I'm Shaswat

an Information Security & IT Risk Consultant

I help organizations navigate through complexities of cybersecurity, compliance, and IT risk. My expertise spans IT Internal Audit, Governance, Risk & Compliance (GRC), and Cybersecurity Framework Implementation. I bridge governance with hands-on technical insights, enabling businesses to strengthen their defenses, meet regulatory expectations, and build resilient systems.

Download CV

0 +

Years of
Experience

0 +

Organizations
Defended

0 k+

YouTube
Subscribers

Professional Synopsis

A Certified Ethical Hacker (CEH) and ISO/IEC 27001 Lead Auditor with over 3 years of experience in Information Security, specializing in IT Internal & Integrated Audits and GRC (Governance, Risk Management & Compliance). Adept at executing engagements involving ISMS, IT General Controls (ITGC), IT Application Controls (ITAC), Endpoint Data Leak Prevention (DLP), and regulatory compliance aligned with the Digital Personal Data Protection Act (DPDP) 2023, NIST Cybersecurity Framework (CSF), and ISO/IEC 27001.

Possess a strong grasp of cybersecurity principles, privacy regulations, and frameworks such as NIST RMF 800-37, PCI-DSS, ISO 22301, and ISO 31000. Known for a keen analytical eye and meticulous attention to control design, documentation, and policy drafting, ensuring effective governance and risk mitigation across technology and business environments.

With extensive exposure to the insurance and financial services sectors, have collaborated with leading global and Indian organizations to deliver tailored, stakeholder-focused solutions that enhance compliance maturity, operational resilience, and audit efficiency.

Adept at developing winning proposals, RFPs, comprehensive reports, audit documentation, and insightful presentations that communicate technical findings with clarity. Passionate about continuous learning and innovation, with proficiency in Generative AI, Web Application Penetration Testing, Power BI, Visio, Data Science, Big Data, SQL, and working knowledge of PHP, Python, and C++.

Explore my core areas of experience below (click to expand for details).

IT General Controls (ITGC) and Risk Management

1. Led ITGC reviews across IAM, Change Management, IT Operations (including Backup & Recovery) and Physical Security, executing Test of Design (ToD) and Test of Operating Effectiveness (ToE) to validate control design and operating effectiveness under NIST CSF 2.0, SOX, and NIST SP 800-53. Leveraged Azure Active Directory, SailPoint, SIEM (Splunk), and ITSM (ServiceNow) to evidence control design, operating effectiveness, and remediation.

1. Performed integrated audits mapping IT controls to business processes and financial assertions; documented walkthroughs, control narratives, RACM, test scripts, sampling, and audit evidence to support assurance conclusions.

1. Reviewed and improved ISMS policies (User Access, Change, Acceptable Use, Asset Management, Incident Response, BCP, DR, Cyber Crisis Management) with document control, versioning, and approval records, ensuring alignment to ISO/IEC 27001:2022 and organizational objectives.

1. Assessed RPA environments for governance, credential vaulting, segregation of duties (SoD), bot account management, logging, monitoring, and exception handling for ITGC compliance and change governance.

1. Assessed cloud security using CIS Benchmarks, validating IAM, encryption, logging, segmentation, backup and DR per NIST CSF 2.0.

1. Established security governance through monthly SteerCo reviews by tracking KRIs/KPIs and driving timely issue resolution achieving over 95% on-time closure.

Conducted gap analyses against NIST SP 800-53, producing maturity assessments, risk heatmaps and closure evidence for prioritized remediation.

IT Automated Controls (ITAC)

1. Assessed application controls across interfaces, input and edit checks, master data, report integrity, configurable parameters, and SoD to ensure accuracy, completeness, and authorized processing (C&A assurance).

1. Identified risks of unauthorized data modification; implemented preventive and detective measures (e.g., maker–checker, field validation, audit trails, immutability, reconciliations), and validated parameter security and access restrictions.

1. Evaluated automated controls and system configurations; recommended design changes to reduce manual intervention, lower control failure probability, improve change management and strengthen the Software Development Lifecycle (SDLC).

Evaluated input fields to verify that critical data inputs are governed by appropriate validations and checks, ensuring data integrity and completeness.

Regulatory & Framework Compliance (RBI, IRDA, SAMA, DPDP etc.) and Internal Policy Adherence:

1. Aligned ISO/IEC 27001 implementations with IRDAI and RBI expectations; mapped controls to NIST CSF 2.0 and NIST SP 800-53 to demonstrate regulatory coverage and identify residual risk.

1. Performed SAMA Cybersecurity Framework (SAMA CSF) gap assessments across cybersecurity and IT governance policies; tracked remediation to closure with audit evidence and management sign-off.

1. Reviewed applications and APIs for PII exposure across UI, logs, and reports; verified compliance with IRDAI guidance and India’s Digital Data Protection Act (DPDP) 2023 (e.g., purpose limitation, data minimization, consent, retention).

1. Strengthened BCP/DR programs for asset coverage, RTO/RPO alignment, backup and restore validation, and periodic drills and tabletop exercises; captured lessons learned and plan updates.

Operationalized policy adherence by converting policies into testable checklists, sampling plans, and evidence requirements; recorded non-conformities and corrective actions for compliance reporting.

Vendor / Third Party Risk Management:

1. Executed Third-Party Risk Management (TPRM) assessments covering SLA compliance, logical and physical security, data protection, incident notification, and sub-processor oversight; identified material gaps and drove remediation with vendors.

Conducted on-site assessments for social-engineering exposure, media handling, endpoint DLP posture, and access provisioning and de-provisioning, mitigating data leakage and insider risk.

PII Data Security, Endpoint Review and DLP Testing:

1. Mapped sensitive-data flows across users, systems and apps on Microsoft Visio; evaluated encryption in transit and at rest (e.g., TLS 1.2+, AES-256, where applicable) and identified leakage points for targeted controls.

1. Assessed endpoint security (laptops, desktops, thin clients), identified DLP control gaps, and recommended policy/rule updates, device and port control, clipboard/print restrictions, and browser isolation.

Centralized endpoint hygiene via asset inventory, patch management, DLP ruleset deployment, and Antivirus and Endpoint Detection and Response (EDR) updates through remote management, with coverage and exception dashboards for governance.

Cybersecurity, Dynamic Application Security and Penetration Testing (DAST):

1. Performed automated and manual DAST using Burp Suite, OWASP ZAP, and SQLMap; validated OWASP Top 10 issues (SQLi, XSS, IDOR, Broken Authentication, Access Control, Security Misconfiguration, Sensitive Data Exposure) and captured PoC and risk ratings (CVSS).

1. Partnered with the IT team to retest, verify fixes, and implement secure defaults (least privilege, CSRF protections, rate limiting, input sanitization, CSP and security headers), updating threat models and the risk register.

Proposals, Reports and Documentation

1. Developed client proposals with tailored scope, methodology, deliverables, and effort estimates, leading to awarded engagements and clear acceptance criteria.

1. Led Business Impact Analyses (BIA) and produced governance artifacts (risk register, software and hardware asset inventories, lessons-learned log, endpoint testing templates) to standardize security operations.

Delivered executive-ready reports with graphs and dashboards (PowerPoint, Power BI) with findings, risk ratings, prioritized recommendations, and roadmaps, improving stakeholder decision-making and remediation tracking.