JAWAID IQBAL FAZL KARIM
PO Box *****, Al Khobar, Saudi Arabia
Email : ******@*******.***, ******@****.***
Cell Phone: 009**-***-***-***
SABSA Chartered Security Architect Foundation / Practitioner (Trained)
QMS 9001 LA
ISMS 27001 LA
Profile
Digital Transformation agent with extensive information technology, information security, security architecture and Governance, Risk & Compliance (GRC) expertise, achieving unparalleled results while bridging the gap between technical experts and company executives and boards. Seasoned leadership and management skills, with the ability to organize technology projects, improve team efforts and positively influence individuals and teams to produce. Adept interpersonal, oral and written skills with individuals and teams at all levels throughout any organization.
Skills
Information Governance
IT Governance Framework
IT Policies, Procedures, Roles & Responsibilities
Information Risk Assessment & Compliance
Information Security Program Management
Information System Governance – APQC’s PCF
Enterprise Security Architecture:
SABSA Enterprise Security Architecture
Security Design and Architecture Review
Business Architecture and BPM
Enterprise-wide Change Management
Virtualization & Cloud Computing
Information System Security and Audit
Information Systems Audit Program Development
IT network, System & Application Security
Incident Response, Business Continuity Planning
Vulnerability Assessment & Penetration Testing
Data Protection and Regulatory Compliance
Legal and Regulatory Compliance
Standards Implementation & Compliance
ISO 27001/2, ISO 20000, COBIT 5, ITIL, PCI DSS, HITRUST
ISO 22301 – Business Continuity, NCEMA, NESA
NIST Cyber Security Framework, NIST 800-52/53, 800-82
ISA/IEC 62443, NERC CIP v3/v6, Cyber Resilience Review
SAMA Cyber Security Framework, NCSC Cybersecurity Controls
SWIFT Customer Security Controls Framework
Digital Forensics and Threat Analysis
Development and implementation of digital forensics policies and systems
Forensic report development
Testing and validation of mobile application functionality
Project Delivery & Operational Excellence
Corporate Planning & Strategic Technology Initiatives
Emerging Technology Assessments
Team Building and Management
Knowledge Management
Accomplishments
Leadership
• Developed and implemented an enterprise security strategy and framework consisting of strategically integrated elements of SABSA, ISO 27001/27002 and the SANS Critical Controls.
Strategy and Planning
• Developed, established and implemented security policies, procedures, standards and guides and frameworks.
Team Collaboration
• Collaborated with company departments to establish a security framework to accomplish IT security objectives and leverage common tools to reduce cost
• Defined and established a unified program-wide approach to address IT security issues and mitigate security risks
Project Management
• Managed project planning and delivery related to the information security framework, SOC implementation and security audits.
Areas of Experience
Industries:
Manufacturing, Engineering, Financial Services and Utilities
Technology Profile
Enterprise Architecture Frameworks: The Open Group – TOGAF; Zachman; SABSA
Defensible Security Architecture: Zero Trust Architecture, Routers & Switches (L2, L3), Firewall, NGFW, NIDS/NIPS, Active Directory, VPN, IPSec, Encryption and Cryptography, Sandboxing, PKI, Digital Signature, Endpoint Detection & Response (EDR), Security Monitoring (SIEM)
Data-Centric Security: Full Stack Security Architecture (Web Server, Application Server, Database Server), Web Application Firewalls, Data Loss Prevention (DLP), Mobile Device Management, Mobile Application Management, Data Governance
Project Frameworks and Methodologies: Microsoft Solution Framework, Agile (Scrum, XP), Project Management BOK
Architecture Methodologies: Service Oriented Architecture, Cloud Computing Architecture, Enterprise Application Integration, Webservices, microservices
Architecture Tools: ADOit, ADONIS, BizzDesign, Enterprise Architect
Audit or Risk Management Software: Pentana, MetricStream, SimpleRisk, AutoAudit software
Frameworks/Change Management Tools: Team Foundation Server, Visual Studio Team Services, GIT
COBIT/COSO/ISO 27001/ITIL/SABSA: Orbus, ManageEngine, MOF
Systems and Software: Windows Servers, MS Exchange, MS SQL, Oracle, MS Azure
Vulnerability and Event Correlation Tools: Rapid7, McAfee Enterprise Security Manager (ESM), Nessus, Qualys
