
IT Security Information Technology

Location:
Milton, ON, Canada
Posted:
September 09, 2025


Resume:

Muhammad Najam Iftikhar

*** Colville Pl • Milton, ON, L9E 1H4 • 416-***-**** • ********@***.***

Objective

Experienced Information Security Analyst with 10+ years in IT Security, Risk Management, and PCI Compliance. Seeking to leverage expertise in vulnerability management and control testing to enhance organizational security.

Summary of Skills

·Skilled in third-party, vendor, and project risk assessments with strong knowledge of PCI-DSS, ISO 27001, and NIST Compliance.

·Extensive experience in ITGC testing, evaluating internal control effectiveness, and ensuring SOX and audit compliance.

·Skilled in vulnerability assessment, firewall change request reviews, and incident response handling.

·Proficient in using security tools such as Dragon Network Intrusion Prevention Systems, McAfee ePolicy Orchestrator, FireFlow, AlgoSec, Arbor Pravail APS (DDoS), and McAfee DLP.

·Proven ability to coordinate with vendors, project teams, and network teams to implement security patches and ensure PCI audit compliance.

Technical Skills

·Security Tools: McAfee ePolicy Orchestrator, Cisco FirePower, Palo Alto Traps, Arbor Pravail, Trustwave, QualysGuard

·Operating Systems: Windows Server, Unix, Linux

·Networking: TCP/IP, DNS, Fortinet VPN

Certifications & Training

·CISSP – Certified Information Systems Security Professional

·Microsoft Certified Professional

·Completed Fortinet FortiGate I & FortiGate II Training

·Completed AlienVault Sourced Computer Security Training

Security Clearance

·Secret Level II Security Clearance

Professional Experience

Information Security Consultant (Remote)

Public Services and Procurement Canada (PSPC). Ottawa, Ontario. (December 2024 – Present)

·Led the Security Assessment and Authorization (SA&A) process for the Central Index application, ensuring compliance with GC security frameworks, including ITGC-33 and TBS guidelines.

·Authored and maintained the Concept of Operation (ConOps), Security Assessment Plan (SAP), and Management Action Plan (MAP), and coordinated evidence collection from project stakeholders.

·Conducted architecture reviews, analyzed the Target State and Disaster Recovery architecture diagrams, and aligned security controls to Government of Canada (GC) cloud standards.

·Reviewed and confirmed security mechanisms, including TLS 1.3 enforcement, data masking, PIM configuration, and GC Pass integration for security authentication.

·Ensured compliance for Protected B data, including PRI, IAN, and PII, by verifying encryption at rest and in transit and validating database-level protections.

·Worked closely with the application technical advisor to verify the implementation of fallback authentication, vulnerability scanning, Azure Sentinel logging, and real-time SOC monitoring.

·Integrated DevSecOps principles with continuous integration/deployment (CI/CD), automated testing, and stakeholder involvement in security testing.

·Provided security control recommendations based on the GC EA Framework (Application, Technology, and Security Architecture).

·Maintained a detailed RACI matrix for SA&A roles, collaborated with cross-functional teams, and supported Authorization to Operate (ATO) issuance.

IT Security Practitioner & Security Assessment Specialist (Remote)

Employment and Social Development Canada (ESDC). Gatineau, Quebec. (May 2023 – December 2024)

·Collaborate with solution teams to implement security controls per ITGC-33 security profiles, ensuring compliance with Government of Canada policies.

·Provide strategic guidance on security mechanisms for cloud-based projects, analyzing and selecting appropriate controls.

·Conduct comprehensive risk assessments for enterprise technologies and cloud services, identifying vulnerabilities and recommending remediation measures.

·Facilitate third-party risk assessments by analyzing external vendor risks and delivering detailed reports to mitigate security threats.

·Review and validate security documentation, including SSAE 18 Type 2 reports, vulnerability scan reports, independent penetration test results, ISO 27001 certifications, and PCI-DSS compliance evidence.

·Develop and deliver Threat and Risk Assessments (TRA) for cloud and IT projects, aligning security protocols with internal policies and industry best practices.

·Work closely with project managers, security architects, and cloud operations teams to assess, test, and improve security measures, while maintaining compliance with regulatory standards.

·Present security assessment results and provide detailed recommendations to senior management and stakeholders, ensuring alignment with organizational objectives and government compliance standards.

Senior Cybersecurity Risk Analyst (Remote)

Shaw Communications. Calgary, Alberta. (June 2022 – May 2023)

·Conducted risk assessments for enterprise technologies, products, and services based on ISO 27001, COBIT, NIST, and PCI-DSS standards.

·Reviewed security documentation including SSAE 18 Type 2 reports, vulnerability scan reports, and ISO 27001 certifications.

·Conducted in-depth risk-based security assessments of housed, cloud, vendor, and third-party hosted environments. The assessment focus included Risk Management, Physical Security, Identity & Access Management, Encryption, Data Loss Prevention, Secure Development, Incident Management, Security Infrastructure, and Information Security Policy.

·Led security risk assessments for various projects, delivering TRVA reports and providing recommendations to senior management.

·Worked closely with the Security Architect and SecDevOps teams to implement security solutions and best practices.

·Report risk assessment results, including metrics, to internal senior management and the service provider, and recommend remediation actions.

Third-Party Risk Analyst (Remote)

Bank of Montreal. Chicago, Illinois. (August 2021 – August 2022)

·Engaged with service providers to obtain due diligence reports and performed end-to-end risk assessments for third-party vendors.

·Performing end-to-end risk assessments for all assigned third-party vendors.

