Thierno N

GRC Cybersecurity Consultant

€550/day
Paris, FR
3-7 years

Average response time: 1 hour

Freelancer profile translated to English.

About Thierno

GRC Cybersecurity Consultant specializing in governance, risk management, regulatory compliance, and operational security.
Certified ISO/IEC 27001 Lead Auditor, ISO 27005, and EBIOS RM, with experience in ISO/IEC 27001, GDPR, DORA, and NIS2 compliance, ISMS implementation, risk analysis, security audits, and security integration in projects.
Versatile, structured, and quickly operational profile in GRC topics.
  • French

    Native or bilingual

  • English

    Fluent

Can work on-site
Paris (up to 50km)

Experience

  • MSC LOGISTICS
    GRC CYBERSECURITY CONSULTANT
    LOGISTICS AND SUPPLY CHAIN
    January 2025 - April 2026 (1 year and 3 months)
    CONTEXT: SUPPORT FOR THE IMPLEMENTATION OF AN ISMS AND ISO 27001 CERTIFICATION

    Develop the project approach and methodology. Reformulate needs, frame the project, and define the scope. Define the committee structure, identify stakeholders and the project team. Build the schedule and action plan. Create the RACI matrix and project risks. Identify mandatory/non-mandatory certification documents. Produce the security risk assessment policy. Monitor compliance with policies, standards, directives, and procedures. Produce the risk analysis and the SoA (Statement of Applicability). Produce the asset inventory, KPIs, and control plans. Prepare internal audit, correct non-conformities, and prepare for certification. Review Security Assurance Plans (SAP). Procedure for integrating security into developments and proposing the implementation of a secure CI/CD pipeline with: pre-commit [truffleHog, gitleaks, git hooks]; SAST [GitLab SAST Semgrep or SonarQube]; SCA [Snyk or OWASP Dependency-Check or GitLab Dependency Scanning]; DAST [GitLab DAST, OWASP ZAP]; Docker [Trivy, GitLab Container Scanning]; IaC [checkov, tfsec]; monitoring [Falco, Prometheus & Grafana]…

    Deliverables: Project kick-off, Gap analysis, project scope, RACI (directors, CISO, IT, business units), Security policy, Asset inventory, EGERIE Risk Analysis, Risk Treatment Plan, Incident Management Procedure, Security Assurance Plan (SAP), SoA (Statement of Applicability), ISMS Manual, Security Governance in Projects (SiP)…
    Technical Environment: Microsoft Azure Cloud, SAST, SCA/DAST, Sonarcloud, Zero Trust, Power Apps, Power Automate, SharePoint, Jira, Confluence, Azure DevOps, Egerie…
  • DALKIA
    SECURITY CONSULTANT SIP
    ENERGY AND UTILITIES
    December 2023 - December 2024 (1 year)
    Dalkia, Bourgoin-Jallieu, France
    CONTEXT: INTEGRATE SECURITY IN PROJECTS (SiP) IN AN ON-PREMISE AND MULTI-CLOUD ENVIRONMENT (Azure - Google Cloud Platform (GCP) – AWS).

    Support operational teams in integrating security into projects by involving the security team as early as possible. Conduct risk analyses before the start of each project (Security by Design). Ensure the processing of personal data by completing the Personal Data Protection (PDP) questionnaire during the project study phase or the launch of a new application. Support Data Privacy teams in addressing information security requirements and ANSSI recommendations in collaboration with legal, purchasing, and management control teams. Study contract clauses with a focus on security measures implemented for the protection of data and information systems infrastructure, subcontractors, suppliers, and outsourcing providers. Monitor the action plan for recommendations addressing risks identified during project studies. Work with network infrastructure and data center teams (AWS and Windows AD). Participate in various committees (data protection committees, infrastructure security, or monitoring of vulnerability remediation indicators). Assist the security incident response team: manage and track corrections following SOC alerts. Provide expertise in case of crisis or major incident. Cloud and SaaS security. Ensure the security of Infrastructure as Code (IaC) with tools like checkov, tfsec, terrascan. Monitor alerts generated by the Splunk SIEM.

    Deliverables: Asset inventory, Risk analysis sheet, Risk treatment action plan, Identity and access management procedure, define security policies, rules, directives, and charters for the entire information system, disseminate these rules (awareness).
  • CLIENT : SOCIETE GENERALE (SG)
    AUDIT COORDINATOR WITH STATUTORY AUDITORS
    April 2022 - December 2023 (1 year and 8 months)
    Scope of the NIS program and agile project work methodology. Translation of directive obligations into operational requirements and concrete measures. Identification of actors and contact points. Mapping of critical assets and business processes and essential services. Organization of weekly workshops and follow-up committees. Definition of a schedule and action plan. Risk analysis (Mapping of critical assets and business processes). Definition of major risk scenarios. Implementation of an incident management process. Classification of significant incidents (Early warning ≤ 24h, Notification ≤ 72h, Final report ≤ 1 month). SOC / CERT / CSIRT coordination. Supplier risk assessment via an assessment. Monitoring of critical service providers. Implementation of compliance indicators. Reporting to management and stakeholders during committee meetings.

    Deliverables: RACI (directors, CISO, IT, business units), Security policy, Asset inventory, Cyber risk register, Mapping of essential services, Risk treatment plan, Incident management procedure, Security assurance plan.

    Technical Environment: IT & OT infrastructure security, Network security (segmentation, firewall, IDS/IPS), Endpoint security, IAM / MFA, Vulnerability & patch management, Backups & restoration, CyberArk, AS400, Qualys, Production environments (Win OS/AD, UNIX, z/OS Mainframe, Illumio, PDIS, COBRA, Garfild, YOGA, OS obsolescence, Vulnerability, isolation).

Education

  • EBIOS RM (Risk Manager) ISO
    PECB
    2020
  • Risk Manager Tools
    EGERIE
    2018