
Information Security Management

Location:
Vaughan, ON, Canada
Posted:
November 21, 2016


Resume:

Mahendra Narain


CAN START NOW

PROFILE My consulting experience and time with J.P. Morgan, Time Inc., Protiviti Inc., PricewaterhouseCoopers, and other Fortune 100 organizations has given me a great deal of experience, particularly in information security. My computer science background is extensive and I have an in-depth understanding of the industry. I enjoy interacting with people and I have excellent analytical and communications skills. I have a particular strength in liaising between clients, colleagues and management to resolve important issues. My attention to detail is outstanding and a major factor in the success of my previous appointments. I am willing to travel.

OBJECTIVES To obtain a growth-oriented and challenging position within Information Security that will utilize my academic preparation and business skills.

TECHNICAL SKILLS Information Security: Knowledge in leading information security risk, technology audits, data privacy (HIPAA, PCI, GLBA), database, vendor assessments and cloud computing. Utilizing tools, but not limited to: AppDetective, Wireshark, Nessus, Nmap, GFI LANGuard, Archer, Qualys (Certified), eDiscovery (EnCase), DLP tools and IBM AppScan. Programming: Detailed knowledge of programming / scripting languages and web technologies: C/C++ and Java via UNIX or Windows. Databases: Detailed knowledge of database technologies: Oracle.

PROFESSIONAL EXPERIENCE

Follow The Sun Consulting

Ontario’s Government(s), Toronto May 2015 - Present

Snr. Security Risk Consultant

Lead Business / Security and project manage security initiatives;

Enhance the firm’s understanding of PCI for LoBs and develop PCI gap assessments;

Develop and validate PCI controls, collaborate with the IT and Applications teams on PCI DSS requirements for the existing infrastructure, applications and new technologies and applications;

Advise teams in the development of policies, processes and supporting documentation for PCI DSS;

Based on the three lines of defence, help drive and produce client-ready Harmonized / Threat Risk Assessment (H/TRA) Reports for senior management and project team(s);

Lead HTRA Assessment(s) and apply all Cyber Security methodologies;

Technical knowledge of security domains, not limited to: Information Security Governance and Risk Management, SDLC, Cryptography, Security Architecture and Design, Operations Security, Business Continuity and Disaster Recovery Planning, Legal, Regulations, Investigations and Compliance, and Physical security;

Work closely with stakeholders (Architecture, Infrastructure, Development and Business Lines) to identify critical business processes and functions (2nd Line);

Work closely with stakeholders (Architecture, Infrastructure, Development and Business Lines) to identify critical assets and dependencies;

Plan and facilitate all client workshops; and

Develop findings and recommendations for draft reports; deliver and present client final deliverables/reports (Executive Summary, Risk Mitigation and Residual Risk results) to senior management and project team(s).

PwC LLP, New York, USA March 2015 - May 2015

Snr. Security Consultant

Information Security Consultant

Support 2nd line of defence. Produce client-ready Threat Risk Assessment (TRA) Reports for senior management and project team(s);

Database Security

Data Security/Privacy – HIPAA, GLBA, Governance, Classification, Leakage, Vendor Management, Encryption / Cryptography

Vulnerability/Penetration Testing, Code Review – Infrastructure, Application, Network, Database, and Mobile

eDiscovery Computer Forensics (EnCase) – UK and US Government

Lead Security and project manage Security initiatives.

TD Bank, Toronto December 2012 – March 2015

Information Risk Officer, Mergers & Acquisitions (M&A)

Led Security and project managed Security initiatives based on TD’s SDLC;

Demonstrate extensive change agility, especially the ability to analyze data, reporting trends/key Information Security risk to C-level management; help improve processes to better meet client needs and highlight compliance processes to align with regulatory and business changes.

