Summary
Gautam Sarnaik is a versatile IS Assurance professional with 10+ years of hands-on experience across IT implementation, management, consulting and audit. He is an engineer, a CISA and a certified BS7799 Lead Auditor with knowledge and experience of effective service delivery and support, and of building and auditing internal controls based on BS7799, ITIL, COBIT and PCI-DSS.
Gautam started his career in the electronics manufacturing industry and has since worked across verticals such as telecommunications, banking and the financial industry. He has extensive experience in using risk analysis models to identify and evaluate controls and to provide assurance and advice to management and business process owners.
Education & Accreditations
Academics
§ Post Graduate Diploma in Software Technology [Jan 2000]
§ Bachelor of Engineering [June 1998]
Accreditations
Skills
· IS Delivery and Support
  · ITIL service delivery and support
  · Project and team management for service delivery projects
  · Technology management for network and security infrastructure
  · Software systems implementation projects
· IS Audit and IT Security
  · Technical risk assessments
  · Internal controls audit using COBIT, ISO 27001, NIST guidelines and ITIL
  · Risk-driven IT audits including
    § IT general controls
    § Logical access controls
    § Network and infrastructure controls
  · Strategic information security planning, policy management and reviews
· Software Systems Development
  · SDLC and Unified Process
  · Software solution design and communication using UML
  · Software security strategies to manage confidentiality and integrity
· Pre-Sales
  · Customer-oriented communication
  · Effective presentation skills
  · Mapping client requirements to delivery capabilities
  · Solutions overview and business proposals
  · Supporting customer retention from ongoing projects
Work History
Supervisor – IT Audit and Consulting | Aug 2005 to Current | Moore Stephens International Al Nisf and Partners [MSIL]
Summary
Client management: Managing the IT audit engagement with a key telecom industry client. The client is an MNC telecom operator with a footprint spread across 20+ countries in the Middle East and Africa. Specific engagement activities:
· Develop and manage the annual IT audit plan (2006, 2007) across 6 countries including Kuwait, Bahrain, Iraq, Jordan, Lebanon and Sudan.
· Plan and deliver audit programs to review security and internal controls based on COBIT, ITIL, ISO 27001 and other security and technology guidance.
· Supervise and review other IT auditors.
· Support business auditors in specific technology controls.
· Contribute to knowledge management and audit automation efforts.
· Support the client's ISO 27001 certification process through internal reviews and guidance on security policy management and security management processes.
Practice management:
· Knowledge development and management for the ISO 27001 and Information Security Management practice.
· Development of in-house capabilities for ITIL service delivery and support through resource training and knowledge base development and management.
· Exploring synergies and developing relationships with quality vendors for the ITIL practice and training.
· Domain expertise on topics such as PCI-DSS, eTOM, telecom management networks and security.
Business development:
· Lead generation from professional references, leading to significant business in 2007.
· Relationship management with existing and potential clients.
· Presentations for knowledge sharing and business proposals to clients.
· Content development for presentations to public forums on standards such as ISO 27001 and BS25999 (Business Continuity Management).
Consultant – Information Security | Aug 2004 to July 2005 | SIFY Ltd. [SIFY Assure SBU]
Summary
Information security services: project management and delivery
· Telecom industry: largest telecommunications operator in Saudi Arabia
· Life insurance: private life insurance company in Mumbai, India
· Internet: ISP data centre, India (technical risk assessment)
Client-focused project services:
· Managing client requirements and projects
· Management reporting and presentations
· Design and development of an information security policy framework
· Review of information security policies and standards
· Gap analysis vis-à-vis the BS7799 control baseline
· Review and enhancements to security organization components
· Pre-acceptance reviews of technical standards for telecommunication assets
· Design and development of standards for emerging technologies and systems such as Windows XP, wireless networking, etc.
· Design and delivery of information security training
· Technical risk assessments
· Internal controls evaluation and reporting
Assistant Manager – Services Delivery and Support | Jan 2004 to Aug 2004 | SIFY Ltd. [SafeScrypt SBU]
Summary
Managed a team of 10 information security engineers across major metros in India implementing and supporting solutions and services based on PKI [Public Key Infrastructure]. Consistently achieved target revenue recognition and maintained high motivation levels in the team. Typical clients from:
· Government
· Banks and NBFCs
· Telecommunications operators
· Small businesses and enterprises
Managed a 2-member team for the technical risk assessment of an email system:
· Client: a leading automobile manufacturing company in India
· Review and analysis of the IT infrastructure supporting the email system
· Personally trained engineers in the use of the Nessus vulnerability assessment (VA) tool and managed the evaluation and presentation of the VA
· Guided post-implementation support to the client's technical teams
Managed development and implementation of a PKI-based secure bulk email solution (B2C) for a leading MNC bank in India:
· Managed client requirements and the SRS
· Third-party solution development
· Managed implementation of the system at the client data centre and its integration with the client's business processes
· Managed enhancements and support for the client.
Entrepreneur and Consultant – Information Security | Sep 2002 to Dec 2003 | SecureInfo
Summary
Entrepreneur and consultant for information security. Developed business and delivered end-to-end services for clients.
For a software development house:
· Reviewed the existing skill sets and requirements of the client.
· Created a training program for the developers on the PKI technologies involved and their usage via the MS Crypto API.
· Consulted on product development to integrate PKI requirements into the design of the product.
· Designed the modules required to use PKI and digital signatures.
· Provided implementation support to developers.
For an engineering company in India, developed help desk and incident management processes based on ITIL:
· Review of existing infrastructure and processes
· Design of incident capture and recording procedures using the ITIL Help Desk and Incident Management processes as the guiding framework
· Presentation on ITIL and incident management to the management team to seek buy-in
· Definition of the operational procedures and creation of Excel-based templates to support them
· Initial training and support to operational staff in using the templates
Security Software Engineer | Feb 2000 to Sep 2002 | Internet Trends (I) Pvt. Ltd.
Summary
Key projects for the development of network security software, including an IDS solution (Symantec NetProwler). As a software engineer and team member, was responsible for:
· Research activity to understand and create a knowledge base on network security, types of intrusions and intrusion detection.
· Internal papers and presentations on Denial of Service and Distributed Denial of Service attacks on networks.
· Analysing the requirements for the product and providing technical solutions.
· Design and implementation of various software modules.
· Secure messaging channels (SSL), data and message structuring (XML), database design (RDBMS and ER diagrams) and API development for various modules.
· Using and mentoring the use of the Unified Process for the SDLC, including documentation using UML and UML-supporting tools.
Research Assistant | Aug 1998 to Jan 2000 | National Centre for Software Technology [now CDAC], India
Summary
Team member of the Real Time Systems and Networks [now Computer Networks and Internet Engineering] Group. Was responsible for the operation, maintenance and security of the point of presence of ERNET (Education and Research Network) in India:
· Network administration
· Management of email and DNS infrastructure
Development and delivery of the Post Graduate course in Internet Engineering [PGDIT]:
· Development of content over five core modules
· Training and mentoring of post graduate students
· Course delivery, testing and evaluations
Permanent Address: 5-A, Onkar Society, Amboli, Andheri (West), Mumbai – 400058
Residence Telephone: 0091-22-26793728
Current Location:
Current Telephone: 00965-9005197
Email Id.: