Director or Senior Manager or Manager
Content
Aravindan "Arvind" Ganesan CISA PMP [email protected] 978-760-3400 Summary More than 15 years of IT SOX-404 Audit, IT Security Management, PCI DSS Complian ce, Risk Management, Compliance, HIPAA audit and Project Management, experience galvanizing teams in core initiatives while serving as a change agent for effici ency improvements with expertise in Platforms and Interface Management. Demonstrated ability to identify gaps relating to key IT processes and implement ed best IT practices. Managed audit and security teams delivering successful IT Security Programs, SOX -404 IT Audits, PCI DSS, CISP and HIPAA Compliance, SAS 70 and ISO 27001 for mor e than six fortune 500 companies. Wide industry experience including Banking, Financial, Insurance, Retail, Teleco mmunications, Manufacturing and Logistics. Interfaced with Senior VPs and Directors to determine business strategy and to a llocate budget and resources. Effective at motivating and leading IT audit ,security, and compliance professio nals. Excellent presentation, communication and negotiation skills. Proven track record of delivering technology solutions using multi-sites and cro ss-cultural teams. Significant Achievements a Managed the large audit and compliance initiatives of SOX-404 IT, PCI DSS and HIPAA/HITECH including security policies, procedures and controls.. a Managed implementation of security policies, guidelines, standards, controls a nd processes based on ISO 27001 / COBIT/ COSO/ OWASP / ITIL / NIST frameworks an d methodologies. a Managed the implementation of IS Security programs in large enterprises a Established Security Committee and change control committees. a Developed audit universe and audit programs; Resource Planning and Allocation. a Managed the operational audits of ERP (SAP and PeopleSoft) and IBM/UNIX system s. a Prepared the final audit reports for numerous audit programs and presented to audit committee. a Managed auditors and team to implement IT General Controls (ITGC) a Audited BCP and DRP plans and implementations; Recommended best practices. a Interfaced with external auditors (E&Y and KPMG) for audit concerns and certif ications. a Designed large IT networks and managed large and complex IT security projects. a Risk Management, Program management, Project Prioritization and Team Selection . a Vendor negotiation and leveraged global development and delivery models. a Managed the implementation of CISCO PIX and Checkpoint firewalls, IDS/IPS and VPN a Restricted the access of users and implemented role based access in SAP and AS /400 a Developed and reviewed 31 IT security policies, guidelines and standards as per NIST Standard a Created and implemented incident response policy and procedures a Conducted the web penetration and web application vulnerability scan tests usi ng Nessus, Fortify, Rapid7, and Appscan; solved the issues based on the recommen dation of OWASP. a Conducted IT Security Awareness Training programs in numerous companies a Trained and mentored IT professionals for CISSP,CISA and PCI DSS Certificatio ns a Managed complex projects with budgets ranging from $500K to $7M and resources from 5 to 25 professionals.
Education / Certifications a MBA - Technology Management (expected : 2011) B.E, Anna University, Madras, India a CISA-Certified Information System Auditor ISACA 2005 a CPISM-Certified PCI Security Manager (Awaiting certification) a PMP- Project Management Professional - 2001 a Cisco Certified Design Associate (CCDA) 2000 a Cisco Certified Network Associate ( CCNA) 1999 Training Courses a CISSP Certification Course - IT Security Course - ISC2 2005 Professional Experience Wells Fargo /Wachovia Banking Nov 2010 to date Manager (Security and Compliance) Web Application Security Audit (Budget: $2M, Resources: 7) Manage the team of se curity and compliance professionals to audit the security issues of Wells Fargo web applications relating to PCI DSS, HIPAA, GLBA and privacy acts. Identified the issues as per OWASP code review and security audit testing guides . Created findings matrix and final security issue reports and recommended the s olutions to fix the issues. Incorporated the security in system development life cycle (SDLC). Trained the developers on web application security audit process, gave an overview of securing the code of web applications. Conducted the web ap plication (E commerce) vulnerability and penetration testing using Fortify and A ppscan. Reviewed the security of web sites and web applications to identify vari ous security vulnerabilities (SQL injection, cross site scripting , buffer