Based on the three lines of defence, help drive the Information Security risk governance and control framework for the Credit Card portfolio. Document processes and lead assessments (security and audit (ITCG)) for identifying, assessing, and documenting information security risk. Provide early warning of potential failure to meet information security requirements; Provide security leadership and communicate security issues and recommendations to management

Led Application Security for the Enterprise Credit Card Program (Vulnerability/Database and Penetration Assessments); understanding of OWASP;

Managed and provided oversight to the ISOs regarding Information Security frameworks/processes (e.g., Information Security Assessments, Reviews, VAs, PenTest- AppScan…etc.), ensuring key risks were highlighted and controls identified and implemented to mitigate risk;

Provided consulting and participated in business security initiatives; worked with Credit Card leadership, senior management and key stakeholders (Architecture, Infrastructure, Development and Business Lines) on enterprise initiatives to improve overall security posture;

Provided relationship management to the Credit Card portfolio LoBs, vendors and key stakeholders; evaluated and assessed emerging security threats and vulnerabilities in the portfolio; worked with team and portfolio personnel to identify appropriate controls and/or develop strategic solution(s); and

Comprehensive experience with SDLC processes (TD and Agile) to help drive continued development.

J.P. Morgan, New York City, USA May 2010 – October 2012

Vice President, Global Technology Infrastructure – Technology Risk Management

Worked closely with management to provide risk based expertise across the firm (Investment Banking, Asset Management, Commercial Banking, Treasury & Worldwide Securities);

Led Security and project managed Security initiatives;

Assessed firm risk by continuously understanding firm strategy for ITRM business lines: Information Technology Risk & Security Management (ITRSM) – Applications Security and ITRSM – Risk Assessment; helped business lines meet best practice to reduce risk exposure at the early stages by applying governance and controls; recommended mitigation strategies to business leaders;

Worked with ITRSM – Risk Assessment Team to perform Risk Assessments for cross-LoB Infrastructure / Application components;

Acted as a SME on Application Information Security topics for Audits;

From an audit perspective, owned ITRM and Global Service Operations (GSO) business line relationships such as: ITRSM – Application Security and L1/L2 (infrastructure/client), Problem / Incident Management;

Participated in Information Security working groups for firm wide ITRSM business initiatives;

Partnered cross-functionally with risk experts in APAC, EMEA, and the Americas to better understand cross-business impact as well as develop solutions that reduce or mitigate ITRSM operational risk;

Comprehensive knowledge of relevant standards, practices and their implications (e.g. ISO 2700x, GLBA, SOX, PCI, Basel II, European Security / Privacy regulations);

Led technology audits; drove planning, execution, risk evaluations and final report(s), and determined effectiveness of the risk mitigation plans; developed final reports for fellow clients, stakeholders, senior management, audit committee(s) and the firm executive board;

Managed relationships with internal/external auditors as well as firm clients and other key stakeholders;

Provided a consulting and advisory approach throughout the position.

Time Inc., New York City, USA May 2008 – May 2010

Lead Information Security Engineer, Information Risk Management;

Worked closely with management and C-level leadership to drive firm wide information security initiatives;

Led Security (Application Security) and project managed Security initiatives;

Provided information security expertise across the organization (e.g., development, infrastructure, BCP, regulatory) as well as management to influence security awareness, improve security controls as well as foster change;

Provided co-ordination and oversight of Application Security testing firm wide;

Provided oversight, development, and implementation of the application risk ranking process;

Fostered the maturity of processes for identifying, analyzing, and actively managing the application risk portfolio for the US, UK and Mexico;

Managed and ensured all pertinent Information Risk and Control regulatory requirements and applicable firm-wide policies were understood by Line of Business (LoB) clients, technologists, and Information Risk Management (IRM) team members, and that these policies were implemented and monitored successfully;

Managed AppScan, SOX and PCI-DSS for Time Inc and subsidiary publications in the US, UK, The Netherlands, and Mexico. Aligned risk with information security standards and frameworks;

Key leader on new information security products and solutions;

Managed new information security initiatives (e.g., Data Privacy/DLP (Vontu), Archer, Vendor, Governance, Risk Management & Compliance (GRC)); defined business requirements, obtained C-Level business acceptance, and managed implementation(s), budgeting, proof of concepts, and final purchase;

Built and maintained strong business and vendor relationships;

Managed direct reports for various skill sets (e.g. penetration testers, compliance); coached and defined projects for staff;

Comprehensive experience with SDLC processes (Agile); and

Provided information security incident response support and management; managed critical monitoring and infrastructure concerns as they arose.

