Paras Arora

Gurgaon, Haryana

Information Security Advisor

Skills

Privacy and Data Protection

1. Exposure to Safe Harbour law
2. Exposure to CAN-SPAM Act

Web Application Source Code Review

1. Involved in threat profiling of the application under assessment
2. Involved in determining severity ratings for identified vulnerabilities
3. Presenting the identified issues and vulnerabilities to Sr. Management (including CxOs of the company)
4. Exposure to assessment tools such as IBM AppScan Source Edition

Web and Network Infrastructure Security Review

1. Conducted Network Security Architecture Reviews
2. Conducted Device Configuration Reviews for Network Devices
3. Conducted System Configuration Reviews for Web and DMZ Servers

Information Security Risk Assessment

1. Developed Risk Assessment Methodologies based on the NIST 800-30 framework
2. Conducted Information Security Risk Assessments based on the NIST 800-30 framework
3. Conducted Business Risk Assessments for Technology and Business Processes
4. Implemented controls to reduce the identified risks to an acceptable level

Infrastructure Penetration Testing

1. Involved in threat profiling of the infrastructure under assessment
2. Involved in determining severity ratings for identified vulnerabilities
3. Presenting the identified issues and vulnerabilities to Sr. Management (including CxOs of the company)
4. Exposure to assessment tools such as Wireshark, Nmap, Nessus Pro Feed, OpenVAS, Cain & Abel, Metasploit, Core Impact, etc.

Application Penetration Testing

1. Involved in threat profiling of the application under assessment
2. Involved in determining severity ratings for identified vulnerabilities
3. Presenting the identified issues and vulnerabilities to Sr. Management (including CxOs of the company)
4. Exposure to assessment tools such as Eco Mirage, JavaSnoop, HP WebInspect, IBM Rational AppScan, Acunetix, WebScarab, Wireshark, Burp Suite, etc.

ISO 27001 Implementation and Sustenance

1. Involved in documenting Policies, Procedures and Guidelines
2. Conducting Information Security Risk Assessments based on NIST 800-30
3. Managing and conducting Internal Audits based on the ISO/IEC 27001:2005 Standard
4. Driving the implementation of controls for minimizing the identified risks and issues
5. Involved in preparing Information Security Awareness communication and imparting training
6. Managing external surveillance audits for ISO/IEC 27001:2005 and ITGC standards

PCI QSA

1. Documented the IROC and FROC based on PCI DSS v2.0
2. Conducted PCI DSS Assessments for Service Providers, Merchants, Payment Processors and Banks

Passport and Visa Information

Passport Number: K6494222

Country: India

Visa: B1 visa for USA

Visa Validity: till Mar 2022

Awards and Recognitions

1. Award for Academic Excellence for year 2003-2004 (Guru Nanak Dev Polytechnic)

2. Award for Academic Excellence for year 2004-2005 (Guru Nanak Dev Polytechnic)

3. Awarded with I-to-I (Initiation to Implementation) award at Compare Infobase Pvt Ltd.

4. Awarded with Technical Excellence Award (January 2009)

5. Awarded with OVATION Award (January 2013) at Verizon India Pvt Ltd

6. Awarded with OVATION Award (March 2013) at Verizon India Pvt Ltd

Objective

A responsible and challenging position in an organization that would utilize my experience, nurture my ambitions and give scope to my inquisitiveness to learn and acquire new skills; to gain opportunities for growth based on achievements, develop a comprehensive understanding of the working of the organization and contribute to its overall growth.

Recent Project Experience

  • PCI DSS Gap Assessment for one of the largest American banks

Role: Project Manager and Lead Assessor

Responsibilities: To manage and conduct the Gap Assessment for one of the largest US banks across multiple geographies within the APAC region.

  • Business Continuity Strategy Implementation

Role: Project Manager / Lead Consultant

Responsibilities: To implement a practical business operations recovery strategy for a medium-sized organization, in line with compliance with and sustenance of ISO/IEC 27001:2005 controls.

