
Seasoned IT GRC, Security & Change Leader, MBA

Location:
Edmonton, AB, Canada
Posted:
December 28, 2025


Resume:

Sharan Khurana CRISC, CGEIT, CISA, CET, PROSCI Change Practitioner, MBA (Finance)

******.*******@*****.***; 780-***-****

To

Hi,

Re:

Please find my resume attached for the position. I am confident that my experience, qualification, skills, and background listed below and in more detail in my resume closely match your requirements.

I am a qualified IT Governance, Risk & Compliance, IT Security, and IT Audit professional with relevant certifications of Certified in Risk and Information System Control (CRISC), Certified in the Governance of Enterprise IT (CGEIT), Certified Information System Auditor (CISA) and PROSCI Change Management. I have 15+ years of relevant experience with reputed organizations worldwide (Athabasca University; Alberta Gaming, Liquor and Cannabis Commission; Alberta Pacific Forest Industries; Kinross Gold Corp; Sherritt Power; Toronto Hydro; Direct Energy and Bank of India) in the following areas:

IT Governance, Risk and Compliance

AWS/Cloud security

Leading, coordinating and implementing IT Security projects and project teams.

People side of Change Management (PROSCI)

Designing, documenting, and implementing IT Security Standards, policies, and procedures

Designing, developing, implementing and overseeing Cybersecurity Awareness training programs

Regulatory Compliance (NIST CSF, CIS CSC, ITGC, PCI DSS, SOX, C-SOX, ISO, COSO)

Designing, developing and documenting standards, guidelines and processes.

I am an effective team leader and a team player having excellent communication and interpersonal skills with an ability to articulate issues clearly and concisely. My interpersonal and problem-solving abilities with skills of handling multiple tasks/teams and projects simultaneously help me achieve goals set for me by the organization.

My qualifications (MBA (Finance)), certifications (CRISC, CGEIT, CISA, CET, PROSCI Change Management) and my role as an accredited trainer (accredited by APMG and ISACA) for the CGEIT, CISA and CET exams bring additional value to the table.

Looking forward to working with you.

Sincerely,

Sharan Khurana

Sharan Khurana CRISC, CGEIT, CISA, CET, PROSCI Change Practitioner, MBA (Finance)

Summary

A well-rounded self-motivated professional with 15+ years of relevant experience of IT Governance, Risk and Compliance (GRC), IT Security, IT Audit, in international and North American organizations having knowledge and experience of control frameworks (NIST CSF, CIS CSC, COBIT, PCI DSS, ISO 27001, ISO 31000, COSO), Auditing Standards (IIA, GAAS and ISACA) and understanding of data privacy regulations and frameworks (FOIP, GDPR, etc.). Reputed for having an eye for finer details without losing the bigger picture, has always met the time schedules and business budgets.

Participated in corporate Enterprise Risk Management (ERM) process and conducted IT Risk identification and assessment for various segments of Information Technology.

Coached, trained, mentored, and led 5 culturally diversified complex teams of 15 Internal/IT Auditors. Reviewed their work/audit reports for conformance with IIA/ISACA standards.

Prepared material for IT Steering Committee, Audit Committee and Quality Assurance Improvement Program (QAIP).

Planned and managed Operational Audit and IT Audit projects.

Used sound professional judgment to design and implement revenue leakage process for Internal Auditors and IT Auditors and detected revenue leakage of $ 220,000 in one year.

Used communication, interviewing, analytical problem solving and conceptual abilities for documenting IT Standards, policies, procedures, and controls, to re-engineer/develop new processes/controls for risk mitigation and for making corporations SOX/Bill 198/audit compliant.

Designed and prepared Risk-Based Audit Policy, IS Audit Policy, and Corporate Audit Report Template. Revised IS Audit Manual of an international Bank.

Led AWS security team for implementing NIST and CIS CSC controls. Used Security Improvement Program to improve the compliance score for these controls to more than 80%

Supervised and reviewed work of outsourced third parties including MSSP.

Excellent communicator, coach, mentor, and facilitator capable of cascading mission, vision, strategy, mandate, and goals to both technical and non-technical stakeholders. Capable of articulating ideas and influencing internal and external stakeholders by conducting meetings and making presentations to stakeholders at all levels.

Strong people management (PROSCI certified), organizational and negotiation skills. An effective team leader and team player capable of managing multiple tasks/teams and projects, simultaneously. Known for developing strong, lasting, and synergetic relationships with stakeholders.

