AKSHAY VIJAY MULKUTKAR

About Candidate

CYBER SECURITY, RISK AND DATA PRIVACY PROFESSIONAL

Over 16 years of accomplished experience in IT with 10 years in handling a wide gamut of Information Security functions. Excellent interpersonal skills with a positive approach; self-starter, self-directed and proactive; able to think beyond the immediate problem and a keen communicator with strong analytical and logical abilities. Fits into Manager and Individual contributor roles with ease. Seeking to help organizations implement and maintain effective IT risk management, Governance and Compliance practices to address security threats, vulnerabilities and data privacy exposures.

Education

Masters of Commerce 2003
Mumbai University
Bachelors of Commerce 2001
Mumbai University

Work & Experience

LEAD CONSULTANT – CYBER SECURITY & RISK SERVICES Aug 2014 - Till Date
WIPRO TECHNOLOGIES

1) Data Privacy & Risk Consultant for one of India’s largest telecommunication companies
The project objective is to develop, implement and maintain a Data Privacy and Risk Management programme.
• Implementation of the PIMS (Personal Information Management System)
  o Conduct a gap assessment of the current privacy portfolio vs new GDPR requirements
  o Identification of critical applications, products, projects etc. to determine the requirement for conducting a Privacy Impact Assessment (PIA)
  o Preparation of PIA Control worksheet and Data flow diagrams.
• Perform Privacy Impact Assessments and Privacy by Design assessments.
• Maintain Privacy Risk Register.
• Provide recommendations on Privacy Risk Mitigation Strategies and validate the remediation of the identified Privacy risks.
• Conduct Privacy Awareness Trainings/Forums/Sessions across various functions within the organization and also with selected critical vendors/suppliers/processors.
• Create Line of Sight report, Risk Notes, and Management summary for Risk Oversight Committees, etc.

2) Functional Consultant for building a Data Privacy Governance solution using RSA Archer GRC tool (Wipro Internal project)
Key capabilities of the tool:
• Develop and Maintain PII/SPI Inventory
• Automate Privacy Impact Assessments
• Assess Privacy Risk
• Highlight compliance status across the organisation

3) Security Advisor for UK’s Largest Financial Services Group in London
Act as the primary Security Advisor for multiple areas of the business, maintaining good working relationships with those business areas, promoting security awareness, and fulfilling the role of trusted Security Advisor.
• Responsible within the project/programme for confirming the Solution Design meets with internal and external regulatory and security policy requirements.
• Facilitate vulnerability and penetration tests ensuring that the business understands the threat agents, the technical vulnerabilities and how the threat agents could exploit the vulnerabilities to realise the risk.
• Undertake due diligence reviews on third parties to provide assurance to the business that the services being provided are managed in a secure manner, thereby reducing the risk to the confidentiality, integrity and availability of the service and safeguarding the reputation of the Bank.
• Participate from time to time in the supplier selection process, evaluating usefulness and cost of products and making appropriate recommendations

4) GRC Consulting for India's leading Stock Exchange at Mumbai
The project objective is to maintain the Governance, Risk Management and Compliance setup for National Stock Exchange (NSE) in Mumbai.
• Assess gaps in the current Risk Management framework and suggest improvements.
• Analyze gaps in existing processes and assess adherence to ISO 27001.
• Assess design and operating effectiveness of ITGC, Application and Infrastructure controls.
• Conduct Business Process Review and Assess Information Security Risk.
• Conduct Data Classification Audit.

5) IT Resiliency Control Testing for UK’s Largest Financial Services Group in London
The project objective was to validate the new control framework adopted by Lloyds Banking Group by testing the design and implementation effectiveness of critical IT resiliency controls.
• Review design of the IT Resiliency Control Framework
• Conduct walkthrough with the Control Owner and related subject matter experts (SMEs) to validate the design
• Verify the operating effectiveness of controls
• Share draft findings with the control owners to get their agreement and concurrence. Once control owners approve the findings, the audit report is prepared and communicated to the Compliance team.

