IT Security Specialist, SOC/SIEM, 27001 Auditor, IT Manager / Project Manager and Penetration Tester

Verified Profile

partly available

Last update: 07.02.2023

IT security: ISMS, TISAX, SOC, IT-Grundschutz, ITIL, PMO, KRITIS, auditor 27001, penetration tester

Company: Kopiaconsulting GmbH
Graduation: Doctorate Degree
Languages: German (Full Professional) | English (Full Professional)

Attachments

Lebenslauf-jkopia2023_020323.pdf
Lebenslauf-jkopia2023-en_020323.pdf

Skills

Special fields of the last years: 
  • ISMS implementation based on BSI IT-Grundschutz or ISO 27001-native
  • Auditor and consultant for ISO 9001, ISO 27001, ISO 27019, §8a and TISAX, ISO/IEC 27701, ISO 22301
  • GDPR (DSGVO) data protection implementation, data protection officer
  • SOC2, HIPAA, PCI-DSS
  • GoBD
  • Use of various industry-specific security standards (B3S), e.g. clinics, health, energy, etc.
  • Establishment of Security Operation Center (SOC) as well as Cyber Security Incident Response Teams (CSIRT), products e.g. Splunk, Greenbone, Nessus, Elasticsearch, Elastic Security, Kibana
  • OT Security, IEC 62443, SCADA
  • Cloud Security (AWS Security), Security in Containers (Docker, Kubernetes).
  • Experience with the NIST framework and NIST assessments.
  • SIEM / Splunk, logging, monitoring, Elastic
  • System hardening (Windows, Linux)
  • Threat Modeling 
  • Secure Software Development / Security Testing / SDLC
  • Automotive: SAE J3061, ISO/SAE 21434, TISAX
  • Implementation of technical guidelines for hardware and software development products (incl. Common Criteria certifications including TR 03109)
  • Implementation of risk analyses, IT security assessments, penetration tests, vulnerability assessments 
  • Development of security concepts for network infrastructure and IT systems (incl. IT architectures and software development best practices, e.g. secure coding)
  • Hardening / system hardening
  • Publication of technical articles / authoring activities
  • Project management and team leadership activities with personnel responsibility 
  • Project management for complex projects (requirements analysis, implementation, quality assurance)
  • Requirement analysis and interface business requirement and IT implementation
  • SOX Compliance, BAIT, BaFin, ISAE 3402
  • Experience as Scrum-Master and Product-Owner for product developments
  • Chinese Cyber Law experience
  • IEC 62443, IACS, SCADA
Other Topics: 
  • IT Security / Security / Cryptography / Common Criteria / PKI solutions.
  • Implementation of ISMS, e.g. in the area of critical infrastructures (Kritis-V)
  • Auditor for IT security catalog according to §11 1a EnWG, audit proofs according to §8a BSIG
  • Preparation and audits according to BSI Grundschutz and Grundschutzkataloge
  • ISO 22301 BCM
  • Penetration testing experience (Certified Ethical Hacker certification)
  • OWASP, Burp, ZAP, Nessus etc.
Certificates
  • CISSP 
  • Certified Ethical Hacker (CEH)
  • ITILv4
  • IT Security Officer (certified)
  • IT Security Manager (certified)
  • Scrum Master
  • Certified EC-Council Instructor (CEI)
  • Multi Project Management (PMI / PMP and SCRUM Master certified) 
  • Incident Management and the development of CIRTs
  • BCM 22301
  • IT-Grundschutzberater
Some publications:
  • https://www.heise.de/select/ct/2021/7/2031717381985388403
  • https://www.heise.de/select/ct/2022/1/2130115435655413363
  • Effective Implementation of Management Systems, Springer Fachmedien Wiesbaden
  • Hacking WPA2-protected Wi-Fi networks with Fluxion

Project history

02/2012 - Present
IT-Security Projects

 

2010 - today Freelance consultant, among others on behalf of other companies.