Penetration Testing Tools: Metasploit, Kali Linux, Cuckoo Sandbox, IDA, OllyDbg, WinDbg, metasm, ltrace, strace, volatilitux, Sleuth Kit, Burp, OpenVAS, Nessus, Nexpose, nmap, w3af, TamperData
Digital Forensics: SANS SIFT, Volatility Framework, The Sleuth Kit (+Autopsy), CAINE, Xplico, FTK, X-Ways Forensics
Security Operation Center: Splunk, ELK Stack (Elasticsearch, Logstash, and Kibana)
Languages/Technologies: Java, C++, ASP, HTML, DHTML, PL/SQL, SQL, UML
Databases: Oracle 8i/9i/10g, SQL Server, MS Access
Cloud: Windows Azure, Amazon EC2
PROFESSIONAL WORK EXPERIENCES
Cyber Security Consultant / Director
Period December 2017 to Present
Golden Rocks Services / AlShorouk Business Optimization Solutions – Cyber Risk and Security Consultancy
Information Security, Governance, Risk Management, and Compliance (GRC) Services Provided:
o Lead IT risk and control assessment; business impact analysis; risk mitigation and corrective action plan development, documenting and tracking risk mitigation efforts; analysing business processes and developing process improvement plans; implementing a governance framework; developing policies, standards and procedures to comply with organizational, regulatory and industry requirements; security awareness training; specialized training for technical staff and executives.
o Lead the development of the enterprise information security framework, ensuring data integrity, confidentiality and availability of information as well as creating controls on how data is processed by the organization.
o Lead development of security architecture based on the SABSA Security Architecture Framework.
o Developed methodologies to perform risk assessment, business impact analysis, and security assurance to improve systems and operational security.
o Lead the development, implementation, improvement and effective management of security processes, programs, procedures and policies (BCP, incident response planning, risk management, vulnerability management, and privacy) to meet regulatory requirements.
o Lead research and development of intrusion prevention models using a trusted framework and an anomaly approach.
o Lead creation of the IT security technical reference architecture and documented current-state security capabilities, current-state gaps and a future-state roadmap aligned with IT and business strategies.
o Lead evaluation, selection and implementation of the following tools: Governance, Risk and Compliance (GRC), security information and event management (SIEM), automated penetration testing, application whitelisting, Data Loss Prevention, intrusion detection and prevention systems (IDS/IPS), web filtering, malware defence systems for endpoints and the network perimeter, and mobile device management.
o Lead projects in the areas of Identity and Access Management, perimeter defence, wireless security, compliance audit, and evaluation.
o Lead development of appropriate metrics and analytic reporting in order to have a solid understanding of operational issues and provide valuable reporting to the stakeholders.
SOC and Threat Management: Lead the development, implementation and management of standard operating procedures for the monitoring and incident handling program, network cyber security platforms, the digital forensics and e-discovery program, vulnerability management, penetration and application testing activities, and threat intelligence and threat hunting programs.
Lead implementation of an automated process to manage change management for all security-related infrastructure and architecture changes.
Financial Sector Compliance Services
o Carried out compliance review of the following areas with respect to the Saudi Arabian Monetary Authority's applicable standards and procedure guidelines:
Saudi Payment Network – SPAN
Saudi Arabian Interbank Riyal Express
PCI DSS Compliance Review
Utilities Sector Cybersecurity
o NIST Cybersecurity Framework Compliance and Maturity Assessment
Identify gaps in NIST CSF implementation
Identify the maturity level of Functions in accordance with the Capability Maturity Model
Identify areas of improvement and recommendations to improve the capability maturity level.
ITQMS MANAGER
Period August 2003 to August 2017
Pan Gulf – Al Khobar, Saudi Arabia
Information Security Architect
o Subject matter expert and security architect for all security efforts across multiple IT programs. Advised executive management and representatives on security best practices for systems providing data to critical operations. Worked closely with users and technical personnel to evaluate, design and select solutions that suited their needs.
