
Risk Management Project

Location:
Vasant Nagar, Karnataka, India
Posted:
June 26, 2024


Resume:

Exposure – BFSI, IT (Services & Products), ITES & Non-IT MNCs

BFSI (Banking, Financial Services & Insurance)

Energy - Oil & Gas

IT Services

IT Audit (Advisory & Consulting Services)

Chartered Accountants Firms

IT Products

Core Competencies

IT Program / Project Management

Cloud Security & Compliance

SOX - IT General Controls

IT Security Advisory

Agile & Scrum

Exception Management

InfoSec Management

IT Audit & Compliance

Secure SDLC

Vendor Risk Management

SOC2 Audit & Compliance

Risk Heat Map

Identity & Access Management

ISO 27001 Audit & E2E Implementation

Dashboard & Big Picture

Vulnerability Management

Physical & Environmental Security Audit

Metrics & Measurement

IT Risk Management

BCP & DRP Audit

Trend Analysis

InfoSec Cognizance – Standards, Regulations, Legislations, Maturity Models, Laws & Acts

Supplier/Vendor/Extranet Infosec Risk Management processes based on the ISO 27001 framework

Cloud Computing Security Risks – SaaS, IaaS & PaaS awareness and understanding with respect to cloud-native technologies and security requirements, from a secure architecture standpoint, for multi-cloud environments

End-to-End ISO 27001 ISMS Implementation Lifecycle – Stage 0, 1 & 2 – from readiness to conformance and certification.

Considerable knowledge & understanding of ITGC, GDPR, NIST, SOX 404, SOC I, II & III, COBIT, HIPAA, PCI DSS

Organizational Skillsets

Stakeholder Management, including CXO/C-Suite level

Strategy Development, Determined BAU Processes, Run & Maintain Operations & E2E Program/Project Management

Tools – Awareness & Know-How

GitHub, JIRA Tool, Cisco ACL Tool, Cisco TIARA Tool & RSA Archer – Shell Collective

MS Office Suite, MS PowerBI & SharePoint

Academic Qualifications, Professional Certifications, Trainings, Standards, Diplomas & Courses

B.Sc. (Bachelor of Science) Mathematics – Bachelor’s Degree from Shivaji University, Kolhapur, INDIA.

Certifications – CISA Certified, ISO 27001 Lead Auditor, CEH v7 & Cisco Ninja White Belt Certified

Completed preparatory trainings for CRISC, CISSP, PMP, ITIL & Diploma in Software Testing.

Pursuing CISSP (ISC2) & CISM (ISACA, USA) certifications.

# IBM Public Cloud Tenure Feb 2021 – Present

Designation: Cloud Security Compliance Leader (Associate Director Band) with IBM - Public Cloud Platform

Line of Reporting – Program Director for IBM Public Cloud Division

Team Size Managing – 2 Indirect Reportees

Scope of Operations – Program/Projects for VPCNG Cloud, PAAS & IAAS for SOC2 ConMon & PCI Compliance

Applicable Compliances IBM Internal & External – SOC2 ConMon, PCI DSS, & NIST

Key Accountabilities

Planned & executed Projects/Programs – Cloud Governance Framework, Security Risks and Compliance Programs

Set vision, strategy & direction for certification compliance efforts

Cross-functional collaboration with Engineering Operation, Infrastructure, Cloud Services Teams & PMO

Instituted Goals, Objectives, KPIs and KRIs and streamlined processes.

Devised quarter-wise services scope and planning for different compliance program cycles.

Responsible for resource allocation, project assignments, training programs, KT sessions & published Calendar

ConMon Audit Planning & Execution – VPC NG (Virtual Private Cloud Next Gen)

ConMon Program Management – Agile & Scrum

Coordination with DevOps, DevSecOps, SREs and NREs Teams as required during the testing of the controls.

