
Christian Fox, Cyber Security Consultant
Skills and knowledge
Career
Professional experience of Christian Fox, Cyber Security Consultant
- Creation of a process model for carrying out gap analyses based on the banking standard
- Support in implementing the model in ServiceNow
- Support in conducting gap analyses
- To date, 2 years and 11 months, since June 2022, Deutsche Telekom AG
Secure and Compliant App and SAP Software Development
- Creation of an SSD framework based on Confluence and Jira
- Creation of epics, tasks, subtasks and Kanban boards
- Co-planning of software sprints in agile software development
- Support in implementing specific security measures (SAP, web and application development, SaaS, Java, COBOL)
- Execution of threat modeling and risk analysis
- Implementation of security measures (Docker, containers, Kubernetes, OpenShift)
- Performing penetration tests
- Establishment of DevSecOps in Scrum development
- Supporting SAP IT projects in identifying, assessing and mitigating cybersecurity risks
- Improvement of role and authorization concepts
- Definition of guidelines with regard to SAP cybersecurity
- Identification of improvement areas in authorization topics, in both process and technical areas
- Support for technical SAP cybersecurity audits, tests and self-assessments
- Ensuring secure software development in the SAP ABAP environment based on the BSI IT-Grundschutz modules CON.8, CON.10 and APP.4.6
- To date, 4 years and 10 months, since July 2020, Helaba
Penetration Testing - Ensuring the elimination of Cyber Security Findings
- Central contact and coordinator between application managers and IT security management
- Implementation of measure tracking and ensuring the closure of security gaps
- Creation of reports on the progress and status of vulnerability remediation and an overview of open findings
Standards and tools: PCI DSS, OSSTMM, NIST SP 800-115, BSI, BAIT, MaRisk, KWG, BCBS 239, OWASP, BSI-Penetrationstest Leitfaden (BSI penetration testing guide), Office, Nessus, Rapid7, Metasploit, Nmap, Wireshark, Splunk, OpenVAS, Burp
- 1 year and 10 months, March 2021 - Dec. 2022, Helaba
Performing penetration testing for critical web applications
- Analysis of web application security and performance of vulnerability and risk assessments using tests and security guides (OWASP, etc.)
- Performing automated scans with web scanner tools
- Identification of security vulnerabilities (e.g. XSS, CSRF, SQL, command and XPath injection, directory and path traversal, security misconfigurations)
- Reporting, evaluation and recommendation of countermeasures
- Collaboration with application owners and software developers and conducting vulnerability remediation meetings
- Vulnerability, exploit and threat detection for the Helaba Group (CERT, CVE, CVSS, Metasploit, ...)
- Carrying out vulnerability scanning (networks, databases, applications, virtual, container and cloud environments)
- Risk-oriented analysis on the basis of data mining
- Identification of application and system owners, opening of vulnerability tickets and coordination of actions
- Monitoring the timely application of security patches and ensuring the implementation of remediation measures
- 2 years and 6 months, July 2020 - Dec. 2022, Helaba
Development of global patch and vulnerability management - financial sector
- Development of patch management and adaptation of the vulnerability management process and policy
- Increasing the degree of automation in processing vulnerabilities
- Integration into the existing ticketing system and workflows
- Coordination of the interfaces to change, release, configuration, incident, risk and IT security management
- 3 years and 2 months, Nov. 2019 - Dec. 2022, Helaba
Analysis of IT and operational risks - Risk manager
IT risk management in the banking sector:
- Analysis of IT and operational risks
- Coordination and implementation of mitigating measures
- Consideration of the banking supervisory requirements for IT (BAIT) and MaRisk
- Development of a cloud strategy tailored to the client's specific requirements
- Development of modern hybrid cloud architectures, from infrastructure to network, security, governance, compliance and integration into operations
- Reduction of IT costs and generation of added value
- Experience with AWS cloud platforms
