Professional profile: Security Manager

Name: R. T.
Age: 55
Mobile/Phone: Confidential
E-mail: Confidential
Attached CV: Confidential
CV category: Network / Security Engineer
Preferred location: Lombardia




Summary

Security Manager

Experience

Professional Experience Record

September 2008 to present
Domains Applying Security Concepts to Software Design, Security Requirements
Customer Virgilio.it (Matrix – Telecom Italia)
Function & Role Security advisor and Project Manager
Location Rome, Milan
Mission/job description ICT Security Consulting
Activities The objective of this project was to assist the client in managing an Information Security Management System and Risk Management (Risk Acceptance, Risk Mitigation, Risk Transfer, Risk Avoidance) in line with Business & Strategy Policy, binding regulations (D. Lgs. n°196/03, Privacy and treatment of the personal data, etc.) and best methodological practices like ISO/IEC 27001:2005, ISO/IEC 27005 and PCI DSS.

The main activities have been:
• Security Plans (YALP, Business Intelligence, e-mail Platform, C6-chat and other web sites)
o Risk Assessment
o Impact assessment
o Control and remediation plans
• Internal assessment
o Positioning about ISO 27001:2005
o Positioning about Secure Code Framework (OWASP)
o Authentication infrastructure
• Project Manager on design and implementation of a Secure Software Development Life Cycle (SSDLC) framework aimed at introducing security aspects in:
Strategy, Requirements, Design, Development, Integration & Test, Deployment & Operation
• Consulting on Privacy and treatment of the personal data and positioning on ISO/IEC 27001:2005 and ISO/IEC 27005
• Business continuity plans – guidelines and procedures
• Vulnerability Assessment/Penetration test – Virgilio League channel, New Personal Site channel, Mantis and other web sites (www.virgilio.it, gossip.virgilio.it, sport.virgilio.it, www.assilt.it, gogreen.community.virgilio.it, fotoalbum.virgilio.it, contest.virgilio.it, aziende.virgilio.it, www.jumpin.it )
• Technical Audit and Ethical Hacking of “Virgilio Banner” on the Amazon Cloud Platform, LOG collector platform and other products
• Code review – Business Intelligence System and other systems, by manual code review and the Fortify tool
• Security requirements for the migration of 12,000,000 e-mails from the Telecom Italia platform to the Critical Path platform (virgilio.it)
• Security Project Manager on the project “Mapping of data and flow” across all the virgilio.it Data Centers (3,000 servers), with output of over 100 Technical Sheets about the main Virgilio.it products/services
• Security Project Manager on the project “Business Intelligence platform – getting data anonymous within security” – process, organization and technology redesign
• Security Project Manager and security teacher to 400 people on the project “Security Awareness and learning”, aimed at introducing security issues into the daily job
• Technical Leader and Project Manager on project “The Cube” a Security Information Management Software based on ISO 27001:2005, OWASP and integration with Snort IDS output.
• Security bulletin creation
• Management of and response to malware and security bulletins from the Telecom Italia SOC
• Remediation Plan

BANZAI Group (February 2011) The objective of this project was to assist the client in managing an Information Security Management System in line with PCI DSS Standard.

• Vulnerability assessment (www.eprice.it, www.toshibashop.it, www.gioie.it, www.efo.it, www.4trade.it, www.overskill.net, www.playstationb2b.it, www.prezzieofferte.it)
• PCI DSS assessment, gap analysis and remediation plan

Cattolica University – Milan (November – December 2011)
The objective of this project was to assist the client in managing an SDLC in line with OWASP “Standard”.
• Internal assessment
o Positioning about Secure Code Framework (OWASP)
o Authentication infrastructure and web application (internet/intranet)
• Vulnerability assessment

Other customer (June 2010 – January 2011)
• Project Manager of the open source project “The Cube”, aimed at managing risk (Risk Acceptance, Risk Mitigation, Risk Transfer, based on ISO 27001, 27005, PCI DSS standards and OWASP methodology)
Results Ongoing
IT and/or Business Environment IT Security Consulting/Telecom Sector – Internet Portal

Professional Experience Record

July 2009 – November 2009
Domains Security Assessment – SOC
Customer Yapi Kredi Banking (Turkey Banking), Intesa San Paolo Banking, BCC Rome
Function & Role Security advisor and Project Manager
Location Turin/Milan
Mission/job description ICT Security Consulting
Activities The objective of this project was to assist the client in creating an internal SOC (Security Operation Center) based on the Symantec methodology. The main activities have been:
• Project Management activities
• Internal SOC assessment (YKB, ISP)
o Positioning to Symantec framework and define of roadmap
• SOC design (YKB, ISP)
o Writing of process, policy, guide-line, SOC handbook based on Symantec framework and implementation
• Risk Management and Risk Mitigation based on the Symantec methodology and framework
• Internal assessment (BCC Rome)
o Positioning about ISO 27001:2005 and compliance with the Italian Privacy Law
o Definition of security plan to manage the risk (Risk Mitigation, Risk Transfer, Risk Acceptance) based on the ISO 27005

