Projects I was involved in.
Projects I was involved in @ Hellenic Bank Public Company.
Annual Bank-wide ICT & Security Risk Assessment.
Leading the project of the annual Bank-wide ICT & Security Risk Assessment, of all the critical systems, the Transformation projects, and the security-related teams of the Bank, in collaboration with an external consultant. This project included the interviews of the Business Owners and Technical Owners of each critical system, the Transformation Leads of each project, as well as the Team Leads of each security-related team of the Bank. Reports for each system, project and team were produced and agreed with the people involved. These reports were consolidated in order to produce the final deliverables in a Bank-wide level. The final deliverables of the project are the ICT & Security Risks Matrix of the Bank, as well as the reporting/presentation of the risks to the Top Management.
Laws and Regulations.
Monthly update of the (Information Security) Laws and Regulations Inventory of the Bank, by researching relevant sources of information, such as European Central Bank, European Union, European Banking Authority, Central Bank of Cyprus, Digital Security Authority of Cyprus, European Union Agency for Cybersecurity (ENISA), Office of the Commissioner for Personal Data Protection, etc., including the briefing of the team and other relevant teams of the Bank for any newly published laws, regulations, guidelines, articles, opinions etc.
Monthy Tasks.
Monthly monitoring of the Information Security related open actions, including actions identified through the annual Bank-wide ICT & Security Risk Assessment, the Internal Audit, as well as Compliance actions identified. Monthly monitoring of the Technology and Digital related open actions identfied through the Internal Audit, assessing whether any ICT & Security risks are arised or affected.
Risk Champion/Liaison Role.
Having the role of Risk Champion/Liaison of the team, including providing Information Security opinion for the assessment of any ICT & Security risks identified by other departments, as well as providing assistance to other Risk Champions/ Risk Owners on how to record their risks in the Risks Inventory of the Bank.
Health and Safety Representative.
Having the role of Health and Safety Representative of the team, including the participation in the meetings arranged, the active participation in the Health and Safety exercises performed, and attend trainings performed.
Information Security Compliance Assessment.
Leading the performance of the Information Security Compliance Assessment of the Insurance Companies. The purpose of the assessment is to assess the compliance of the Insurance Companies against the Information Security Policy (ISP) and the information security posture in general, and support Management to enforce the ISP in order to ensure that the data is adequately protected against unauthorized disclosure, modification, or destruction. Based on the compliance assessment, the ICT & Security risks are identified and assessed, suggesting mitigation actions to ensure that the risk is mitigated to the risk appetite.
Policies, Processes, Procedures (PPPs).
Advise on the development, review, update and enhancement of policies, standards, processes, procedures, guidelines, and controls to ensure that ICT and Security risks are properly managed. Act as an advisor to the Group on how to comply to the Information Security Policy / Framework.
Ad-hoc projects/tasks.
Involved in ad-hoc projects/tasks, such as, performing Gap Assessments, review and update the Risk Inventory of the Bank and the ICT & Security risks, the assessment of solutions based on ICT & Security related matters, identifying possible business continuity scenarios that the Bank might face, advise on how the BIA methodology to align CIA, define the Information Security Strategy of the department, etc.
Business Continuity Liaison Role.
Having the role of Business Continuity Liaison of the team, including being involved in the documentation of the Business Continuity Plan of the team.
PSD2 Risk Assessment.
Leading the performance of the PSD2 Risk Assessment for all payment related systems of the bank and documenting the PSD2 risk assessment report, including the operational and security risks. The PSD2 Risk Assessment report is submitted annually to the Central Bank of Cyprus.
Risk Assessments.
Assess, record, and report Information Communication Technology (ICT) and Security risks faced by the Group. Act as an advisor to the Group on how to perform Information Security Risk Assessments.
Secretariat of the Technology Security Sub-Committee.
Having the role of Secretariat of the Technology Security Sub-Committee, responsible for the minutes of meetings documentation and the monitoring of the actions to be implemented by the committee’s members.
Compliance Liaison Role.
Having the role of Compliance Liaison of the team, including being involved in the monitoring of the ICT & Security related compliance actions identfied by the Compliance department.
