CV/Mission de Consultant Process Orchestration freelance

Exemple de missions de Bilal,
Consultant Process Orchestration habitant Paris (75)

Expérience professionnelle

ASSOCIATION AACC (SEPT. 2023 – JUNE 2024)
CISO AS A SERVICE – SECOPS, AWARENESS, CLOUD SECURITY
AACC is an healthcare association providing psychotechnical testing SaaS for psychologists. The software
is used by psychologists to ensure people are able to move forward once specific events occurred (such as
a driving license loss). Collaborating with 500+ psychologists, AACC77 CEO has to ensure availability and
security of their SaaS. (10 months fixed mission, average of 0.5-1days/week)
Missions:
— Improve cybersecurity and ensure availability of the SaaS
Results:
— Migrate of hosting applications and websites
— Enforce AWS best practices (IAM RBAC, MFA, etc.)
— Develop availability: Build offsite redundancy, Create backup process
— Enhance awareness: Create phishing campaigns
— Define password policy
— Integrate anti brute force tools (WP)
Environment: Cloud (AWS, Scaleway), IAM, Security Services, Governance, ANSSI (42 controls)

UNIVERSITY OF KUALA LUMPUR (MAR. 2024)
Cloud Security Lecturer
University Kuala Lumpur (UniKL) is the leading university in engineering technology in Malaysia. The
university aims to provide their graduates with the knowledge, skills and attitude required to contribute
towards society in an effort to play major roles in a globalized and knowledge-based economy.
UniKL is the premier and the biggest university in Malaysia with 12 campuses, 140+ programmes, 2500+
staff, and over 55000+ graduates. As part of its activities, the client exercising as UniKL Head of Section
wishes to develop students skills in cloud security.
Missions:
— (Re)discover Cloud fundamentals and vocabulary
— Understand the various Cloud deployment models
— Present the challenges and constraints of Cloud environments
— Tackle all the security challenges of a Cloud environment through practical case
studies
— Present main used tools and solutions
— Focus in depth the workings of two Cloud Providers (Azure, AWS)
— Provide a forum for students to share their questions and experiences on the
subject.
Results:
— 3 hours session training on cloud fundamentals, key principles of cloud architecture,
data protection, access management, maintain security, governance and
compliance
— 100+ students received training
— 100+ certificates delivered.
Environment: Cloud, Security services, Governance, Compliance

ENEDIS (FEB. 2023 – SEPT. 2023)
Cloud Security Office – ISMS, Cloud (AWS, GCP), CI/CD
Enedis is the leader of electricity distribution with over 40K+ employees in France. It also provides smart
meters, advanced metering infrastructures (AMI) and smart grids capabilities. In a strategy of international
expansion, Enedis aims to sell Linky systems. It could include smart meters, advanced metering
infrastructures (or part of it) and specific internal knowledge.
As part of its activities, the Head of Cybersecurity of Linky has to ensure cybersecurity is a central concern
while expanding internationally. Indeed both France and future clients' security could be impacted. To
achieve this, a Cloud Security Consultant has to address international project security topics while being
part of the client's cybersecurity strategies and requirements.
Missions:
— Report on International Linky security to Head of Cybersecurity
— Define security requirements of the solution according to deployment scenarios
— Ensure security run of the solution (DevSecOps, etc.)
— Manage and analyze call for tenders on cybersecurity aspect
— Support future customers on security strategies and requirements
— Assess and ensure Electric Vehicle Supply Equipment (EVSE) project security
— Management and monitoring of ISO 27001 compliance
Results:
— Define AMI security requirements (150+ requirements, 5+ deployment scenarios, 10+
cybersecurity standards)
— Lead technical and functional workshop (10+ workshop conducted;
— Answer calls to tenders on cybersecurity topics (5+ tenders)
— Compliance Gap Analysis (10+ cybersecurity and country-specific standards)
Including : MeitY, APSR, ISO, NIST, SecNumCloud, NIS, SANS, CSA, CIS.
— Cloud Service Provider security assessment
— Define code security methods (obfuscation, etc.) to protect intellectual property and
against reverse engineering
— Organize code audit campaigns (10+ vulnerabilities remediations)
— Develop secure coding: start CI/CD security testing (SAST, SCA, etc.)
— Launch ISO 27001 certification project
— Enhance and develop cybersecurity for EVSE supervision project
— Define and develop Governance :
● Establish cybersecurity pre-sales and technical documentation
● Define policies and processes (code review, access and authorisation, SIEM, cryptography, etc.)
● Define cybersecurity target operating model of consortium (6+ stakeholders)
Environment: Cloud, Security services and tools, CI/CD, Governance, Compliance (NIS, ISO)

