JAY QAZI
***** ****** ******* **., *********, NC 28278 Cell: 980-***-**** Tel: 704-***-****
Email: *******@*******.*** LinkedIn: www.linkedin.com/in/jayqazi
GLOBAL IT & CYBERSECURITY OPERATIONS STRATEGY, GOVERNANCE, RISK & COMPLIANCE
CGEIT | CRISC | CISM | CISA | CISSP | COBIT 5 FOUNDATION & IMPLEMENTATION | ISO/IEC 27001 LEAD IMPLEMENTER | ITIL
25+ years of IT experience establishing strategy and governance for IT and security operations centers (SOC) at large, complex enterprises across multiple next-generation technologies and platforms. Aligns SOC vision, mission, and goals with corporate strategy. Adept at planning, defining, and executing security roadmaps, models, programs, and processes.
Proven ability to translate risks and business needs into the right technology-based security solutions
Planning and prioritizing investments in security resources to align with day-to-day SOC operations
Utilizing operational excellence methodology and KPIs to increase SOC maturity level through continuous improvement
Developing reports to keep corporate management apprised of global security threats and regulatory compliance
Highly motivated, self-starter and goal-oriented, taking ownership of deliverables and bringing them to completion
Team-player, exceptional at creating alliances, and solving problems by building relationships and consensus
KEY ACCOMPLISHMENTS
Established Aramco’s IT security operations center (SOC) post 2012 ‘Shamoon’ malware cyber-attack
Implemented global IT SOC functions across Saudi Aramco international subsidiaries with centralized monitoring
Developed and executed information security staff training and talent plan saving $4.5M in training costs
Deployed a $5.6M Master of Science in Information Security program, through Georgia Tech, for 105 security employees
Rolled out security awareness training for 70,000+ employees in the US, Europe, Mexico, and Asia
PROFESSIONAL EXPERIENCE
Sr. Director, IT Security Operations Strategy, Governance, Risk and Compliance
Saudi Aramco Dhahran, Saudi Arabia Sep 2011 – Jun 2020
Recruited to define, build, and implement IT strategy and governance; transitioned to establishing and managing the security operations center after a major cyber-attack. Reported to the Division Head and supervised departments and individuals.
Ensured IT and SOC strategy were aligned with short-, medium-, and long-term Aramco corporate objectives, and established the missing security operations functions after the 2012 major cyber-attack
Managed integrated cybersecurity functions – endpoint detection and response (EDR), identity and access management (IAM), continuous proactive monitoring and log management (SIEM), alert management, threat response, recovery and remediation, root cause analysis and compliance
Addressed advanced persistent threats (APTs), targeted attacks, DLP, malware, ransomware, ICS infrastructure, threat intelligence, CSIRP, third-party and insider threats, phishing, DDoS, exploit kits, and spam emails
Defined and implemented standardized operations across IT and security operations organization
Assessed security operations by conducting compliance, risk and maturity assessments using NIST and ISO standards
Addressed IT challenges – ineffective IT security governance, misalignment between business and IT security, lack of holistic view for IT security architecture, IT security workforce, program, project and change management
Developed application security framework using controls from OWASP, WASC and SANS Top 20, including DevOps
Established controls using NIST Cybersecurity Framework and ISO 27001 Information Security Standard
Reduced cybersecurity risks by applying the NIST RMF and the ISO 31000 Risk Management Standard
Enhanced security operations and infrastructure by standardizing policies, standards, baselines, processes, procedures, workflows, and support models
Partnered with vendors to identify services and products, and evaluated technical solutions; RSA Archer GRC, Cloud
Introduced KPIs, KRIs, and analytical reports for executive management, and coordinated ISO 27001 re-certification
Sr. Consultant, IT Security, Compliance and Risk Management
Shell Trading US Company Houston, TX Aug 2010 – Aug 2011
Designed and tested security and SOX controls for Shell Trading’s Control Access Monitoring (CAM) program.
Conducted risk and control identification reviews
Mentored and trained compliance staff
Operated logical access controls for SAP sensitive access, critical actions, and permissions
Sr. Manager, IT Security, Controls, and Compliance
Cooper Industries Inc. Houston, TX Feb 2009 – Aug 2010
Recruited by CIO to build and manage IT compliance department.
