A key part of this role was the support for successful ISO27001 certifications up until the risk and compliance functions were separated. After this change, as well as providing a risk model to my team to provide a consistent risk assessment capability, I also devised processes to manage compliance training to cover all relevant company staff. The standard risk work involved the logging, assessment and reporting of risk. Some of this involved the discussion, review and management of corrective action tracking for issues raised during audit work.The risk model was based on FAIR and linked to multiple risk models allowing risks to be transferred between different business units. It was also taken and used by the large payments company to scope and assess risk for significant ad hoc projects.Also during this time I acted as a policy and documentation librarian, making sure that relevant documents were updated as required for ISO purposes.

I took a break from the smoke to see how business works outside the M25. Exposure to preparing information for accounts, tax, payroll, CIS, VAT and management information for small businesses.Also in the front line against the cyber world, being the acting IT manager when Windows etc. doesn't behave itself...

Devised and performed audits of controls over the development and release of quantitative models used in front office and core IT (London branches of two international investment banks).Managed an audit team reviewing the production use of exotic and complex valuation models for trades, covering release, testing and change controls and version management (UK investment banking division).Contributor to both technology and business aspects of FICC and equity derivatives sales audit (US investment bank). Acting Head of IT audit for an outsourced internal audit function covering all aspects of technology use (payments transmission company). Audit coverage:• IT and Information Security• Service certification audits and reviews of third party audit work on IT controls• Review of cybersecurity• Project portfolio management• Business Continuity• Data protection measures and processesActing senior IT audit manager liaising with key business and technology staff (payment services company). Assignments included:• Core infrastructure patch management• IT Governance• Data Centre audit follow up• Monitoring a major transformation programme and project controlsReview of Global Business Continuity function (EMEA/US/Asia based investment bank).

All manner of reviews relating to the bank's business and use of ITPost implementation reviews covering strategic projects.ERP application security reviews covering all user entitlements assigned using activity groups and detailed authorisations. Built a tool to automate this work.ERP infrastructure security review including entitlements, configuration, connectivity, and management of administrator users.Review of the Business Continuity Management programme and its testing.Reviews of all key payment systems including supporting environments including recommendations to prevent unauthorised changes to payment data.Reviews of key trade recording and reporting applications.Reviews of third party services.Management of workstations and small devices.Sign offs for security sensitive changes.Data acquisition and other queries.Scoping and supervision of specialist work performed for Networking, Windows Domain, Oracle and SQL server database audits.General controls relevant to the above audits (change management, information security, business continuity).Post implementation review of outsourced system.Innovations: Use of data mapping software to model the route of outbound payments. Designed, built and used scripts to confirm domain ‘need to know’ access. Built tool for audit review of detailed ERP entitlements. Built scripts to monitor domain workstation accounts.

I ran and presented courses for the BCS IRMA Specialist Group. As there were links with ISACA and ICAEW we also ran joint events.

Active member of committee signing off projects covering the information security and regulatory risks of projects due for release.Helped produce and deliver presentations for security awareness induction sessions for new staff.Input from EMEA region to develop and revise the Firm’s global information security policies.Co-produced global survey of the Firm to assess its exposure to data loss from hardware.Co-created a global newsletter to improve awareness of information security.Devised security metrics for the bank’s ‘Basel II’ project.Innovations: Designed secure management and delegation of private side email privileges which was subsequently used by the Firm. Created management reporting system to gather and publish data generated from security awareness training and surveys.

Application reviews including supporting infrastructure work in a fast moving trading environment:Review of equity derivative model valuation process and environment.General controls review of the Firm’s CDS application, including a gap analysis of controls present in preparation for Sarbanes-Oxley.Application and general control reviews of the Bank’s daily regulatory reporting process, prompting a re-assessment of the risk. Benchmarked the Firm’s audit risk model to CobIT.Co-created newsletter of upcoming regulation and legislation likely to impact the Firm and related roadshow for IT system developers.Innovations: Used database to map the firm’s audit methodology to the CobIT domains and objectives. This was used to perform the first assessment of the likely impact of SOX on the Firm’s IT audit.

Provided security consultancy to projects in Treasury and Lloyds TSB Group, including security requirements definitions as required, and building relationships to support this work. A recurring theme was ensuring compliance with the data protection act.Successful project implementation including the documentation of key operational and security aspects for a Straight Through Processing programme.Providing support to ongoing Treasury eCommerce project, including coordination and evaluation of penetration testing.Reviewed the design and assisted the implementation of a project to secure the transmission of wholesale payments across the group.Researched, prepared and circulated database and wireless networking security papers and provided guidance and training to support the wider Lloyds TSB Information Security community.Liaised at all levels to identify challenges early in the business’s project portfolio. This included risk assessment of projects using emerging as well as established technologies. Examples include middleware, firewalls, PKI (digital certification), databases, operating systems, IP networking and application security.Ad hoc consulting work and projects to address system deficiencies in production.Innovations: Provided a system to make security entitlements visible for the core mainframe application then in use; this was subsequently used by the business to document and sign off those entitlements. Designed and built security monitoring environment for production databases before commercial software was available. Developed metrics to help implement the Bank’s ITEC rules within LTSB Treasury. Testing the adequacy of database level security in core applications. Produced domain wide scripts to find and remove malware. Using MS - Office/VBA to provide solutions to security administrators. Used similar tools to identify entitlement failings in a core application.

Pre- and post- implementation reviews of implementation and application migration projects.General controls work (system development, change management, information security, business continuity) including third party controls.Prepared three year audit plan matching audit universe to workload and resources. Innovations: Coached the Treasury audit department on the importance of database security and showed how this could be practically checked during their work following my own investigations into this area with the database administrators.

Responsible for preparing regulatory report of IT controls used as the basis for a big four report.Advised on the adoption of security measures to improve the branch’s security stance in the following areas: both mainframe and local operating system domains, database security and payment data integrity.

Working for a subsidiary of Lloyds TSB group. This included:Audit recommendations to prevent unauthorised changes to payment data.Review of life insurance core application and its integration with mainframe security.Reviews of business continuity processes, testing and planCore project review to ensure the security of the components automating the flow of business documentation. Reviews of mainframe operating system and RACF security.

All kinds of application (both pre and post imp) and SAS70 reviews including global and mission critical systems. General controls reviews as well as all kinds of data acquisition and reporting in support of audit teams delivering year end and interim audits.Innovations: Developing audit guidance notes for local area network security and running a course to train auditors in using those notes. Devising and delivering staff training in data acquisition, analysis, interrogation, and presentation. Developing and building a computerised solution to support the Firm’s involvement in a major UK charity event. Embedding the firm’s mainframe tool in a client’s production systems to obtain year end audit data.

Under a training contract I was exposed to many small and medium sized owner-managed businesses in the following sectors: • Lloyd’s insurance • Charities • High streetInnovations: I became the office spreadsheet expert, and this knowledge was used to prepare client business projections.