Andre Boutin
M.Adm, GRCP, CGEIT, ITIL Expert, LA 27001, COBIT 5 Implementor and Assessor, ISO 38500
CONSULTANT IN:
(1) Digital Governance & (GRC),
(2) IT Service Management,
(3) Information Security
PROFILE
I work as a freelancer and I help organizations to be more effective and efficient in the digital economy, more specifically in the following fields:
- Governance of Enterprise IT (GEIT) and GRC
- IT Service Management (ITSM)
- Information Security Management System (ISMS)
To do this, I provide the following services in each of the above-mentioned fields:
- Assessment / Audit
- Consulting
- Training (COBIT 5, ITIL, ISO 38500)
APTITUDES
Results-oriented
Strong analysis and synthesis skills
Facilitator
Autonomous
Motivated by the added value of IT and its contribution in achieving business objectives
Lead work group sessions and interviews
Change enablement
LANGUAGES
French (native language)
English (professional working proficiency)
Additional note:
The gaps between mandates are due to training contracts. Going forward, I want to take on more consulting and auditing activities than training.
Accredited Training (13+ years)
In addition to my consulting/auditing activities, I also deliver training in the fields below. This training can be delivered with or without the certification exam.
IT Service Management
Client: Various Accredited Training Organizations (ATO)
Industry: Training industry
Competency: IT Service Management
Period: Since February 2007
These trainings are related to IT service management.
ITIL 2011
Foundation
Service Strategy (SS)
Service Design (SD)
Service Transition (ST)
Service Operation (SO)
Continual Service Improvement (CSI)
Service Offering and Agreements (SOA)
Planning, Protection and Optimization (PPO)
Release, Control and Validation (RCV)
Operational Support and Analysis (OSA)
Managing Across the LifeCycle (MALC)
ITIL 4
Foundation
ITIL Specialist - Create Deliver and Support
ITIL Specialist - Drive Stakeholder Value
ITIL Specialist - High Velocity IT
ITIL Strategist - Direct Plan and Improve
DevOps
DevOps Foundation
Digital Governance
Client: Various Accredited Training Organizations (ATO)
Industry: Training industry
Competency: Enterprise IT/digital governance and GRC
Period: Since June 2011
These trainings are related to enterprise digital governance.
Data governance
IT governance
COBIT 5 Foundation
ISO/IEC 38500 Lead IT Corporate Governance Manager
IT Governance – IT audit – Information security (10+ years)
38
IT service management and information security
Client: Quebecor - NumeriQ
Industry: Multimedia
Competency: IT service management and information security
Period: Dec. 2018 – May 2019 (part time)
Support the IT operational team to achieve operational excellence by improving their IT and information security management practices in the following areas:
Operational support (incident management, problem management, request fulfilment)
Operational control (change management)
Infrastructure monitoring
Operational security (access management).
Environment: ITIL, DevOps, Cloud (Azure), JIRA Service Desk
37
IT Governance and IT service management
Client: HEC
Industry: University education
Competency: IT governance, IT service management
Period: March 2018 – present (part time)
Provide IT governance and IT service management expertise to improve the following practices:
Service catalog
Incident management
Problem management
Request execution and self-service
Knowledge management
Service asset and configuration management
Service level management
Information security
Environment: COBIT 5, ITIL, JIRA Service Desk
36
IT & Security Governance
Client: Resolute Forest Products
Industry: Forest products
Competency: IT governance, Information security
Period: December 2017 – August 2018 (part time)
Provide IT and security governance expertise to design and implement an IT security governance framework covering the following domains:
IT risk governance and management
Identity and Access governance and management
Information security system management
Security incident management
Exploration files: SIEM, IS awareness
Environment: SOX, COBIT 5, ITIL, ISO 27001, NIST
35
IT & Security Governance
Client: Laurentian Bank Canada
Industry: Bank
Competency: IT governance, Information security
Period: August 2017 – March 2018 (part time)
Provide IT governance and security expertise and support in the fields of:
IT risk assessment
GRC due diligence
Environment: COBIT 5, ISO 27001, SOC 2 type 2 reporting, OSFI
34
IT governance audit
Client: SOFAD, Montreal
Industry: Training solutions
Competency: IT audit, COBIT (governance)
Period: June 2016 – September 2016 (part time)
At the request of the Director General, identify and evaluate the organization's practices with regards to the following perspectives and provide recommendations to improve them:
IT Services and Infrastructure
Effectiveness of current policies, guidelines, practices and processes
Skills to be developed
Ethics and behavior
Organizational structures
Management of knowledge
Interview of fifteen people
Provide and present a detailed report about the aforementioned points to the Executive Committee
Develop and provide an organizational IT governance framework
Provide an executive summary report for the board of directors of the organization.
