Ebenezer Owusu-Afriyie
CISM, CISA, CDPSE, CEH, ECSA, C CISO, ISO 27001:2013 LA
PROFILE
Over 14 years of networking, GRC and Security/Privacy experience.
Computer system, information technology and Information Security Management educated.
Collaborative, approachable, positive and authentic.
Extensive experience including:
o Working with multiple vendors and open-source technologies.
o Information Security Auditing/Implementing ISO27001 framework and conducting ISO27001 Certification Audits
o Vendor Risk Assessment
o Developing robust information security architectures with an Agile Project Management delivery methodology and assisting in the development of client IT and security strategies.
o Implementing ISO27001 and providing training for clients
o Cyber security workshops, vendor and risk assessments.
Track record of building successful relationships across all organizational levels, high achievement and motivation.
Experience working with, reporting to, and managing geographically dispersed teams.
PROFESSIONAL EXPERIENCE
MUFG Investor Services
Associate Director, IT, Information Security Manager
Oct 2022 – Present
Tasks summary:
Conducting Vendor and monitoring Risk Assessment
Administer security awareness training assignments and follow-up for annual training, new joiners (incl. Contractors) and long-term leave returnees. Streamline and document the process followed.
Provide support in carrying out systems assessments using the SISRA module in the vendor portal, documenting the rationale for assessment points, following up with the owner, etc. and determining any issues that should be documented clearly in our vendor portal.
ISMS / Security frameworks lead – ISO 27001, NIST Cyber Security Framework
o Driving the adoption of these standards at a global level
o Operating an Information Security Management System (ISMS) - the global management system for information security which drives our security posture
o Engagement across multiple departments / teams, to secure their support in the adoption and operation of controls required
Policy & Procedures – review, development and implementation
o Management of the information security policy suite - annual review, updates in line with risk posture / ISMS requirements
o Providing guidance to IT Security Operations in the development of Information Security Procedure documents
Security risk management – framework development, implementation and risk identification facilitation
o Development and implementation of an appropriate framework for the timely identification of information security and related risk
o Engagement with internal teams, such as Operational Risk, to ensure alignment and consistency in the assessment of risk
KPI and KRI development – monthly reporting to CRC, EC and Information Security Governance Committee
o Development of metrics - both KPIs and KRIs - to provide timely and accurate reporting on performance to internal committees and Boards
Third party security assurance – operating on-going assurance processes
o In conjunction with Vendor Management, developing and implementing a security assurance process for ensuring that appropriate information security assurance is obtained from vendors where information security is a requirement
Data Privacy
o Supporting the Data Protection Officer in meeting the security requirements of relevant privacy legislation through the design and operation of effective controls
MUFG Investor Services
Information Security Manager
Dec 2019 – Oct 2022
Tasks summary:
ISMS / Security frameworks lead – ISO 27001, NIST Cyber Security Framework
o Driving the adoption of these standards at a global level
o Operating an Information Security Management System (ISMS) - the global management system for information security which drives our security posture
o Engagement across multiple departments / teams, to secure their support in the adoption and operation of controls required
Policy & Procedures – review, development and implementation
o Management of the information security policy suite - annual review, updates in line with risk posture / ISMS requirements
o Providing guidance to IT Security Operations in the development of Information Security Procedure documents
Security risk management – framework development, implementation and risk identification facilitation
o Development and implementation of an appropriate framework for the timely identification of information security and related risk
o Engagement with internal teams, such as Operational Risk, to ensure alignment and consistency in the assessment of risk
KPI and KRI development – monthly reporting to CRC, EC and Information Security Governance Committee
o Development of metrics - both KPIs and KRIs - to provide timely and accurate reporting on performance to internal committees and Boards
Third party security assurance – operating on-going assurance processes
o In conjunction with Vendor Management, developing and implementing a security assurance process for ensuring that appropriate information security assurance is obtained from vendors where information security is a requirement
Data Privacy
o Supporting the Data Protection Officer in meeting the security requirements of relevant privacy legislation through the design and operation of effective controls
Bell Canada
Technical Security Consultant
Nov 2018 – Oct 2019
Developing and implementing security practices; responsible for delivery of security services to the business and assisting in the development of client security architecture
Tasks summary:
Security architecture design, technology integration, and configuration
Development of standard builds for security technologies
Pre-sales support for security services
Performing physical PenTest
Security Framework: NIST, ISO27001
Conducting Cyber Security workshop
Security Assessment
Firewall and Switch Audit
Consulting with clients and preparing reports based on my
Mobile Penetration Testing
Major clients include:
Insurance Company, PEI February 2019
VPN Tunnel Configuration
Task Summary:
Configure firewall on site
Setup internet connection
Configure VPN tunnel
Setup encryption and test the connection to make sure it was working.