Projects I was involved in @ PwC Cyprus
Project Title:
Cyber Security Awareness Training
Project Duration:
May 2023 (2hrs)
Client:
Financial Institution / Bank
Project Description:
Cyber Security Awareness Training to the Board of Directors
Responsibilities / Duties:
Leading Member of the Implementation Team & Presenter
Project Objectives / Deliverables
Presentation of Cyber Security Awareness Training to the Board of Directors:
Cybersecurity Attacks
How to prepare for cyber attacks
How to respond to cyber attacks
Relevant Regulations
Next Steps
Project Title:
Risk Assessment & Cybersecurity / Information Security Awareness Training
Project Duration:
February 2023 – May 2023
Client:
Retail Fashion and Hospitality Organization
Responsibilities / Duties:
Leading Member of the Implementation Team & Presenter
Project Description:
Assessment of the risks faced by the information systems of the Organization in terms of infrastructure and security
Project Objectives / Deliverables
Evaluation of the current IT environment of the Organization
Identification of the risks faced by the Organization regarding the information systems it uses
Propose a Strategy for the upgrading of the Organization’s information systems
Presentation of the findings to the Organization’s Board of Directors
Information Security Awareness Training to all employees (5 sessions of 6hrs duration each)
Project Title:
Information Security Framework & Toolkit
Project Duration:
January 2023 – June 2023
Client:
Independent Government Authority
Responsibilities / Duties:
Leading Member of the Implementation Team
Project Description:
Establish National Risk Assessment and Business Continuity Standards/ Methodologies for Critical Information Infrastructures of Cyprus based on specific framework
Project Objectives / Deliverable
Defining the overall scope of the framework, the applicable environment, the stakeholders, the general governance model, the improvement management processes, etc.
Defining roles and responsibilities in relation to the overall and specific governance model of essential service operators
Definition of risk data elements/parameters to create common understanding between essential service operators, relevant parties, and future users/applications of the developed framework, including risk assessment parameters, risk categories, threat descriptions, materiality, etc.
Define framework methodologies detailing the steps to be followed by essential service operators when performing Business Impact Assessment and Risk Assessments
Define standards that can be used by essential service operators to document the relevant model and policies:
Governance standard document
Risk assessment and Business Continuity Plan standards
Risk register standard
Risk Treatment Plan template to record actions, owners, and schedules
BCP template for documenting critical business functions (impact analysis), related risks and exposures, Recovery Time Objective, Recovery Point Objective, critical applications and resources, recovery team members, recovery processes, etc.
Development of the implementation toolkit, through the development of a set of documents, links to standards and guidance material to be used by the essential services operators to carry out BIAs and RAs according to the defined methodologies
Informing the staff of essential services operators about the project and training
Training program for specialized personnel to support the implementation of the developed cyber security frameworks
Tailored training program for senior management in each essential service operators to support information gathering related to RA/BIA processes
Training program to strengthen cyber incident reporting capabilities
Tailored learning by studying the essential service operators’ best practices from across Europe and the US to accelerate learning and enable benchmarking of their own practices against the latest technology
Project Title:
ESS IT Security Certification Assessment
Project Duration:
November 2022 – December 2022
Client:
PwC Netherlands
Responsibilities / Duties:
Member of the Implementation Team
Project Description:
Collaboration with PwC Netherlands for the performance of an ESS IT Security Certification Assessment for a Governmental Organization in Cyprus
Project Objectives / Deliverable
Provide security assurance for the ESS IT Security Framework thereby maintaining trust among the ESS members regarding secure and confidential data exchange
Project Title:
EMI Licensing
Project Duration:
October 2022 – December 2022
Client:
Electronic Money Institution
Responsibilities / Duties:
Member of the Implementation Team
Project Description:
Review of Policies, Procedures and Plans to ensure compliance with EMI requirements so that to ensure licensing of the client
Project Objectives / Deliverable
Review & Update of Policies, Procedures, and Plans
Project Title:
Information Security Management System
Project Duration:
September 2022 – November 2022
Client:
Governmental Organization
Responsibilities / Duties:
Leading Member of the Implementation Team
Project Description:
Review and Update of the Information Security Management System based on the ISO/IEC 27001:2022
Project Objectives / Deliverable