Self-employed consultant for information security & auditor ISO 9001 / 27001

 

Activities as Managing Director:

  • Operational management of the company: building of teams and infrastructure, development of products and market presence.
  • Project assignments in the IT security environment with focus on the establishment of Blue Teaming activities (defensive processes and technologies) to defend against cyber attacks.
  • Implementation of Red Teaming processes, including penetration tests and security analyses for companies.
  • Advising on the establishment of Security Operation Centers and implementation of SIEM systems, as well as the establishment of Computer Incident Response Teams (CSIRT).
  • Industries and projects:
  • Security evaluation of systems and networks for plant operators.
  • Consulting for customers in the FinTech industry on the implementation of compliance requirements
  • Implementation of a data protection management system based on ISO 27701
  • Development of security concepts, among others based on IT-Grundschutz for a financial service provider

 

Activities in the projects:

  • Auditor for ISO 9001 and ISO 27001, §8a, ISO 27019, §11 1a EnWG, TISAX (customers mainly in the environment of critical infrastructure operators and customers for the operation of data centers)
  • Consulting of companies of critical infrastructures regarding information security and compliance with the IT Security Act
  • Consulting of customers in the context of information security and IT security
  • Consulting of companies in questions of certifications according to BSI IT-Grundschutz, ISO 9001, ISO 27001, Business Continuity Management, ITIL and risk management
  • Security assessments and penetration testing of IT and network architectures of customers
  • Project preparation for auditing of SOC1 and SOC2, BCM / ISO 22301 as well as ISO 27001, ISO 27017, ISO 27018
  • Project management activities for customers
  • Auditing of customers in the area of ISO 9001 and 27001, TISAX, KritisV, B3S

 

 

Project examples:

 

 

1/2022-present (ongoing): Consultant for SOC/SIEM:

  • Establishment of a Security Operation Center operation for a bank.
  • Implementation of SIEM use cases in Elastic Stack / Kibana
  • Definition of runbooks
  • Execution of vulnerability scans
  • Assessment of vulnerabilities and alerts based on the Security Incident Management process / SOC Analyst incl. threat analysis and threat intelligence
  • Establishment of a vulnerability management process
  • Selection and configuration of a vulnerability scanner (Rapid7 InsightVM)

 

3/2022-present (ongoing): Head of Security Topics:

  • Design and setup of an overall security process in the context of the implementation of a Security Operation Center (SOC)
  • Conception and management of the implementation of Security Controls with the departments based on the standard of the CIS-Controls
  • Assumption of the role of internal representative for the integrated management system (IMS) based on ISO 9001 and ISO 27001
  • Accompaniment of specialist topics: Vulnerability Management (Nessus), IAM, Network Security, Data Protection / Privacy, Security Event Management.

 

11/2021-9/2022 (planned end): Consulting for the selection and implementation of a Network Detection and Response Tool (NDR):

  • Accompaniment of the selection process as well as the tendering process within the framework of banking regulations
  • Design of the integration into the IT infrastructure, including the SIEM system
  • Planning and realization of a proof of concept

 

8/2021-today (ongoing): Consulting on IT-Grundschutz, risk analyses, security concept, HiScout tool deployment:

  • Structural analyses, protection needs assessments, risk analyses based on IT-Grundschutz for public authorities
  • Basic protection checks for various ministries and specialized procedures, both for specialized procedures and technical procedures
  • Security conception for technical procedures
  • Administration of the GRC tool HiScout

 

10/2020-06/2021: Security concepts in the context of consultants in the area of IT-Grundschutz - 8 months:

  • Creation of IT security concepts for a data center operator in the public authority environment
  • Risk analyses based on IT-Grundschutz
  • Operational concepts for topics in the area of storage, logging, backup, archiving
  • Support in policy development and documentation of operational processes
  • Workshops with the specialist departments
  • Definition of measures with the responsible persons on the basis of the analysis

 

 

01/2021-today: Assumption of the CISO task:

  • Gap analysis regarding state and status of information security.
  • Reporting level towards management / stakeholders
  • Definition of rules and regulations for information security
  • Creation of operational documentation
  • Project responsibility for the development of the ISMS
  • Implementation of ISO 27001, SOC2 as well as HIPAA, support of certifications and audits respectively
  • Technical vulnerability assessment, penetration tests as well as risk analyses of the IT infrastructure and/or applications
  • Implementation of AWS security measures, including tools such as GuardDuty, AWS Security Hub, AWS Config, WAF, Shield and CloudWatch
  • Risk analyses as part of the management system
  • Creation of technical concepts as well as definition of measures (AWS, development tool chain, release/deployment process)
  • Execution of trainings and awareness trainings
  • Assessment of security incidents

 

2020-2022 (ongoing): auditing of companies - ongoing activities:

The project included the following:

  • Auditing of laboratory equipment manufacturing customers
  • Auditing of operators of data centers
  • Auditing of a customer producing embedded devices for the public sector
  • Auditing of customers who operate control systems in the industrial environment

 

2018-2022 (ongoing): SIEM monitoring, penetration testing, and source code analysis for various customers

