Dynamic Senior Manager with extensive experience at Westpac Bank Group, excelling in risk management and cybersecurity assessments. Proven track record in strategic planning and stakeholder engagement, leading successful initiatives that enhanced compliance assurance and operational efficiency. Adept at fostering teamwork and driving continuous improvement in high-stakes environments.
Overview
35 years of professional experience
1 Certification
Work History
Senior Manager, Risk in Change
Westpac Bank Group
Sydney
08.2021 - Current
Company Overview: Financial Services; Business Controls and Monitoring in Chief Operating Office Division
Responsible for IT and security risk and controls for projects exceeding AUD $1m.
Assists divisions and lines of business to achieve their objectives at strategic, portfolio, program and project level.
Works collaboratively with project teams to deliver project assurance (technology and information security risk and controls) and governance throughout the full lifecycle of capital projects, implementing leading practices in project, program, cost and risk management.
Currently engaged in a 3-year program to divest the Life and General Insurance business.
Performs the technology and security risk assessment (SRA) and control assessment from both a delivery and a delivered perspective, focusing on the end-to-end business process, policy and standards, and the underlying technology as an enabler, including the associated risks and controls.
Ongoing engagement with the Privacy Officer on Privacy Impact Assessments (PIA).
Engaged in a security risk assessment (SRA) for a project to enhance the financial crime detection system and migrate systems to the cloud.
Information Security and Technology Risk Lead
REST Superannuation
Sydney
12.2016 - 08.2021
Company Overview: Financial Services; Strategy, Transformation and Technology Division
Responsible for the strategic and tactical delivery of information security, risk management, IT security compliance and supplier security assurance.
Participated in the information security strategy project, which aligns with the corporate strategy.
Performed the yearly review of REST's strategic information security program, taking into account business and legal requirements, IT and security risk (likelihood and impact) and criticality, and building consensus among stakeholders.
Arising from the security program, established the security risk management plans (SRMP) and operationalised them.
Performed yearly review, development, maintenance and enforcement of cyber security policies and practices designed to protect sensitive corporate assets, ensuring compliance with data privacy requirements and internal and external standards (APRA, NIST SP 800-53, ISO 27001).
Daily management of contractors and outsourcers providing security technology services to REST, including managed security services.
On a quarterly basis, gathered requirements for, developed and presented reporting to the Risk Compliance Committee and responded to its queries; this included IT and security risk assessments and remediations.
Performed several assurance activities covering SRA, IT risk assessment and privacy impact assessment, aligned to NIST SP 800-53, ISO 27001, APRA CPS 234, the Australian Government Information Security Manual (ISM, Australian Signals Directorate), the Protective Security Policy Framework (PSPF) and the Privacy Act 1988.
Influenced stakeholders to embed IT and security risk monitoring and control practices.
Ensured top-down and bottom-up coverage of IT and security risk elements, including articulation of risk appetite, and supported the development of KRIs and an assurance dashboard for Line 1 risk.
Collaborated closely with the Enterprise Architect to create the future-state information security vision and embed it in the Enterprise Architecture Roadmap.
Performed cyber security threat and risk assessments, identifying security gaps and proposing security controls and technologies to mitigate the threats and risks.
Senior Information Security Consultant
Commonwealth Bank
Sydney
08.2016 - 12.2016
Company Overview: Financial Services, Digital Protection Group
Responsible for the strategic delivery of information security and risk management services relating to the cyber governance environment, focusing on supplier security assurance (third-party risk) and the associated risk management processes at Commonwealth Bank.
Completed 11 supplier relationship management review engagements focusing on IT security and risk assessment.
IT control gaps, risks and remediation actions were delivered in a report endorsed by the Business Owner and issued to the Supplier.
These engagements involved close working relationships with major stakeholders, mainly the business owner, Line 1 and Line 2 business risk, and the Supplier.
Each engagement required an assessment of approximately 55 IT controls, focusing on design and operating effectiveness.
The standards applied in the assessments were ISO 27001, the Operational Risk Management Framework, the Supplier Outsourcing and Offshoring group standard, the Cyber Security Non-negotiable control framework, the Customer and Personal Classification Guidelines, AS/NZS ISO 31000:2009, the Information Security and Standards Data Sensitivity Assessment, the Materiality assessment, the Australian Government Information Security Manual (Australian Signals Directorate), the Protective Security Policy Framework and the Privacy Act 1988.
