Resumé
Richa Kulshreshtha
176 Waterside Dr., Little Ferry, NJ – 07643.
M - +1 508 439 3509
[email protected]
Visa Status: H1B

SUMMARY

9+ years of experience as a solutions-oriented IT Security and Risk & Controls Management Specialist with notable success directing a broad range of corporate IT initiatives while participating in the planning and implementation of information-security solutions in direct support of business objectives.

• Track record of increasing responsibility in Risk & Control Assessments, SOX 404 Compliance activities, SAS70 audits, secure network design, security product implementation and full lifecycle project management.
• Demonstrated capacity to consult on and implement innovative security programs that drive awareness, decrease exposure, and strengthen the security of organizations.
• Hands-on experience with leading security technologies and products.
• Outstanding leadership abilities; able to coordinate and direct all phases of project-based efforts while managing, motivating, and leading project teams.
• Adept at developing effective security policies and procedures, project documentation and milestones, and technical/business specifications.

Certifications
• Project Management Professional (PMP)
• ITIL v3 Foundation
• Cobit 4.1 Foundation
• Certified in Control Self Assessment (CCSA)
• Certified Information Systems Auditor (CISA)
• Certified Information Systems Security Professional (CISSP)
• Checkpoint Certified Security Administrator (CCSA)
• Cisco Certified Network Associate (CCNA)
• Microsoft Certified Professional + Internet (MCP+I)

Professional Affiliation
Member of ISACA

PROFESSIONAL EXPERIENCE
• Citigroup Inc., USA: IS, COB & Controls Analyst / SAS70 Program Manager (May 2007 – Feb 2011)
• i-flex Solutions Inc., USA: Assistant Manager / Consultant (Jan 2004 – May 2007)
• Ramco Systems Pvt. Ltd., Bangalore, India: Technical Consultant (Nov 2002 – Dec 2003)
• Prudenté Solution Pvt. Ltd., Bangalore, India: Network Security Consultant (Jan 2002 – Nov 2002)
• Bangalore Labs Pvt. Ltd., Bangalore, India: Information Security Consultant (Jun 2001 – Oct 2001)

Skills
• Risk Management & controls mapping
• Process Mapping for on-going security management
• Process and security consulting
• Security Products Implementation (Firewall, IDS, Vulnerability Scanners, anti-virus software, content filtering software etc.)
• Change Control Process

Tools
• Risk Management Applications: ARMOR-IRM, ARCHER, CSI, Infoman
• Scanners: Nessus, Cerebrus internet scanner, Internet Security Systems scanner, nMap, Superscan, Retina, Appdetective
• OS Hardening tools: Server Lock, IIS Lock down, HardenNT, nPatrol
• Antivirus software: Sophos, Symantec Norton anti-virus, escan, Trendmicro Officescan, Trendmicro Interscan Viruswall
• Content filtering software: Websense, SuperScout surfcontrol, Igear/Symantec Web Security
• Log Analyser/Reporting software: WebTrends Firewall Suite, WebTrends Analysis Series
• Integrated Products: Symantec Client Security
• Network sniffer: Iris, Anti-sniff
• Password cracker: LC3
• Firewalls: Checkpoint, Sonicwall, SecureIIS (application level firewall for IIS), Tiny Personal firewall
• IDS: Real Secure, MARS+
• Configuration / Change Management Tools: PVCS Dimension