TF1 UNIFY (JAN. 2022 – JAN. 2023)
CISO Office – ISMS, Cloud (AWS, GCP), CI/CD
Unify is the e-media company of TF1 with more than 400+ employees and includes brands such as
Marmiton, Doctissimo, Aufeminin, LesNumériques, Gamekult, CNet, ZDNet and 10+ others.
As part of its activities, the Unify CTO wishes to enhance cybersecurity in order to secure the business. To
achieve this a Security Champion acting as a CISO has to tackle all security topics of the company. After
audit the company and define the security roadmap for the next 2 years, various topics (functionals and
technicals) at different levels have been launched, covering all ISO27K1-2 security subdomains.
Missions:
— Report on cybersecurity to TF1 COO and UNIFY CEO & CTO
— Launch cybersecurity activity
— Create, enhance and develop cybersecurity practices, methods and tools
— Improve visibility on cybersecurity (cloud and on-premise)
— Internal Audit Remediation
— ISO 27001/2 compliance leader
Results:
— Group security roadmap definition (+70 security projects)
— Group audit action plan definition (10+ audit remediations)
— AWS & GCP cloud security : infrastructure review, deploy security services, improve
visibility, enforce security, configuration review
— Cloud SIEM (define requirements, architecture, relevant logs, etc.)
— Organize pen testing campaigns on main websites (13+ vulnerabilities
remediations)
— Define and deploy the cybersecurity awareness strategy (phishing campaigns with
4000+ phishing mails sent, 100+ newsletter, 10+ e-learning modules, workshops, )
— Develop secure coding : launch CI/CD security testing (SAST, SCA, Code Quality,
etc.)
— Define and develop Governance :
● PSSI, Security Assurance Plan, Password Policy,
● Operating model, Risk cartography, Risk analysis template, 3rd party security review,
● Pentesting policy
— Investigate and evaluate security incident provided by external SOC
Environment: Cloud AWS, GCP, Security services and tools, CI/CD, Governance

METROSCOPE – EDF GROUP (2022)
INFORMATION SECURITY & ISO 27001/2 AUDIT
Metroscope is a new technology for the diagnosis in operations and the maintenance of power generation
assets, combining a Digital Twin and Artificial Intelligence (AI). Metroscope wants to identify its
Information Security vulnerabilities and build an ISO 27001/2 compliance roadmap. (2 months fixed
mission)
Results:
— Lead the audit mission and build control plan
— Lead interviews, analyse security & technical documentation (Azure Cloud
environment)
— Identify security vulnerabilities & ISO 27001/2 gaps
Results:
— Information Security & Compliance audit report
— Cybersecurity & ISO 27001/2 compliance Roadmap & Action Plan, charges &
budget

INGENICO (2021)
CLOUD CI/CD SECURITY AUDIT
The client activities are focused on the design and development of payment terminal. The R&D
department has set up a CI/CD (continuous integration / continuous development) environment, with
central repositories in which source code is compiled, built, archived and tested automatically. (3 months
fixed mission)
Missions:
— Check the correct security level of the CI/CD environment
— Constitute a CI/CD documentation including architecture mapping
— Identify threats and vulnerabilities on assets defined as sensitive
— Analyze and estimate main risks
— Formalize an audit report
— Implement a pragmatic remediation action plan promoting quick wins approach
— Produce a detailed summary of the audit
Results:
— Cloud CI/CD security referential (170+ controls defined)
— CI/CD documentation (architecture, products, processes, etc.)
— Mission framing document, Kick-off presentation, Audit restitution document
— Analysis and identification of risks, Remediation plan (17+ remediations defined)
Environment: Cloud, CI/CD (SCM, integration, build, deployment, artefact, orchestration, etc.), Security
testing (SCA, SAST, etc.), ISO27001-2, General security and methodologies referential, Product and context
specific hardening guides, Security best practices and recommendations, Client internal referential

AXA GROUP OPERATIONS (2021)
CLOUD SECURITY office – Azure & AWS
As part of its activities, the client exercising as the Cloud CISO of AXA Group Operations wishes to put the
public cloud under control in order to secure it. To achieve this, various initiatives at different level have
been launched, the Control Tower to regain visibility of the cloud through tools such as the CSPM and
CASB, the Public Cloud Operating Model to define the RACI between the different stakeholder, the Cloud
SAP and so on, that will improve the security oversight.
Tasks evolved during the mission due to the complexity and multiplicity of the topics dealt with by the
client.
Missions:
— Define and validate according to the Security Assurance Plan all security standards
to implement on public cloud
— Define and implement security controls on multi public cloud
— Establish and monitor the reporting of asset statu...