·Reviewed SOC1, SOC2, ISO, PCI-DSS, and Pentest reports to validate control accuracy and identified gaps.

·Collaborated with the Quality Assurance team to coordinate and complete third-party assessment questionnaires (TPAQ).

·Report risk assessment results, including vendor risk assessment (VRM) metrics to internal senior management and the service provider, and recommend remediation actions.

·Review existing and new contracts with third parties to ensure Early Warning’s security, compliance or governance-related requirements are being met.

·Ensure third-party adherence to contractual/regulatory compliance to minimize the risk of fines and reputational harm.

·Efficiently identified control gaps/deficiencies, and assisted business areas with documentation and resolution.

·Monitor Policies & Procedures and responsible for the maintenance of the vendor risk management system.

IT Security Analyst

Sobeys Inc. Mississauga, Ontario. (February 2018 – August 2021)

·Performing security risk assessments of new or existing services, applications, technologies, and vendors. Documents and effectively communicates findings to key stakeholders and is notified of the risk.

·Performs third-party risk assessments to identify issues and/or control gaps, and recommends remediation initiatives.

·Performed risk and control assessments for all high-risk third-party service providers to evaluate the effectiveness of control.

·Working with Internal Audit, Legal, Privacy and other key stakeholders to ensure that Information Security policies, procedures and controls are aligned with all associated requirements.

·Working closely with Managed Security Services through all integration, project, and ongoing Cyber Security operational activities.

·Own all aspects of cloud security project definition including vendor integration, platform integration and monitoring for cloud platforms including Azure.

·Assisting Managed Security Services Provider in building escalation procedures for various system-related events such as IPS, OS, Network switches, Routers and firewalls.

·Providing input into reviews of all security-related systems and applications such as Anti-Malware, SPAM and IPS (McAfee Web Gateway, QRadar, Cisco FirePower).

·Assisting the Security Administration team with Access control reviews of all critical applications and systems.

·Conduct Vulnerability Assessments of existing and new systems and development of remediation plans.

Senior Cybersecurity Analyst

Compass Group Canada. Mississauga, Ontario. (February 2016 – January 2018)

·Complete internal PCI Self-Assessment Questionnaires (SAQs) and the requirements to comply with PCI DSS Reports on Compliance (ROC), Approved Scanning Vendor (ASV) Reports, and PCI AOC (Attestation of Compliance).

·Deliver key PCI Program components such as scope determination, gap assessments and remediation strategy.

·Develop security configuration standards for infrastructure technology assets.

·Plan, test, and implement the technology required for PCI DSS compliance, such as Symantec DLP, event logging/alerting, a firewall rule compliance toolset, vulnerability assessments, etc.

·Work with Legal and Development teams to guide managing risk with third-party service providers.

·Lead incident response activities during technology security incidents.

·Manage vulnerability scanning of all relevant Canadian assets in Qualys and create a remediation plan.

·Identify actionable vulnerabilities in Qualys and ensure remediation efforts are taken.

·Make recommendations to senior management on the results of the analysis and work closely with other Information Technology groups to refine and enhance security controls.

Security Analyst, IT Security & Risk Manage

Moneris Solutions. Etobicoke, Ontario. (February 2015 – February 2016)

·Assist in the design, implementation and maintenance of security monitoring, intrusion detection/prevention and escalation within Moneris security architecture for minimizing risks against internal and external threats. This includes performing vulnerability assessments, reviewing firewall change requests and investigating and handling security incidents.

·Conduct vulnerability assessments with Rapid7 for all types of Critical Infrastructure systems and networks.

·Assisting in running monthly scans along with keeping the appropriate lines of business informed about the patches.

·Designed and established rules for the Dragon Network Intrusion Prevention System (Dragon 7.1), McAfee ePolicy Orchestrator, FireFlow, AlgoSec, Arbor Pravail APS DDoS and McAfee DLP. These capabilities included the ability to generate session-busting traffic and instantiate firewall-blocking rules in response to an attack.

·Provide business and application owners with clear information about the current situation regarding detected vulnerabilities.

·Coordinate between vendors, project team, and network team to implement vulnerability patches to meet PCI Audit.

·Conduct Risk assessments of various technological changes in cloud-based applications, Firewall, web controls and Secure file management methodologies.

Information Security Specialist (Technology Governance Risk & Control) (Consultant)

CIBC Bank. Toronto, Ontario. (April 2014 – January 2015)

·Documented in-scope SOX processes such as risk overlays, procedure narratives, process risk assessments, handoffs and test plans.

·Responsibilities included assessment of information technology internal controls based upon the COBIT framework, ICR, KCar, IT general and application controls, information security, systems development, change management, business continuity, disaster recovery, computer operations, risk management and regulatory compliance.

·Monitored and reviewed 80+ ITGC controls enforced, and proper evidence generated based on frequency for Audits.

·Developed and improved processes in IT Security like User Access Management and Program Change Management.

·Managed and monitored day-to-day IT Logical and Physical Security operations, including user provisioning, password configuration, logical access, logging, New Hire, Termination and Transfer processes.

·Responsible for oversight of CIBC & FCIB security and compliance Policies, Processes, Procedures and Standards.

·Engaged with IT Security, IT Infrastructure, IT operation, and IT Architecture, to ensure ITGCC compliance.

·Performed consulting for businesses in establishing IT compliance solutions based on company policies and standards, industry best practices, industry standards, and regulatory requirements.

Education

·Ryerson University – Toronto, Ontario.

BACHELOR OF INFORMATION TECHNOLOGY MANAGEMENT (ITM)

·Seneca College – Toronto, Ontario.

Computer System Technology


