Raghunath Krishnan Nair GRCP, GRCA, IDPP ISO ***** LA, CSP, CIP, ISO 9001 LA 1-909-***-****
https://www.linkedin.com/in/nairraghu
Recipient of Certificate for Honesty & Integrity - Los Angeles County Police Headquarters
Recipient of Dubai Quality Award from President of UAE - Sheikh Mohammed

Profile:
Having worked in North America on both sides of Niagara in various capacities in the Information Technology landscape, the common thread that wove success was my phased approach to the governance of process management and the architecting of Security, Risk Management, Process Controls and Technology Governance. As a program manager, I have worked on multiple large-scale technology initiatives from inception to execution. I have led large teams in the development and implementation of roadmaps to fully govern, manage and provide assurance, ensuring solutions are in line with the enterprise vision. Without discarding the existing security policies & risk practices, global & local privacy acts, information security mandates and regulations, I have aligned business with IT through appropriate governance, thus transforming customer experience in several industries including banking, healthcare, insurance, energies & utilities, government, airlines and manufacturing, utilizing both agile and waterfall methodologies.

Experience
Dec 2024 – Present: CIBC Bank – Senior Risk Analyst, GRC
Governance of deviations from standards, deficiencies in controls and issues in processes, ensuring that digital risk in Infrastructure Operations & Network Engineering is managed.
● End to end documentation of Audit Risk and Compliance process. (8 Weeks)
● Support the Director in: Audit Preparation and Engagement, Deficiency Management & Monitoring, Audit Facilitation (Internal & External), Remediation Analysis, Control Testing
● Drive Implementation support to the roll-out and adoption of new practices and effectively lead the team in managing accountabilities and deliverables
● Daily Audit / Technology connects on control gap assessments and RCSA

May 2023 – Nov 2024: BeyondCX – Security Architect
Gen AI based security design for a major seaport based in India. Strategized and designed the Gen AI based Cyber/IT Security solution to benefit the seaport's cyber security, interfacing digital networks (OT/IT), ICS and PLCs. This design and implementation plan was specifically meant to manage the seaport's cyber security systems.
● Architecture & Design
● Engaged, discussed and strategized with executives
● Program Governance, Project Plan and Road Map
● Key stakeholders & execution partners and their collaboration

