From:                              route@monster.com

Sent:                               Friday, May 06, 2016 2:52 PM

To:                                   hg@apeironinc.com

Subject:                          Please review this candidate for: Cloud

 

This resume has been forwarded to you at the request of Monster User xapeix03

Shahriar Chowdhury 

Last updated:  06/26/14

Job Title:  not specified

Company:  not specified

Rating:  Not Rated

Screening score:  not specified

Status:  Resume Received


New York City, NY  10017
US

Home: 347 321-4385   
osdepot@gmail.com
Contact Preference:  Email


 

 

RESUME

  

Resume Headline: Shahriar CISSP

Resume Value: nru9f5nu9xfzqexe   

  

 

Shahriar Chowdhury, CISSP, CISA, CISM, CRISC, CEH, CCISO, MS-ISA
Local to New York City area | Cell: 347-321-4385 | shahriarc@me.com
OBJECTIVE
Senior Information Security professional with proven record in security engineering for constantly
evolving threat landscape in Cyber Security defense. With 14+ years of experience in Information
Security, I have adapted my strategies for many industries, including Financials, IT/e-commerce and
other global companies. Both hands-on and leadership positions in IT Risk and Security consulting,
Information Security Architecture, Mobile/Cloud application security, Security Investigations,
Intellectual Property protection and Financial Fraud prevention. I have 12+ years of Data
Security/Privacy, and Risk Management experience with a focus on compliance such as SEC, Dodd-Frank,
SOX, FFIEC, PCI and privacy laws.
EXPERIENCE
VICE PRESIDENT, IT RISK & SECURITY CONSULTING, IALOGIX CORPORATION
Role: Information Security Officer for major financial clients
JAN 2006 - PRESENT
As Lead of Information Security consulting practice, I lead a team of 12 security engineers. Major Clients
included: Morgan Stanley, Citigroup, BNP Paribas, Dexia, Federal Reserve Bank of NY
June 2013 - Present
● Provide strategic guidance to CISO/CIOs of Financial Institutions and Government agencies to
achieve regulatory compliance to SEC/SOX and privacy laws, and assess need and level of
compliance PCI, HIPAA. Recommend solutions and best practices for Information Security
Governance and practical approaches to frameworks such as ISO, NIST, SABSA, TOGAF.
● Perform Infosec and Controls review for new project requests from various teams. Manage
projects and make purchasing decisions relevant to Infosec and audit areas, including Enterprise
Single-Sign-On, Encryption and Data Loss Prevention (DLP). Lead the Vendor Security Risk
Management process, and Security Incident Response Team (SIRT).
● Manage Risk Assessment Process, perform security control gap analysis using ISO 27000
standards. This process includes having regular meetings with business owners for data and
application classification, understanding business risk, and translating IT risk to business risks for
both internal and external customers and third-party providers.
● Established a comprehensive Information Security Awareness program to meet FFIEC
requirements by identifying stakeholders and developing customized, targeted content. Develop
and update security policies in both technical and non-technical areas.
● Tools Used : HP ArcSight, Archer GRC, Splunk, QRadar, DBProtect, Guardium, Oracle and Tivoli
Identity/Access Manager, Varonis Data Advantage, Quest ChangeAuditor, IBM AppScan, HP Web
Inspect/ Fortify, Websense/McAfee/Symantec DLP(Vontu)
Role: Lead, Information Security Audit BNP Paribas, NY
Sep 2012 - June 2013
As a Subject-matter expert (SME) for Internal IT Audit team, responsible for identifying IT and
procedural risks, measure and report on effectiveness of existing controls.
● Lead and perform audit of Information Technology functions and services including schedule
development, project planning, documenting existing controls and evaluation of gap analysis.
Present audit findings to IT and business audience and develop reports following internal audit
framework.
● Develop, communicate and explain risk mitigation techniques and methods to business users, in
order to resolve existing audit findings.
● Serve as an internal advisor for Information Security and emerging technology issues. Provide
technical guidance to teams on complex concepts in Information Security controls, networking
technology/infrastructure and secure application design.
● Review technical and non-technical documentations, including security policy, standards and
procedure to ensure compliance, and request and evaluate evidence items to support audit
findings.
Role: IT Security Officer, Lead Consultant
Clients: Moody’s, Dexia, Federal Reserve, City of New York Aug 2009 - Aug 2012
● Act as primary point of contact for application development projects, and software and system
change reviews on various stages of SDLC. Standardize application and systems controls using
COBIT/COSO frameworks, write documentation and procedures.
● Extensive application security review experience, including web application, web 2.0/mobile and
cloud. Integrated security review into standard SDLC process, including architecture and code
reviews.
● Manage coordination of security event handling to comply with various privacy laws and
internal compliance objectives. Implemented a comprehensive security incident management
procedure and managed daily operations of the IDS/SIEM, firewall, proxy teams, including
escalation management.
● Tools Used : HP ArcSight, Archer GRC, Splunk, QRadar, DBProtect, Guardium, Oracle and Tivoli