Senior Information Security Consultant
Privasec Pty. Ltd.
Sydney
03.2016 - 07.2016
Company Overview: Governance and Information Security Partners
Responsible for delivering innovative information security and risk management services that help organisations protect their information, systems, revenue and reputation.
Implemented the ISO 27001 framework and prepared the client for the certification audit.
Designed, implemented and operated the Information Security Management System based on the ISO/IEC 27001 standard, including certification against ISO/IEC 27001.
Artefacts included the risk register and the Statement of Applicability (SoA).
Performed IT and security risk assessments to support the business in analysing risk and in prioritising and developing control activities.
Bridged information security requirements to business processes and ensured that technical implementations and processes were aligned.
Chief Information Security Officer
Employee Provident Fund (EPF)
Kuala Lumpur
12.2010 - 12.2015
Company Overview: Pension Fund, Financial Services
Responsible for establishing and maintaining an enterprise-wide vision, strategy, architecture, and program for ensuring information assets are appropriately protected.
Led the security technology vision and provided leadership in developing and implementing information security technology initiatives and security guidance for security leaders at enterprise level, enabling new thinking about security strategies to change, innovate and succeed.
Performed and managed security assurance across three areas: i) technical IT security (security technology including firewall, IDS, web application firewall (WAF) and SIEM; perimeter surveillance alert handling; security incident response and investigation; third-party Managed Security Services; internal and external SLA reporting); ii) IT security management (technology risk, Disaster Recovery Planning (DRP), IT security policy, standards and governance, ISO 27001 recertification, benchmarking against Monetary Authority of Singapore (MAS) security standards, ISO/IEC 20000 (ITIL-based change management, IT security management and IT business continuity), IT security awareness, ICT security posture assessment and development of security business case initiatives); and iii) identity management.
Created business cases and implemented IT security project initiatives in line with PMBOK project management:
Security Information and Event Management (SIEM) (NetIQ) for security alerts and operating system baseline compliance (2011).
Data Loss Prevention (Symantec) to protect against leakage of sensitive corporate data across 5,400 employees (2012).
Enterprise Mobility Management (AirWatch) to secure corporate data on mobile devices across 900 employees (2014).
Privileged System ID Management System (Master Sam), which automates the ID workflow for request, approval and activity monitoring (2015).
Database security and monitoring (IBM Guardium) for real-time monitoring and protection of data activity in databases.
Version upgrade from ISO 27001:2005 to ISO 27001:2013, including a cyber security maturity assessment (2015).
Reviewed the Statement of Applicability (SoA).
Created an IT Security Blueprint with a 3-year plan to address IT security gaps.
Created a Bring Your Own Device (BYOD) policy for mobile phones.
Responsible for quarterly IT security reporting to the Information Security Management Committee (ISMC), chaired by the CEO.
Created and presented two papers to the ISMC on the security concerns of using file-sharing services in the public cloud and the need to implement a virtual private network and two-factor authentication.
Managed up to ten information security officers and coordinated information security activities.
Achieved the Security ICT Award (Share Guide Association) for Implementation of Identity Management, and the Cyber Security Project of the Year 2014 award for "Data Loss Protection".
Presented a paper, "Best Practices in Implementing ISMS", at the Information Security Conference "Managing IT Security in a World of Uncertainty and Change", May 2011.
Manager of Information Security and Compliance
iPerintis ICT
Kuala Lumpur
02.2009 - 12.2010
Company Overview: Subsidiary of Petronas Holdings; Oil & Gas Services
Primarily responsible for leading the IT security and compliance programs across the enterprise and for developing and maintaining a compliance framework.
Served as subject matter expert to internal IT security, privacy and compliance stakeholders on specific IT topics and issues, improving understanding of the overall IT control framework.
Responsible for the management and review of security threats, IT compliance issues and audit remediation updates, and for quarterly reporting to the CEO and the respective operating units.
Responsible for the execution, review and implementation of the compliance assurance program (in line with ISO 27001 and COBIT), covering disaster recovery, technical security baselines, access controls, incident management, business continuity management, and system development and maintenance.
Performed an advisory control review of an SAP project that enforced strict segregation of duties and privileged ID management, adopted SAP rule best practice, and provided feedback on the post-implementation review plan.