March 2020 – April 2023: Cognizant Technology Solutions – Sr. Program Manager / GRC Architect
Revamp Architect GRC – Cyber Security Posture – (A major health care provider, Bloomfield, Connecticut, USA)
To integrate with an existing control-based management system: HITRUST control, compliance control delta between the current and potential integrated entity, policy and standard harmonization, access integrations, and application assessment for the Data Lake were normalized utilizing the Cognizant-START methodology.
● Responsible for the project plan timeline and budget (ETC)
● Responsible for the program management and reporting of 3 major projects:
o IT/Cyber Risk Assessment
o Identity & Access Management (OKTA integration) – PAM
o Policy Governance & HITECH Compliance
● Designed and Established RISK ASSESSMENT framework utilizing NIST 800-53, COBIT and ISO 27001, factoring resiliency into solution controls.
● Responsible for the oversight and interdependencies and integration of interrelated projects
● Build relationships across organization including legal, compliance, IT and Business
● Risk Management, Policy Integration and Data Governance (Enterprise and Amazon VPC)
● Defined the evaluation report to establish the baseline for security measures utilizing the Balanced Scorecard
● Advocate for Policies & Procedures
● To institute HIPAA requirements as applicable to its affected business functions and covered entities that utilize PHI/ePHI.
● Participate in special projects and initiatives as a cyber security advocate to align with HITECH mandates.
● Performed an internal cyber security risk assessment of IT systems and infrastructure based on NIST CSF to enhance information security. The solutions that were implemented were transitioned to a managed security service.
● Report gap analysis, assess security process maturity against the controls and framework of NIST.
● Developed solutions in the space of:
o Policies
o Training & awareness
o Risk Assessment
o Access management
o Data Security
o Network Security
● Conducted DR testing, studied the results, improved the BCP and resilience.
Interoperability Architect – Regulatory mandate on Interoperability (HL7) – Multiple clients in US Health Sector, California, USA
Reporting to the Vice President for the geographies which the customer serves; analyzed the implications of federal, state, tribal, and local regulations including but not limited to the HIPAA privacy rule, security rule, unique identifiers rule, and enforcement rule, to define and strategize the "shall" and "will" aspects of how the Medicare units embrace the interoperability norms.
● Identified and developed policies for Personal representative access and privacy regulatory requirements.
● Finalized policies applicable for Interoperability Solution. (HIPAA, CURES ACT, ONC, CMS)
● Designed and implemented risk assessment “Expectation Based Interoperability Risk Assessment Framework.”
● Weaved the RA framework through ISO 27001 Domains and NIST 800-53 cyber controls.
● Mapping of health solutions to manage the covered entities of Payer, provider, and patient within the rules of HL7 standards and FHIR profile cross mapping. This involved:
o Following CMS guidelines on Member Data rules and Member Data exchange rules
o Data movement mandated through FHIR rules
o Design for Data Privacy Engine into the cloud.
o Integration with member portals
o Learn, identify and scope data elements to be mapped for access via APIs.
● Designed & documented third party applications risk management and onboarding processes.
● Data Extract process and design inclusive of:
o Pharmacy encounter data, medical claims, provider data, laboratory data
● Sensitive data definition areas for governance
● Designing the Third-party App Risk Strategy and member portals integration
● Integration of member portal with privacy and consent engine
● Security review – Application Security – Test Strategy
● Establishing the design of data and privacy consent engine driven by the compliance standards and integration of those with member portals
● Redefining the rules for member view for adjudicated claims data including provider remittances, encounter data, clinical data and other data managed by Medicare advantage, Medicaid FFS and Medicaid Managed Care.
Subject Matter Expert COBIT – IT Risk Consultant – Large Investment Management Co., Jersey City, New Jersey, USA
As a COBIT IT Risk Consultant, worked closely with department management and engaged key cross-functional stakeholders across Technology and with Operational & Strategic Risk to implement COBIT within the Technology organization. Evaluated, assessed, and provided recommendations to management in identifying, assessing, and documenting key risks and controls, and assessed the COBIT maturity level of the organization.
● Evaluate, assess, and provide recommendations to management for identifying, assessing, and documenting key risks and controls, Policy Changes, vendor management.
August 2014 – March 2020: Tata Consultancy Services – Lead Consultant, Cyber Security & Compliance

