More than 15 years of IT Audit, Security, Compliance, Project Management, HIPAA audit, PCI DSS Compliance
US-NC-Cary (will consider relocating)
CISA, PMP (US Citizen)

To

I am writing to express interest in offering my experience and expertise in IT Audit (SOX 404 and SAS 70), Payment Card Industry (PCI) DSS Compliance, Web Application Security Audit, ISO 27001 Security Audit, HIPAA Compliance, project management, and risk management to your company. I have been working in IT management roles for more than 15 years. I am a Certified Information Systems Auditor (CISA) and certified Project Manager (PMP). I am also a Cisco Certified Design Associate (CCDA) and Cisco Certified Network Associate (CCNA). As a highly proficient and experienced professional with a passion for technology, I am skilled in many areas which will be of use to your company. The following is a summary of these skills:

- IT Audit and Compliance – SOX-404 and SAS 70
- IT Security
- IT Security Policies and Frameworks
- Payment Card Industry (PCI) DSS Assessment
- Project Management
- Web Application Security and Penetration Testing
- ISO 27001 IT Security Implementation and Audit
- SAS/70 Assessments
- Federal Trade Commission (FTC) or Personal Identifiable Information (PII) Audit
- Privacy and GLBA Act
- Business Continuity Plan and Disaster Recovery Plan (BCP/DRP) Audit
- IBM Mainframe Audit
- ERP (SAP and PeopleSoft) Audits
- Enterprise Risk Management
- Process Improvement Projects (Six Sigma and ITIL)

I look forward to meeting with you to discuss the opportunities for employment with your company. (Please note that I am a US Citizen and am eligible to work for any employer in the USA.) Thank you for your consideration.

Sincerely,
Arvind G.
More than 15 years of IT Audit, Security, Compliance, Project Management, HIPAA audit, PCI DSS Compliance, technical and risk management experience galvanizing teams in core initiatives including Information Security, PCI DSS Compliance, SOX-404 IT Audit, SAS/70, ISO 27001, HIPAA Act Technology Risk Management, Project Management, Technical Management, and Corporate Compliance, while serving as a change agent for efficiency improvements with expertise in Platform and Interface Management.

Professional Strengths
- IT Audit and Compliance – SOX 404 & SAS 70
- IT Security
- Security Frameworks (ISO 27001)
- Security Policies and Frameworks
- Payment Card Industry (PCI) DSS Compliance
- Project Management
- Ethical Hacking and Penetration Testing
- SOX-404 IT Audit and Compliance
- Team Development
- Web Application Security (OWASP)
- ISO 27001 / SAS 70
- HIPAA Compliance
- Negotiation Skills
- Technical Management

Domain Experience:
- Finance and Banking: Principal Bank, World Bank, Wells Fargo, Wachovia Bank
- Insurance and Health Care: Blue Cross Blue Shield, Siemens Systems, Wells Fargo Insurance, Principal Insurance
- Telecommunications: AT&T Wireless, iBasis
- Retail: TJ Maxx, Al Futtaim Trading Company
- Manufacturing: Philips, Siemens Systems
- Consumer Electronics: Philips
- Legal Discovery Services: Stratify
- Information Management Services: Iron Mountain
- Consulting and Outsourcing Services: Keane