Developed and presented IT security awareness messages in line with the enterprise-wide information security initiatives.
Managed a staff of up to two information security compliance experts and coordinated security compliance activities.
Identified technology risk and provided IT control and security advisory on system solutions, security papers and IT vulnerability assessments.
Developed project scopes (statements of work, SOW) and prepared proposals and cost-factor analyses.
Information Technology Audit Manager
Reserve Bank of Australia
Sydney
11.2007 - 11.2008
Company Overview: Banking Services
Responsible for the planning, organisation and supervision of multiple audit and consulting engagements covering IT infrastructure, applications, telecommunications, general computer controls and post-implementation reviews.
Acted as the third line of defence, independently assessing first- and second-line management's effectiveness in identifying, measuring, monitoring and controlling IT risks.
Assessed the adequacy and effectiveness of controls, risk management, compliance and governance processes.
Performed planning, fieldwork and reporting for the banking systems, covering general computer controls, application controls and the business continuity management policy and framework, including BCM testing.
Conducted an assurance review of the Note Control System upgrade covering governance structure, deliverables, budget, duration and test plan, and ensured compliance with ISO 27001, the Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF).
Performed a post-implementation review of the SAP system, using a set of questionnaires, to assess whether it met its intended objectives.
Conducted technical reviews of RACF, the Virtual Private Network and Change Management for the Account Maintenance System (AMS) and GL Financial/PeopleSoft.
Contributed to the COBIT Framework Task Force for implementing the framework in the Audit Department.
Managed a staff of up to two IT auditors and coordinated IT audit activities and budgeting.
Senior Risk Analyst
Telstra
Melbourne
08.2006 - 11.2007
Company Overview: Telecommunication Services
Responsible for implementing information technology risk management strategies for key areas, as well as hands-on execution of control and risk assessments and development of control enhancement recommendations.
Accountable for the planning, prioritisation and execution of supporting IT risk responsibilities.
Conducted a SOX end-to-end Change Management ITS review covering 22 application systems, focused on the effectiveness of the design and testing of key controls.
The COBIT and Telstra IT Change Management Framework standards were adopted.
Conducted the IT General Computer Controls review covering change management, problem management, computer operations (including end-of-day processing, backup and physical environment controls) and Disaster Recovery Planning, and ensured compliance with ISO 27001, the Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF).
Conducted a control advisory review of IT processes in the IT Transformation Project, detailing improvement plans.
Manager of Global Infrastructure Services
Maybank Fortis Insurance – IT services outsourced to Computer Sciences Corporation (CSC)
Kuala Lumpur
10.2003 - 08.2006
Company Overview: Global IT Services
Responsible for leading and managing teams within the IT outsourcing arrangement and maintaining relationships with management and the customer.
Primarily responsible for the management and operations of IT security and compliance.
Led the roll-out, review and reporting of the IT assurance framework and compliance for the line of services in Malaysia (Central Bank of Malaysia) and the Singapore region (Monetary Authority of Singapore, MAS).
Managed seven identity and access management staff and coordinated activities covering SLA reporting, login exceptions and compliance with standard operating procedures.
Managed audit findings, responses and status updates, and ensured compliance with the regulatory requirements of the Central Bank of Malaysia and the Monetary Authority of Singapore.
Managed and led the enforcement of IT security methodology and processes within the CSC line of services.
Managed service level agreements, contracts and compliance within the IT outsourcing arrangement.
Prepared business justifications, RFP/RFI responses and solution mapping, and collaborated across the various teams.
Manager of IT Security and Quality Assurance Department
Maybank Fortis
Kuala Lumpur
07.2002 - 10.2003
Company Overview: Maybank Group, Insurance Services
Responsible for the management and operations of IT Security and Quality Assurance for shared services.
Performed and managed day-to-day oversight of IT security, IT change management, IT helpdesk, IT procurement, IT problem management, and internal and vendor SLA management.
Reviewed IT security policies, standards and procedures and recommended improvements, benchmarked against ISO 27001 and Sarbanes-Oxley IT control objectives.
Approved IT changes for promotion to the production environment.
Prepared the monthly IT Security and Quality Assurance reporting update for the CEO.
Participated in the approach to achieving efficiency in the setup of firewall rules and the intrusion detection system.
