Curriculum vitae of candidate f0016b

First name           Raul

Place of residence   Amsterdam

Year of birth        1973

 

Raul is a Dutch interim manager specialized in IT Audit and Information Security. He has sound knowledge of a wide array of IT security topics, developed through both extensive professional experience and personal interest. He is currently performing a Risk Assessment at ING Investment Management in The Hague in the context of a Group-sponsored IT Risk & Control program. Before that he managed an Identity Management project at ING Ops & IT Banking for 6 months. The project, consisting of 4 streams, delivered a standard user management process across all ING Business Units, developed business roles for user access (RBAC), and delivered support for asset owners in the verification duties required by SOx 404.

Prior to his start-up as an interim manager, Raul worked at the Internal Audit Department of Royal Ahold as an IT Audit Manager. Engagements included CobiT process audits, IT infrastructure audits, project audits, follow-up audits and special investigations. He has also managed audits on high-profile IT projects such as the largest Ahold IT project for next-generation merchandising support and the Executive Board portal project, which was reported directly to the Board and Audit Committee. He was also responsible for IT SOx 404 for Albert Heijn.

Before joining Ahold, Raul worked two years at KPMG Information Risk Management (T&E: Specialist Business Unit specialized in complex IT Security topics) where he specialized in subjects such as Public Key Infrastructures and Role Based Access Control. During this time he was also the coordinator of KPMG’s European Identity Management Centre of Excellence and co-authored a white paper on Privacy Enhancing Technologies for the Dutch Ministry of the Interior that was published government-wide.

Raul started his career as part of Arthur Andersen’s audit and advisory group as an IT auditor (3 years). He holds the RE, CISA and Prince 2 practitioner qualifications and has sound knowledge of IT assurance, IT projects and enterprise risk management as well as technical IT topics such as network architecture, UNIX and Oracle. He has extensive international work experience and is fluent in Dutch, English and Spanish.

 

Key areas of experience

Subject Area                 Details

IT Process Audits            CobiT: Information Security, IT Continuity, Systems Development, Policy and Management, IT Operations

General Process Audits       Bank Management, Accounts Payable, Price Management, Revenue Assurance

IT Infrastructure audits     Penetration Testing (Nessus), Appscan, Desktop, Internet/Intranet/Extranet, LAN/Fileserver, WAN/Data Communication, Access Control Infrastructures

IT Platform audits           UNIX, Linux, Sybase, Progress, Oracle, Windows NT and 2000, AS400, RACF

Sarbanes Oxley 404           SOx IT platform baseline development and 404 management and board testing

Application Audits           SAP (CATS), Baan, PeopleSoft, Gold, Retek

Project Audits               Enterprise Portal, Supervisory Board Portal, European Merchandising Suite, General Merchandising project, Mainframe-to-Unix migration.

IT & Legal                   Privacy (Wbp, EU95-46, Safe Harbor) and Electronic Signatures (99/93/EG, ETSI)

IT Attestations              AICPA: WebTrust, SysTrust, WebTrust for CA’s

Policy Development           ISO17799, ITIL, ISO9001

Identity and Access mgt.     Public Key Infrastructures (PKI), Role Based Access Control (RBAC)

 

 

Education

·         Certified Information Systems Auditor (CISA), June 2005 exam, graded average score: 82;

·         Post-graduate EDP-auditing education, Erasmus University Rotterdam. Thesis subject: audit of Role Based Access Control systems. Listed in the Dutch Registry of EDP-auditors (RE);

·         M.Sc./drs. degree in Business Administration, Groningen University (1999), specialization Information & Organization (I&O). Thesis subject: audit of Public Key Infrastructures;

·         Raul is currently obtaining the IIA’s Certified Internal Auditor (CIA) certification (3 of 4 modules passed).

