Cybersecurity |Governance Risk & Control | IT Audit & Assurance
Updated on 09.06.2024
Profile
Freelancer / Self-employed
Remote work
Available from: 09.06.2024
Availability: 100%
of which on-site: 100%
ISO27001
CIS Controls
SWIFT CSP
ISAE3402
NIST
COBIT
German
Fluent
English
Fluent
French
Good knowledge
Italian
Good knowledge
Portuguese
Fluent
Spanish
Fluent

Locations

Germany, Switzerland, Austria
possible

Projects

2 months
2023-03 - 2023-04

Audit of Secure Software Development for the Asset Management product stream encompassing several applications, APIs, databases and technical infrastructure

Security Auditor

Scope of audit
· Selection of a process model and development environment
· Secure software design and threat modelling
· Use of external libraries from trusted sources
· Provision of patches, updates and changes
· Source code version control
· Checking of external components
· Training of the development team on information security
· Appropriate control of software development
· Authentication in web applications
· Access control for web applications
· Secure session management
· Controlled integration of content in web applications
· Protection against unauthorized automated use of web applications
· Protection of confidential data
· Comprehensive input validation and output encoding
· Protection against SQL injection


Azure DevOps, Kubernetes, SharePoint, Confluence, Jira, MS Office; programming: Java, JavaScript; Windows, Linux, Oracle; NIST SP 800-218 Secure Software Development Framework (SSDF); WhiteSource, SonarQube
LPA Lucht Probst Associates GmbH
Frankfurt am Main, Germany
3 months
2022-10 - 2022-12

SWIFT CSP Assessment 2022

SWIFT CSP Advisor

· Advisory support of the 1st line on the SWIFT CSP Attestation 2022 (external assessment)

· Analysis of the assessment report, control testing results and evidence for the SWIFT CSP Attestation 2022

· Review of the final SWIFT CSP Assessment Report


SWIFT Architecture type A1 (Net Link, Alliance Gateway, Alliance Access, Alliance Web Platform); Windows OS, Linux OS, virtualization platform (Citrix EXDI); CyberArk, QRadar, Nexpose, CrowdStrike
Sumitomo Mitsui Banking Corporation
New York, USA
2 months
2022-09 - 2022-10

SWIFT CSP Assessment 2022

SWIFT CSP Assessor

· Advisory support of Internal Audit on the SWIFT CSP Attestation 2022 (internal assessment)

· Analysis of the assessment report, control testing results and evidence for the SWIFT CSP Attestation 2022

· Testing of evidence (inquiry, inspection, examination, re-performance)

· Final CSCF assessment report

1. Restrict Internet Access and Protect Critical Systems from General IT Environment
2. Reduce Attack Surface and Vulnerabilities
3. Physically Secure the Environment
4. Prevent Compromise of Credentials
5. Manage Identities and Separate Privileges
6. Detect Anomalous Activity to Systems or Transaction Records
7. Plan for Incident Response and Information Sharing



SWIFT Architecture type A1 (Net Link, Alliance Gateway, Alliance Access, Alliance Web Platform); Windows OS, Linux OS, virtualization platform (Citrix EXDI); CyberArk, QRadar, Rapid7, CrowdStrike
European Central Bank
Frankfurt am Main
3 months
2022-07 - 2022-09

SWIFT CSP Assessment 2022

SWIFT CSP Assessor

· Advisory support of Internal Audit on the SWIFT CSP Attestation 2022 (internal assessment)

· Analysis of the assessment report, control testing results and evidence for the SWIFT CSP Attestation 2022

· Testing of evidence (inquiry, inspection, examination, re-performance)

· Final CSCF assessment report

1. Restrict Internet Access and Protect Critical Systems from General IT Environment
2. Reduce Attack Surface and Vulnerabilities
3. Physically Secure the Environment
4. Prevent Compromise of Credentials
5. Manage Identities and Separate Privileges
6. Detect Anomalous Activity to Systems or Transaction Records
7. Plan for Incident Response and Information Sharing


SWIFT Architecture type A1 (Net Link, Alliance Gateway, Alliance Access, Alliance Web Platform); Windows OS, Linux OS, virtualization platform (Citrix EXDI); CyberArk, QRadar, Nexpose, CrowdStrike
Deutsche Bundesbank
Frankfurt am Main
2 months
2022-05 - 2022-06

CIS Controls - Implementation

Cybersecurity Consultant

· CIS Controls implementation: control assurance of the 140 Definitions of Done (DoDs)

· Advisory support for the CISO and 1st line stakeholders

· Walkthroughs with the 1st and 2nd Line of Defense

· Review of the 75 DoDs already created

· Adaptation and standardization of the existing DoDs


CIS Controls Version 7, ISAE3402, Azure DevOps, Zscaler, Log360, SharePoint, Confluence, Jira, MS Office, Windows, Linux
Swiss Life Investment Management Holding AG
Zürich, Switzerland
7 months
2021-10 - 2022-04

ISO27001 Consulting

Information Security Consultant

· Monitoring of ISO27001 certification non-compliances; gap assessments for the ISO27001 surveillance audit

· Cyber risk assessment of cloud services (SaaS, PaaS): Germany, Switzerland, Luxembourg, France, England, Spain, USA, Israel, Singapore, and Greece

· Improvement of internal processes for penetration test planning and control

· Improvement of internal processes for secure code development (OWASP) and testing (SAST, DAST)

 


Technology: Azure DevOps, Kubernetes, SharePoint, Confluence, Jira, MS Office; programming languages (Java, JavaScript, C/C++, etc.); security tools (Wireshark, Kali, ZAP); operating systems (Windows, Linux); code inspection/scanning (WhiteSource, SonarQube, Veracode). Standards and frameworks: ISO27001/27002, ISO27017, ISO27018, ISO22301, OWASP. Regulatory: Regulation (EU) 2016/679 (General Data Protection Regulation), MaRisk, BAIT, EBA Guidelines
LPA Lucht Probst Associates GmbH
Frankfurt am Main
3 months
2021-08 - 2021-10

SWIFT CSP Assessment 2021

SWIFT CSP Assessor

· Support of Internal Audit on the SWIFT CSP Attestation 2021 (independent assessment)

· Analysis of the assessment report, control testing results and evidence for the SWIFT CSP Attestation 2021

· Final SWIFT CSCF assessment report

1. Restrict Internet Access and Protect Critical Systems from General IT Environment
2. Reduce Attack Surface and Vulnerabilities
3. Physically Secure the Environment
4. Prevent Compromise of Credentials
5. Manage Identities and Separate Privileges
6. Detect Anomalous Activity to Systems or Transaction Records
7. Plan for Incident Response and Information Sharing

SWIFT Architecture type A1 (Net Link, Alliance Gateway, Alliance Access, Alliance Web Platform); Windows OS, Linux OS, virtualization platform (Citrix EXDI)
European Central Bank
Frankfurt am Main
1 year 4 months
2020-05 - 2021-08

SWIFT CSP Controls

Senior Control Assurance Advisor

· SWIFT CSP Attestation 2021: CSCF controls pre-assessment

· Analysis of the assessment report, control testing results and evidence for the SWIFT CSP Attestation 2021

· Definition of the testing methodology (inquiry, inspection, examination, re-performance) and sampling approach (statistical and non-statistical)

· SWIFT CSP Attestation 2020

· Review of the as-is process flow for each security service and the related SWIFT CSCF controls, with identification of inefficiencies, deficiencies, and integration issues; validation of findings with the 1st, 2nd and 3rd lines of defense

· SWIFT CSCF controls in scope: Internal Data Flow Security, Operator Session Confidentiality and Integrity, Vulnerability Scanning, Application Hardening, Database Integrity, and Logging and Monitoring


Standards & frameworks: ISO27001, ISO22301, NIST SP 800, CIS Controls, ISAE3402, CSA STAR, OWASP, ITIL, COBIT 5, Agile, Scrum. Regulatory & external: National Bank of Belgium, Bank of England, Regulation (EU) 2016/679 on General Data Protection, SWIFT CSCF. Technology: SWIFT Architecture type A1 (Net Link, Alliance Gateway, Alliance Access, Alliance Web Platform), virtualization platform (Citrix ESX), IBM Mainframe, Tandem, CHAPS, CREST, RTGS, QRadar, MIPS, CrowdStrike, CyberArk, SailPoint, ServiceNow and Office 365
Euroclear Bank SA
Brussels, Belgium
5 months
2019-08 - 2019-12

Cybersecurity Program

Cybersecurity Consultant
1. Establish the risk assessment as an ongoing, recurring process: implementation of risk assessments for 25 countries (Europe and Asia)

    · Analysis of past risk assessments (processes and results) and further development of the already started process into a detailed risk assessment (scenario-based, asset-based, control-based and gap assessments)

    · Execution of ISO27001 gap assessments for the ISO27001 ISMS certification

    · Execution of risk assessments: ICS (Industrial Control Systems), Cloud Computing (Google, Azure, AWS, Salesforce), SAP (SAP ECC, SAP HR, SAP BPM, SAP NetWeaver), Incident Management (ServiceNow)


ICS (Industrial Control Systems), Cloud Computing (Google, Azure, AWS, Salesforce), IoT, Big Data. Frameworks: ISO27001/27002, ISO27017, ISO27018, ISO22301, IEC 62443, CIS Controls (SANS 20), CSA STAR, ITIL, OWASP
Vaillant Group GmbH
Remscheid
3 months
2019-07 - 2019-09

Identity & Access Management

Lead Security Risk Analyst
· Identity and Access Management (Germany & Spain): risk assessment of the overall application architecture in terms of available roles, profiles, and permissions, in collaboration with IT and business owners; review of roles, permissions, and segregation of duties within software applications; development of proposals for the treatment of security risks and creation of guidelines and regulations for information security

· Data analysis and solution design (on-/offboarding, mover, leaver, privileged access)

· Review of business concepts and access control of mission-critical applications

· Status tracking and communication with stakeholders (departments and IT architecture)

· Tools: SailPoint, Splunk, CyberArk


ISO27001/27002, SailPoint, Splunk, CyberArk, Agile, Scrum
Santander Consumer Bank AG
Mönchengladbach, Germany
3 months
2019-05 - 2019-07

Identity & Access Management

Lead Security Risk Analyst

· Identity and Access Management: integration of processes and data sources relating to personal information, as well as distribution of digital identity data to downstream systems

· Driving the business process analysis for the integration of on- and off-boarding of technical, internal and external users

· Ensuring fulfilment of risk control, audit, and compliance requirements (BaFin, MAS, SOX, EU-GDPR)

· Risk assessment of the overall application architecture in terms of available roles, profiles, and permissions, in collaboration with IT and business owners; review of roles, permissions, and segregation of duties




ISO27001/27002, Agile, Scrum, EU-GDPR, MaRisk, BAIT, Dell One Identity, CyberArk, Anaconda, Python
Deutsche Bank AG
Frankfurt am Main
4 months
2018-09 - 2018-12

ISO27001 Implementation

Security Consultant
· Critical Infrastructure Protection Program (Cologne, Brussels, and Paris)

· Supplier management: review of ISMS and technical security controls (asset management, access control, cryptography, security operations, and network communication)

· Development of proposals for the treatment of security risks

· Creation of guidelines and regulations for information security

· Conducting risk analysis and assessment of the efficiency and effectiveness of security controls

· Support for 3rd-party and internal audits


NIST, CIS Controls (SANS 20), BSI-Series, ISO2700x, COBIT, ITIL, EU-GDPR, VAIT, MaRisk
AXA Services GmbH
Cologne, Germany
11 months
2018-02 - 2018-12

Risk and Control- 2nd Line of Defence

Security Consultant
· Risk and Control, 2nd Line of Defense: ensuring that the objectives of the Bank's business and risk strategy meet regulatory requirements; design and review of the ISMS policy with stakeholders

· Supplier management: conducting security risk assessments and preparing supplier audits (1st- and 2nd-party audits): asset management, identity & access management, operations security, network communication, physical security, business continuity and disaster recovery

· Drafting and review of a DLP (data leakage prevention & data loss protection) concept for the implementation of regulatory requirements (EU-GDPR Article 32 "Security of processing")


NIST CSF, CIS Controls (SANS 20), BSI-Series, ISO2700x, ISO22301, COBIT, ITIL, EU-GDPR, SOC1/SOC2, BAIT, MaRisk
Deutsche Apotheker- und Ärztebank
Düsseldorf
2 years 3 months
2016-06 - 2018-08

Identity & Access Management

Security Analyst
· COO Chief Security Office, Global IS Identity & Access (Germany, UK, Portugal, Spain, India)

· Segregation of Duties (SoD): information security access controls in accordance with ISO27001/27002 standards and compliance requirements (BaFin, MAS, SOX, EU-GDPR)

· Management of the global SoD implementation and of the monitoring process for users and assets; governance of access-right violations and related documentation

· Checking access control issues in selected software applications; support for the integration of security policies into the overall architecture, from the applications (attribute-based access control) to the RACF mainframe (role-based access control)

· Identification of toxic combinations and SoD violations within applications; technical implementation and maintenance of SoD rules, including coordination of testing and sign-off activities

· Reporting: monthly delivery of relevant reports, scorecards, and presentations to management
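The SoD work described above (rules over entitlements, toxic combinations, violations that come from a single role versus from a combination of roles) is the kind of check an IGA tool runs on every access review. The following is an added example, not code from this profile or from any client's tooling: a small rule engine that expands a user's roles into effective entitlements, flags every user holding both sides of a conflicting pair, names the roles that grant each side (which is what a remediation needs), and separately reports roles or role pairs that are toxic by design. The role model, rules and user assignments are constructed sample data; a real engine would take them from the IAM system's export.

```python
"""Segregation-of-duties (SoD) check over a role-based access model.

Added example, not part of the profile or of any client's tooling.
Roles, entitlements, SoD rules and user assignments below are constructed
for illustration; in practice they come from the IAM/IGA export.
"""
from itertools import combinations

# Role -> entitlements the RBAC layer grants. Constructed sample data.
ROLE_ENTITLEMENTS = {
    "payments_clerk": {"PAY_CREATE"},
    "payments_approver": {"PAY_APPROVE"},
    "treasury_lead": {"PAY_CREATE", "PAY_APPROVE", "PAY_RELEASE"},
    "vendor_admin": {"VENDOR_CREATE", "VENDOR_BANKDATA_EDIT"},
    "auditor": {"REPORT_READ"},
}

# SoD rules: (rule id, entitlement A, entitlement B, severity). One identity
# must never hold A and B together. Constructed sample rules.
SOD_RULES = [
    ("SOD-001", "PAY_CREATE", "PAY_APPROVE", "high"),
    ("SOD-002", "PAY_APPROVE", "PAY_RELEASE", "high"),
    ("SOD-003", "VENDOR_CREATE", "PAY_CREATE", "medium"),
    ("SOD-004", "VENDOR_BANKDATA_EDIT", "PAY_RELEASE", "high"),
]


def effective_entitlements(roles, role_entitlements=ROLE_ENTITLEMENTS):
    """Flatten a user's roles into the set of entitlements they grant.
    An unmapped role is raised, not skipped: a role with no known
    entitlements is itself a finding for the access-model review."""
    unknown = [r for r in roles if r not in role_entitlements]
    if unknown:
        raise KeyError(f"roles with no entitlement mapping: {unknown}")
    return set().union(*(role_entitlements[r] for r in roles))


def sod_violations(user_roles, rules=SOD_RULES, role_entitlements=ROLE_ENTITLEMENTS):
    """Return (user, rule_id, severity, (ent_a, ent_b), granting_roles) for
    every user whose effective entitlements contain both sides of a rule.
    granting_roles maps each side to the roles that contribute it, so the
    reviewer can see whether a role split or a compensating control fits."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        ents = effective_entitlements(roles, role_entitlements)
        for rule_id, a, b, severity in rules:
            if a in ents and b in ents:
                granting = {
                    e: sorted(r for r in roles if e in role_entitlements[r])
                    for e in (a, b)
                }
                findings.append((user, rule_id, severity, (a, b), granting))
    return findings


def toxic_roles(rules=SOD_RULES, role_entitlements=ROLE_ENTITLEMENTS):
    """Report design-level conflicts independent of any user:
    - single: roles that violate a rule on their own (the role must be split)
    - pairs: role pairs that violate a rule together and are not already
      covered by a single-role finding (the pair must not be co-assigned)."""
    single = []
    for role, ents in role_entitlements.items():
        for rule_id, a, b, _ in rules:
            if a in ents and b in ents:
                single.append((role, rule_id))
    pairs = []
    for r1, r2 in combinations(sorted(role_entitlements), 2):
        ents = role_entitlements[r1] | role_entitlements[r2]
        for rule_id, a, b, _ in rules:
            covered = (r1, rule_id) in single or (r2, rule_id) in single
            if a in ents and b in ents and not covered:
                pairs.append(((r1, r2), rule_id))
    return single, pairs


# Constructed sample user-to-role assignments, as an access-review export would list them.
USER_ROLES = {
    "alice": ["payments_clerk"],
    "bob": ["payments_clerk", "payments_approver"],  # SOD-001 via two roles
    "carol": ["treasury_lead"],                       # SOD-001 and SOD-002 via one role
    "dave": ["vendor_admin", "auditor"],
}

if __name__ == "__main__":
    for user, rule_id, sev, (a, b), granting in sod_violations(USER_ROLES):
        print(f"{user}: {rule_id} [{sev}] {a} + {b} granted by {granting}")
    single, pairs = toxic_roles()
    print("roles violating a rule on their own:", single)
    print("role pairs that violate a rule together:", pairs)
```

On the constructed data, bob's violation is an assignment problem (two individually clean roles co-assigned), while carol's comes from treasury_lead itself, which toxic_roles reports as a single-role finding; the two cases need different remediation, which is why the engine keeps them apart.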

Omada, SharePoint, regulatory apps (Finance Reporting, SAP, Payments and Securities), midrange and mainframe apps, COBIT, ITIL
Deutsche Bank AG
Frankfurt am Main
9 months
2015-10 - 2016-06

Risk Assessment - 3 Lines of Defence

Lead Control Risk Assessor
· Regulatory Risk & Control Office, IT Security, Audit, Risk & Compliance, 3LoD Program (Frankfurt, London, Birmingham, Barcelona, Lisbon, New York, Singapore and Pune)

· Performing risk-based assessments at the global level of the 3LoD (three lines of defense) approach within the bank for all critical and highly important RBPs (relevant business points)

· Risk assessment assignments in the IHC Stride/FDW/Datahub Program (New York, Germany, UK), DB Germany, DB Spain and DB Portugal as part of the divisional control office function, following the three-lines-of-defense framework to meet the audit and regulatory requirements of several external regulators (e.g. FED, MAS, BaFin), with a key focus on information security inherent risks and gap analysis of IT service areas (application development and production), rating control design and operating effectiveness

COBIT, ITIL, ISO27001/27002, BaFin MaRisk, MAS, SOX
Deutsche Bank AG
Frankfurt am Main
6 months
2015-01 - 2015-06

Implementation of B2B E-commerce Platform

Security Analyst
  • Implementation of a B2B internet platform
  • Architecture strategy, risk & security management
  • Definition of the e-commerce services (web front end, e-commerce solution, finance/customer services and back-end applications) and cloud computing security & architecture (AWS, Azure and SAP)
  • Definition of the e-commerce requirements and preparation of a business plan
  • Review of the compliance requirements for electronic payments (PCI DSS)
AGROHIGHWAY - SOUTH LATAM TRADING COMPANY LTD
London, United Kingdom
17 years 2 months
1998-05 - 2015-06

Quality Assurance & Control / IT Risk Management

Consultant
  • Scope: Germany, United Kingdom, United States, Belgium, Netherlands, Sweden, Switzerland, Spain, Portugal, France, Italy, India, and Singapore

Key achievements:
  • CMMI SCAMPI Assessments (Levels A, B, C) in achieving CMMI Level 3
  • CMMI Standards (CMMI-DEV, CMMI-ACQ, CMMI-SVC) implementation
  • Software process assessment and design (BOOTSTRAP, DSDM, V-Model 97)
  • Quality assurance and control (unit, system, integration, and user acceptance testing)

Assignments:

  • 04/2008 to 06/2015: Generali Informatik Services GmbH, Aachen/Cologne/Hamburg, Germany
  • 10/2008 to 12/2009: Deutsche Bundesbank, Frankfurt am Main, Germany
  • 10/2007 to 01/2008: German Federal Forces, Bonn, Germany
  • 03/2007 to 09/2007: Credit Suisse AG, Zurich, Switzerland
  • 01/2007 to 03/2007: Sogeti Deutschland GmbH, Frankfurt, Germany
  • 10/2006 to 11/2006: Deutsche Börse Gruppe AG, Frankfurt am Main, Germany
  • 02/2006 to 05/2006: SEB Bank AG, Frankfurt am Main, Germany
  • 10/2004 to 01/2006: Deutsche Post IT Solutions GmbH, Darmstadt, Germany
  • 07/2002 to 09/2004: Deutsche Bank AG, Frankfurt am Main, Germany
  • 04/2002 to 10/2002: Interquality Services AG, Augsburg, Germany
  • 02/2001 to 05/2002: Dresdner Bank AG, Frankfurt am Main, Germany
  • 04/2000 to 03/2001: Commerzbank AG, Frankfurt am Main, Germany
  • 06/1999 to 03/2000: Numerical Magic GmbH, Frankfurt am Main, Germany
  • 05/1998 to 07/1999: BASF Group - Targor GmbH, Mainz am Rhein, Germany

See project details
Europe, USA, Asia

Education and Training

Certifications

· (2022) SWIFT CSP Framework v2022, Transcript 0001110329

· (2021) SWIFT CSP Framework v2021, Transcript 0000929177

· (2020) ISO27032 Senior Lead Cybersecurity Manager (PECB), License CSSLM1005842-2020-01, Canada

· (2018) Lead SCADA Security Manager (PECB), United Kingdom

· (2017) NATO Advanced Cybersecurity Training, North Macedonia

· (2015) ISO27001 Lead Auditor (PECB), License no. PECB-ISMSLA-101001, Canada

· (2008) ISO20000 Service Management Auditor, itSMF, United Kingdom

· (2007) Certified in Risk and Information Systems Control (CRISC), License no. 1107610, ISACA, USA

· (2005) Certified Information Systems Auditor (CISA), License no. 0540072, ISACA, USA

· (2001) Quality Management Assessor, European Foundation for Quality Management, Belgium

· (2000) Certified Business Engineer, Chamber of Commerce and Industry Saarland, Germany

· (1993) Certified Business Information Systems Specialist, Deutsche Private Akademie GmbH, Germany

Education

· (2010) Fernuniversität Hagen, Germany: academic studies, Mathematics

· (2005) University of Hertfordshire, London, UK: Postgraduate Diploma in Music Composition

· (1999) St. George University International, Grenada, West Indies: Bachelor of Science in Computer Science and Information Technology

· (1996) Royal Conservatoire, Institute of Sonology, The Hague, Netherlands: Postgraduate Certificate in Sonology (Music Technology)

Professional Memberships

· IEEE, Institute of Electrical and Electronics Engineers

· ISACA, Information Systems Audit and Control Association

· ISC², International Information Systems Security Certification Consortium

· PECB, Professional Evaluation and Certification Board


Skills

Top skills

ISO27001, CIS Controls, SWIFT CSP, ISAE3402, NIST, COBIT

Focus areas

Auditor
Expert
Project leader
Expert

Products / Standards / Experience / Methods

BSI-Series
Advanced
CIS Controls
Expert
COBIT
Expert
EU-GDPR
Advanced
ISA/IEC 62443
Basics
ISO22301
Advanced
ISO27001
Expert
ITIL
Expert
NIST
Expert
NIST CSF
Expert
SCADA
Basics
SOC2
Advanced
SWIFT CSP
Expert

Professional Skills

· Information security industry standards and best-practice frameworks in large organisations: SWIFT CSCF, ISO 27000 series, ISO31000, ISO/IEC 62443, NIST CSF, NIST SP 800-53, COBIT, CSA CCM, CIS Controls, OWASP, SABSA, TOGAF, MITRE ATT&CK

· Compliance testing against international standards, local or EU regulations, and 3rd-party frameworks (SREP, ISAE 3402, FISR, EU-GDPR, SWIFT CSP, BaFin, MAS, Bank of England, National Bank of Belgium)

· IT risk assessments, internal/external audits, and monitoring of residual-risk remediation activities

· Security assurance & testing, risk assessment and mitigation of relevant risks, ensuring security control adherence of the information assets

· Relies on existing processes, policies, procedures, and methods to take decisions

· Reporting ethics: reports sensitive matters in confidence and is able to write formal information such as control procedures or security requirements in simple terms and short sentences

· Works autonomously on standard activities or non-complex demands; organises, co-ordinates and plans activities independently

· Experience in stakeholder management, with project experience in multicultural teams across all levels of an organisation; result-oriented and imaginative in solving complex problems; strong oral and written skills for translating complex risk requirements and issues


Operating systems

Linux
Advanced
Mac OS
Advanced
Windows
Advanced
IBM Mainframe
Basics

Programming languages

C
Basics
C++
Basics
Cobol
Basics
Java
Basics
Lisp
Basics
Pascal
Basics
SQL
Basics

Databases

DB2
Basics
MS SQL
Basics
ODBC
Basics
Oracle
Basics

Data communication

Firewall
Basics
Router
Basics
Switches
Basics

Staff responsibility

Team Leader
Expert

Industries

  • Banking & Insurance
  • Chemicals & Energy
  • Logistics & Public Services

Einsatzorte

Einsatzorte

Deutschland, Schweiz, Österreich
möglich

Projekte

Projekte

2 Monate
2023-03 - 2023-04

Audit of Secure Software Development for the Asset Management product stream encompassing several applications, APIs, databases and technical infrastructure

Security Auditor Java JavaScript Windows ...
Security Auditor

Scope of audit
? Selection of a process model and development environment
? Secure software design and Threat modelling
? Use of external libraries from trusted sources
? Provision of patches, updates and changes
? Source code version control
? Checking of external components
? Training of the development team on information security
? Appropriate control of software development
? Authentication in web applications
? Access control for web applications
? Secure session management
? Controlled integration of content in web application
? Protection against unauthorized automated use of web applications
? Protection of confidential data
? Comprehensive input validation and output encoding
? Protection against SQL injection


Azure DevOps Kubernets Sharepoint Confluence Jira MS Office programming
Java JavaScript Windows Linux Oracle NIST SP 800-218 Secure Software Development Framework (SSDF) Whitesource sonarQube
LPA Lucht Probst Associates GmbH
Frankfurt am Main, Germany
3 Monate
2022-10 - 2022-12

SWIFT CSP Assessment 2022

SWIFT CSP Advisor
SWIFT CSP Advisor

·        Advisory support of 1st line on SWIFTS CSP Attestation 2022 ? external Assessment.

·        Analysis of the Assessment Report, control testing results and evidence of the SWIFT CSP Attestation 2022

·        Review of final SWIFT CSP Assessment Report


? SWIFT Architecture type A1 (Net Link Alliance Gateway Alliance Access Alliance Web platform) Windows OS Linux OS Virtualization platform (Citrix EXDI) CyberArk QRadar Nexpose CrowdStrike
Sumitomo Mitsui Banking Corporation
New York, USA
2 Monate
2022-09 - 2022-10

SWIFT CSP Assessment 2022

SWIFT CSP Assessor
SWIFT CSP Assessor

·        Advisory support of internal Audit on SWIFTS CSP Attestation 2022 ? internal Assessment.

·        Analysis of the Assessment Report, control testing results and evidence of the SWIFT CSP Attestation 2022

·        Testing of Evidences (inquiry, inspection, examination, re-performance)

·        Final CSCF Assessment Report

·        1. Restrict Internet Access and Protect Critical Systems from General IT Environment

·        2. Reduce Attack Surface and Vulnerabilities

·        3. Physically Secure the Environment

·        4. Prevent Compromise of Credentials

·        5. Manage Identities and Separate Privileges

·        6. Detect Anomalous Activity to Systems or Transaction Records

·        7. Plan for Incident Response and Information Sharing



SWIFT Architecture type A1 Net Link Alliance Gateway Alliance Access Alliance Web platform Windows OS Linux OS Virtualization platform (Citrix EXDI) CyberArk QRadar Rapid7 CrowdStrike
European Central Bank
Frankfurt am Main
3 Monate
2022-07 - 2022-09

SWIFT CSP Assessment 2022

SWIFT CSP Assessor Net Link Alliance Gateway Alliance Access ...
SWIFT CSP Assessor

·        Advisory support of internal Audit on SWIFTS CSP Attestation 2022 ? internal Assessment.

·        Analysis of the Assessment Report, control testing results and evidence of the SWIFT CSP Attestation 2022

·        Testing of Evidences (inquiry, inspection, examination, re-performance)

·        Final CSCF Assessment Report

·        1. Restrict Internet Access and Protect Critical Systems from General IT Environment

·        2. Reduce Attack Surface and Vulnerabilities

·        3. Physically Secure the Environment

·        4. Prevent Compromise of Credentials

·        5. Manage Identities and Separate Privileges

·        6. Detect Anomalous Activity to Systems or Transaction Records

·        7. Plan for Incident Response and Information Sharing


? SWIFT Architecture type A1
Net Link Alliance Gateway Alliance Access Alliance Web platform) Windows OS Linux OS Virtualization platform (Citrix EXDI) CyberArk QRadar Nexpose CrowdSrtrike
Deutsche Bundesbank
Frankfurt am Main
2 Monate
2022-05 - 2022-06

CIS Controls - Implementation

Cybersecurity Consultant
Cybersecurity Consultant

·        CIS Controls implementation: control assurance of the 140 Definitions of Done

·        Advisory support for the CISO and 1st line Stakeholders

·        Walkthrough with 1st and 2nd Line of Defense

·        Review of the 75 DoDs already created

·        Adaptation/ standardization of the existing DoDs


CIS Controls Version 7 ISAE3402 Azure DevOps ZScaler Log360 Sharepoint Confluence Jira MS Office Windows Linux
Swiss Life Investment Management Holding AG
Zürich. Schweiz
7 Monate
2021-10 - 2022-04

ISO27001 Consulting

Information Security Consultant ? Technologie: Azure DevOps Kubernets Sharepoint ...
Information Security Consultant

·        Monitoring of the ISO27001 Certification non-compliances, Gap Assessments for the ISO27001 Surveillance Audit

·        Cyber risk assessment of Cloud Services (SaaS, PaaS): Germany, Switzerland, Luxembourg, France, England, Spain, USA, Israel, Singapore, and Greece.

·        Improve internal processes in Penetration test planning and control

·        Improve internal processes in Secure code development (OWASP) and tests (SAST, DAST)

 


? Technologie: Azure DevOps Kubernets Sharepoint Confluence Jira MS Office Programmiersprache (Java JavaScript C/C++ usw.) Sicherheitstools (Wireshark Kali ZAP) Betriebssysteme (Windows Linux) Code Inspektion/Scannen (Whitesource sonarQube VeraCode) ? Standards und Rahmen: ISO27001/27002 ISO27017 ISO27018 ISO22301 OWASP ? Regulatorisch: Verordnung (EU) 2016/679 zum allgemeinen Datenschutz MaRisk BAIT EBA-Leitlinie
LPA Lucht Probst Associates GmbH
Frankfurt am Main
3 Monate
2021-08 - 2021-10

SWIFT CSP Assessment 2021

SWIFT CSP Assessor ? SWIFT Architecture type A1 (Net Link Alliance Gateway Alliance Access ...
SWIFT CSP Assessor

? Unterstützung der internen Revision zu SWIFTS CSP Attestation 2021 ? Independent Assessment.

? Analyse des Bewertungsberichts, Kontrolltestergebnisse und Nachweis der SWIFT CSP Attestation 2021

? Abschließender  SWIFT CSCF-Bewertungsbericht

·        1. Restrict Internet Access and Protect Critical Systems from General IT Environment

·        2. Reduce Attack Surface and Vulnerabilities

·        3. Physically Secure the Environment

·        4. Prevent Compromise of Credentials

·        5. Manage Identities and Separate Privileges

·        6. Detect Anomalous Activity to Systems or Transaction Records

·        7. Plan for Incident Response and Information Sharing

? SWIFT Architecture type A1 (Net Link Alliance Gateway Alliance Access Alliance Web platform) ? Windows OS Linux OS Virtualization platform (Citrix EXDI).
European Central Bank
Frankfurt am Main
1 Jahr 4 Monate
2020-05 - 2021-08

SWIFT CSP Controls

Senior Control Assurance Advisor ? Standards & Frameworks: ISO27001 ISO22301 NIST-SP 800 ...
Senior Control Assurance Advisor

·        SWIFTS CSP Attestation 2021 ? CSCF controls pre-assessment.

·        Analysis of the Assessment Report, control testing results and evidence of the SWIFT CSP Attestation 2021

·        Definition of the Testing Methodology (inquiry, inspection, examination, re-performance) and Sampling approach (statistical and non-statistical)

 

·        SWIFT CSP Attestation 2020

·        Review of the AS-IS process flow for each security service and related SWIFT CSCF Controls with an identification of inefficiencies, deficiencies, and integration issues. Validation of findings with 1st, 2nd and 3rd lines of defense

·        SWIFT CSCF Controls in scope: Internal Data Flow Security, Operator Session Confidentiality and Integrity, Vulnerability Scanning, Application Hardening, Database Integrity, and Logging and Monitoring


? Standards & Frameworks: ISO27001 ISO22301 NIST-SP 800 CIS-CONTROLS ISAE3402 CSA Star OWASP ITIL COBIT 5 Agile Scrum ? Regulatory & external: National Bank of Belgium Bank of England Directive (EU) 2016/679 on General Data Protection Swift CSCF. ? Technology: SWIFT Architecture type A1 (Net Link Alliance Gateway Alliance Access Alliance Web platform) Virtualizazion platform (Citrix ESX)IBM Mainframe Tandem CHAPS CREST RTGS QRadar MIPS CrowdStriker Cyberark Sailpoint ServiceNow and Office365
Euroclear Bank SA
Brüssel, Belgien
5 Monate
2019-08 - 2019-12

Cybersecurity Program

Cybersecurity Consultant ICS (Industrial Control Systems) Cloud Computing (Google Azure ...
Cybersecurity Consultant
  1.         Establish the Risk Assessment as an ongoing, recurring process: implementation of risk assessments for 25 countries (Europe and Asia)

    ·        Analysis of past risk assessments (processes and results), and further development of the already started process for a detailed risk assessment (Scenario-based, Asset-based, Control-based und GAP Assessments)

    ·        Execution ISO27001 Gap Assessments for the ISO27001 ISMS Certification

    ·        Execution Risk Assessments: ICS (Industrial Control Systems), Cloud Computing (Google, Azure, AWS, Salesforce), SAP (SAP ECC, SAP HR, SAP BPM, SAP Netweaver), Incident Management (ServiceNow).


ICS (Industrial Control Systems) Cloud Computing (Google Azure AWS Salesforce) IoT Big Data Frameworks: ISO27001/27002 ISO27017 ISO27018 ISO22301 IEC 66243 CIS-CONTROLS(SANS 20) CSA Star ITIL OWASP
Vaillant Group GmbH
Remscheid
3 months
2019-07 - 2019-09

Identity & Access Management

Lead Security Risk Analyst
    ·        Identity and Access Management (Germany & Spain): risk assessment of the overall application architecture in terms of available roles, profiles and permissions, in collaboration with IT and business owners. Review of roles, permissions and segregation of duties within software applications. Development of proposals for the treatment of security risks and creation of guidelines and regulations for information security

    ·        Data analysis and solution design (onboarding/offboarding, mover, leaver, privileged access)

    ·        Review of business concepts and access control of mission-critical applications

    ·        Tracking of status and communication with stakeholders (departments and IT architecture)




·        Tools: SailPoint, Splunk, CyberArk


ISO 27001/27002, SailPoint, Splunk, CyberArk, Agile/Scrum
Santander Consumer Bank AG
Mönchengladbach, Germany
3 months
2019-05 - 2019-07

Identity & Access Management

Lead Security Risk Analyst

·        Identity and Access Management: integration of processes and data sources relating to personal information, and distribution of digital identity data to downstream systems

·        Driving the business process analysis for the integration of onboarding and offboarding of technical, internal and external users

·        Ensuring fulfilment of risk control, audit and compliance requirements (BaFin, MAS, SOX, EU-GDPR)

·        Risk assessment of the overall application architecture in terms of available roles, profiles and permissions, in collaboration with IT and business owners. Review of roles, permissions and segregation of duties




ISO 27001/27002, Agile/Scrum, EU-GDPR, MaRisk, BA-IT, Dell One Identity, CyberArk, Anaconda, Python
Deutsche Bank AG
Frankfurt am Main
4 months
2018-09 - 2018-12

ISO27001 Implementation

Security Consultant
    ·        Critical Infrastructure Protection Program (Cologne, Brussels and Paris)

    ·        Supplier management: review of ISMS and technical security controls (asset management, access control, cryptography, security operations and network communication)

    ·        Development of proposals for the treatment of security risks

    ·        Creation of guidelines and regulations for information security

    ·        Conducting risk analyses and assessing the efficiency and effectiveness of security controls

    ·        Support for third-party and internal audits


NIST, CIS Controls (SANS 20), BSI series, ISO 2700x, COBIT, ITIL, EU-GDPR, VA-IT, MaRisk
AXA Services GmbH
Cologne, Germany
11 months
2018-02 - 2018-12

Risk and Control- 2nd Line of Defence

Security Consultant
    ·        Risk and Control, 2nd Line of Defence: ensuring that the objectives of the bank's business and risk strategy meet regulatory requirements. Design and review of the ISMS policy with stakeholders

    ·        Supplier management: conducting security risk assessments and preparing supplier audits (1st and 2nd party audits) covering asset management, identity & access management, operations security, network communication, physical security, business continuity and disaster recovery

    ·        Drafting and review of a DLP (data leakage prevention & data loss protection) concept for the implementation of regulatory requirements (EU-GDPR Article 32 "Security of processing")


NIST CSF, CIS Controls (SANS 20), BSI series, ISO 2700x, ISO 22301, COBIT, ITIL, EU-GDPR, SOC 1/SOC 2, BA-IT, MaRisk
Deutsche Apotheker- und Ärztebank
Düsseldorf
2 years 3 months
2016-06 - 2018-08

Identity & Access Management

Security Analyst

    ·        COO Chief Security Office - Global IS Identity & Access (Germany, UK, Portugal, Spain, India)

    ·        Segregation of Duties (SoD): information security access controls in accordance with ISO 27001/27002 and compliance requirements (BaFin, MAS, SOX, EU-GDPR)

    ·        Management of the global SoD implementation and of the monitoring process for users and assets. Governance of access-right violations and related documentation

    ·        Checking access control issues in selected software applications. Support for the integration of security policies into the overall architecture, from the applications (attribute-based access control) to the RACF mainframe (role-based access control)

    ·        Identification of toxic combinations and SoD violations within applications; technical implementation and maintenance of SoD rules, including coordination of testing and sign-off activities

    ·        Reporting: monthly delivery of relevant reports, scorecards and presentations to management

OMADA, SharePoint, regulatory apps (Finance Reporting, SAP, Payments and Securities), midrange and mainframe apps, COBIT, ITIL
Deutsche Bank AG
Frankfurt am Main
9 months
2015-10 - 2016-06

Risk Assessment - 3 Lines of Defence

Lead Control Risk Assessor
    ·        Regulatory Risk & Control Office - IT Security, Audit, Risk & Compliance - 3LoD Program (Frankfurt, London, Birmingham, Barcelona, Lisbon, New York, Singapore and Pune)

    ·        Performing risk-based assessments at the global level of the 3LoD (three lines of defence) approach within the bank for all critical and high-importance RBPs (relevant business points)

    ·        Risk assessment assignments in the IHC Stride/FDW/Datahub Program (New York, Germany, UK), DB Germany, DB Spain and DB Portugal as part of the divisional control office function, following the three lines of defence framework to meet audit and regulatory requirements of several external regulators (e.g. FED, MAS, BaFin), with a key focus on information security inherent risks and gap analysis of IT service areas (application development and production), rating control design and operating effectiveness

COBIT, ITIL, ISO 27001/27002, BaFin MaRisk, MAS, SOX
Deutsche Bank AG
Frankfurt am Main
6 months
2015-01 - 2015-06

Implementation of B2B E-commerce Platform

Security Analyst
  • Implementation of a B2B internet platform
  • Architecture strategy, risk & security management
  • Definition of the e-commerce services (web frontend, e-commerce solution, finance/customer services and backend applications) and of cloud computing security & architecture (AWS, Azure and SAP)
  • Definition of the e-commerce requirements and creation of a business plan
  • Review of the compliance requirements for electronic payments (PCI DSS)
AGROHIGHWAY - SOUTH LATAM TRADING COMPANY LTD
London, United Kingdom
17 years 2 months
1998-05 - 2015-06

Quality Assurance & Control / IT Risk Management

Consultant
  • Scope: Germany, United Kingdom, United States, Belgium, Netherlands, Sweden, Switzerland, Spain, Portugal, France, Italy, India and Singapore

 Key achievements:
  • CMMI SCAMPI assessments (classes A, B, C) in achieving CMMI Level 3
  • CMMI standards (CMMI-DEV, CMMI-ACQ, CMMI-SVC) implementation
  • Software process assessment and design (BOOTSTRAP, DSDM, V-Model 97)
  • Quality assurance and control (unit, system, integration and user acceptance testing)
 

Assignments: 

  • 04/2008 to 06/2015 - Generali Informatik Services GmbH - Aachen/Cologne/Hamburg, Germany
  • 10/2008 to 12/2009 - Deutsche Bundesbank - Frankfurt am Main, Germany
  • 10/2007 to 01/2008 - German Federal Armed Forces (Bundeswehr) - Bonn, Germany
  • 03/2007 to 09/2007 - Credit Suisse AG - Zurich, Switzerland
  • 01/2007 to 03/2007 - Sogeti Deutschland GmbH - Frankfurt, Germany
  • 10/2006 to 11/2006 - Deutsche Börse Gruppe AG - Frankfurt am Main, Germany
  • 02/2006 to 05/2006 - SEB Bank AG - Frankfurt am Main, Germany
  • 10/2004 to 01/2006 - Deutsche Post IT Solutions GmbH - Darmstadt, Germany
  • 07/2002 to 09/2004 - Deutsche Bank AG - Frankfurt am Main, Germany
  • 04/2002 to 10/2002 - Interquality Services AG - Augsburg, Germany
  • 02/2001 to 05/2002 - Dresdner Bank AG - Frankfurt am Main, Germany
  • 04/2000 to 03/2001 - Commerzbank AG - Frankfurt am Main, Germany
  • 06/1999 to 03/2000 - Numerical Magic GmbH - Frankfurt am Main, Germany
  • 05/1998 to 07/1999 - BASF Group - Targor GmbH - Mainz am Rhein, Germany

See project contents
Europe, USA, Asia

Education and Training

Certifications

· (2022) SWIFT CSP Framework v2022, Transcript 0001110329

· (2021) SWIFT CSP Framework v2021, Transcript 0000929177

· (2020) ISO 27032 Senior Lead Cybersecurity Manager (PECB) - License CSSLM1005842-2020-01 - Canada

· (2018) Lead SCADA Security Manager (PECB) - United Kingdom

· (2017) NATO Advanced Cybersecurity Training - North Macedonia

· (2015) ISO 27001 Lead Auditor (PECB) - License no. PECB-ISMSLA-101001 - Canada

· (2008) ISO 20000 Service Management Auditor - itSMF - United Kingdom

· (2007) Certified in Risk and Information Systems Control (CRISC) - License no. 1107610 - ISACA, USA

· (2005) Certified Information Systems Auditor (CISA) - License no. 0540072 - ISACA, USA

· (2001) Quality Management Assessor - European Foundation for Quality Management - Belgium

· (2000) Certified Business Engineer - Chamber of Commerce and Industry Saarland, Germany

· (1993) Certified Business Information Systems Specialist - Deutsche Private Akademie GmbH, Germany

Education

· (2010) - Fernuniversität Hagen, Germany - Academic studies in Mathematics

· (2005) - University of Hertfordshire, London, UK - Postgraduate Diploma in Music Composition

· (1999) - St. George University International - Bachelor of Science in Computer Science and Information Technology - Grenada, West Indies

· (1996) - Royal Conservatoire - Institute of Sonology - The Hague, Netherlands - Postgraduate Certificate in Sonology (Music Technology)

Professional Memberships

· IEEE - Institute of Electrical and Electronics Engineers, Inc.

· ISACA - Information Systems Audit and Control Association

· ISC² - International Information Systems Security Certification Consortium

· PECB - Professional Evaluation and Certification Board


Competencies

Top skills

ISO 27001, CIS Controls, SWIFT CSP, ISAE 3402, NIST, COBIT

Focus areas

Auditor: Expert
Project leader: Expert

Products / Standards / Experience / Methods

BSI series: Advanced
CIS Controls: Expert
COBIT: Expert
EU-GDPR: Advanced
ISA/IEC 62443: Basics
ISO 22301: Advanced
ISO 27001: Expert
ITIL: Expert
NIST: Expert
NIST CSF: Expert
SCADA: Basics
SOC 2: Advanced
SWIFT CSP: Expert

Professional Skills

·        Information security industry standards and best-practice frameworks in large organisations: SWIFT CSCF, ISO 27000 series, ISO 31000, ISO/IEC 62443, NIST CSF, NIST SP 800-53, COBIT, CSA CCM, CIS Controls, OWASP, SABSA, TOGAF, MITRE ATT&CK

·        Compliance testing against international standards, local or EU regulations and third-party frameworks (SREP, ISAE 3402, FISR, EU-GDPR, SWIFT CSP, BaFin, MAS, Bank of England, National Bank of Belgium)

·        IT risk assessments, internal/external audits and monitoring of residual-risk remediation activities

·        Security assurance and testing; risk assessment and mitigation of relevant risks, ensuring that security controls are applied to the information assets

·        Relies on existing processes, policies, procedures and methods to make decisions

·        Reporting ethics: reports sensitive matters in confidence; able to write formal information such as control procedures or security requirements in simple terms and short sentences

·        Works autonomously on standard activities or non-complex demands; organises, coordinates and plans activities independently

·        Experience in stakeholder management, with project experience in multicultural teams across all levels of an organisation. Result-oriented and imaginative in solving complex problems. Strong oral and written skills for translating complex risk requirements and issues


Operating systems

Linux: Advanced
Mac OS: Advanced
Windows: Advanced
IBM Mainframe: Basics

Programming languages

C: Basics
C++: Basics
Cobol: Basics
Java: Basics
Lisp: Basics
Pascal: Basics
SQL: Basics

Databases

DB2: Basics
MS SQL: Basics
ODBC: Basics
Oracle: Basics

Data communication

Firewall: Basics
Router: Basics
Switches: Basics

Personnel responsibility

Team leader: Expert

Industries

  • Banking & Insurance
  • Chemicals & Energy
  • Logistics & Public Services
