Nishad Ahamed

Consultant

Bengaluru, Karnataka, India · 12 yrs 3 mos experience
Highly Stable

Key Highlights

  • Expert in ISMS implementation and cybersecurity assessments.
  • Proven track record in risk management and third-party vendor security.
  • Skilled in delivering cybersecurity training and stakeholder engagement.
Stackforce AI infers this person is a Cybersecurity and Risk Management expert in the Healthcare and FinTech sectors.

Skills

Core Skills

Cybersecurity, Risk Management, Cloud Security, Information Security, Compliance

Other Skills

2nd line of assurance, Assessment & Assurance, Auditing, Cloud Risk Assessment, Cloud Security Alliance, Compliance assessments, Computer Security, Cybersecurity controls, Cybersecurity management system, Data Security, Employee Training, FinTech, ISMS implementation, ISMS process writing, ISO 27001

About

A strong foothold in ISMS implementation, Cybersecurity assessments & audits, Third Party Risk Management, Vulnerability and Incident management, Risk Management and Cybersecurity trainings which helped me to handle complex cybersecurity issues with a focus towards continuous improvement of building an organization’s resilience to security threats.

Experience

Siemens Healthineers

2 roles

Assessment & Assurance

Promoted

Oct 2024 - Present · 1 yr 5 mos · Bengaluru, Karnataka, India · Hybrid

  • Designing process for assessment & assurance with a focus towards continuous improvement.
  • Providing SME support to review cybersecurity controls for Group Internal audits.
  • Leading & conducting assessments for second line of assurance for the organization.
  • Managing stakeholders to secure strong stakeholder engagement to meet their needs and expectations.
Assessment & Assurance, Cybersecurity controls, Stakeholder engagement, Cybersecurity, Risk Management

Cybersecurity Management System

Apr 2024 - Mar 2025 · 11 mos · Bengaluru, Karnataka, India · Hybrid

  • Analyzed and prioritized stakeholder needs and expectations with respect to the cybersecurity management system.
  • Digitalized Cyber Security Management System
Stakeholder needs analysis, Cybersecurity management system, Cybersecurity, Risk Management

Wipro

Cloud Risk Specialist

Jul 2022 - Apr 2024 · 1 yr 9 mos · Chennai, Tamil Nadu, India · Hybrid

  • Provided SME support to review vendor (cloud and non-cloud) information security controls based on the customer identified cloud control framework
  • Reviewed vendor independent audit reports (SOC/PCI DSS/ISO/Pentest) to understand the threat agent, vulnerabilities and associated risks
  • Incorporated output from controls review into a Cloud Risk Assessment template and rated impact and probability of occurrence to arrive at overall risk ratings
  • Supported projects to present risk assessment output to appropriate forums and committees to secure approval
  • Acted as a process and governance expert for the Cloud Risk Assessment process for the customer’s projects and programmes
  • Managed key business stakeholders to secure strong stakeholder engagement to meet their needs and expectations.
Vendor information security controls, Cloud Risk Assessment, Stakeholder engagement, Cloud Security, Risk Management

Standard Chartered

Information Security Risk Manager

May 2019 - Jul 2022 · 3 yrs 2 mos · India · On-site

  • Interacted with businesses and vendors to understand the scope of their service being on-boarded to the bank
  • Based on the interaction and the level of risk identified, defined the scope of the TPSA and assessed the respective control domains, including but not limited to security policies, risk and incident management, cloud security and governance of external parties
  • Published TPSA report based on outcome of the assessment and worked towards closure of exceptions based on remediation achieved
  • Governed risk exceptions that arise to the bank out of third-party security assessments
  • Performed the process of due diligence to ensure the scope of the vendors is intact without any change within the assessment validity period and to track any change in their service, IT/Non-IT environments
  • Managed stakeholders' needs and expectations from the South Asian region
  • Managed vendor management tool and tracked all identified tool issues to their logical closure and tested tool changes as part of UAT
  • Trained new team members on the process to facilitate their onboarding to the team.
Third-party security assessments, Risk management, Vendor management, Risk Management, Information Security

Capgemini

Cyber Security Consultant

Mar 2017 - May 2019 · 2 yrs 2 mos · India · On-site

  • Carried out compliance assessments for North America, Central Europe and Indian regions to identify their respective areas for continuous improvement and provided necessary remediation plans to address any non-conformities, enabling them to be compliant with the ISO 27001:2013 ISMS standard
  • Carried out ISMS process writing for the North America region
  • Performed SOC 2 Type 1 and Type 2 audits based on the following five trust principles: Security, Confidentiality, Availability, Processing Integrity and Privacy
  • Analyzed evidence artifacts received to ensure they meet the intent of the PCI DSS assessment, thereby demonstrating compliance as part of PCI DSS annual compliance program
  • Performed security review on Master Service Agreement (MSA)/Statement of Work (SoW) to ensure that the organization fulfils the security requirements laid out by the clients
  • Conducted security risk assessments on 3rd party security controls
  • Assessed using Cyber Security & Information Protection Mandatory Baseline Controls for the clients in the North American region
  • Planned and executed security assessment for an in-house analytical tool
  • Carried out privilege access review of SOX system DBs for both OS and application.
Compliance assessments, ISMS process writing, Security risk assessments, Information Security, Compliance

Siemens Technology and Services Private Limited

Information Security Senior Systems Engineer

Dec 2013 - Feb 2017 · 3 yrs 2 mos · India · On-site

  • Implemented Information Security Management System (ISMS) for the organization
  • Carried out the migration activities from old ISMS standard (ISO 27001:2005) to new ISMS (ISO/IEC 27001:2013) standard
  • Collaborated with business units to determine continuous improvements with respect to ISMS
  • Performed risk assessments for business projects and vendors and recommended risk treatment strategies
  • Analyzed and tracked IT and Non-IT incidents and reported on a weekly and monthly basis to all the relevant stakeholders
  • Performed ISMS internal audits for the business and vendor functions
  • Managed & tracked ISO 27001:2013 ISMS internal and external audit findings and facilitated towards closure
  • Developed/provided inputs on development of security trainings
  • Delivered end users and vendors security awareness trainings.
ISMS implementation, Risk assessments, Security awareness training, Information Security, Risk Management

Education

University of Madras

Master of Science (M.Sc.) — Cyber Forensics and Information Security

Jan 2011 - Jan 2013

The New College, Chennai

Bachelor of Science (B.Sc.) — Mathematics

Jan 2008 - Jan 2011