Review & Update of Statement of Applicability
Business Continuity and Disaster Recovery Plans Training of relevant teams
Business Continuity and Disaster Recovery Scenarios Testing (Workshop)
Update of Asset Register and Business Impact Assessment
Update of Risk Assessment
Update of Risk Treatment Plan
Social Engineering Scenarios Testing (Physical)
Project Title:
Information Security Risk Assessment
Project Duration:
January 2022 – July 2022
Client:
Health Services Organization
Responsibilities / Duties:
Leading Member of the Implementation Team
Project Description:
Analysis of risks faced by the Organization’s information systems in terms of their infrastructure and security
Project Objectives / Deliverable
Providing an overview and evaluation of the current environment of the Organization’s information systems
Highlighting the risks faced by the Organization regarding the information systems it uses
Propose the strategy at a high level that the Organization must follow to upgrade its information systems
Presentation of the findings to the Organization’s Board of Directors
Project Title:
Information Security Risk Assessment
Project Duration:
November 2021 – May 2022
Client:
Governmental Organization
Responsibilities / Duties:
Leading Member of the Implementation Team
Project Description:
Preparation of a Security Risk Assessment
Project Objectives / Deliverable
Evaluation and assessment of the security procedures followed based on the ISO/IEC 27001 standard
Risk Management Framework that will cover the main points that need upgrading in security
Developing Organization’s Security Incident Response Plan and Procedure
Suggestions for adjusting the findings identified
Project Title:
Risk Assessment & Business Impact Assessment
Project Duration:
November 2021 – April 2022
Client:
Financial Institution
Responsibilities / Duties:
Leading Member of the Implementation Team
Project Description:
Review and Update of the Information Asset Inventory, Risk Assessment Report and Business Impact Assessment
Project Objectives / Deliverable
Review and Update of the Information Asset Inventory
Review and Update of the Risk Assessment
Review and Update of the Business Impact Assessment
Project Title:
Design & Development of an Information Security Management System (ISMS)
Project Duration:
November 2021 – June 2022
Client:
Semi-Governmental Organization
Responsibilities / Duties:
Leading Member of the Implementation Team
Project Description:
Definition and development of an Information Security Framework to underpin the Identification, Detection, Response to and Recovery from Information Security Risks in line with the strategy and business scope of the organization
Project Objectives / Deliverable
Definition and development of a business-aligned Information Security Management System
Review, update and development of Information Security Policies, Procedures and Processes
Identification and documentation of assets and asset owners (Asset Inventory)
Definition and documentation of an Information Risk Management Methodology
Development of an Information Security Risk Register
Definition and documentation of a monitoring, measurement, analysis, and evaluation process of the ISMS
Definition and documentation of an Information Security Internal Audit Program
Definition and documentation of the Continual Improvement Process
Aligning Organization’s ISMS operation with the legal and regulatory requirements for the processing and protection of Personal Data
Reviewing, updating and/or developing Organization’s Incident Response Policy and Procedure
Projects I was involved in @ JCC Payment Systems Ltd.
Governance.
Involved in the Information Security Governance processes. These include the development, implementation and management of the security program in order to achieve the following:
Strategic alignment: Aligning information security with business strategy to support organizational objectives
Risk management: Mitigating risk and reducing potential impacts on information resources to an acceptable level through execution of appropriate measures
Value delivery: Optimizing security investments in support of business objectives
Resource optimization: Using information security knowledge and infrastructure eficiently and effectively
Performance measurement: Monitoring and reporting on information security processes to ensure that objectives are achieved
Assurance process integration: Integrating all relevant assurance factors to ensure that processes operate as intended from end to end
Compliance.
Ensure compliance with laws, regulations, standards, obligatory requirements, directives, guidelines etc.
Such requirements are:
PCI DSS, PCI DSS for merchants, PCI PIN, ISO/IEC 27001, GDPR, NIS Directive, CBC Directive, ECB Directives and Requirements, Digital Security Authority (DSA) Requirements, EBA Guidelines, e-IDAS, CROE
Perform Gap-Analysis so that to ensure the compliance of the enterprise with the requirements and controls of all of the above. Responsible for the collaboration with the Internal Auditor and External Auditors during the perormans of Internal and External Audits in regular intervals, so that to verify adherence and compliance as well as to discover any deviations or gaps.
Security Metrics.
