An Information Security & IT Risk Consultant
I navigate businesses through the complex landscape of information security. My experience primarily lies in IT Internal Audit, GRC, and cybersecurity. I help businesses fortify their defenses and safeguard their valuable assets.
Career Synopsis
As a Certified Ethical Hacker (CEH) and ISO 27001 Lead Auditor, I bring nearly 3 years of hands-on experience in the realm of information security, serving both global and Indian organizations. My expertise lies in IT Internal Audit and Governance, Risk Management, and Compliance (GRC), where I have successfully led projects focused on ISMS, IT General Controls (ITGC), IT Application Controls (ITAC), Endpoint Data Leak Prevention (DLP), and regulatory compliance frameworks such as the Digital Personal Data Protection Act (DPDP) 2023, NIST CSF 800-53, and ISO 27001. I also have a solid grasp of frameworks like NIST RMF 800-37, PCI-DSS, ISO 22301, and ISO 31000.
My experience spans across the insurance and financial services sectors, having worked with prominent global clients like Prudential, Guardian, and CME Group, as well as leading Indian organizations such as Niva Bupa Health Insurance, Max Life Insurance, Aditya Birla Health Insurance, IIFL Housing Finance, and Bajaj Finserv. My natural ability to identify flaws in design and detail empowers me to craft thorough and compelling audit reports, proposals, and assessment documentation.
I am deeply committed to continuous learning, constantly enhancing my skill set through online training in advanced technologies such as Data Science, Big Data, SQL, SIEM, Power BI, and Visio. Additionally, I possess foundational knowledge in programming languages like PHP, Python, and C++.
Below are my Areas of Expertise:
- Conducted comprehensive ITGC reviews across areas like Identity and Access Management (IAM), incident management, backup and recovery controls, data center security, and change management.
- Led integrated audits by working closely with cross-functional teams to assess the interplay between IT systems and business processes.
- Developed and refined ISMS policies for various organizations, including Cyber Crisis Management, Disaster Recovery, Business Continuity, Change Management, Acceptable Use, Asset Management, and Incident Response.
- Investigated the presence of generic accounts in systems and applications, offering recommendations to enhance accountability, minimize excessive privileges, and monitor activity.
- Created Risk Control Matrices (RCMs) with tailored risk rating criteria for multiple clients and facilitated discussions on remediation plans for identified risks.
- Conducted Test of Design (TOD) and Test of Effectiveness (TOE) to evaluate the adequacy and operational effectiveness of controls in mitigating risks.
- Reviewed automated controls in key business systems to ensure the accuracy and reliability of financial and operational data.
- Tested controls related to interfaces, input validation, report generation, segregation of duties, access controls, and configurable controls.
- Assessed the configuration of system-based controls, tested automated processes, and recommended improvements to enhance efficiency and reduce manual intervention.
- Supported organizations in reviewing ISO 27001 implementation and aligning security controls with NIST CSF 800-53 guidelines as per IRDAI.
- Reviewed applications and APIs to ensure the security and accessibility of Personally Identifiable Information (PII) in compliance with IRDAI and the Indian Digital Personal Data Protection Act (DPDP) 2023.
- Enhanced Business Continuity and IT Disaster Recovery (DR) plans to ensure asset coverage and the timely execution of drills and incident response exercises.
- Conducted policy adherence reviews by converting policy documents into actionable checklists, establishing relevant test steps, and specifying data requirements to identify non-compliances.
- Evaluated vendor management practices to ensure compliance with service level agreements (SLAs).
- Conducted physical and digital security assessments at vendor sites, identifying significant gaps in client data security.
- Inspected tele-sales operations to uncover social engineering vulnerabilities and other physical data leakage risks.
- Analyzed data flows within applications to pinpoint potential data leakage points.
- Designed data flow diagrams in Microsoft Visio to visualize the movement of sensitive data and PII across staff, systems, and applications.
- Assessed endpoint security (laptops, desktops, thin clients), identified major gaps in Data Leak Prevention (DLP), and recommended measures to prevent unauthorized data extraction.
- Assisted in maintaining endpoint inventory and configuring remote updates for patches, DLP rulesets, and antivirus definitions.
- Utilized manual and automated Dynamic Application Security Testing (DAST) tools such as Burp Suite, SQLMap, and OWASP ZAP to identify and mitigate security vulnerabilities in web applications.
- Identified and exploited vulnerabilities like SQL Injection, XSS, IDOR, Broken Authentication, Broken Access Control, Security Misconfiguration, and Sensitive Data Exposure.
- Crafted winning proposals for multiple clients by incorporating unique approaches and innovative methodologies tailored to the requested scope.
- Conducted Business Impact Analysis (BIA) and created documentation such as risk registers, software inventories, asset inventories, lessons learned trackers, and endpoint security testing templates.
- Developed detailed reports in PowerPoint, using executive summaries, recommendations, and Power BI visualizations to clearly represent the security posture and make complex information easily understandable.
Experience
Ernst & Young:
A global leader in assurance, tax, transaction, and advisory services, helping businesses achieve their potential.
Consultant
August 2024 - Present
Protiviti:
A global consulting firm delivering deep expertise in risk, advisory, and internal audit services.
Tech Risk Consultant
June 2023 - Aug 2024
Nangia & Co LLP:
A trusted advisory firm in India, offering comprehensive tax, audit, and business consulting services.
Sr. Cybersecurity Analyst
June 2022 - June 2023
TCS:
A leading global IT services, consulting, and business solutions organization, driving digital transformation.
Intern - Advanced DAST
June 2020 - Aug 2020
Technical Skills
Education
MBA – Information Technology and Financial Management
2022 - 2024
Swami Vivekananda Subharti University, Meerut (Distance)
B. Tech – Computer Science and Engineering (81%)
2018 - 2022
Madhyanchal Professional University, Bhopal (Full-Time)
Say Hi!
YouTube: /c/ShaswatManojJha
LinkedIn: /in/Shaswat Manoj Jha
Telegram: @shaswatmanojjha
Address: Mumbai, India