Performed project security reviews covering a new product service in the general insurance application system; reviewed the new firewall rule set-up (Nokia IP650 / Check Point VPN-1 NG), including connectivity testing; and assessed the encryption method and strength (3DES and 128-bit) used for data transmission on the LAN and WAN.
Managed a staff of up to fourteen information security and quality experts and coordinated activities covering network security and technical baseline reviews, the IT Helpdesk, Procurement and the IT Change Management team.
Assistant Manager, Information Risk Management Division
KPMG
Singapore
11.2001 - 06.2002
Company Overview: Consulting Services
Primarily responsible for providing security assessment and monitoring of service delivery for clients in the financial services industry.
The role was to identify, evaluate and minimise deficiencies and their potential impact on the organisation.
Conducted IT general computer controls reviews and technical reviews of AS/400, Windows and Unix (AIX) systems for international banks.
Conducted two SAS 70 IT controls reviews for Citibank and Deutsche Bank, whose regional offices for Asia Pacific manage the IT infrastructure.
Conducted IT controls and SAP system reviews for Celestica Group of Companies and Jotun Pte. Ltd.
Managed security assessment and monitoring of assurance service delivery for clients including Citibank, Deutsche Bank, Korean Exchange Bank, First Commercial Bank, Nordea Bank of Finland, Scotland Bank, Celestica Group of Companies and Jotun Pte. Ltd.
Prepared RFP/RFI responses, project scopes (statements of work, SOW) and cost analyses.
Assistant Manager, Operational Systems Risk Management
PricewaterhouseCoopers
Kuala Lumpur
10.1999 - 11.2001
Company Overview: Consulting Services
Responsible for enterprise assessment against IT threats and risks through governance, compliance, identification and validation.
This included an integrated advisory model covering internal audit, third-party assurance and external audit support around the organisation of IT security.
Conducted reviews of IT service management controls covering computer operations management, computer security management and administration, program change and problem management, and development and implementation management, to assess the confidentiality, integrity and availability of core application systems, including operational resiliency and data centre readiness.
Conducted a series of technical security reviews of Windows, HP-UX, AIX and AS/400 systems, and general computer controls reviews.
Conducted a strategic assessment of bank IT audit to identify and address the critical systems that had to be included in the IT audit plan.
Developed proposals to assist clients in identifying business risks, security and controls at enterprise-wide and business-unit level.
Prepared and presented reports on audit and consulting findings to working committees, senior management and audit committees.
Presented a talk on computer security for ACCA credit points in Kuching, Malaysia, on behalf of PricewaterhouseCoopers.
Managed client relationships for customers including Perwira Affin Bank, Rashid Hussain Securities, Hong Leong Bank, Telekom Malaysia, Courts Mammoth, Pan Malaysian Pools, Dunlop Malaysia International, Epson Precision (M) and Pengurusan Danaharta Nasional.
Prepared RFP/RFI responses, project scopes (statements of work, SOW) and cost analyses.
Senior Internal EDP Audit Officer
Arab-Malaysian Merchant Bank Berhad
Kuala Lumpur
03.1995 - 10.1999
Company Overview: Financial Services
Responsible for establishing relationships with the Bank's information technology groups and other lines of business to ensure appropriate control design and control effectiveness were implemented across organisational processes.
Conducted IS risk-based audits and recommended strategic solutions to the business units.
Conducted a series of application system reviews for products such as savings, fixed deposit, hire purchase, the fund transfer system, the credit card system, the treasury system and general …
Conducted a review of the evaluation process for purchases and upgrades of IT hardware and software to ensure requirements and procedures were adhered to.
Conducted project reviews of application controls for newly implemented functionality, and reviewed the technology strategy to ensure 99.95% service availability for core systems.
Developed the IT Audit Plan for the AMMB Group to identify and assess inherent risks.
Prepared reports with findings and recommendations and presented them to management and the audit committee.
Followed up on the actions taken by business units to correct deficiencies, irregularities and non-compliance identified in reported recommendations.
Casual position
National Australia Bank
Melbourne
01.1990 - 03.1992
Company Overview: Foreign Exchange Department
Responsible for converting foreign currencies to Australian dollars and preparing debit and credit receipts for payments to customers via SWIFT.
Education
Bachelor of Business - Information Systems
University of Ballarat
Melbourne, Australia
01.1994
South Australia Matriculation Certificate - HSC Level
Lending Team Assistant to State Manager Home Lending at Bank of Melbourne (Westpac Group)