  • Network and vulnerability scans of infrastructure, including for asset discovery in the OT environment
  • OWASP testing of interfaces and web apps
  • Penetration tests of infrastructure landscapes (IT and OT)
  • Static code analysis for vulnerabilities and IT security flaws
  • Threat modeling for IT systems and applications
  • Risk analyses of IT and OT infrastructures based on various standards, esp. MITRE ICS and ATT&CK, IEC 62443, ISO 27034, NERC-CIP, CIS Critical Security Controls
  • Definition of scope and focus of penetration testing requirements
  • Support implementation of SIEM systems (mainly Splunk, ELK/Elastic Stack) and creation of analysis and dashboards 
  • Assess security event management / SIEM processes in the context of critical infrastructure.

For more, see the PDF.

02/2000 - 02/2011
Diverse Projects

Projects 2008-2011

Requirement analysis & process analysis
Creation of requirements and functional specifications, analysis of processes and IT architectures, moderation of workshops, conception of solutions (also by means of process representation in UML, BPMN etc.)
 
Selection of solutions and providers, tendering
Provide ROI analysis and IT investment decisions for departments and companies
Preparation of tender documents and evaluation criteria
Implementation of the provider presentations
Evaluation and presentation of the provider/solutions with recommendations for the most appropriate solution
Software development processes
In addition to requirements analysis, I know the software development cycle very well. This includes methodologies of development (agile, extreme programming) as well as the tools used for it. I also know the topics testing and QA, release management and deployment very well.
SCRUM
Certified as Scrum Master and experience in working with Scrum Teams. I am especially interested in increasing productivity through agile methodologies and the hurdle to consolidate this way of thinking in teams and companies.
Project Management
Experience in classical project management based on PMI through PMP certification.
Project planning, management and controlling, risk management and other relevant areas in this field (according to PMI Knowledge Areas).
Service Level, Quality and IT Processes
I have carried out an ITIL Foundation certification and various process support in projects.
Development experience
Very good overview of Java / JEE development as well as the development with PHP5 through own past development experience. I am familiar with the tools and current technologies and their performance (EJB3, persistence frameworks, JMS, and other different APIs as well as web services).
SOA / BPM
In various companies I was involved in the selection and implementation of a service-oriented architecture.
Use of BPM tools based on existing automated IT infrastructures.
IT Administration
As team leader, I was responsible for w data centers and a heterogeneous system landscape. This included above all the support of the application and web servers as well as database servers, but also the architecture of the system landscape itself (network technology, virtualization, IT security according to BSI / IT basic protection, etc.)
Web development
Through project experience knowledge of front-end technologies and processes: Web design, HTML/CSS/JavaScript, Flash, Silverlight, but also JSP/Servlets.
Mobile Technologies
Very good knowledge of mobile systems (iOS, Windows Phone) and their capabilities and requirements in relation to software development projects.
Sales experience
Development experience of a division of a personnel agency. Experience in sales and key account management.
Marketing and social media consulting
Consulting for various SMEs in the field of social media topics as well as marketing in the online sector (including SEO/SEM)

Activities in the field of management consultancy (2 years):

Sales and product management support and project management in the field of innovative hardware and software products
Drafting contracts with suppliers and customers of the new market
Change management of internal processes
Conception and business plan development for a start-up company in the field of management consulting
Project management at skilldeal AG for various IT projects

Worked as project manager (5 years):

multi-project management
Introduction of the CRM system Salesforce.com for 500 employees
Conception, development support and introduction of an external event management system into the internal company processes
Evaluation and introduction of an Enterprise Service Bus (ESB) with SOA architecture of the top providers in the market according to Gartner. Setting up a Business Process Management (BPM) based on the infrastructure and products and introducing the necessary process changes in the company
Introduction of a Social Media/Enterprise 2.0 intranet for the Scout Group
Decision making, implementation and migration of an old BI tool to a Business Intelligence system.
Assumption of Scrum Master positions for various Scrum teams in software development.