Lead Consultant GRC, Vendor Risk Assessment & Process Governance – Large Insurance Company, Syracuse, New York
Assessing the current strengths and weaknesses of the Information Security Risk Assessment process of third-party vendors through a TPRM process.
● Vendor adherence to SSAE 16 SOC 2 type 2 report, analyzing the risk acceptance level in conjunction with compensating controls.
● Assessing vendor managed controls impacting NYSDFS compliance.
● Works with team members, Legal, IT Architects and Business to identify areas of improvement in the contract process and implements necessary changes.
● Review of vendor security controls and processes (pen test results, data lifecycle encryption)
● Categorized vendors on risk levels based on products and services supported.
● Categorized vendors based on handling of classified data to define risk levels.
● Report findings and discuss risk issues with the internal contract management team, inclusive of Legal
● Impart knowledge and provide training to AXA – TCS team in the space of SOX to enhance awareness of ITGC they operate and maintain.
Audit Compliance & Process Excellence Manager – Energies & Utilities Co., Long Island, New York
To deliver audit, compliance and process excellence for security & compliance programs and projects
● Oversee the tracking and management to closure of SOX audit issues and compliance investigations.
● Mapped the NERC-CIP controls with SOX ITGC from a Control Management Standpoint
● Developed systems to identify critical and non-critical cyber assets.
● Developed process framework for Access and monitoring of ERP assets and integrated it with the On-site command center functions.
● Defined MSP operational responsibilities at a system and process level
● Identified potential footprint for the Managed Service Provider in the NERC-CIP data handling.
● Analyze risk trends and have an oversight on third party risk to initiate risk response process.
● Assisted in root cause analysis and corrective actions.
● Provided expert advice to Vulnerability management headed by CISO office.
● Designed and developed a Vulnerability Handling Matrix and prioritized vulnerabilities through CISO oversight.
● Work with CISO, third party vendor and client to manage the IT and other vulnerabilities.
● Provided IT Vulnerability information to Senior Leadership and Stakeholders.
● Led a team of 20 people from different verticals to manage external and internal vulnerabilities identified through Qualys and Securicon.
● Assessed the current Vulnerability management process, identified areas of improvement, designed and proceduralized new process.
● Managed operational security metrics and compliance reports.
Project Lead – Compliance – A Major Supplier of Energies and Utilities for the state of California – San Dimas, California
Transitioning the infrastructure services of the client to Managed Service (integrating Service Management processes, tools and other infrastructure services with regulatory requirements like SOX, NERC-CIP and SSAE 16).
● Developed Systems and Processes for the management of NERC – CIP and SOX controls.
● Access Management Process Implementation (Design, Document, Train)
● Evaluate to assess Gaps in the Service Provider standards for SSAE-16 SOC1 reports.
● Assessed the current regulatory requirements of NERC-CIP
● Led the MSP team to mitigate Cyber Security and Compliance 2017 observations: vulnerabilities on SOX controls, general controls (BCP, operational and governance), NERC-CIP controls, internal audit findings
● Evaluate and establish ITGC in the effectiveness of Security Operations, SIEM, NERC Security Incidents
● Oversee and monitor internal teams to provide governance and audit reports- weekly, monthly, and quarterly.
● Oversee general operational controls like BCP, operational data and system controls
● Control narratives for 3 domains that interface with SAP – GRC, ITSM and non-SAP applications:
a) Control processes and narrative documentation (SOX & NERC-CIP)
b) Review of control activity and evidence design with IT Compliance, SOX Testing, Internal Audit, Process Owners, Controller Team, and External Auditors
c) Key controls testing with control performers by doing a tabletop exercise with each primary/backup control contact
d) The Managed Service Provider was given training on SOX and a detailed Train the Trainer session (control contacts) to understand their responsibilities and obligations for each control in the 3 domains
● Documented NERC-CIP controls and process documents with MSP responsibilities aligning with Client security mandates.
● Developed and managed a high level and detailed project plan for implementation of changes in the IT systems.
Manager Cyber Security – A Major Clearing Corporation – New Jersey, USA
Security control testing for audit readiness, providing guidance in risk identification, analysis and mitigation with summarized findings for executive reporting. Worked with stakeholders to formalize a governance process to conduct the test of design and operating effectiveness. Provided guidance to the team in risk identification, analysis, and risk mitigation towards reporting.
● Security Control testing for Audit Readiness
o Rationalized 180 security controls to identify 30 key controls and categorized them under 9 security domains of ISO 27001
o Developed a governance structure to formalize the testing process
o Carried out walkthroughs with the stakeholders, conducted test of design and test of effectiveness using the test-of-one principle
o Reviewed evidence and identified gaps to be remediated in the form of observations and recommendations
o Test of design and test of effectiveness on the COBIT Lite based controls
● CI/CD Pipeline DAST testing
o Review of Veracode scanner test results both pre- and post-production
o Validate application intent with the dev team to manage exploits and vulnerabilities
o Simulate SQL Injection & Cross-Site Scripting attacks
o Conducted control risk/impact assessments and determined potential risk mitigation strategies
o Document process mapping and changes to processes based on test results
o Security Vulnerability Management
o Security Network Operations
o Security Training
o Security Baseline
● Risk Identification
o Application Authorization and access management
o Authentication to firewall changes
o Device protection (Laptops, PDA, etc.)
o Firewall Management – Cisco (CSM)
o High Privileged and emergency access
o Information security tracking and monitoring (Splunk)
o Baseline configurations
o Security Incidents management
● Provided guidance to the team in risk identification, analysis, and risk Mitigation towards Reporting
● Summarized the findings for executive reporting.
Network Security Project Manager – Large Aluminum Manufacturing Plant – New York, USA
Network transformation of an aluminum plant through a technology refresh: extend the wireless coverage, security controls and access controls using converged plant-wide Ethernet and a centralized tool to manage the wireless and wired network across the administrative, engineering and plant environments. The project was implemented in five (5) phases.
● High Level Design & Network Discovery
● Risk Management
● Low Level Design
● Implementation
● Document & Training
● FEB 2013 – JUN 2014: Qaknights.inc (Project Manager) Calgary, Canada
Significant Projects and Responsibilities:
Provided advice and guidance to business partners and project teams, established systems and processes to manage integration, and developed processes to complete transition by adapting best practices and standards.
1. Engineering Document Management System for IDocz (as a Senior BA)
2. Bair Project for UFA (United Farmers of Alberta), part of the Transformation program (as a Senior BA)
● MAR 2012 – NOV 2012: INFOSYS (Lead Project Consultant) Calgary, Canada
Guided the design, planning, scheduling, and execution of IT Service Management (ITSM) programs through a Global Delivery Model. This involved leading and coordinating offshore and onsite teams and, if required, business advisors with industry specialization. Performed cross-functional activities to support the horizontal layers of Sales and Delivery across the four industry verticals as the SME in COBIT and ITIL. This was predominantly used for the preparation of business cases and responses to RFPs.
● JUL 2010 - MAR 2012: IBM (Project Lead Control Framework – Alberta Health Services) Calgary, Canada
Focused on the merged IT services for Alberta Health Services; project managed, counselled, advised, facilitated and trained process assessment participants in adding value to the Control Framework. Interacted with business unit leads, third-party vendors, business analysts, operation centre staff, developers and various groups within the ITS department, providing facilitated guidance in the integration of systems and processes. Post-assessment, facilitated guidance for solutions implementation and establishing IT controls to comply with HIPAA, FDA and FOIP requirements and standards.
● JUN 2007 - APR 2009: Enerflex (Lead IT Governance & Control) Calgary, Canada
● DEC 2005 - APR 2007: CompuCom (Technical Support Analyst) Toronto, Canada
● SEP 2005 – NOV 2005: Bank of Montreal (Project Coordinator) Toronto, Canada
● APR 1989 – MAR 2005: Emirates Airline (Senior Network Engineer) Dubai, UAE