Environment: COBIT 5, ITIL
33
Information Security audit
Client: Velcro, USA
Industry: Various industrial sectors
Competency: Audit ISO/IEC 27001
Period: December 2014
As requested by the board, conduct a gap analysis of the enterprise information security practices against the ISO/IEC 27001 standard for a business domain:
Interview about fifty people from different areas: various departments / Operations Groups (procurement, supply chain, manufacturing, etc.), marketing, quality assurance and the IT department;
Visit and evaluate the physical security of USA sites;
Meet other stakeholders concerned by the information security;
Executive presentation to worldwide responsibility positions such as VP operation, VP marketing, Engineering and compliancy officers, and local IT officer;
Produce an information security assessment report including findings, short-, medium- and long-term recommendations, and an action plan.
Environment: ISO/IEC 27001 and ISO/IEC 27002 standards, ISO/IEC 27001 auditing practices.
32
IT Service Management
Client: CEGEP Brebeuf, Montreal
Industry: Pre-university education
Competency: IT Service Management
Period: Feb 2014 – Jan 2015 (part time)
Coach the organization in reaching the following goals:
Train the IT team on service catalog and IT service management concepts;
Develop templates to document IT services to users, technical services, service requests and SLA;
Provide support to the identification, description and documentation of IT services by the IT team;
Develop an IT service catalog;
Review and propose actions to improve IT operations with respect to the following points: roles and responsibilities throughout the IT service life cycle as well as change management.
Environment: ITIL; Tool: Octopus
31
IT Audit
Client: CEGEP, Sorel-Tracy
Industry: Pre-university education
Competency: IT Service Management
Period: June 2013 – June 2013 (part time)
Review role and responsibility assignments amongst the IT team members and provide recommendations to improve the team harmony and performance:
Conduct interviews with IT team members;
Reconstitute the operational working mode;
Identify the root causes of the role and responsibility assignment issues;
Compare with IT service management best practices;
Write an observations and recommendations report validated by the review sponsor and to be presented to the CEGEP board members.
Environment: N/A
30
IT Audit
Client: Concordia University, Montreal
Industry: University education
Competency: Process assessment and auditing
Period: July 2012 – Dec. 2012 (part time)
Contribute to the assessment of the organization’s IT processes and the service desk based on the ITIL framework:
Review the project plan
Meetings with IT managers to gain insights of the organization
Review existing auditing materials (questionnaires, reports)
Lead IT auditing interviews.
Prepare and present the reports to stakeholders.
Environment: ITIL, TIPA (ITIL processes assessment methodology)
29
Information security
Client: Toronto Dominion, Montreal
Industry: Bank and insurance
Competency: Risk Management and Information Security
Period: Jul. 2010 - Sep. 2010
Contribute to the project of the Technology Risk Management and Information Security department in identifying and assessing business risk exposure with respect to business regulations:
Coordinate the business and technology risk assessment project.
Plan and schedule meetings with, and interview the organization’s senior business managers - VP and directors – in order to determine their business exposure / sensitivity with respect to information technology (IT) dependence, compliancy to banking and insurance business and legal regulatory bodies.
Process and summarize business risk exposure / sensitivity with respect to information technology (IT).
Develop a dashboard to manage the project progression as well as risk assessment results.
Take part in the weekly status meeting with other business divisions located in Ontario and USA to follow up on this North America business risk assessment project.
Environment: In-house risk management tool and approach based on ISO 27005, ISO 27001.
28
Processes Re-engineering
Client: Surete du Quebec [Quebec public safety agency]
Industry: Public safety
Competency: IT governance framework
Period: Feb. 2009 - Apr. 2009 (part-time)
Coach the organization in their reengineering effort of business processes (police practices) in order to use and adapt a new technology platform which had a strong impact on business activities as well as on the organization structures:
All business units and about ten call centers are concerned.
About 5,000 users potentially impacted.