As a member of Quality Assurance Team (QAT) for review of Certified in the Governance of Enterprise IT (CGEIT) Manual, reviewed six CGEIT manuals over a period of four years.

As an accredited trainer (accredited by APMG and ISACA) for the CISA, CGEIT, and CET exams, delivered one-week CISA Exam prep training for candidates preparing for CISA.

Consistently delivered lectures in Bank of India’s training college on “Risk Management”; “Audit Process” and “Improvement in Risk Rating”.

As President of Licensed to Speak Toastmasters received Competent Leader award and steered the club to become a Distinguished Club.

Skills/Areas of expertise

IT GOVERNANCE, RISK & COMPLIANCE

Led AWS security team for implementing NIST and CIS CSC controls. Used Security Improvement Program (SIP) to improve the compliance score for these controls to more than 80%.

Supervised and reviewed work of outsourced third parties including MSSP.

Implemented and prepared status reports for the compliance of AWS Best practices, NIST and Center for Internet Security (CIS) Critical Security Controls (CSC).

Prepared briefing notes and other compliance materials for the IT Steering Committee and Audit Committee of the Board of Directors.


Planned, supervised, and executed IT Audit projects including risk identification and assessment, risk ranking, scoping, monitoring, finding deficiencies (design and operating), mapped existing controls with COBIT, ISO, NIST controls, prepared gap analysis and prepared remediation plan.

Designed and documented minimum IT control standards for Casinos.

Designed and documented ITGC control framework

Audited ITGC, IT Infrastructure, and Applications to determine the level of compliance.

Presented audit observations/deficiencies and compliance reports to stakeholders and the audit committee.

SARBOX/C-SOX/J-SOX (Regulatory Compliance)

Scoped, documented processes and flowcharts, reviewed processes and controls, performed walkthroughs, advised on process changes for control effectiveness.

Designed tests, tested design and operating effectiveness, recorded test results and significant deficiencies, revisited and realigned/rationalized controls; completed quarterly testing of controls.

Worked with IT Team for compliance with Privacy, ITGC, and Office of Auditor General (OAG) controls. Coordinated OAG Audit process.

TECHNICAL SKILLS

MS Office suite (Word, Excel, PowerPoint, Project, Visio, Outlook), ACL, Confluence, Jira

Professional experience

Athabasca University

Director, Digital Security Office (DSecO) May 2021 – August 2024

Worked with and led Digital Security Risk Analyst, Digital Security Operations Analyst, Digital Security Architect and Technical Project Managers on various digital security projects. Reviewed and presented their work to the Digital Security Program (DSP) Steering Committee.

Supervised Subject Matter Experts (SMEs), project teams and vendors pertaining to Threat Intelligence, Vulnerability Management, and Penetration Testing.

Created and maintained IT Risk Register. Coordinated with IA and ERM teams.

Coordinated Internal Audit, External (OAG) Audit and Security Audit projects

Led AWS security team implementing NIST and CIS CSC controls and improved the compliance score for these controls to more than 80%

Designed, developed, implemented and oversaw Cybersecurity Awareness training programs. Increased phishing email reporting rate from 10.4% to 13.2%.

Using Rapid7 and other scanning tools reduced the number of vulnerabilities by 75%

Increased adoptability and usage of project products by applying PROSCI concepts.

Coordinated activities in support of Digital Security priorities that included the development of technical security standards, controls, policies, specifications, and procedures. Developed and tracked metrics (KPIs) to track effectiveness of DSecO.

Participated in creating documentation for mapping IT Applications and systems that support critical business services for BCP/DRP

Translated cybersecurity and other technical risk quantities into qualitative digital business risks and constraints that senior management and executives understood.

Developed strategies and tactics to align identified risks to defined tolerance levels.

Designed and documented Policy Framework, Digital Security SOPs and reviewed SOPs prepared by team members.

Created Digital Security Architecture team and designed and documented AWS Security Patterns

Participated in recruitment process. Created an on-boarding process for new hires in the Digital Security Office (DsecO) and an environment of trust and continuous improvement.

Conducted weekly one-on-one meetings with team members and provided caring, challenging, and constructive feedback


Athabasca University

Digital Security Program Management Officer Nov 2020 – May 2021

Supported CISO in implementation of Digital Security Program (DSP) including developing security controls for Amazon Web Services (AWS)

Co-ordinated activities of Digital Security Office

Created knowledge transfer plan for Project Managers and other SMEs.