Security architect for integration of multiple products to form defence-in-depth strategy for corporate information technology assets.
Policy formation and integration with security practices
Implemented a penetration testing program for web architectures based upon the OWASP Top 10. Tested for XSS, SQL injection and other common vulnerabilities.
Led the risk assessment and reporting team, resulting in an 80% reduction in security findings.
Chief architect of infrastructure security practices to include virtualization technologies which were used as a model for all future customer sites.
o Established the security and change/configuration management policies and procedures; advised on and implemented infrastructure support for local/regional units and their expansion by providing the implementation, oversight and management of network, operations, LAN, storage, PCs and client servers.
o Planned the infrastructure and operations for data centres and successfully supported them locally and remotely, including disaster recovery.
o Led implementation of security policies and procedures that focused on upgrading firewall, network, virus/spam protection tools, messaging systems and protection of agency-sensitive information.
o Managed all external vendors, production support, LAN, enterprise architecture, enterprise systems, mobile handset management, data warehousing and disaster recovery. Also determined capacity plans and managed project teams regionally.
o Managed systems vulnerability assessment and penetration testing.
o Monitored security vulnerabilities, network and host intrusion detection/prevention systems, access rights and authorization of user IDs and group/profile memberships.
o Information Security Awareness and Training
Information System Risk Assessment and Auditing, Business Continuity
o Document and maintain a Risk Management Framework and provide guidance and support to management on the tools and systems to monitor organizational and operational risk.
o In conjunction with the executive and management team, develop a risk management strategy.
o Develop the tools to allow leadership to maintain a Business Continuity Plan across all units. Assist business units with:
Assessment of potential business impact.
Definition of critical, time-sensitive functions.
Design, development, and documentation of work area (business function) business continuity plans.
o Recommend recovery strategies and options, and assist with the implementation of recovery solutions.
o Coordinate business continuity plan exercises.
o Develop schedules for training / awareness for business units.
o Coordinate development of business unit schedules for annual business continuity documentation, maintenance and update, exercises, and independent review and validation.
o Report the business continuity status of business units to senior management.
o Provide expertise and support to management and business functional areas, as requested, when a business disruption occurs.
o Leads the design, implementation, operation and maintenance of the Information Security Management System based on the ISO 27000 series standards, including certification against ISO 27001 where applicable.
o Leads or commissions the preparation of, and authorizes the implementation of, necessary information security policies, standards, procedures and guidelines, in conjunction with the Security Committee.
o Leads the design and operation of related compliance monitoring and improvement activities to ensure compliance both with internal security policies and with applicable laws and regulations.
o Leads or commissions suitable information security awareness, training and educational activities.
o Leads or commissions information security risk assessments and controls selection activities.
o Leads or commissions activities relating to contingency planning, business continuity management and IT disaster recovery in conjunction with relevant functions and third parties.
o Leads identification of security solutions, testing and recommendations.
o Vetting new applications using the application security checklist.
o Reviewing and updating information security policies.
o Performing risk-based audit and reporting for IT systems in the areas of:
Software Development and Testing;
Software Changes;
Data Processing Input and Output;
Application Controls; Access Control; Utilization; and Operational Readiness.
o Identifying and auditing the IT general controls for adequacy, collecting and analyzing samples for testing the effectiveness of the controls.
o Perform SDLC audits for in-house developed applications.
o Perform key compliance audits and identify critical IT vulnerabilities / issues in applications which could lead to revenue leakage.
o Analyze risks related to new technologies (convergence technologies).
o Provide support to cross-functional entities on information security requirements.
o Prepare a standard audit program in line with the IS Policy and ISO 27001.
o Prepare and update the network assessment methodology.
o Review detailed BCP for disaster recovery and identify and report audit risks.
o Prepare questionnaires for various departments to identify the organization's information security needs.
o Identify security products, evaluate them and provide a proof of concept based on different security technologies to the team.
o Conduct internal investigations relating to information leakages.
o Develop information security policies and procedures.
o Monitor security vulnerabilities, network and host intrusion detection/prevention systems, access rights and authorization of user IDs and group/profile memberships.
o Information security risk assessment, documentation and remediation.
o Incident monitoring, response, investigations and reporting.
o Information security awareness and training.