overf low etc.) Egrove Systems Corporation Oct 2007 to Oct 2010 Director a" Audit, Security and Compliance Managed and delivered IT security and compliance initiatives a" Enterprise IT Se curity program, SOX, PCI, HIPAA/HITECH, and ISO 27001 using COSO/COBIT framework s for several fortune 500 companies including: Siemens HealthCare Systems PCI DSS Compliance (Budget: $500K, Resources: 6) Acted as PCI DSS advisor, identified credit card processing solutions, recommend ed the reporting procedures to comply with PCI-DSS. Managed the team of security consultants and programmers to identify the security solution and credit card p rocessing vendor for Siemens. Evaluated the security policies , guidelines and s tandards (NIST) relating to PCI DSS compliance and identified the gaps in the sy stems and processes. Provided expert opinion, evaluated the PCI DSS SAQ Type que stionnaires, and finalized the SAQ type and category for Siemens based on mercha nt level and transaction volume. SOX -404 IT Security Audit (SAP, UNIX and Oracle Database Security Audit) Managed the SOX remediation process with senior managers of IT and resolved the security control issues of SAP, UNIX and Oracle database systems. Iron Mountain PCI DSS, SAS 70 and ISO 27001 Security Compliance (Budget: $600K, Resources: 5) Worked as a team lead, managing teams and identified security gaps relating to P CI DSS, ISO 27001 and SAS/70 controls. Developed and implemented ISMS (Informati on Security Management Systems) and prepared the company for ISO 27001 and SAS 7 0 certifications. Blue Cross Blue Shield Web Application Security Audit (Yearly Budget: $2M, Resources: 9) Developed security framework and integrated with SDLC process for web applicatio ns. Managed web application security audits for 23 key business applications. TJX Group Companies, Framingham, MA (Yearly Budget: $1.5M, Resources: 7) Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Worked as a technical project manager, managed nine security and compliance audi tors. Executed audit programs for PCI-DSS to secure and safeguarded the credit c ard data in TJX corporate offices in USA, Canada and Europe. Unified or Comprehensive Security and Compliance Program: Created a unified secu rity and compliance programs that made the IT Compliance audit process more effi
cient and effective, which resulted in a significant cost reduction. (The key co mpliance requirements/regulations were - PCI, SOX and FTC privacy regulations.) Federal Trade Commission (FTC) Privacy Act: Managed audit of systems related to storing and processing of customer and associate information. Identified the req uirements of FFIEC a" Information Security IT Examination Handbook, OCC bulletin 2001-35 and GLBA/Privacy Act to evaluate the effectiveness of controls. World Bank - Washington DC (Budget: $600K, Resources: 6) SOX-404-ICFR Audit (PeopleSoft, SAP Systems and Security) Conducted application security and compliance audit for ERP (People Soft and SAP ) systems. Identified gaps and deficiencies in applications and systems as per W orld Bank's security and compliance guidance and standards. HIPAA/HITECH Security Compliance: Conducted HIPAA/HITECH compliance audit for on e of their healthcare divisions and identified the deficiencies. Conducted vulne rability testing to identify vulnerabilities relating to web applications. Principal Bank and Financial Group - Des Moines, IA (Yearly Budget: $1.2M, Resou rces: 4) IBM Mainframe Security Audit / Compliance: Audited IBM system/390 (MVS/RACF) GDP S/XRC data mirroring, storage systems and other systems and recommended the best practices adopted in the industry PCI Compliance and GLBA Acts: Conducted system audits to comply with PCI DSS Com pliance and GLBA acts. Keane Inc., Boston, Massachusetts (Yearly Budget: $1.5 M, Resources: 5) Aug 2004 to Sep 2007 Senior IT Audit Manager Managed IT Audit universe and audit programs including SOX-404 with five IT audi tors for the entire corporation, including locations in Europe, Asia, Australia, Canada and USA. SOX 404-IT Compliance (Budget: $1M, Resources: 20) Audited and tested controls for AS/400, SAP, PeopleSoft, JD Edwards, AS/400 Orac le, DB2, Infinium, AIX6000, UNIX (Sun Solaris), Network, IT security, systems, a nd applications. HIPAA Compliance (Budget: $250K): Audited the systems and applications for HIPAA Compliance. Audit of Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) (Budget : 500K): Audited and recommended best practices adopted in the industry for BCP and DRP SAS/70 Assessment (Budget: $250K): Assisted in developing controls required for SAS/70 and coordinated