Results Ongoing
IT and/or Business Environment IT Security Consulting/Banking Sector

Period May 2009
Domains Security Assessment
Customer BancaSAI
Function & Role Security advisor and Project manager
Location Turin/Parma
Mission/job description ICT Security Consulting
Activities The objective of this project was to assist the client in managing an Information Security Management System in line with Business & Strategy Policy, binding regulations (D. Lgs. n°196/03, Privacy and treatment of the personal data, etc.) and best methodological practices like ISO/IEC 27001:2005 and ISO/IEC 27002:2005.

The main activities have been:
• Project manager of the consulting team
• Internal assessment
o Positioning about ISO 27001:2005
o Definition of security plan to manage the risk (Risk Mitigation, Risk Transfer, Risk Acceptance) based on ISO 27005
Results Ongoing
IT and/or Business Environment IT Security Consulting/Banking Sector

May 2009 to October 2009
Domains ISMS (Information Security Management System)
Customer Alenia Aerospace (Finmeccanica)
Function & Role Security advisor and Project Manager
Location Turin Mission/job description ICT Security Consulting
Activities The objective of this project was to assist the client in managing an Information Security Management System in line with Business & Strategy Policy, binding regulations (D. Lgs. n°196/03, Privacy and treatment of the personal data, etc.) and best methodological practices like ISO/IEC 27001:2005, ISO/IEC 27002:2005. The main activities have been:
• Definition of a security plan to manage the risk (Risk Mitigation, Risk Transfer, Risk Acceptance) based on MIGRA (Finmeccanica methodology) and use of the TSCP methodology (Transatlantic Secure Collaboration Program)
• Internal assessment
o Positioning about ISO 27001:2005
• Consulting on Privacy and treatment of the personal data and positioning on ISO/IEC 27001:2005 and ISO/IEC 27002:2005
• Start-up and management of the ISMS
• Review of the Security Architecture (e.g. SSH gateway for access to firewalls and critical systems, Log Collector)
• Project manager on the project “Log access and Log collector”, aimed at transposing the binding regulations on privacy and treatment of the personal data

Results Ongoing
IT and/or Business Environment IT Security Consulting/Manufacturing Sector

February 2008 – September 2008
Domains Applying Security Concepts to Software Design, Software Requirements, Software Testing
Customer Vodafone Italy, DevoTeam SPA
Function & Role Security Advisor and Project manager
Location Milan, Rome (Italy) – Dubai (UAE)
Mission/job description ICT Security Consulting
Activities External Practice Area Manager focused on
• Security Business development on Telco and Finance sector
• Pre-sales activities
• Team and people management
• Management of the following projects:
o PKI architecture, strong authentication, Security Plans, Security Code framework, Log Collector (Log lifecycle)
o Technical audit (ISO 27001, D.Lgs. 196/03, PCI DSS)
o Business Continuity Plans – SW Parad (BS 25999)
• Project manager on design and implementation of a Secure Software Development Life Cycle (SSDLC) framework aimed at introducing security aspects in:
Strategy, Requirements, Design, Development, Integration & Test, Deployment & Operation

• Project Manager of the group focused on technical Audit and treatment vulnerabilities
• Vodafone
The aim of this project was managing the team of auditors to conduct a technical audit, vulnerability assessment, security treatment and remediation plan (Risk Mitigation, Risk Transfer, Risk Acceptance based on the PCI DSS standard and OWASP methodology) in order to get the enterprise compliant with PCI DSS (Payment Card Industry Data Security Standard).

The Enterprise systems of the Telecom company included numerous systems (30) under the following categories (COM, OSS, BSS, CC&B); on average each system consisted of 10 or more sub-components (from a minimum of 3 sub-components to a maximum of 20). The team I led was of 5 people.

• DevoTeam Dubai
RFP writing for a major mobile operator in the Middle East. Activities focused on Security Strategy definition, Vulnerability Assessment and Penetration Test, and risk treatment.