Organization Learning and Knowledge Management
o Analysis of user information and knowledge needs, for example through questionnaires, interviews, focus groups and other relevant methods. These analyses focus on particular staff groups or networks working on topics of common interest and involve staff in all organizations of the group.
o Contributing results of analysis to the design, delivery, maintenance, evaluation and development of online information and knowledge systems to meet the needs of target audiences.
o Promote knowledge sharing among Pan Gulf organisational units through its operational business processes, strengthening links between knowledge sharing and information systems, and improving integration of information systems.
o Maintain a pro-active view of the organization's capability to deliver service by trending against performance and quality statistics.
o Analyze organizational competency and capability requirements against the long- and mid-term strategic plan.
o Develop a competency framework that aligns organizational Talent Management objectives with corporate goals and provides positive operational outcomes.
o Training conducted:
ISO 27001:2005 Awareness
ISO 27001 and Internal Control
Strategic Leadership Imperatives
Transformational Leadership
Leadership and Emotional Intelligence
Risk Management: Concept and Implementation
Scenario Analysis and Risk Management
Balanced Scorecard and Implementation
Data Analysis Effective techniques
Six Sigma Champion
INFORMATION MANAGER
Period Jan 1998 to November 2000
Juma Al Majid, Dubai, U.A.E
Description of Role:
o Undertake a short-term enterprise-wide high-level review of Working Links IT systems, and produce a technical document. Scope included Business, Application, Infrastructure, Data and Security architecture.
o Document included identified concerns and issues which would be risk assessed and resolved by the business-as-usual IT team.
o Provided solution architecture support for project development and maintenance activities.
o Developed a portfolio of business solutions to improve productivity.
o Provided guidance to the marketing team during the project launch phase.
o Proposed new architectural frameworks based on business trends.
o Performed upgrades to solutions to meet changing business needs.
o Participated in development of the business plan and financial models.
o Participated in business development discussions with cross-functional teams.
o Carried out performance and scalability assessment activities.
o Co-ordinated test procedures, activities, testing, integration testing, and the system configuration tool.
o Designed and executed manual test plans and test scripts for complete modules and/or workflows.
o Converted business requirements into test plans and test cases.
o Worked closely with software developers to develop test specifications and build test cases to rigorously test product functionality and investigate all potential product test failures.
o Bug fix verification and validation.
IT MANAGER
Period January 1993 to June 1995
Wahid Industries Limited, Gujrat, Pakistan
Description of Role:
o Plan, organize, direct, control and evaluate the operations of information systems and electronic data processing (EDP)
o Develop and implement policies and procedures for electronic data processing and computer systems operations and development
o Meet with managers to discuss system requirements, specifications, costs and timelines.
o Hire and manage information systems personnel and contractors to design, develop, implement, operate and administer computer and telecommunications software, networks and information systems.
o Carry out all technical requirements for the systems, including system planning, set-up and enhancement, with close information exchange with future users.
o Define functionalities according to data, retrieval and information needs.
o Establish and maintain a structure to effectively identify and handle data for targeted efforts.
o Establish quality control, presentation and information, and installation to ensure accuracy and integrity of the database, and act as focal point for all related questions and functions with support and advice.
o Control the computer systems budgets and expenditures.
o Ensure technology is accessible and equipped with current hardware and software.
o Installation of Oracle software and databases.
o Maintaining strong database-level security.
o Upgrading and patching Oracle software and databases.
o Deployment of strong disaster recovery plans as per SLA.
o Performance tuning and proactive database tasks.
o Maintain proper documentation for future usage.
EDUCATIONAL QUALIFICATIONS
Master in Computer Science: The University of Punjab – Pakistan in 1991
Bachelor in Science: The University of Punjab – Pakistan in 1988.
