Sr. Information Technology Auditor / SOX Consultant Resume




Title
Sr. Information Technology Auditor / SOX Consultant

Primary Skills
CISA, CISSP, SOX, SAP Security

Location
US-NJ-Jersey City (will consider relocating)

Posted
May-04-09

RESUME DETAILS
Manoj works as an Information Security & Compliance Consultant with 9 years of experience, 3 of them with a Big 4 consulting firm.

As a senior security consultant at Deloitte, he defined requirements, scope and deliverables agreements with clients, and monitored and led a team of consultants to deliver as defined in the project charter. He has conducted various training and awareness sessions at client locations and successfully closed projects.

His professional background is in IT risk consulting and IT auditing, covering IS strategy, Risk Assessment & Management, Information Security audits, design of Security Policies & Procedures, and formulation of Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP). He has worked for clients across the globe in a wide cross-section of industry sectors, including banking, financial services, telecom, utilities, FMCG and manufacturing.

Education / Professional Certifications

Certified Information Systems Auditor (CISA), ISACA, USA
Certified Information Systems Security Professional (CISSP), (ISC)², USA
Certified BS 7799 / ISO 17799 Lead Auditor, BSI, UK
Security+ Certified Professional, CompTIA, USA
Cisco Certified Network Associate, (CCNA), Cisco Systems Inc, USA
NSE (National Stock Exchange) Certification in Financial Markets (NCFM) -- Securities & Capital Market, INDIA
B.Tech in Computer Science & Information Technology, Institute of Engineering & Technology, Bareilly, INDIA

Key Skill Set
Risk Assessment: Risk categorization (people, process & technology), assessing risk using matrices, and defining risk quadrants based on the impact and likelihood of each risk.

Security Policy & Procedures: Development of Security Policy & procedures in alignment with Business needs.

Risk Management: Development of a cost-effective risk management framework that maps identified risks to the organization's security policy.

Disaster Recovery & Business Continuity Plans: Conducting Business Impact Analysis, identifying controls, developing recovery strategies, plan testing, training and user awareness, and plan review and maintenance for the development of business continuity and disaster recovery plans (BCP / DRP).

Frameworks / Standards used: COSO, COBIT, ISO 17799, ITIL / ITSM, SEI-CMM, NIST (National Institute of Standards & Technology), Reserve Bank of India's Audit Policy Framework/Guidelines for the Banking and Financial Sector.

Acquaintance with: HIPAA, GLBA, PCI DSS, DITSCAP, OCTAVE, FISMA, NIST SP800 Series (SP800-30, SP800-53), FFIEC, IT Act 2000 (India)

Concepts: PKI & Cryptography, Access Control & Identity Management, Network Security & Ethical Hacking

Key Management Responsibilities
Service Delivery: Engagement planning, management, client report review and delivering client presentations.

Knowledge Management: Developing work programs and methodologies to build specific competency and enhance value proposition.

Team Building: Knowledge sharing, training, motivating and development of team members.

Professional Experience
Organization | Designation | Duration
Independent Consultant | Sr. IT Audit & Risk Consultant | Feb 2006 -- Present
Deloitte | Senior Consultant | June 2003 -- Jan 2006
ISEC Services | Security Engineer | Dec 2002 -- April 2003
Tata Consultancy Services | Assistant System Engineer | April 2001 -- Dec 2002
Globsyn Technologies | Graduate Trainee | Aug 2000 -- Feb 2001

Overview of Major Assignments Led and Executed
Sarbanes Oxley Compliance (SOX 404) projects -- IT Auditing & Process Consulting

Independent Consultant (Feb 2006 -- Present) Designation: Sr. IT Audit & Risk Consultant

The World Bank Group -- Washington, DC [Jan 06 -- June 07, March 08 -- April 08 & Feb 09 -- Current]

Project -- Internal Controls over Financial Reporting (based on SOX -- Sarbanes Oxley Compliance)
• Leading a team of IT Auditors for testing operational effectiveness of internal controls over financial reporting.
• Assisted IAD in augmenting processes for Application Systems Development & Maintenance, Information Systems Security, Network Support, Information Systems Operations, Database Implementation and Management, and Systems Software Support.
• Rationalization of key controls, sampling techniques, review of test plans and test procedures.
• Coordinated closely with the Project Management team on identified issues, remediation steps and follow-up, and with business unit managers on control environment design, testing and guidance on implementation of the control framework.
• IT applications include SAP & PeopleSoft -- access control, profile authorizations, configuration checks; Treasury application -- access provisioning and access modification.
• Designed SQL scripts to extract the security entitlements (access profiles) of all users, and used ACL to analyze the script output to confirm that access privileges were appropriate.
• Databases: Oracle 9i & Sybase.
• Network Devices: Reviewed configuration files for firewalls, routers and switches and mapped any critical changes to Remedy logs.
• Reports reviewed: Reviewed output from various tools such as ESM, Nessus, NGS Squirrel and SNORT.
• Audit Tools: BWise and Galileo.
• CAAT Tools: ACL and Excel.
• External Auditors: Deloitte (07, 08), KPMG (09).

