Paras Arora

Gurgaon Haryana
[email protected]

Information Security Advisor

CISA

ISO/IEC 27001:2005 Lead Auditor

ISO 31000 Lead Implementer

Certified Ethical Hacker (CEH)

Computer Hacking Forensic Investigator (CHFI)

Microsoft Certified System Engineer (MCSE)

Certified Sarbanes Oxley Expert (CSOE)

PCI QSA

CISM

Skills

Privacy and Data Protection

1. Exposure to Safe Harbour law 2. Exposure to CanSpam Act

Web Application Source Code Review

1. Involved in threat profiling of the application under assessment 2. Involved in determining severity ratings for identified vulnerabilities 3. Presenting the identified issues and vulnerabilities to Sr. Management (including CxO's of the company) 4. Exposure on assessment tools like - IBM AppScan Source Edition

Web and Network Infrastructure Security Review

1. Conducted Network Security Architecture Reviews 2. Conducted Device Configurations Reviews for Network Devices 3. Conducted System Configuration Reviews for Web and DMZ Servers

Information Security Risk Assessment

1. Developed Risk Assessment Methodologies based on NIST 800-30 framework 2. Conducted Information Security Risk Assessment based on NIST 800-30 framework 3. Conducted Business Risk Assessment for Technology and Business Processes 4. Implemented controls to reduce the identified risks to an acceptable level

Infrastructure Penetration Testing

Application Penetration Testing

ISO 27001 Implementation and Sustenance

1. Involved in documenting Policies, Procedures and Guidelines. 2. Conducting Information Security Risk Assessment based on NIST 800-30 3. Managing and Conducting Internal Audits based on ISO/IEC 27001:2005 Standard 4. Driving the implementation of controls for minimizing the identified risks and issues 5. Involved in preparation of Information Security Awareness communication and imparting training. 6. Managing external surveillance audits for ISO/IEC 27001:2005 and ITGC standards.

PCI QSA

1. Documented the IROC and FROC based on PCI DSS v2.0\ 2. Conducted PCI DSS Assessments for Service Providers, Merchants, Payment Processors and Banks.

Passport and VISA Information

Passport Number: K6494222

Country: India

VISA: B1 VISA for USA.

VISA Validity: till Mar 2022

Awards and Recognitions

1. Award for Academic Excellence for year 2003-2004 (Guru Nanak Dev Polytechnic)

2. Award for Academic Excellence for year 2004-2005 (Guru Nanak Dev Polytechnic)

3. Awarded with I-to-I (Initiation to Implementation) award at Compare Infobase Pvt Ltd.

4. Awarded with Technical Excellence Award ( January 2009 )

5. Awarded with OVATION Award (January 2013) at Verizon India Pvt Ltd

6. Awarded with OVATION Award (March 2013) at Verizon India Pvt Ltd

Objective

A responsible and challenging position in an organization that would utilize my experience, nurture my ambitions and give vent to my inquisitiveness to learn and acquire newer skills. Get opportunities for growth based on achievements and to gain comprehensive understanding of the working of the Organization and to contribute to its overall growth.

Recent Project Experience

PCI DSS Gap Assessment for one of the Largest American Bank

Role: Project Manager and Lead Assessor

Responsibilities: To manage and conduct the Gap Assessment for one of the Largest USA Bank across multiple geographies within APAC region.

Business Continuity Strategy Implementation

Role: Project Manager / Lead Consultant

Responsibilities: To implement the practical business operations recovery strategy for a medium sized organization. This is in-line with the compliance and sustenance of ISO/IEC 27001:2005 control.

PCI DSS Implementation

Role: Project Manager / Lead Consultant

Responsibilities: To provide a project management and implementation support for an organization to achieve and sustain compliance to Payment Card Industry – Data Security Standard (PCI DSS) v2.0.

