Shahriar Chowdhury, CISSP, CISA, CISM, CRISC, CEH, CCISO
Local to New York City area | Cell: 347-321-4385 | shahriarc@me.com
OBJECTIVE
Senior Information Risk and Compliance professional with a proven record of executing challenging and complex IT Risk Management initiatives. With 14+ years of experience in Information Security, I have adapted my strategies for compliance with banking and financial industry regulations. Experience in both hands-on and leadership positions in IT Risk and Security consulting, Information Security Architecture, Mobile/Cloud application security, Security Investigations, Intellectual Property protection and Financial Fraud prevention. I have 12+ years of Data Security/Privacy and Risk Management experience with a focus on compliance such as SEC, SOX, FFIEC/Dodd-Frank, COBIT, FINRA, PCI and privacy laws.
EXPERIENCE
VICE PRESIDENT, IT Risk & Security Consulting, IALOGIX CORPORATION
Jan 2006 - Present
As Lead of the Information Security consulting practice, I lead a team of 12 security engineers.
Major Clients included: Morgan Stanley, Citigroup, BNP Paribas, Dexia, Federal Reserve Bank of NY
Role: Information Security Risk and Compliance Officer for major financial clients
June 2013 - Present
● Provide strategic guidance to CISOs/CIOs of Financial Institutions and Government agencies to achieve regulatory compliance with SEC/SOX and privacy laws, and assess the need for and level of compliance with FINRA/FFIEC. Recommend solutions and best practices for Information Security Governance and practical approaches to frameworks such as ISO, NIST, COBIT/COSO.
● Execute risk management initiatives by defining requirements and deliverables and managing resources with diverse skill sets and experience, encouraging innovation and teamwork. Recent projects included Dodd-Frank, FATCA, FINRA trading surveillance and monitoring requirements. Investigate whistleblower complaints and audit market-risk activities.
● Established a comprehensive Information Security and Compliance awareness program to meet FFIEC/FINRA requirements by identifying stakeholders and developing customized, targeted content. Develop and update security policies in both technical and compliance areas.
● Perform Infosec and Controls review for new project requests from various teams. Manage projects and make purchasing decisions relevant to Infosec and audit areas, including Enterprise Single Sign-On, Encryption and Data Loss Prevention (DLP). Lead the Vendor Security Risk Management process and the Security Incident Response Team (SIRT).
● Manage the Risk Assessment Process and perform security control gap analysis using ISO 27000 standards. This process includes regular meetings with business owners for data and application classification, understanding business risk, and translating IT risk to business risk for both internal and external customers and third-party providers.
● Tools Used:
Finance/Compliance: FiServ, Actimize, Charles River.
MS-SQL, Oracle, DB2, Tableau, GlobalRelay, Recommind, HP ArcSight, Archer GRC, Splunk, QRadar, DBProtect, Guardium, Oracle and Tivoli Identity/Access Manager, Varonis Data Advantage, ChangeAuditor, IBM AppScan, HP WebInspect/Fortify, Websense/McAfee/Symantec DLP (Vontu)
Role: Lead, Information Security Audit, BNP Paribas, NY
Sep 2012 - June 2013
As a Subject-Matter Expert (SME) for the Internal IT Audit team, responsible for identifying IT and procedural risks, and measuring and reporting on the effectiveness of existing controls.
● Lead and perform audits of Information Technology functions and services, including schedule development, project planning, documenting existing controls and evaluating gap analysis. Present audit findings to IT and business audiences and develop reports following the internal audit framework.
● Develop, communicate and explain risk mitigation techniques and methods to business users in order to resolve existing audit findings.
● Serve as an internal advisor for Information Security and emerging technology issues. Provide technical guidance to teams on complex concepts in Information Security controls, networking technology/infrastructure and secure application design.
● Review technical and non-technical documentation, including security policies, standards and procedures, to ensure compliance, and request and evaluate evidence items to support audit findings.
Role: IT Security Officer, Lead Consultant
Clients: Moody’s, Dexia, Federal Reserve, City of New York
Aug 2009 - Aug 2012
● Act as primary point of contact for application development projects, and for software and system change reviews at various stages of the SDLC. Standardize application and systems controls using COBIT/COSO frameworks; write documentation and procedures.
● Extensive application security review experience, including web application, Web 2.0/mobile and cloud. Integrated security review into the standard SDLC process, including architecture and code reviews.
● Manage coordination of security event handling to comply with various privacy laws and internal compliance objectives. Implemented a comprehensive security incident management procedure and managed daily operations of the IDS/SIEM, firewall and proxy teams, including escalation management.