Cloud Security Controls scope reviewed/tested includes ASV Scan, Backups, BCP/DRP, Change Management, Container Patching and Health Checking, Continued Business Need, Endpoint Detection & Response, File Integrity Monitoring, Intrusion Detection, Inventory Management, Network Monitoring, Network Rule Revalidation, New Users & User Terminations, Non-Armada Devices Patching & Health Checking, Penetration Testing, Risk Assessment, Root Access for QRadar, Security Incident Management, Segmentation Testing, Significant Changes, System Description, Vendor Management, Vulnerability (Nessus) Scans, Worker Nodes Health Checking & Patching, Baseline Review, Changes & Challenges.

Reviewed DAST, SAST, SCA (Software Composition Analysis) & Threat modelling processes.

As part of the CRB (Change Review Board) team, reviewed end-to-end the process followed by the services.

Managed and led the end-to-end VPC NG ConMon project i.e. right from planning to closure of findings.

Coordinated with Service Team focal points for audit evidence sufficiency.

Monitored GitHub Repository – CAR Technical Review, Follow-Up, Out-to-Service & Closed pipeline queue.

Control testing & verification of evidence provided by the services team.

Depicted big picture, trend analysis, metrics, and dashboard to the executive leadership team.

Introduced New Initiatives, and formulated Action Plans with milestones, Tracker sheets & Cheat sheets.

Operational Responsibilities

Crafted VPC NG Consolidated Master Data Sheet w.r.t. Controls, Pillars & IDR Data Request

VPCNG controls selection for quarterly scope finalization

Established IaaS Consolidated Master Data Sheet w.r.t. Controls, Pillars & IDR Data Request

Completed Exception Analysis (Observations) - Audit Report for 4Q 2021 IAAS & 4Q 2021 VPC NG

Provided daily updates to the Weaver Team on the submitted IDRs in GitHub

Maintained daily tracker for IDRs submitted and actioned as per the ConMon process.

Completed quarterly GitHub housekeeping after closure of the audit cycle, as per Huddle status.

ConMon Onboarding Process Repo Optimization for VPC NG

ConMon Audit Planning & Execution – PAAS

IDR Control Testing & verification of evidence provided by the services team.

PCI DSS Program - Renewal Services Audit Planning & Execution

Developed PCI 2H21 compliance audit project prerequisites.

Interpretation of AOC (Attestation of Compliance) & ROC (Report on Compliance) w.r.t. non-compliances, findings, observations, etc.

Involved in audit readiness, i.e., preparedness with respect to the effectiveness of the current security controls posture.

Coordinated with the onshore team to streamline the PCI Annual Audit Plan.

Participated in and planned PCI process documentation for service understanding.

Prepared and improved existing PCI cheat sheets in easy-to-understand terminologies.

Daily coordination with the onshore team to make sure PCI Audit activities are on track.

Presented daily project status metrics to the onshore team.

Managed closure of IDRs in GitHub, as per Huddle status i.e., email notifications.

Ensured that Weaver auditors’ tool (Huddle) status was mapped with the IBM Audit tool (GitHub).

Presented the audit findings identified during external audits to management.

Liaised with External Auditors during the external audit phases.

Reviewed evidence and artefacts as provided by service teams.

Managed closure of the gaps i.e., observations, recommendations, and considerations.

Controlled GitHub Repository for CAR Technical Review pipeline queue.

Gained a comprehensive understanding of testing & verification of evidence.

# Royal Dutch Shell Tenure Sep 2018 – Feb 2021

Designation: Business ITSO Security Advisor (Manager Band) with Global Functions SOM Service Integration, Information Risk Management, Risk, Control Assurance & Compliance

Line of Reporting – Global Risk Lead (Manager) for Global Risk Specialists Team

Team Size Managing – 2 Indirect Reportees

Scope of Operations – Corporate Finance Business Critical Treasury & E-Banking Application Portfolio

Applicable Compliances Shell Internal & External – NIST, RDS, ONE IT Control Framework, Key Controls (Guideline Controls), SOX, FCM (Financial Control Matrix) & IRM (Information Risk Management) Policies

COBIT, SOX 404, ISO 27001 & IT General Controls

Key Accountabilities

LOD2 (Second Line of Defense) as a Business ITSO Security Advisor (Manager Band) – ITSO IT Security Management Team, IRM (Information Risk Management)

Business Information Security Advisor for various Sub Business Functions within ITSO at the Enterprise Level

Reviewed overdue critical vulnerabilities for the assigned risk rating and sought the CIO's buy-in for endorsement and risk acceptance.