Significant Achievements
- Obtained the CISA (Certified Information Systems Auditor) and PMP (Project Management Professional) certifications.
- Took the PCI Security Manager (CPISM) exam and am awaiting the results.
- Effective manager who motivated and aligned IT auditors and security and compliance professionals through logical, achievement-oriented thinking and negotiation skills.
- Audited systems for compliance with SOX-404 IT, PCI DSS, HIPAA, SAS 70 certifications and ISO 27001 certifications.
- Managed and implemented the security policies, procedures and controls required for SOX-404 IT, PCI DSS and the HIPAA Act.
- Managed a team of IT auditors and reviewed the audit work papers and findings matrix of SOX-404 IT audits.
- Conducted ethical hacking, web penetration tests and web application vulnerability scans using Nessus, Fortify, Rapid7, HP WebInspect and AppScan for e-commerce applications.
- Conducted IT security awareness training programs in numerous companies.
- Established a Security Committee offering ISO 27001 certification guidance, while working with external auditors and directing IT security audit procedural policies.
- Conducted vendor security risk assessments and identified the gaps.
- Prepared the final audit reports for numerous audit programs.
- Managed PCI DSS (Payment Card Industry) and FTC (Federal Trade Commission) Privacy Act audits with five auditors.
- Managed and implemented the security policies, procedures and controls required for PCI DSS and the HIPAA Act.
- Audited and tested controls for SAP, PeopleSoft, JD Edwards, Oracle, DB2, MS SQL, IBM S/390, IBM z/OS, AS/400, AIX 6000, UNIX, network, IT security, firewall, systems, and web applications.
- Conducted integrated, operational, and business process audits and recommended business process and IT system related controls.
- Implemented controls and processes based on COBIT / COSO / ISO 27001 / OWASP / ITIL / NIST methodology.
- Performed complex IT risk assessments, vulnerability assessments, entity level controls assessments, IT infrastructure audits, business continuity planning, technology risk management, SAS 70 and HIPAA Act audits.
- Designed large IT networks; configured and administered Cisco and PIX firewalls, routers and switches.
Audit and Project Management Tools: ACL, Visio, MS Project, Business Objects, CA Top Secret, Crystal Reports
Web Application Security Tools: Fortify, AppScan, HP WebInspect
Vulnerability and Event Correlation Tools: Rapid7, Symantec Enterprise Security Manager (ESM), Nessus, SARA, Qualys, WhiteHat and ArcSight
Audit or Risk Management Software: Galileo, Saxena, SOax Toolkit 4.0 (Axena), AutoAudit software
Frameworks / Change Management Tools: COBIT / COSO / ISO 27001 / ITIL / NIST SP 800-53; Quest STAT change management tool for PeopleSoft and AS/400; SAP Transport Management System (SAP TMS)
Systems and Software: SAP ERP R/3, PeopleSoft, Oracle E-Business Suite, JD Edwards, RS/6000, IBM AS/400, DEC VAX 4000, IBM 3090, IBM 390, HP 9000 UNIX/Linux systems, Windows 2000/NT, MS Exchange, MS SQL, Oracle, DB2, PL/SQL, Developer 2000, RPG/400, ABAP/4, UNIX, C, and VoIP, SIP, SS7 systems
System and Network Security: Checkpoint/PIX Firewall, routers, Layer 3 switches, Active Directory, LDAP, IDS, VPN, IPSec, PKI, digital signatures, SSL, SET, encryption and cryptographic systems
Education:
- Master of Business Administration / Technology Management, University of Phoenix, Boston, Massachusetts (expected completion 2011)
- Bachelor of Engineering, Major: Computer Science, Anna University, College of Engineering, Madras, India

Certifications:
- CISA – Certified Information Systems Auditor, ISACA, 2005
- CPISM – Certified PCI Security Manager (awaiting certification)
- PMP – Project Management Professional, 2001
- Six Sigma Green Belt Course, Keane (awaiting certification), 2008
- ISO 27001 Information Security Management System Lead Auditor (awaiting certification)
- Cisco Certified Design Associate (CCDA), 2000

