Paras Arora

Practice Development & Project Management

• Working on proposals and doing the effort estimation (costing sheet) for various projects such as PCI DSS assessment & certification, ISO 27001 readiness assessment & implementation , ISO 22301 readiness assessment & implementation, Vulnerability assessment and penetration testing, Application security testing.
• Aligning appropriate resource based on project requirement
• Meeting client for new opportunities for practice development
• Managing and mentoring resources for project delivery
• Participation in project kick-off and closure meetings
• Managing client escalations and delivery

PCI DSS

Carried out PCI DSS Gap Assessment and issued Initial Report on Compliance, Final Report on Compliance and Attestation of compliance to:

PCI DSS Gap Assessment for:

• 8 Service Providers in India
• 2 Merchant in India (Global Merchant)
• 1 Payment Processor in India
• 1 Bank in India

Initial Report on Compliance for:

• 8 Service Providers in India
• 1 Merchant in India (Global Merchant)
• 1 Payment Processor in India
• 1 Bank in India

Final Report in Compliance and Attestation of Compliance

• 5 Service Providers in India
• 1 Merchant in India (Global Merchant)

ISO 27001 Implmentation & Readiness Assessment

Implemented ISO 27001 for 2 Banking Clients, 2 IT Clients and 1 B.P.Os which included:

• Development of Asset Register Development
• Statement of Applicability
• Risk Assessment, Risk Management and Risk Mitigation procedure Development
• Policies, Procedures and Standard Development
• Baseline documents Development for Server, Databases, Firewalls, Network Devices, Web Servers, etc.
• Change Management
• Information Security Manual and Policies Development
• Disaster Recovery and Business Continuity Implementation
• Recovery Procedure and Strategies Development
• Documentation of Corrective and Preventive Action Plan
• Information Security Awareness and Training

Vulnerability Assessment & Penetration Testing

• Cert-IN Empanelment for Verizon Business -Consultant and Penetration Tester for empanelment of Verizon Business with Cert India. It involves performing Penetration Testing on Web Applications and reporting more than 90% of vulnerabilities within application along with Proof-of-Concept for exploited vulnerabilities.
• Application Security Assessment for Leading IT Service Organization - Lead Consultant and Security Assessor for one of the major IT service organization for their in-house application project.
• Network Assessment for BPO Organization in Financial Sector - Lead Consultant for Network Audit and Penetration testing for an IT/ITES client.
• Network Assessment for Leading Financial Organization - Conducted internal and external network assessment for leading financial organization.

Manual Configuration Review

 Performed manual configuration review of the following:

• Network Devices (Firewall, Routers, Switches, IDS, IPS, etc)
• Web Servers (IIS and Apache)
• Domain Controller/Active Directory
• Database Audits (Oracle, SQL 2000, 2005)
• Operating Systems (Windows, Linux, Unix, AIX)
• Antivirus (Symantec, McAfee)

 Risk Assessment

Carried multiple risk assessments which includes formulation of Asset Register, Asset Classification, threat and vulnerability identification, likelihood of impact and probability of  occurrence, based on Industry best practices such as:

• NIST 800-30
• OCTAVE
• ISO 27005

Incident Management Matrix Formulation

Formulated a Incident Management Matrix based on Verizon's VERIS Framework

• ISO 27001 Readiness Assessments and Implementation for IT/ITES and Payment Processor in India
• Performed Application Penetration Testing for Major Bank in India and Largest New Channel company in India.
• Carried out Business Impact Assessments for IT/ITES companies in India.
• Performed multiple Third Party vendor Risk Assessment reviews for Financial and Banking clients.
• Played key role in developing framework, methodology and templates for Vulnerability Management Lifecycle (VML) service offering.
• Executed a number of External and Internal Vulnerability Assessment (Firewalls, Network Devices, Applications, Servers, Databases, etc), Penetration Testing engagements on networks (wired and wireless) and Application Security.
• Assisted IT/ITES clients in developing Privacy and Data Protection solutions.
• Performed security configuration review and identified gaps against security baselines set by Clients' and leading industry practices; provided technical recommendations to mitigate the risk arising because of the gaps.
• Worked on SOX- IT engagements for manufacturing industries. The scope of work includes testing and review of different controls for operation, security and change management domains.
• Created Hardening of Servers and devices - Windows: Windows 2000 and 2003, UNIX: Solaris, AIX, Linux, Databases: Oracle, MSSQL 2000 and 2005, MYSQL, DB2, Routers and Switches: Cisco, Firewalls: Netscreen, Check Point and Pix, Web Servers: IIS and Apache, Proxies: Squid, IWSS, Exchange Servers: Microsoft Exchange, Hardening of Citrix Servers and Blackberry Servers.
• Team Management, timely project delivery, working on proposals and new oppurtunities

a. Providing expert level support for Linux Servers, Clusters, Databases and Healthcare Application.

b. Conducting RCA for Servers, Databases and Healthcare IT incidents

a. Managing Datacenter Operations.

b. Directing Administrators on Server Administration.

a. Providing Advisory on Linux and Microsoft infrastructure implementation

b. Conducting awareness sessions on Linux and Microsoft infrastructure implementation

a. Active Directory Management for in-house network

b. Microsoft infrastructure maintenance for in-house network

c. Security Controls (technical) implementation