Summary

Gautam Sarnaik is a versatile Information Risk Management professional with 10+ years of hands-on experience across IT implementation, risk management, consulting and audit. He is an engineer, a CISA and a certified BS7799 Lead Auditor, with knowledge and experience of building and auditing internal controls based on BS7799, ITIL, COBIT and PCI-DSS.

Gautam has worked across verticals such as telecommunications, banking and the financial industry. He has extensive experience in using risk analysis models to identify and evaluate controls, and in providing assurance and advice to management and business process owners.

 

Education & Accreditations

Academics

  • Post Graduate Diploma in Software Technology [Jan 2000]
  • Bachelor of Engineering [June 1998]

Accreditations

  • BS7799 Lead Auditor [June 2005]
  • CISA [June 2003]
  • Member, IETE (India)

Skills

Risk Management

  • Use of risk analysis in:
      - Identity and trust management
      - Threat and vulnerability management
      - Strategic information security planning, policy management and reviews
  • FMEA (Failure Mode and Effects Analysis)
  • OCTAVE methodology from CERT
  • Understanding of the operational risk management framework required by Basel II

IS Delivery and Support

  • ITIL based service delivery and support
  • PMBOK based project and team management
  • Deep understanding of:
      - Application support
      - Network and security infrastructure
      - Datacenter operations management

IS Audit and IT Security

  • Internal controls audit using COBIT, NIST guidelines and ITIL
  • Compliance requirements such as ISO 27001 and PCI-DSS
  • Risk driven IT audits including:
      - IT general controls
      - Logical access controls
      - Network and infrastructure controls

Software Systems Development

  • SDLC and Unified Process
  • Software solution design and communication using UML
  • Software security strategies to manage confidentiality and integrity

Work History

Supervisor – IT Audit and Consulting
Aug 2005 to Current
Moore Stephens International Al Nisf and Partners [MSIL]

Summary

Client Management:

Managing the IT Internal Audit function for a key telecom industry client. The client is an MNC telecom operator with a footprint spread across 20+ countries in the Middle East and Africa. Specific engagement activities:

  • Develop and manage the annual IT audit plan (2006, 2007) across 6 countries including Kuwait, Bahrain, Iraq, Jordan, Lebanon and Sudan.
  • Use threat identification and risk matrices to enhance and ratify audit programs.
  • Plan and deliver audit programs to review security and internal controls based on COBIT, ITIL, ISO 27001 and other security and technology guidance.
  • Supervision and quality assurance of IT audit reports.
  • Support business auditors on specific technology controls.
  • Knowledge management and audit automation.
  • Support the client’s ISO 27001 certification process through internal reviews and guidance on security policy management and security management processes.

Practice Management:

  • Knowledge development and management for the ISO 27001 and Information Security Management practice.
  • Development of in-house capabilities for ITIL service delivery and support through resource training and knowledgebase development and management.
  • Exploring synergies and developing relationships with quality vendors for ITIL practice and training.
  • Domain expertise in PCI-DSS, eTOM, telecom management networks and security.
  • Content development for public forum presentations on standards such as ISO 27001 and BS25999 (Business Continuity Management).

Consultant – Information Security
Aug 2004 to July 2005
SIFY Ltd. [SIFY Assure SBU]

Summary

Information Security services: project management and delivery

  • Telecom industry: largest telecommunications operator in Saudi Arabia
  • Life insurance: private life insurance company in Mumbai, India
  • Internet: ISP data centre, India (technical risk assessment)

Client focused project services:

  • Managing client IT risk and information security requirements
  • Management reporting and presentations
  • Design and development of an information security policy framework
  • Review of information security policies and standards
  • Gap analysis vis-à-vis the BS7799 control baseline
  • Pre-acceptance reviews of technical standards for telecommunication assets
  • Design and development of standards for emerging technologies and systems such as Windows XP and wireless networking
  • Design and delivery of information security training
  • OCTAVE based risk assessments

Assistant Manager – Services Delivery and Support
Jan 2004 to Aug 2004
SIFY Ltd. [SafeScrypt SBU]

Summary

Team Manager – Trust management solutions and services using PKI.

Consistently achieved target revenue recognition and maintained high motivation levels in a 10-member team. Typical clients from:

  • Government
  • Banks and NBFCs
  • Telecommunications operators
  • Small businesses and enterprises

Risk assessment of an email system:

  • Client: a leading automobile manufacturing company in India
  • Use of OCTAVE and FMEA
  • Vulnerability assessments using Nessus
  • Post-implementation technical support

Delivery and implementation of a PKI based secure bulk email solution (B2C) for a leading MNC bank in India:

  • Managed client requirements and the SRS
  • Third-party solution development
  • Managed implementation of the system at the client data centre and its integration with the client’s business processes
  • Managed enhancements and support for the client

Entrepreneur and Consultant – Information Security
Sep 2002 to Dec 2003
SecureInfo

Summary

Business development and service delivery.

Training and services for PKI:

  • Client: software development firm
  • Trained developers in the use of PKI for secure coding
  • Consulting and implementation support

Process design and delivery:

  • Client: engineering company
  • ITIL based helpdesk and incident management processes
  • Training and implementation support

Security Software Engineer
Feb 2000 to Sep 2002
Internet Trends (I) Pvt. Ltd.

Summary

Development of network security software: an Intrusion Detection System.

  • Develop and manage a knowledge base for network security, threat and vulnerability management.
  • Requirement analysis, design and implementation of software modules.
  • FMEA based risk analysis and SQA.
  • Unified Process for the SDLC, including documentation using UML and UML supporting tools.

Research Assistant
Aug 1998 to Jan 2000
National Centre for Software Technology [Now CDAC], India

Summary

Team member of the Real Time Systems and Networks [now Computer Networks and Internet Engineering] Group.

Operation, maintenance and security of the ERNET (Education and Research Network) point of presence in India:

  • Network administration
  • Management of email and DNS infrastructure

Development and delivery of the Post Graduate training course in Internet Engineering [PGDIT]:

  • Development of content, course delivery, testing and evaluations.
  • Training and mentoring of post graduate students.

Permanent Address: 5-A, Onkar Society, Amboli, Andheri (West), Mumbai – 400058, INDIA
Residence Telephone: 0091-22-26793728
Current Location: Kuwait
Current Telephone: 00965-9005197
Email: gautam.ms.il@gmail.com