Test the connectivity from both sides of the tunnel
Provide summary report to the client along with answering any questions that came up
New Brunswick Power February 2019
Hardening Cisco Layer 3 Switch
Task Summary:
NB Power requested a Layer 3 switch configuration assessment with recommendations on hardening it, as well as a recommendation on whether the device needed an upgrade.
Conduct configuration review of the switch
Conduct presentation on my findings and my recommendation
Wrote a detailed report, including configuration to harden the device.
Conducted final workshop after the report, presented it and answered any questions that came up.
Network Innovations April 2019
Cyber Risk Management Services (Assessment Workshop)
Task Summary:
Conducted on-site assessment of client infrastructure and interviewed IT staff to gather the current state of IT infrastructure, process and staff deployment, specifically for the design and maintenance of their security program.
Conducted an on-site assessment workshop gathering information on the following:
o Services / Critical Business Assets (Current State)
o Business Services (Target State)
o Attack Surface Information
o Compromise Assessment
Develop high-level summary of information gathered during the workshop
Provide high-level recommendations based on information gathered during the workshop
Cape Breton Regional Municipality April 2019
Network Security Audit
Task Summary:
Conducted high-level security assessment and policy review for CBRM. The assessment consisted of testing and reviewing CBRM firewall, physical security, policy review etc.
Conducted Physical Security Review - A review of physical security controls and testing of controls to identify weaknesses in physical management of information assets and information systems
Conducted policy review - An assessment of current information security policy statements against a comprehensive framework for policies to address information security management, drawn from industry accepted standards and best practices.
Conducted Firewall rules - Testing of firewall and review of firewall rules and access lists, both ingress and egress. Overview of Unified Threat Management system and recommendations on conforming to industry standards.
Conducted remote access review - Review of remote access configuration to determine if appropriate measures have been implemented to reduce the risk level of offering network access services over the public Internet
Conducted Endpoint protection review - Assessment of endpoint protection strategy, implementation, and capability to reduce the risk of infection from malware.
Conducted Office 365 Assessment - Review of implementation strategy of Office 365 and related services, including technical reviews to optimize configuration settings for security
Wrote a high-level detailed report consolidated with other work that was conducted by Pentest Team
Provided detailed recommendations to improve their infrastructure and security roadmap including strategic technology recommendations for the next 3–5 years based on observations during the engagement.
New Brunswick Power June 2019
Endpoint Protection System Selection
Task Summary:
Conducted evaluation for the current NB Power endpoint protection environment vs other capabilities that exist leveraging the existing and new technologies to further enhance the endpoints.
Review technical architecture
Review applicable security strategy and policy
Review internal and external compliance requirements
Review current endpoint protection environment, including licensing current state
Identify and categorize endpoint protection Needs, Wants, and Nice-to-Haves
Research potential endpoint protection solutions
Present comparative matrix of options and projected cost
Marine Atlantic July 2019
ASA Cleanup Review
Task Summary:
Review ACL against firewall industry best practice
Review Routes, certificates and NAT statements for relevance
Provided a list of IP addresses (from the ACLs, NATs, routes) and certificate details to Marine Atlantic for review.
Responses needed will include:
o Is the IP address still in use?
o Is the applicable ACL / route / NAT / Certificate still required?
o If the item is identified as being present on both of their ASA devices, is it needed on both or only one ASA?
Implement the changes after clean up upon Marine Atlantic approval
Create a list of recommendations on service changes, removals, enhancements
Make recommendations based on CIS Benchmark to harden the ASA
Provided a detailed report for the recommendations.
Create follow-up SOW for any service oriented changes based on recommendations
Bulletproof Solutions
Security Operations Analyst
May 2018 – Nov 2018
Planning, installing, and supporting network security
Tasks summary:
Conduct daily threat feed for clients
Threat hunting
Phishing email assessment
Making security changes to various clients based on access we have to their infrastructure
Conducting daily threat hunt based on assigned client
Bulletproof Solutions
Governance Risk & Compliance Consultant
June 2017 – May 2018
Tasks summary:
Responsible for leading and executing Professional Services including Governance, Risk and Compliance, specializing in technical reviews that include network security architecture, vulnerability assessment and penetration testing for gaming networks to comply with World Lottery Association best practice for security controls.
Performed the following security audits:
Data Analysis
Matching controls and making sure they are compliant with the ISO standard
Provide system analysis for lottery and gaming systems throughout the software development lifecycle. Drive business, technical and system requirements analysis specific to gaming systems
Clearwater Seafoods
IT Operation Analyst/Network Analyst
Mar 2015 – May 2017
Tasks summary:
Worked with ISP on improving network infrastructure and was responsible for wireless implementation and support for all locations, as well as for updating network diagrams. Led efforts related to configuring and setting up routers/switches for unified communication projects, and implemented and supported VPN for all sites. Responsible for clearing wiring closets and following standard cabling for all locations, as well as for logistics for network implementation. Responsibilities also included change management; identification and fixing of network vulnerabilities; and creation/update/maintenance of network documentation. Responsible for developing/implementing policies, procedures, and associated training for network resource administration, security best practices, appropriate use, and disaster recovery. Performed risk and security assessment for all Clearwater sites, carried out wireless site survey, and completed risk assessment for each plant, providing recommendations reducing business being stalled for long periods of time. Audited AD and monitored access to the servers.