Citigroup -- Global Wealth Management Operations & Technology Risk Management -- NY [July 07 -- Oct 08]

Project -- Technology Risk Management
• Member of the steering committee of the GWM operations & technology risk management team, driving initiatives to streamline policies and processes and conducting gap analysis to optimize risk & control self-assessments (RCSA).
• Assisted GWM's Application Security oversight with root cause analysis and remediation planning, and reported trends to executive management on a biweekly basis.
• Created a dashboard and conducted a comparative study by mapping the existing vulnerability issues with OWASP Top Ten issues.
• Conducted a feasibility study of application security tools for identifying vulnerabilities during the development stage. Facilitated the Center of Excellence - Quality Center to embed application security review within the normal Quality Assurance process.
• Reviewed the risk assessment / remediation approach for high- and medium-risk issues based on the Common Vulnerability Scoring System (CVSS).
• Conducted one-to-one awareness sessions for business users on various facets of information security, especially application security and disposal of sensitive data.
• Part of various fast track programs related to information security initiative such as RSA Multifactor Authentication, Data Protection (Sensitive Disposal), RCSA Optimization, Application Security & Quality Review and Mainframe Security (RACF) Entitlement Review.

PSE&G -- Newark, NJ [July 06 -- Dec 06]

Project -- SOX Compliance
• Rationalization of key controls, sampling techniques, review of test plans and test procedures.
• Coordinated closely with business unit process consultants and managers on control environment design, testing and implementation of the control framework.
• Updated the project management team and attended project review meetings.
• Conducted SOX 404 IT General Computer Control (GCC) testing for one of the largest energy & utility companies on the east coast as part of the internal audit group. The task was to ensure the operating effectiveness of IT general controls supporting business processes. Key audit areas were IT infrastructure, covering Windows Active Directory, the Remedy application for change management, Oracle databases, SAP & PeopleSoft.
• External Auditors: Deloitte.

Canadian Pacific Railways -- Calgary, AB, Canada [May 06 -- July 06]

Project -- SOX Compliance & SAP Security
• Designing and documenting IT controls following the COBIT framework.
• Planning and testing of key controls.
• Gap analysis and remediation of failed controls.
• SAP Basis testing: review of SAP database controls, ABAP/4 workbench controls, technical user access control and central computing management system testing.
• SAP segregation of duties analysis: analyzed the SoD component for the major business cycles (Order to Cash, Procure to Pay, Asset Accounting, HR, GL, Project System) and issued the report to the client's SAP security team for remediation.
• IS Access Management (IS general system security controls and access controls for 10 other applications with differing architectures and security systems).
• IS Change Management (IS general change controls and change controls for 10 other applications with differing architectures and security systems).
• IS and Business Process Segregation of Duties (tested SoD controls implemented by the Virsa compliance tool in SAP R/3 version 4.6, tested business process SoD controls for other applications, worked on SoD strategy).
• IS Manage Configuration (reviewed the use of eEye Retina Scanner, Tripwire software, GSD 331 documentation, SAS 70 reports).
• External Auditors: Deloitte.

Meridian Gold -- Reno, Nevada / Toronto, Canada [March 06 -- May 06]

Project -- SOX Compliance
• Assisted one of the leading US-based mining companies to comply with Sarbanes-Oxley (SOX 404) on a corporate-wide basis, including diagnostic assessment, design of process workflows based on the ITIL framework, documentation of policies and procedures for key controls and their implementation, and development of a test plan based on the COBIT framework.
• External Auditors: E&Y.

AVON -- New Delhi, India [Oct 05 -- Jan 06]

Project -- SOX Compliance
• Conducted a SOX compliance readiness review for a leading beauty products company. Assisted in the remediation process, conducted workshops and trained resources on process streamlining, testing methodology, sampling techniques and materiality concepts to comply with SOX.
• External Auditors: PwC.

Deloitte (2003 -- 2006), Multiple Clients -- Designation: Senior Consultant

SAS 70 Readiness Review and Assessment
• Assisted a major India-based financial business process outsourcing company in preparing for SAS 70 Type I and Type II reports prior to the CPA firm's evaluation of the organization's internal controls.
• Designed the control framework for this client based on the COSO and COBIT frameworks.
• Interfaced with the external CPA firm and helped the client obtain SAS 70 reports.
• Conducted a workshop on the SAS 70 landscape in the era of Sarbanes-Oxley.
• As part of an external audit team, also evaluated SAS 70 reports provided by other clients for their outsourced processes, for reliance in General Computer Controls testing.

