You must have heard stories of the fabulous returns made in the stock markets in recent months. And you longed wishfully for a piece of the action.
But you could also have heard horror stories of how a friend lost his shirt in the stock market.
And were promptly thankful that you didn't lose yours.
Let's set the record straight.
Wisely chosen (those are the key words), stocks are a must for any serious investor.
They add that extra zing to your collection of investments.
Study after study has revealed that over the long term, stocks outperform all other assets. That means you can expect to earn more from shares than from bonds, fixed deposits or gold.
No doubt the risk is higher with shares. But if you are in for the long haul, so are the potential returns.
But before you take the plunge and invest in the stock market, get your basics right.
This series will tell you about the basics of investing in stocks.
1. Stocks are not only for the brilliant
Stocks are far from being rocket science.
The strategies you need to know to maximise your wealth and the pitfalls you need to avoid are not beyond comprehension.
Even if you feel that you don't have the time, and prefer to entrust your money to a portfolio manager or mutual fund, the least you need to know is which funds are better, how to choose your fund manager, and how to keep tabs on their performance.
2. So what is a share?
Any business has a lot of assets: The machinery, buildings, furniture, stock-in-trade, cash, etc.
It will also have liabilities. This is what the company owes other people. Bank loans, money owed to people from whom things have been bought on credit, are examples of liabilities.
Take away the liabilities from the total assets, and you are left with the capital.
Assets - Liabilities = Capital.
Capital is the amount that the owner has in the business. As the business grows and makes profits, it adds to its capital.
This capital is subdivided into shares (or stocks).
So if a company's capital is Rs 10 crore (Rs 100 million), that could be divided into 1 crore (10 million) shares of Rs 10 each.
Part of this capital, or some of the shares, is held by the people who started the business, called the promoters.
The other shares are held by investors. These investors could be people like you and me or mutual funds and other institutional investors.
3. What does this mean for me?
You must have realised by now that owning a share means owning a share in the business.
When you invest in stocks, you do not invest in the market. You invest in the equity shares in a company. That makes you a shareholder or part owner in the company.
Since you own part of the assets of the company, you are entitled to the profits those assets generate. Or bear the loss.
So, if you own 100 shares of Gujarat Ambuja Cement, for example, you own a very small part of the company, since Gujarat Ambuja has millions of shares. You own a share of its assets, its liabilities, its profits, its losses, and so on.
Owning shares, therefore, means having a share of a business without the headache of managing it.
Your Gujarat Ambuja shares, for instance, will rise in value if the company makes good profits, or may do badly if people stop building houses and demand for cement falls.
4. What do we mean by rise in value?
If the company has divided its capital into shares of Rs 10 each, then Rs 10 is called the face value of the share.
When the share is traded in the stock market, however, this value may go up or down depending on supply and demand for the stock.
If everyone wants to buy the shares, the price will go up. If nobody wants to buy them, and many want to sell the shares, the price will fall.
The value of a share in the market at any point of time is called the price of the share or the market value of a stock. So the share with a face value of Rs 10, may be quoted at Rs 55 (higher than the face value), or even Rs 9 (lower than the face value).
If the number of shares in a company is multiplied by its market value, the result is market capitalisation.
For instance, a company having 10 million shares of a face value Rs 10 and a market value of Rs 30 as on November 1, 2004, will have a market capitalisation of Rs 300 million as on November 1, 2004.
5. So how does one buy shares?
Alright, you have decided you want part of the action. Shares are bought and sold on the stock exchanges -- the two main ones in India are the National Stock Exchange (NSE), and the Bombay Stock Exchange (BSE).
You can use three different routes to buy shares: Through your broker, trade directly online, or buy shares when a company comes out with a fresh issue of shares. This is called an initial public offering (IPO).
Now that we have demystified the key words -- shares, face value, market value and market capitalisation -- in the subsequent articles, we will explore how to buy and sell stocks, and how to subscribe to a new issue.
Thursday, October 16, 2008
Make money with shares
Good question indeed. Why do people buy shares?
In a line: Because they can make big money on it.
There's a huge difference between the gains and losses you can make by investing in the stock market as compared to your returns from bank fixed deposits.
In stocks, you can make unbelievable money -- it's not uncommon for people to have doubled their money in the past year.
On the flip side (there is always one), when the markets crashed in May, many people lost more than a quarter of their investment.
Compare this with your bank fixed deposit. Your FD will only fetch you around five to six percent per annum, but you can be sure of getting your money back.
When you put your money in a bank deposit, you loan the money to a bank for a fixed return (rate of interest) and a fixed tenure (number of months or years). At the end, you get back your original amount and you are paid interest on the same.
When you invest in stocks, you do not invest in the market (despite what you think). You invest in the equity shares of a company. That makes you a shareholder or part-owner in the company.
The good news is that since you own a part of the assets of the company, you are entitled to a share in the profits those assets generate.
The bad news is that you are also expected to bear the losses, if any.
Now, if you are a shareholder, there are two ways you can benefit from the profits of the company: capital appreciation or dividend.
Dividend
Usually, a company distributes a part of the profit it earns as dividend.
For example: A company may have earned a profit of Rs 1 crore in 2003-04. It keeps half that amount within the company. This will be utilised on buying new machinery or more raw materials or even to reduce its borrowing from the bank. It distributes the other half as dividend.
Assume that the capital of this company is divided into 10,000 shares. That would mean half the profit -- ie Rs 50 lakh (Rs 5 million) -- would be divided by 10,000 shares; each share would earn Rs 500. The dividend would then be Rs 500 per share. If you own 100 shares of the company, you will get a cheque of Rs 50,000 (100 shares x Rs 500) from the company.
Sometimes, the dividend is given as a percentage -- i e the company says it has declared a dividend of 50 percent. It's important to remember that this dividend is a percentage of the share's face value. This means, if the face value of your share is Rs 10, a 50 percent dividend will mean a dividend of Rs 5 per share (See What's in a share? Money!).
However, chances are you would not have paid Rs 10 (the face value) for the share.
Let's say you paid Rs 100 (the then market value). Yet, you will only get Rs 5 as your dividend for every share you own. That, in percentage terms, means you got just five percent as your dividend and not the 50 percent the company announced.
Or, let's say, you paid Rs 9 (the then market value). You will still get Rs 5 per share as dividend. That means, in percentage terms, you got just 55.55 percent as dividend yield and not the 50 percent the company announced.
Capital Gain
As the company expands and grows, acquires more assets and makes more profit, the value of its business increases. This, in turn, tends to drive up the value of the stock. So, when you sell, you may receive more than what you paid.
This is known as capital gain and this is the main reason why people invest in stocks. They want to make money by selling the stock at a profit.
It is not as easy as it sounds. A stock's price is always on the move. It could either appreciate (increase in value) or depreciate (decrease in value) with respect to the price at which you purchased it.
If you buy a stock for Rs 10 and sell it for Rs 20 after a year, then your return from that stock is Rs 10, or 100 percent.
Or, if you buy a stock for Rs 10 and sell it for Rs 9, you lose Rs 1, or your loss is 10 percent.
Now look at both: Dividend and Capital Gain
If you buy a stock for Rs 10 and sell it for Rs 20 after a year, then your return from that stock is Rs 10, or 100 percent.
Add the Rs 5 per share you have received as dividend, and your total return will be Rs 10 plus Rs 5 = Rs 15 or 150 percent (Rs 15 divided by Rs 10 multiplied by 100).
If you buy a stock for Rs 10 and sell it for Rs 9 after a year, you would lose Rs 1 per share.
However, you would have got Rs 5 as dividend. So you would net Rs 4 as earnings from the company.
In percentage terms, your return would be 40 percent (Rs 4 divided by Rs 10 multiplied by 100).
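The dividend and capital gain arithmetic above, as an added worked example (not code from the original article). It generalises the article's cases into three small functions: a declared dividend percentage is converted to rupees on the face value, the yield is measured against the price actually paid, and the holding-period return combines capital gain (or loss) with the dividend. The Holding class and the rounding to two decimals are assumptions made here for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Holding:
    """One lot of shares: the market price paid per share and how many were bought."""
    buy_price: float  # Rs per share, what you actually paid (not the face value)
    shares: int


def dividend_per_share(declared_pct: float, face_value: float) -> float:
    """A dividend declared as a percentage is a percentage of the FACE value,
    not of the market price: 50% on a Rs 10 face value is Rs 5 per share."""
    if declared_pct < 0 or face_value <= 0:
        raise ValueError("dividend percentage must be >= 0 and face value > 0")
    return face_value * declared_pct / 100.0


def dividend_yield_pct(dividend: float, buy_price: float) -> float:
    """Dividend yield on what you actually paid, as a percentage."""
    if buy_price <= 0:
        raise ValueError("buy price must be positive")
    return 100.0 * dividend / buy_price


def total_return(holding: Holding, sell_price: float, dividend: float) -> dict:
    """Capital gain (or loss) plus dividend, per share and for the whole lot,
    and the holding-period return as a percentage of the purchase price.
    A loss on the sale is simply a negative capital gain; the dividend may or
    may not be enough to offset it."""
    gain = sell_price - holding.buy_price
    net_per_share = gain + dividend
    return {
        "capital_gain_per_share": round(gain, 2),
        "dividend_per_share": round(dividend, 2),
        "net_per_share": round(net_per_share, 2),
        "net_total": round(net_per_share * holding.shares, 2),
        "return_pct": round(100.0 * net_per_share / holding.buy_price, 2),
    }


if __name__ == "__main__":
    # Figures from the article: 50% dividend on a Rs 10 face value
    div = dividend_per_share(50, 10)
    for paid in (100, 9):
        print(f"paid Rs {paid}: dividend yield {dividend_yield_pct(div, paid):.2f}%")
    # 100 shares bought at Rs 10, sold at Rs 20 and at Rs 9, each with the Rs 5 dividend
    print(total_return(Holding(10, 100), 20, div))
    print(total_return(Holding(10, 100), 9, div))
```

The point the functions make explicit is that the "50 percent" the company announces and the yield you earn are different numbers with different denominators; `dividend_yield_pct` always divides by the price you paid.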
Tax
One last point.
If you are a tax payer, the finance minister has made it very easy for you to invest in the stock market. There is no tax on dividend. Neither will you be taxed on long-term capital gains. This means, if you buy a share, hold it for at least a year and sell it at a profit, you don't have to pay any tax on the profit you make. If you sell it within a year, the short-term capital gains tax is only 10 percent.
Contrast this with fixed deposits, where you have to pay tax on the interest at your marginal tax rate. This means that, if you are in the 30 percent tax bracket and your interest income exceeds Rs 12,000 in a year, you'll have to pay tax on your interest income at that rate (including the surcharge, the cess, etc, the rate works out to almost 35 percent).
Investing in stocks may be more risky, but it is more tax-friendly. Besides, there is the potential to get a higher return on your investment.
Spot a good stock. Win big!
Between MTV and Channel [V], you might have sometimes come across, say, CNBC.
You might have noticed a band that runs at the bottom of the screen containing the stock prices.
This is called the ticker.
Watch this ticker for some time, and you will find that stock prices are constantly going up or down. Rarely do they stay put.
Which brings you to the common question: when should you buy stocks?
Pose this question to any stock market guru (even someone who falsely professes to be one), and you will get this answer: Buy Low. Sell High.
That means you should buy stocks at a low price and sell them at a high price.
Easier said than actually done, of course.
Which brings us to the next question: how do you know if a stock is worth buying?
One, look at the 'fundamentals' of the stock: check the underlying factors behind the stock price.
In other words, find out what it is about this stock that makes it hot.
Let me introduce you to three ways by which you can figure that out.
1. Earnings per Share (EPS): How well the company is doing
Company XYZ Ltd.
Capital: Rs 100 crore (Rs 1 billion).
Capital is the amount the owner has in the business.
As the business grows and makes profits, it adds to its capital.
This capital is subdivided into shares (or stocks).
For a clearer understanding of capital, read What's in a share? Money!
The capital is divided into 100 million shares of Rs 10 each.
Net Profit in 2003-04: Rs 20 crore (Rs 200 million).
EPS is the net profit divided by the total number of shares.
EPS = net profit/ number of shares
EPS = Rs 20 crore (Rs 200 million)/ 10 crore (100 million) shares = Rs 2 per share
Lesson to be learnt
If a company's EPS has grown over the years, it means the company is doing well, and the price of the share tends to go up. If the EPS declines, that's a bad sign, and the stock price tends to fall.
Listed companies are required to publish their quarterly results. Keep an eye out for these results; check for the trend in their EPS.
2. Price earnings ratio (PE ratio): How other investors view this share
Two stocks may have the same EPS. But they may have different market prices.
That's because, for some reason, the market places a greater value on that stock.
PE ratio is the market price of the stock divided by its EPS.
PE = market price/ EPS
Let's take an example of two companies.
Company XYZ Ltd
Market price = Rs 100
EPS = Rs 2
PE ratio = 100/ 2 = 50
Company ABC Ltd
Market price = Rs 200
EPS = Rs 2
PE ratio = 200/ 2 = 100
In the above cases, both companies have the same EPS.
But because their market price is different, the PE ratio is different.
Lesson to be learnt
In the case of EPS, it is not so much a high or low EPS that matters as the growth in the EPS. The company's PE reflects investors' expectations of future growth in the EPS. A high PE company is one where investors have hopes that earnings will rise, which is why they buy the share.
3. Forward PE: Looking ahead
The stock market is not nostalgic. It is forward looking.
For instance, it sometimes happens that a sick company that has made losses for several years gets a rehabilitation package from its bank and a new CEO.
As a consequence, the company's stock shoots up.
Why? Because investors think the company will do better in the future because of the package and new leadership, and its earnings will go up.
And they think it is a good time to buy the shares of the company now.
Suddenly, the demand for the shares has gone up.
Because stock prices are based on expectations of future earnings, analysts usually estimate the future earnings per share of a company. The PE ratio calculated on that estimate is known as the forward PE.
Forward PE is the current market price divided by the estimated EPS, usually for the next financial year.
Forward PE = Current market price/ estimate EPS for the next financial year.
To illustrate what we've been talking about, let's take the example of Infosys Technologies.
Trailing 12-month EPS = Rs 56.82 (EPS of the last four quarters)
Closing price on January 6 = Rs 2043.15
PE = Price/EPS = 2043.15/ 56.82 = 35.96
The PE of Infosys as on January 6 = 35.96
Clear? Now be alert:
Estimated EPS for 2004-05 = Rs 67
Estimated EPS for 2005-06 = Rs 90
These figures are according to brokers' consensus estimates (you can find those in the business daily, Economic Times).
Forward PE = current market price/ estimated EPS for next financial year
Forward PE for 2004-05 = 2043.15/ 67 = 30.49
Forward PE for 2005-06 = 2043.15/ 90 = 22.70
With an EPS growth of over 30%, a forward PE of 22.7 is not high, indicating that there is scope to be optimistic about the stock's price.
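The EPS, PE and forward PE calculations from this section, as an added worked example (not code from the original article). It reproduces the XYZ Ltd, ABC Ltd and Infosys figures above and adds the one check a practitioner wants that the article does not show: a company with zero or negative earnings has no meaningful PE, and a naive division would produce a negative or infinite "ratio" that is easy to misread as cheap. The `pe_table` helper and the two-decimal rounding are assumptions made here for illustration.

```python
from typing import Optional


def eps(net_profit: float, shares_outstanding: int) -> float:
    """Earnings per share = net profit / number of shares."""
    if shares_outstanding <= 0:
        raise ValueError("share count must be positive")
    return net_profit / shares_outstanding


def pe_ratio(price: float, earnings_per_share: float) -> Optional[float]:
    """Price / EPS. Returns None when EPS is zero or negative, because a
    loss-making company has no meaningful PE."""
    if price < 0:
        raise ValueError("price must be non-negative")
    if earnings_per_share <= 0:
        return None
    return price / earnings_per_share


def forward_pe(price: float, estimated_eps: float) -> Optional[float]:
    """Same formula as the trailing PE, but on an estimate of a future year's EPS."""
    return pe_ratio(price, estimated_eps)


def eps_growth_pct(eps_from: float, eps_to: float) -> float:
    """Growth in EPS between two periods, as a percentage of the earlier figure."""
    if eps_from <= 0:
        raise ValueError("growth is only meaningful from positive earnings")
    return 100.0 * (eps_to - eps_from) / eps_from


def pe_table(price: float, trailing_eps: float, estimates: dict) -> dict:
    """Trailing PE plus one forward PE per estimated year, rounded to 2 dp.
    A None value means 'not meaningful' (zero or negative earnings)."""
    def r(x: Optional[float]) -> Optional[float]:
        return None if x is None else round(x, 2)

    out = {"trailing": r(pe_ratio(price, trailing_eps))}
    for year, est in estimates.items():
        out[year] = r(forward_pe(price, est))
    return out


if __name__ == "__main__":
    # XYZ Ltd from the article: Rs 20 crore profit, 10 crore shares
    print(eps(20 * 10**7, 10 * 10**7))            # Rs 2 per share
    print(pe_ratio(100, 2), pe_ratio(200, 2))     # XYZ vs ABC at the same EPS
    # Infosys figures from the article: price 2043.15, trailing EPS 56.82
    print(pe_table(2043.15, 56.82, {"2004-05": 67, "2005-06": 90}))
    print(round(eps_growth_pct(67, 90), 1))       # growth implied by the estimates
    # Constructed loss-maker: every PE comes back as None rather than a misleading number
    print(pe_table(120.0, -3.5, {"next": 0.0}))
```

Returning None instead of a number for non-positive earnings is deliberate: a screen that sorts stocks by "lowest PE" will otherwise rank loss-making companies at the top.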
Lesson to be learnt
Sometimes, investors look out for a low PE stock, expecting that its price will rise in the future. But sometimes, low PE stocks may remain low PE stocks for ages, because the market doesn't fancy them.
Keep tab on the business news to check out the company's prospects in the future.
That was the basics of fundamental analysis. Not too mind boggling, is it?
Next time you want to buy the shares of a company, at least do this groundwork.
Please watch out for more ratios and how to value shares in the coming pieces.
5 things you must know before buying shares
A friend of mine recently landed her first job.
She spent her first few paychecks on a new cell phone, and a new wardrobe to go with it. Then, her parents began to pressurise her to save.
Her question to me was: which shares can I invest in?
When I proceeded to tell her that shares were riskier than all the other common investments (bonds, fixed deposits, post office schemes, gold etc), she shrugged.
When I asked her if she even knew what a share was, she confessed she did not.
I could not blame her.
Over the last year or so, the stock market has been hogging the limelight. Companies have been coming out with Initial Public Offerings (which is when a company first makes its shares available to the public by getting them listed on the stock exchange). Everyone wants to join the party and make money.
If you identify with her, here is a tutorial to help you get your basics right. Before you invest in the stock market, you must understand what it entails.
1. You own a part of the business
When you invest in stocks, you do not invest in the market (despite what you think). You invest in the equity shares of a company. That makes you a shareholder; you now own a small part of that business without having to go to work there.
The good news is, since you own part of the company, you are entitled to a share in its profits.
The bad news is that you are also expected to bear the losses, if any.
That is why investing in shares is risky. If the company does well, you benefit. If it does not, you lose. There are no guarantees whatsoever.
2. In the short-run, the price of the share can wildly fluctuate
Let's say the company fixes the price of each share at Rs 10. This is called the face value of the share.
When the share is traded in the stock market, this value may go up or down depending on supply of and demand for the stock.
If everyone wants to buy the shares, the price will go up. If nobody wants to buy the shares, and many want to sell them, the price will fall.
The value of a share in the market at any point of time is called the 'price of the share' or the 'market value of a stock'.
A share with a face value of Rs 10 may be quoted at Rs 55 (higher than the face value) or even Rs 9 (lower than the face value).
So you might have paid Rs 15 for a share which is now quoting at Rs 12. Don't panic and sell. If it is a good company, the share price is likely to recover over time.
The prices will get influenced by the market sentiment and the general direction of the market. As a result, you may see short-term slumps.
3. Always invest for the long-term
The best way to make money is to buy low and sell high. This means you should buy the share when the price is low and sell it when it is high.
That is why you must buy in a bear market. This is a term used to describe the sentiment of the stock market when it is low and the prices of shares have generally fallen. The best time to sell is in a bull market, when the sentiment is high and the prices of shares are rising.
But it is very difficult to time the market. In fact, no one can do it. If we could, we would all be millionaires, wouldn't we?
That is why, when you invest in the market, it is best to invest for the long-term. Hold on to your shares for a few years before you think of selling them.
Companies increase their sales and book higher profits over the years. This will eventually reflect in the share price, so ignore the short-term slumps.
Once you decide that you are in for the long haul, you can ride over the bear and bull runs with no stress at all. Over time, the price of your shares will appreciate.
If you are getting a good price for your stock, keep selling small amounts at regular intervals. Keep booking profits.
4. Decide how much you want to invest
Always remember one basic rule in finance -- if something gives you higher returns, that's usually because it carries a greater risk.
That's the reason why not-so-good companies will pay you a higher rate of interest for your deposits.
The same reasoning goes for stocks too -- they give higher returns than, say, bank fixed deposits because they are more risky. So the amount of money you invest in the market depends on your capacity to bear the risk.
If you are young with a steady job, you can invest a larger proportion of your income in the stock market than, say your parents who are close to retirement. If you have a lot of debt to repay, avoid putting too much of your money in stocks.
It's best to decide how much of your savings you will allocate to stocks, and stick to that plan. Don't get swayed by how much your friend is investing.
5. Don't rely solely on 'good advice'
A smart investor should never buy shares of companies he doesn't know much about. Relying on 'advice' from friends is not always a great idea. Do some groundwork yourself.
It doesn't matter who is buying the stock or who is recommending it. Steer clear of tips that promise a fast buck; they are more likely to land you in a soup.
When you hear of a 'hot tip', dig further.
Take a look at the company's profit and loss statement, which would have been audited by chartered accountants. There is a wealth of information here. To understand the information in a Profit & Loss Account, read Want to buy a stock? Read this first.
Do some basic calculations on your own. The Earnings Per Share (net profit/ number of shares) and Price/Earnings ratio (market price/ EPS) should give you a fair understanding. Read How to spot a good stock to understand what these ratios mean and how to use them.
These tips should get you started. Tread cautiously though. If stocks intimidate you, consider a diversified equity fund.
A mutual fund manager will research many companies before investing in their shares. This way, you can participate in the stock market even as you leave the research to professionals.
She spent her first few paychecks on a new cell phone, and a new wardrobe to go with it. Then, her parents began to pressurise her to save.
Her question to me was: which shares can I invest in?
When I proceeded to tell her that shares were the riskiest of all investments (riskier than bonds, fixed deposits, post office schemes, gold, etc), she shrugged.
When I asked her if she even knew what a share was, she confessed she did not.
I could not blame her.
Over the last year or so, the stock market has been hogging the limelight. Companies have been coming out with Initial Public Offerings (an IPO is when a company first makes its shares available to the public by getting them listed on a stock exchange). Everyone wants to join the party and make money.
If you identify with her, here is a tutorial to help you get your basics right. Before you invest in the stock market, you must understand what it entails.
1. You own a part of the business
When you invest in stocks, you do not invest in the market (despite what you think). You invest in the equity shares of a company. That makes you a shareholder; you now own a small part of that business without having to go to work there.
The good news is, since you own part of the company, you are entitled to a share in its profits.
The bad news is that you are also expected to bear the losses, if any.
That is why investing in shares is risky. If the company does well, you benefit. If it does not, you lose. There are no guarantees whatsoever.
2. In the short-run, the price of the share can wildly fluctuate
Let's say the company fixes the price of each share at Rs 10. This is called the face value of the share.
When the share is traded in the stock market, this value may go up or down depending on supply of and demand for the stock.
If everyone wants to buy the shares, the price will go up. If nobody wants to buy the shares, and many want to sell them, the price will fall.
The value of a share in the market at any point of time is called the 'price of the share' or the 'market value of a stock'.
A share with a face value of Rs 10 may be quoted at Rs 55 (higher than the face value) or even Rs 9 (lower than the face value).
So you might have paid Rs 15 for a share which is now quoting at Rs 12. Don't panic and sell. If it is a good company, the share price will eventually rise.
The prices will get influenced by the market sentiment and the general direction of the market. As a result, you may see short-term slumps.
3. Always invest for the long-term
The best way to make money is to buy low and sell high. This means you should buy the share when the price is low and sell it when it is high.
That is why you must buy in a bear market. This is a term used to describe the sentiment of the stock market when it is low and the prices of shares have generally fallen. The best time to sell is in a bull market, when the sentiment is high and the prices of shares are rising.
But it is very difficult to time the market. In fact, no one can do it. If we could, we would all be millionaires, wouldn't we?
That is why, when you invest in the market, it is best to invest for the long-term. Hold on to your shares for a few years before you think of selling them.
Companies increase their sales and book higher profits over the years. This will eventually reflect in the share price, so ignore the short-term slumps.
Once you decide that you are in for the long haul, you can ride over the bear and bull runs with no stress at all. Over time, the price of your shares will appreciate.
If you are getting a good price for your stock, keep selling small amounts at regular intervals. Keep booking profits.
4. Decide how much you want to invest
Always remember one basic rule in finance -- if something gives you higher returns, that's usually because it carries a greater risk.
That's the reason why not-so-good companies will pay you a higher rate of interest for your deposits.
The same reasoning goes for stocks too -- they give higher returns than, say, bank fixed deposits because they are more risky. So the amount of money you invest in the market depends on your capacity to bear the risk.
If you are young with a steady job, you can invest a larger proportion of your income in the stock market than, say, your parents who are close to retirement. If you have a lot of debt to repay, avoid putting too much of your money in stocks.
It's best to decide how much of your savings you will allocate to stocks, and stick to that plan. Don't get swayed by how much your friend is investing.
5. Don't rely solely on 'good advice'
A smart investor should never buy shares of companies he doesn't know much about. Relying on 'advice' from friends is not always a great idea. Do some groundwork yourself.
It doesn't matter who is buying the stock or who is recommending it. Steer clear of such ways of making a fast buck. These tips will land you in a soup.
When you hear of a 'hot tip', dig further.
Take a look at the company's profit and loss statement, which would have been audited by chartered accountants. There is a wealth of information here. To understand the information in a Profit & Loss Account, read 'Want to buy a stock? Read this first'.
Do some basic calculations on your own. The Earnings Per Share (net profit / number of shares) and the Price/Earnings ratio (market price / EPS) should give you a fair understanding. Read 'How to spot a good stock' to understand what these ratios mean and how to use them.
These tips should get you started. Tread cautiously though. If stocks intimidate you, consider a diversified equity fund.
A mutual fund manager will research many companies before investing in their shares. This way, you can participate in the stock market even as you leave the research to professionals.
Buying shares for the first time?
Got your first paycheck and can't wait to buy your first lot of shares?
Hold on!
Before you start investing in the stock market, you have to get certain basics in place.
Follow this checklist to ensure you are on track.
1. Get a broker
People like you and me cannot just go to a stock exchange and buy and sell shares.
Only the members of the stock exchange can. These members are called brokers and they buy and sell shares on our behalf.
So, if you want to start investing in shares, you can do it only through a broker.
Every stockbroker has to be registered with the Securities and Exchange Board of India, which is the stock market regulator.
You can either choose a broker (who is directly registered with SEBI) or a sub-broker (people licensed by brokers to work under them).
The Bombay Stock Exchange directory or the National Stock Exchange Web site will give you a list of brokers affiliated to them. Most of them entertain retail clients.
If you want an online broker, you can start by looking at the Web sites of some well-known online players: Sharekhan, Kotak Securities, ICICI Direct, 5paise and India Bulls.
2. Get a demat account
Gone are the days when shares were held as physical certificates.
Today, they are held in an electronic form in demat accounts.
Demat refers to a dematerialised account.
Let's say your portfolio of shares looks like this: 40 shares of Infosys, 25 of Wipro, 45 of HLL and 100 of ACC.
They will show in your demat account. You don't have to possess any physical certificates showing you own these shares. They are all held electronically in your account.
Periodically, you will get a demat statement telling you what shares you have in your demat account.
How to get a demat account
To get a demat account, you will have to approach a Depository Participant.
A depository is a place where an investor's stocks are held in electronic form.
There are only two depositories in India -- the National Securities Depository Ltd and the Central Depository Services Ltd.
The depository has agents who are called Depository Participants. In India, there are over a hundred DPs.
Think of it like a bank. The head office, where all the technology rests and the details of all the accounts are held, is like the depository. The DPs are like the branches of banks that cater to individuals.
A broker, however, is not similar to a DP. A broker is a member of the stock exchange and he buys and sells shares for his clients and for himself. A DP, on the other hand, gives you an account where you can hold those shares.
To get a list of the registered DPs, visit the NSDL and CDSL Web sites.
3. Get a PAN
The taxman demands that you get yourself a Permanent Account Number.
This is a unique 10-digit alphanumeric number (AABPS1205E, for example) that identifies and tracks an individual in the taxman's database.
Almost every money transaction demands the use of a PAN. These include:
~ When you get a job
~ When you file an income tax return
~ When you open a bank account
~ When you deposit cash of Rs 50,000 or more in a bank
~ When you open a bank fixed deposit of Rs 50,000 or more
~ When you open a post office deposit of Rs 50,000 or more
~ When you buy/ sell shares and mutual funds
~ When you buy/ sell property
~ When you buy a vehicle
~ When you take a loan: home/ personal/ other
~ When you install a telephone (or buy a cell phone)
~ When you pay in cash to hotels and restaurants against bills for an amount exceeding Rs 25,000 at a time
~ You also need to mention it in every transaction you have with the tax officials.
If you are going through a tax consultant, you need not worry. He will supply you with Form 49A (the application form for the PAN) and give you a list of the documents he needs.
However, if you believe in doing things on your own, the process is really not that tedious.
You could visit the official Web sites of the Income Tax department or UTI Investor Services Ltd or National Securities Depository Limited.
Download Form 49A from any of these sites and follow the instructions.
You should get your PAN in the form of a laminated card within a month.
4. Check if you need a UIN
This depends on how much you plan to invest.
The Unique Identification Number is the identification an investor needs to buy and sell shares or mutual fund units.
It is part of the Securities and Exchange Board of India's attempt to create a database of all Market Participants and Investors, called MAPIN.
Who needs a UIN?
An investor who is involved in a single transaction of Rs 1,00,000 or more will have to quote his/ her UIN.
If you plan to be a prominent stock market player or a mutual fund investor and expect to deal with such huge amounts in the near future, you should get a UIN.
SEBI has appointed the National Securities Depository Ltd which, in turn, has appointed Points Of Service agents. The NSDL Web site has a list of the POS agents.
Visit the office of a POS agent. Make sure you take an appointment before you go. As part of the application process, your fingerprints will be scanned and a photograph taken.
All you have to do is fill and submit an application form (there are separate forms for corporates and individuals). You can also download the form for an individual at the NSDL Web site.
Incidentally, the UIN is totally different from a PAN. The Permanent Account Number is an identification number for filing your income tax returns.
Now that you have all this in place, you're ready for the stock market. All the best!
Sunday, June 8, 2008
My Resume...
Ramasubbu Senthilnathan
E-Mail: nathan_thilse@yahoo.com
Summary:
Overall 10 years of experience in Information Security, with specialization in enterprise-level security consulting services spanning from security framework design to IS audits.
Well experienced in developing corporate Information Security policies, processes, procedures and technical controls for many enterprise clients to meet compliance and standards requirements.
Strong knowledge of translating compliance and standards requirements into technical controls and configurations.
Expertise in designing, deploying and managing security solutions in the areas of Managed Security Solutions, IT operations management, Information Security Management Systems (ISMS) and Security Incident Management (SIM) systems.
Specialized in ArcSight, Symantec Enterprise Security Manager (ESM), Network Intelligence and SESA.
Experienced in integrating multiple OSes, databases and other applications with SIM.
Well experienced in planning, deploying, configuring and managing SOx monitoring, privileged user monitoring and security monitoring solutions for clients based in the USA and UK.
Performed Information Security Risk Assessments and Risk management at the Enterprise level.
Excellent knowledge and experience in Information Systems Security Auditing, (ISO 27001) BS7799 implementation as well as auditing, and building an ISMS in line with information security standards and industry best practices.
Has worked on a few SOX 404 assignments in the US (Shell – Richmond and Capital One – Virginia).
Worked closely with internal and external audit towards regulatory requirements and compliance objectives
Strong technical aptitude with exceptional talent in training and development and an ability to effectively translate technical information and procedures to end-users.
Understanding the customer's pain areas and resolving them with perfect solutions.
Drafted RFPs and formal proposals for various Information Security solutions for USA- and UK-based clients.
Validated various security products against different customer requirements and recommended suitable and cost-effective products for optimal solutions.
Well experienced in planning and executing compliance-related and other security projects for corporate clients.
Excellent project management skill set; executed more than 75 enterprise-level projects in the span of 8 years.
Well experienced in vendor management, support and service team management, logistics management and SLA management.
Designed and implemented information security for various business verticals such as banking, manufacturing, oil and gas, government, aviation, ISP, telco, BPO, and the software and services industry.
Skill sets:
Process
IS Audit Planning, Execution, Audit Documentation and Reporting
Review internal controls implemented for PCI-DSS, SOx compliance, ISO 27001 standards and enterprise security
Design, implement and manage the framework in line with ITIL for ISO 27001, PCI-DSS, SOx monitoring, Security Risk Office and PUM
IT Risk Assessment and Management
Interview, evidence gathering and analysis
Business Continuity Plan development and Assessment
Information technology & Information security management system (ISMS)
Auditing (IT Security, Standards, Controls, Best Practices and Regulatory Compliance)
Exposure to ISO 27001, PCI-DSS, SOx, HIPAA, CoBiT, COSO, Basel II, the World Bank Technology Risk Checklist and ITIL
Compliance Audits
Manual Auditing (Process Mapping)
Application walkthroughs.
Trend analysis to capture the interesting events under regulatory compliance
Analysis and Management
Business Analysis
Project Management
Expertise solutions and products:
Security Information Management solutions: ArcSight, Network Intelligence enVision, Symantec SIM, Symantec Enterprise Security Manager (ESM) and Symantec Enterprise Security Architecture (SESA)
Secure communications: SecurID, IPSec, encryption, SSH, SSL, Secure FTP, PKI, digital certificates and signatures
Authentication, Authorization and Access Control: end-to-end application security, enterprise authentication and authorization Web services, secure administration, RADIUS, SecurID, Single Sign-on (SSO)
Compliance and Auditing: PCI-DSS, Sarbanes-Oxley, Control Objectives for Information and Related Technology (COBIT), ISO 27001, HIPAA, COSO, Basel II, the World Bank Technology Risk Checklist and industry best practices like ITIL
Information Security Policies and Procedures: Policies, Standards, Guidelines, Technical controls, workflows and procedures.
Host Assessment tools: NetIQ and Symantec Enterprise Security Manager (ESM)
Messaging Security: IronPort – Email Security product, Symantec Brightmail Antispam, Mirapoint Secure Email Server
Authentication: Cisco Secure Access Control Server (AAA Server), Certificate Authority Server – Microsoft Windows ISS Server, RSA SecurID and Single Sign-on products
Patch management: Shavlik, Marimba and SUS
Intrusion Detection and Prevention tools: e-Trust, ISS – Proventia A, G and M Series of Products, Netscreen IDP, Entercept Host Intrusion Prevention System, Symantec HIDS, eTrust
Assessment Tools: ISS (Internet scanner, Network Scanner, Database Scanner), Nmap, Nessus, Retina, Super Scan
Other Tools: Brutus, Solar Winds, Quick Spoof, CIA, Ethereal and other packet analyzers, Ghost
End Point Security: Cisco Security Agent (CSA), NIS, Norton Personal Firewall
Ticketing system: OTRS with SQL
Firewalls and DMZ configurations: Cisco PIX, Check Point NG & AI, Netscreen, Fortigate, Checkpoint Provider1.
Virtual Private Networks and Remote Access: Cisco VPN, Nortel Contivity, SSL VPN, RAS, Netscaler, Juniper SSL VPN Appliance, Cisco VPN Concentrator Series, Cisco and Intel VPN Clients, Checkpoint Secure remote on Windows and various third party VPN products.
Resource optimizing solutions: Netscaler and Peribit
Monitoring, Filtering and Reporting: Websense, SurfControl, ISA, WebTrends
Antivirus: Symantec Norton Corporate Edition, Symantec Anti Spam, Trend Server Protect 5.5 and McAfee
Anti Spam Solutions: IronPort, BrightMail
Wireless Technologies: Cisco's LEAP, IEEE 802.11b standard, WAP protocol.
Planning, development, implementation and review of information security and documentation.
Web Servers - Apache, IIS
Networking - TCP/IP, NFS, Telnet, FTP, DNS, DHCP, NAT, ipconfig, route, netstat
Routing, Switching, Layer 2 and Layer 3 VLAN
Project management Systems: Microsoft Project 2000, Project Scheduler Ver 8.0
Operating systems integrated and managed for security events: Windows 2000, 2003 and NT SOx servers; Unix, AIX, Linux, Solaris and AS400
Databases integrated and managed for security events: Oracle, Oracle 9i, DB2, MySQL, SQL Server 2000, VB Scripts
Applications integrated and managed for security Events: Powerbroker, Ironport, IDP, IDS, Routers, and Switches, Firewall.
Workshops / Trainings attended
Certified Ethical Hacker - Trained at Asian School of Cyber Laws, Pune.
Trained on Arcsight and Network Intelligence
Trained on effective presentation skills at Richmond, USA
Trained on Antispam solutions by Ironport, USA.
Boot Camp on Application Architecture and Analysis of Symantec NAV and NIS, Aug-2005
Appearing for CISSP and Pursuing PMP training
Accreditations:
BS ISO/IEC 27001:2005 Lead Auditor
SANS GIAC Payment Card Industry (GPCI) – From SANS – No:403
IT Service Management Foundation – ITIL Exam from Exin
CoBiT based IT Governance Foundation Exam
156-210.4 Check Point Certified Security Administrator NG – AI (CCSA)
Cisco Secure PIX Firewall Advanced Exam (CSPFA 642-521) – Appeared and scored 743
Cisco Certified Network Associate (CCNA 640- 607) – CSCO10682369
Checkpoint Firewall1 Administration Certificate from Brain Bench.
Education:
Bachelor of Engineering (Electrical and Electronics) from University of Madras, India.
Diploma in Electrical and Electronics from Directorate of Technical Education, India.
Key Projects
A Major Insurance Company, Madison, USA – (June 07 Till Date)
Role: Project Manager
Currently, I am handling multiple projects
Project –1 Audit Remediation Project – Security Access Reporting
Summary: This engagement included audit remediation for the financially critical systems; planning and designing the interim solution; implementing it; and training the team and Business System Owners (including business vertical directors, application owners and senior management staff) on security access reporting. Ensured that the gap identified in the internal audit was resolved.
Environment: Security access reporting, Project management, PCI, ISO 27001, UNIX, AIX, Linux, AS400, DB2, SQL Server 2000, VB Script, VB 6.0, Team System, MS Project, Compliance Gap analysis report, Policies, Standards, Regulations, Guidelines, Industry best practices.
My responsibilities are:
• Understood the audit gaps and requirements based on corporate policy, ISO 27001 standards and PCI standards
• Proposed a cost effective solution as the interim solution.
• Project management methodology followed: Assess, Initiate, Plan, Execute, Control, Transition and Stabilize, and Signoff and Close phases.
• Gate review with Sr. Management on every phase completion
• Project executed in 4 major modules: Data Stream, Reporting Stream, Attestation Stream and Training/Awareness Stream
• Information gathered from various verticals of business including IT
• Identified and documented the requirements from Privacy leaders and internal auditors
• Designed the interim automated solution for Security Access Reporting and deployed programmers to develop it. Process and procedure documents were prepared and the team was trained
CUNA Mutual Group, Madison, USA – (June 07 Till Date)
Project –2 IAM – Identity and Access Management
Role: Business Analyst
Summary: Define processes, technologies and policies to manage digital identities and specify how they are used to access resources across the various platforms and the 37 financially significant applications. Implementing a state-of-the-art and cost-effective IAM solution for the hybrid and complex access environment.
Environment: Identity and Access management, Project management, PCI, ISO 27001, UNIX, AIX, Linux, AS400, DB2, SQL Server 2000, 37 various financial significant applications, Team System, MS Project, Compliance Gap analysis report, Policies, Standards, Regulations, Guidelines, Industry best practices.
My responsibilities are:
• Analysis of the financially significant applications and understanding their identity and access management methodology
• Information gathering on business, IT and operational roles, and personnel and financial data access
• IAM product identification, benchmarking, testing and selection
• Implementing the IAM product and integrating the hybrid and complex set of financially significant applications with it
• Defining processes and procedures and documenting the complete IAM project
CUNA Mutual Group, Madison, USA – (Nov 07 – Dec 07)
Project –3 Data Loss Prevention Project - Demo
Summary: Discover and protect data at rest, in motion, at the endpoint and exposed on centralized and decentralized file servers, SQL and Lotus Notes databases, desktops, laptops and other data repositories.
Environment: Data Loss Prevention, Vontu 6.0, PCI, ISO 27001, UNIX, AIX, Linux, AS400, DB2, SQL Server 2000, 37 various financial significant applications, Team System, MS Project, Compliance Gap analysis report, Policies, Standards, Regulations, Guidelines, Industry best practices.
My responsibilities are:
• Design and implement the comprehensive security policies and rules
• Configuring the Vontu for the following action items:
Accurate detection of all data types and languages including Western and Asian character sets
Universal data security policy, detection, and enforcement
Automatic enforcement of data security policies: block, protect, quarantine, encrypt, and notify
Integrated reporting, remediation and workflow across data at rest, in motion, and at the endpoint
Business unit reporting on risk reduction and compliance
Project –4 Security monitoring and privileged user monitoring
CapitalOne, Richmond, USA – (Aug 06 – April 07)
Role: Project Manager/Security Consultant
Summary: This engagement included framework development for Security Monitoring and Privileged User Monitoring; defining the process, procedures and documentation; and enabling the client to meet the SOx compliance audit requirements on security and privileged user security event monitoring.
Environment: Security event and privileged user monitoring, Network Intelligence enVision (SIM), OTRS ticketing system, PCI Standard, ITIL framework, Windows 2000, 2003 and NT SOx servers; Unix, AIX, Linux, Solaris and AS400 SOx servers; Oracle, Oracle 9i, DB2, MySQL, SQL Server 2000, SNORT IDS, Checkpoint Firewall, Powerbroker, Ironport, IDP, IDS, routers, switches, firewall, SOx compliance gap analysis report, policies, standards, regulations, guidelines, industry best practices.
My responsibilities are:
• Framework development for security monitoring and privileged user monitoring to meet the PCI standards
• Defining the process in line with ITIL and other industry best practices
• Fine-tuning the Network Intelligence enVision SIM configurations for the client environment
• Defining the various reporting structures for client and the analyst to analyze the events, to reveal the trend of the events.
• Analyzing the various security and privileged events reported from various OS, database, perimeter security products like firewall, IDS, IDP and Ironport.
• Coordinating with the SMEs (subject matter experts) and the audit team to reduce false positives and to avoid system noise.
• Setting up the analyst team to do the interesting events analysis
• Designed and implemented the ticketing system using OTRS to support the audit trail.
• Trained and led the analyst team to analyze the security and privileged events and to use the ticketing system for audit trails.
• Designed and integrated the Knowledge Base (KB) into OTRS.
• Handling change management, incident management, problem management, internal audit, quality assurance, management reporting and executive reporting on SOx events.
• Documented all the processes, procedures and activities performed in the project.
• Backup plan developed and tested to provide the audit trail supporting details on failure or loss of analysis data.
Project –5 SOx Monitoring
Shell, Houston, USA – (Aug 05 – July 06)
Role: Project Manager/Security Consultant
Summary: This engagement included the design, deployment and configure the security information management system (SIM) and to integrate the SOx servers (more than 3000 servers spread over USA, UK and CBJ). Enabling the client to meet the SOx compliance audit requirements.
Environment: ArcSight Management Server 3.0 (SIM), ArcSight Smart Agents (1. AS400 JRN File Agent, 2. Syslog Smart Agent, 3. SESA Smart Agent, 4. NT-Collector Smart Agent, 5. Flex Agent), ArcSight Database Server, ArcSight Console, SESA (Symantec Enterprise Security Architecture), SHIDS (Symantec Host Intrusion Detection System), Windows 2000, 2003 and NT SOx servers; Unix, AIX, Linux, Solaris and AS400 SOx servers; Oracle, Oracle 9i, DB2, MySQL, SQL Server 2000; SNORT IDS, Checkpoint Firewall, SOx Compliance, Policies, Standards, Regulations and Guidelines.
My responsibilities are:
• Working as a Security Analyst in SOX Event Monitoring team managing 1500+ SOX servers (Win2k/Win2k3, Linux, Solaris, AIX, and AS400) for Shell GEMS. These servers are based in USA (Houston), Europe (Netherlands), and Asia Pac (CBJ).
• Handling Symantec Enterprise Security Architecture (SESA) and Arcsight Enterprise Security Manager for the locations in USA, Europe, and Asia Pacific.
• Traveled to the USA to set up the SIM system, analyze the events, validate rules and customize the parser files and ArcSight agents for the Shell environment.
• Designed, deployed, configured and integrated the ArcSight SIM with the SOx servers.
• Tested Proof of Concept for SESA Integration with Arcsight Environment.
• Installation, Integration and configuration of SHIDS agent and Arcsight Smart Agent.
• Various SOx systems (more than 3000 servers) are integrated with ArcSight to report their security events (e.g. OS: Windows 2000, 2003 and NT SOx servers, Unix, AIX, Linux, Solaris and AS400; Database: Oracle, Oracle 9i, DB2, MySQL, SQL Server 2000).
• Mapping SOX Controls to Arcsight Rules and filters to normalize and Correlate the raw events.
• Troubleshooting and resolving Arcsight and SESA problems. Validating the setup and identifying the false positive.
• Various customized reports (Executive report, SOx compliance effectiveness report, Trend Analysis report, etc.) are configured on ArcSight SIM.
• Monitoring and Analyzing the SOX Servers Events using Arcsight Console.
• Inducting the analyst regarding Process, ticket creation and technical knowledge.
• Coordinating the Incident and change management.
• Scheduling reports on a weekly and monthly basis. Documenting the technical and process activities.
Project –6 HIPS (Host Intrusion Prevention System) Design and Deployment
Major Retail (Albertson), USA – (July 05 – Aug 05)
Role: Project Lead/Security Consultant
Summary: This assignment involved the design, installation, integration, management and administration of the McAfee Entercept Host Intrusion Prevention System for more than 3000 servers.
Environment: McAfee® Entercept® Management System, McAfee® Entercept® agents, Windows 2000, 2003 and NT Servers Unix, Linux, Solaris servers, Oracle 9i and SQL Server 2000.
My responsibilities are:
• Generating the necessary attacks and ethical hacking methods in a controlled environment to validate and customize the HIPS signatures.
• Installed and administered the McAfee® Entercept® Management System.
• Installed the McAfee® Entercept® agents on various servers to protect against zero-day and known attacks.
• Evaluated and implemented the behavioral rules for various agents and integrated the agents with the Entercept® Management System.
• Installation, Integration and configuration of Entercept® agents globally.
• Created the system and base line configuration document.
Project –7 SOx Monitoring thru SESA
Oil and Natural Gas Company (SHELL), UK – (Aug 04 – June 05)
Role: Project Lead/Associate Consultant
Summary: The customer had a mandate to comply with Sarbanes-Oxley (SOx), and hence the top priority was to achieve compliance readiness in a short time period. The customer had an existing SESA environment. The assignment involved understanding the SOx requirements and configuring and maintaining the system for SOx compliance using SESA (Symantec Enterprise Security Architecture).
Environment: Enterprise Security Manager (ESM), Symantec Enterprise Security Architecture (SESA), SHIDS - Symantec Host Intrusion Detection System, OS - AS/400, HP-UX, IBM-AIX, Linux, Sun Solaris, Unix, Windows 2000, Windows 2003 Server, Windows NT, DB2, Oracle 9i, Security Incident Management, Security Operations Management, Information Security Consulting, SOx Compliance.
My responsibilities are:
• This assignment involved architecting the solution, managing and administering the Symantec ESM (Enterprise Security Manager) and SESA (Symantec Enterprise Security Architecture).
• Conducted internal and external vulnerability assessments.
• Enterprise Security Manager system was evaluated and implemented.
• Assisted in the development of enterprise information security policies and Standards.
• Customized and configured the SESA policies and rules for the Shell environment to capture the compliance events.
• Checking multiple systems simultaneously for deviations such as missing OS patches, inappropriate user password settings, unauthorized privileges, incorrect file access, changes to security settings, and incorrect configurations.
• Installed, Integrated and configured the Symantec ESM globally.
• ESM Policies created to evaluate network vulnerabilities and security policy violations.
• Enterprise-wide intrusion detection / prevention (SHIDS) Solution is implemented.
Project –8 Security Audit
India’s Number 1 Forging Company (Bharat Forge Ltd), India – (June 04 – July 04)
Role: Specialist Security Solutions / Security Auditor
Summary: This engagement involved vulnerability assessment for the App Servers, Database Servers, File Servers, Mail Server and the entire network. The Cisco PIX Firewall policy was reviewed, logs were reviewed and incidents analyzed. A security audit report was submitted covering all the possible loopholes and workarounds. An ISMS implementation roadmap was prepared and submitted to the client.
Environment: A number of application servers including App Servers, Database Servers, File Servers and Mail Servers, Cisco PIX Firewall, Cisco IOS and around 800 desktops with Windows 3.1/95/98/2K/NT/XP, IT Infrastructure Audit Management, Information Risk Management, Security Incident Management, Security Operations Management, Technical Documentation, BS 7799, OS Hardening, Regulatory Compliance, Risk Assessment, various vulnerability analysis and assessment tools.
My responsibilities are:
• The IT infrastructure of the organization includes a number of application servers, a firewall and around 800 desktops.
• Performed a detailed security audit including the Vulnerability Assessment of business critical servers (App Servers, Data Servers, File Servers and Mail Server).
• GAP analysis of corporate standards with Industry standard regulations such as ISO 17799
• High Level Risk Assessment for CRM Application system
• OS Vulnerability Assessment and Database Vulnerability Assessment.
• Threat analysis
• Impact analysis
• Firewall policy reviewing
• Client interaction and Stakeholder information capture and documents review
• Assessment of efficacy of existing controls
• Development of policies and procedures
• Policy Discussion with business managers
• BS 7799 based Security Assessment Audit of Infrastructure including Vulnerability Assessment
• Present audit findings to Management
• Recommendations with secure architecture design
• IT and Business Process Assessment with reference to BS 7799 Standards
• Submission of reports and imparting security awareness training to customer
• Implementation Road Map for Compliance
Project –9 BS7799 ISMS Building
A leading newspaper company (Malayala Manorama), India – (April 04 – May 04)
Role: Specialist Security Solutions / Security Auditor
Summary: This engagement involved building Information Security Management system in accordance with the BS 7799:2002 – Part 2 Specifications for the client.
Environment: BS 7799:2002 – Part 2 Specifications, ISMS Framework, Security Audit, various vulnerability analysis and assessment tools, Asset management, Risk assessment and management.
My responsibilities are:
• Build ISMS Scope
• Risk Assessment Conducted
• Review of Internal Controls
• Develop Risk Treatment Plan
• Statement of Applicability
• New Internal Controls selection
• Develop narratives for network domain for controls mapping for general controls and network security controls
• Designed narratives and controls such as Automatic and manual reconciliation for interface programs between SAP and other applications
• Reviewing and developing Information Security Policies / procedures for the organization as part of an ongoing policy and procedure review.
• Regular interaction with client enabling the refinement of policies / procedures over a period of time
• Building ISMS for BS7799
• Recommending products and technologies to adopt countermeasures based on the Gap Analysis, enabling Malayala Manorama for third-party audit for BS7799.
• Testing and documenting the Risk, Expected Control, Actual Controls and Gaps within the IT Process/Application/Application interfaces. Developed a risk and control library for the information security discipline.
• Design Baseline Controls and Controls Assessment after Corporate Risk assessment
• Provide Risk and controls matrix for enterprise automated risk assessment and risk reporting
• Development of risk control framework and enterprise risk assessment methodology
• Compliance assessment on content of Risk Control library for corporate.
• BS 7799 GAP analysis
• Inspecting the setup for ISMS compliance.
Project –10 Security Audit, Incident review and Firewall Policy design and deployment.
Software / Embedded designers & program developers, (Honeywell Ltd), India – (Feb 04 – March 04)
Role: Specialist Security Solutions / Security Auditor
Summary: The IT infrastructure of this enterprise includes Web servers, File Servers, Firewalls and around 1500 desktops. This assignment involved a detailed security audit, incident review and firewall policy design and deployment.
Environment: App Servers, Data Servers, File Servers, Mail Server and 1500 desktops spread over two remote offices and one HO. IT Infrastructure Audit, Information Risk Assessment and Management, Security Incident Management, Information Security Consulting, NMAP, Nessus, OS Hardening, Penetration Testing, Policy Definition, Security Awareness, Vulnerability Assessment, Information Security - Policy & Process, Network Audit, Security Audit, Risk Assessment, Incident review on SQL 2000 Server.
My responsibilities are:
• Performed a detailed security audit including the Vulnerability Assessment of business critical servers (App Servers, Data Servers, File Servers and Mail Server).
• Overall security audit and VA done for the IT infrastructure, consisting of 2 remote offices and one HO with different networks and two firewalls.
• Assessment of efficacy of existing controls
• Design Secure Architecture
• Policy Discussion with business managers
• Design of Policy and Procedures
• OS Vulnerability Assessment
• Database Vulnerability Assessment
• Enterprise Firewall policy creation
• Deployment of NetScreen Firewall in load sharing mode and implemented Defense-in-depth.
• Training on Firewall administration to the IMG Team
• The SQL Server incident was analyzed in detail; workarounds and suitable solutions were put in place to avoid such incidents in future.
Project –11 BS7799 ISMS Building AND Covert Channel analysis
Banking industry (Not to disclose the client name as per NDA), India (Oct 03 – Jan 04)
Role: Specialist Security Solutions / Security Auditor
Summary: BS7799 ISMS Building AND Covert Channel analysis to the incident reported by the client.
Environment: (Not to disclose the environment of the client as per NDA)
My responsibilities are:
• Performed the application-level covert channel analysis. Real-time incident information and logs were captured and evidence was documented. The final report was presented to top management, and the illegitimate information flow was successfully stopped, assuring data confidentiality. (NDA – won't be able to discuss this assignment further.)
• Build ISMS Scope
• Provide Risk and controls matrix for enterprise automated risk assessment and risk reporting
• Development of risk control framework and enterprise risk assessment methodology
• Risk Assessment Conducted
• Review of Internal Controls
• Develop Risk Treatment Plan
• Statement of Applicability
• New Internal Controls selection
• Reviewing and developing Information Security Policies / procedures for the organization as part of an ongoing policy and procedure review.
• Building ISMS for BS7799
• Design Baseline Controls and Controls Assessment after Corporate Risk assessment
• Inspecting the setup for ISMS compliance.
Project –12 Application Resources Optimization Solution
Kirloskar Oil Engines Limited, India – (Sep 03 – Sep 03)
Role: Security Solutions Architect
Summary: This engagement involved decreasing the number of servers used for the Oracle database and increasing performance.
Environment: Netscaler, Strong knowledge on TCP/IP, Windows 2000, Windows 2003 Server, Windows NT, Oracle 9i Servers, Web Server, ERP Application servers, Load balancing, Business Continuity Planning, Business Process Management.
My responsibilities are:
• Netscaler is configured for load balancing the Oracle Servers.
• Load balancing tried with multiple methods such as least load, round robin and least number of TCP/IP connections.
• This increased the usability of the Oracle servers and reduced the number of Oracle servers required. Netscaler's unique TCP/IP handling technology plays a key role in increasing overall service performance.
• So the entire system performance is enhanced.
Project –13 Integrated Messaging Solution and Gateway Security Solution
Leading software development firm, (Persistent Systems Pvt Ltd), India – (June 03 – Aug 03)
Role: Security Solutions Architect
Summary: This engagement involved setting up 10000 mailboxes for the enterprise users in a well-secured and cost-effective environment. An integrated messaging solution was provided with a Mirapoint appliance, and the gateway and perimeter security solution was designed and deployed.
Environment: Mirapoint Appliance, Firewalls - 8 NetScreen units, NetScreen Network Intrusion Prevention System, 10000 mailboxes, 3000 desktops and 50 Servers, Information Security Consulting, Capacity Planning and sizing, Network Security, IT Consultancy.
My responsibilities are:
• The entire network, consisting of around 3000 desktops and more than 50 servers, was fully secured by framing a very tight layered security architecture.
• Framed and deployed the multi-zone and multi-layer security solution with firewalls, HIDS and NIDS.
• An integrated messaging solution designed and deployed with Mirapoint.
• User-level training was organized and documentation provided.
• NetScreen firewall and IDP sizing was done; the gateway security solution was designed and proposed with 8 NetScreen firewalls in online fallback configuration and one NetScreen IDP.
Project –14 Enterprise Security Solutions and Antispam Project
A Leading private cellular player in India (IDEA Cellular Ltd), India (Jan 03 – May 03)
Role: Specialist – Security solutions
Summary: The enterprise needed its security policy reviewed at regular intervals and consultancy on demand to maintain the network security of the enterprise.
Environment: NetScreen Firewalls with multi-zoning architecture, IronPort, Netscreen SSL VPN Appliance, Trend Micro, Content Management, Security Operations Management, Access Control & Single Sign On, Information Security Consulting, Policy Definition, Capacity Planning and sizing, Network Security.
My responsibilities are:
• Providing the consultancy on demand to maintain the networking security of the enterprise.
• Recommending the security policy modifications to mitigate the latest risks in the security domain.
• The security architecture was redesigned according to the current requirements, and firewall policies were constructed and reviewed against firewall log files for any attacks and intrusions.
• Firewall has been configured for the core security with multi-zoning architecture.
• Policies are defined and modified for the current requirement.
• VPN solution deployed for the 4 circles (branches) from the NetScreen Firewall.
• Policy revision and system security analysis done at regular time intervals.
• Root Cause Analysis for the issues faced on day-to-day activity by the client.
• Disaster recovery and contingency plan executed at regular time intervals to ensure the availability of the system.
• NetScreen firewall upgrade done.
• Ironport is successfully evaluated for the AntiSpam solution. This includes AntiSpam service for more than 150,000 mails per day of the corporate mail users.
• Netscreen SSL VPN deployed in a multi-location primary-backup setup for single sign-on and secure remote access to the business critical applications.
• Support to the TrendMicro gateway antivirus setup.
Project –15 ISP Backbone Security
A Leading ISP (HCL Infinet Ltd), India (May 01 – Dec 02)
Role: Project Leader / Tech Lead
Summary: A very large ISP setup with a combination of partial mesh and full mesh networks. The total network had to be secured from external and internal attacks.
Environment: Checkpoint Provider-1, Checkpoint Firewall, Symantec Norton Antivirus with Primary and Secondary Server, Fortigate Firewall, eTrust IDS, SolarWinds, Websense, ISS real secure IDS, Content Management, IP Network Planning, IT Operations Management, IT Project Management, Network Operations Management, Security Incident Management, Security Operations Management, Information Security Consulting, OS Hardening, Policy Definition, Security Awareness, Frame Relay, High Availability, Layer -2 Switch, N/W Management, TCP/IP, ATM Switching, Cisco LAN Switch, Cisco Routers, IP Routing, IPv6, ISS RealSecure IDS, Information Security - Policy & Process, Juniper Routers, Microsoft Exchange Server and other Networking Products.
My responsibilities are:
• Evaluation of Checkpoint Provider-1 for Core Security
• Three Checkpoint gateways at the core layer and Internet peering points are managed with Checkpoint Provider-1.
• Ongoing management and support for Checkpoint NG.
• Content Filtering, Email Filtering, URL Filtering and other policy development according to the requirement.
• Distribution Model Setup
• Symantec Antivirus - Integration with Global Server, Primary Server and Client mode.
• Fortigate Firewall – Configured as a Gateway for Noida – HO site, with the security policy defined for Content filtering, Email filtering, URL filtering and Inbuilt IDS.
• SolarWinds software integrated with the firewall to collect the logs; logs are validated periodically.
• Firewall policies are reviewed and modified as per change management to protect the entire setup from the latest attacks.
• Content filtering logs are also utilized to monitor employee activity and to avoid misuse of Internet and mail.
• Firewall-level authentication enabled to access the various business critical servers.
• Incident reviewing & monitoring and validating the effectiveness and implementation of WAN Security, Application Security, Remote Access security, etc.
• Successful evaluation of eTrust IDS to monitor intrusion activities and perform network traffic analysis for HO.
• ISS Real Secure IDS is installed and configured to monitor the network related intrusions.
• Validating the effectiveness of internal controls for the collocated client servers and routers.
• Providing recommendations on Information Security policy to the firewall administrator.
• Worked with internal audit team to meet the requirements of BS7799 standard and roadmap for ISMS implementation was projected to the manager.
Project –16 Enterprise Networking Security and VPN Solution
Leading tyre manufacturer (Apollo Tyres Pvt Ltd), India (Nov 2000 – March 01)
Role: Project Lead
Summary: Information security at HO was designed with PIX firewalls and a Cisco VPN Concentrator. PIX firewall policies were derived considering all the business requirements and security standards and guidelines.
Environment: Cisco PIX Firewall on HA Mode, Cisco VPN 3000 Concentrator, Cisco LAN Switch, Cisco Routers, IP Network Planning, IT Operations Management, IT Project Management, Network Operations Management, Solutions Management, Cisco PIX, Information Security Consulting, Frame Relay, High Availability, ISDN, Layer -2 Switch, TCP/IP, IP QoS, IP Routing, Network Security.
My responsibilities are:
• Cisco PIX Firewall 515-E in Hot Standby Mode for core security and Cisco 3745 configured as a packet filter firewall.
• Prevention of well-known attacks is configured; the security policy and logs are reviewed and correlated periodically and policies are modified accordingly.
• Corporate VPN policy for Secure Remote Access VPN is designed and deployed with Cisco 3000 Concentrator.
• More than 300 sites connected over VPN to HO in a hub-and-spoke model.
• Site-to-Site IPSec and layered Security at Head Office are deployed.
• Contingency Plan is planned and executed for the gateway security solution provided by Pix Firewall in Hot Standby Mode.
Project –17 Public Key Infrastructure (PKI)
ELGI Equipments Ltd, India (Aug 2000 – Oct 2000)
Role: Project Lead
Summary: Implementing Public Key Infrastructure to provide the secure data flow between the sites over shared network environment by ensuring the data authenticity, integrity and confidentiality.
Environment: Cisco PIX Firewall, IPSec, Cryptography, Information Security Consulting, Cisco LAN Switch, Cisco Routers, Win 2000 Server configured as CA Server, Windows 2000 Active Directory Server, Project management.
My responsibilities are:
• Cisco PIX Firewall 515E is deployed to provide robust user and application policy enforcement, multivector attack protection, and secure connectivity services.
• Cisco Pix Firewall 515-E is configured as per the enterprise policies.
• Site-to-Site VPN is configured between Cisco PIX Firewall to Cisco Routers at Branch offices.
• Internal Certificate Authority primary server and backup servers are configured using Win 2000 Server.
• Pix Firewall and the remote office routers are integrated with Certificate Authority server.
• Private keys are configured in the router and PIX Firewall.
• Public keys are kept with the CA server.
• IPSec tunnels are configured to use the PKI for authentication between PIX Firewall at HO and routers at remote offices.
Project –18 Disaster Recovery Network Design and Implementation
Bank Of Rajasthan, India (May 2000 – July 2000)
Role: Project Leader
Summary: Bank required a DRN Solution to keep the business continuity at the networking level.
Environment: DRN (Disaster Recovery Network), Business Continuity Planning, Disaster Recovery Planning, ISP backbone configuration, Project management.
My responsibilities are:
• Disaster site network solution framed between the primary sites at Jaipur and the DRN site at Indore.
• Configuration in HCL InfiNet ISP backbone and routing is planned and configured.
• DRN network solution deployed.
• Contingency and disaster plan successfully executed and tested.
Project –19 VPN Design and Deployment with IPSec
ITC, India (July 1999 – April 2000)
Role: Project Leader
Summary: VPN solution framework with IPSec Security for about 6 divisions and 250 branch offices.
Environment: Frame Relay, H.323, High Availability, ISDN, LAN Workplace, Layer -2 Switch, N/W Management, Wireless N/W, Cisco Routers and switches, ISP backbone configuration, IPSec Technology, Checkpoint firewall, Project management.
My responsibilities are:
• VPN solution framework with IPSec Security designed and implemented for about 6 divisions and 250 branch offices spread all over India.
• Partial mesh VPN topology with point-to-point links and VPN solution framework designed and deployed for more than 250 locations and 7 Divisional HQs.
• IPSec VPN Solution deployed between branch offices to Division HQ.
• IPSec over GRE tunnels are configured between DHQ to Corporate HQ.
A few more projects handled in different domains are listed below.
Solution Name: Proposals for Information Security Frameworks
Client Name: Tata Motors, India, Idea Cellular, India
Tool Used: Clear documentation and proposal documentation on the customer's Intrusion Detection and Prevention (IDP) requirements. Netscreen IDP and ISS products were evaluated.
Solution Name: Internal Benchmarking and validating the security products
Client Name: Clients for Wipro Technologies Ltd and Apara Enterprise Solutions (P) Ltd.
Tool Used: Various security devices are validated in a controlled environment and the best product for the customer environment was suggested and promoted.
Solution Name: Bandwidth Optimization Solution
Client Name: AESSEAL, Bajaj Alliance, WNS and Emphasis, India.
Tool Used: Peribit
Solution Name: Bill Of Material Validation
Client Name: Enterprise Solutions provided by HCL Infinet to their Customers.
Tool Used: Understanding the solution and validating the Bill of Material (BoM) estimated for that.
Solution Name: Corporate VPN Solution Design, Deployment and Support
Client Name: ITC, LG Electronics Ltd, Manipal Hospitals, Gabriel, Kone Elevators, Airport Authority Of India, Air Deccan Aviation, etc. India.
Tool Used: VPN Technology, Routers, Layer Three and Two Switches, HCL Infinet Backbone.
E-Mail: nathan_thilse@yahoo.com
Summary:
Overall 10 years of experience in Information Security with specialization in enterprise-level security consulting services spanning from security framework design to IS audits.
Well experienced in developing corporate Information Security policies, processes, procedures and technical controls for many enterprise clients to meet compliance and standards requirements.
Strong knowledge on translating the compliance and standards requirements to the technical controls and configurations.
Expertise in design, deployment and managing the security solutions in the areas of Managed Security Solutions, IT operations management, Information Security Management System (ISMS), Security Incident management (SIM) systems.
Specialized on ArcSight, Symantec Enterprise Security Manager (ESM), Network Intelligence and SESA.
Experienced in integrating multiple OS, database and other applications with SIM.
Well experienced in planning, deploying, configuring and managing the SOx monitoring, privileged user monitoring and security monitoring solutions for clients based out of the USA and UK.
Performed Information Security Risk Assessments and Risk management at the Enterprise level.
Excellent knowledge and experience in Information Systems Security Auditing, (ISO27001) BS7799 Implementation as well as auditing, building ISMS inline with information security standards and industry best practices.
Has worked on few SOX 404 assignments in the US (Shell – Richmond and Capitalone – Virginia)
Worked closely with internal and external audit towards regulatory requirements and compliance objectives
Strong technical aptitude with exceptional talent in training and development and an ability to effectively translate technical information and procedures to end-users.
Understanding the customer’s pain area and resolving with perfect solutions.
Drafted RFPs and formal proposals for various Information Security solutions for USA and UK based clients.
Validated the various security products for the different customer requirements and recommending the suitable and cost effective products for the optimal solutions.
Well experienced on planning and executing the compliance related and other security projects for the corporate clients.
Excellent project management skill set; executed more than 75 enterprise-level projects in the span of 8 years.
Well experienced on Vendor management, Support and service team management, Logistics management, SLA management.
Information Security designed and implemented for various business verticals such as Banking, Manufacturing, Oil and Gas, Government, Aviation, ISP, Telco, BPO, Software and Services industry, etc.
Skill sets:
Process
IS Audit Planning, Execution, Audit Documentation and Reporting
Review Internal Controls implemented for PCI-DSS, SOx compliance, ISO27001 standards and enterprise security
Design, Implement and manage the framework inline with ITIL for ISO 27001, PCI-DSS, Sox monitoring, Security Risk office and PUM
IT Risk Assessment and Management
Interview, evidence gathering and analysis
Business Continuity Plan development and Assessment
Information technology & Information security management system (ISMS)
Auditing (IT Security, Standards, Controls, Best Practices and Regulatory Compliance)
Exposure to ISO 27001, PCI-DSS, SOx, HIPAA, CoBiT, COSO, Basel II, the World Bank Technology Risk Checklist and ITIL
Compliance Audits
Manual Auditing (Process Mapping)
Application walkthroughs.
Trend analysis to capture the interesting events under regulatory compliance
Analysis and Management
Business Analysis
Project Management
Expertise solutions and products:
Security Information Management solutions: Arcsight, Network Intelligence envision, Symantec SIM, Symantec (Enterprise Security Manager) and Symantec Enterprise Security Architecture (SESA)
Secure communications: SecureID, IPSec, Encryption, SSH, SSL, Secure FTP, PKI, Digital certificates and signatures
Authentication, Authorization and Access Control: End-End Application Security, Enterprise Authentication and Authorization Web Services, Secure administration, RADIUS, SecureID, Single Sign-on (SSO)
Compliance and Auditing: PCI-DSS, Sarbanes-Oxley, Control Objectives for Information and Related Technology (COBIT), ISO27001, HIPAA, COSO, Basel II, the World Bank Technology Risk Checklist and industry best practices like ITIL
Information Security Policies and Procedures: Policies, Standards, Guidelines, Technical controls, workflows and procedures.
Host Assessment tools: NetIQ and Symantec Enterprise Security Manager (ESM)
Messaging Security: IronPort – Email Security product, Symantec Brightmail Antispam, Mirapoint Secure Email Server
Authentication: Cisco Secure Access Control Server (AAA Server), Certificate Authority Server – Microsoft Windows ISS Server, RSA – Secure ID and Single sign on Products
Patch management: Shavlik, Marimba and SUS
Intrusion Detection and Prevention tools: eTrust, ISS – Proventia A, G and M Series of Products, Netscreen IDP, Entercept Host Intrusion Prevention System, Symantec HIDS
Assessment Tools: ISS (Internet scanner, Network Scanner, Database Scanner), Nmap, Nessus, Retina, Super Scan
Other Tools: Brutus, Solar Winds, Quick Spoof, CIA, Ethereal and other packet analyzers, Ghost
End Point Security: Cisco Security Agent (CSA), NIS, Norton Personal Firewall
Ticketing system: OTRS with SQL
Firewalls and DMZ configurations: Cisco PIX, Check Point NG & AI, Netscreen, Fortigate, Checkpoint Provider1.
Virtual Private Networks and Remote Access: Cisco VPN, Nortel Contivity, SSL VPN, RAS, Netscaler, Juniper SSL VPN Appliance, Cisco VPN Concentrator Series, Cisco and Intel VPN Clients, Checkpoint Secure remote on Windows and various third party VPN products.
Resource optimizing solutions: Netscaler and Peribit
Monitoring, Filtering and Reporting: Websense, SurfControl, ISA, WebTrends
Antivirus: Symantec Norton Corporate Edition, Symantec Anti Spam, Trend Server Protect 5.5 and McAfee
Anti Spam Solutions: IronPort, BrightMail
Wireless Technologies: Cisco's LEAP, IEEE 802.11b standard, WAP protocol.
Planning, development, implementation and review of information security and documentation.
Web Servers - Apache, IIS
Networking - TCP/IP, NFS, Telnet, FTP, DNS, DHCP, NAT, ipconfig, route, netstat
Routing, Switching, Layer 2 and Layer 3 VLAN
Project management Systems: Microsoft Project 2000, Project Scheduler Ver 8.0
Operating systems integrated and managed for security events: Windows 2000, 2003 and NT SOx Servers, Unix, AIX, Linux, Solaris and AS400
Databases integrated and managed for security events: Oracle, Oracle 9i, DB2, MySQL, SQL Server 2000, VB Scripts
Applications integrated and managed for security Events: Powerbroker, Ironport, IDP, IDS, Routers, and Switches, Firewall.
Workshops / Trainings attended
Certified Ethical Hacker - Trained at Asian School of Cyber Laws, Pune.
Trained on Arcsight and Network Intelligence
Trained on effective presentation skills at Richmond, USA
Trained on Antispam solutions by Ironport, USA.
Boot Camp on Application Architecture and Analysis of Symantec NAV and NIS, Aug-2005
Appearing for CISSP and Pursuing PMP training
Accreditations:
BS ISO/IEC 27001:2005 Lead Auditor
SANS GIAC Payment Card Industry (GPCI) – From SANS – No:403
IT Service Management Foundation – ITIL Exam from Exin
CoBiT based IT Governance Foundation Exam
156-210.4 Check Point Certified Security Administrator NG – AI (CCSA)
Cisco Secure PIX Firewall Advanced Exam (CSPFA 642-521) – Appeared and Scored 743
Cisco Certified Network Associate (CCNA 640-607) – CSCO10682369
Checkpoint Firewall1 Administration Certificate from Brain Bench.
Education:
Bachelor of Engineering (Electrical and Electronics) from University of Madras, India.
Diploma in Electrical and Electronics from Directorate of Technical Education, India.
Key Projects
A Major Insurance Company, Madison, USA – (June 07 Till Date)
Role: Project Manager
Currently, I am handling multiple projects.
Project –1 Audit Remediation Project – Security Access Reporting
Summary: This engagement included the audit remediation for the financially critical systems; interim solution planning and design; and implementation and training of the team and Business System Owners (including business vertical directors, application owners and senior management staff) on security access reporting. Ensure that the gap identified in the internal audit is resolved.
Environment: Security access reporting, Project management, PCI, ISO 27001, UNIX, AIX, Linux, AS400, DB2, SQL Server 2000, VB Script, VB 6.0, Team System, MS Project, Compliance Gap analysis report, Policies, Standards, Regulations, Guidelines, Industry best practices.
My responsibilities are:
• Understood the audit gaps and requirements based on corporate policy, ISO 27001 standards and PCI standards
• Proposed a cost-effective solution as the interim solution.
• Project management methodology followed: Assess Phase, Initiate Phase, Plan Phase, Execute Phase, Control Phase, Transition and Stabilize Phase, Signoff and Close Phase.
• Gate review with Sr. Management on every phase completion
• Project executed in 4 major modules: Data Stream, Reporting Stream, Attestation Stream and Training/Awareness Stream
• Information gathered from various verticals of business including IT
• Identified and documented the requirements from Privacy leaders and internal auditors
• Designed the interim automated solution for Security Access Reporting and deployed programmers to develop it. Process and procedure documents were prepared and the team was trained.
CUNA Mutual Group, Madison, USA – (June 07 Till Date)
Project –2 IAM – Identity and Access Management
Role: Business Analyst
Summary: Define processes, technologies, and policies to manage digital identities and specify how they are used to access resources across the various platforms and the 37 financially significant applications. Implementing a state-of-the-art and cost-effective IAM solution for the hybrid and complex access environment.
Environment: Identity and Access management, Project management, PCI, ISO 27001, UNIX, AIX, Linux, AS400, DB2, SQL Server 2000, 37 financially significant applications, Team System, MS Project, Compliance Gap analysis report, Policies, Standards, Regulations, Guidelines, Industry best practices.
My responsibilities are:
• Analysis of the financially significant applications and understanding their identity and access management methodology
• Information gathering on business, IT and operational roles, and on personnel and financial data access
• IAM product identification, benchmarking, testing and selection
• Implementing the IAM Product and integrating the hybrid and complex set of financial significant applications with the IAM product.
• Process, procedure and documentation for the complete IAM project
CUNA Mutual Group, Madison, USA – (Nov 07 – Dec 07)
Project –3 Data Loss Prevention Project - Demo
Summary: Discover and protect data at rest, in motion, at the endpoint and exposed on centralized and decentralized file servers, SQL and Lotus Notes databases, desktops, laptops and other data repositories.
Environment: Data Loss Prevention, Vontu 6.0, PCI, ISO 27001, UNIX, AIX, Linux, AS400, DB2, SQL Server 2000, 37 financially significant applications, Team System, MS Project, Compliance Gap analysis report, Policies, Standards, Regulations, Guidelines, Industry best practices.
My responsibilities are:
• Design and implement the comprehensive security policies and rules
• Configuring the Vontu for the following action items:
Accurate detection of all data types and languages including Western and Asian character sets
Universal data security policy, detection, and enforcement
Automatic enforcement of data security policies: block, protect, quarantine, encrypt, and notify
Integrated reporting, remediation and workflow across data at rest, in motion, and at the endpoint
Business unit reporting on risk reduction and compliance
Project –4 Security monitoring and privileged user monitoring
CapitalOne, Richmond, USA – (Aug 06 – April 07)
Role: Project Manager/Security Consultant
Summary: This engagement included the framework development for Security Monitoring and Privileged User Monitoring; defining the process, procedure and documentation; and enabling the client to meet the SOx compliance audit requirements on security and privileged user security event monitoring.
Environment: Security event and privileged user monitoring, Network Intelligence enVision (SIM), OTRS ticketing system, PCI Standard, ITIL framework, Windows 2000, 2003 and NT SOx Servers, Unix, AIX, Linux, Solaris and AS400 SOx servers, Oracle, Oracle 9i, DB2, MySQL, SQL Server 2000, SNORT IDS, Checkpoint Firewall, Powerbroker, Ironport, IDP, IDS, Routers, Switches, Firewall, SOx Compliance Gap analysis report, Policies, Standards, Regulations, Guidelines, Industry best practices.
My responsibilities are:
• Framework development for security monitoring and privileged user monitoring to meet the PCI standards
• Defining the process in line with ITIL and other industry best practices
• Fine-tuning the Network Intelligence enVision SIM configurations for the client environment
• Defining the various reporting structures for the client and the analysts to analyze the events and reveal their trends.
• Analyzing the various security and privileged events reported from various OS, database, perimeter security products like firewall, IDS, IDP and Ironport.
• Coordinating with the SMEs (subject matter experts) and the audit team to reduce false positives and avoid system noise.
• Setting up the analyst team to do the analysis of events of interest
• Designed and implemented the ticketing system using OTRS to support the audit trail.
• Trained and led the analyst team to analyze the security and privileged events and to use the ticketing system for audit trails.
• Designed and integrated the Knowledge Base (KB) into OTRS.
• Handling the Change management, Incident management, Problem Management, Internal Audit, Quality assurance, Management reporting, Executive reporting on SOx events.
• Documented all the processes, procedures and activities performed in the project.
• Backup plan developed and tested to provide the audit trail supporting details on failure or loss of analysis data.
Project –5 SOx Monitoring
Shell, Houston, USA – (Aug 05 – July 06)
Role: Project Manager/Security Consultant
Summary: This engagement included the design, deployment and configuration of the security information management system (SIM) and the integration of the SOx servers (more than 3000 servers spread over USA, UK and CBJ), enabling the client to meet the SOx compliance audit requirements.
Environment: ArcSight Management Server 3.0 (SIM), ArcSight Smart Agents (1. AS400 JRN File Agent, 2. Syslog Smart Agent, 3. SESA Smart Agent, 4. NT-Collector Smart Agent, 5. Flex Agent), ArcSight Database Server, ArcSight Console, SESA (Symantec Enterprise Security Architecture), SHIDS (Symantec Host Intrusion Detection System), Windows 2000, 2003 and NT SOx Servers, Unix, AIX, Linux, Solaris and AS400 SOx servers, Oracle, Oracle 9i, DB2, MySQL, SQL Server 2000, SNORT IDS, Checkpoint Firewall, SOx Compliance, Policies, Standards, Regulations and Guidelines.
My responsibilities are:
• Working as a Security Analyst in SOX Event Monitoring team managing 1500+ SOX servers (Win2k/Win2k3, Linux, Solaris, AIX, and AS400) for Shell GEMS. These servers are based in USA (Houston), Europe (Netherlands), and Asia Pac (CBJ).
• Handling Symantec Enterprise Security Architecture (SESA) and Arcsight Enterprise Security Manager for the locations in USA, Europe, and Asia Pacific.
• Traveled to the USA to set up the SIM system, analyze the events, validate rules and customize the parser files and Arcsight agents for the Shell environment.
• Arcsight SIM designed, deployed, configured and integrated with Sox servers.
• Tested Proof of Concept for SESA Integration with Arcsight Environment.
• Installation, Integration and configuration of SHIDS agent and Arcsight Smart Agent.
• Various SOx systems (more than 3000 servers) are integrated with Arcsight to report their security events (e.g. OS: Windows 2000, 2003 and NT SOx Servers, Unix, AIX, Linux, Solaris and AS400; Database: Oracle, Oracle 9i, DB2, MySQL, SQL Server 2000).
• Mapping SOX Controls to Arcsight Rules and filters to normalize and Correlate the raw events.
• Troubleshooting and resolving Arcsight and SESA problems. Validating the setup and identifying the false positive.
• Various customized reports (Executive report, SOx compliance effectiveness report, Trend Analysis report, etc.) are configured on Arcsight SIM.
• Monitoring and Analyzing the SOX Servers Events using Arcsight Console.
• Inducting the analyst regarding Process, ticket creation and technical knowledge.
• Coordinating the Incident and change management.
• Scheduling reports on a weekly and monthly basis. Documenting the technical and process activities.
Project –6 HIPS (Host Intrusion Prevention System) Design and Deployment
Major Retail (Albertson), USA – (July 05 – Aug 05)
Role: Project Lead/Security Consultant
Summary: This assignment involved the design, installation, integration, management and administration of the McAfee Entercept Host Intrusion Prevention System for more than 3000 servers.
Environment: McAfee® Entercept® Management System, McAfee® Entercept® agents, Windows 2000, 2003 and NT Servers Unix, Linux, Solaris servers, Oracle 9i and SQL Server 2000.
My responsibilities are:
• Generating the necessary attacks and ethical hacking methods in a controlled environment to validate and customize the HIPS signatures.
• Installed and administered the McAfee® Entercept® Management System.
• Installed the McAfee® Entercept® agents on various servers to protect against zero-day and known attacks.
• Evaluated and implemented the behavioral rules for various agents and integrated the agents with Entercept® Management System
• Installation, Integration and configuration of Entercept® agents globally.
• Created the system and baseline configuration document.
Project –7 SOx Monitoring thru SESA
Oil and Natural Gas Company (SHELL), UK – (Aug 04 – June 05)
Role: Project Lead/Associate Consultant
Summary: The customer has a mandate to comply with Sarbanes-Oxley (SOx), and hence the top priority is to achieve compliance readiness within a short time period. The customer has an existing SESA environment. The assignment involved understanding the SOx requirements and configuring and maintaining the system for SOx compliance using SESA (Symantec Enterprise Security Architecture).
Environment: Enterprise Security Manager (ESM), Symantec Enterprise Security Architecture (SESA), SHIDS - Symantec Host Intrusion Detection System, OS - AS/400, HP-UX, IBM-AIX, Linux, Sun Solaris, Unix, Windows 2000, Windows 2003 Server, Windows NT, DB2, Oracle 9i, Security Incident Management, Security Operations Management, Information Security Consulting, SOx Compliance.
My responsibilities are:
• This assignment involved architecting the solution, managing and administering the Symantec ESM (Enterprise Security Manager) and SESA (Symantec Enterprise Security Architecture).
• Conducted internal and external vulnerability assessments.
• Enterprise Security Manager system was evaluated and implemented.
• Assisted in the development of enterprise information security policies and Standards.
• Customized and configured the SESA policies and rules for the Shell environment to capture the compliance events.
• Checking multiple systems simultaneously for deviations such as missing OS patches, inappropriate user password settings, unauthorized privileges, incorrect file access, changes to security settings, and incorrect configurations.
• Installed, Integrated and configured the Symantec ESM globally.
• ESM Policies created to evaluate network vulnerabilities and security policy violations.
• Enterprise-wide intrusion detection / prevention (SHIDS) Solution is implemented.
Project –8 Security Audit
India’s Number 1 Forging Company (Bharat Forge Ltd), India – (June 04 – July 04)
Role: Specialist Security Solutions / Security Auditor
Summary: This engagement involved vulnerability assessment for the App Servers, Database Servers, File Servers, Mail Server and the entire network. The Cisco PIX Firewall policy was reviewed, along with log review and incident analysis. A security audit report was submitted covering all the possible loopholes and workarounds. An ISMS implementation roadmap was prepared and submitted to the client.
Environment: A number of application servers including App Servers, Database Servers, File Servers and Mail Servers; Cisco PIX Firewall, Cisco IOS and around 800 desktops with Windows 3.1/95/98/2K, NT and XP; IT Infrastructure Audit Management, Information Risk Management, Security Incident Management, Security Operations Management, Technical Documentation, BS 7799, OS Hardening, Regulatory Compliance, Risk Assessment, various vulnerability analysis and assessment tools.
My responsibilities are:
• The IT infrastructure of the organization includes a number of application servers, a firewall and around 800 desktops.
• A detailed security audit was performed, including the Vulnerability Assessment of business critical servers (App Servers, Data Servers, File Servers and Mail Server).
• GAP analysis of corporate standards with Industry standard regulations such as ISO 17799
• High Level Risk Assessment for CRM Application system
• OS Vulnerability Assessment and Database Vulnerability Assessment.
• Threat analysis
• Impact analysis
• Firewall policy reviewing
• Client interaction and Stakeholder information capture and documents review
• Assessment of efficacy of existing controls
• Development of policies and procedures
• Policy Discussion with business managers
• BS 7799 based Security Assessment Audit of Infrastructure including Vulnerability Assessment
• Present audit findings to Management
• Recommendations with secure architecture design
• IT and Business Process Assessment with reference to BS 7799 Standards
• Submission of reports and imparting security awareness training to customer
• Implementation Road Map for Compliance
Project –9 BS7799 ISMS Building
A leading newspaper company (Malayala Manorama), India – (April 04 – May 04)
Role: Specialist Security Solutions / Security Auditor
Summary: This engagement involved building Information Security Management system in accordance with the BS 7799:2002 – Part 2 Specifications for the client.
Environment: BS 7799:2002 – Part 2 Specifications, ISMS Framework, Security Audit, various vulnerability analysis and assessment tools, Asset management, Risk assessment and management.
My responsibilities are:
• Build ISMS Scope
• Risk Assessment Conducted
• Review of Internal Controls
• Develop Risk Treatment Plan
• Statement of Applicability
• New Internal Controls selection
• Develop narratives for network domain for controls mapping for general controls and network security controls
• Designed narratives and controls such as Automatic and manual reconciliation for interface programs between SAP and other applications
• Reviewing and developing Information Security Policies / procedures for the organization as part of an ongoing policy and procedure review.
• Regular interaction with client enabling the refinement of policies / procedures over a period of time
• Building ISMS for BS7799
• Recommending products and technologies for adopting countermeasures based on the Gap Analysis, enabling Malayala Manorama to undergo a third-party audit for BS7799
• Testing & Documenting the Risk, Expected Control, Actual Controls and Gaps within the IT Process/Application /Application interfaces. Develop Risk and control library for information security discipline
• Design Baseline Controls and Controls Assessment after Corporate Risk assessment
• Provide Risk and controls matrix for enterprise automated risk assessment and risk reporting
• Development of risk control framework and enterprise risk assessment methodology
• Compliance assessment on content of Risk Control library for corporate.
• BS 7799 GAP analysis
• Inspecting the setup for ISMS compliance.
Project –10 Security Audit, Incident review and Firewall Policy design and deployment.
Software / Embedded designers & program developers, (Honeywell Ltd), India – (Feb 04 – March 04)
Role: Specialist Security Solutions / Security Auditor
Summary: The IT infrastructure of this enterprise includes Web servers, File Servers, Firewalls and around 1500 desktops. A detailed security audit, incident review and firewall policy design and deployment were involved in this assignment.
Environment: App Servers, Data Servers, File Servers, Mail Server and 1500 desktops spread over two remote offices and One HO. IT Infrastructure Audit, Information Risk Assessment and Management, Security Incident Management, Information Security Consulting, NMAP, Nessus, OS Hardening, Penetration Testing, Policy Definition, Security Awareness, Vulnerability Assessment, Information Security - Policy & Process, Network Audit, Security audit, Risk Assessment, Security Audit, Incident review on SQL 2000 Server.
My responsibilities are:
• Detailed security audit performed, including the Vulnerability Assessment of business critical servers (App Servers, Data Servers, File Servers and Mail Server).
• Overall security audit and VA done for the IT infrastructure, which consists of 2 remote offices and one HO with different networks and two firewalls.
• Assessment of efficacy of existing controls
• Design Secure Architecture
• Policy Discussion with business managers
• Design of Policy and Procedures
• OS Vulnerability Assessment
• Database Vulnerability Assessment
• Enterprise Firewall policy creation
• Deployment of NetScreen Firewall in load sharing mode and implemented Defense-in-depth.
• Training on Firewall administration to the IMG Team
• The SQL Server incident was analyzed in detail. Workarounds and suitable solutions were put in place to avoid such incidents in future.
Project –11 BS7799 ISMS Building AND Covert Channel analysis
Banking industry (Not to disclose the client name as per NDA), India (Oct 03 – Jan 04)
Role: Specialist Security Solutions / Security Auditor
Summary: BS7799 ISMS Building AND Covert Channel analysis to the incident reported by the client.
Environment: (Not to disclose the environment of the client as per NDA)
My responsibilities are:
• Performed the application level covert channel analysis. Real time incident information and logs were captured and evidence was documented. The final report was presented to top management, and the illegitimate information flow was successfully stopped, assuring data confidentiality. (NDA – Won’t be able to discuss further on this assignment).
• Build ISMS Scope
• Provide Risk and controls matrix for enterprise automated risk assessment and risk reporting
• Development of risk control framework and enterprise risk assessment methodology
• Risk Assessment Conducted
• Review of Internal Controls
• Develop Risk Treatment Plan
• Statement of Applicability
• New Internal Controls selection
• Reviewing and developing Information Security Policies / procedures for the organization as part of an ongoing policy and procedure review.
• Building ISMS for BS7799
• Design Baseline Controls and Controls Assessment after Corporate Risk assessment
• Inspecting the setup for ISMS compliance.
Project –12 Application Resources Optimization Solution
Kirloskar Oil Engines Limited, India – (Sep 03 – Sep 03)
Role: Security Solutions Architect
Summary: This engagement involved decreasing the number of servers used for the Oracle database and increasing performance.
Environment: Netscaler, strong knowledge of TCP/IP, Windows 2000, Windows 2003 Server, Windows NT, Oracle 9i Servers, Web Server, ERP Application servers, Load balancing, Business Continuity Planning, Business Process Management.
My responsibilities are:
• Netscaler is configured for load balancing the Oracle Servers.
• Load balancing was tried with multiple methods such as least load, round robin and least number of TCP/IP connections.
• This increased the usability of the Oracle servers, and the number of Oracle servers required earlier was reduced. Netscaler's unique TCP/IP handling technology plays a key role in increasing overall service performance.
• So the entire system performance is enhanced.
Project –13 Integrated Messaging Solution and Gateway Security Solution
Leading software development firm, (Persistent Systems Pvt Ltd), India – (June 03 – Aug 03)
Role: Security Solutions Architect
Summary: This engagement involved setting up 10000 mailboxes for enterprise users in a well-secured and cost-effective environment. An integrated messaging solution was provided with the Mirapoint appliance, and the gateway and perimeter security solution was to be designed and deployed.
Environment: Mirapoint Appliance, Firewall - NetScreen (8 units), NetScreen Network Intrusion Prevention System, 10000 mailboxes, 3000 desktops and 50 Servers, Information Security Consulting, Capacity Planning and sizing, Network Security, IT Consultancy.
My responsibilities are:
• The entire network, consisting of around 3000 desktops and more than 50 servers, is fully secured by framing a very tight layered security architecture.
• Framed and deployed the multi-zone and multi-layer security solution with firewalls, HIDS and NIDS.
• An integrated messaging solution designed and deployed with Mirapoint.
• User-level training was organized and documentation provided.
• NetScreen firewall and IDP sizing was done. The gateway security solution was designed and proposed with 8 NetScreen firewalls in online fallback configuration and one NetScreen IDP.
Project –14 Enterprise Security Solutions and Antispam Project
A Leading private cellular player in India (IDEA Cellular Ltd), India (Jan 03 – May 03)
Role: Specialist – Security solutions
Summary: The enterprise needed to review its security policy at regular intervals and required on-demand consultancy to maintain the network security of the enterprise.
Environment: NetScreen Firewalls with multi-zoning architecture, IronPort, Netscreen SSL VPN Appliance, Trend Micro, Content Management, Security Operations Management, Access Control & Single Sign On, Information Security Consulting, Policy Definition, Capacity Planning and sizing, Network Security.
My responsibilities are:
• Providing the consultancy on demand to maintain the networking security of the enterprise.
• Recommending the security policy modifications to mitigate the latest risks in the security domain.
• The security architecture was redesigned according to the current requirements, and firewall policies were constructed and reviewed against the firewall log files for any attacks and intrusions.
• Firewall has been configured for the core security with multi-zoning architecture.
• Policies are defined and modified for the current requirement.
• VPN solution is deployed for the 4 circles (branches) from the NetScreen Firewall
• Policy revision and system security analysis done at regular time intervals.
• Root Cause Analysis for the issues faced on day-to-day activity by the client.
• Disaster recovery and contingency plan executed at regular time intervals to ensure the availability of the system.
• NetScreen Firewall upgrade done.
• Ironport is successfully evaluated for the AntiSpam solution. This includes AntiSpam service for more than 150,000 mails per day of the corporate mail users.
• Netscreen SSL VPN is deployed in a multi-location primary-backup setup for single sign-on and secure remote access to the business critical applications.
• Support to the TrendMicro gateway antivirus setup.
Project –15 ISP Backbone Security
A Leading ISP (HCL Infinet Ltd), India (May 01 – Dec 02)
Role: Project Leader / Tech Lead
Summary: A very big ISP setup with a combination of partial mesh and full mesh networks. The total network had to be secured from external and internal attacks.
Environment: Checkpoint Provider-1, Checkpoint Firewall, Symantec Norton Antivirus with Primary and Secondary Server, Fortigate Firewall, eTrust IDS, SolarWinds, Websense, ISS real secure IDS, Content Management, IP Network Planning, IT Operations Management, IT Project Management, Network Operations Management, Security Incident Management, Security Operations Management, Information Security Consulting, OS Hardening, Policy Definition, Security Awareness, Frame Relay, High Availability, Layer -2 Switch, N/W Management, TCP/IP, ATM Switching, Cisco LAN Switch, Cisco Routers, IP Routing, IPv6, ISS RealSecure IDS, Information Security - Policy & Process, Juniper Routers, Microsoft Exchange Server and other Networking Products.
My responsibilities are:
• Evaluation of Checkpoint Provider-1 for Core Security
• Three Checkpoint gateways at the core layer and Internet peering points are evaluated and managed with Checkpoint Provider-1.
• Ongoing management and support for Checkpoint NG.
• Content Filtering, Email Filtering, URL Filtering and other policy development according to the requirement.
• Distribution Model Setup
• Symantec Antivirus - Integration with Global Server, Primary Server and Client mode.
• Fortigate Firewall – Configured as a Gateway for Noida – HO site, with the security policy defined for Content filtering, Email filtering, URL filtering and Inbuilt IDS.
• SolarWinds software integrated with the firewall to collect the logs. Logs are validated periodically.
• Firewall policies are reviewed and modified as per change management to protect the entire setup from the latest attacks.
• Content filtering logs are also utilized to monitor employees' activity and to avoid misuse of Internet and mail.
• Firewall level authentication enabled to access the various business critical servers.
• Incident reviewing & monitoring and validating the effectiveness and implementation of WAN Security, Application Security, Remote Access security, etc.
• Successful evaluation of eTrust IDS to monitor intrusion activities and analyze network traffic for the HO
• ISS Real Secure IDS is installed and configured to monitor the network related intrusions.
• Validating the effectiveness of internal controls for the colocated client servers and routers.
• Providing recommendations on Information Security policy to the firewall administrator.
• Worked with internal audit team to meet the requirements of BS7799 standard and roadmap for ISMS implementation was projected to the manager.
Project –16 Enterprise Networking Security and VPN Solution
Leading tyre manufacturer (Apollo Tyres Pvt Ltd), India (Nov 2000 – March 01)
Role: Project Lead
Summary: Information security at HO was designed with PIX firewalls and a Cisco VPN Concentrator. The PIX firewall policies were derived considering all the business requirements and the security standards and guidelines.
Environment: Cisco PIX Firewall on HA Mode, Cisco VPN 3000 Concentrator, Cisco LAN Switch, Cisco Routers, IP Network Planning, IT Operations Management, IT Project Management, Network Operations Management, Solutions Management, Cisco PIX, Information Security Consulting, Frame Relay, High Availability, ISDN, Layer -2 Switch, TCP/IP, IP QoS, IP Routing, Network Security.
My responsibilities are:
• Cisco PIX Firewall 515-E in Hot Standby Mode for core security, and Cisco 3745 configured as a packet filter firewall.
• Prevention of well-known attacks is configured; the security policy and logs are reviewed and correlated periodically, and policies are modified accordingly.
• Corporate VPN policy for Secure Remote Access VPN is designed and deployed with Cisco 3000 Concentrator.
• More than 300 Sites over VPN connected to HO – Hub and Spoke Model
• Site-to-Site IPSec and layered Security at Head Office are deployed.
• Contingency Plan is planned and executed for the gateway security solution provided by Pix Firewall in Hot Standby Mode.
Project –17 Public Key Infrastructure (PKI)
ELGI Equipments Ltd, India (Aug 2000 – Oct 2000)
Role: Project Lead
Summary: Implementing Public Key Infrastructure to provide the secure data flow between the sites over shared network environment by ensuring the data authenticity, integrity and confidentiality.
Environment: Cisco PIX Firewall, IPSec, Cryptography, Information Security Consulting, Cisco LAN Switch, Cisco Routers, Win 2000 Server configured as CA Server, Windows 2000 Active Directory Server, Project management.
My responsibilities are:
• Cisco PIX Firewall 515E is deployed to provide robust user and application policy enforcement, multivector attack protection, and secure connectivity services.
• Cisco Pix Firewall 515-E is configured as per the enterprise policies.
• Site-to-Site VPN is configured between Cisco PIX Firewall to Cisco Routers at Branch offices.
• Internal Certificate Authority primary server and backup servers are configured using Win 2000 Server.
• Pix Firewall and the remote office routers are integrated with Certificate Authority server.
• Private keys are configured in the router and PIX Firewall
• Public keys are kept with the CA server.
• IPSec tunnels are configured to use the PKI for authentication between PIX Firewall at HO and routers at remote offices.
Project –18 Disaster Recovery Network Design and Implementation
Bank Of Rajasthan, India (May 2000 – July 2000)
Role: Project Leader
Summary: The bank required a DRN solution to maintain business continuity at the network level.
Environment: DRN (Disaster Recovery Network), Business Continuity Planning, Disaster Recovery Planning, ISP backbone configuration, Project management.
My responsibilities are:
• Disaster site network solution is framed between the primary site at Jaipur and the DRN site at Indore.
• Configuration in HCL InfiNet ISP backbone and routing is planned and configured.
• DRN network solution deployed
• Contingency and disaster plan successfully executed and tested.
Project –19 VPN Design and Deployment with IPSec
ITC, India (July 1999 – April 2000)
Role: Project Leader
Summary: VPN solution framework with IPSec Security for about 6 divisions and 250 branch offices.
Environment: Frame Relay, H.323, High Availability, ISDN, LAN Workplace, Layer -2 Switch, N/W Management, Wireless N/W, Cisco Routers and switches, ISP backbone configuration, IPSec Technology, Checkpoint firewall, Project management.
My responsibilities are:
• VPN solution framework with IPSec Security designed and implemented for about 6 divisions and 250 branch offices spread all over India.
• Partial mesh VPN topology with point-to-point links and VPN solution framework designed and deployed for more than 250 locations and 7 Divisional HQs.
• IPSec VPN Solution deployed between branch offices to Division HQ.
• IPSec over GRE tunnels are configured between the DHQs and Corporate HQ.
A few more projects handled in different domains are listed below.
Solution Name: Proposals for Information Security Frameworks
Client Name: Tata Motors, India, Idea Cellular, India
Tool Used: Clear documentation and Proposal documentation on Intrusion Detection and Prevention (IDP) requirement of the customer. Netscreen IDP and ISS products are evaluated
Solution Name: Internal Benchmarking and validating the security products
Client Name: Clients for Wipro Technologies Ltd and Apara Enterprise Solutions (P) Ltd.
Tool Used: Various security devices are validated in a controlled environment and the best product for the customer environment was suggested and promoted.
Solution Name: Bandwidth Optimization Solution
Client Name: AESSEAL, Bajaj Alliance, WNS and Emphasis, India.
Tool Used: Peribit
Solution Name: Bill Of Material Validation
Client Name: Enterprise Solutions provided by HCL Infinet to their Customers.
Tool Used: Understanding the solution and validating the Bill of Material (BoM) estimated for that.
Solution Name: Corporate VPN Solution Design, Deployment and Support
Client Name: ITC, LG Electronics Ltd, Manipal Hospitals, Gabriel, Kone Elevators, Airport Authority Of India, Air Deccan Aviation, etc. India.
Tool Used: VPN Technology, Routers, Layer Three and Two Switches, HCL Infinet Backbone.