INFORMATION TECHNOLOGY QUALIFICATIONS ACHIEVEMENTS
CERTIFIED IN THE GOVERNANCE OF ENTERPRISE IT - CGEIT
CERTIFIED INFORMATION SECURITY MANAGER - CISM
CERTIFIED INFORMATION SYSTEMS AUDITOR – CISA
CERTIFIED IN RISK AND INFORMATION SYSTEM CONTROL – CRISC
EC-Council Certified Information Security Officer
SABSA Chartered Security Architect Foundation - SCF
CERTIFICATE OF CLOUD SECURITY KNOWLEDGE – CCSK
CERTIFICATE OF TOGAF FOUNDATION
CERTIFICATE IN SOFTWARE QUALITY MANAGEMENT
ISO 27001: 2007 Information Security Lead Auditor.
ITIL v4 Foundation
COBIT 2019 Foundation
GIAC Security Training
GIAC Security Leadership Certificate - GSLC (SANS MGT 521 SANS Security Leadership Essentials)
GIAC Security Essentials (GSEC) - SEC401: Security Essentials Bootcamp
GIAC Continuous Monitoring Certification - SEC511: Continuous Monitoring and Security Operations
Global Industrial Cyber Security Professional (GICSP) - ICS410: ICS/SCADA Security Essentials
GIAC Critical Control certification – GCCC (SEC566: Implementing and Auditing the Critical Security Controls - In-Depth)
GIAC Certified Forensic Examiner (GCFE) - SANS FOR408 (FOR500) Windows Forensics
IT Management Training
ITIL V3 Foundation
COBIT 5 Foundation
SOA Certified Professional SOACP
ORGANIZATIONAL EXCELLENCE
ASQ CERTIFIED MANAGER OF ORGANIZATION EXCELLENCE / QUALITY
Six Sigma Black Belt
QUALITY, HEALTH & SAFETY, ENVIRONMENTAL AUDIT QUALIFICATIONS
ISO 9001:2008 Quality Management System Lead Auditor
OHSAS 18001:2007 Auditor
ISO 9001:2000 & Process Mapping
PROJECT MANAGEMENT QUALIFICATION ACHIEVEMENT
Software Project Management
Project Management
IT CPE
Private Cloud Computing and Infrastructure Management
Windows Server 2012 R2 Storage Jump Start: New Choices
Microsoft Desktop Virtualization
System Center 2012 SP1: Capabilities
Introduction to Hyper-V Jump Start
Introduction to the Microsoft Private Cloud
Private Cloud Computing and Infrastructure Management
OTHER QUALIFICATION ACHIEVEMENT
Neuro Linguistic Program Practitioner
Certified Process Professional
Certificate Total Performance Scorecard
Member of ISACA
Member of ISSA
Member of American Society of Quality
Member of International Society of Performance Improvement
Personal Data
Nationality : Pakistan
Contact Telephone : 009***********
Home Telephone : 009***********
Email Address : ******@*******.***
Marital Status : Married with 5 children
Permanent Address in Pakistan : Faizabad, Street No.8, Gujrat, Pakistan
Phone No in Pakistan : 009***********
Miscellaneous Information
Driving License
Hobby: Reading and Research
Competent Communicator and Competent Leader as per Toastmasters International
Management Skills
Leadership
o Motivates employees and utilizes their skills and knowledge.
o Demonstrates values and communicates them to the team as part of team expectations.
o Plans team direction and key outcomes to align with organizational strategy and objectives.
o Strategic planning, development, implementation and review meet the business needs and are reflected in team plans.
Budget Management
o Effectively plans, controls and executes the budget.
o Balances spending and saving, and appropriately allocates resources.
Performance Development and Management
o Motivates employees as part of reviewing their progress and supporting them to achieve their goals.
o Facilitates individual employee development programs in line with the Performance Development Policy.
o Gives employees regular, timely and balanced feedback about their performance.
o Poor performance is managed effectively, and in accordance with the Counselling, Discipline & Termination Policy.
Effective Communication
o Employees are treated with respect and are given equitable access to resources and support.
o Speaks and writes in a manner that clearly, succinctly and appropriately transfers knowledge and delivers relevant information to employees.
Cultural Competence
o Able to respect the cultures of other people
o Able to communicate effectively with people from diverse backgrounds and uses interpreter services.