· Advisory support of the 1st line on the SWIFT CSP Attestation 2022 - External Assessment.
· Analysis of the Assessment Report, control testing results and evidence of the SWIFT CSP Attestation 2022
· Review of final SWIFT CSP Assessment Report
· Advisory support of Internal Audit on the SWIFT CSP Attestation 2022 - Internal Assessment.
· Analysis of the Assessment Report, control testing results and evidence of the SWIFT CSP Attestation 2022
· Testing of Evidences (inquiry, inspection, examination, re-performance)
· Final CSCF Assessment Report
· 1. Restrict Internet Access and Protect Critical Systems from General IT Environment
· 2. Reduce Attack Surface and Vulnerabilities
· 3. Physically Secure the Environment
· 4. Prevent Compromise of Credentials
· 5. Manage Identities and Separate Privileges
· 6. Detect Anomalous Activity to Systems or Transaction Records
· 7. Plan for Incident Response and Information Sharing
· CIS Controls implementation: control assurance of the 140 Definitions of Done
· Advisory support for the CISO and 1st line Stakeholders
· Walkthrough with 1st and 2nd Line of Defense
· Review of the 75 DoDs already created
· Adaptation/standardization of the existing DoDs
· Monitoring of the ISO27001 Certification non-compliances, Gap Assessments for the ISO27001 Surveillance Audit
· Cyber risk assessment of Cloud Services (SaaS, PaaS): Germany, Switzerland, Luxembourg, France, England, Spain, USA, Israel, Singapore, and Greece.
· Improve internal processes in Penetration test planning and control
· Improve internal processes in Secure code development (OWASP) and tests (SAST, DAST)
· Support of Internal Audit on the SWIFT CSP Attestation 2021 - Independent Assessment.
· Analysis of the Assessment Report, control testing results and evidence of the SWIFT CSP Attestation 2021
· Final SWIFT CSCF Assessment Report
· 1. Restrict Internet Access and Protect Critical Systems from General IT Environment
· 2. Reduce Attack Surface and Vulnerabilities
· 3. Physically Secure the Environment
· 4. Prevent Compromise of Credentials
· 5. Manage Identities and Separate Privileges
· 6. Detect Anomalous Activity to Systems or Transaction Records
· 7. Plan for Incident Response and Information Sharing
· SWIFT CSP Attestation 2021 - CSCF controls pre-assessment.
· Analysis of the Assessment Report, control testing results and evidence of the SWIFT CSP Attestation 2021
· Definition of the Testing Methodology (inquiry, inspection, examination, re-performance) and Sampling approach (statistical and non-statistical)
· SWIFT CSP Attestation 2020
· Review of the AS-IS process flow for each security service and related SWIFT CSCF Controls with an identification of inefficiencies, deficiencies, and integration issues. Validation of findings with 1st, 2nd and 3rd lines of defense
· SWIFT CSCF Controls in scope: Internal Data Flow Security, Operator Session Confidentiality and Integrity, Vulnerability Scanning, Application Hardening, Database Integrity, and Logging and Monitoring
Establish the Risk Assessment as an ongoing, recurring process: implementation of risk assessments for 25 countries (Europe and Asia)
· Analysis of past risk assessments (processes and results), and further development of the already started process for a detailed risk assessment (Scenario-based, Asset-based, Control-based and GAP Assessments)
· Execution ISO27001 Gap Assessments for the ISO27001 ISMS Certification
· Execution Risk Assessments: ICS (Industrial Control Systems), Cloud Computing (Google, Azure, AWS, Salesforce), SAP (SAP ECC, SAP HR, SAP BPM, SAP Netweaver), Incident Management (ServiceNow).
· Identity and Access Management (Germany & Spain): Risk Assessment of overall architecture applications in terms of available roles, profiles, and permissions in collaboration with IT and business owners. Reviewing Roles, Permissions, and Segregation of Duties within SW Applications. Development of proposals for the treatment of security risks and creation of guidelines and regulations for information security
· Data analysis and solution design (on-/offboarding, mover, leave, privileged access)
· Review of business concepts and access control of mission-critical applications
· Track status and communicate with stakeholders (departments and IT architecture)
· Tools: Sailpoint, Splunk, CyberArk
· Identity and Access Management: integration of processes and data sources relating to personal information as well as the distribution of digital identity data to downstream systems.
· Driving the business processes analysis for the integration of the on- and off-boarding of technical, internal and external users.
· Ensuring fulfilment of risk control, audit, and compliance requirements (BAFIN, MAS, SOX, EU-GDPR)
· Risk Assessment of overall architecture applications in terms of available roles, profiles, and permissions in collaboration with IT and business owners. Reviewing Roles, Permissions, and Segregation of Duties.
· Critical Infrastructure Protection Program (Cologne, Brussels, and Paris)
· Supplier management - review of ISMS and technical security controls (Asset Management, Access Control, Cryptography, Security operations, and Network Communication)
· Development of proposals for the treatment of security risks
· Creation of guidelines and regulations for information security
· Conducting risk analysis and assessment of the efficiency and effectiveness of security controls
· Support for 3rd Party and internal audits.