Achievements:
Act as the project manager for the external firm
Participate in the design of the action plan with senior managers and project managers
Participate in the scheduling of activities and workshops for the different stakeholders
Deliver the different deliverables under my responsibility.
Environment: Macroscope DMR methodology, MS-project
27
IT Governance
Client: CSPQ [Quebec Shared Services Center]
Industry: Provincial government
Competency: IT governance framework and information security
Period: Apr. 2008 – Apr. 2009 (part-time)
Design a major IT service package - a voice recording and call dispatching service – which spans the province territory, including organizational and operational structures. The service is designed for government units involved in managing public incidents as well as natural disasters.
Act as the project manager for the external firm.
Clarify the mandate deliverables with senior business managers as well as the project manager.
Coach some teams in their understanding of the ISO 20000 (IT Service Management) and ISO 27002 (Information Security) norms and ITIL best practices. Transfer knowledge to people so that they perform dedicated activities.
Reconcile requirements from ISO 20000 and ISO 27001/27002, as well as internal standard practices, in order to design and document the service design package.
Produce a service package document including SLA and many IT processes specific documentation.
Environment: ISO 20000, ITIL, ISO 27001 / 27002, MS-project
26
IT Governance
Client: Montreal Airport
Industry: Aerospace
Competency: IT governance framework
Period: Oct. 2007 – Dec. 2007 (part-time)
Coach the IT department in improving ITIL best practices for the following processes:
- Incident management
- Problem management
- Service request management
Clarify the objectives and expectations with the IT director and other IT senior management.
Provide updated process design documentation.
Environment: ITIL; tool: C2
25
IT Governance
Client: Axcan Pharma, Montreal
Industry: pharmaceutical
Competency: IT governance framework
Period: June 2007 – Sept. 2007
In the context of a SOX compliance business environment spanning North America and Europe, assist the IT director in putting in place an IT governance framework:
Assess the situation with IT management.
Meet the service provider to assess the IT service delivery and support.
- Examine the underpinning contract.
- Advise and assist the service provider to move from a "call center" approach to a "service desk" approach.
Reconcile requirements from COBIT, ISO 27001/27002, and ITIL standards and norms in order to determine and document an initial level of IT service management framework for the following processes and function, including various templates for reports and plans:
- Service desk
- Incident management
- Change management
- Service request management
- Release management
Introduce the IT service governance framework to the organization’s IT management and professionals as well as the service provider’s representatives.
Environment: COBIT, ISO/IEC 27001/27002, ITIL
24
IT Governance
Client: Tecsult, Montreal
Industry: Engineering
Competency: IT governance framework
Period: March 2007 – May 2007 (part-time)
Coach the IT/IS and corporate services department in selecting an ITSM tool:
Act as the project manager for the external firm.
Clarify the organizational and operational stakes with the IT director.
Preliminary workshops with IT and business representatives proved that they were not ready for such a project.
Environment: ITIL, MS-project
23
IT Governance
Client: Bell Connexim, Montreal
Industry: ICT Outsourcing
Competency: IT governance framework
Period: July 2006 – December 2006
Assist the telecommunications organization in strengthening its ITIL-based corporate incident and problem management processes:
Conduct workshops with stakeholders
Design and document the incident and problem processes
Review existing SLA in order to maintain/ensure adequacy between existing and new agreements
Provide assistance on other process implementations: configuration management and change management
Develop the key performance indicators for all implemented processes
Participate in the automation of the work instruction in the tool
Environment: ITIL, COBIT; tool: Maximo
22
IT Governance
Client: Longueuil City, Montreal area
Industry: Municipal government
Competency: IT governance framework
Period: October 2005 – Dec 2006 (part-time)
Coach the IT organization in establishing its ITIL-based change, configuration and incident management processes:
Act as the project manager for the external firm.
Design and document the new ITIL compliant processes and procedures
Provide assistance in setting up and modeling the CMDB
Reconcile project and service management approaches within the organization
Conduct workshops with stakeholders
Bring about consensus on IT service management processes between IT management and business representative stakeholders (municipal departments such as police, finance, library, etc.)
Align the decision-making of the organizational structures of the IT department with those of the city hall
Advise and assist in the selection of an IT service management tool
Prepare specific training materials for IT managers and professionals of the organization.
