Security Compliance & Risk Management
Resume:
Abdul Baqui
advnl6@r.postjobfree.com
Summary
● 10+ years of experience in Information Security Governance, Risk Management and Security Compliance
● Hands-on security experience working in both cloud and on-premises data center environments
● Ability to identify security gaps in the overall system design as well as configuration issues in individual components
● Hands-on experience with a broad range of AWS services including IAM, EC2, S3, VPC, KMS, Security Hub, Config, Trusted Advisor, etc.
● Manage the certification and accreditation activities for various frameworks including ISO 27001, PCI DSS, SOC1/2 and HITRUST
● Demonstrated experience working across multiple compliance domains concurrently and applying security best practices across an organization
● Conducted risk assessments, identification, analysis, evaluation and treatment, using ISO 27005
● Perform planning/scoping and liaising with auditors and manage related audits
● Perform internal audits and report on non-conformities and opportunities for improvement
● Establish and conduct compliance reviews and audit initiatives and maintain documentation of compliance activities to support audit requests
● Collaborate with Development, SRE, IT, HR, product management, product owners and project teams on security and compliance requirements
● Perform vendor security reviews
● Keep informed regarding industry changes, trends, and best practices and assess the potential impact of these changes on organizational processes
● Strong background in software quality, penetration testing, technical validation, static/dynamic analysis
● Strong verbal and written communication skills as well as strong analytical and problem-solving abilities. Excellent English language, grammar, and spelling skills for writing, editing, and proofreading
● CISSP, CISA, CCSFP, ISO 9001 Internal Auditor, ISO 27001 Internal Auditor Areas of Expertise
● Requirements analysis & mapping Information security policy & documentation development Compliance-related training and education Auditing Risk management SOC2, PCI DSS, HIPAA, HITRUST, ISO 27001
● AWS (IAM, EC2, S3, Security Hub, Config, Trusted Advisor, CloudWatch, CloudTrail, etc.)
● Splunk, Prisma Cloud, Burp Suite, OWASP ZAP, Nessus, Nmap, Kali Linux, Sqlmap Work History
Senior Technical Compliance Engineer
Zoom Video Communications (February 2022 - February 2023)
● Coordinated with internal stakeholder teams to validate the implementation of security compliance controls for technical, management, and operational requirements
● Identified, validated, and maintained continuous compliance of CIS benchmark and AWS Best Practices across AWS Production Accounts
● Validated projects related to security findings, and improvements
● Evaluated continuous compliance against frameworks such as SOC 2, ISO 27001, HIPAA, HITRUST, and PCI as well as internal security standards
● Identified opportunities to leverage automation to reduce time and effort required for compliance control validation, evidence collection, and artifact generation
● Monitored and analyzed security risks and metrics to identify themes, trends, correlations and variances
● Supported the development of technical material, operational processes, security policies, and other core documents
Senior Security Architect (Security Compliance & Risk Analyst) TIBCO April 2018 - February 2022
● Developed, updated, reviewed and maintained the Information Security Management System
(ISMS) policies
● Plan and manage concurrent certification activities across information security frameworks, using expertise to map requirements across frameworks, reduce costs, and create significant time savings
● Translate complex framework requirements into actionable information security deliverables, aligning compliance activities with day-to-day work processes
● Prepare and qualify teams for certifications, training and guiding teams in adopting information security policies and procedures to ensure successful certification and build a culture of compliance
● Conducted risk assessments using the ISO 27005 methodology
● Conducted internal audits to identity major / minor non-conformities, and opportunities for improvement (OFIs), followed up with teams to address the non-conformities as per company guidelines
● Managed the certification and accreditation activities from inception to completion for various frameworks including ISO 27001, PCI DSS, SOC1/2, HIPAA and HITRUST
● Performed planning/scoping and liaising with auditors and manage related audits
● Established and conducted compliance reviews and audit initiatives and maintained documentation of compliance activities to support audit requests
● Collaborated with Development, SRE, IT, HR, product management, product owners and project teams on security and compliance requirements
● Used A-scend, GRC tool from A-LIGN, to manage evidence gathering and validation, and conduct audits
Security Validation Engineer
TIBCO September 2015 - March 2018
● Perform static analysis, generate reports, meet with developers, identify vulnerabilities, and schedule fix based on severity
● Perform blackbox penetration testing, manually verify vulnerabilities, determine severity and work with developers to schedule fix
