Objective

Currently seeking a position in Corporate Risk Governance, Compliance, Information Security, Privacy, Service Management & Quality Management, assisting enterprises in implementing, establishing and documenting business processes and systems based on standards & best practices.

Certified as a Lead Auditor for ISO 27001 & ISO 9001. Worked on Risk Governance projects with the Federal Reserve Bank, Depository Trust & Clearing Corporation, Citigroup, Johnson & Johnson and Reuters amongst others. Has over 18 years' experience in Risk Governance with both the private & public sectors globally, including the United States & Asia. Adept at both the offshore and onshore models and the risks and advantages associated with each. Deep experience based on implementing several standards-based systems including, but not limited to, ISO 27001, ISO 9001, ISO 20001, BS 25999, ITIL, COBIT, COSO, PCI, VISA CISP, HIPAA, Basel II, GLBA, Sarbanes-Oxley, SAS 70 Type I & II, EU Data Privacy, Safe Harbor, PIPEDA, FFIEC, FISMA, NIST 800-xx, OECD, SB 1386, HCC, GXP, FDA, CSV and SDLC.

Career Highlights

• Risk assessments and audits (SOX, GXP, SDLC, and CSV) in the J&J SAP environment for a $146 million project at J&J to allow access to real-time manufacturing data, a global view of inventory, 25 different plant operations consolidated into 1 integrated platform and common processes across 63 manufacturing sites
• 1st ISO 27001 certificate in the United States, to the Federal Reserve Bank (largest Central Bank in the World)
• 1st BITS Shared Assessment Program (SAP) third-party audit of DTCC ($28 trillion of assets, $1.8 quadrillion in securities settlement in 2008)
• ISO 27001 - 100% success in getting all clients certified to ISO 27001 – Federal Reserve, Citigroup, Reuters.
• 7 of 15 (46%) of ISO 27001 certificates awarded in 2005 in the United States – Federal Reserve, Citigroup, Reuters
• Over 500 risk assessments globally – including Information Security, Privacy, Validation, cross-certification to ISO 27001 and ISO 9000 simultaneously – Federal Reserve, Reuters
• Address & eliminate major audit findings by Federal regulators (SEC, OCC) - Citigroup
• Risk Governance Alignment for Information Security & BCDR governance groups - Citigroup
• Compared the Corporate Governance IAPP policies with globally accepted risk principles to outline gaps for remediation based on ISO 27001 principles – J&J
• Mapped the BS 25999 standard against the NFPA 1600. Currently in use with the British Standards Institute

Work Experience

Audit and Doc Control & IT SOX, 4/’07 - Present
HCS – Crossroads - Audit and Doc Control - Johnson & Johnson, NJ

• Conduct audits of both Business and IT process teams and groups for compliance with SOX, GxP, Privacy, HCC, CSV and SDLC for the Crossroads SAP project, a $146 million SAP software development project to streamline the manufacturing & supply chain processes across the J&J global enterprise.
• Provide guidance and direction to Business Process teams including Finance, Quality and Human Relations on potential gaps and remediation of audit findings based on the observations from the conduct of internal and external audits.
• Plan, organize and implement a full Document Control function from the ground up. Establish the process, vet the technology options, hire the doc control team and manage project stakeholder expectations. Completed the validation requirements for the technology components of the Document Control project to provide evidence of all legal and regulatory compliance activities for healthcare, including SOX, GXP, CSV, SDLC, Privacy and IAPP requirements.
• Organize and archive all documents for legal and regulatory compliance, including the Compliance Plan, Compliance Analysis, Risk Assessment, Strategy Documents, SOPs, WIs, Test Scripts and Test Results.
• Supplier risk assessment evaluation and BPRAs for J&J HCS.
• Some key concerns revealed during my audits were as follows:
  - The Core Design had not been rigorously prototyped prior to Integration testing
  - The Master Data team had not finalized the field mapping process from existing legacy systems to the Crossroads SAP project
  - The Interfaces were at risk of overloading on account of Core Design not meeting all its integration goals
  - Supplier governance was not being viewed strategically as a part of the Global Corporate Risk Governance framework
• Provide training to the entire project team on the Compliance requirements including FDA, CSV, SDLC, SOX and Privacy requirements. Over 100 training programs conducted.
• Guide the Data Migration and Conversion team to define a comprehensive compliance strategy for the entire migration and conversion process.
• Guide the Testing team to ensure that testing and stage-gate reviews for the various stages of the SDLC were archived and available for audits, internal and external.
• Acquired tools for Requirements Traceability to prove that Design-To-Meet requirements were developed, tested and found to fully meet user requirements.

Ethicon - IT SOX Lead

• Guide, train and orient the IT team on their responsibilities under SOX, the implementation of new SOX controls, the review of existing SOX controls and the coordination of all SOX testing for an $8 billion division of J&J - Ethicon.
• Review the changes in the business process and understand the changes and new controls required to be put in place for SOX compliance based on an Impact Analysis. Provide guidance to Top Management and Process leads on the impact of changes based on metrics related to Materiality for SOX. Reduced the number of SOX tests by 894.
• Planning, Organizing, Directing, Coordinating and Conducting of Internal and External audits with Corporate Internal Audit and Price Waterhouse for SOX. During the audit, communication with all stakeholders to apprise them of the audit progress. Post-audit follow-up in completing remediation and documenting actions taken based on audit observations.
• Led the IT group through 3 internal and external audits. Result of the audit was Adequate. Trending for J&J Enterprise as a whole was Inadequate or Adequate with Significant Concerns.
• Implementing efficiencies in the SOX program based on guidance in AS-2 and AS-5, neither of which had been implemented prior to my arrival.
• Also worked on compliance requirements linked to Health Care Compliance, Privacy and GxP.
• Led the SOX bi-annual reviews with the SOX Steering Committee and the Board
• Saved the company $5 million over 8 months based on 6 ideas which were implemented

