Testimonials

Thanks Khushbu. Really appreciate the knowledge acquired in the Infosec & BC arena in such early stages of career and your session delivery was by far the best.

- Girish Awachat, Principal Financial Group.
Khushbu Jithra

Her expertise lies in information security and IT implementation with specializations in Business Continuity Management (BS 25999 and other guidelines), Payment Card Industry Data Security Standard (PCI DSS), COBIT, COSO, IT Governance, Information Security Management Systems (ISO 27000 series), IT Service Management (ISO 20000), Information Technology Infrastructure Library (ITIL), and Integrated Management Systems (based on PAS 99). Her experience ranges from providing consulting services to executing implementation projects, in addition to auditing and overall management of the compliance practice at the organization.

Profile
Educational Qualification
  • Master of Science (Information Technology)
    University of Mumbai, India
  • Bachelor of Science (Information Technology)
    University of Mumbai, India
Certifications
  • Certified Information Systems Auditor (CISA), ISACA
  • ISO 27001:2005 Implementation Course (International Standard for Information Security), BSI Systems
  • BS 25999 Lead Auditor Course (International Standard for Business Continuity), BSI Systems
  • BEC Higher (Business English Certificate), University of Cambridge, UK
Domain Specializations
  • Specializations in Governance, Regulation, and Compliance (GRC) and Information Assurance, along with security standards and methodologies:
    • PCI DSS
    • ISO 20000, ITIL, and IT Assurance
    • ISO 27001
    • BS 25999 and the Business Continuity Institute (BCI) Good Practice Guidelines
    • COSO and COBIT
    • RBI and NSE guidelines
    • Open Web Application Security Project (OWASP) Top 10
    • OSSTMM (Open Source Security Testing Methodology Manual)
    • Governance, Regulation, and Compliance (GRC)
    • Auditing: ISO 19011
    • Val IT Framework
    • Java Spring Framework

  • She has also actively contributed to the successful completion of Advanced Product Guides for a major Security Information Management (SIM) solution, netForensics. Additionally, she writes special papers and service reports (Compliance, Penetration Testing, Vulnerability Assessment, and Internal Audits), and carries out analysis of security advisories. She is also engaged in information security research activities at the organization.
  • She also plays an important part in delivering all information security documentation projects and heads the Information Security Documentation service.
Domain Expertise

She holds understanding and knowledge of the following domain-specific repositories of practice information. These are used in conjunction with NII's custom methodology for approaching each assignment.

  • Standards
    • BS 25999 - Standard for Business Continuity Management
    • ISO 27001 - Information technology - Security techniques - Information security management systems - Requirements
    • ISO 27002 - Information technology - Security techniques - Code of practice for information security management
    • ISO 27005 - Information technology - Security techniques - Information security risk management
    • ISO 20000 - International standard for IT Service Management
    • ISO 9001 - International standard for Quality Management Systems
    • ISO 19011 - International standard for guidelines on management systems auditing (especially quality and environment)
    • PAS 99 - Publicly Available Specification for integrated management systems (ISO 27001, ISO 9001, ISO 14000)
    • PCI DSS - Payment Card Industry Data Security Standard
    • PA-DSS - Payment Application Data Security Standard

  • Frameworks
    • COSO Enterprise Risk Management Framework
    • COBIT Control Objectives for Information and related Technologies
    • ITIL version 3 IT Infrastructure Library

  • NIST SP 800 series guidelines
    • SP 800-124 - Guidelines on Cell Phone and PDA Security
    • SP 800-123 - Guide to General Server Security
    • SP 800-121 - Guide to Bluetooth Security
    • SP 800-115 - Technical Guide to Information Security Testing and Assessment
    • SP 800-114 - User's Guide to Securing External Devices for Telework and Remote Access
    • SP 800-113 - Guide to SSL VPNs
    • SP 800-111 - Guide to Storage Encryption Technologies for End User Devices
    • SP 800-95 - Guide to Secure Web Services
    • SP 800-92 - Guide to Computer Security Log Management
    • SP 800-55 - Performance Measurement Guide for Information Security
    • SP 800-51 - Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
    • SP 800-50 - Building an Information Technology Security Awareness and Training Program
    • SP 800-45 - Guidelines on Electronic Mail Security
    • SP 800-44 - Guidelines on Securing Public Web Servers
    • SP 800-40 - Creating a Patch and Vulnerability Management Program
    • SP 800-30 - Risk Management Guide for Information Technology Systems
Written Work (Articles / Blogs)
  • Key Strategies for Implementing ISO 27001 at IT Audit (An IT resource for Internal Auditors)
    An article outlining the essentials of implementing an information security management system (ISMS) as prescribed by the international standards for information security ISO 27001.
  • MS Office Security at Infocus, SecurityFocus (Official Online publication of Symantec Corp.)
    A two-part article which discusses Microsoft Office's OLE Structured Storage and the nature of special (dropper) programs and other exploit agents, in an effort to scrutinize the workings of some MS Office exploits. It collates some forensic investigation avenues through different MS Office features. Parts of the article sample different MS Office vulnerabilities to discuss their nature and the method of exploitation.
  • iScribe Information Security Documentation
    A one-of-a-kind blog on the niche domain of Information Security Documentation. It aims to discuss InfoSec documentation practices and the challenges faced by technical communicators.
Conferences and Speeches

