Muhammad Asif Qureshi

Information Security Risk Professional
Abu Dhabi

Summary

Recognized as a security and governance professional with exposure to various security frameworks. Analytical and results-oriented Information Security and auditing professional with extensive experience of over 19 years. Demonstrated leadership skills, with a key strength in using coaching and collaborative styles of management to motivate and drive team performance. Effectively manages relationships with management at all levels. Persuasive writer with a track record of professional publications. Multi-tasking manager well known for creating a positive workplace culture and high-performing teams. Demonstrated Information Risk Assurance expertise, including a proven track record of Internal Auditing and Consulting.

Overview

  • 26 years of professional experience
  • 13 years of post-secondary education
  • 6 Certifications

Work History

Manager, Governance, Risk and Compliance

Federal Govt. Entity
04.2013 - Current
  • Establishing information security function in organization.
  • Leading team of consultants for establishing Integrated Information Security Framework in line with ISO 27001 and SIA NCRMF.
  • Managing Information Security Governance Committee meetings for seeking buy-in from senior management on Information Security program.
  • Managing Information Risk Management activities in line with NCRMF guidelines.
  • Establishing Information Security Culture through various automated tools and techniques such as social engineering, information security awareness campaigns, advisories and flyers for C level executive management as well as normal users.
  • Advising management on governance and related information security matters.
  • Managing governance and compliance activities in line with regulatory and compliance requirements.
  • Providing information security due diligence on new business initiatives.
  • Governance and oversight on security incidents management process, recovery, and resilience.
  • Managing security incident response readiness drills.
  • Governance and compliance reviews of IT disaster recovery and continuity tests.
  • Providing assurance through Vulnerabilities Assessments, Configuration Reviews, and Penetration testing.
  • Leading Information Security Projects.
  • Managing and governing third party Security Operations Center (SOC).

Key Achievements

  • Implementation of vulnerability management process.
  • Governance activities for SOC function.
  • Due Diligence for Information classification and DLP program, Privileged Access Management and SIEM solutions projects.
  • Ensured compliance with industry regulations and legal requirements by implementing comprehensive policies and training programs for staff members.

Senior Auditor

National Commercial Bank
07.2009 - 03.2013
  • Performing integrated audits with business auditors, reviewing general IT controls, business systems in compliance with PCI-DSS, ISO 27001 etc.
  • Performing risks assessments on technology environment including core banking system and security environment.
  • Managing a team of third party consultants for assessment of security architecture of the bank.
  • Managing audit engagement including planning, execution and reporting on audit procedures and outcomes.
  • Performed audits on operating systems, applications, infrastructure, policies, and procedures, etc.
  • Conducted closing meetings with management to discuss audit findings, control issues, process inefficiencies, or operational risks and recommend appropriate solutions.
  • Reviewing software development controls.
  • Auditing identity and access management process in line with established policies.
  • Interacted with all levels of management with a focus on building relationships and executing continuous monitoring initiatives.

Key Achievements

  • Played a key role in enterprise-wide IT audit risk management model.
  • Supervised trainee auditors on all aspects of auditing including continuous personal development.
  • Conducted project audits to meet organizational objectives.
  • Championed Audit Management system (MKI) and provided hands-on trainings through knowledge sharing and workshops.

Senior IT Auditor

Dubai Holding
02.2006 - 07.2009
  • Planning and conducting Information systems audit assignments and underlying IT operations.
  • Evaluate IT risks, design appropriate testing plans, and formulate appropriate conclusions from test results.
  • Lead and execute IT audit planning tasks, fieldwork, and report writing.
  • Document detailed IT process flows and perform audit of information systems that support business processes and assist financial auditors in evaluating associated risks.
  • Assess major system initiatives of key project phases including risk assessment matrices, transaction flow charts, business requirements, identification and assessment of the control environment such as design, testing, implementation, and post implementation reviews.
  • Involved in assurance and advisory reviews for Information Security Management Systems (ISMS).

Key Achievements

  • Recognized as having raised quality of audit across the group.
  • Conducted an extensive cross-organizational information security review.
  • Supervised trainee auditors on all aspects of auditing including continuous personal development.

IT Auditor

Saudi Pak Commercial Bank Ltd, (Now Silk Bank)
10.2003 - 12.2005

The bank is a joint investment of the Government of Pakistan and Government of Saudi Arabia with a large network of branches and ATMs all over the country. My responsibilities included:

  • Performing technical audits of IT infrastructure, applications and business processes.
  • Due diligence reviews of technical and application systems during procurement process.
  • Performing branch audits with audit teams which included review of IT general controls, branch operations and reconciliation systems.
  • Discussing audit issues with branch management.
  • Represented internal audit in Business Continuity Testing exercises.

