Hafid - Consultant technique 4D

Expérience professionnelle

Environnement : ISO 27001, EBIOS, RGPD, OWASP TOP 10, DATA CLASSIFICATION, PATCHING MGT,
SOC, Cloud AWS/AZURE

Chef de Projet Cybersécurité
- Au sein de l’équipe gouvernance, pilotage et coordination des ressources des différents projets IT Security Program selon la réglementation du groupe allemand avec 1ère place dans le classement des National Sales Companies (SOC Resilient SOAR/Splunk SIEM), EDR FireEyes, Scanning (Nessus), WAF/Dome9, Cloud AWS, Proxy Bluecoat/Zscaler, AD, Comvault
- Pilotage mise en conformité RGPD (suivi des plans d’action, cartographie des risque, politique de gouvernance)
- Mise en place et suivi Security Awareness sous forme de BD animée, pour sensibiliser tout le personnel sur le sujet de la cybersécurité
-Mise en place procédure et processes de bout en bout pour la gestion du patching de toute l’infrastructure (suivi alertes CERT, communication en amont, qualification, applicabilité, test, déploiement, vérification et suivi plan de remédiation, reporting avec KPI)
- Rédaction cahier des charges pour le SOC
- Pilotage et suivi des prestations de pentests et validation des rapports avec le RSSI
- Gestion des coûts, délai et qualité pour la réalisation des projets ITSP2 en mode AGILE et mise en conformité du SMSI (ISO 27001)

- Mise en œuvre des bonnes pratiques de sécurité du SI (ISO 27002)
- Analyse de risques du SOC/SIEM et des applications (ISO 27005)
- Pilotage du SOC/SIEM (ISO 27035)
- Participation CAB et présentation suivi avancement projets au COPIL
- Veille technologique sur les dernières tendances en matière de sécurité de l’IT (Gartner)


BNP Parisbas, Paris Juin 2016 - Mai 2017

Architecte d’Entreprise
Environnement : HSM, SOAR, RGPD, OWASP TOP 10, DATA CLASSIFICATION, CISCO, PULSE

- Fiches de règles et recommandations Groupe sur les architectures techniques dédiées au domaine de la sécurité
- Fiches d’architecture de référence (ITRefCard) détaillées pour les principaux cas d’usage définis dans les livrables  Chiffrement et IAM
- Fiches de qualification des technologies (Group IT Standard Qualification) retenues lors de l’élaboration des livrables pour mise au catalogue technologique du groupe selon Magic Quadrant (Gartner)  Evidian eSSO, VPN Cisco anyconnect
- Prise en compte des nouvelles règles, d’architectures de référence détaillées et technologies standardisées pour la sécurisation des développements de la gestion des données
- Animation de groupes de travail tout au long de l’année avec différents experts et architectes en sécurité de diverses entités du Groupe BNPP (CIB, Fortis, Arval, DW, etc) pour valider la standardisation et conformité de technologies et d’architectures de sécurité (IAM, SIEM, CASB, EDR, SOAR, Fortinet, Checkpoint, Cisco ASA, Evidian eSSO, etc).

MCI Group, Geneva (6 months contract) Jan – June 2015
Security Consultant
- Design, set up client interconnection to cloud (routing, Nexus, F5 LTM VE, Pfsense FWs, HA, Squid Proxy, Snort, VPN)
- Level 3 support, Monitoring, patching and documentation

Novartis, Basel Jun 2013 – dec 2014
PKI Security Engineer,
- PKI engineering and level 3 support (PKI Win 2008, Nexus, Safenet Luna SA HSM, F5 LTM, NetIQ, Nessus and Qualys scan, Bluecoat ProxySG, ...)
- Concept and implementation of two network migrations (Network Splitting)
- Project management for a PKI integration project (Disaster Recovery for both Data Centers)
- E-mail encryption solution design and engineering (Totemo)

Nespresso, Lausanne Jan 2011 – May 2013
Security Consultant,
- Managed and monitored Nespresso infrastructure with RSA Envision
- Security Audit with:
• IBM ISS and Qualys scan to detect vulnerabilities that can be exploited during intrusion attempts or attacks on the network.
• Tufin SecureTrack to track Firewall changes, analyzes configurations, optimizes rule bases, …
• Imperva SS WAF (Web Application Firewall) to analyze and block suspicious web traffic

Banque Cramer, Geneva Dec 2009 – Jan 2011
Security Consultant,
- Set up, configured, managed and monitored bank infrastructure with different technologies such as HP switchs, Juniper VPNSSL (Encrypted Remote Access) / FWs, Proxy (Bluecoat) and Swivel (Strong authentication tokenless solution), Microsoft Active Directory, all in a partially virtual environment (VMware).
- Set up and troubleshoot VPNs connections between different offices.
- Configured, managed and upgraded remotely FWs, HP switchs and documentation.
- Managed, upgraded anti spam appliances (Ironmail)
- Set up, managed, proxy cluster (Bluecoat)
- Level 3 technical support.
- Cisco Aironet for WIFI solution

Verisign, Fribourg and Providence (USA) Feb 2005 – Sept 2009
Dimension Data, Lausanne Nov 2002 – Feb 2005
Verisign took over the MSS contract from Dimension data
SOC Engineer, working mainly in the banking, pharmaceutical and telecom industries
Level 3 technical support :
- Configured, managed and monitored over 1000 customer Firewalls (Checkpoint, PIX/ASA, Netscreen, Sidewinder) and strong authentication (RSA)
- Identified and monitored, customer issues, troubleshoot and coordinated resolution using a variety of applications and testing tools.
- Set up and troubleshoot VPNs connections between various 3rd parties.
- Configured, managed and upgraded remotely FWs and managed PKI certificates

Ascom, Lausanne Jul 2001 – Oct 2002
Security Engineer
Implemented a VPN solution (IPSEC) with authentication server (ACE/ACS), Certificate Authority and Trustworks products (Trusted client and Trusted GSM) to allow Extranet users to access securely sensitive Intranet data.

Nestlé Headquarter, Vevey May 2000 – Jun 2001
Project Manager
PKI Solution:
Managed RSA Keon server (CA) in the Data Center and its reverse proxy (used to mask the PKI architecture) to deliver clients certificates who need to access the specific Intranet Site.
This reverse proxy is and to force users to be authenticated when requesting a certificate needed to access their Intranet site.

Remote Access:
- Implemented a CiscoSecure solution to authenticate traveller users.
- Configured routers and Tacacs+ servers in load balancing mode.

Intranet SSL:
- Defined and implemented a solution encrypting Intranet site access, with a 128 bits key, through Big-IP’s boxes (F5) with power CPU generating SSL connections in order to redirect the traffic (http in https) to the appropriate Intranet site.
- Implemented Stronghold (Secure SSL Web server with full strength 128 bits encryption) on reverse proxy

Intrusion Detection:
-Audit of possible vulnerabilities detected on Cisco devices and on the different platforms (Unix, NT) of the Nestlé network with the ISS RealSecure

Boréal Communication, Cisco partner, Paris Mar-1999 – Apr-2000
Network Administrator for a new Lab installation.
Worked with different technologies: LAN, routing technologies (routers configuration, routing protocols: RIP, IGRP, EIGRP, OSPF, …)

Swisscom, research center, Bern Sept-1998 – Feb-1999
Network Administrator trainee for a new Lab installation.
Worked on different hacking technologies:
Packets Sniffing (Etherpeek 2.0), IP Spoofing, password Cracking (L0phtcrack 2.02),
Cryptography (PGP 6.0), Mail Bombing (Avalanche), Denial of Service (DOS)