Designed Status Report for tasks undertaken by the team members.

Alberta Gaming, Liquor & Cannabis Commission (AGLC), St. Albert

Manager, IT Audit Jan 2015 – Nov 2020

Assisted Director, Internal Audit prepare annual budget, annual audit plan and 3-year audit plan.

Prepared briefing notes, status reports and other material for the Audit Committee of the Board.

Reviewed Internal Audit and IT Audit Procedure manual.

Planned, supervised, and executed IT audit projects including IT risk identification and assessment, risk ranking, scoping, finding deficiencies (design and operating effectiveness), mapping with COBIT and ISO. Prepared IT audit reports with practical recommendations.

Presented new IT Security initiatives to Senior Leadership Group (SLG)

Worked with ERM for risk identification, assessment, assigning inherent and residual risk ratings.

Reviewed purchasing department’s IT Procurement contracts pertaining to Cloud and outsourced services to mitigate IT related third-party risks particularly IT Security and privacy risks.

Designed and developed Minimum IT Controls Standards for Casinos

Norquest College, Edmonton

IT Governance and Change Specialist June 2014 – Jan 2015

Identified risks and conducted risk assessment of applications, servers, and other infrastructure.

Designed IT Governance Framework and documented IT General Controls (ITGC)

Worked with IT Team for compliance with Privacy, ITGC, and Office of Auditor General (OAG) controls. Coordinated OAG Audit process.

Documented Change Management Process

Alberta Pacific Forest Industries, Athabasca March 2010 - Jan. 2014

Senior Compliance Auditor

Designed and created documentation for Risk Control Matrices, design, and operating effectiveness of ITGCs. Prepared test plans and test scripts for testing of ITGCs

Tested design and operating effectiveness of ITGCs and prepared reports in compliance with Internal Control Over Financial Reporting (ICOFR)

Used Audit Command Language (ACL) for Analysis and Teammates for preparing reports.

Result: The Company saved $250,000 p.a. which was being paid to outside consultants. The company remained SOX compliant.

Alta Gas, Calgary, IT Auditor May 2009 – Aug. 2009

Identified and evaluated risk areas and provided inputs for developing the annual audit plan.

Performed IT audit procedures, including identifying and defining issues, developing criteria, reviewing and analyzing evidence, and documenting client processes.

Conducted interviews, reviewed documents, developed and administered surveys, composed summary memos, and prepared working papers, practical audit recommendations, and audit reports.

CSI Consulting, Toronto (Projects Completed) March 2006 – Dec. 2008

Direct Energy, Toronto – IT Audit Project (Team Lead, team size 2, duration 3 months)

Audited 6 critical IT Applications covering:

- Access Controls in Windows, Sybase, Oracle, and Computer Operations Controls

- Change Management, SDLC, and Security Management Controls.

Result: The security level of the applications increased, giving better assurance to the management.

Sherritt Intl Corp., Calgary – Bill 198 Project (Project Lead, Team size 2, duration 6 months)

Scoped, documented process narratives and flowcharts both for business processes and IT processes, performed risk analysis, documented gaps, communicated with process owners, prepared Risk Control Matrices (RCMs)

Result: The Company became Bill 198 compliant.


Kinross Gold Corp., Toronto – SOX Compliance Project (Duration 3 months)

Designed tests, performed walkthroughs, tested design and operating effectiveness of controls (for SOX compliance) at US and Canadian locations.

Result: Company improved their control framework and met with the statutory SOX requirement

Toronto Hydro, Toronto – COBIT, BCP/DRP Project (Team lead, Team size 3, duration 12 months)

Prepared IT Security Policies, BCP/DRP framework, conducted risk analysis and impact analysis for BCP/DRP. Implemented COBIT, and ISO. Designed, implemented, and monitored relevant Key Performance Indicators (KPIs)

Result: The Company implemented COBIT DS 03 and sustained Maturity Model level 3.

Bank of India (Asset Size $100 Billion), Mumbai/Bhopal Aug. 2001 – Feb. 2006

Chief Manager, Internal Audit, and IT Audit

Coached, trained, mentored, and led 5 culturally diversified complex teams of 15 Internal Auditors. Reviewed their work/audit reports for conformance of IIA and ISACA standards.

Led Operational Audit and IT Audit projects for 9 exceptionally large branches of the bank (asset base of each branch more than $10 Million) in widely spread geographical locations.