Activities as partner for a management consultancy (2 years):

consulting and coaching
Development of social media strategies and online marketing measures for SMEs
Coaching of individuals and teams with regard to the specialist topics of marketing, financing, IT processes and systems and in personnel management
Lectures at networking events on the above topics
Conception of ideas and writing of business plans
Writing of professional articles

Project management in the area of ECM (6 months): The focus of the project was on complex integration projects in the Enterprise Content Management product environment. I performed the following tasks:

Activities:
Creation of an internal project platform based on SharePoint
Definition of new customer segments for targeted project acquisition
Key Account Management of an existing customer base
Processing of tenders
Organization of trade fair appearances
Project personnel service provider (1 year): The task of my position within the service provider in the Interim Management and IT division was to develop the area of consulting and project management. Due to my previous consulting activities, in which many sales aspects played a role, and my expertise in the field of IT technologies, I got in contact with specialist departments with companies to present their services and discuss solutions and projects with the contact persons. Here, current and strategic topics and project decisions with strong reference to the placement of technical experts, especially freelancers, were discussed. My own assignments as a freelancer allowed me to actively shape the project business.

Activities:
Development and implementation of sales strategies
Collaboration on ideas for a new corporate strategy in this area
Advising customers on technical issues with the aim of providing consulting services in the area of business processes (CMMI/ITIL), optimization of processes, project management offices as well as decisions in the IT environment (SOA, outsourcing, migration projects, etc.)
Participation in tenders
Quotation calculation and preparation
Interim assignments with clients as interim manager or freelancer
Publication of articles in professional journals

Axel Springer AG / Hamburg and Berlin Interim Manager (6 months)   

activities:
Team management of the internal IT in the area of infrastructure and data center with disciplinary personnel responsibility of 14 employees including second level support
Project management of various projects, including:
Accompanying the introduction and establishment of the shared service center strategy in the area of IT infrastructure and all applications relevant to the publishing house
Optimization of internal processes
Migration of different software systems to new versions and new hardware
Coordination of the computer center operation and roll-outs of new hardware (SUN Solaris, database server etc.)
Support of architecture decisions in an increasingly complex environment of gigantic data volumes (HDS, LUN, SAN etc.), ITIL and ISO 20000 as well as CMMI conformity
Takeover of change management processes
Technical environment: complex system landscape in decentralized data centers made of heterogeneous hardware from SUN Solaris to Windows servers, SAN, HDS, various web servers, terminals and thousands of workstations (Windows and MacOS) as well as the most diverse applications relevant to publishing

Cornelsen (6 months) 

activities:
Process management: Recording, documentation and optimizing consideration of all operative processes and the associated business cases and transfer of the same into an IT-usable form (process documentation tool) for the purpose of developing a new cross-company publishing system (plus key figures in the sense of business process management)
Creation of an evaluation catalogue and coordination of the selection of an enterprise software
Advice on strategic IT issues (architecture, especially the question of service-oriented architecture, decision-making and support as well as evaluation whether in-house or third-party development or potential system providers etc.), advice on setting up IT governance processes and standards (according to CobiT) and return on investment considerations
Used tools and technologies: Office tools, especially Excel and MS Project, Rational Rose, technologies considered were questions of migration of legacy applications, their encapsulation and provision as a service as well as the migration of hardware

Springer publishing house   

activities:
Project management for the migration of a CRM system
Preparation of tender documents
Selection and evaluation of providers and presentation of the results
Consulting for portfolio decisions and requirements management
Technological environment: Oracle databases and various Oracle applications and their migration to a new system (including backup and roll-back concept, data consistency, data cleansing, performance and worst-case scenarios), various project management tools and their evaluation

Handelsblatt publishing group (3 months)   

activities:
Consulting in questions of the usability of Web 2.0 tools
IT architecture and system decisions (e.g. SOA, web services, performance issues for database access, search engine optimization, indexing, content management systems, hardware selection, etc.)


Selection and evaluation of providers and presentation of the results, in particular the basis for decision-making after the pitches of various providers and agencies
(Technological) environment: heterogeneous system landscape, especially in the area of the content management systems used, customer relationship management systems and related subsystems (billing, accounting, supply management, ordering systems, etc.), search engines and indexing system of Google Search Appliance, Fast Search and Transfer and others, integration development within the framework of a SOA

Kneipp works (2 months)   

activities:
Organizational analysis and process documentation of all areas relevant for controlling
Advice on setting up a precisely fitting controlling system based on BPM and balanced scorecards
Consideration of an outsourcing option in the context of BPO
Introduction of a Business Intelligence application based on the controlling system
Development of a catalogue of measures to overcome internal personnel-related hurdles
(Technological) environment: Legacy controlling applications and the data stock to be migrated, consideration of different controlling systems, implementation support for Microsoft Dynamics

2005 – 2006       

I managed the IT department of the internet agency New Impact AG. This mainly included the recruitment, personnel development and personnel management of 20 employees and the resource planning of all IT staff based on the IT orders. The low staff turnover made it possible to focus on staff development and organizational problems in a role with disciplinary responsibility. Especially in the area of software development projects on various platforms (Java/JEE, .NET and PHP on Tomcat/JBoss, WebSphere, MS SQL, Oracle, MySQL) an exact forecast of upcoming projects and their technologies had a great influence on the workload of the employees. Close cooperation with the individual project participants and incoming orders was therefore crucial.

