Mob: Omar Atabani

(1)

1

Omar Atabani

Portfolio Summary:

Mr. Omar Atabani is a seasoned IT and Information Security Consultant; who has been in the IT industry for the last 17 years. Over the years, he has been providing clients across different borders and industries, with consultancy and training services in areas such as Business Continuity, Risk Management, IT Governance and ISO 27001. With a passion to help organizations achieving their goals he built a customer oriented mindset that allowed him to work closely with clients and help them achieve their objectives and goals. Mr. Atabani is known for his business process management skills and setting strategic plans for organizations to sustain their critical business operations. Mr. Atabani has been promoting Information Security and Business Continuity within the ME region for the last 7 years.

Mr. Atabani is a public speaker in different regional events such IDC, and BCI Middle East Summit. He is also associated with international organizations such as (ISC)2_, ISACA, BCI, BSI and EC|Council. Mr. Atabani is a certified CBCI/CISSP/CISM/CISA, CEH/ECSA/LPT trainer delivering IT & Security trainings in the US, Saudi Arabia, Jordan, Lebanon and other countries in the Middle East and Africa. He has taught internationally recognized certification programs such as CNE, MCSE, Security Principles, Network and Host Security, Ethical Hacking, ECSA/LPT, SSCP, Certified Information Systems Security Professional (CISSP) and BCI-CBCI courses. He worked as a Senior Consultant with different companies providing Professional Services and participating in different engagements with their respective customers.

(2)

2 Accreditation and Certifications:

•

Bachelor of Science in Management of Information Systems, Rochville

University, USA

• Certified Business Continuity Institute (CBCI)

• BS25999 Lead Auditor (BSI)

• Certified Information Systems Security Professional (CISSP), (ISC)2 • Certified Information Security Manager (CISM), ISACA

• Certified Information Systems Auditor (CISA), ISACA • Member of the BCI Middle East Working Group • Certified Ethical Hacker (CEH), EC-Council

• Certified Hacking Forensics Investigator (CHFI), EC-Council • EC-Council Certified Security Analyst (ECSA), EC-Council

• Juniper Networks Certified Internet Specialist (JNCIS-FWV), Juniper • Juniper Network Certified Internet Associate (JNCIA-IDP), Juniper • Microsoft Certified Systems Engineer (MCSE), Microsoft

• Certified Novell Engineer (CNE), Novell

• Certified and Authorized Instructor for the following:

 Certified Business Continuity Institute (CBCI)

 Ethical Hacking – CEH

 Certified Hacking Forensics Investigator – CHFI

 EC-Council Certified Security Analyst/Licensed Penetration Tester – ECSA/LPT

 Certified Information Systems Security Professional – CISSP

 Systems Security Certified Professional – SSCP

 Security Principles – SP

 Network & Host Security – N&H Security

 Microsoft – MCT

(3)

3 Standards and Frameworks

• BCI – GPG • BS 25999 • ISO 22301 • TOGAF 9.1 • ISO 27001 • NIST • ISO 31000 • COBIT • ITIL • ISO 20000

Public Speaking:

IDC IT Security Roadshow 2011, May 2011, Jeddah, Saudi Arabia. “Risk

Management in the Era of Mobile Devices”

IDC IT Security Roadshow 2011, June 2011, Riyadh, Saudi Arabia. “Risk

Management in the Era of Mobile Devices”

Application Security Technical Day, Dec 2010, Saudi Aramco, Dhahran, Saudi Arabia

“Secure Coding Case Study”

(4)

4 Detailed Experience:

Independent Consultant (02/2012-Current):

As a freelancing consultant/trainer, I have been providing clients within the region with different consulting and training services in area such as:

• Risk Management • Business Continuity • Security Assessments

• Policies and Procedure Development • ISO 27001 Implementations

• Information Security Governance

• Information Security Strategies and Roadmaps • Project/Program Management

My clients vary across different verticals such as, Government agencies, Oil and Gas, Petrochemical and Financial.

IT Security Training and Solutions (05/06-02/2012):

A leading IT Security company offering consulting service, security solutions, security training and Managed Security Services (MSS). While employed I played multiple roles over 5 years allowing me an exceptional exposure to multiples areas within information security.

