Mourad Mehenni

Securing Generali's critical business applications and ensuring compliance with European NIS regulation.

Management of cross-functional cybersecurity and data protection programs in a highly regulated international environment (GDPR, NIS), involving governance, compliance, and digital usage security.

Program Management & Governance

▪ Management of multi-project security initiatives, ensuring overall consistency, prioritization, and deliverable tracking.

▪ Establishment and facilitation of governance (Steering Committees, progress reviews, executive reporting).

▪ Cross-functional coordination between Cybersecurity, IT, Business Units, DPO, and Procurement.

▪ Structuring roadmaps, work package breakdown, and dependency management.

Securing Digital Usage & Data (Requirements-based approach)

▪ Contribution to defining security requirements for collaborative usage and data protection, primarily in Microsoft environments.

▪ Ability to translate security requirements (GDPR, internal policies) into manageable operational objectives, without being in a technical execution role.

Compliance & Contracting Coordination

▪ Liaison with the DPO and Procurement on compliance, vendor contracting, and security measure validation.

▪ Participation in the validation and decision-making processes for security solutions through studies, comparisons, and recommendations.

▪ Evolution of authentication systems:

o Functional scoping.

o Work package structuring.

o Mobilization of business and IT teams.

o Dependency and validation tracking.

• • Translation of technical recommendations into operational recommendations understandable by business units.

• • Validation of risk analyses with Risk teams and business managers, and support in implementing action plans.

• • Mission assigned by the DPO and DSRO as part of CNIL/GDPR compliance and application security.

• • Conducted a comparative study of vendors, identified a shortlist of compliant and secure solutions.

• • Analysis of candidate solutions' limitations, integration recommendations, and presentation to stakeholders (CIO, Security, Legal).

• • Management of the regulatory compliance and critical application security program.

• • Coordination of security projects (access control, hardening, protection mechanisms).

• • Facilitation of steering committees, risk management, strategic reporting to the Executive Committee and CISO.

• • Contribution to user training and awareness on cybersecurity and compliance.

Development and management of remediation plans to secure Active Directory and its related components. Within the scope of risk analyses and with ANSSI's support, managed the hardening process to reduce exposure to risks and major compromise sources for business units.

• ➢ STRATEGIC program followed by the CIO directly, with monthly Steerco meetings facilitated in collaboration with security experts. SCOPE SG: 45 ADs managed by DWS and 600 DCs, ~1800 privileged accounts, 670k objects/accounts)

Program Objectives:

• ➢ Secure and maintain the security of the critical Active Directory environment

• ➢ Ensure AD availability and integrity for business units

• ➢ Identify and remediate security weaknesses

• ➢ Detect malicious actions against AD (continuous monitoring)

◼ Commitment committees and Budget monitoring for the program €4,800K for 2021 + KPI Reporting and defense.

◼ Significant achievements: Hardening and remediation of authentication mechanisms (Kerberos, NTLM): task force for the removal of 45,000 inactive accounts + Remediation of RC4 accounts (cutoff).

◼ Definition of test plans for AD rebuild, implementation of reconstruction and switchover of Active Directory to a healthy environment (internal reco + CYBERRESILIENCE).

Implementation of sources and information for migration processes, structuring of the crisis management team with IT experts and support teams, mobilization of BU managers and support and communication systems, )

◼ Task force in coordination with Group Security and Group Crisis Management Service.

◼ Significant achievements: Doubling of infrastructure in record time and Task Force migration of 36,000 users and implementation of access tools in addition to VPNs (VDI, Citrix Access).