Dennis Silva Email and Phone Number

As a Cyber Security Tech Leader I was in charge to understand the possible security risks related to business to implement (and support the internal teams) security measures to keep data secure.Here is the majority of my responsabilities:- Define the security frameworks to use as a guide for software development process, security baseline, information system management system and risk assessment.- Establish the technical security requirements for several security areas (e.g. software development, IAM - authentication and authorization, vulnerability management, network protection and inspection, cryptograhy (in-transit and at-rest) and incident response.- Execute security assessment to validate which security controls are in place to minimize security risks. Create a security report either executive report and technical report with details about the main findings, recommendations and action plan prioritized by risk level.- Provide technical guidance and mentoring to security staff according to their career aspirations and support them to understand how important is the core security controls for the business.

I came to Daitan company with one big challange: elaborate and implement the strategic, tactical and operational Information Security Plan to mitigate business risks through the effective controls, keeping the Security Information KPIs and KGIs and providing customers satisfaction.The key activities that I'm development is:- Build the Cyber Security Strategic plan, including the risk assessment methodology, controls practices and audit guidelines;- Help the Executive Team to ensure the Information Security directives are established and published to all company;- Awareness all Daitan's Employees about the Information Security best practices, avoiding sensitive data leakage;- Supporting the Information Security questions sent by external customers about the Daitan's security information controls implemented in current IT Environment;- Proof of Concept/Value (PoC/PoV) in an IT or IS technology solutions.

In addition to the activities listed below, I am also responsible for:- Support the cloud customer to understand and clarify Information Security questions. Also, I'm helping them with other cloud subjects in terms of Infrastructure, Database, DevOps, Network, Storage and Backup, etc.- Elaboration the public security documentation (Ex: Security White Paper) that describes the technologies and internal process that we use for deliver the IT environment in a security manner.- Information Security Awareness Training to cloud staff to ensure knowledge about phishing, malwares and security procedures / incidents.

Professional in charge for achieve the ISO27K1 certification and implement the Information Security Management System (ISMS) on TOTVS Cloud Computing Business Unit. The TOTVS cloud is managed by the IT orchestration platform (softwares developed to create and support TOTVS ERPs infrastructure and databases and public cloud approved by TOTVS).The following activities were developed for our team:• Security Information Risk methodology and procedures: - Business and Security Information impacts (e.g. Confidentiality, Integrity and Availability) - Mapping security information risk with internal control considering which kind of control (e.g. manual or automated) and frequency (e.g. quarter, monthly, etc) - Association of internal control with the control of Annex A of ISO27K1• Risk Treatment Plan (RTP) - Development a strategic plan to implement the new controls - Walkthrough to understand the control activities and, sometimes, collecting evidence. • Statement of Applicability (SOA) - Mapping of internal controls applicable to Annex A of ISO2701 based on business justification.• Development the policies, normative and procedures about information Security including: - Information Security - Physical and Logical Access - Remote Access - Clean Desk - Cryptography - Backup and Restore - IT Asset Disposal - Disaster Recovery

• Performing internal and external penetration test in infrastructure, web applications and ERP's (SAP).• Development of executive presentation considering key risks identified, preparation of technical reports describing the identified vulnerabilities and recommendations.• Analysis and implementation of firewall rules on devices such as CheckPoint and Cisco ASA.• Management and segregation of physical and virtual networks of corporate network devices, combined with the implementation of access rules at Layer 2 (Access Control List) and analysis of assets included in the demilitarized zone (DMZ).• Response to security incidents.• Vulnerability Management.• Hardening in operating systems such as Windows and Linux.• Configuration and managing SIEM (Splunk) tool for correlation of logs and notification of security events.• Forensic analysis for Windows / Linux servers and mobile devices.• Business impact analysis (BIA) / Disaster recovery plan (DRP).

• Perform activities related to IT external Audit in support to financial audit and execution test of design and effectiveness IT general controls, acting in three areas:• Access and Program and Data - Security Police and user awareness, access control and sanitization users on network and corporate systems, password police, logs and user accounts administrative.• Program Change - request, authorization and transport changes, segregation of type of changes (Normal and Emergency) and environment (DEV, HMG and PRD).• Computer Operations - jobs and backup scheduled, storage of backup media and monitoring computing resources for critical servers.• Development ISAE3402 Type I or II report considering the entity level and internal controls.In addition to the above activities, participated in projects of IT governance, assessing the maturity level of the controls based on COBIT framework