MANAGEMENT
-Conducted and reviewed Risk Assessments for all key projects/accounts and support teams.
-Addressed security risks pertaining to all information assets of the company and risk mitigation across organization.
BUSINESS CONTINUITY MANAGEMENT
-Responsible for BCP compliance pertaining to ISO 27001 and conducted BCP audit and closed the gaps identified.
-Ensured the implementation, execution of fire evacuation and mock drills periodically.
ORGANIZATION: ANB SOLUTIONS Pvt. Ltd., MUMBAI, INDIA. (www.anbglobal.com)
DESIGNATION: Consultant – I.S. Auditor
DEPARTMENT: Information Risk Management & Assurance Process
TENURE: Mar 2011 – Oct 2011
IMMEDIATE LINE OF REPORTING – SENIOR MANAGER & DIRECTOR
PROFILE & KEY ACCOUNTABILITIES – IT / IS AUDITING & CONSULTING
-Client interaction via oral and written mode for business process understanding & audit requirements.
-Review of various areas like ITGC, Application and Password security, Backup and recovery, Change management & BCP/DRP.
-Process walkthrough, gap analysis, risk assessment & process definition as per mandated guidelines.
-Preparation of checklist, process flow diagrams and procedure manuals as per the audit scope.
-Identifying gaps, categorizing risk, implications and simultaneously recommending solutions.
-Drafted policies and standard operating procedures to adhere to functional and control requirements.
-Preparation of audit report and risk heat map sheets accordingly.
PROJECTS HANDLED
| Clientele | Mandate/Statute | Industry/Vertical | Assignments |
|---|---|---|---|
| IDBI Federal Insurance | IRDA | Insurance | Windows Server Audit and Privileged User Identity Management SOP review & Data Center – Physical & Environmental security |
| ICICI Bank | RBI | Banking | Proactive audit – OS & Server hardening review |
| Kotak Life Insurance | IRDA | Insurance | Data Center - Physical & Environment Security, SOP review, BCP and DRP |
| AEGON Religare Life Insurance | IRDA | Insurance | BCP and DRP, Data center – Physical and Environmental Security, SOP review, Media Disposal, Antivirus & Change management |
| CCIL – Clearing Corporation of India Ltd. | RBI and SEBI | Securities Exchange & Settlement Body | Server Audit, Access Control Matrix review, Application Audit - IT controls testing, Change management & Back Up and Recovery process review. Data Centers – Physical & Environmental security. |
ORGANIZATION: THE BANK OF NEW YORK MELLON, PUNE, INDIA. (www.bnymellon.com)
DESIGNATION: Operation Executive
DIVISION: ITAC - Information & Technology Access Control Division
TENURE: Oct 2007 – Mar 2010
IMMEDIATE LINE OF REPORTING – ASSISTANT MANAGER & GROUP MANAGER
PROFILE & KEY ACCOUNTABILITIES - USER ACCESS CONTROL MANAGEMENT
-Ensured security rules devised by IT Risk and security department are intact, applied and functional.
-Administered user access controls as per security levels prescribed in ACLs (Access Control Lists) & SOD Matrix.
-Articulated access provisioning process flowcharts, drafted procedure manuals, prepared presentations and checklists
-Prioritized and retained KPI parameters viz., TAT (Turnaround time), AHT (Average handling time) and accuracy check (internal and external quality) thresholds of access provisioning projects.
-Provision of evidence to support compliance reviews conducted by internal and external audit teams.
-Performed periodic reviews of provisioned access requests as per application & systems to avoid errors and omissions.
-Aligned the user access controls in adherence to agreed service level and as per information security policies.
COMPANY/FIRM: SACHIN S. BHATTAD Co., Chartered Accountants, SOLAPUR, INDIA.
DESIGNATION: Assistant IS Auditor
TENURE: Jan 2006 - Sept 2007
PROFILE & KEY ACCOUNTABILITIES – INFORMATION SYSTEMS AUDITS
-Performed audit of IT General Controls and Information Security Controls.
-Carried out IS/IT audits by applying process walkthroughs, fieldwork, interviews, observations and client site visits.
-Determined the reliability and design effectiveness of internal controls of the existing systems.
-Ensured and assessed the conformance to prescribed policies, procedures & regulatory guidelines.
-Followed-up with management for status of audit recommendations till the closure of the audit engagement.
COMPANY/FIRM: Pandhare & Co., Chartered Accountants, SOLAPUR, INDIA.
DESIGNATION: Administrative Assistant
TENURE: Jun 2003 - Dec 2005
PROFILE & KEY ACCOUNTABILITIES – ACCOUNTS, AUDIT & ADMINISTRATION
-Planned and assigned audit & taxation work by means of relevant audit resources.
-Assisted in the preparation of supporting schedules for auditors during audit planning phase.
-Monitored and controlled the inflow & outflow of funds for claims to clients and auditors.
-Liaised between client & auditors by recommending improvements to audit process flow and procedures.
FAMILY BUSINESS
GOVERDHAN MEDICAL & GENERAL STORES, CHEMIST & DRUGGIST, SOLAPUR, INDIA.
Apr 2002 to May 2003
TECHNICAL SKILLS
Operating Systems: Windows XP, 7, Server 2K, 2K3 & 2K8.
Programming languages: C & Visual Basic.
Office automation tools: MS Office Suite.
DIPLOMAS & COURSES
Diploma in Software Testing – Seed Infotech, Pune.
Diploma in Computer Management – Passion Computers, Solapur.
MEMBERSHIPS AND AFFILIATIONS
ISACA (Information Systems Audit and Control Association), USA.
ISACA Bangalore Chapter, Bangalore, INDIA.
PERSONAL PROFILE
Name: Balaji Ambadas Paskanti.
Date of birth: 14th July, 1980.
Permanent Address: Ashray Bungalow, Plot No. 53, Shriram Nagar, Behind Laxminarayan Theatre, Solapur – 413003, Maharashtra.
Marital Status: Married
Passport details: Valid up to Oct 2017