  • PCI DSS Implementation

Role: Project Manager / Lead Consultant

Responsibilities: To provide project management and implementation support for an organization to achieve and sustain compliance with the Payment Card Industry Data Security Standard (PCI DSS) v2.0.

  • DLP, Log Correlation, and Web Proxy Implementation

Role: Project Manager / Lead Consultant

Responsibilities: To provide consultation and project management for the implementation and operational management of RSA DLP, RSA enVision and Cisco IronPort Web Proxy in a medium-sized technical support organization.

  • Vulnerability Assessment and Penetration Testing for Web Application and Network Infrastructure

Role: Project Manager / Lead Consultant

Responsibilities: To manage and execute medium to large sized (100 web applications, 500 network devices) vulnerability assessment and penetration testing projects for multiple clients.

  • Cert-IN Empanelment (Application Vulnerability Assessment) – Verizon Business

Role: Lead Consultant

Responsibilities: To identify, exploit, document and provide recommendations for the identified vulnerabilities in the offline and online test beds for Cert-IN empanelment.

  • Resource Augmentation in Technical Support Organization

Role: Project Management

Description: To provide support and play the CISO role in an organization: strengthening Information Security services, managing compliance with various regulatory and organizational requirements, managing Vulnerability Assessment and Penetration Testing projects, conducting risk assessments, managing and coordinating external PCI DSS, ITGC and corporate audits, implementing the ISO 27001 standard and managing the implementation of a Security Operations Center (SOC).

Work History

Jun 2010 - Present

Sr. Information Security Consultant

Verizon India Pvt Ltd

Practice Development & Project Management

  • Working on proposals and doing the effort estimation (costing sheet) for various projects such as PCI DSS assessment & certification, ISO 27001 readiness assessment & implementation, ISO 22301 readiness assessment & implementation, vulnerability assessment and penetration testing, and application security testing.
  • Aligning appropriate resources based on project requirements
  • Meeting clients to identify new opportunities for practice development
  • Managing and mentoring resources for project delivery
  • Participation in project kick-off and closure meetings
  • Managing client escalations and delivery

PCI DSS

Carried out PCI DSS Gap Assessments and issued Initial Reports on Compliance, Final Reports on Compliance and Attestations of Compliance as follows:

PCI DSS Gap Assessment for:

  • 8 Service Providers in India
  • 2 Merchants in India (Global Merchants)
  • 1 Payment Processor in India
  • 1 Bank in India

Initial Report on Compliance for:

  • 8 Service Providers in India
  • 1 Merchant in India (Global Merchant)
  • 1 Payment Processor in India
  • 1 Bank in India

Final Report on Compliance and Attestation of Compliance for:

  • 5 Service Providers in India
  • 1 Merchant in India (Global Merchant)

ISO 27001 Implementation & Readiness Assessment

Implemented ISO 27001 for 2 Banking Clients, 2 IT Clients and 1 BPO, which included:

  • Asset Register Development
  • Statement of Applicability
  • Risk Assessment, Risk Management and Risk Mitigation procedure Development
  • Policies, Procedures and Standard Development
  • Baseline documents Development for Server, Databases, Firewalls, Network Devices, Web Servers, etc.
  • Change Management
  • Information Security Manual and Policies Development
  • Disaster Recovery and Business Continuity Implementation
  • Recovery Procedure and Strategies Development
  • Documentation of Corrective and Preventive Action Plan
  • Information Security Awareness and Training

Vulnerability Assessment & Penetration Testing

  • Cert-IN Empanelment for Verizon Business - Consultant and Penetration Tester for the empanelment of Verizon Business with Cert-IN. It involved performing penetration testing on web applications and reporting more than 90% of the vulnerabilities within the application, along with proof-of-concept for exploited vulnerabilities.
  • Application Security Assessment for a Leading IT Service Organization - Lead Consultant and Security Assessor for one of the major IT service organizations for their in-house application project.
  • Network Assessment for a BPO Organization in the Financial Sector - Lead Consultant for Network Audit and Penetration Testing for an IT/ITES client.
  • Network Assessment for a Leading Financial Organization - Conducted internal and external network assessments for a leading financial organization.