Clearwater Seafoods
Service Desk Analyst
Aug 2013 – Mar 2015
Tasks summary:
Responsible for 24/7 service desk support, supporting existing infrastructure, server maintenance, and utilization of virtual platforms. Responded to inbound client communications including alerts, emails, phone calls, and in-person communication, and supported client computing hardware (desktops, laptops, printers, PDAs). Supported Clearwater’s corporate application suite (Siebel and Great Plains), and escalated or reassigned complex or unresolved incidents. Provided guidance, assistance, and training for Clearwater customers and internal staff in technical and application areas, and assured timely resolution of incidents and service requests reported to Service Desk.
Government of Nova Scotia, Chief Information Office Jan 2013 – June 2013
Technical Analyst
Provided tier 1 or 2 support by troubleshooting and repairing hardware (computers, servers and equipment), infrastructure (networks), software (web-based applications, databases, word processing programs) and / or other IT equipment, peripherals or telecom equipment and implementing corrective action to ensure timely resolution of user’s IT issues. Provided wide range of technical installation services to internal clients for hardware including computers, networks, and other IT equipment. Installed, tested, and upgraded software, and recorded and documented hardware and software problems, system crashes, actions and solutions in incident and problem management system.
Government of Nova Scotia, Chief Information Office Aug 2012 – Jan 2013
Tier 1 Technical Supporter for OS Migration
Provided technical support to employees of the Government of Nova Scotia during migration from Novell to Microsoft Technologies. Troubleshot migration issues with client Workstations (Windows XP and Windows 7), software applications (Office 2010), user data, printers, email configuration (Outlook 2010) and VPN connections (Juniper). Provided telephone and email based, remote technical support to clients using tools such as Novell Zen-Works, Microsoft RDP and SCCM.
Research in Motion May 2012 – Aug 2012
Analyst, Blackberry Customer Technical Support
Delivered customer service, responding to product specific inquiries and other issues customers encountered. Acted as a representative of RIM for product specific customer inquiries and issues via inbound voice and email interactions. Provided technical support services for hardware, software and infrastructure, and utilized SAP to track customers’ orders and status.
PERSONAL INFORMATION
LANGUAGE(S)
English
Spoken and written
Twi
Spoken and written
EDUCATION
Information Security Management (Online), Graduate Certificate, Fanshawe College, London, Ontario
Bachelor of Information Technology, Cape Breton University, Sydney, Nova Scotia (2011)
Bachelor of Computer Science, University of New Brunswick, Fredericton, New Brunswick
Computer System Technician Diploma, Fanshawe College, London, Ontario (2008)
CERTIFICATIONS
Information Technology Infrastructure Library certified – ITILv3
GR750124729EO
ISO27001 Lead Auditor
ISLA1023591-2017-10
ISO27001 MS Auditor
Certified Ethical Hacker v10 (CEHv10)
ECC3145786209
Certified Chief Information Security Officer (C CISO)
ECC8534609127
Certified Information Security Manager (CISM)
2051352
Certified Information Systems Auditor (CISA)
20167425
Certified Data Privacy Solutions Engineer (CDPSE)
2006911
EC-Council Certified Security Analyst v10
ECC3145786209
MS-500
AZ-500
CONTINUING EDUCATION
2015
Global Knowledge
CCNA Boot Camp
2018
Udemy
NMAP
2019
Udemy
Mobile Application Hacking and Penetration Testing (Android)
2019
Udemy
GDPR Certification, data protection, privacy
2020
Social Engineering
2021
RMF for Systems and Organizations Introductory Course
NIST
2022
Excel 2021 Essential Training
2022
GDPR, GDPR Certification, data protection, privacy
COMPETENCIES
Network
Cisco, VoIP, Dell
RAS, SMTP, IMAP, POP3, NAT, RIP, EIGRP, OSPF, HSRP, VRRP, VLAN, Trunking, VTP, STP, GLBP, EtherChannel, IPsec VPN, SSL, VPN, L2TP VPN
Servers
Dell PowerEdge, Windows Server, VMware, Microsoft Exchange, Microsoft IIS, Kali Linux
Security Devices
Cisco, FortiGate, Palo Alto
Security Software
Wireshark, Symantec Endpoint Protection, Trend Micro, Acronis, Nessus, Carbon Black Defense, Burp Suite
SIEM
IBM QRadar
Development
HTML, CSS
SECURITY CLEARANCE
Security Clearance level II
Goods and Service