LOD1 (First Line of Defense) as a Senior Risk Specialist - LOB Finance Treasury & E-Banking & Pensions, Risk & Insurance Portfolios.

Findings management w.r.t. operational risk management as part of run and maintain operations.

SPOC for SIA (Internal Audit) – TOR scope & objective review, preparation, audit outcome & closure.

Operational Risk Management, Risk and Advisory consultancy & Findings Management.

Depicted Risk Visuals, Dashboard and Application Risk Posture and Proactive Risk Review

Conducted risk assessments for applications/deployments, viz. BIAs (Business Impact Assessments), LRAs (Legal & Regulatory Assessments) & CSAs (Control Selection Assessments)

Supported and carried out periodic reviews of Business Impact Assessments, Legal & Regulatory assessments, and control sets for existing applications/deployments.

Run & Maintain Operations, Process flowcharts and Workflow, and BAU and non-BAU documentation.

Maintained a system of effective internal controls utilizing the tool: “Collective” customized module.

Cybersecurity – Systems Vulnerabilities based on NIST Cybersecurity Framework

Managed E2E Vulnerability Management Remediation Process

BAU remediation process – from initial communication (notification) through to closure

Led Risk Acceptance endorsement and approval meetings with the Group CIO on a quarterly basis.

Focal Point for Critical, High, Medium & Low rated vulnerabilities, i.e., point of contact for coordination, communication & remediation of vulnerabilities w.r.t. OWASP Top 10 & other vulnerabilities.

High visibility critical project liaising and working with C-Suite level Board and Senior Management.

Drove GF CIO-level board meetings for Yellow List risk acceptance approvals and sign-off proposals for risk acceptances raised on open items not remediated within the timelines set by the IRM guidelines.

BAU collaboration with ITSO Security Manager, Group Risk Manager, OLM (Operate Landscape Manager), IT Manager, Cross Functional IT Project/Portfolio Manager & BAO as required.

Responsible for remediation/mitigation or risk acceptance of critical vulnerable remote-accessible systems, obsolete middleware & OS, e.g., MS Windows (OS), Oracle, JBoss, Adobe, MS SQL & VNC vulnerabilities (Yellow List), within SHELL production and business-critical applications (ERP) supporting SHELL GF SOM (Global/Corporate Functions Service & Operation Management) LOBs.

Led the timely Identification, Remediation/Risk Acceptance based on Risk ratings/rankings.

Liaised with asset owners and suppliers for faster remediation of vulnerabilities.

Nominated as the focal point of contact for findings management Risk Assessment of new & existing gaps.

Planned and executed vulnerability remediation via automation macro scripts, improving the efficiency and effectiveness of the new process.

Created workflows & flowcharts as a prerequisite for writing the macro scripts.

Devised process flows to handle the asset owner’s queries and designed FAQs, and standard templates for a pleasant user experience while adhering to InfoSec and Risk Management policies

Functional Mailbox integration with PowerBI Dashboard for precise segregation of responses to deal with asset owner’s email requests.

Devised the BAU and Non-BAU process for the Vulnerability Remediation process for Suppliers/Vendors while engaging internal stakeholders and the LT Team as deemed to be necessary.

# Cisco Systems Inc. Tenure Apr 2013 - Aug 2018

Designation – InfoSec Project Manager & India Site Lead - ISO 27001 Certification Audit Program with InfoSec Operations & Services – Security & Trust Organization

Line of Reporting – InfoSec Director & Asia Pacific CISO

Team Size Managed – 2 Direct and 3 Indirect Reportees.

Scope of Operations – India Site Operations – Bangalore, Pune & Chennai Site

Business Units & Functions – Engineering R&D Technology/Business Groups, IT (Applications Development & Infrastructure Services), Cisco Services (Technical Services & Advanced Services) – CX (Customer Experience) Services, WPR – Workplace Resources, SSBR – Safety & Security Business Resiliency Function, Admin-Logistics Function, InfoSec Operations & CSIRT – Cisco Security Incident Response Team & Human Resources Functions.