Manual Configuration Review

Performed manual configuration review of the following:

  • Network Devices (Firewalls, Routers, Switches, IDS, IPS, etc.)
  • Web Servers (IIS and Apache)
  • Domain Controller/Active Directory
  • Database Audits (Oracle, SQL 2000, 2005)
  • Operating Systems (Windows, Linux, Unix, AIX)
  • Antivirus (Symantec, McAfee)

Risk Assessment

Carried out multiple risk assessments, which included formulation of the Asset Register, asset classification, threat and vulnerability identification, and estimation of likelihood of impact and probability of occurrence, based on industry best practices such as:

  • NIST 800-30
  • OCTAVE
  • ISO 27005

Incident Management Matrix Formulation

Formulated an Incident Management Matrix based on Verizon's VERIS Framework

Mar 2007 - May 2010

Sr. Information Security Consultant

Proton Technosoft

  • ISO 27001 Readiness Assessments and Implementation for IT/ITES companies and a Payment Processor in India
  • Performed Application Penetration Testing for a major bank in India and the largest news channel company in India.
  • Carried out Business Impact Assessments for IT/ITES companies in India.
  • Performed multiple third-party vendor risk assessment reviews for financial and banking clients.
  • Played a key role in developing the framework, methodology and templates for the Vulnerability Management Lifecycle (VML) service offering.
  • Executed a number of external and internal vulnerability assessments (firewalls, network devices, applications, servers, databases, etc.), penetration testing engagements on networks (wired and wireless) and application security engagements.
  • Assisted IT/ITES clients in developing Privacy and Data Protection solutions.
  • Performed security configuration reviews and identified gaps against security baselines set by clients and leading industry practices; provided technical recommendations to mitigate the risk arising from the gaps.
  • Worked on SOX-IT engagements for manufacturing industries. The scope of work included testing and review of different controls in the operations, security and change management domains.
  • Hardened servers and devices - Windows: Windows 2000 and 2003; UNIX: Solaris, AIX, Linux; Databases: Oracle, MSSQL 2000 and 2005, MySQL, DB2; Routers and Switches: Cisco; Firewalls: NetScreen, Check Point and PIX; Web Servers: IIS and Apache; Proxies: Squid, IWSS; Exchange Servers: Microsoft Exchange; hardening of Citrix Servers and BlackBerry Servers.
  • Team management, timely project delivery, working on proposals and new opportunities

Sep 2006 - Feb 2007

Support Engineer (Unix)

Apollo Health Street

a. Providing expert-level support for Linux servers, clusters, databases and the healthcare application.

b. Conducting RCA for server, database and healthcare IT incidents

Jan 2006 - Aug 2006

Server Coordinator

Compare Infobase Pvt Ltd

a. Managing Datacenter Operations.

b. Directing Administrators on Server Administration.

Aug 2005 - Dec 2005

IT Consultant

Centre for Development of Advanced Computing (CDAC)

a. Providing Advisory on Linux and Microsoft infrastructure implementation

b. Conducting awareness sessions on Linux and Microsoft infrastructure implementation

Jul 2004 - Feb 2005

Security Administrator - Microsoft

STG Intl., Delhi

a. Active Directory Management for in-house network

b. Microsoft infrastructure maintenance for in-house network

c. Security Controls (technical) implementation

Education

PGDSDA

Centre for Development of Advanced Computing

Post Graduate Diploma in System and Database Administration

B.E.

Institute of Electronics and Telecommunication Engineers

2002 - 2005

Diploma in Computer Science

Guru Nanak Dev Polytechnic

References

Sarabjeet Singh

Manisha Bansiwal

Gaurav Benjamin

Mukesh Dubey

Sarvesh Goorha