Sr. Security Consultant: Participated in a number of projects as per the below:

o ISO27001 Implementation: Participated in multiple projects where

my role included:

 Develop Asset Registers.

 Develop Risk methodology that maps with the business needs.

 Define risk appetite.

 Conduct risk assessments.

 Develop Policies and Procedures.

 Develop management reports and presentations.

 Conduct ISO27001 Awareness sessions.

 Conduct Pre-audits.

 Help with the actual audit.

o Risk Management: Was part of teams involved in different projects

where my tasks were:

 Define Risk methodology as per the business needs.

 Develop the risk appetite.

 Identify assets for the business.

 Conduct risk assessment.

 Risk mitigation and treatment.

 Recommend controls where applicable.

 Assist in embedding the RM process within the organization.

o Business Continuity: Participated in multiple projects were my role

(5)

5

 Reviewing plans and ensures they meet the business needs.

 Ensure the BCM programs were in compliance with international best practices and standard such BCI-GPG and BS25999.

 Developing Policies and Procedures for the BCM

 Conducting BIA workshops.

 Developing Strategies and Response plans

 Conducting Awareness workshops.

 Managing the overall project.

o Vulnerability Assessment & Penetration Testing:

 Conducted a large number of internal/external, black/grey/white box VA and PT for different clients within the Middle East region.

 Assignments included Network, Systems, and application level testing.

 This was done using different methods and tools (Automated and Manual, open source/free, and property tools).

 Prepared final reports for customers (Executive as well as Technical detailed)

 Provided recommendations and methods on how to mitigate the identified vulnerabilities and risks.

 Clients varied from major banks, telecom companies, stock brokers, government agencies and services providers in Saudi Arabia and the Middle East.

 Conducted knowledge transfer workshops for client and internal staff when needed.

 Developed and enhanced where needed the internal process for conducting VA and PT within the organization and documented the major steps to be followed.

 Participated in vendors/tools evaluations.

Sr. Security Trainer: with the passion of training and sharing knowledge I was in this

role for the 5 years and through all the other roles I played while in the company. Part of the Academy where my tasks included:

o Pre-Sales Activities such as, writing proposals, conducting presentations. o Prepared and delivered different classes such as CEH, CISSP, Security

Principles, Network and Host Security, and more. o Developed Security Awareness Programs.

o Delivered Security Awareness workshops. (General Users, IT Staff and Management).

o Developed and customized material for customers as well as internally. o Conducted competency assessment for different teams within different

organizations.

(6)

6

o List of clients includes all verticals (Finance, Telecom, Oil & Gas, Service Providers, Government, Retail)

PMO Manager:For the duration of one year I was heading the Project Management

Office within the company where my role included:

 Overseen all projects performance within the organization (100+ project with more than $2.5M in value).

 Acted as Program Manager for multi-millions Saudi Riyals projects within the organization.

 Streamline internal processes within the PMO and implemented EPM as out Project Management Portal.

 Defined roles and responsibilities for the different entities

interacting with projects within the organization (BLM, PM, DPM, PML, Finance.

 Was part of the team for automating the internal processes with the implementation of ERP (Microsoft Dynamics AX2009)

 Worked closely with Finance in generating the P&L for each project across the different Business Lines.

 Presented P&L reports to management and Sr. Executive demonstrating the company’s performance in terms of revenue recognitions and booked revenue figures.

Business Development Manager: Got relocated to Eastern Province as BDM

dedicated for Saudi ARAMCO working with all Business Units within the organization. My role included:

o Establish and develop relationship with different divisions.

o Assess and identified the needs for different divisions and worked with them to develop the proper solutions.

o Developed SOW and overseen all projects with the customer. o Acted as the point of contact for the customer.

o Managed projects P&L and revenue recognition for all projects with the customer.

o Acted as a Program Manager for all projects with Aramco.

o Handle all logistics for internal and external consultant working with the customer.

o Quality Assurance on all deliverables within projects. o Maintain customer satisfaction of all services delivered.

o Identified and technically evaluated the right partners/vendors to be used for all projects.

o Performed all pre-sales, sales and post sales services with the customer.