Identify and monitor security metrics, to measure key security events such as incidents, policy changes and violations, audits, training, etc. by using the SMART method, so that to ensure metrics’ quality and effectiveness, as well as that they are specific, measurable, attainable, relevant, and timely. Metrics indicate the state of an information security program over time. Security metrics help the design and development of the Security Strategy of an organization as opportunities for improvements are more easily identified. Metrics could be of the form of Key Performance Indicators (KPIs) or Key Risk Indicators (KRIs).
Asset Management.
Manage the Information Asset Register, including tangible and intangible information, equipment, hardware, software, services and people. Ensure each asset is assigned an owner, it is classified and its retention period along with its perging method are identified.
Access Rights Management.
Review and approve access rights requests as the Information Security Officer. Review the access rights reported in the tool and compare with the actual access rights given through the systems so that to be in line with each other.
Data Leakage Prevention (DLP).
Involved in the Data Leakage Prevention Project from beginning to end. Collaboration with external vendor and IT Department for the implementation, testing as well as the identification and creation of policies and rules. The scope of the project is to ensure that sensitive and confidential data such as card numbers and IBANs are not leaked outside of the company’s network by any means.
Business Continuity Plan, Disaster Recovery Plan, Incident Response Plan.
Review and update the BCP, DRP and IRP in collaboration with the Business Continuity Officer. Got involved in different test scenarios as well as real-life scenarios that occurred, where all plans above were invoked.
Cyber Security Strategy.
Involved in the development of the Cyber Security Strategy.
Understand the current state of the organization in regards of cybersecurity
Define the desired state o the organization in regards of cybersecurity
Identifying the information security objectives, processes, methods, tools and techniques
Addressing and mitigating risk
Provide an acceptable level of compliance with the legal, contractual and statutory requirements of the enterprise
Address how the enterprise will embed good security practices into every business process and area
Identify what resources are available for the development of the steps that must be taken to implement the strategy
Identify the constraints that will be faced during the development of the security strategy
Policies, Processes, Procedures (PPPs).
Review the Organization’s Information Security Policies, Processes and Procedures on a yearly basis or when a change occures, and update them based on the applicable laws, regulations, guidelines, standards, directives, obligations, and best practices.
Ensure that policies are documented in such a way so that to directly reflect from the organization’s mission, objectives, and goals.
Ensure that processes include one or more procedures that help employees understand how things are supposed to be done.
Ensure that procedures describe the steps to be followed when carrying out functions and tasks.
Security Audits.
Manage, implement, and perform different types of security audits in a regular basis based on international standards, laws, regulations, obligations, directives, and guidelines. In addition, organize, coordinate and collect evidences to external auditors to ensure compliance.
Penetration Tests.
Coordinate the Penetration Tests with external vendors and recommend remediation actions. Record the findings and agree with related departmental managers on mitigation actions and record them in the Risk and Compliance Management System. Follow-up the remediation actions so that to be implemented on time, based on their criticality and specified timeframes.
Vendor Management and Assessment.
Assess and manage all vendors with departmental managers, based on their classification level as well as the service or product they provide to the company. Ensure that all defined requirements are met in regards of compliance, assessment and agreements.
Perform a risk assessment when a new vendor will be selected.
Security Information and Event Management (SIEM) & Security Operations Center (SOC).
Manage the Security Information and Event Management system for incident investigation and monitoring in collaboration with the system vendor and the Security Analyst. Manage outsourced Security Operations Center (SOC) that provides 24/7 Security Monitoring and Event Management to ensure efficient monitoring of all applications and systems.
Project Management.
Involved in different types of projects so that to ensure information security compliance and identification of information security risks that may arise during the different phases of each project. Coordinate different security projects in collaboration with other relevant departments.
Risk Management.
Responsible for the performance of the ongoing enterprise-wide and asset-based Information Security & Cybersecurity Risk Assessment Program in collaboration with all the relevant departments.
This includes the identification of risks, the analysis of the identified risks based on the likelihood and the impact, and of course the recommendation of a Risk Treatment Plan to the Management through the Information Security Steering Committee.
The Risk Management process was based on the framework of ISO/IEC 27001 and ISO 27005, and it also considers other legal, regulatory, statutory and contractual requirements.
Recording of the risks identified in the Risk and Compliance Management System and follow up on mitigation/treatment actions with the owners.
Also, perform risk assessments of new applications, services, vendors, acquisitions, changes, etc., and provide adequate information to management for acceptance or rejection.