Training Courses:
- CISSP Certification Course - IT Security Course, ISC2, 2005
- ISO 27001:2005 Information Security Management System Lead Auditor Course, 2006
- Risk Management Framework, PMI Chapter, 2005
- CISA Course - System, Network, Security, BCP and DRP, ISACA Chapter, 2004
- Project Management, PMI Chapter, 2000
- ERP SAP R/3 Basis and Security, Dubai, 1999
Wells Fargo / Wachovia, Banking, Financial and Insurance Services, Oct 2010 to date, Manager (Security and Compliance)
Security and Compliance Project (Web Application Security Audit): Managed the team of security and compliance professionals auditing the security issues of Wells Fargo's web applications. Identified issues relating to the Privacy Act, PHI and PII and HIPAA related acts. Identified issues as per the OWASP code review and security audit testing guides. We used Fortify as a security analyzer tool to identify the issues. Created the findings matrix and final audit reports and recommended solutions to fix the issues. Used threat modeling principles to identify and rank the issues. Conducted ethical hacking and web application penetration tests and identified security issues. Trained the developers on the web application security audit process and gave an overview of securing the code of web applications.
Siemens HealthCare Systems, Raleigh, NC, June 2010 – Sep 2010, Lead IT Audit and Compliance / PCI Security Architect
PCI DSS Compliance: Managed the team of network engineers and programmers to identify a credit card processing vendor solution and the security solution for Siemens.
Conducted web application (e-commerce) vulnerability and penetration testing using Fortify and AppScan tools to identify security vulnerabilities and missing security patches in the Siemens systems and network. Reviewed the security of web sites and web applications and identified the various security vulnerabilities (SQL injection, cross-site scripting, buffer overflow, etc.).
Evaluated the controls and policies relating to PCI DSS compliance and identified the gaps in the systems and processes. Acted as a security advisor in evaluating the SAQ type questionnaires and finalized the SAQ type and category for Siemens based on the system environment. Provided an expert opinion on selecting payment card processing vendors after evaluating products suitable for processing credit cards. Evaluated the different methods to encrypt credit card data and finalized the method to secure the credit card data. Reduced the scope of PCI DSS compliance by selecting vendors providing hosted solutions along with tokenization of credit cards and a remote card entry system. Validated the high-risk PCI DSS controls and recommended the best solutions adopted in the industry.
SAP, PeopleSoft, UNIX and Oracle Application Security Audit: Remediated the issues identified during the IT SOX audits relating to the security controls of SAP, PeopleSoft, UNIX and Oracle database servers and recommended solutions.
Iron Mountain, March 2010 – May 2010, Lead IT Audit and Compliance
PCI, SAS 70 and ISO 27001 Security Readiness Audits: Identified the gaps or deficiencies relating to PCI DSS, ISO 27001 and SAS/70 controls, developed and implemented an ISMS (Information Security Management System) and prepared the company for ISO 27001 and SAS 70 certifications.
Blue Cross Blue Shield – Health Care Industry, Oct 2009 – Feb 2010, Lead IT Audit and Compliance - PCI DSS and HIPAA
Managed the team of network and security consultants and developed and implemented the security policies and controls to comply with PCI DSS, SAS/70 and ISO 27001 security compliance. Conducted vulnerability scans and penetration tests for web and e-commerce applications to identify vulnerabilities using Fortify and AppScan tools. Developed policies, standards and procedures based on NIST and ITIL standards.
HIPAA and PCI Compliance: Reviewed the policies and configuration standards as per NIST SP 800-53. Reviewed the systems and processes and identified the gaps relating to HIPAA and PCI compliance.
Iron Mountain, Mountain View, CA, Sept 2009 to Oct 2009, Lead IT Audit and Compliance
PCI, SAS 70 and ISO 27001 Security Readiness Audits: Identified the gaps or deficiencies relating to PCI DSS, ISO 27001 and SAS/70 controls, developed and implemented an ISMS (Information Security Management System) and prepared the company for ISO 27001 and SAS 70 certifications.
TJX Group Companies, Framingham, MA, June 2008 to May 2009, Lead IT Audit and Compliance – PCI DSS Compliance
Developed, planned, managed, and executed audit programs for PCI DSS and FTC Privacy regulations and SOX 404 IT in TJX corporate offices in the USA, Canada and Europe. Conducted vulnerability scans and penetration testing for web applications (TJX e-commerce products) and identified the vulnerabilities.
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance: Managed the team of five security and compliance personnel to conduct the PCI DSS compliance work and safeguard the systems used to process credit card information. Identified and evaluated cryptography and encryption standards (PKI, VPN, IKE, SSL/TLS, etc.), key management processes, system configuration standards, anti-virus, vulnerability scans, patch management, penetration tests, etc. relating to PCI and recommended the controls and processes required to comply with PCI.
- PCI DSS Compliance: Evaluated the 12 high-level requirements and 245 controls given in the PCI standards, identified the deficiencies in the system, and coordinated with external auditors (VeriSign) and process owners to remediate the deficiencies.
- Federal Trade Commission (FTC) Privacy Act: Managed the audit of the systems related to storing and processing customer and associate information. Identified the requirements of the FFIEC Information Security IT Examination Handbook, OCC Bulletin 2001-35 and the GLBA/Privacy Act to evaluate the effectiveness of the controls implemented in the company.
