Federal Territory of Kuala Lumpur, Malaysia
18 years of combined experiences covering below scopes: 1) technology risk management 2) information security 3) technology assurance 4) operational risk management 5) outsourcing risk management 6) data privacy 7) business continuity 8) process improvement This include hands-on experiences rolling out framework, policies, standards, processes and programs. Solution-oriented, and trust that engagement is key to any solution. Believe that being decisive and self driven are crucial in achievement of goal.
- Established the technology risk management framework and process. - Provide advisory and support company-wide technology risk remediation effort. - Improved and consolidated company-wide technology risk registers. - Oversee the company ISO27001 certification program, continuous engagement with stakeholders to ensure continuous improvement of the company Information Security Management System (ISMS). - Established third-party technology risk management framework and process, including standard security contract clauses. - Improved Information Technology (IT) security policies, provided guidance on IT security best practices. - Drive cyber security awareness culture through established awareness program. - Drive improvement of internal control testing. - Provide advisory and guidance on other functions such as audit management, contract reviews, data governance and data privacy. - Managed a team of 4 for this role.
- Managed and provided advisory on IT security risk for projects. - Developed IT security risk assessment checklist for cloud related projects. - Developed new hardening checklists based on CIS benchmarks. - Maintenance of existing hardening checklists. - Provided advisory for cyber risk management of outsourcing vendors. - Developed guideline and checklist for cyber risk assessment of outsourcing vendor. - Improved on IT policy exemption process, including development of risk calculator to assess on IT security risk of IT assets. - Processed and provided advisory on exemption requests related to IT security requirements. - Updated the IT security policy.
- Supported the organisation overall enterprise risk management initiatives such as RCSA, control testing, including leading the outsourcing, business continuity and technology risk management initiatives. - Completed localization of Technology Framework and Cyber Resilience Policy based on BNM RMIT. - Developed Cyber Security Improvement (CSI) plan. - Managed implementation of various CSI initiatives. - Drafted the company cyber risk profiles. - Established value-at-risk for the cyber risks. - Developed Outsourcing Risk Mgt. Framework. - Revised risk assessment checklist to aligned to regulatory requirements. - Performed risk assessments on outsourcing and internet services, including assessing on operational, information, compliance, continuity and other risks. - Performed materiality assessments on services. - Worked with process owners to establish contingency plans for outsourcing arrangements. - Reviewed third-parties Business Continuity Plans. - Completed review of business impact assessment. - Reviewed risk profiles and performed control testing. - Managed a manager for this role.
- Drive resolution of internal audit findings. - Established IT risk profile. - Developed IT security baseline adoption plan. - Developed disaster recovery testing plan, guideline. - Reported on quarterly audit finding update. - Drive establishment of security incident mgt. process. - Reviewed technical security design for project. - Governed compliances to IT security policies. - Developed IT Governance function and framework. - Developed IT Assurance Program and conducted assurance review. - Developed IT Risk Management framework. - Supported the internal audit exercise. - Supported business continuity planning initiative. - Managed a team member for this role.
- Drive compliance to global IT policies, conducted review, identified and addressed policies gaps. - Managed coordination of IT audit exercise and resolution of audit issue. - Developed IT security program, including on its budgeting. - Implemented IT risk management process. - Performed security monitoring on patching, malware, prohibited software, access rights, encryption and vulnerability scanning. - Implemented checklist and conducted review for security requirements. - Implemented third party contract standard clauses. - Involved in information security incident resolution. - Implemented security awareness program. - Addressed security queries from stakeholders, including from third parties. - Established reporting mechanism to risk committee. - Provided advice on data privacy requirements