Incident Management.
Responsible for the management of both operational and security incidents through the Incident Management Process of the organization. Report any incident related to company’s main services Digital Security Authority (DSA), Central Bank of Cyprus, other banks and financial institutions, as well as any other related authority, based on specified timeframes and guidelines.
Recommend corrective and preventive measures to avoid re-ocurrence and follow up on their implementation progress.
Report the incidents to management along with their root cause analysis, lessons learned and corrective actions.
Reponsible for the activation and following of the Incident Response Plan in case of a critical incident.
Security Awareness.
Design and perform a yearly Security Awareness Training Program, ad-hoc Induction Trainings, and montly Security Newsletters. Manage the E-Learning platform to distribute training courses to all the employees based on their profession.
Vulnerability Assessments.
Define and perform regular vulnerability assessments for all corporate systems to identify weaknesses and assess the effectiveness of existing controls and recommend remediation actions. Review automated generated vulnerability assessments and collaborate with IT for the mitigation of the findings identified based on specified timeframes.
Risk and Compliance Management System.
Manage the internal system for Risk and Compliance so that to record incidents, compliance requirements, audit findings, and risks along with mitigation actions. Perform follow-ups on regular intervals and generate reports for management.
CRM Tickets.
Review CRM Tickets of Security or IT requests as the Information Security Officer and examine justification provided in order to decide on approval or rejection.
Physical Security.
Responsible for the physical security of the data rooms and server rooms. Physical Security Assessments of these critical areas were performed and further controls were implemented.
Projects I was involved in @ Cablenet Communication Systems PLC.
Governance.
Involved in the Information Security Governance processes. These include the development, implementation and management of the security program in order to achieve the following:
Strategic alignment: Aligning information security with business strategy to support organizational objectives.
Risk management: Mitigating risk and reducing potential impacts on information resources to an acceptable level through execution of appropriate measures.
Value delivery: Optimizing security investments in support of business objectives.
Resource optimization: Using information security knowledge and infrastructure eficiently and effectively.
Performance measurement: Monitoring and reporting on information security processes to ensure that objectives are achieved.
Assurance process integration: Integrating all relevant assurance factors to ensure that processes operate as intended from end to end.
Policies, Processes, Procedures (PPPs).
Responsible for the identification, documentation, and implementation of the Organization’s Information Security Policies, Processes and Procedures, as well as the review on a yearly basis or when a change occures, and update them based on the applicable laws, regulations, guidelines, standards, directives, obligations, and best practices.
Ensure that policies are documented in such a way so that to directly reflect from the organization’s mission, objectives, and goals.
Ensure that processes include one or more procedures that help employees understand how things are supposed to be done.
Ensure that procedures describe the steps to be followed when carrying out functions and tasks.
Security Audits.
Manage, implement, and perform different types of security audits in a regular basis based on international standards, laws, regulations, obligations, directives, and guidelines. In addition, organize, coordinate and collect evidences to external auditors to ensure compliance.
Penetration Tests.
Coordinate the Penetration Tests with external vendors and recommend remediation actions. Record the findings and agree with related departmental manager on mitigation actions. Follow-up the remediation actions so that to be implemented on time, based on their criticality and specified timeframes.
Access Rights Management.
Identify the access rights of the critical systems of the organization and assess whether the already provided access rights to personnel are needed. After workshops with departmental managers, suggest the revocation of the not-needed access rights and implementation by the IT department. Review and approve access rights requests as the Information Security Officer. Perform the annual review of the access rights of critical systems.
Risk Management.
Responsible for the performance of the ongoing enterprise-wide and asset-based Information Security & Cybersecurity Risk Assessment Program in collaboration with all the relevant departments.
This includes the identification of risks, the analysis of the identified risks based on the likelihood and the impact, and of course the recommendation of a Risk Treatment Plan to the Management.
The Risk Management process was based on the framework of ISO/IEC 27001 and ISO 27005, and it also considers other legal, regulatory, statutory and contractual requirements.
Also, perform risk assessments of new applications, services, vendors, acquisitions, changes, etc., and provide adequate information to management for acceptance or rejection.
Incident Management.
Responsible for the documentation and implementation of the incident management process and procedure of the organization, for the management of both operational and security incidents. Report any incident related to company’s main services to the OCECPR and Digital Security Authority (DSA), Commissioner for Personal Data Protection, as well as any other related authority, based on specified timeframes and guidelines.