PROJECTS

Citigroup, New Jersey (May 2007 – Till Date): SOX404 Compliance/SAS70 Audit

• Managed the SAS 70 Program. The program involved managing the SAS 70 audit in liaison with KPMG auditors and various regional teams, keeping abreast of key organizational updates for SAS70 reporting and SOX 404 assessments, resolving any concerns on factual accuracy of observations and escalating to respective stakeholders, maintaining the updated documentation on the SharePoint site and supporting the clients in resolving any issues/concerns, and managing the final SAS 70 report distribution application and process.
• Led the design, creation and launch of the Archer SAS70 report management module in compliance with the global information security policy, increasing user friendliness and accurate reporting.
• Provided governance and guidance to all technology divisions for SOX 404 compliance activities and SAS70 activities to ensure the organization's compliance with the SOX404 Act, via regular SOX Working Group meetings, liaising with various stakeholders as appropriate.
• Played a key role in facilitating the SOX 404 review in coordination with KPMG auditors and various regional teams. Additionally, facilitated the SOX business monitoring review by internal auditors.
• Re-vamped the SOX/non-SOX issue review process, adopting the risk based random sampling methodology and changing the frequency of review (based on observed success rate) for a robust and efficient risk based process, leading to savings in man hours for the group.
• Solidified the SOX issue review process for IT SOX Steering committee review and business impact analysis by respective businesses.
• Initiated the trend analysis of the Issue review process to report on process effectiveness and to focus on areas that needed improvement, and educated/trained the regions/business divisions accordingly.
• Generated reports and scorecards for the corporate office and businesses for appropriate classification/determination of SOX issues in accordance with the defined standards, circumventing the complexities and inconsistencies.
• Reviewed the issues/Corrective action plans after the BISO review for accuracy and correctness.
• Proficiently supported the team with expert opinions/clarifications in the review of reliable, relevant and sufficient issue remediation evidence.
• Conducted the Resource Impact Analysis due to the reduction in SOX scope and the AS-5 standards in liaison with SOX Leads and Regional SOX compliance groups, including business impact analysis of SOX issues & anticipated significant changes to the SOX environment.
• Managed and maintained the SharePoint site, keeping it current and updated for SAS70 audit logistics and the SOX 404 Working group, archiving relevant guidance documents/procedural documents/announcements accessible to internal clients and external auditors.
• Streamlined the process to improve access controls to Citi facilities and systems by external auditors/contractors as part of the Corporate initiative.
• Managed the assigned internal audits, ensuring timely progress of audits.
• Facilitated the audits based on the BS7799 and ISO27001 frameworks.
• Initiated the ARCHER & CSI data integrity review, performed detailed analysis in coordination with various stakeholders, resolved discrepancies and presented the analysis results to senior management, leading to accurate and consistent information in the system.
• Collaborated to compose key documents detailing operational processes and SAS70 and SOX 404 related IT General Controls.

i-flex Solutions Ltd. (Jan 2004 – May 2007)

Citigroup (New Jersey, USA): GCC CITMP Operational Risk, FFIEC and SOX 404
The project scope included writing L3 procedures for the technology platforms implemented by Citigroup and aligning them with the internal (RCSA and CITMP) and external (SOX 404 and FFIEC) control frameworks.
Role:
• Mapped the existing processes to best international practices (FFIEC, SOX404).
• Reviewed existing process documents and communicated needed enhancements.
• Conducted gap analysis on the CITMP L2 and L3 documents, identified gaps and redundancies against the CobIT and COSO frameworks, the RCSA framework, and SOX and FFIEC controls, and provided recommendations for closing those gaps.

Citibank Inc., New Jersey: Information Security Consultant - CRA Fast Track Project
The IS Fast Track CRA (Common Risk Assessment) initiative was started to enable and facilitate all business divisions under CTI to complete the risk assessments for year 2006.
Role:
• Interacted with various teams and assisted in managing the project by interacting with all the regions/business divisions for completing the application/business compliance questionnaires.
• Independently led the Infrastructure risk assessments as part of the infrastructure risk assessments exercise.
• Reviewed the Key IT Risks and internal controls, mapping them alongside the Citi Information Security Standards, and facilitated the establishment of the IT RCSA baseline.
• Led the effort for the reconciliation of Risk Acceptance forms, Residual Risk forms and Issues/Corrective Action Plans within the targeted time frame. This was a success milestone for the department.

State Street Financial Center (Boston, USA): Configuration Manager
Configuration Management, as an important part of the SDLC, is established in the complex application development environment at State Street to streamline and optimize the process of tracking application development, enhancements and bug fixes, code deployment activities and Change control via a Lotus workflow application, leading to improvements in the CM process for the organization.
Role: Configuration Manager, Release Manager, Change Manager and Deployment Manager.
• Administered CVS. Also coordinated with various departments along with the development team for version control of sources and the QA, UAT and production promotions, leading to timely releases and bug fixes meeting the strict time deadlines and satisfying the business user's requirements.
• Streamlined the Change Control Process by documenting the change, raising the change in Infoman and following up the change till closure.
• Documented the Standard operating procedures and Configuration Management Plan, which led to compliance with the audit requirement.