Established IT compliance functions, processes and procedures
Collaborated with Legal and HR to comply with HIPAA requirements
Reduced SODs by 90% by rolling out SAP Compliance Calibrator across 8 divisions
Remediated FY2008 SOX findings and collaborated with Ernst & Young on FY2009 SOX audit
Partnered with Legal, HR, and international divisions to deliver region-specific policies
Manager, Information Security and Compliance
Tyson Foods, Inc. Springdale, AR Jan 2006 – Feb 2009
Recruited to build Tyson’s IS and Compliance department. Managed a $1.4M budget with oversight of IT audit, compliance, IT security, firewall, SIEM, intrusion detection and prevention, e-discovery, and forensics functions.
Reduced SOX audit findings by 81% and segregation-of-duty conflicts by 90%
Established IS policies and procedures and developed and implemented compliance functions
Implemented and rolled out Security Awareness Training to 20,000 employees (US, Mexico, Asia)
Managed SOX 404 audits, and developed management action plans, KPIs, and metrics to reduce SOX findings
Took ownership of SOX open audit findings and drove them to remediation with a completion rate of 81%
Built strategic relationships across the enterprise and brought visibility to IS through monthly New Hire orientation
Partnered with Legal and Record Retention to engineer an e-discovery process
Established and optimized audit processes for internal and external (E&Y) audit teams
Sr. Consultant, Financial Management Systems
IBM, Corp. Fairfax, VA Oct 2003 – Sep 2005
Consulted on IT audit engagements, evaluating management’s assessment of IT general controls (ITGC), auditing IT components, performing SOX 404 testing, and administering SAP security and authorization.
Created Test of Design (TOD) and Test of Effectiveness (TOE) documents to verify controls
Performed gap analysis identifying differences between “As-Is” and “To-Be” audit processes
Previous experience (1994 – 2003) includes IT Project Management, Business Development, Technical Account Management, Network Management, Software Support Engineering, and Help Desk Support
EDUCATION
Master of Science in Finance
The George Washington University Washington, DC Sep 2003
Bachelor of Science (BSc) in Electrical and Bio-Medical Engineering
Duke University Durham, NC May 1994
FRAMEWORKS, LEGISLATIONS, METHODOLOGIES, PRACTICES, & STANDARDS
Frameworks
NIST Risk Management Framework (RMF)
ISACA Risk IT Framework
Critical Security Controls (CSC) for Effective Cyber Defense (SANS Top 20)
NIST Cybersecurity Framework (CSF)
Factor Analysis of Information Risk (FAIR)
Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53)
Committee of Sponsoring Organizations (COSO)
Control Objectives for Information Technology (COBIT) 5
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Sherwood Applied Business Security Architecture (SABSA)
Skills Framework for the Information Age (SFIA)
The Open Group Architecture Framework (TOGAF)
SOC 2
CSA Cloud Controls Matrix (CCM)
Legislations
Sarbanes-Oxley (SOX)
Health Insurance Portability and Accountability Act (HIPAA)
General Data Protection Regulation (GDPR)
Methodologies
US-CERT Capabilities
Lean Six Sigma
Practices
Open Web Application Security Project (OWASP)
ITIL
Standards
ISO/IEC 27001:2015 Information Technology - Security Techniques - Information Security Management Systems - Requirements
ISO/IEC 27002:2013 Information Technology - Security Techniques - Code of Practice for Information Security Controls
ISO/IEC 27005:2018 Information Technology - Security Techniques - Information Security Risk Management
ISO/IEC 31000:2018 Risk Management Guidelines
Information Security Forum (ISF) Standard of Good Practice for Information Security
Common Criteria for Information Technology Security Evaluation (Common Criteria)
Payment Card Industry Data Security Standard (PCI DSS)
Strategic Planning and Management Systems
Capability Maturity Model Integration (CMMI)
Operational Excellence (OE)
Balanced Scorecard (BSC)
PROFESSIONAL MEMBERSHIPS
Information Systems Audit and Control Association (ISACA) - www.isaca.org
International Information System Security Certification Consortium ((ISC)²) - www.isc2.org