MANAGER – IT SECURITY & GOVERNANCE Feb 2010 - Jul 2014
RELIANCE INFRASTRUCTURE

1) Manage ISO 27001 based Information Security Management System (ISMS)
• Transition to ISO 27001:2013 version
• Provide Information Security education to employees
• Conduct process health check assessments to improve effectiveness and efficiency of the processes and support delivery in closing the gaps
• Co-ordinate vulnerability assessment for IT infrastructure (servers and network devices) and ensure remediation
• Conduct periodic assessments of the vendor’s risk management practices, baseline its strengths, identify its deficiencies, and programmatically plan and execute its remediation activities.
• Educate the business owners so that risk assessment is incorporated at the beginning of every partner/supplier engagement, instead of having this treated as a “checkbox” assessment.
• Conduct periodic vendor/third party assessments

2) Implementation of Information Security Program for Mumbai Metro One P Ltd.
• Conduct review of IT & related business processes
• Assess gaps between current processes and industry standards and regulatory framework
• Assess information security, process and vendor risks
• Document action plan and get concurrence from senior executives
• Document and implement IT Security practices, policies & procedures
• Provide training to key personnel on the above
• Conduct vulnerability assessment of IT infrastructure and finalize the information security requirements as part of generic project life cycle

3) GRC Consulting for Chhattisgarh State Electricity Board
• Assess gaps in the current Risk Management framework and suggest improvements.
• Conduct Review of IT and related business processes
• Assist in identifying and assessing information risk related to their business
• Identify action plans to mitigate the risks observed
• Provide Information Security education to employees and update management on the status of Information Risk Management
• Implementation of Identity and Access Management Solution

4) Implementation Lead for Seclore Information Rights Management/Digital Rights Management Solution

5) Implementation Lead for Symantec DLP

SENIOR SOX (IT) AUDITOR Aug 2008 - Oct 2009
JOHNSON & JOHNSON (DinaliC Consulting (I) Pvt Ltd)

• Coordinated IT Audit function by monitoring technology & operational risks across Johnson & Johnson locations worldwide.
• Conducted SOX 404 review / application control review (for subsidiaries across NA, SA, EMEA, and ASPAC) surrounding IT Management and Operations in the following IT cycles: Change management, Incident management, capacity management, BCP & IT disaster recovery, Backup and recovery, User access management, Application Security.
• Communicated the geographical risks to the Internal Audit Management on a periodic basis and ensured the risks are included in the Internal Audit Calendar.
• Provided effective consultancy for different Information Technology, Infrastructure and Information Security Projects.
• Supported Business Operations audits by testing application controls and security controls around different applications and Information Technology infrastructure in Business Operations Audit.

Achievements
• Conducted nine audits in 15 months; traveled extensively to Johnson & Johnson locations across the globe
• Successfully completed review on time despite non-English documentation (Portuguese & Japanese)

Skills

Drafting Security Policies ♦ Gap Assessment ♦ SOX Audit ♦ Privacy Impact Assessment (PIA) ♦ Privacy by Design (PBD) ♦ Threat Hunting ♦ Compliance Audits ♦ Business Analysis ♦ Project Management ♦ Security Incident Management ♦ Identity and Access Management (IDAM) ♦ Data Loss Prevention (DLP) ♦ Information Rights Management (IRM) ♦ Information Security Awareness ♦ Risk Reporting ♦ Threat and Vulnerability Management ♦ Vendor Management

Awards

• Successfully implemented and certified the IT management function of the geographically dispersed Toll Plaza operations for ISO 27001
• Successfully implemented IT Application Portfolio Management process
• Suggested creation of an integrated management system / operations maturity framework to address requirements of all standards implemented (ISO 9001, ISO 27001 and CMMi)
• SABSA Chartered Security Architect – Planned (early 2019)
• Certified Information Privacy Professional/Europe (CIPP/E) – In Progress
• DSCI Certified Privacy Lead Assessor (DCPLA)
• ISO 27001:2013 Lead Auditor and Lead Implementer
• ISO 31000:2009 Lead Implementer
• Cloud Computing Security, Privacy Considerations & Assurance
• EXIN Cloud Computing Foundation
• COBIT5 Foundation Certificate
• Certified Information Systems Auditor (CISA)
• Cisco Certified Network Associate (CCNA)
• Jetking Certified Hardware & Networking Professional
