
Cyber Security Technology Risk

Location:
Thornhill, ON, Canada
Posted:
April 12, 2024


Resume:

Farzad Kanani (MITS, CISM, GDPR, ISO ***** Lead Implementer, ABCP, ex_PCI-QSA, CDPSE)

Willow Beach, Ontario, L0E 1S0

ad4yww@r.postjobfree.com 647-***-****

linkedin.com/in/farzad-kanani-746b5017/

Cyber Risk & Security Practice Advisor

Technically minded professional with 10+ years’ experience devising and implementing enterprise cyber security and technology risk controls and processes as well as developing key risk indicators to measure cyber and technology risk

Hands-on practitioner with leadership skills and expertise in improving organizations’ risk and security posture and in developing enterprise policies and standards pertaining to cyber and technology risk. Proven success in developing governance and IT security programs, conducting audits, executing information security strategy, maintaining data privacy, and ensuring regulatory and internal compliance. Expertise in implementing best practices and standards (ISO 17799/27001-2, NIST, PCI DSS, SOX, GDPR, PIPEDA, HIPAA and international privacy laws) and IT frameworks (COBIT/COSO, ITIL, SOC 2/1). Exhibit excellent communication, collaboration, and coordination skills at all levels. Possess in-depth knowledge of global financial institutions, money service businesses, and banking compliance, including significant understanding of anti-money laundering, data protection, anti-corruption, and consumer protection regulations.

Highlights of Expertise

●IT Governance & Risk Management

●Information Security Planning

●Audit based on PCI DSS & ISO27001/2

●Technology Implementation

●Security Awareness & Coaching

●Business Continuity & Disaster Recovery

●Threat Risk Assessment & Mitigation

●Regulatory Compliance

●Policy & Process Design

●Incident Response

●Team Building & Leadership

●Team Performance Management

Career Experience

Cybermatic Solutions Inc, Toronto, ON (July 2019-Present)

Lead the Security Services portfolio in terms of technology currency, business agility, technology evolution, business fit, opportunities to improve efficiencies and TCO. Achieve Professional Services margin objectives by ensuring the following:

●Define end-to-end Cyber Security solutions that take into account the security architecture strategies to address current-state environments and evaluate constraints for organizations of various sizes and verticals.

●Analyze the viability of the solution to meet product timelines, budget and quality.

●Conduct Threat Risk Assessment (TRA) to identify any potential security gaps associated with new initiatives.

●Support internal and external audit processes for relevant compliance concerns including PCI-DSS v4.0, ISO 27001, SOC2 Type I & SOC2 Type II

●Act as the SME risk and security professional to review operational and project activities (plans, designs, testing, reporting and maintenance) providing a risk profile, and recommending appropriate remediation measures to minimize cybersecurity risks.

●Oversight of security architecture and Cloud strategy for public and private cloud solutions.

●Create solutions that balance business requirements with information and cyber security requirements for clients, particularly for migration to Azure Cloud.

●Identify security design gaps in existing and proposed mitigation plans and recommend changes or enhancements.

●Drive business growth with the sales organization by identifying, evaluating, managing, and executing on strategic customer service opportunities.

●Drive the creation of SOWs, Master Service Agreements (MSA), proposals, reports, and deliverables for cyber security solutions with a focus on both mid-market and enterprise segments.

●Review current system security measures; recommend and implement enhancements.

●Partner with subject matter experts both within and outside the organization to properly implement security solutions that provide the necessary confidentiality, integrity, and availability of systems and data.

●Participate as technical subject matter expert in responding to Request for Proposals.

●Perform internal/external security vulnerability assessments of information systems across a broad range of business functions.

●Experience with IT Compliance and Audit Standards - ISO 27000 series, SOC2, GDPR and PCI.

●Experience with Data Protection and Data Privacy - PIPEDA, GDPR, Privacy Assessments.

●Manage Information Security Policy and Regulatory Compliance implementation.

●Use Cloud Security Alliance fundamentals for providing security assurance within cloud computing.

Allstate Insurance Corporate Risk, Markham, ON

Lead and direct a team of information security consultants in developing and executing practice strategies, providing risk oversight, driving alignment, currency and enforcement of global cyber security standards and controls, forecasting workloads, managing projects, reporting revenue, and addressing client concerns. Revise and update relevant policies and standards to meet the requirements of emerging regulations such as the new versions of PCI DSS and GDPR.