A further task was the project management. On the one hand, I assumed the role of the contact person for the customer. I was responsible for the requirements analyses, which ended in requirement specifications and ultimately in offers with fixed SLAs, for which I was also responsible - including the necessary contract negotiations. I also divided the development teams, took care of the project organization and project controlling as well as the usual project management tasks such as change and risk and quality management within the projects assigned to me. Since each project manager had full budget responsibility, a standardized approach was essential in every project. In addition to intensive customer support during the project, the presentation of the interim and final solution or training was another important task. The goal was always to generate follow-up projects through the network or customer contact. Technically, I was involved in architecture decisions and in the modeling of software and processes (OOA/OOD) with UML due to my software development background.

Excerpt of project activities (from multi-project management):

duration: 4 months 

GastroBern project manager software development project with web presence activities:
Requirement analysis and creation of functional specifications based on the business case
Offer preparation and negotiations regarding the implementation
Project meetings and coordination with graphics, development and administration
Standard project management measures: controlling functions, regular team meetings, quality assurance and organisation of testing including regular code reviews in close consultation with the customer
Presentation and training of the customer in the new system
Use of technology: Virtual machines (vmware), distributed system with Apache, MySQL, PHP as well as interface to a mobile phone operator, CMS Typo3

Duration: 6 months 

Swiss Police Department FDJP Project Manager Software development project with Imperia (CMS) activities:
Requirement analysis and creation of functional specifications
Demonstrate migration scenarios of legacy applications to the new system
Customer support during the development phase in the form of status meetings, incident and change management
Coordination of the development team
Technology deployment: Virtual machines (vmware) as development platform, Eclipse, Oracle databases, Java templating system, Perl and JavaScript

2003 – 2005       

My tasks at X mainly included various project management activities. I was also responsible for building up the internal IT department and planned IT systems for both internal and external use. In addition to analyzing and designing customer-specific solutions with a focus on the eBusiness sector and supply chain systems, I coordinated the software developers who implemented the solution. I made the decision for the IT architectures together with my colleagues and at times helped to develop program code. An agile approach according to SCRUM, which I established, enabled an efficient cooperation of the development team under increasing pressure with constant quality. Customer consulting and simultaneous acquisition of follow-up projects in terms of technology and online strategy were as much a part of my tasks as the recording of requirements and the writing of offers including technical specifications.

Excerpt of project assignments:

Duration: 12 months

Software development project Business-2-Business System, project management and developer activities:
Conception, requirements definition and calculation as well as proposal writing (including SLAs)
Organizational project planning
Technical project management and development (based on PHP, MySQL)
Finding additional staff and developers, if resources were not sufficient
Coordination of development in small iterations / sprints, including quality assurance through code reviews and testing
Acceptance and presentation to the customer
Technology environment: Highly available Linux servers (Debian), Apache web servers, MySQL databases, PHP development environment, Java/J2EE with various development platforms including Eclipse, Adobe FLASH, Visual Studio and ASP and ASP.NET

11.2001 – 11.2003     

Berlin Software Developer  
 activities:
Software development with Java/J2EE and PHP
The focus of the projects was on web applications and content management systems
XML development (XSL, XSLT transformations)
Database development (MS SQL, MySQL)

Other activities and operations 

2011                           
iPhone app development based on Xcode 
Lecturer    

03.2001 – 08.2001     
AMD Europe / London, England Freelance: Hotline Engineer in Hardware Support   

12.2000 – 02.2002    
Film Industry / Various companies and locations in Germany

Certifications

  • CISSP (ISC2, 2021)
  • BSI IT-Grundschutz Praktiker (BSI, 2021)
  • CEH Certified Ethical Hacker (EC-Council, 2019)
  • Certified Security Analyst (ECSA) (EC-Council, 2019)
  • ISO 27001 Auditor (IRCA, 2014)
  • ISO 9001 Auditor (IRCA, 2014)
  • SCRUM Master (Scrum Alliance, 2012)
  • PMP Project Management Professional (PMI, 2010)

Local Availability

Open to travel worldwide
I am available for worldwide work. Just contact me.
