From:                              route@monster.com

Sent:                               Saturday, May 07, 2016 5:07 AM

To:                                   hg@apeironinc.com

Subject:                          Please review this candidate for: Cloud

 

This resume has been forwarded to you at the request of Monster User xapeix03

Vivek Naithani 

Last updated:  10/29/15

Job Title:  not specified

Company:  not specified

Rating:  Not Rated

Screening score:  not specified

Status:  Resume Received


Cary, NC  27519
US

Mobile: 7049417158   
vivek.naithani@gmail.com
Contact Preference:  Telephone


 

 

RESUME

  

Resume Headline: Information Systems Security Office


  

 

 

VIVEK NAITHANI

vivek.naithani@gmail.com    704-941-7158

Education:

·        Bachelor of Engineering

 

Certifications:

·        Certified Project Management Professional (PMP)

·        Certified Information Systems Auditor (CISA)

·        Six Sigma Green Belt (Internal)

 

 

 

Experience Summary             

·        Extensive experience in Information Security area

·        Security architecture in the Cloud for AWS, Azure, VMware, Rackspace, ServiceNow Clouds

·      Providing Authentication, WebServices and other Architecture solutions

·        Strong experience in Project management, SDLC and Process Improvement

·        Knowledge of IT Security and Compliance Frameworks like COBIT, OWASP, GLBA, PCI, FISMA, FedRAMP, FICAM

·        Knowledge of CMM/CMMI, ITIL, Agile and Six Sigma processes

·      Web Application vulnerability assessments using scanning tools like WebInspect, Wireshark, Nessus

·        Experience implementing SOX procedures and testing for SOX controls

·        Develop Hardening Standards and Configuration baselines for various platforms/tools

·        Performed FedRAMP and PCI compliance audits of applications and vendor relationships

·       Physical Security audits, Site visits of Vendor Data Centers

 

February 2010 – Current

United States Postal Service

Job Role: Information Systems Security Officer (ISSO)

The ISSO ensures the Federal Certification and Accreditation Process is followed for the deployment of IT systems.

·         Provide Security Architecture solutions for Cloud Application deployments to Amazon AWS, Microsoft Azure, VMware, ServiceNow and other clouds.

·         Review of Authentication, Audit Logging, Firewall Rules, APIs and Cloud specific services

·         Conduct security reviews of Cloud systems and Cloud service Providers using the FedRAMP process

·         Provide architecture guidance to application teams and infrastructure groups

·         Design Security requirements for Cloud platforms including Amazon AWS, Microsoft Azure, Rackspace, HP

·         Manage the Certification & Accreditation (C&A) process based on the FISMA guidance and produce all appropriate documentation

·         Perform Business Impact Assessments, Risk assessments and create Security Controls and Test plans for the applications and the infrastructure

·         Security design of federated identity solutions including FCCX to provide authentication options to agencies and other entities

·         Work with the architecture and Vendor teams to understand and review the systems

·         Establish PCI compliance procedures and controls for PCI impacted systems

·         Establish architecture patterns for various infrastructure solutions

·         Create hardening standards for various platforms, tools and technologies

·         Provide consulting for DLP (Data Loss Prevention) implementation requirements for various applications

·         Ensure SOX controls are being put in the process and create the test plans

·         Schedule and interpret PCI and vulnerability scans for the applications

 

July 2009 – January 2010

Freddie Mac

Job Role: Risk Manager

The Risk Analyst ensures compliance with information security standards by conducting assessments scans and provides guidance and consulting to various Business and IT initiatives

·         Understand the different applications and tools used by the business groups

·         Work with the business areas to gather evidence and documentation for the SOX control execution

·         Facilitate risk assessments based on the RCSA process

·         Review systems and resolve information security issues

·         Oversee and coordinate database and application designs

·         Provide solutions for remediation of issues and deficiencies

·         Understand the controls and create the attributes for the test approach

·         Enforce development standards and processes (coding, naming, data access, documentation)

·         Create and enforce architectural and engineering standards for security, availability, replication, storage and configuration management

·         Provide information security consulting to Business areas when needed

·         Work with the Internal controls Office to get the controls approved

 

January 2007 – July 2009

Wachovia Corporate Information Security

Job Role: Information Security Project Manager

The Information Security Project Manager has to ensure that all Corporate Information Security policies are followed by the LOB and assist the IT groups in their compliance and testing

·         Provide consulting and operational support to cross functional security activities and project teams including infrastructure compliance, application security and vulnerability identification and remediation

·         Review major changes to applications and infrastructure and ensure adequate controls are in place

·         Evaluate new tools and products for compliance with corporate information security standards and recommend appropriate configurations

·         Application vulnerability assessments using scanning tools like Paros, WebScarab, WebInspect and Foundstone based on OWASP and SANS top 10 vulnerabilities

·         Conduct/facilitate ethical hacks for web based applications and work with the application teams for remediation of identified vulnerabilities

·         Conducting special testing of applications for SQL injection vulnerabilities based on the incidents reporting process

·         Defining and establishing implementation guidelines for Smartphones (BlackBerrys, iPhones, etc.)