 

 

Employment history

1/4/2007 – 1/10/2007          ING NL – Program Manager Identity Management

04/2004 – 1/4/2007             Koninklijke Ahold N.V. – Internal Audit Department (Division Europe)
07/2002 - 04/2004               KPMG Information Risk Management (IRM), section Technology & eBusiness

07/1999 - 07/2002               Arthur Andersen eBusiness Technology Risk Services (EBTRS)


 

Professional qualifications

·         Certified Information Systems Auditor (CISA)

·         Registered EDP Auditor (RE)

·         Prince 2 Foundation and Practitioner

·         EDP-audit essentials 2000 – Arthur Andersen Chicago

·         Several courses on personal effectiveness, report writing, interviewing and presentation skills.

·         Techweek – Windows NT/2000 basic and advanced course 2001 - Madrid


 

Language skills
Dutch:                    Primary language                          English:                 Fluent
Spanish:                Primary language                          German:                Moderate


Country experience
UK, USA, Norway, Sweden, France, Germany, Spain, Ireland, Italy, Switzerland, Czech Republic, Poland.

 

 

Professional service experience

·         Project / Program Management

·         Internal Audit

·         Attestation Services 

·         Information Security Consulting

·         IT Policy development

·         Threat and vulnerability analysis

·         BS7799 and General IT controls reviews

·         Privacy: EU/95/46, Wbp and Safe Harbor

 

 

Market segment experience

·         Retail

·         Telecom

·         Banking

·         Aviation and Airports

·         Government (Defense and Justice department)

·         Entertainment and Media

·         Pharmaceuticals

·         eBusiness

·         Software Manufacturing

·         Energy

 

 

Detailed Work Experience

 

ING (04/2007 – 01/2008)

Risk Management Consultant

·         Performing expert based risk assessments on IT components based on annual planning;

·         Proposing and agreeing on adequate mitigation actions with the responsible managers;

·         Developing and proposing key risk indicators in the IT processes and reporting on these;

·         Advising IT management on the implementation of new or updated IRM policies;

·         Organising training sessions for key IT staff members, if required;

·         Specific advice on request of management on the domain of IT security, BCP/DRP, awareness, etc.

·         Preparing periodic reporting on IT risks to business management and risk committees.

 

Program Manager Identity Management

·         Management of a major IT controls program under IT Transformation governance within ING NL. Project budget initially 12,4 mln – 8,0 mln following budget cut – 43 staff on project budget, in four main projects:

·         ABP: Implementation of ING standard process for User Management at all ING Business Units;

·         SKA: Support for IT Asset Owners in performing access verifications (with sys. development component);

·         RBAC: Definition and Implementation of Business Roles for User Access;

·         QA: Performing centralized QA reviews to ensure adherence to ING standards;

·         Project also delivered central ING Standard for Access Roles.

·         Reporting directly to the ING Head of Risk Management and Security (ING NL and Belgium).

 

 

Royal Ahold  (04/2004 – 04/2007)              

CobiT Process Audits

·         Information Security (Albert Heijn, ICA, ICA Banken, Ahold Central Europe);

·         Systems Development (ICA, ICA Banken);

·         IT Continuity (Albert Heijn);

·         IT Operations (ICA, ICA Banken);

·         Policy and Management (Ahold Central Europe).

 

Project Audits and Project Risk Analyses

·         Global Portal (US): project aimed at realizing an enterprise portal infrastructure;

·         Ahold Supervisory Board portal (US): portal application project for the Ahold Supervisory board;

·         European Merchandising Suite (SE, NO, NL): strategic project to renew the IT support of retail processes;

·         DC Replenishment (SE, NO, NL): project to realize next generation IT support for DC replenishment;

·         Mainframe-to-Unix (NL): project to migrate all Mainframe-based applications to UNIX;

·         AS400 to iSeries migration (NL): project to migrate all AS400 applications to the new IBM iSeries platform.

 

IT Infrastructure Audits

·         Unix / Oracle audit (Central Europe, SE, NO);

·         Linux / Progress audit (NL);

·         LAN/Desktop audit (NL, SE, NO);

·         Internet / Intranet / Extranet audits (Central Europe, NL);

·         WAN/ Data communication audit (Central Europe).