Identity/Access Manager, Varonis Data Advantage, Quest ChangeAuditor, IBM AppScan, HP Web
Inspect/ Fortify, Websense/McAfee/Symantec DLP(Vontu)
● City of New York
Aug 2007 – Aug 2009
Security Engineer/Architect for NYC DoITT
● Designed Security for NYCServ, an $8B Online Transaction System; Security Project lead of
NYC-wide Mobile Wireless (3G) Network implementation for emergency service use.
● Standardized processes related to IDS Event Detection and escalations; coordinated
investigation and correlation of security events reported to security operation center using
enterprise monitoring tools.
● Morgan Stanley
Jan 2006 – Aug 2007
Security Engineer, Global Security Operations
● Managed technical escalations of Security Operations team, and maintain managed service
provider relationship, including operational, service-level, and performance metrics to identify
and mitigate any issues affecting services or SLA. Played critical role in perimeter security
integration of Retail and Institutional environments.
● As a member of Global IT Security Operations, responsible for approving security access changes,
perimeter access control maintenance; DNS/ Email/Proxy Security.
● Supported centralized security incident response functions including follow up, evaluation and
analysis of security events related to internal and external threats. Utilized customized tools to
parse web proxy logs, vulnerability databases and malware detection tools and source code
analysis/reverse engineering to provide security monitoring and analysis for Internet activities.
Implemented optimizations and improvements in Security Investigation processes that reduced
average response time by 60%.
● Infosec Professionals, LLC
Aug 1999– Dec 2005
Systems Security Consultant
● Served as Security Expert for incident response to malicious/ phishing websites and identity
theft investigations related to online banking portal.
● Audited risks and security controls of financial products, and Online Banking. Lead investigator
for online credit card frauds and online banking security.
● Investigated security events and produced reports for senior management for corporate
security. Arranged meetings, provided support and training to software developers in IT
security issues during SDLC lifecycle. Performed categorization of assets based on risk exposure,
and documented vulnerability and incident management process based on defined risk levels.
● Provided email and phone based customer service, maintained day to day operations of the e-commerce
platforms and was in charge of financial and technical security aspects, including PCI
compliance and credit card security.
● Provided consulting services for business web/application hosting solutions for multiple clients
in greater New York City area.
TECHNICAL SKILLS
Operating Systems: Windows XP/Vista/7/2003/2008/2012 server family, Linux, Solaris
Technologies: TCP/IP, IPSec, VPN, SSH, PGP, PKI, Encryption
Perimeter: Cisco PIX, AAA, IDS, Radius, ACE, Juniper NetScreen, SSL VPN,
Palo Alto, Checkpoint, F5, Websense, Blue Coat, IronPort, M86
Security Management: Oracle/Tivoli Access/Identity Manager, Varonis DataPrivilege,
Quest ChangeAuditor, Archer, ArcSight ESM, QRadar, RSA envision,
SecurID, SPLUNK, loglogic, TippingPoint IDS, Juniper IDP, Tufin,
Imperva, Guardium, DBProtect, IBM Appscan, HP Fortify, Site Minder,
Symantec DLP, FireEye, Sourcefire, Forescout NAC, Zscaler
Networking Technologies: TCP/IP, Ethernet, WAN Wireless, VLAN, VPN/IPSec, OpenView
Programming: HTML/Java, C, C++; UNIX Scripting, Perl, Windows Scripting
Cloud/Virtualization: Amazon EC2, Azure, Salesforce CRM, Vmware ESX, EMC
Others: Computer Forensics, Cyber Law, ISO 27000, Microsoft Office Suite, Access, Project, Visio, SQL,
WebSphere, OWASP Top 10, Sans Top 20 Controls, ServiceNow, Salesforce.com, Remedy,
PeopleSoft, .NET J2EE, XML, SAML, LDAP, Active Directory, Mobile Device Management, BB, /iOS.
CERTIFICATIONS
● CISSP - Certified Information Systems Security Professional
● ISACA - Certified Information Security Auditor/ Manager – CISA/CISM, CRISC
● EC-Council Certified CISO. Certified Ethical Hacker. In Progress: CIPP
● Stanford University - Software Security Certificate
EDUCATION
New York University - Polytechnic Institute Computer Engineering (100+ UG, 30 Graduate credits)
Computer Science degree - Thomas Edison State College, New Jersey.
Western Governors University - Master of Science - Information Security and Assurance
Master of Business Administration - Management and Strategy (Exp 2014)
Northwest California University - School of Law - Legal Studies on contracts, torts and patents.



Experience


 

Job Title

Company

Experience

Director

IALogix

- Present

 

Additional Info


 

Current Career Level:

Executive (SVP, VP, Department Head, etc)

Years of relevant work experience:

10+ to 15 Years

Date of Availability:

Immediately

Work Status:

US - I am authorized to work in this country for any employer.

Active Security Clearance:

None

US Military Service:

Citizenship:

US citizen

 

 

Target Job:

Target Job Title:

Director of IT Security

Desired Job Type:

Employee
Temporary/Contract/Project

Desired Status:

Full-Time

 

Target Company:

Company Size:

Occupation:

IT/Software Development

· Computer/Network Security

· General/Other: IT/Software Development

 

Target Locations:

Selected Locations:

US-NY-New York City

Relocate:

No

Willingness to travel:

No Travel Required