Sr. Consultant – Risk Assurance, Mitigation & Services Mgt., 8/’04 – 3/’07
Churchill & Harriman, NJ
• 1st ISO 27001 certificate awarded to the Federal Reserve Bank, based on subject matter expertise and implementation consultation provided by me
• 100% success in getting clients to certification. Clients cross-certified to multiple standards like ISO 27001, ISO 9001 and ISO 20000. Zero observations from external auditors.
• 7 of 15 (46%) of ISO 27001 certificates awarded in 2005 in the United States – Federal Reserve, Citigroup (Information Security and Business Continuity Governance Groups), Reuters (key strategic data centers across the United States)
• Strategic Supplier Governance (including Contract Governance) expertise to clients in different sectors including Financial Services, Healthcare and News Dissemination. Saved the clients $18 million annually in the process
• Subject Matter Expert in deploying ISO 17799/ISO 27001/ISO 9001/ISO 20000/BS 25999, amongst other standards, for Security, Quality, IT Service & Business Continuity.
• 1st BITS SAP Third Party assessment of DTCC for compliance with the Strategic Vendor Governance program
• Over 500 risk assessments all across the globe for Information Security, Privacy, Infrastructure capability, and standards like ISO 9001 and ISO 27001, amongst others.
• Application Vulnerability Scanning for clients and interpreting the results so that appropriate remedial action could be taken as part of the SDLC cycle.
Sr. Consultant – Location Based Services & Project Mgt., 6/’04 – 7/’04
Izar Associates, NJ
• Hired to address Business Risk in the offering of new Location Based Services.
• Project Management checklist for closing out client engagements.

Sr. Consultant – Infrastructure Security Risk Assessment & Remediation, 9/’02 – 5/’04
Norvergence Inc., NJ
• Hired to address Information Risk in Infrastructure, conduct Security Assessments and suggest methods for Risk Remediation.
• Project Management & staffing of customer-specific engagements with teams to address remediation.
• Developed a methodology and documented it for productivity enhancements.
• Assessed the impact of platform transitions and mergers and acquisitions on current customers' risk profiles and recommended remediation.
• Explored the link between Security Management and IT Services Management around risk.

Senior Consultant – HIPAA Privacy and Security, 7/’02 – 8/’02
Innovative Business Solutions Inc., PA
• Responsible for developing a methodology for HIPAA Privacy Risk Assessments.
• Develop a system for securing HIPAA transactions in a B2B environment.
• Conducted 3 Privacy Risk assessments for Protected Health Information (PHI).

Senior Consultant – B2B Info Risk Assessment, 1/’01 – 6/’02
New York City, NY
• Hired to address Business Information Risk in B2B connections between the businesses and their partners and develop a methodology to assess the same.
• Managed & conducted over 100 risk assessments based on the risk assessment methodology developed.

Senior Consultant – HIPAA Privacy, 9/’00 – 12/’00
Kaltech International, NJ
• Present a position paper on the business opportunities to make a Business Case for HIPAA to make up for declining revenues from the Telecom sector

Senior Consultant – Business Process Reengineering, 3/’00 – 8/’00
Everest Consulting Inc., NJ
• Present a strategy to scale and reengineer business processes to comply with H-1B requirements and plan and execute an HR strategy around compliance with a view to maximizing revenues
• Present a Diversification Plan to move the company into on-shore software development to protect revenues from business and legislative risk due to H-1B volatility

Sr. Consultant – Enterprise Application Integration, 12/’98 – 2/’00
Hexaware Technologies Inc., NJ
• Present a position paper on the business opportunities to make a Business Case for the company to take a leadership position in a new area of Enterprise Application Integration (EAI)
• Present and execute a strategy to convert Year 2000 clients over to new services like Enterprise Application Integration and work with technology partners in offering an end-to-end solution to clients

Consultant – Year 2000 Project Methodology, 6/’98 – 11/’98
Global Software Technologies Inc., NJ
• Work on engagements to conduct Business Impact Analysis for business-critical systems that were impacted by the Year 2000 problem and recommend remediation strategies for impacted systems
• Suggest methods for decoupling business-critical systems' touch points with the overall infrastructure to limit any cascading effects of a system shutdown

Education

• ISO 27001 Lead Auditor - BSI; ISO 9000 Lead Auditor - BVQI
• University of Poona – MBA; University of Poona - BS (Electronics)

Professional Affiliations

• Past Member - Open Security Exchange (OSE) - Physical & Logical Security Convergence
• Information Systems Security Association (ISSA) – Member & Presenter
• BITS - Financial Services Roundtable - Technical Development Committee for Supplier Governance
• ASIS (American Society for Industrial Security)

Skills (Skill | Skill Level | Last Used / Exp in yrs)

1. BS 25999 - Business Continuity, BS 7799 Conversion, BS 7799-3 - Risk Management, ACL | Expert | Currently used / 3
2. Business Process Outsourcing, Combining Quality, Security & ITSM, COBIT & Controls, Information Governance Auditing | Expert | Currently used / 10
3. ITIL, ISO 17799/ISO 27001, ISO 20001, ISO 9001 | Expert | Currently used / 6
4. Knowledge Management, Management Planning & Control Systems, Operations & Project Mgt, Organizational Development, Presenter, Resource Management, Risk Assessment & Mitigation Management, Total Quality Management (TQM) | Expert | Currently used / 12