Education:
● Postgraduate in Computer Application
● Bachelor of Commerce
● Managing Risk – Harvard Business School
Regulations, Standards, Frameworks, Systems:
NYSDFS, SOX, COSO, GLBA, AML, PCI-DSS, HIPAA, ISO 27001, NIST, NERC-CIP, DORA, GDPR, PIPEDA, SSAE 16/18, SOC 1&2, ITIL, COBIT, HITRUST, HITECH, NI 52-109
Certifications and Trainings:
● Certified Governance Risk and Compliance Professional – OCEG
● Certified Integrated Risk Management Professional – OCEG
● Certified Governance Risk and Compliance Auditor – OCEG
● Certified Integrated Data Privacy Professional - OCEG
● ISO 27001:2005 – Lead Auditor -BSI
● Certified Cyber Security Professional – Global Tech
● COBIT - ISACA
● ITIL - EXIN
● ServiceNow System Administrator – Service Now
● Project Management certifications – PMI & Others
● Data Governance & Privacy Foundation certification – Informatica
● IT & Cyber Security – CYBRARY
● Data Governance & Privacy - Informatica
● Asset Security Fundamentals – CYBRARY
● Critical Infrastructure Protection - OPSWAT
● Payment Card Industry Data Security Standards - CYBRARY
● Certified Cloud Security Professional – CYBRARY
● Cyber Security Professional – Global Tech Council
● Insider Threat Program – CYBRARY
● ISO 9000 Lead Auditor – Det Norske Veritas
● SAS Fundamentals and SAS Time Series Forecasting – SAS Institute

PM Tools: Jira, Confluence, MS Project, MS Excel
GRC Tools: ServiceNow, SAP, Archer, SCCM, SolarWinds
Cloud Service Provider: AWS
CI/CD Pipeline: SAST, DAST, OWASP - TOP10
Working Towards CISM