·         Conduct Vendor security assessments based on PCI standards and where required conduct site visits to their data centers

·         Monitoring systems and infrastructure using tools such as Rohati, Bigfix and compliance checkers

·         Point of contact for remote access, privileged access and vendor access to applications

·         Interact with legal for paperwork related to ethical hacks, contracts and SOWs

·         Analyzing the data in the compliance and security review repository for non-compliance/deviations from standards

·         Ensure Unix/Windows/Database and other servers used by applications are built to CIS standards

·         Assisting the system managers with remediation of audit/security review and self assessment findings

·         Working with operational risk managers and risk committee for risk acceptances of unremediated risks

·         Provide reports related to the security reviews

 

July 2006 – December 2006                           

Fannie Mae

Job Role: Security Analyst

The Security Analyst is responsible for ensuring compliance with Information Security procedures in the assigned areas

·         Evaluating the GCC controls, change controls, end user computing controls, data base controls and other application configuration procedures and testing guidelines in these areas.

·         Assist applications in remediation testing and documenting the testing results

·         Assist applications with the deficiency management process

·         Working on a project for addressing SOD control gaps

·         Testing of SAP Accounts Payable Application Controls

·         Working on a metrics program for SOX testing

·         Collecting the metrics by querying the Organizational Service Management Tool, SharePoint Sites and other Information repositories

·         Analyzing the metrics based on the thresholds for the measures and creating a Dashboard for reporting to management

·         Business Process evaluations for control environment and to evaluate the effectiveness and cost of existing controls

·         Working on the Incident Reporting and analyzing process for the Risk organization

·         Analyzing Risk Control Self Assessments of the Business Units to evaluate follow up actions like mitigation plan and monitoring

 

August 2005 – June 2006                                                         

Bank of America

Job Role: Risk Analyst

The Applications in any Business Group have to be managed for the Compliance and regulatory standards established in the organization. The Risk Analyst interfaces with the Application managers and ensures that the Risks are being managed and reported as per the Applicability matrix established for that Application and reports on the status.

Responsibilities:

·         Responsible for ensuring that Applications comply with the Corporate Risk and Control Policies.

·         Validating Change/SDLC and Access controls for the applications

·         Provide guidance to applications and products being rolled out to follow the architecture patterns

·         For TZ and internet facing applications approve the architecture and integration patterns

·         Auditing applications for appropriate access/data masking and encryption standards

·         Develop and execute detailed audit programs to review application development activities

·         Process mapping for Application and GCC controls

·         Testing the applications against the appropriate Application Access program.

·         Perform General Controls Audits that include logical & physical security, operating system integrity and change control.

·         Facilitate Periodic Control Self assessments of Business Groups using the ARCAT tool

·         Creating Risk Dashboards for Senior Management

·         Gap analysis of the Groups Control Assessment process by mapping it to the CoBIT controls

·         Defining policies for access control rules for the Applications

·         Participate in Toll gate reviews and ensure the right controls are built in the new applications

 

December 2003 – July 2005

Bank of America

Job Role: Process Manager 

Part of a consulting team to roll out CMMI and Project Management processes for the technology organization.

Responsibilities:                           

·         Defining and Deploying CMM/CMMI based SDLC processes

·         Putting in place the verification and validation activities

·         Defining and Implementing a Metrics Program

·         Managing an Offshore team for Audits, Reviews and Metrics collection

·         Managing the Change Control Board and managing the inputs from other feeder processes (Compliance/Infrastructure/Architecture/Data)

·         Process Audits for critical programs of the Organization

·         Creating a Profile and Risk based IT Audit Program for the Portfolio

·         Conducting Audits of the IT Organization

·         Setting up a Project Management Center of Excellence

·         Worked on the SOX Controls in the Program development and Program Change processes

·         Conducting GLBA Audits on Applications and reviewing vendor assessments

 

January 2002 – December 2003                                                                                    

Tata Consultancy Services

Job Role: System Analyst, Hospital Management System

The Hospital Management System was a product providing functionality for Inpatient, Outpatient, Pharmacy, Surgery and other Hospital departments.

Responsibilities:                           

·         Analyzing the requirements from business for a Hospital Management System

·         Package implementation.

·         Impact analysis to extract business logic.

·         Implementing TCS proprietary tool and guiding process automation

·         Defect logging for Software artifacts

·         Change management and configuration control.

·         Validating coding standards, testing and analyzing system areas

·         Change Management and Testing of releases

·         Generating Metrics report, scheduling the project activities and managing billing information

·         Code customization specifications.

·         Perform program construction / modification due to problem fixes and other enhancements

 

July 2001 - December 2001                                                                                    

Tata Consultancy Services

Job Role: Programmer, MIS system

The Management Information System was to collect the data for the State government department from different cities and report on it.

Responsibilities:                           

·         Requirement Analysis for a Management Information System

·         System Study, Extraction of Business requirements and translation to functional requirements

·         Creating the LLD

·         Change Management and User Training for the Project.

·         Coding for Screens, Documentation of SRS, SDD and UTS

·         Preparation of User Manual.

·         Coding for screens and reports using Java, J2EE, JavaScript, PL/SQL deployed on iPlanet application server.

 

 

 

 

 


 



Experience


 

Job Title:  Security Architect

Company:  Federal

Experience:  - Present

 

Additional Info


 

Current Career Level:

Experienced (Non-Manager)

Years of relevant work experience:

5+ to 7 Years

Work Status:

US - I am authorized to work in this country for any employer.

Active Security Clearance:

None

US Military Service:

Citizenship:

None

 

 

Target Job:

Target Job Title:

Sr. Security Architect

Desired Job Type:

Employee
Temporary/Contract/Project

Desired Status:

Full-Time

 

Target Company:

Company Size:

 

Target Locations:

Selected Locations:

US-NC-Raleigh/Durham-RTP

Relocate:

Yes

Willingness to travel:

Up to 75% travel