Prepared quality audit reports with practical recommendations and presented audit reports recommendations/deficiencies to stakeholders and Audit Committee.

Monitored progress of various risk-based audit projects and reported plan vs. actual position to Management.

Prepared Corporate Risk-Based Annual Audit Plan and implemented it.

Prepared Risk-Based Audit Policy; defined Key Risk Indicators (KRIs).

Audited Branch Banking ERP Solutions, Data Centre, and Disaster Recovery Site. As a result, the Data Centre got ISO certification.

Audited Credit Card Operations of the Bank for PCI Compliance

Consistently delivered Lectures in Bank’s training college on “Risk Management”; “Audit Process”; Risk and Control Self-Assessment (RCSA) and “Improvement in Audit/Risk Rating”

Followed up for compliance of audit recommendations/deficiencies.

Coordinated with external auditors for the annual statutory audit process.

Bank of India, New Delhi, Khandwa (Madhya Pradesh), India Dec. 1997 – July 2001

Chief Manager

Ensured compliance with Audit Reports, conducted studies for determining the cost of various services for revising and standardizing the service charges.

Successfully managed and led Branch Managers of a group of 55 branches to budgeted goals.

Successfully managed fully computerized branch (asset size more than $10 Million) with the annual increase in business of 30%

Magadh Stock Exchange, Patna, India March – Nov. 1997

Executive Director

Implemented capital adequacy, Mark to Market, Value at Risk (VAR) and Margin requirements of SEBI (Equivalent of SEC in India) and complied with the policies of the regulator.

Regularly prepared agenda items, material for conducting board meetings.

Prepared and implemented the annual plan.

Won one promotion.

Before 1997, held positions such as Branch Manager and Credit Manager at Bank of India, in India.


Education and Certifications

Certified in Emerging Technologies (CET) 2023 (Cloud, Artificial Intelligence, IoT, Blockchain)

Accredited trainer for CET Certification Exam 2023

PROSCI Change Management Certification 2022

Accredited Trainer (Accredited by APMG and ISACA) in 2018 for CISA, CGEIT and CETA Certification Examinations

Projects In Controlled Environment (PRINCE2) in 2015

Certified in Risk and Information System Control (CRISC) in 2010 from ISACA, USA

Certified in the Governance of Enterprise IT (CGEIT) in 2009 from ISACA, USA

Certified Information System Auditor (CISA) in 2004 from ISACA, USA.

Certified Associate of Indian Institute of Banking and Finance (CAIIB)

Master of Business Administration (MBA) (Finance).

Bachelor of Science (B. Sc.)

A sample of training completed for professional development:

Emotionally Effective Leader Course June 2019

ERP Selection and Implementation March 2019

Effective Performance Management for Managers

COBIT 5 Foundation course in 2014.

Passed ACL 101 (CAATS Tool) in 2011

In-house training on Leadership Challenge in 2018; on Effective Business Writing in 2018; on Think on Your Feet in 2017; on Difficult Conversation in 2014

Course organized by CPA Alberta “From Doer to Leader” in 2017

Attended ISACA training week for 4 years on IT Audit and Assurance, IT Governance, IT Risk and Privacy/data protection.

Risk-Based Audit, Information System Audit for Risk Management.

Personality Attributes

Client/people-focused, with a clear understanding of the people side of change management and Emotional Intelligence.

Critical and positive thinking with the desire to excel and succeed.

Creative, innovative thinking and entrepreneurial skills.

Disciplined, self-starter and self-motivated having high integrity.

Proactive, problem solver and always part of the solution.

Attitude to complete tasks accurately and thoroughly.

Knowledge of using tact, discretion, and sensitivity while dealing with intricate interpersonal matters and difficult conversations.

Solid organizational, collaboration, leadership, communication, mentoring, and change management skills.

High adaptability to the changing business and technological environment.

Analytical, evaluation and decision-making abilities

Fine negotiating, interpersonal, influencing and persuasion skills.

As an accredited trainer I have fine presentation skills, and I can articulate complex technical ideas into business and user-friendly language.

Understand and speak language of finance/business, Information technology, academics, and people side of change management.

Knack for providing caring, challenging, and constructive feedback.

Professional membership/affiliation/volunteering:

Platinum Member, Information System Audit and Control Association (ISACA)

Director, ISACA Edmonton Chapter for the last 10 years

Past President, Licensed to Speak Toastmasters Club at AGLC

Ex-Member Quality Assurance Team of ISACA, Chicago, USA