with external auditors to obtain SAS/70 certifications. iBasis, Burlington, Massachusetts (Yearly Budget: $15M, Resources: 25) April 200 1 to Aug 2004 International Project Manager (Audit and Security) Developed comprehensive project management plans for Enterprise Security and Aud it Programs. Project managed the implementation of security programs in global d ata centers in Europe, Asia and Americas. Global IT Security Projects: Project managed the implementation of security of t he systems and networks in remote locations; identified risks and proposed solut ions for remediation. PCI- Cardholder Information Security Program (CISP): Project managed the efforts of identifying the controls and processes required to comply with CISA (PCI DSS ) for online prepaid-card system. AT&T Wireless, Pittsburgh, Pennsylvania (Budget: $45M, Resources: 20) Mar 2000 to April 2001 Project Manager (Network and Security ) Managed a group of 20 network and security consultants for the design and implem entation of a complex network; implemented Lucentas design of layer 3 IP-based n etworks for AT&T Wireless systems in 91 locations. AL Futtaim Trading, Dubai, UAE (Budget: $7M, Resources: 16) 00 Mar 1996 to Mar 20
Network Manager/Controller (Network and Security) Managed and designed the large enterprise network and security programs and mana ged 120 locations. Project managed the migration of RPG programs (AS/400) to ERP SAP R/3 applicatio n during 1999 and 2000. Philips India Ltd, Madras, India Jan 1995 to Apr 1996 Assistant Automation Manager (Network and Security) Immigration Status: US Citizen
Education / Certifications a MBA - Technology Management (expected : 2011) B.E, Anna University, Madras, India a CISA-Certified Information System Auditor ISACA 2005 a CPISM-Certified PCI Security Manager (Awaiting certification) a PMP- Project Management Professional - 2001 a Cisco Certified Design Associate (CCDA) 2000 a Cisco Certified Network Associate ( CCNA) 1999 Training Courses a CISSP Certification Course - IT Security Course - ISC2 2005 Professional Experience Wells Fargo /Wachovia Banking Nov 2010 to date Manager (Security and Compliance) Web Application Security Audit (Budget: $2M, Resources: 7) Manage the team of se curity and compliance professionals to audit the security issues of Wells Fargo web applications relating to PCI DSS, HIPAA, GLBA and privacy acts. Identified the issues as per OWASP code review and security audit testing guides . Created findings matrix and final security issue reports and recommended the s olutions to fix the issues. Incorporated the security in system development life cycle (SDLC). Trained the developers on web application security audit process, gave an overview of securing the code of web applications. Conducted the web ap plication (E commerce) vulnerability and penetration testing using Fortify and A ppscan. Reviewed the security of web sites and web applications to identify vari ous security vulnerabilities (SQL injection, cross site scripting , buffer overf low etc.) Egrove Systems Corporation Oct 2007 to Oct 2010 Director a" Audit, Security and Compliance Managed and delivered IT security and compliance initiatives a" Enterprise IT Se curity program, SOX, PCI, HIPAA/HITECH, and ISO 27001 using COSO/COBIT framework s for several fortune 500 companies including: Siemens HealthCare Systems PCI DSS Compliance (Budget: $500K, Resources: 6) Acted as PCI DSS advisor, identified credit card processing solutions, recommend ed the reporting procedures to comply with PCI-DSS. Managed the team of security consultants and programmers to identify the security solution and credit card p rocessing vendor for Siemens. Evaluated the security policies , guidelines and s tandards (NIST) relating to PCI DSS compliance and identified the gaps in the sy stems and processes. Provided expert opinion, evaluated the PCI DSS SAQ Type que stionnaires, and finalized the SAQ type and category for Siemens based on mercha nt level and transaction volume. SOX -404 IT Security Audit (SAP, UNIX and Oracle Database Security Audit) Managed the SOX remediation process with senior managers of IT and resolved the security control issues of SAP, UNIX and Oracle database systems. Iron Mountain PCI DSS, SAS 70 and ISO 27001 Security Compliance (Budget: $600K, Resources: 5) Worked as a team lead, managing teams and identified security gaps relating to P CI DSS, ISO 27001 and SAS/70 controls. Developed and implemented ISMS (Informati on Security Management Systems) and prepared the company for ISO 27001 and SAS 7 0 certifications. Blue Cross Blue Shield Web Application