Academy Manager: Head of the Academy (Training Division) within the company,

where my tasks included:

o Run and supervise the daily training operations.

o Business development with clients, introducing new courses and determining their needs.

(7)

7

o Business development by introducing new partners and new courses to meet the demand and the trends in the market.

o Formalizing agreement with new training partners after evaluating their quality of training offerings.

o Initiate development of new material and improvement of in house developed material.

o Develop and prepare new instructors and get them certified.

o Work with partners and sales to come up with business plans for the local market.

o Appoint reseller in the region and formalizing agreements with them. o Work with Sales to achieve the training quote.

o Overachieving Academy quota in 2009 making more than $ 1M in revenue.

o Prepared quarterly reports to management for the Academy P&L.

eSolutions Middle East (Qatar-Doha) 04/05-04/06:

Role: Managing Director, Service and Solutions

Reported to the GM, I built and structured the Services and Solutions division within the company, and got senior management as well as board approvals. Identified the correct partners and formalized partnerships with them. Started business development processes for the different services offered by the company as well pre-sales activities. Supervised and successfully ran multiple marketing campaign and PR events for the company. Established and build a reliable customer database with qualified potential clients. The division offered Security Consulting and Trainings, Learning Management Systems (LMS), Documents Management Systems (DMS) as well Business Intelligence products. I was also overseeing all projects within the division. Part of my tasks was to work with senior management on defining the division budget. Provided advice and technical support for establishing and structuring the training division within the organization.

AlKhaleej Training and Education (KSA-Riyadh) 12/04-03/05:

Role: Platinum Center/Vendor Relations Manager

The Platinum Center is the elite center for high-end technical training for AlKhaleej training; it offers advanced technical courses from vendors such as Microsoft, CISCO, SUN, in addition to IT Security courses. My job was to manage the operation of the center (Scheduling, Resources, …etc.), I was also managing the relationship with all the training vendors that Alkhaleej is authorized through them, this included reviewing all the agreements, negotiating with new vendors and organizing joint events with the vendors. AlKhaleej was also starting their e-learning portal and products; I played a role in reviewing and evaluating proposals from different SW vendors for LMS products and negotiating/reviewing e-library from different vendors.

New Horizons CLC (Damascus-Syria) 08/03-12/04

Role: Assistant General Manager / Training Manager

Started part time and then moved to full time. My responsibilities included monitor instructors’ performance in the classroom, to improve customers’ experience inside the class. Helping and directing the instructors to achieve technical certifications and obtain

(8)

8

recognition from major companies in the industry (Microsoft, CISCO, CIW and others). Developing trainers capabilities to deliver high quality training.

Delivered advanced courses on Windows 2003 as well as Exchange 2003 and ISA server. As an AGM my responsibilities were to develop business for the center and promote our services in the country. Set and implemented business plans for the center. Acting as the GM when needed, managing the overall operations of the center as well as supervising the other mangers in the center and developing their managerial skills, set and maintain the overall budget of the center. Perform any other responsibilities and tasks that were assigned to me by the General Manager.

Internet Support Systems (ISS) (Damascus-Syria) 02/02-12/03

Role: IT/Operations Manager

Managed the IT department of the company, Designed and Implemented the internal network and facilitated connectivity of the company to the Internet using an E1 line. Implemented a variety of hardware and software technologies (VPN, Routers, and firewall), to support our customers remotely through a secure connection over the Internet. Also I was in charge of the Operations department, where we were supporting Datacenters remotely and monitoring different operations/processing done at the customer’s site to process web logs using advanced Data Mining techniques to produce Business Intelligence reports. The whole network was based on Windows 2000 Advance Server and .NET Servers.

Established an information security program within the organization, implemented controls where needed, delivered awareness sessions for all employees, regularly conducted risk assessments, developed and implemented security policies and procedures such as Acceptable Use Policies within the organization for internet and email.