● Tools Used:
HP ArcSight, Archer GRC, Splunk, QRadar, DBProtect, Guardium, Oracle and Tivoli Identity/Access Manager, Varonis Data Advantage, Quest ChangeAuditor, IBM AppScan, HP WebInspect/Fortify, Websense/McAfee/Symantec DLP (Vontu)
● City of New York
Aug 2007 - Aug 2009
Security Engineer/Architect for NYC DoITT
● Designed security for NYCServ, an $8B Online Transaction System; Security Project Lead of the NYC-wide Mobile Wireless (3G) Network implementation for emergency service use.
● Standardized processes related to IDS Event Detection and escalations; coordinated investigation and correlation of security events reported to the security operations center using enterprise monitoring tools.
● Morgan Stanley
Jan 2006 - Aug 2007
Security Engineer, Global Security Operations
● Managed technical escalations of the Security Operations team and maintained the managed service provider relationship, including operational, service-level and performance metrics to identify and mitigate any issues affecting services or SLAs. Played a critical role in perimeter security integration of Retail and Institutional environments.
● As a member of Global IT Security Operations, responsible for approving security access changes, perimeter access control maintenance, and DNS/Email/Proxy Security.
● Supported centralized security incident response functions, including follow-up, evaluation and analysis of security events related to internal and external threats. Utilized customized tools to parse web proxy logs, vulnerability databases and malware detection tools, and source code analysis/reverse engineering, to provide security monitoring and analysis of Internet activities. Implemented optimizations and improvements in Security Investigation processes that reduced average response time by 60%.
● Infosec Professionals, LLC
Aug 1999 - Dec 2005
Systems Security Consultant
● Served as Security Expert for incident response to malicious/phishing websites and identity theft investigations related to the online banking portal.
● Audited risks and security controls of financial products and Online Banking. Lead investigator for online credit card fraud and online banking security.
● Investigated security events and produced reports for senior management for corporate security. Arranged meetings, and provided support and training to software developers on IT security issues during the SDLC lifecycle. Performed categorization of assets based on risk exposure, and documented vulnerability and incident management processes based on defined risk levels.
● Provided email and phone based customer service, maintained day-to-day operations of the e-commerce platforms and was in charge of financial and technical security aspects, including PCI compliance and credit card security.
TECHNICAL SKILLS
Operating Systems: Windows XP/Vista/7/2003/2008/2012 server family, Linux, Solaris
Technologies: TCP/IP, IPSec, VPN, SSH, PGP, PKI, Encryption
Perimeter: Cisco PIX, AAA, IDS, Radius, ACE, Juniper NetScreen, SSL VPN, Palo Alto, Checkpoint, F5, Websense, Blue Coat, IronPort, M86
Security Management: Oracle/Tivoli Access/Identity Manager, Varonis DataPrivilege, Quest ChangeAuditor, Archer, ArcSight ESM, QRadar, RSA enVision, SecurID, Splunk, LogLogic, TippingPoint IDS, Juniper IDP, Tufin, Imperva, Guardium, DBProtect, IBM AppScan, HP Fortify, SiteMinder, Symantec DLP, FireEye, Sourcefire, ForeScout NAC, Zscaler
Networking Technologies: TCP/IP, Ethernet, WAN, Wireless, VLAN, VPN/IPSec, OpenView
Programming: HTML/Java, C, C++, UNIX Scripting, Perl, Windows Scripting
Cloud/Virtualization: Amazon EC2, Azure, Salesforce CRM, VMware ESX, EMC
Others: Computer Forensics, Cyber Law, ISO 27000, Microsoft Office Suite, Access, Project, Visio, SQL, WebSphere, OWASP Top 10, SANS Top 20 Controls, ServiceNow, Salesforce.com, Remedy, PeopleSoft, .NET, J2EE, XML, SAML, LDAP, Active Directory, Mobile Device Management, BB/iOS.
CERTIFICATIONS
● CISSP - Certified Information Systems Security Professional
● ISACA - Certified Information Security Auditor/Manager - CISA/CISM, CRISC
● EC-Council Certified CISO. Certified Ethical Hacker. IAPP: CIPP/IT
● Stanford University - Software Security Certificate
EDUCATION
New York University - Polytechnic Institute, Computer Engineering (100+ UG, 30 Graduate credits)
Computer Science degree - Thomas Edison State College, New Jersey.
In Progress: University of Massachusetts - MBA (Finance), CPA (REG, BEC) and CFA Level-1 Training.