Security Audit (Yearly Budget: $2M, Resources: 9) Developed security framework and integrated with SDLC process for web applicatio ns. Managed web application security audits for 23 key business applications. TJX Group Companies, Framingham, MA (Yearly Budget: $1.5M, Resources: 7) Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Worked as a technical project manager, managed nine security and compliance audi tors. Executed audit programs for PCI-DSS to secure and safeguarded the credit c ard data in TJX corporate offices in USA, Canada and Europe. Unified or Comprehensive Security and Compliance Program: Created a unified secu rity and compliance programs that made the IT Compliance audit process more effi
cient and effective, which resulted in a significant cost reduction. (The key co mpliance requirements/regulations were - PCI, SOX and FTC privacy regulations.) Federal Trade Commission (FTC) Privacy Act: Managed audit of systems related to storing and processing of customer and associate information. Identified the req uirements of FFIEC a" Information Security IT Examination Handbook, OCC bulletin 2001-35 and GLBA/Privacy Act to evaluate the effectiveness of controls. World Bank - Washington DC (Budget: $600K, Resources: 6) SOX-404-ICFR Audit (PeopleSoft, SAP Systems and Security) Conducted application security and compliance audit for ERP (People Soft and SAP ) systems. Identified gaps and deficiencies in applications and systems as per W orld Bank's security and compliance guidance and standards. HIPAA/HITECH Security Compliance: Conducted HIPAA/HITECH compliance audit for on e of their healthcare divisions and identified the deficiencies. Conducted vulne rability testing to identify vulnerabilities relating to web applications. Principal Bank and Financial Group - Des Moines, IA (Yearly Budget: $1.2M, Resou rces: 4) IBM Mainframe Security Audit / Compliance: Audited IBM system/390 (MVS/RACF) GDP S/XRC data mirroring, storage systems and other systems and recommended the best practices adopted in the industry PCI Compliance and GLBA Acts: Conducted system audits to comply with PCI DSS Com pliance and GLBA acts. Keane Inc., Boston, Massachusetts (Yearly Budget: $1.5 M, Resources: 5) Aug 2004 to Sep 2007 Senior IT Audit Manager Managed IT Audit universe and audit programs including SOX-404 with five IT audi tors for the entire corporation, including locations in Europe, Asia, Australia, Canada and USA. SOX 404-IT Compliance (Budget: $1M, Resources: 20) Audited and tested controls for AS/400, SAP, PeopleSoft, JD Edwards, AS/400 Orac le, DB2, Infinium, AIX6000, UNIX (Sun Solaris), Network, IT security, systems, a nd applications. HIPAA Compliance (Budget: $250K): Audited the systems and applications for HIPAA Compliance. Audit of Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) (Budget : 500K): Audited and recommended best practices adopted in the industry for BCP and DRP SAS/70 Assessment (Budget: $250K): Assisted in developing controls required for SAS/70 and coordinated with external auditors to obtain SAS/70 certifications. iBasis, Burlington, Massachusetts (Yearly Budget: $15M, Resources: 25) April 200 1 to Aug 2004 International Project Manager (Audit and Security) Developed comprehensive project management plans for Enterprise Security and Aud it Programs. Project managed the implementation of security programs in global d ata centers in Europe, Asia and Americas. Global IT Security Projects: Project managed the implementation of security of t he systems and networks in remote locations; identified risks and proposed solut ions for remediation. PCI- Cardholder Information Security Program (CISP): Project managed the efforts of identifying the controls and processes required to comply with CISA (PCI DSS ) for online prepaid-card system. AT&T Wireless, Pittsburgh, Pennsylvania (Budget: $45M, Resources: 20) Mar 2000 to April 2001 Project Manager (Network and Security ) Managed a group of 20 network and security consultants for the design and implem entation of a complex network; implemented Lucentas design of layer 3 IP-based n etworks for AT&T Wireless systems in 91 locations. AL Futtaim Trading, Dubai, UAE (Budget: $7M, Resources: 16) 00 Mar 1996 to Mar 20
Network Manager/Controller (Network and Security) Managed and designed the large enterprise network and security programs and mana ged 120 locations. Project managed the migration of RPG programs (AS/400) to ERP SAP R/3 applicatio n during 1999 and 2000. Philips India Ltd, Madras, India Jan 1995 to Apr 1996 Assistant Automation Manager (Network and Security) Immigration Status: US Citizen