Applicable Compliances: NIST, Cisco Internal/External & ISO 27001 & Product Specific Compliances

Key Accountabilities

ISO 27001 India Site Program Management, Supplier/Extranet Risk Management, InfoSec & IT Services BCP/DRP, Services Compliance Audit & Assurance, Firewall ACL Audit & Automation.

Review of Engineering Operations – SDLC, PRDs and BRDs, Functional requirements etc.

Devised NIST-based framework for InfoSec Operations & CSIRT – Cisco Security Incident Response Team

SUPPLIER/VENDOR/EXTRANET INFOSEC RISK MANAGEMENT FRAMEWORK

Proposed revisions in Extranet InfoSec Risk Mgmt. framework, processes, & guidelines for all extranet partners

Streamlined lifecycle for New Site Engagement, Implementation, Operational & Decommission stages.

Proposed enhancements to close gaps and address challenges to the extranet risk management process.

Formulated Metrics, ONE Risk Register concept, data source attribution, dashboard & trends analysis

SERVICE COMPLIANCE AUDIT & ASSURANCE

Devised E2E audit processes and simplified them to justify the why, how & what behind the audit strategy.

Derived scope of audits - Firewall FDCS, Labs, Extranet, Engineering Access Mgmt. & Awareness services

Executed audit services, published the dashboards on gaps/issues, and drove the management review meetings.

FIREWALL ACL RULES AUDIT & ASSURANCE AUTOMATION.

Devised requisite problem statement, current state, proposed remediation, challenges & future state.

Established strategy, scope, budget, resources, timelines, coordination, & communication

Brainstormed how to interpret ACL rules as structured data & blocks suitable for writing automation scripts.

Created RACI matrix to ensure proper segregation of duties, independence, and transparency of roles.

Owned the reviews, published the dashboards on gaps, & drove management meetings

Prioritized the criticality of Firewall ACL rules based on the current cyberattacks and threat landscape.

Defined tier-wise approach to focus on high-risk ACL audits and ensured the clean-up activity.

ISO 27001 AUDIT, COMPLIANCE, RISK MANAGEMENT & IMPLEMENTATION

Strategized alignment with global APJC ISO 27001 Programs w.r.t. current state representation, roadmap, future state and continuous service improvements

Introduced ISO 27001 Program as a service offering via Service Catalogue mode for new site additions.

Derived service review metrics and business cost model for new sites for implementation of ISO 27001 standard; effort/ballpark estimation, gap assessment & extension to the scope of ISO 27001 Global sites

Revamped the Risk Assessment methodology by adopting ISO 27005/31000 Risk Management best practices

Planned, initiated, executed and monitored the ISO 27001 Program India through to the project closure phase.

Enforcement and introduction of new initiatives for program activities to depict the ISMS effectiveness.

Sought buy-in from senior leadership on focus areas for program activities to exhibit InfoSec health posture.

Drafted and communicated internal audit and risk assessment reports for audited business units/functions; also proposed technical/process-based solutions as remediation steps to reduce the risk of data loss.

Created and managed two intranet community sites for publishing ISO 27001 Program planned activities.

Communicated trend analysis of the InfoSec metrics health report to the Senior Leadership Team

Organized MRM (Management Review Meeting) and communicated the MOMs to all Leadership Teams

Responded to client RFPs & InfoSec Questionnaires liaising with the Business Development Sales team.

Responsible for supporting compliance of customer ISMS audit & Safe Harbor (EU Data Privacy and Protection)

Established influential relationships with cross-functional teams i.e., product engineering, services, IT applications & Infrastructure Services business units, support functions & executive leadership team.

BCP/DRP - BUSINESS CONTINUITY PLANNING & MANAGEMENT - IT SERVICES

Liaised with the Global BCP Program Team – from kick-off meeting to closure of the BCP Plan project

Reviewed existing BCP for the IT services; identified & prioritized critical IT services for BIA workshops

Proposed separate BCPs i.e. Individual BCPs of IT Services.

Developed comprehensive BCP for all critical IT services.

