Germain Geissler Email and Phone Number

- Execution of a GDPR control plan in the health and research sector- Performance of risk assessments for several Banking applications- Coordination and tracking of an IT programme to remediate multiple IT audit findings with reporting to senior management. Creation of the organization ISMS Policy and Standard, assistance in the creation of Standard Operating Procedures- Assistance in the review of the operational risk framework - Performance of gap analysis against DORA (including RTS), delivery of DORA presentations for clients awareness purpose - Performance of Cloud Assessments to ensure compliance with regulation 22/806, including preparation of notification files

- Oversight and challenge of the IT risks as 2nd line of defence, through review of Key Risk Indicators, projects IT Risk Assessments, Cloud Compliance, and outsourcing authorizations
- Creation of quarterly IT Risk Profiles for communication to the Board of Directors
- Primary contact for all Cyber and IT Regulatory engagement (e.g. CSSF Circulars 20/750 on ICT and security risk management, 17/654 on Cloud Computing Outsourcing, 12/552, 13/554, 11/504, NIS Directive, DORA, PSD2 & others IT Regulations applicable across Europe / APAC), review of regulatory notification (e.g. material IT outsourcings)
- Performance of deep dives on specific topics on an ad-hoc basis (internal security assessment against SANS20 controls, Vulnerability Management & Patching, Data Lake)
- Development of an IT Risk Heatmap facilitating the understanding of the risk aggregation / prioritization across RBC entities, with the use of Data Analytics and the Risk Register

2nd line of defense function, to provide challenge and oversight to the design and implementation of security controls and processes and to mitigate risk for Investor and Treasury Services (I&TS). - Lead thematic/deep dive reviews to assess the controls effectiveness against key risk scenarios- Review of self-identified risk issues and acceptance or treatment plan to ensure the business is operating within the risk appetite- Monthly Key Risk Indicators review & investigation with 1st Line - Risk assessment reviews- Risk reporting on IT Risk profile- Support as Information Security Officer activities for IT regulatory activities such as review of regulatory files, review of policies and standard to consider local requirements, review of projects to ensure compliance with local requirements (CSSF Circulars such as 12/552; 13/554; 11/504; 17/654)

Part time teacher at the "Institut Universitaire de Technologie" (IUT) of Metz for first-year students in Information Technology on the topic of Databases.

Incident Management- Handling of Information Security Incidents upon occurrence, as Incident Manager- Creation of Information Security Incident Management Policy and Standard, review and improvement of the Incident Management Process (Communication Plan, Standard Operating Procedures)- Management of a project related to development of the digital forensic capabilities at the Group Level with 200.000€ budget. Establishment of the requirements, understanding of the legal framework, creation of standard following ACPO guidelines, creation of operating procedures for the tools used (e.g. Encase v8, FTK Imager, write blockers, seal bags), training of CERT members on Digital Forensic- Escalation of regulatory and operational risks (including impact analysis), regular communication to the top management (KPI), regular communication with IT and non-IT stakeholders- Interface between the CERT and external / internal auditors (communication, preparation of evidences)- Development and implementation of a control self-assessment for the CERT activities

Chief Information Security Officer Assistance (Financial entity in Luxembourg)- Performance of various CISO tasks (e.g. analysis of the implementation of an AML tool with related risks and recommendations, definition and implementation of an IT Security Dashboard, analysis of compliance with the CSSF circulars, access reviews) e-Discovery, Data Analytics, Litigation services- Implementation of tools allowing the identification of transaction linked to Anti Money Laundering, Sanctions, and Tax evasionIT Audit (Gaming Industry in a European context)- Responsible for a 10 persons team for the performance of a recurring IT audit, coordination of the planning, research and training of new IT auditors in this context, creation and update of documentationBusiness Continuity Program & Disaster Recovery Planning (from Business Impact Analysis to Training and Awareness, understanding of the IT infrastructure, creation of Disaster Recovery Plans) within a Major Bank of Luxembourg

ITS Internal Controller (Major Private Bank in Luxembourg)- Design and implementation of a control monitoring program (performance on a regular basis of a 2nd level of control over key operations)- Ad-hoc security investigations on the day to day for various topics (e.g. sensitive data scrambling, third parties contracts controls, incident management, etc.)- Design and implementation of a security incident management process (e.g. Incident detection, escalation, Cyber-security incident management)- Design and implementation of an IT Security Dashboard for the Group Information Security Committee (feasibility study regarding security indicators, data gathering and computing, presentation of the results to the management)IT Audit (Gaming Industry in a European context)- Responsible for a 10 persons team for the performance of a recurring IT audit, coordination of the planning, research and training of new IT auditors in this context, creation and update of documentationHigh privileged accesses management (Major Private Bank in Luxembourg)For a defined scope of applications, review of the permanent high privileged accesses within the organization.- Understanding of applications (related owners, components linked to the applications, accesses storage, high privileged groups)- Data extraction and high privileged accesses analysis (identification of permanent accesses vs temporary accesses, identification of risky temporary accesses, etc.)- Reporting for describing the entire process and procedures. Creation of waivers for risk acceptance.Multiple Business Continuity Program implementations (from Business Impact Analysis to Training and Awareness) within financial organizations (i.e. Management companies)Business Intelligence and IT Forensics

Design and implementation of a pentest LAB - Installation of different Virtual Machines (Windows Server 2008, Asterisk, Archlinux...)Script development for log analysis and visualization via Gephi

Implementation of a complete Business Continuity Management documentation following ITIL v2 and BS:25999- Business Impact Analysis and Risk Assessment- Business Continuity Strategy- Business Continuity and Disaster Recovery Plan

Documentation update and improvements following the department changes (IT Delivery Center), but also by following CSSF circulars. Simulation of an internal audit and tests of IDC procedures.

Security Policy & Procedures improvementsCreation of auditing evidences

Documentation creation following external auditors advises, ITIL v2:-Security Policy & Procedures-Outsourcing Policy & Procedures-Business Continuity & Disaster Recovery Plan

ASP Application improvementsImplementation of reusable componentsSQL Server Migration

Reverse EngineeringASP ApplicationDocumentation creation following Macroscope Guidelines (Fujitsu)