Protiviti Inc., New York City, USA August 2006 – May 2008

Senior Information Security Consultant, Security & Privacy Management

Provided specialized information security consulting for major financial services firms;

Managed and performed a variety of Data Privacy projects with the overall goal of understanding data leakage;

Enhanced reporting by monitoring corporate network traffic with tools such as Vericept and Vontu;

Implemented Data Privacy roadmaps to help clients streamline initiatives and/or remediate Information Security concerns; managed and performed technology / application risk vulnerability assessments;

Supported 2nd / 3rd lines of defence with process design and process re-engineering of internal operations;

Drove audit approach by documenting operational business processes, deriving narratives and findings; communicated with operational risk groups about process breakdown and operational in/effectiveness;

Led international Information Security SOX and ITGC audits (with the use of associated security tools) where necessary;

Managed technology internal and external penetration assessments. Experience with tools, but not limited to: Nessus, Nmap, WebInspect, AppDetective, RedSeal, GFI LANGuard and other auxiliary utilities for UNIX and Windows platforms;

Managed direct reports. Managed teams to complete necessary Information Security projects. Coached staff. Provided project evaluation(s) to all team members at each stage of the project;

Managed and performed a variety of security vendor assessments for financial organizations to understand key Information Security risks and/or concerns;

Performed on-site Payment Card Industry (PCI) Remediation. Recommended, planned, and executed enhancements to the infrastructure, application architecture, policy, procedures and processes in order to address compliance gaps. Conducted on-site vulnerability scanning for PCI remediation where necessary;

Conducted Data Privacy reviews utilizing the ISO-27001/2 framework to baseline clients’ Information Security risks; developed remediation strategy to yield full compliance.

For all projects, developed, drafted and finalized reports for both clients and Protiviti Inc. leadership;

Worked closely with leadership to draft and finalize proposals for potential and existing clients, prepare project budget forecasting, prepare project plans, create Master Services Agreements (MSA) / Statement of work (SOW), draft and finalize client deliverables; and

Built the Information Security practice by responding to Requests For Proposals (RFP) as well as driving other key business development efforts.

PricewaterhouseCoopers LLP, New York City, USA December 2003 – August 2006

Information Security Consultant, Global Risk Management Services

Provided specialized information security consulting for key financial services firms;

Supported 2nd / 3rd lines of defence with process design and process re-engineering of internal operations;

Drove audit approach by documenting operational processes, deriving flows, narratives and findings; communicated with operational risk groups to discuss process breakdown and operational in/effectiveness;

Managed international technology audits / assessments (e.g. networks, firewalls) and streamlined work programs; worked with upper management to provide client status reporting;

Led Information Security vulnerability assessment reviews (e.g. Operating Systems (Windows, UNIX)); finalized engagements with client-ready deliverables and reports;

Managed SOX ITGC projects: developed narratives, performed comprehensive testing of control objectives, identified issues/exceptions/gaps, and developed solutions/recommendations based on best practices; also baselined against COBIT and/or ISO 27001x standards;

With client leadership approval, managed social engineering exploits; measured and defined risks and reported all findings;

Managed direct reports; coached staff; provided project evaluation(s) to team member(s) at the end of the project;

Member of the Database Core Team and the Network Core Team; developed client-ready database audit work programs for the firm. Provided first-level support to information security staff nationally;

Collectively provided information security governance, strategy, and architecture frameworks; performed Data Security compliance reviews utilizing the ISO-27001/2 governance framework;

Developed professional relationships with clients through interviews and internal & external meetings. Formulated and followed up on project enhancements and/or additional tailored solutions for PwC management.

IBM UK, Surrey, United Kingdom / USA July 1999 – December 2003

Security Consultant/Technical Support, Data Management Solutions

Provided security consulting for major IT and financial services firms;

Provided technical support to clients and identified problems/vulnerabilities;

Configured/debugged Informix/IBM DB2 databases and provided access security controls;

Configured, tested, evaluated and setup database engine(s) securely;

Evaluated and reproduced customer queries/problems using a variety of programming languages (Java, PL/SQL) and supported utilities for a variety of platforms; Tested and debugged client code, and developed small patches (if needed) as temporary fixes;

Managed, optimized, and tuned database technologies for leading telecom companies to reinforce security;

Produced client reports for upper management; and

Collaborated with and provided guidance to other teams, producing technical reports.

EDUCATION Royal Holloway, University of London

Dept. of Mathematics – Master of Science, Information Security, 2002
