KAMAL Gurnani

Mumbai, Maharashtra

About KAMAL Gurnani:

Techno-Functional IT Leader with Banking & Legal qualifications; designing & implementing Security and Privacy Governance best practices; managing organizational Risk and Regulatory Compliance. Leveraging IT to transform organizations

Experience

Head GRC (Information Security), IndusInd Bank Ltd. (Mar 2018 - Present)

Role (Information Security)

  • Directing & managing all aspects of Information Security Governance, Risk & Compliance; ensuring regulatory compliance from an information security perspective. Reporting to the CISO; leading a team of 7 Team Leads and Analysts
  • Designing & creating best-in-class processes from frameworks and standards on cybersecurity, introducing effective controls to mitigate the risks in various business processes, and improving awareness
  • Designing and developing:
      • Minimum baseline security standard for device configurations and application security life cycle checklist for assessments
      • Vendor Risk Management scorecard and KRI (Key Risk Indicator) assessment checklist for 128 KRIs of RBI
      • RCSA for key processes of Information Security domain
      • Privacy regulations pertaining to NRI customers in consultation with the London and Dubai branch offices
  • Administering internal & external audits and serving as Privacy Lead to manage GDPR related privacy implementation and compliance initiatives
  • Creating GDPR compliant privacy notice along with cookie content and identifying a lawful basis of processing personal data for each purpose i.e. Consent, Contract & Legitimate Interest

Role (Personal Data Protection & Privacy)

  • Designing:
      • Privacy vendor assessment questionnaire for new & existing vendors
      • Privacy training & awareness content containing basic understanding of Data Privacy, Applicable Laws, Do’s & Don’ts based on internal Privacy Policy
      • Data Protection Impact Assessment Procedure and forms & templates required
      • Privacy incident management procedure and data subject's rights request procedure along with forms & templates
  • Defining personal data retention requirements as per GDPR
  • Achieving compliance with regulatory and other standards guidelines: RBI, NPCI, SWIFT, ISO27001, PCI DSS, etc.
  • Preparing Record of Processing Activities (ROPA) template for Controller (IndusInd) and Processor (Partner)
  • Providing technical & soft skills training to team members and supporting them to obtain professional certifications

Highlights

  • Oversaw:
      • PCI DSS Certification (PCI DSS v3.2.1) for acquiring and issuing of prepaid, debit and credit cards
      • ISMS Certification (ISO 27001:2013) for Data, Disaster Recovery, CPU and Contact Centres
  • Spearheaded Information Security Governance including review of 12 processes of cybersecurity based on NIST & COBIT Frameworks, trained 370 employees and 240 vendor staff on cybersecurity, evaluated 6 products for phishing campaigns, analysed 140 security metrics
  • Provided technical guidance in 38 new business processes, briefed 4 Information Security Committee Meetings chaired by CEO, and updated 11 Board and its Sub-committee meetings on cybersecurity risk posture
  • Implemented GDPR Privacy requirements by creating privacy notice, policy & organization structure, data protection impact assessment procedure, contractual clauses checklist for suppliers, privacy vendor assessment questionnaire, privacy training, awareness content, privacy incident management procedure, Data Subject's Rights Requests Procedure, personal data retention requirements and procedure for Record of Processing Activities
  • Led Information Security Compliance; ensured adherence to standards, frameworks, guidelines & regulations i.e. RBI, SEBI, SWIFT, ISO 27001, PCI-DSS etc.
  • Re-Certified for Data Centre, DR Site, and certified CPU & Contact Centre for the 1st time; ensured timely submission of 25 RBI periodic and ad-hoc returns on cybersecurity in collaboration with IT, Operations and Product teams
  • Managed Technology Risks by reviewing and changing security measures and controls viz. Work-from-home, Work-from-anywhere policies. Supported security incident response team and developed its related processes; reviewed 79 Operational Risk Management notes and addressed cybersecurity challenges 
  • Administered business contingency; submitted timely business impact analysis of 12 critical cybersecurity processes like regulatory reporting, threat monitoring, incident tracking & reporting. Reviewed & tested BCP recovery plans

Education

Bachelor of Science, Bachelor of Law, CISA, CISM, CRISC, CGEIT, CDPSE from ISACA, DCPP and DCPLA from DSCI