Environment: ITIL, COBIT; tool: Alloy Navigator, MS-project
21
IT Governance
Client: National Bank of Canada, Montreal
Industry: Bank
Competency: IT governance framework
Period: July 2005 – August 2005
Improve processes related to software lifecycle development:
Diagnose the situation and present conclusion to the principal IT director
Develop an action plan
Realign the initial software process improvement project on best practices related to IT Service Management
Conduct workshops with the stakeholders of these processes.
Environment: COBIT, ITIL, CMMI
20
IT Governance
Client: Teleglobe, Montreal
Industry: Telecommunications
Competency: IT governance framework and Risk/security management
Period: January 2005 – March 2005
Coach the organization in reaching compliancy with the Sarbanes-Oxley act for business units located in Canada and the USA:
Study COBIT control objectives.
Consider IT best practices that help meet COBIT control objectives.
Design and document the following COBIT processes:
- IT Quality Management at the corporate level (including IT quality plan)
- Compliancy with external requirements at the corporate level
- IT Performance and capacity management
- Service level management (including service catalogue and SLA)
- Assess internal control adequacy
- Independent assurance
- Independent audit
- Security management
- System installation and accreditation
- Configuration management
- Acquire and maintain technology infrastructure
Present COBIT control objectives and the related designed processes to IT management.
Environment: Sarbanes-Oxley, COBIT, COSO, ISO 27001 / 27002, ITIL, TickIT, NIST, ISO/IEC TR 13335, ISO/IEC 15408
BUSINESS, SYSTEM AND PROCESS ANALYST (4 years)
Activities:
Business and system analyses
Quality Assurance
System verification and validation
System reengineering
Identifying and documenting business needs and system requirements
Feasibility studies
Contract List
No. | Enterprise – Role | Industry | Location | From (mm/yyyy) | To (mm/yyyy)
19 | Forensic Technology – Business and system analyst | Information system for forensic laboratories | Montreal | 08/2004 | 11/2004
18 | Adacel Canada – System Reengineering | Aerospace – Air traffic control simulator | Montreal | 03/2002 | 03/2003
17 | Canadian Space Agency (CSA) – Software verification and validation | Aerospace – International Space Station | Montreal | 06/2001 | 10/2001
16 | Bombardier Transportation – Quality assurance of Embedded software | Rail transportation | Montreal | 06/2000 | 09/2000
15 | Teleglobe – Real-time system analyst | Telecommunication | Montreal | 11/1999 | 01/2001
Environment and tools:
Requisite Pro, Rational Rose, ClearQuest, UML
Requisite Pro, ClearQuest.
SS7 network
CMM and IEEE standards
MIL-STD-498
FAA (Federal Aviation Administration) standard
Relocation from France to Quebec and return to software engineering activities (described below) for the period of May 1994 to October 2004.
7
IT Audit
Employer: Excelsior Publications, France
Industry: Publishing
Competency: Enterprise IT organization
Period: November 93 – April 94
Audit part of the organization in order to assess its IT business value:
Assess the exploitation of a section of the data processing systems
Interview of 100 IT users: from top management to clerical employees
Provide recommendations to improve the effectiveness and efficiency of the data processing systems.