Recommend corrective and preventive measures to avoid re-ocurrence and follow up on their implementation progress.
Report the incidents to management along with their root cause analysis, lessons learned and corrective actions.
Reponsible for the activation and following of the Incident Response Plan in case of a critical incident.
Member of the Crisis Management Team, responsible for any incidents that are escalated to a crisis.
Security Awareness.
Design and perform an Information Security and Business Continuity Awareness Training Program for Information Security and Business Continuity. Performed 17 sessions of 3 hours duration each for approximately 300 employees of the organization, as part of the Annual Information Security and Business Continuity Awareness Training.
Vulnerability Assessments.
Coordinate the Vulnerability Assessments with external vendors for all corporate systems to identify weaknesses and assess the effectiveness of existing controls and recommend remediation actions. Collaborate with the IT Department for the mitigation of the findings identified based on specified timeframes.
Vendor Management and Assessment.
Collaboration with the Procurement Officer in order to assess and manage all vendors, based on their classification level as well as the service or product they provide to the company. Ensure that all defined requirements are met in regards of compliance, assessment and agreements.
Project Management.
Involved in different types of projects so that to ensure information security compliance and identification of information security risks that may arise during the different phases of each project. Coordinate different security projects in collaboration with other relevant departments.
Compliance.
Ensure compliance with laws, regulations, standards, obligatory requirements, directives, guidelines etc.
Such requirements are:
ISO/IEC 27001, ISO/IEC 22301, GDPR, NIS Directive, OCECPR, Digital Security Authority (DSA) and CSIRT Requirements, etc.
Perform Gap-Analysis so that to ensure the compliance of the enterprise with the requirements and controls of all of the above. Responsible for the performance of the Internal Audit and collaboration with the External Auditors during the perormans of External Audits, in regular intervals, so that to verify adherence and compliance as well as to discover any deviations or gaps.
Security Metrics.
Identify and monitor security metrics, to measure key security events such as incidents, policy changes and violations, audits, training, etc. by using the SMART method, so that to ensure that metrics’ quality and effectiveness, as well as that they are specific, measurable, attainable, relevant, and timely. Metrics indicate the state of an information security program over time. Security metrics help the design and development of the Security Strategy of an organization as opportunities for improvements are more easily identified. Metrics could be of the form of Key Performance Indicators (KPIs) or Key Risk Indicators (KRIs).
Asset Management.
Identify the Assets of the Organization, and create and manage the Information Asset Register, including tangible and intangible information, equipment, hardware, software, services and people. Ensure each asset is assigned an owner, it is classified and its retention period along with its perging method are identified.
Cyber Security Strategy.
Coordinated the Cyber Security Project which was devided in seven phases, including DDoS testing and resilience benchmarking, vulnerability testing, penetration testing, security gap analysis, cyber security strategy, etc. Assist the Information Security Manager with the adoption of the Cyber Security Strategy and the establishment and implementation of it.
Business Continuity Plan, Disaster Recovery Plan, Incident Response Plan.
Develop the BCP, DRP and IRP. Be a member of the Crisis Management Team as the backup of the Business Continuity Coordinator. Got involved in different test scenarios as well as real-life scenarios that occurred, where all plans above were invoked.
Physical Security.
Perform a re-arrangement of the cameras inside and outside of company’s buldings, so that to be compliant with the GDPR Regulation, as well as to be sure that the safety of the company’s assets and employees are safe. Also, physical security of data rooms and server rooms were assessed and controls were implemented.
Projects I was involved in @ PwC Malta
IT Systems Audits.
Perform IT Audits as part of the financial audit so that to ensure that the systems that produce the financial related data, are secure enough, following the security best practices.
Performed IT Audits for companies in the financial, insurance, entertainment, manufacturing, telecommunications, computer, food, etc. industries.
Cyber Security (Internal & External) Audits.
Perform Cyber Security Audits / Gap Assessments for companies in the banking and gaming sector, acting as Internal or External Auditors / Advisors.
Provide recommendations for the mitigation of non-conformities or gaps.
System Audits.
Perform System Audits with accordance to the Malta Gaming Authority (MGA) requirements checklist to Online Gaming companies seeking licensing from Malta Government.