 

Sarbanes-Oxley 404

·         Development of Ahold-wide baselines for IT platforms Unix, PeopleSoft, AS400, Oracle and Windows NT;

·         Sarbanes Oxley 404 - Management Testing for NL Arena and Ahold Central Europe.

 

Financial Audit Support

·         Warehouse mgt (Central Europe);

·         Price mgt (Central Europe);

·         Returns mgt (Central Europe);

·         Bank Mgt (Central Europe and NL).

 

Other

·         Upgrade of all proprietary audit methodologies in 2005;

·         Follow-Up audits at all European Operating Companies;

·         General IT assessment: annual report of IT audit results in 2005 to the board of Ahold Central Europe.

 

 

KPMG Information Risk Management  (07/2002 - 04/2004)

PKI policy development (2003)

Market segment - Dutch Government
For the Dutch implementation of an EU transport safety system, based on a Public Key Infrastructure, Raúl led the team in charge of developing the policy framework. Products included an information security plan (ISO17799), quality management plan (ISO 9001), operational manual (ITIL), Business Continuity Management Plan and a Certification Practice Statement. He maintained the client relationship and managed acceptance of the documents.

 

IT controls review (2003)

Market Segment – Software Industry

In order to support the annual financial review of this software company, Raúl was asked to identify and test the design and effectiveness of workflow controls within the core financial system (Psynergy). Performed query analyses and reviewed the Role catalog for the application and advised on an improved role lifecycle.


EU95/46/EC Privacy Audit (2003)

Market Segment – Pharmaceuticals & Medical Research
This client wished to have an independent opinion on their compliance with the EU Privacy Directive EU95/46/EC. Audit of four of their European sites (Marburg, Florence, Amsterdam and London) resulted in significant compliance recommendations, which were accepted and implemented by the client.

 

PKI Pilot Project (2003)
Market Segment - Government
To coordinate and control the pilot of a government PKI, this client asked KPMG to perform the project management function. Under the KPMG project manager, Raúl was responsible for the local organization of the Pilot.  Raúl developed the test plan, test management tool and forms and coordinated the test phase.

PKI control procedures development (2003)
Market segment - Government
This client requested KPMG’s assistance in the development of procedural controls to ensure the security and continuity of their Public Key Infrastructure. Based on KPMG best practices, Raúl developed a full framework of procedures, based on ITIL and the INK quality model.

Safe Harbor certification audit (2003)
Market segment - Global Entertainment and Media
To file for Safe Harbor recertification, this client’s legal department asked KPMG to perform high-level audits on 13 European sites, based on the Safe Harbor criteria choice, consent and recourse. On-location audits were performed in Munich, Madrid, Paris and London.

 

WebTrust certification advisory (2003)
Market segment – eBusiness / Application Service Provider (ASP)

This client intends to obtain a WebTrust certification and asked KPMG to assist in selecting suitable criteria and to advise on policy development and controls implementation. Based on his WebTrust experience, Raúl delivered a framework for controls and policies to serve as the basis for the certification.

 

Privacy Enhancing Technologies (PET) policy manual (2003)

The Dutch ministry of interior asked KPMG to develop a policy manual on implementation of Privacy Enhancing Technologies (PET) within Dutch government organizations, in collaboration with PET-experts. 
Raúl collaborated in the development of the manual and was responsible for the Business Case section of the policy manual. The manual was presented to the Dutch parliament and has been published government-wide.

 

 

Arthur Andersen - eBusiness Technology Risk Services (07/1999 - 07/2002)

Financial audit support (2003)

Market segment - eBusiness

In order to support the annual financial review of this software company, Raúl was asked to perform an IT review to assess the design and effectiveness of the financial risk controls. The engagement included a general IT controls review, high-level Perl script analysis (in collaboration with client) and a database integrity review.


AICPA SysTrust™ attestation audit (2002)
Market segment - eBusiness
This ASP is an application and infrastructure provider for clients who wish to outsource ICT infrastructure services. Engagement was aimed at SysTrust certification of the online system and the back-end ASP systems.