New Horizons CLC (Houston-Texas) 05/00-01/02

Role: Technical Instructor

Prepare and organize class notes. Train 2-5 day classes on a variety of Microsoft Windows 2000 Advanced Server and BackOffice products, specializing in Microsoft Exchange and Microsoft Proxy. Setup the classroom workstations for each class. Customized trainings for specific customers requirements based on Microsoft Offcial training in addition conducted MCSE Bootcamps . Delivered CNE (Novell) training courses as a Certififed Novell Instructor. I also was deliverying Lotus Notes/Domino Administertaion courses. Was awarded Technical Instrcutor of the Year 2001.

(9)

9 Key Projects Experiences:

1. Consulting Services

Client Government Agency – Jeddah – Saudi Arabia Project Name Business/IT Continuity Management

Team Size 2

Role Sr. BCM Consultant/Project Manager

Brief Project Description

The scope of this project was to design, develop and implement Business Continuity Management per the BCI-GPG Framework and BS 25999 Standard. The scope was developing BCM for all IT Services of the client.

Tasks included:

• Developing BCM Policy

• Developed BIA questionnaires template

• Conduct BIA workshops and RA for the all IT

Services units

• Determining CRA for each unit

• Developing BCM Strategies for the different IT

Services

• Developing BCP and IRM including Crises

Management Plans

• Develop test plans and templates • Conducting training and awareness • Conduct sample tests.

Client Oil & Gas – Dhahran – Saudi Arabia Project Name Security Assessment

Team Size 3

Role Project Manager

The scope of this project was to conduct vulnerability assessment and penetration test for the organization IT infrastructure, which included Windows, Unix and Web Applications.

Tasks included:

• Develop Project Charter

• Define schedule and project milestones

• Manage deliverables and mitigate the risk of project

creep

• Manage project cost with accordance to budget

(10)

10

the delivery teams

• Prepared weekly status reports

Client Petrochemical – Dammam – Saudi Arabia Project Name IT Continuity Framework

Team Size 2

Role Sr. BCM Consultant

The scope of this project was to assist the client in establishing their IT Continuity framework and all the necessary templates for developing an IT Continuity for the IT department of the client which consisting of three divisions. The client is in the process to expand their IT services. All documentation were developed based on GPG and BS25999.

Tasks included:

• Developing the IT Continuity Policy

• Developing BIA questionnaires and report templates

• Developing RA and CRA templates

• Develop BCP template

• Develop IRM template.

• Develop IT Continuity Plan Testing Template • Develop an IT Continuity Manual

• Develop BIA presentations

• Develop Management Awareness Presentation

Client Major Bank – Saudi Arabia

Project Name ISO27001 Implementation & Certification

Team Size 2

Role Sr. Security Consultant

The scope of this project was to design, develop and implement an Information Security Management Systems as per the ISO27001 Standard, and assess the organization in obtaining the certification.

Tasks included:

• ISO 27001:2005 Certification • Scope Definition.

• IT infrastructure Mapping.

• Gap Analysis.

(11)

11

• Conducting Risk Assessment and Risk Treatment. • Preparing Action Plan

• Preparing Statement of Applicability.

• Developing and/or Enhancing Information Security

Policies and Procedures.

• QA for final the deliverables. • Deliver ISMS awareness sessions. • Conduct Internal Audit.

• Preparation of the needed documents for the External

Auditor.

Client Petrochemical Company – Dammam – Saudi Arabia Project Name IT Governance

Team Size 4

Role Sr. Consultant / Project Manager

The scope of this project was to design, develop an IT Governance Framework based on COBIT, then mapping with other frameworks and standards such as ISO27001, ITIL, and BS25999. The project defined roles and responsibilities for the different IT divisions; a set of policies and procedures were developed that mapped to the business objectives for the IT department.

The company was looking to conduct an Enterprise Architecture review out of which we identified the services offered and then mapped that to the R&R and updated them. We then developed a set of policies, processes, procedures with the needed set of templates which all were consolidated into a set of manuals covering the following areas:

• IT Governance • IT Planning • IT Administration • IT Change Management • IT Operations • Enterprise Architecture • Performance Measurement • IT Security • IT Applications • IT Support

In this project I was also the project manager carrying all of the tasks within that role.