- 11 months, Aug. 2019 - June 2020, Helaba
Establishing the first line of defense - detection of and defense against cyber attacks
- Responsible for establishing the "first line of defense" for the detection of and defense against cyber attacks
- Detection and defense against cyber attacks using a vulnerability scanner to identify, evaluate and close vulnerabilities
- Recording of vulnerability information for automatic evaluation and determination of rules and regulations
- Preparation of IT risk and management reports
- Development of the process, roles and interfaces and integration into IT service management
- Performing a comprehensive ISO/IEC 27001:2013 gap analysis
- Carrying out internal ISMS audits
- Contact for external auditors on questions concerning KRITIS and VAIT
- Responsible for preparing a project plan for the implementation of an ISMS
- Responsible for implementing the ISMS based on ISO/IEC 27001:2013
- Responsible for implementing measures for an external maturity assessment examination
- 1 month, Dec. 2018 - Dec. 2018
Adjustment of a cyber security strategy - insurance group sector
New York Life Insurance
- Examination of the current cyber security strategy
- Analysis of the cyber security threat situation
- Implementation of cyber security checks (ISACA, NIST Framework for Improving Critical Infrastructure Cybersecurity, U.S. banking regulators)
- Transfer of cyber security controls into the FFIEC Cybersecurity Assessment Tool
- Execution of IS risk assessment (ISO 31000)
- Adjustments of ISMS, policies, strategies, etc., and coordination with stakeholders
- 9 months, Apr. 2018 - Dec. 2018, salesforce.com Germany GmbH
Support for DevSecOps development in a Salesforce environment
Ensuring secure source code in DevSecOps development:
- Creation of software security guidelines
- Performing source code analysis
- Member of the Change Advisory Board in the role of IT Security Manager
- Consulting in the DevOps development process in the Salesforce environment in the role of IT Security Manager
- Execution of vulnerability scans
- Execution of IS risk and threat analyses
Tools: Docker, Nessus, Salesforce, Slack, Veracode, OWASP, Office (Excel, Word, PowerPoint)
- 2 months, Sep. 2018 - Oct. 2018, TenneT TSO GmbH
Lead Auditor, ISO 27001, energy provider (critical infrastructure)
The internal audit served as preparation for ISO 27001/2 certification. The following points were checked:
- Whether the documentation complies with the standard's requirements for the management system
- The practical application of the management system and its effectiveness
- Compliance with the IT Security Act (IT-Sicherheitsgesetz)
- Ensuring compliance with the Gematik requirements for the electronic health card
- Examination of the client's data center area
- 2 months, Sep. 2018 - Oct. 2018
Execution of an ISO 27001 audit for an energy provider (KRITIS)
Gazprom
The internal audit served as preparation for ISO 27001/2 certification. The following points were checked:
- Whether the documentation complies with the standard's requirements for the management system
- The practical application of the management system and its effectiveness
- Compliance with the IT Security Act (IT-Sicherheitsgesetz)
- 6 months, May 2018 - Oct. 2018
Preparation and support for an ISO 27001 ISMS recertification
Software company
- Closing of audit findings
- Accompanying the audit and acting as contact for the auditor
- 3 months, July 2018 - Sep. 2018, Dr. Glinz COVIS GmbH
Implementation of ISMS awareness and cyber security training courses
- 5 months, Apr. 2018 - Aug. 2018, Dr. Glinz COVIS GmbH
Creation and implementation of a Cloud Security Policy
Creation of the cloud security guideline based on the following standards:
- ISO/IEC 27001:2013
- ISO/IEC 27017
- ISO/IEC 27018
- ISO/IEC 29151 (code of practice for the protection of personally identifiable information)
- ISO/IEC 27005 (information security risk management)
- NIST SP 800-144 (Guidelines on Security and Privacy in Public Cloud Computing)
- NIST SP 800-145 (The NIST Definition of Cloud Computing)
- NIST SP 800-146 (Cloud Computing Synopsis and Recommendations)
- BSI C5
Education of Christian Fox, Cyber Security Consultant
- To date, 9 years and 4 months, since Jan. 2016
Cyber Security Consultant
Kaufmann (commercial clerk)
Languages
German
Native speaker
English
Good
French
Good