Hacking/ Penetration Test (Switzerland, 2002)
Market segment - Private and Corporate Banks
Penetration test (by international team) of the security aspects related to the design and implementation of Fontis on-line banking application and the general IT infrastructure. Tests included stress testing (Denial of Service) of the web-based application, the web server software, the web host and the network components.


IT value assessment / IT due diligence (2002)
Market segment - Metal Industry
IT value assessment to support a due diligence. Value assessment of IT systems and supporting organization. Engagement included function point analysis, financial due diligence and qualitative/continuity analysis.


PKI scalability study (2002)
Market segment – Dutch Government
Engagement aimed at mapping PKI requirements at several departments within the department. This was required in order to analyze the feasibility of up-scaling an operational local PKI to the entire organization. The engagement included interviewing IT managers within almost all departments of the Ministry.

 

Administrative Organization system development (2002)

Market Sector – Airlines and Aviation
This client asked KPMG to develop an online service to make the Administrative Organization (AO) procedures available to all employees. The provided procedures were modeled in the Protos software package and made available in collaboration with the client’s IT department. The engagement resulted in an additional AO redesign engagement for KPMG.


Threat and Vulnerability Analysis (2002)
Market segment - Government
Development of information security plans for several units within the governmental department in order to achieve compliance with VIR '94 regulations.
The CRAMM software package was used to develop the component models and to execute the threat and vulnerability analyses.

Straight Through Processing (STP) project consultancy (Ireland, 2001)
Market segment - Private Banking
Project consultancy to modernize core banking systems and processes by implementing Straight Through Processing (STP) concept. Included extensive business analysis, process modeling and simulation, requirements definition, test design and support, user profile definition, reports definition, release planning. The engagement required relocation to Ireland for a period of three months.

Attestation of business principles and practices (2001)
Market segment - eBusiness
Systems Assurance (attestation) engagement for a payment service provider (PSP) in the Netherlands. Fast growing company that offers over 40 international on- and offline payment methods. Engagement aimed at providing an attestation report on a management statement of business principles and practices. Job included review of security architecture, user profiles and the logical security mechanisms of the Payment Service.

 

Baan III review (2001)
Market segment - Defense industry
Review of Baan III implementation and analysis of organizational and costing models. The engagement addressed all business units and resulted in an advisory report with significant organizational redesign recommendations and organizational impact.

MS Access MIS front-end development (2001)
Market segment - Airports
Following a previous engagement, this airport expressed the need for a user-friendly front-end audit and reporting tool to signal payroll errors and possible fraud indicators. This system was developed, tested, realized and documented in a very short period and resulted in high client satisfaction.

Web-development assistance (2001)
Market segment - Not for profit organizations
Co-development and testing of web interface (design, module and stress testing). Charity website sponsored by Arthur Andersen. Formed part of project team, coordination with French core programmer team and management. Closely involved in the development and realization process. Project realized March 2001.

Security audit / Third Party Memorandum (TPM) (2001)
Market segment – IT Datacenters
Security audit of high-tech / high security server co-location facility in Amsterdam, which is part of the national telecom company. General IT Controls and advanced security review aimed at producing a Third Party Memorandum (TPM). Included review of physical security measures.

Revenue assurance audit (2001)
Market segment - Telecommunications and Cable
Review of provisioning, mediation and billing processes and supporting systems. Engagements performed to support the annual audit of the financial statement.

 

IT value assessment (2001)

Market segment – Travel Industry
To support a due diligence, Andersen’s transaction support services asked Raúl to perform an IT value assessment and to take inventory and review available maintenance and operations documentation.

CATS application controls review (2001)
Market segment - Energy Research
Audit of integrity and access controls of CATS time and expense registration system (SAP module). The review was performed to determine if financial auditors could rely on automated controls within the system.

 

Offsite  |  Oosteinderweg 399  |  1432 BH  Aalsmeer  |  Tel.: 0297 329974  |  Fax: 084 7194652  |  info@offsite.nl  |  www.offsite.nl