DLP, Log Correlation, and Web Proxy Implementation

Role: Project Manager / Lead Consultant

Responsibilities: To provide consultation and project management for implementation and operation management for RSA DLP, RSA enVision and Cisco IronPort Web proxy in a Medium Sized Technical Support organization.

Vulnerability Assessment and Penetration Testing for Web Application and Network Infrastructure

Role: Project Manager / Lead Consultant

Responsibilities: To manage and execute the medium – large sized (100 Web Application, 500 Network Devices) vulnerability assessment and penetration testing project for multiple clients.

Cert-IN Empanelment (Application Vulnerability Assessment) – Verizon Business

Role: Lead Consultant

Responsibilities: To identify, exploit, document and provide recommendations for the identified vulnerabilities in offline and online test bed for Cert-IN empanelment.

Resource Augmentation in Technical Support Organization

Role: Project Management

Description: To provide support and play a CISO role in an organization for strengthening Information Security services, managing compliance to various regulatory and organizational requirements, managing Vulnerability Assessment and Penetration Testing projects, conducting risk assessment, managing and coordinating for external PCI DSS, ITGC and Corporate Audits, to implement ISO 27001 standard and to manage the implementation of Security Operations Center (SOC).

Work experience

Jun 2010Present

Sr. Information Security Consultant

Verizon India Pvt Ltd

Practice Development & Project Management

Working on proposals and doing the effort estimation (costing sheet) for various projects such as PCI DSS assessment & certification, ISO 27001 readiness assessment & implementation , ISO 22301 readiness assessment & implementation, Vulnerability assessment and penetration testing, Application security testing.
Aligning appropriate resource based on project requirement
Meeting client for new opportunities for practice development
Managing and mentoring resources for project delivery
Participation in project kick-off and closure meetings
Managing client escalations and delivery

PCI DSS

Carried out PCI DSS Gap Assessment and issued Initial Report on Compliance, Final Report on Compliance and Attestation of compliance to:

PCI DSS Gap Assessment for:

8 Service Providers in India
2 Merchant in India (Global Merchant)
1 Payment Processor in India
1 Bank in India

Initial Report on Compliance for:

8 Service Providers in India
1 Merchant in India (Global Merchant)
1 Payment Processor in India
1 Bank in India

Final Report in Compliance and Attestation of Compliance

5 Service Providers in India
1 Merchant in India (Global Merchant)

ISO 27001 Implmentation & Readiness Assessment

Implemented ISO 27001 for 2 Banking Clients, 2 IT Clients and 1 B.P.Os which included:

Development of Asset Register Development
Statement of Applicability
Risk Assessment, Risk Management and Risk Mitigation procedure Development
Policies, Procedures and Standard Development
Baseline documents Development for Server, Databases, Firewalls, Network Devices, Web Servers, etc.
Change Management
Information Security Manual and Policies Development
Disaster Recovery and Business Continuity Implementation
Recovery Procedure and Strategies Development
Documentation of Corrective and Preventive Action Plan
Information Security Awareness and Training

Vulnerability Assessment & Penetration Testing

Cert-IN Empanelment for Verizon Business -Consultant and Penetration Tester for empanelment of Verizon Business with Cert India. It involves performing Penetration Testing on Web Applications and reporting more than 90% of vulnerabilities within application along with Proof-of-Concept for exploited vulnerabilities.
Application Security Assessment for Leading IT Service Organization - Lead Consultant and Security Assessor for one of the major IT service organization for their in-house application project.
Network Assessment for BPO Organization in Financial Sector - Lead Consultant for Network Audit and Penetration testing for an IT/ITES client.
Network Assessment for Leading Financial Organization - Conducted internal and external network assessment for leading financial organization.