  • Invited to conduct BCM Workshop at the Annual ISACA Conference (September 2009)
  • Invited to speak at the 4th IT Audit Research Symposium, International IIA Conference (May 2009)
  • Invited to speak at Annual training program on information risk management, Institute of Distance Education, Mumbai University (June 2008)
  • Invited to speak at IEEE PCS 2006
  • Invited to speak at the 8th Annual STC India Conference (December 2006)
  • Invited to conduct a session at the STC Mumbai Learning Session (October 2006)
Skill Sets
Infrastructure-related
  • Operating Systems: Windows NT/2K/XP/9x/Vista, Linux (RedHat)
  • Databases: MS SQL Server, Oracle, MySQL
  • Languages: C, C++, Visual Basic, PHP
  • Firewalls: Cisco PIX range, Cyberguard, Watchguard, Juniper Netscreen
  • Secure enterprise and telecommuting remote connectivity techniques and technology: VPN, SSL, SSH, RADIUS, TACACS, PAP, CHAP
  • Network and information availability concepts: RAID, Backup Media (Tape Arrays, Jaz drives)
  • Key security protocols: SET, SHTTP, SSH-2, SSL, SKIP
  • Cryptographic Concepts: Symmetric and Asymmetric key cryptosystems, Public Key Infrastructure, and cryptographic algorithms
    • Block ciphers: IDEA, 3DES, Blowfish, Lucifer, Rijndael, Skipjack, Twofish
    • Stream ciphers: RC4
    • Hashing algorithms: MD5, SHA-1
Consulting Process-related
  • Scope identification, expectations management, and resource management
  • Risk Assessment and Management Approaches: Probabilistic Risk Assessment, Current State Assessment, Qualitative and Quantitative Risk Assessment
  • Business Impact Analysis Concepts: Identification criteria for Recovery Time Objective, Recovery Point Objective (or Maximum Tolerable Period of Disruption), and Level of Continuity. Risk Quartile Matrix, Business Impact Resource Recovery Analysis
  • Fundamental Business Continuity Models: Active/Backup, Active/Active, Alternate Site Models. Planning and activation tests of disaster recovery site options: Hot/Warm/Cold/Reciprocal
  • Crisis Management: Identifying inputs for designing the evaluation and categorization framework and designing the escalation process flow chart
Project planning and management-related
  • Executed more than 20 disparate projects (internal and external) in a span of 42 months
  • Planned and managed some of the major accounts for projects involving business continuity management framework design and implementation, ISO 27001 implementation, PCI DSS compliance, internal security reviews, and security awareness programs
  • Aware of the best practices from project management frameworks such as PMBOK and PRINCE2
  • Managed teams of varied nature and sizes
  • Experience working with global clients especially in the US, European and Middle East regions
Representative Projects in domain expertise
Business Continuity Projects
  • Planning Exercise for a major telecom organization
  • BCM Framework for a major collections BPO
  • BCM Framework for a major KPO
  • BCM Framework for India's largest online share trading portal
  • BCM Framework for a major specialized telecom device tracking solution provider
  • In-house BCM Framework
  • BCM Framework for Bollywood's major visual effects and animation studio
  • Business Continuity and Security Audit for an international customs organization
Security Audit and Assessment Projects
  • Internal security audit based on BS 25999 and ISO 27001 for India's largest local search engine
  • Internal security review based on COBIT, ISO 27001, and COSO for one of India's largest insurance coverage providers
  • Internal security review of the web application environment for one of India's largest insurance coverage providers
  • Internal Audit for a major collections BPO
  • Internal Audit for a major KPO
PCI DSS Projects
  • PCI DSS compliance consulting for India's largest matrimonial portal
Implemented an Integrated Management System (IMS) for a major collections BPO
  • Implemented an integrated management system based on the PAS 99 guidelines. The assignment included the integration of the quality management system (QMS) and the information security management system (ISMS) for more than 10 business units
Implemented ISO 9001 for a major collections BPO
  • Implemented the Quality Management System and conducted internal audits for the BPO for its two major facilities in Mumbai. The assignment required drafting of policies, processes and procedures in addition to a comprehensive gap analysis exercise carried out to ascertain the problems affecting the performance of the organization.
Internal Audit and ISO 27001 Implementation for a major KPO
  • Conducted a comprehensive ISO 27001 compliance exercise covering more than 17 processes for a major KPO. The assignment required a full-fledged audit of the organization and plugging of the findings in the audit.
Designed and Implemented Information Security Awareness material for the largest telecom in Bahrain
  • Designed and implemented presentations, quizzes, news, and vulnerability updates as part of an information security awareness initiative (to be used on the organization's intranet sites). The implementation was designed with the help of content maps and tested with the help of usability tests and personal feedback.
Conceptualized the Advanced Product Guides for a leading Security Information Management solution - netForensics
  • Contributed to the successful completion of the Advanced Product Guides for netForensics, a major Security Information Management (SIM) solution.