# DXC – former CSC (Computer Sciences Corporation Inc.) Tenure Oct 2011 – Apr 2013

Designation – Senior InfoSec Specialist with Commercial & Managed Cybersecurity Services

Line of Reporting – InfoSec Senior Manager & CISO

Scope of Operations – India Site Operations for Hyderabad Site

Business Units / Projects – Corporate Services, Human Resources, BMS, Data Center-Environmental Security Controls, Procurement Services, Training-Learning & Development, IT Audit (Network & Server Support) & Project Support (Logistics & IT Help Desk Support), Third Party Vendor Audits - Drinking Water Supplier, Base Kitchen Caterers & Security Personnel/Guards Services.

Applicable Compliances – CSC Internal/External & ISO 27001 & Product Specific Compliances

Key Accountabilities

E2E ISO 27001 Audit, Compliance & Implementation

Third-Party Vendor Audits

Risk Management & Business Continuity Management

# ANB Solutions Private Ltd. Tenure Mar 2011 – Oct 2011

Designation – Consultant I. S. Auditor for IT Risk Assurance and Advisory Department

Key Accountabilities

Third-Party IT/IS Auditing & Consulting – Projects / Clientele Handled

IDBI Federal Insurance IRDA - Windows Server Audit and Privileged User Identity Management SOP review & Data Center - Physical & Environmental Security

ICICI Bank RBI Banking - Proactive audit – OS & Server hardening review

Kotak Life Insurance IRDA - Data Center - Physical & Environment Security, SOP review, BCP & DRP

AEGON Religare Life Insurance IRDA - BCP and DRP, Datacenter - Physical and Environmental Security, SOP review, Media Disposal, Antivirus & Change management

CCIL - Clearing Corporation of India Ltd, RBI & SEBI - Server Audit, Access Control Matrix review, Application Audit, IT controls testing, Change Management & Back Up & Recovery process review. Data Centers - Physical & Environmental Security Controls.

# BNY MELLON - The Bank Of New York Mellon Tenure Oct 2007 – Mar 2010

Designation – Operation Executive

Profile & Key Accountabilities – User Access Control Management

# SACHIN S. BHATTAD Co., Chartered Accountants. Tenure Jan 2006 – Sep 2007

Designation – Assistant IS Auditor

Profile & Key Accountabilities – Information Systems Audits

# PANDHARE & CO., Chartered Accountants. Tenure Jun 2003 – Dec 2005

Designation – Administrative Assistant

Profile & Key Accountabilities – Accounts, Audit & Administration

Professional Memberships

ISACA, Information Systems Audit and Control Association, USA

ISACA, Bangalore Chapter, Bangalore, INDIA

Passport Status – Will be provided on request.

Professional References:

| No. | Name | Current Company | Designation | Email |
| --- | --- | --- | --- | --- |
| 1 | Manmeet Singh | Cisco Systems | InfoSec Engineer | ********@*****.*** |
| 2 | Amar Kaniganti | InfoSys | Security Architect | *************@*****.*** |

Declaration:

I declare that the above details mentioned are true to the best of my knowledge.

Balaji Paskanti, B.Sc. Maths, CISA (Active), CEH v7 & ISO 27001 Lead Auditor

Cloud Security & Compliance, Cyber Security, IT Audit, Risk Management & Compliance

Mobile +91-990******* / 982-***-****

E-mail ******.********@*****.***

LinkedIn http://in.linkedin.com/in/balajipaskanti

Certification badges: ISO 27001 Lead Auditor; Certified Ethical Hacker

Profile Synopsis

19 plus years of hard-core experience in IT with utmost focus on Cloud Security & Compliance, Cybersecurity, IT Audit, Risk & Controls Management. Veteran Cybersecurity Professional enriched with versatile hands-on experience in various InfoSec domains. Since security transcends technology, the goal is to continually improve upon and implement what I have become acquainted with so far, and in the process, help organizations attain their business objectives in conformance with internal & external security risk, compliance & regulatory requirements.

Currently associated as a Cloud Security Compliance Leader (Associate Director) with IBM Cloud.

International Exposure & Onsite Assignments – U.K. London & China Shanghai.