Manual Configuration Review

Performed manual configuration review of the following:

Network Devices (Firewall, Routers, Switches, IDS, IPS, etc)
Web Servers (IIS and Apache)
Domain Controller/Active Directory
Database Audits (Oracle, SQL 2000, 2005)
Operating Systems (Windows, Linux, Unix, AIX)
Antivirus (Symantec, McAfee)

Risk Assessment

Carried multiple risk assessments which includes formulation of Asset Register, Asset Classification, threat and vulnerability identification, likelihood of impact and probability of occurrence, based on Industry best practices such as:

NIST 800-30
OCTAVE
ISO 27005

Incident Management Matrix Formulation

Formulated a Incident Management Matrix based on Verizon's VERIS Framework

Mar 2007May 2010

Sr. Information Security Consultant

Proton Technosoft

ISO 27001 Readiness Assessments and Implementation for IT/ITES and Payment Processor in India
Performed Application Penetration Testing for Major Bank in India and Largest New Channel company in India.
Carried out Business Impact Assessments for IT/ITES companies in India.
Performed multiple Third Party vendor Risk Assessment reviews for Financial and Banking clients.
Played key role in developing framework, methodology and templates for Vulnerability Management Lifecycle (VML) service offering.
Executed a number of External and Internal Vulnerability Assessment (Firewalls, Network Devices, Applications, Servers, Databases, etc), Penetration Testing engagements on networks (wired and wireless) and Application Security.
Assisted IT/ITES clients in developing Privacy and Data Protection solutions.
Performed security configuration review and identified gaps against security baselines set by Clients' and leading industry practices; provided technical recommendations to mitigate the risk arising because of the gaps.
Worked on SOX- IT engagements for manufacturing industries. The scope of work includes testing and review of different controls for operation, security and change management domains.
Created Hardening of Servers and devices - Windows: Windows 2000 and 2003, UNIX: Solaris, AIX, Linux, Databases: Oracle, MSSQL 2000 and 2005, MYSQL, DB2, Routers and Switches: Cisco, Firewalls: Netscreen, Check Point and Pix, Web Servers: IIS and Apache, Proxies: Squid, IWSS, Exchange Servers: Microsoft Exchange, Hardening of Citrix Servers and Blackberry Servers.
Team Management, timely project delivery, working on proposals and new oppurtunities

Sep 2006Feb 2007

Support Engineer (Unix)

Apollo Health Street

a. Providing expert level support for Linux Servers, Clusters, Databases and Healthcare Application.

b. Conducting RCA for Servers, Databases and Healthcare IT incidents

Jan 2006Aug 2006

Server Coordinator

Compare Infobase Pvt Ltd

a. Managing Datacenter Operations.

b. Directing Administrators on Server Administration.

Aug 2005Dec 2005

IT Consultant

Centre for Development of Advanced Computing (CDAC)

a. Providing Advisory on Linux and Microsoft infrastructure implementation

b. Conducting awareness sessions on Linux and Microsoft infrastructure implementation

Paras Arora

Privacy and Data Protection

Web Application Source Code Review

Web and Network Infrastructure Security Review

Information Security Risk Assessment

Infrastructure Penetration Testing

Application Penetration Testing

ISO 27001 Implementation and Sustenance

PCI QSA

Jun 2010Present

Sr. Information Security Consultant

Verizon India Pvt Ltd

Mar 2007May 2010

Sr. Information Security Consultant

Proton Technosoft

Sep 2006Feb 2007

Support Engineer (Unix)

Apollo Health Street

Jan 2006Aug 2006

Server Coordinator

Compare Infobase Pvt Ltd

Aug 2005Dec 2005

IT Consultant

Centre for Development of Advanced Computing (CDAC)

Jul 2004Feb 2005

Security Administrator - Microsoft

STG Intl', Delhi

PGDSDA

Centre for Development of Advanced Computing

B.E.

Institute of Electronics and Telecommunication Engineers

20022005

Diploma in Computer Science

Guru Nanak Dev Polytechnic

Sarabjeet Singh

Manisha Bansiwal

Gaurav Benjamin

Mukesh Dubey

Sarvesh Goorha