MA
SOFTWARE ENGINEERING (10 years)
Activities: Automation, Real time and Embedded (SCADA) Systems
Requirement management
IT system re-engineering
Development team support
Systems integration
Software quality assurance
Verification and Validation
Software Product Line
Software Development
Methodologies and tools:
SADT (Structured Analysis Design Technique)
OOD (Object Oriented Design)
Petri net / State machine
Rational Requisite Pro
Rational Rose
UML
Activities:
User needs analysis
Requirement specification
System analysis & architecture
Software design
IT/Information security
Software programming and maintenance
Documentation
Integration & test
Configuration management
System command
Deployment on customer site
End-user training
Automation
Process control
No. | Enterprise – Role | Industry | Location | From (mm/yyyy) | To (mm/yyyy)
14 | Air Data – IT Consultant (Embedded and real-time system reengineering) | R & D Aerospace | Montreal | 11/2000 | 12/2000
13 | Altersys Inc – IT Consultant (I/O simulation for nuclear system) | Automation | Montreal | 07/1999 | 08/1999
12 | SITA – IT Consultant (Software development) | Airlines' Telecommunications and Information Services | Montreal | 06/1998 | 06/1999
11 | CAE – IT Consultant (Energy system control) | Electrical power | Montreal | 07/1996 | 03/1998
10 | Nortel – IT Consultant (Automation of a testing platform) | Telecommunication | Montreal | 06/1996 | 07/1996
9 | Prior Data Science – IT Consultant (Logical I/O control) | consulting firm | Montreal | 10/1995 | 04/1996
8 | Primetech Electronics – Maintenance of a real-time and embedded software application | R & D – Rail transportation | Montreal | 09/1994 | 09/1195
6 | Mettler-Toledo – real-time and embedded specialist | Manufacturing system automation | France | 09/1991 | 01/1993
5 | Aerospatiale – Measurement system | Aerospace manufacturer | France | 04/1991 | 08/1991
4 | CNRS – Technical support | CNRS [National Center for Scientific Research] | France | 10/1990 | 03/1991
3 | Digitec – Software of control system | tele-broadcasting | France | 02/1990 | 11/1990
2 | Lord Ingénierie – Real-time and embedded systems specialist | R & D – engineering consulting | France | 03/1989 | 01/1990
Environment:
OS: OS-9 (3 years), VRTX-32 (6 months), UNIX (5 years), QNX (1 month), RTXC (2 months), VOS Stratus (1 year), Linux (since 1998).
Languages: C (8 years), C++ (6 months), Pascal (6 months), Grafcet (6 months), Perl (6 months), XML-XSLT (3 months).
Telecommunication: GPIB / IEEE-488 (9 months), RS-232 (2 years), X.25 (6 months), SS7 (3 months).
Hardware: Industrial and standard PCs, HP, SUN, PLC, Stratus.
ELECTRONIC (2 years)
Activities:
Installation, maintenance and repair of electronic and electromechanical devices
Diagnosis and location of failures and breakdowns
Instrumentation and tools: multi-meters, oscilloscopes, protocol analyzers
Test and maintenance reports
Mandate description:
1
Electronic
Competency: Analog and digital Electronics – Electro-mechanisms
Employer: Spectral – France
Industry: Computer Maintenance
Period: January 86 - December 87
Project: Hardware maintenance of banking IT systems of the "Société Générale" branches.
Education
ACADEMIC EDUCATION
Master IT Administration.
Major in IT Governance, Audit and Information Security
Sherbrooke University (Longueuil campus)
Montreal, 2015
DESS IT Administration
Major in IT Governance, Audit and Information Security
Sherbrooke University (Longueuil campus)
Montreal, 2013
Second degree (DESS) in Organizational Management and Change
Second degree thesis: Decision processes
Second University degree, CNAM, Paris, France, 1994
Software Engineering
Major: Automation software systems
First University degree, CNAM, Paris, France, 1988
Computer Maintenance
College degree, Angers, France, 1985
CONTINUED EDUCATION
GRCP (Governance - Risk - Compliancy Professional), 2020
GRCA (Governance - Risk - Compliancy Auditor), 2020
ITIL4 Managing Professional (2020)
ITIL4 (foundation), 2019
GDPR (Introduction - MOOC FUN), 2018
ISO 38500 Lead IT Corporate Governance Manager, 2017
RESILIA (cyber resilience) foundation and practitioner, 2015
Certified COBIT 5 Assessor and Implementer, 2014
COBIT 5 Foundation, 2013
Certified TIPA Lead Assessor for ITIL®, 2011
Certified ISO 20000 Consultant/Manager and internal auditor, 2010
(IT Service Management)
CGEIT, 2010
[CGEIT: Certified in the Governance of Enterprise IT]
Certified ITIL® V3 Expert, 2009
(Also hold all ITIL® V3 intermediary certifications)
Certified ITIL® V2 Master, 2008
Certified ISO 27001 Lead Auditor, 2008 (information security)
CISA (exam passed but certification not claimed)
Certified ITIL® V2 Foundation, 2003
Certified CMM Foundation, 2000
PROFESSIONAL INVOLVEMENT
Member of the Standards Council of Canada to contribute to the international ISO/IEC Subcommittee (JTC1/SC40/WG1) effort for the development and improvement of the norm ISO 38500 series – IT governance and IT service management (since 2009).
Member of the Standards Council of Canada to contribute to the international ISO/TC 309 - Governance of organizations (since 2020).
References on demand
CV available in French