- Review of IT Security Policies and Configuration Standards: Reviewed 31 IT security policies and configuration standards as per the NIST standard and identified the gaps in the policies. Recommended the best practices adopted in the industry.
World Bank, Washington DC, Feb 2008 to June 2008, Senior IT Audit and Compliance
- ERP (PeopleSoft and SAP) Systems and Application (Benefits) Security and Compliance: Conducted the application security and compliance audit for their ERP (PeopleSoft and SAP) systems and identified the gaps and deficiencies in the applications and systems as per the World Bank's security and compliance guidance and standards.
- HIPAA Compliance: Conducted the HIPAA compliance audit for one of their healthcare divisions and identified the deficiencies. Conducted vulnerability testing to identify vulnerabilities relating to web applications.
- SOX 404-ICFR Audits: Project managed the ICFR (SOX-404) audit and identified the risks and gaps in the critical financial systems.
Principal Bank and Financial Group, Des Moines, IA, Nov 2007 to Jan 2008, Senior IT Audit and Compliance
- IBM Mainframe Security Compliance: Audited the IBM System/390 (MVS/RACF) GDPS/XRC data mirroring, storage systems and other systems and recommended the best practices adopted in the industry.
- PCI Compliance and GLBA Acts: Conducted system audits for compliance with PCI DSS and the GLBA acts. Evaluated the security of systems that hold personal and customer information. Conducted vulnerability scan tests and penetration tests to identify web application related issues. Identified the gaps in the policies and procedures and recommended solutions to safeguard customer and personal information.
- IT Security Compliance: Conducted the IT security compliance audit including firewall, DMZ and LAN/WAN (Secure Sockets Layer and Virtual Private Networks (VPN)) and audited the systems per COBIT / COSO and NIST standards.
Keane Inc., Boston, Massachusetts, Aug 2004 to Sep 2007, Senior IT Audit Manager (Audit and Compliance)
Served as a principal liaison between executive and senior management to finalize the company's IT and integrated audit programs, reviewed the work papers and test cases and validated critical processes for the SOX-404 IT audit while managing three IT auditors. Identified, evaluated, and ranked the risks related to IT systems; identified and documented control gaps for each financial application system; and recommended viable solutions to remedy any significant deficiencies.
Recent projects include the following:
- Compliance of Sarbanes-Oxley 404/302 Internal IT Controls: Audited and tested controls for PeopleSoft, JD Edwards, Oracle, DB2, Infinium, AS/400, AIX 6000, UNIX (Sun Solaris), network, IT security, systems, and applications. Spearheaded the IT risk management plan, which included the design of low-risk systems. Conducted vulnerability scans and penetration tests to identify security issues. Audited the systems in the USA, UK, Canada, Australia and India.
- ERP PeopleSoft and SAP SOX-IT Audit: Conducted integrated audits of business functions supported by application systems; identified and resolved complex auditing and information system issues.
- PCI DSS Compliance: Reviewed the policies, procedures and controls, identified the gaps and remediated the issues with the help of process owners. Conducted vulnerability scans using Nessus and conducted penetration tests to identify the security issues.
- HIPAA Compliance Audit: Audited the systems and applications in the HIPAA division and recommended and mitigated the gaps in the application and system.
- ISO 27001 IT Security Implementation and Audit: Recommended and assisted in implementing the Information Security Management System (ISMS) framework and developed an enterprise-wide security policy. Reviewed the security policies and procedures as per NIST standards. Assisted and coordinated with external auditors in obtaining ISO 17799/27001 certifications for the company.
- SAS/70 Assessment: Assisted in developing the controls required for SAS/70 and coordinated with external auditors to obtain SAS/70 certifications.
iBasis, Burlington, Massachusetts, April 2001 to Aug 2004, International Project Manager – Security and Compliance
Developed the project management plan from initial design to final implementation, which included collaborating with Senior VPs and Directors to determine strategy and allocate budget and resources; implemented controls and processes required for the Sarbanes-Oxley (SOX)-404 IT audit. Managed and audited the systems in Frankfurt, Amsterdam, Paris, London, Japan, Hong Kong, Singapore, the United States, and India. Project managed and implemented VoIP (Voice over IP) applications and solutions across the globe.
- SOX-404 IT Audit: Evaluated the policies, procedures and controls based on the COBIT and COSO frameworks, identified the gaps and recommended the controls required to comply with SOX-404.
- PCI Cardholder Information Security Program (CISP) (similar to PCI DSS Compliance): Project managed the efforts of identifying the controls and processes required to comply with CISP (PCI DSS) when they implemented an online prepaid-card system. Evaluated and tested the controls and processes relating to credit card data and systems. Identified the gaps in the security of the systems and recommended practical solutions. Conducted vulnerability scans and penetration testing for the prepaid calling card web application (e-commerce products) and identified the vulnerabilities.
- Global IT Security Audit Project: Project managed and audited the security of the systems and networks in remote locations and identified the gaps and risks in the network and systems.
AT&T Wireless, Pittsburgh, Pennsylvania, Mar 2000 to April 2001, Technical Lead / Project Manager (Network and Security Management)
Al Futtaim Trading, Dubai, UAE, Mar 1996 to Mar 2000, Network Manager / Controller
Philips India Ltd, Madras, India, Jan 1995 to Apr 1996, Assistant Automation Manager