● In-depth hands-on experience in monitoring, detecting, reporting security weaknesses, and enforcing information security policies
● Establish, communicate and maintain information security standards, procedures and guidelines Integrate information security requirements into organizational processes
● Security risk assessment and risk register
● Coordinated Business Continuity Plan development and testing
● Coordinated Incident Response Plan development and testing
● Research new threats and update organization on fixes and patches
● Aligning company’s security objectives with Critical Security Controls
● Maintained up to date PCI DSS, HITRUST, SSA16 and FedRAMP compliance ISO 27001 certification for one line of business in progress
● Bring Security Awareness by way of brown-bag presentations and demo of vulnerabilities and tools
● Used A-scend, GRC tool from A-LIGN, to manage evidence gathering and validation, and conduct audits
Security Validation Engineer
Intel Corporation Jul 2013 - Aug 2015
● Perform static analysis, generate reports, meet with developers, identify vulnerabilities, and schedule fix based on severity
● Perform blackbox penetration testing, manually verify vulnerabilities, determine severity and work with developers to schedule fix
● In-depth hands-on experience in monitoring, detecting, reporting security weaknesses, and enforcing information security policies
● Establish, communicate and maintain information security standards, procedures and guidelines Integrate information security requirements into organizational processes
● Evaluate tools for static analysis
● Research new threats and update organization on fixes and patches
● Incident Response Handling for issues in Production after releases
● Business Continuity and Disaster Recovery Planning
● Aligning company’s security objectives with Critical Security Controls
● Helping company maintain PCI DSS, HITRUST, SSA16 compliance
● Bring Security Awareness by way of brown-bag presentations and demo of vulnerabilities and tools
Senior Software Quality Assurance Engineer
Mashery Apr 2011 - Jun 2013
● Collaborated in Product Backlog, Sprint Backlog and Sprint Planning meetings Developed Test Plans from BRDs, FRDs and User Stories
● Reviewed Test Plans and Test Cases of team members and contributed to improvements in text coverage.
● Trained new QAs on company products and testing tools like Behat, JMeter
● Developed and executed test cases manually and using Selenium RC / Webdriver Owned complete QA for two of the company’s most important products, Debugger and Mashery Local, an on-premise solution for the cloud computing solution
● Debugged customer issues and actively resolved issues to customer satisfaction Guided Customer Support Managers with product demonstration and configuration Interviewed candidates for various positions in the company including Technical Writers, Developers and Quality Assurance Engineers
● Introduced software security testing
● Lead for security testing, used Whitehat dynamic analysis and Checkmarx static analysis tools Executed pen testing for OWASP top 10 and SANS top 25 vulnerabilities
● Facilitated information security awareness training Senior SDET
Keas May 2009 - Apr 2011
● Developed and executed test cases manually and using Selenium RC for the consumer facing web site
● Developed and executed test cases manually and using RIATest for the flex based Plan Authoring Tool (PAT) used by doctors and health professionals to develop health care plans.
● Tested metrics on the MySQL database using Workbench and command line. Tested the application on Windows and Mac OS using IE, Firefox, Chrome and Safari
● Actively participated in the product brain-storming sessions and sprint planning
● Reproduced customer issues and followed through to resolution
● Developed production checklist to smoke test the application before releasing to customers
● Responsible for coordinating the build release and following through with updates to all the stakeholders
Software Quality Assurance Engineer
Veodia May 2008 - Mar 2009
● Managed Front End functional testing of the flash / flex based video application using both Windows and Mac OS X on IE / Safari / FF / Chrome
● Conducted Back end testing which included database, Ingest Unit (IU), Outgest Unit (OU), WebApp, etc.
● Coordinated Performance and Load testing of the Veodia video application to find out memory / CPU usage during loads of 50 / 100 / 200 users under various scenarios
● Involved in System and User Acceptance Testing.
● Evaluated QTP and RIATest for flash automation testing. Selected RIATest for automation as it provided an economical solution for Veodia flash application
● Used Splunk to monitor logs and debug exceptions / errors and provided accurate bug logs to developers
Product Development Engineer
Intel Corporation February 2000 - March 2007
Education
University of South Alabama 1999
Master of Science in Electrical Engineering, Electrical and Electronics Osmania University 1996
Bachelor of Engineering in Electronics and Communications Engineering, Electronics and Communications Engineering
Licenses & Certifications
CISSP - (ISC)
554386
CISA - ISACA
18145548
Certified Common Security Framework Practitioner (CCSFP) - HITRUST 59026
Contact this candidate