Cyber Risk & Security Practice Lead – Contract (Dec 2017 to July 2019)

Create a roadmap and assist Allstate to adopt best practices and procedures to integrate risk management into the business agenda and implement security controls within Allstate Canada Group (ACG) in collaboration with the Chief Risk Officer (CRO) and Chief Information Security Officer (CISO). Oversee and manage external auditors performing PCI-DSS assessment and remediation services and set GRC practice technical direction. Expertly carry out 3rd party security assessments as part of the procurement process to ensure 3rd party vendors have adequate security measures in place aligned with Allstate standards. Liaise and function closely with the application development team to create new Agile secure development life cycle (SDLC) processes in accordance with PCI DSS. Coordinate with multiple stakeholders to deliver coaching and training sessions for IT and non-IT staff.

●Developed and executed IT governance and risk policies as well as harmonized processes across the organization along with assurance testing frameworks in line with PCI DSS 3.2.1, ISO 27001 standards and OSFI requirements.

●Devised and employed best practices to promote a security-by-design approach for ACG products (such as online policy registration and online claim applications) using OWASP and CIS benchmarks, and was involved in making systems free of vulnerabilities and impervious to attack through continuous testing, authentication safeguards, and adherence to Threat Modeling techniques.

●Steered research and analysis to identify and evaluate threat landscape that aided in enhancing resilience of ACG’s critical information infrastructure and networks.

●Built an effective communication channel with stakeholders that helps in sharing complex security ideas and areas of potential risk.

●Reduced company expense up to $60K annually by planning and conducting internal threat risk assessments (TRA) and cyber security audit.

●Designed a sustainable PCI Governance framework to guarantee implementation of required PCI DSS controls throughout Business-As-Usual operational processes that increased efficiency up to 12% across the company.

●Support the development of a risk assessment approach for assessments both inside and outside the company (including PCI DSS and SOC2).

●Coordinate with the Legal and Risk Management teams to ensure PCI compliance needs are being addressed and tracked appropriately with all partners and third-party vendors.

●Continuously improve the PCI compliance program with new information, procedures, or documentation.

●Draft policies/procedures that govern the security of PCI data across all brokerage and corporate offices with a specific focus on PCI compliance requirements.

●Ensure ASV Vulnerability Scans and Penetration Testing are conducted quarterly and annually, respectively, with all remediation activities being completed within expected timelines.

Scotiabank, Information Security & Compliance, Global Wealth Technology, Toronto, ON

Rendered expertise as a trusted advisor and central point of reference for Information security at Scotia Global Wholesale Technology (GWT). Created security governance and compliance frameworks in cooperation with internal stakeholder groups, including security teams, legal, privacy, and relevant IT functions and business groups.

Senior Information Security & Compliance Advisor (Information Security Officer) (Oct 2014 to Dec 2017)

Defined and developed an enterprise architecture framework, which included policies/procedures, corporate solution design, and delivery methods. Created a governance framework for Scotiabank to become compliant with OSFI-B10 requirements. Delivered support in classification and protection of data resources by offering guidance on cost-effective implementation of security policies and standards. Performed security and privacy consulting engagements such as security strategy, security principles, security policy, threat risk assessments (TRA), security architecture, application security, security health checks, and penetration testing. Created a formal process to re-assess existing 3rd party vendors to ensure implemented security and control practices align with the bank’s standards and industry practices.

●Successfully produced high quality threat risk assessment (TRA) reports and threat models for initiative projects across the bank and clearly articulated and presented potential cyber risks.

●Contributed efforts towards completion of a TRA on Oracle Cloud platform and shared identified security gaps with senior management for review.

●Retained currency of security policies, standards, risk acceptance, and deviation letters to ensure continual alignment of standards in line with regulatory requirements and industry best practices.

●Established external "benchmarks" (including ISO, PCI, NIST and other standards and guidelines) to ensure that Bank's information security and control governance framework remains responsive to risk and reflects the security practices.

●Supervised and managed vendor contractual obligations related to annual SOC 1 or SOC 2 (SSAE 16 and ISAE 3402) and SOX audits as well as provided expert recommendations on resolving issues.

●Played a key role in continuous growth of security and privacy practice through mentorship and new opportunities utilization as well as coached and trained staff to increase security awareness.