· Risk and Controlling - 2nd Line of Defense: ensuring the objectives of the Bank's business and risk strategy meet regulatory requirements. Design and review of the ISMS Policy with stakeholders
· Supplier management - conducting security risk assessments and preparation of supplier audits (1st and 2nd Party Audits): Asset Management, Identity & Access Management, Operations Security, Network Communication, Physical Security, Business Continuity and Disaster Recovery
· Draft and review of a DLP (Data leakage prevention & data loss protection) concept for the implementation of regulatory requirements (EU-GDPR Article 32 "Security of processing").
· COO Chief Security Office - Global IS Identity & Access (Germany, UK, Portugal, Spain, India)
· Segregation of Duties (SoD) - Information Security access controls in accordance with ISO27001/27002 standards and compliance requirements (BAFIN, MAS, SOX, EU-GDPR).
· Management of the global SoD (Segregation of Duties) implementation and monitoring process of users and assets. Governance of violation of access rights and related documentation
· Check access control issues in selected SW applications. Support for the integration of security policies into the overall architecture, from the applications (Attribute-Based Access Control) to the RACF mainframe (Role-Based Access Control)
· Identification of Toxic Combinations and SoD Violations within the application and technical implementation and maintenance of SoD rules, including the coordination of testing and sign-off activities
· Reporting - Monthly delivery of relevant reports, scorecards, and presentations to the management
· Regulatory Risk & Control Office - IT Security, Audit, Risk & Compliance - 3LoD Program (Frankfurt, London, Birmingham, Barcelona, Lisbon, New York, Singapore and Pune)
· Performing risk-based assessments at the global level of the 3LoD (3 lines of defense) approach within the bank for all critical and highly important RBPs (relevant business points).
· Risk Assessment assignments in the IHC Stride/FDW/Datahub Program (New York, Germany, UK), DB Germany, DB Spain and DB Portugal as part of the divisional control office function following the 3 lines of defense framework to meet audit and regulatory requirements of several external regulators (e.g. FED, MAS, BaFin), with key focus on information security inherent risks and gap analysis of IT service areas (application development and production), rating the control design and operating effectiveness.
Assignments:
Further projects available on request
Certifications
· (2022) SWIFT CSP Framework v2022, Transcript 0001110329
· (2021) SWIFT CSP Framework v2021, Transcript 0000929177
· (2020) ISO27032 Senior Lead Cybersecurity Manager (PECB) - License CSSLM1005842-2020-01 - Canada
· (2018) Lead SCADA Security Manager (PECB) - United Kingdom
· (2017) NATO Advanced Cybersecurity Training - North Macedonia
· (2015) ISO27001 Lead Auditor (PECB) - License no. PECB-ISMSLA-101001 - Canada
· (2008) ISO20000 Service Management Auditor - itSMF - United Kingdom
· (2007) Certified in Risk and Information Systems Control (CRISC) - License no. 1107610 - ISACA, USA
· (2005) Certified Information Systems Auditor (CISA) - License no. 0540072 ISACA, USA
· (2001) Quality Management Assessor - European Foundation for Quality Management - Belgium
· (2000) Certified Business Engineer - Chamber of Commerce and Industry Saarland, Germany
· (1993) Certified Business Information Systems Specialist - Deutsche Private Akademie GmbH, Germany
Education
· (2010) - Fernuniversität Hagen, Germany - Academic Studies - Mathematics
· (2005) - University of Hertfordshire, London, UK - Postgraduate Diploma in Music Composition
· (1999) - St. George University International - Bachelor of Science in Computer Sciences and Information Technology - Grenada, West Indies
· (1996) - Royal Conservatorium - Sonologie Institute, The Hague, Netherlands - Postgraduate Certification in Sonology Science - Music Technology
Professional Memberships
· IEEE - Institute of Electrical and Electronics Engineers Inc.
· ISACA - Information Systems Audit and Control Association
· ISC² - International Information Systems Security Certification Consortium
· PECB - Professional Evaluation and Certification Board
Professional Skills
· Information Security industry standards / best practice frameworks in large organisations: SWIFT CSCF, ISO 27000 series, ISO31000, ISO/IEC 62443, NIST-CSF, NIST SP 800-53, COBIT, CSA-CCM, CIS Controls, OWASP, SABSA, TOGAF, MITRE ATT&CK
· Compliance testing of international standards, local or EU regulations, and 3rd party frameworks (SREP, ISAE 3402, FISR, EU-GDPR, SWIFT CSP, Bafin, MAS, Bank of England, National Bank of Belgium)
· IT Risk assessments, internal/external audits, and monitoring of the residual risk remediation activities.
· Security Assurance & Testing, risk assessment and mitigation of relevant risks ensuring security controls adherence of the information assets.
· Rely on existing processes, policies, procedures, and methods to take decisions.
· Reporting ethics - reports sensitive matters in confidence and is able to write formal information such as control procedures or security requirements in simple terms and short sentences
· Autonomously work on standard activities or non-complex demands. Organises, co-ordinates and plans activities independently.
· Experience in stakeholder management with projects experience within multicultural teams across all levels of an organisation. Result-oriented and imaginative to solve complex problems. Strong oral and written skills to translate complex risk requirements and issues.
Further memberships available on request
Professional associations available on request