Citigroup NA (Singapore): Release Manager
At Citibank, the latest Flexcube version rollout was carried out for 13 countries in the ASPAC region.
Role: As a Flexcube application Configuration, Change and Release Manager:
• Liaised with Citibank QA, Datacenter team, Server Management team and Change management for UAT and Production promotion, which led to timely releases meeting the strict time deadlines.
• Maintained the version control repository in PVCS in co-ordination with the development team, which led to the baselining of source code deployed in the organization in an organized fashion, meeting the strict time deadlines for any UAT and Production release.
• Initiated the source code retro process, resulting in consolidation of source code across various development locations.

Ramco Systems Pvt. Ltd. (Bangalore, India) (Nov 2002 – Dec 2003)

Atos Origin (Bombay)/Hutch (Hyderabad)/TVS Motors (Bangalore): Resident Security Consultant
Role:
• Consulted based on the BS7799 Security Standard on the security of the existing network infrastructure.
• Implemented and supported the Infrastructure security (including servers/desktops security and their patch level, firewall/IDS/URL Filtering software/Log Analyser for firewall and webserver implementation, and establishing SecuRemote VPN for various branch offices and area offices to the servers in the central location).
• Initiated the process for appropriate access rights for the authorized users and blocking unwanted services to or from the network, so that the organization's security policy can be complied with.
• Implemented SecurID authentication for users logging onto Windows NT server and assigned SecurID tokens to users for 2-factor authentication while logging onto servers.
• Content filtering software implementation, which facilitated the client to easily control access to sites for its users and monitor what URLs the users are accessing and when.
• Created awareness of security related issues among the users and management.
All these activities strengthened the security policy and processes in the organization in terms of compliance with the best practices and standards. The consulting and security products implementation led to a secure infrastructure for the organizations.

Philips (Bombay, India): Security Consultant
This project involved a two-factor authentication mechanism implementation with RSA SecurID tokens and SafeStone DetectIT Agent on AS/400 server.
Role: Spearheaded the implementation of the RSA/ACE server in Mumbai and co-ordinated the implementation of SafeStone's DetectIT agent on AS/400 servers in Delhi. The project was completed by handing over the implementation and administration documentation to the customer. The project was a complete success with kudos from the customer.

Prudenté Solution Pvt. Ltd. (Bangalore, India) (Jan 2002 – Nov 2002)

Security Consultant
• Security Consulting and Infrastructure Support for various clients. Role: Provided virus cleaning services and antivirus implementation for quite a few Bangalore based companies, ultimately leading to clean, virus free and secure networks.
• This project was a Technical Security Audit project. Role: Conducted vulnerability Assessment for the network using tools like scanners, network traffic analyzers, password crackers etc. Initiated and led the process for making the network infrastructure secure based on the findings, ultimately leading to a secure network.

Bangalore Labs Pvt. Ltd. (Bangalore, India) (Jun 2001 – Oct 2001)

Information Security Consultant
• This project involved doing a complete remote penetration testing on the live infrastructure of the Singapore based company. Role: Carried out Foot-printing, Remote Scanning, OS Enumeration and Escalation of Access, which resulted in finding crucial security loopholes in the organization's network. Commercial Tools like ISS Scanner and Retina and Freeware tools like Nessus, Nmap, X-Probe and custom scripts written in Perl were used for penetration testing. The results were analyzed and reported back to the customer with steps for fixing the vulnerabilities. This resulted in creating awareness in the client for securing their network infrastructure and also strengthened the penetration testing services vertical of the organization after the first success story.
• As a part of the Security Advisory Services, Bangalore Labs used to provide on-going support to the customer through email based alerts on patch upgrades, virus alarms and cures, operating system vulnerabilities, etc. Role: Responsible for checking the new vulnerabilities reported from vendor web-sites (Microsoft, Cisco, Red Hat, Trend Micro and McAfee, etc.), CERT, ISS and the Common Vulnerabilities and Exposures (CVE) website, testing the solutions in a lab setup at Bangalore Labs and advising customers on the procedures for implementing them in their environment. This led to first hand updated information being available to customers before getting hit by any preventable security incident.

EDUCATION
• PG Diploma in Telecom Management, Symbiosis Institute of Telecom Management, 2001
• BE (Electronics & Communication), Bhilai Institute of Technology, Durg, 1998

REFERENCES
Available upon Request.