Manulife Financial, Canadian Information Risk Management, Waterloo, ON

Acted as a business unit security officer (BUSO) at Manulife and worked on information security functions in various projects, initiatives, and mergers and acquisitions. Managed the IT security advisory practice for Manulife Securities, from business and practice development on large engagements covering cyber security and advanced malware intrusion, privacy, attack & penetration, and security road map development.

Information Security Risk Manager (Security Focal) (Sep 2010 to Oct 2014)

Coordinated and functioned with business lines to create robust security strategic and tactical plans for implementation of consistent and secure control processes to protect information assets. Delivered guidance and support on development and implementation of sound risk management controls in line with Manulife's standards, confirming compliance with industry regulations. Provided strategic input in initiatives and projects driven by various business lines as well as guided project and delivery managers to implement improved information security practices, facilitating key artifacts such as security design documents, threat risk assessments, business impact analysis, data classifications, and deviation letters. Developed a security-aware culture and embedded security in the DNA by providing proactive security advisory to the business and making the maturity of security capabilities transparent. Handed over work plans to staff members, defined security and business objectives, observed performance, and delivered constructive feedback to boost productivity.

●Developed and implemented procedures for business continuity and provided expert advice on Manulife's pervasive information security standards, policies, and processes. Administered implementation of disaster recovery/business continuity plans in response to an interruption or crisis to fulfill PCI DSS, IIROC and OSFI requirements.

●Monitored and evaluated threat landscape, translated implemented security strategy into local roadmap, and facilitated business with third party contracting.

●Work with Manulife Travel Insurance and Accounting / Finance teams to identify and analyze security requirements to align with PCI DSS compliance standards.

●Participated as the Security Focal in Vulnerability Management Program to plan, review, analyze, and mitigate the security findings on outcomes of penetration tests and vulnerability assessments reports and provided regular update to senior management.

●Applied best practices to ensure adequate management of risk for a large portfolio of applications and platforms based on HIPAA and PIPEDA requirements.

●Retained currency of security policies, standards, risk acceptance, and deviation letters to confirm continual alignment of standards to regulatory requirements and industry best practices such as OSFI, IIROC and MFDA.

●Rendered expert services as a security officer for all security aspects during the business acquisition period.

Additional Experience

Senior Security Consultant, Governance-Risk-Compliance (GRC), TELUS Security Solutions, Toronto, ON

Senior Security Analyst, TELUS Security Solutions, Toronto, ON

IT Security Researcher, University of Ontario Institute of Technology, Oshawa, ON

Education & Credentials

Professional Certifications:

CDPSE (ISACA, Certified Data Privacy Solutions Engineer), Feb 2021

GDPR Foundation (EU General Data Protection Regulation Foundation), Dec 2018

AWS Security Roadshow, Sep 2016

CISM (ISACA, Certified Information Security Manager), Jan 2012

ISO 27001 LI (ISO 27001 Lead Implementer), Nov 2011

ABCP (Associate Business Continuity Professional), Apr 2011

PCI-QSA (Qualified Security Assessor), Mar 2010

Formal Education:

University of Ontario Institute of Technology (UOIT), Oshawa, Ontario

Master of Information Technology Security (MITS)

Ferdowsi University, Mashad, Iran (Evaluated by University of Toronto)

Honors Bachelor of Computer Engineering (Software)

Other Experience with Selected Clients & Engagements

Workplace Safety and Insurance Board (WSIB) – Cyber Security Consultation

Canadian Cancer Society – IS Policy & Process Design and Implementation based on PCI DSS

Thomson Reuters Legal Tracker – Vendor Application Assessment

Canadian Imperial Bank of Commerce (CIBC) – Vulnerability Management Program

Thomson Reuters (TR) – Cyber Security Maturity Evaluation (ISO 27001-2)

Canadian Tire Financial Services (CTFS) – PCI DSS Assessment

Shoppers Drug Mart Inc. – Threat Risk Assessment (ISO 27001-2)

SUNCOR Energy Inc. (SUNOCO) – PCI DSS Gap Assessment

Lawson Health Research Institute – Threat Risk Assessment (HIPAA)

Sunnybrook Hospital – High-Level Emergency Continuity Plan

Ontario Medical Association – PCI DSS Gap Assessment

SYMCOR Inc. – PCI Remediation