Assessment of General Computer Controls for Audit Clients
• Led and executed various assignments covering IT risk, understanding of the control environment and testing the operating effectiveness of implemented controls in accordance with agreed-upon procedures and industry best practices such as ISO 17799, COSO, COBIT and ITIL.
• These assignments spanned industries including services, banking, utilities, FMCG and manufacturing.

SOX Compliance Review & Training
• Worked in coordination with the US office to manage the SOX 404 compliance process on a corporate-wide basis, including diagnostic assessment, testing, remediation and SOX awareness training. Developed reports and other communication vehicles to keep management apprised of progress. Participated in 404 Steering Committee meetings. Facilitated the longer-term objective of integrating SOX 404 compliance with the broader enterprise risk management framework (COSO & COBIT).

ERP -- SAP Security Control review
• Assessed SAP R/3 application security controls (FI/CO module) and security configurations within the application.
• Segregation of Duties (SoD) analysis: reviewed roles and responsibilities against the organization's authorization matrix to ensure appropriate application access.

Assessment of Business Computer controls
• Assisted financial auditor in evaluation and review of automated controls in a business process.

Development of Business Continuity & Disaster Recovery Plan
• Conducted Business Impact Analysis and developed the recovery strategy, plan testing, user awareness and business resumption plan for a document management company.

Fraud Investigation
• Identified fraud with a high material impact in the distribution system of a leading medical equipment manufacturer and suggested a remediation plan.
• Assisted financial auditors in identifying system control weaknesses vulnerable to fraud with a high material impact.

Saudi Electricity Company (2002-2003) Designation: Security Engineer

Information Security Assessment
• Managed a team of 5 consultants in an advisory role.
• Devised a risk assessment framework for the IS / IT infrastructure by scanning servers and routers and reviewing systems against standard checklists based on ISO 17799.
• Devised security policy, procedures and an implementation plan based on ISO 17799.
• Devised a roadmap for the disaster recovery plan (DRP) and business continuity plan (BCP) based on NIST guidance.
• Conducted security awareness workshops and training sessions for security certifications such as CISSP and CISA.

Tata Consultancy Services (2001-2002) Designation: Assistant System Engineer

Roadmap for ISO-17799 / BS-7799 Certification
• Assisted in the preparation of security policy, security procedures, and business continuity & disaster recovery plans.
• Devised a risk assessment and management methodology.
• Conducted an internal audit to perform gap analysis against BS 7799 requirements.
• Conducted BS 7799 awareness training for users.

Penetration Testing
• Footprinting and scanning of servers.
• Simulation of possible attacks on the target system depending on the services running.
• Collecting evidence to demonstrate vulnerabilities in the web site.
• Liaising with the client and preparing the report.

Public Key Infrastructure product development
• Implementation and integration of OCSP (Online Certificate Status Protocol) with the existing prototype.

Globsyn Technologies Limited (2000-2001) Designation: Trainee

Young Software Manager -- Graduate Trainee
• Developed in-house application packages such as a library management system and office management packages, adhering to all SDLC phases.

Professional Achievements
One of the founding members of the e-Security practice of Asia's largest IT consulting & outsourcing company
Conducted training on various information security topics and certification exams -- CISA, CISSP and CCNA
Assisted (ISC)² as a proctor for CISSP examinations

IT Knowledge
Applications Used: MS Office / Outlook / Visio, Remedy, Archer, Virsa, Identity Management tool -- Netegrity SiteMinder

ERP Security Controls Audit: SAP R/3, PeopleSoft, JD Edwards, Ramco e-Applications and Oracle Financials.

Programming Languages & Databases: C, C++, Java, Oracle, MS SQL and Sybase

Operating Systems Reviewed: MS DOS, Windows X, AS400, AIX, UNIX, LINUX and Mainframe OS/390

Networking Components: Cisco Routers 2500, 2600 and 7200 Series, Cisco Switches 1900, 6509 Series, Check Point NG, Juniper and Cisco Pix Firewall, IDS (Snort), WebSense proxy.

Tools & Utilities: Audit System 2, ACL, ISS, Nessus, SARA, Nmap, Symantec ESM, Netcat, L0phtCrack, John the Ripper, Ethereal, LANguard, Iris, Sniffit, SNORT, Retina, Ngrep and war-dialing tools such as ToneLoc