(12)

12

Client Government Agency – Saudi Arabia Project Name ISO 27001 Implementation

Team Size 4

The scope of this project was to build an information security program based on ISO27001 standard, my role was:

• Define a Risk Management Approach

• Conducted Risk Assessment. • Build Policies and Procedures.

• Conduct awareness workshops at different levels

within the organization.

• Assist in the execution of the program complete set of

policies and procedures for the organization as per the ISO27001 standard, the implementation.

Client KSA University – KSA

Project Name ISO 27001 Implementation & Certification

Team Size 4

Brief Project Description ISO 27001:2005 Certification • Scope Definition. • IT infrastructure Mapping. • Gap Analysis.

• Business Impact analysis

• Conducting Risk Assessment and Risk Treatment. • Preparing Action Plans

Auditor.

Client Private Company – KSA Project Name Information Security Services

(13)

13

• Risk Management

• IT infrastructure Mapping.

• Gap Analysis.

• QA for final the deliverables.

Client Telecommunication – KSA Project Name ISO 27001:2005 Certification

Team Size 4

Brief Project Description ISO 27001:2005 Certification • Scope Definition. • IT infrastructure Mapping. • Gap Analysis.

Auditor.

Client Large Telecom Company – Saudi Arabia Project Name Competency Management System

Team Size 8

The scope of this project was to build a competency management system, perform competency assessment, and build a development plan for each individual in the security department. This project involved updating the roles and responsibilities of the information security departments and

(14)

14

configuring the process and system to maintain and develop the competency levels needed to perform these job roles.

Client Major Bank - Saudi Arabia Project Name Vulnerability Assessment of ATM

Team Size 3

Role Security Consultant

Vulnerability assessment of WIN XP based ATM. This report helped to deploy the standard image based on our finding and hardening recommendation on more than 300 ATMs. A customized security Template was also developed to import on their ATM isolated Domain.

Client Large Telecom Company - Saudi Arabia Project Name Penetration Test and Vulnerability Assessment

Team Size 4

Penetration testing and vulnerability assessment for the GSM systems , Web applications , Network devices …etc

Client Large Bank - Jordan

Project Name Penetration Test and Vulnerability Assessment

Team Size 4

The scope of this assignment was to perform complete vulnerability assessment for all windows servers and SQL servers ,Linux and UNIX servers

Client Government Agency – Saudi Arabia

Project Name Vulnerability Assessment & Penetration Testing

Team Size 5

Vulnerability Assessment of windows server and firewall Penetration of the website

Security Architecture Review and Design Document Risk Assessment That including:

(15)

15

• Assets Identification and valuation for all assets

• Threats and Vulnerabilities analysis to the identified

assets

• Vulnerability, threat and risk matrix for identified assets

Client Financial Bank – Saudi Arabia

Project Name Internal Vulnerability Assessment & Penetration Testing

Team Size 2

Vulnerability Assessment of windows servers, routers and firewall

Internal Penetration Test of the different clients, servers and network devices.

Client Large Telecom Company – Jordan

Project Name External Vulnerability Assessment & Penetration Testing

Team Size 2

Vulnerability Assessment of their public IPs’ and Penetration testing of those, facing the internet.

Web Application Pen Test for their Web server.

Client Large Petrochemical Company – Saudi Arabia

Project Name External Vulnerability Assessment & Penetration Testing

Team Size 2

Vulnerability Assessment of their public IPs’ and Penetration testing of those, facing the internet. The tests also included their Wireless environment.

Client Financial Brokerage – Saudi Arabia Project Name Compliance with TADAWAL regulations

(16)

16

Team Size 5

The project composed of multiples pieces:

• Vulnerability Assessment. • Policies & Procedures.

• Defining Roles & Responsibilities for the Information

Security

Client Financial Investment House – Saudi Arabia Project Name Internal & External Web Application Pen Test

Team Size 2

Internal & External Pen Testing for the company’s new web portal. The application was running on MS platform (.NET, SharePoint, MS SQL).