Key Achievements

  • Recognized as having raised quality of audit reporting.
  • Supervised trainee auditors on all aspects of auditing including continuous personal development.
  • Consulting business to comply with audit recommendations.

Auditor

National Bank of Pakistan
08.2002 - 10.2003

During my tenure with the bank, I was a member of the team responsible for establishing the IT audit department. The team developed policies and procedures for IT auditing. I was involved in providing training to existing business auditors. Further, our team performed a review of the bank’s infrastructure and core banking application. My responsibilities included reviewing security parameters in OS400 and IT general controls in regional data centers.

Key Achievements

  • Reviewed current audit setup and assisted development of IT Audit department.
  • Supervised trainee auditors on all aspects of auditing including continuous personal development.
  • Provided training to auditors for IT auditing standards and practices.

Consultant

Andersen Worldwide SC (now Ernst & Young Pakistan)
12.2001 - 08.2002

Active member of the Technology Risk Consulting practice of the ex-Andersen affiliate represented in Pakistan by Sidat Hyder Morshed Associates (Pvt) Ltd. The firm has now been merged into the local Ernst & Young practice, which is a member firm of Ernst & Young International. As part of the team, I was responsible for delivering IT audit support work as well as Information Security Advisory projects for Jaffer Brothers (Trading Concern).

Key Achievements

  • Part of the team that performed the first-ever IT audit in the banking industry of Pakistan.
  • Advised clients for revamping auditing policies and procedures.
  • Developed Internal Auditing manual for a large trading concern.
  • Provided tailored technical trainings to various clients’ auditing staff.

Senior – Assurance & Consulting

KPMG-Pakistan
09.1998 - 08.2000

I commenced my professional career with KPMG and gained exposure in Management Assurance Services (Internal Audit), and Information Risk Management (IT Audit) practice.

During my tenure with KPMG, I managed the assignment of National Bank of Pakistan. The bank’s existing manual system for maintaining its investment portfolio was reviewed and a solution was developed to automate the investment portfolio and related business processes. The solution also facilitated automated reconciliation of bank accounts related to the sale and purchase of investments.

Key Achievements

  • Developed an automated solution for bank’s Trustee department reconciliation system.
  • Provided training to bank’s staff for automated stock reconciliation system.

Education

Master of Science - Strategic Business Management

Manchester Metropolitan University
UK
08.2013 - 11.2014

CGMA

Chartered Institute of Management Accountants
UK
01.2010 - 10.2012

ACMA

Chartered Institute of Management Accountants
UK
01.2010 - 10.2012

ACMA

Institute of Cost And Mgmt Accountants of Pakistan
Karachi
02.1995 - 08.1998

Bachelor of Commerce - Commerce

University of Karachi
Karachi
04.1992 - 07.1993

Diploma in Computer Science - Computer Science

Sindh Board of Technical Education
Karachi, Pakistan
11.1992 - 07.1994

Master of Science - Cyber Security

University of Liverpool
Liverpool
04.2001 -

Skills

  • Information Risk Management

  • Governance & Compliance

  • SIA

  • NIST

  • COBIT

  • COSO

  • ISO 27001

  • Project Management

Certification

CCISO

Software

Tenable.sc

LogRhythm

CyberArk

Boldon James

Forcepoint

Interests

Giving back to the community by creating cyber security awareness among students

Sharing knowledge with colleagues and peers

Sharing knowledge through articles and publications

Professional Publications

  • Privacy during Pandemic - https://www.isaca.org/resources/news-and-trends/industry-news/2020/privacy-during-a-pandemic
  • Zero Trust Architecture - https://www.isaca.org/resources/isaca-journal/issues/2020/volume-6/zero-trust-architecture-myth-or-reality
  • Building Privacy Culture - https://www.isaca.org/resources/isaca-journal/issues/2020/volume-5/building-a-privacy-culture
  • Role of Organizational Leaders in Developing Governance Structure and Strategy to mitigate COVID-19 Impact - https://drive.google.com/file/d/1Whd8Np-J1CaPzB9ehqkAEWmyVlAGoXOd/view
  • Disruptive Technology and the Role of the Auditor - https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2020/disruptive-technology-and-the-role-of-the-auditor
  • Auditing Emerging Technologies: Facing New-Age Challenges - https://www.isaca.org/resources/isaca-journal/issues/2020/volume-2/auditing-emerging-technologies
  • Managing Talent - https://drive.google.com/file/d/19UXmwI4p6ORz0JjY6curOxu6juJEL6T-/view