2. Enterprise Security Design & Implementation

Client Air Conditioning Manufacturer – Saudi Arabia Project Name Network Security Enhancement Project

Team Size 4

Design and deployment for end-to-end security solutions including: Top Layer Intrusion Prevention System, Juniper SSL VPN, Cisco PIX Firewall, Cisco Intrusion Detection System, Cisco Access Control Server, and Cisco VMS management solution.

Client Government Agency – Saudi Arabia Project Name End-to-End Security Enhancement Project

Team Size 5

Role

The project scope was to redesign the network security infrastructure of the ministry and to introduce and deploy end-to-end security solutions to enhance the security level of the ministry’s network.

(17)

17

The following solutions were implemented in this project:

Teros Application-Layer firewall, PatchLink patch

management solution, Adinos DNS appliance, IronMail mail security solution, Cisco MARS SIM solution, and the migration from Symantec FW to Juniper Netscreen FW.

3. Network Design & Implementation

Client Large Training Center – Saudi Arabia Project Name Enterprise Network

Team Size 5

Role Team Lead

Designed and deployed corporate network connecting different branches across the country, the design incorporate security measure to protect the centers database. Components included CISCO routers, PIX firewalls, WAN switches.

Client Large Manufacturing company – USA Project Name Exchange Implementation and Tuning

Team Size 4

Re-designing the Exchange infrastructure for the whole organization, and introduced new features and components. The project included tune up of the existing Exchange infrastructure.

Client Internet Systems Provider – Syria Project Name VPN Remote Access

Team Size 4

Designed and Implemented WAN connectivity solutions for different client networks back in the US. Solutions included deployments of PIX boxes and configuration of different encryptions methods

(18)

18

4. Training Services

Client Saudi ARAMCO

Project Name Computer Security Liaison Certification

Team Size 3

Role Sr. Security Consultant & Trainer

Developed a 10 days training class for the Business Lines Computer Security Liaison. The object was to enhance the information security skills of the CSL to allow them to act as the InfoSec Officers within their own business line organization. The training was customized to map to the existing practices in the client environment and to fit the organization culture. Topics:

• Information Security Basics • Information Security Governance • Developing Policies and Procedures • Roles and Responsibilities

• Risk Management • Introduction to ISO 27001 • Business Continuity • Access Control • Security Technologies • Security Attacks

Client Saudi ARAMCO

Project Name Information Security Workshops (Development & Delivery)

Team Size 1

Role Sr. Security Consultant &Trainer

Developed a one-day workshop based on CISSP domains with customization of the client environment and methods used internally.

The audiences of the workshop were data proponents (owners) from all business units within Saudi Aramco.

Delivered the workshop to more than 500 data proponents from different business organizations.

(19)

19

Project Name Security Awareness Workshops

Team Size 2

Role Sr. Security Trainer

Closed-Sessions Security Awareness sessions for Users, Management and IT staff.

Customization of contents for the training sessions.

Client Different Clients, Saudi Arabia Project Name Public Courses Training

Team Size 1

Role Sr. Security Trainer/Consultants

• Security Principles • Network & Host Security • Ethical Hacking

• CISSP

• CBCI-GPG

Client Different Clients, Saudi Arabia, Middle East Project Name Closed-Sessions Training

Team Size 1

Role Sr. Security Trainer/Consultants

• Security Principles • Network & Host Security • Ethical Hacking

• ECSA/LPT

• CHFI

• CISSP

• CBCI-GPG

Client Saudi Telecom Company, Riyadh-Saudi Arabia Project Name Carrier Development Planning (SOC)

Team Size 2

Role Sr. Security Trainer/Consultant

(20)

20

Description the different technologies implemented and the skills needed to operate a Security Operations Center.

Client Government Agency, Riyadh-Saudi Arabia Project Name Carrier Development Planning (SOC)

Team Size 2

Role Sr. Security Trainer/Consultant

Developed training plan for all SOC team members based on the different technologies implemented and the skills needed to operate a Security Operations Center.

Client Different Clients, Saudi Arabia, Middle East, USA, Africa Project Name Closed-Sessions Training

Team Size 1

Role Sr. Trainer/Consultants

• Microsoft Training (MCSE)

• Novell

• Lotus Notes (Domino)

• Network +