Articles written for the Italian ICT Security magazine Hakin9:
• Methodology to write a security plan – Hakin9, February 2008 http://www.hakin9.org/prt/view/rivista/issue/777.html
• PCI DSS – Payment Card Industry Data Security Standard – Hakin9, May 2008 http://www.hakin9.org/prt/view/rivista/issue/813.html
Results Done
IT and/or Business Environment IT Consulting/Telecom/Finance

April 2007 – February 2008
Domains Software Testing, Software Requirements
Customer Telecom Italy
Function & Role Security Advisor and Project Manager
Location Rome, Turin Italy
Mission/job description Security Plan, vulnerability assessment and technical audit
Activities The objective of this project was to assist the client in managing an Information Security Management System in line with Business & Strategy Policy, binding regulations (D. Lgs. n°196/03, Privacy and treatment of the personal data, etc.) and best methodological practices like ISO/IEC 27001:2005. The main activities have been:
• Project management of the security plan writing and analysis methodology group
• Security Plans (MMS-C, E-trust project, DFDE – intercepting telephone calls)
o Risk Assessment
o Impact assessment
o Control and remediation plans
• Technical Audit (DFDE – intercepting telephone calls)
o Vulnerability assessment
o Technical audit
o Remediation consulting
• Guidelines – Securing the virtualization environment
• Consulting on Privacy and treatment of the personal data and positioning on ISO/IEC 27001:2005
Results Done
IT and/or Business Environment Security/Telecom Sector

June 2001 – April 2007
Domains Applying Security Concepts to Software Design, Software Testing, Software Implementation/Coding, Security Requirements
Customer DeLonghi, Italgas (Eni), NetRise, Accenture, Italtel, OKI and many other medium and small companies
Function & Role Security Advisor and Project manager

Location Milan, Rome, Turin, Treviso – Italy
Mission/job description Security Plan, Vulnerability assessment, Penetration Test and technical audit, web security development
Activities During these years I worked for many companies in different areas of security, both on the technical side and on the governance side:
• Security strategy, security positioning and policy definition
• Security plans compliant with ISO/IEC 27001:2005 and D.Lgs. 196/03 (Italian privacy law)
• Writing of Security Behavioral Code (Italtel)
• Vulnerability assessment, penetration test and remediation plan activities on many web applications
• Awareness and teaching on security (secure code, standard ISO 27001 and Italian privacy law)
• Project Manager on design and implementation of a Secure Software Development Life Cycle (SSDLC) framework aimed at introducing security aspects in:
Strategy, Requirements, Design, Development, Integration & Test, Deployment & Operation
• Project Manager and technical leader on Web Application secure development (requirements, design, implementation and testing) – SW Security Audit, CRM, e-learning, web sites
Results Done
IT and/or Business Environment Security/Telecom Sector and Industry
• Operating systems (Windows 95, 98, XP, Vista, DOS, Linux distributions, Mac OS Leopard/Lion)
• Programming languages (C, PHP, ASP, JavaScript, VBScript, Flash ActionScript, .NET)
• Databases: MySQL, MSSQL, Oracle
• Web servers (Apache, IIS)
• Networking (TCP/IP, SSH, SFTP, Telnet, HTTP, HTTPS, etc.)
• Security architecture (Firewall, IDS/IPS, PKI, IAM, RSA strong authentication, Secure Software Development Life Cycle, Log Collector Architecture with syslog-ng, SSIM – Symantec)
• Methodology – Risk analysis (ISO/IEC TR 13335-3:1998, ISO 27005), Security Audit (CISA, PCI DSS, ISO/IEC 27001-27002), Security Management (ISO 27001:2005, CISM), Security plans, Secure software (CSSLP, OWASP), Penetration Test (OSSTMM), CobiT, CMM (Capability Maturity Model), Balanced Scorecard, SCRUM (agile approach to software development)
• Standards and regulations – D.Lgs 196/03 (Italian Privacy Law), Sarbanes-Oxley, Basel II, PCI DSS (Payment Card Industry)
• Tools – Nmap, httprint, hmap (fingerprinting), TeleportPro, Funnel Web Analyzer (web crawling), Paros (proxy), Ethereal (network sniffer), Retina, Acunetix, AppScan (IBM), Nessus, NStealth, Syhunt Collapse (vulnerability assessment), Fortify, AppScan Source (code review), UrlScan (Microsoft), CAL9000, SQLPowerInjector, SQLping2, SQLRecon, Metasploit, w3af, Saint (penetration test/exploit), Cain, John the Ripper (password brute force), Snort (IDS), IPCop (firewall), Selenium (web application testing), ModSecurity (Web Application Firewall), OSSIM (Open Source Security Information Management)
http://vizualize.me/nrNxEt003b#

Managed high-importance projects with primary companies such as DeLonghi, Italgas (ENI), FiorentinaGas (ENI), NapoletanaGas (ENI), AES (ENI), OKI, Telecom Italia, Virgilio (Matrix), Vodafone, Altran, DevoTeam, Accenture, Symantec, Alenia Aeronautica (Finmeccanica Group), BancaSAI, Banca Intesa San Paolo, Yapi Kredi, eprice.it (Banzai). Now focusing on information security management and especially on:
• Information Security Management System (Project Management and implementation)
• Risk Management (Risk Assessment, Risk analysis, Security Plans, Remediation Plans)
• Technical Audit
• Web Applications Security (Vulnerability Assessment, Penetration test, Audit, Secure Programming, Remediation Plan)
• SOC (security operation center) assessment and design
• CISM – n° 0810416 (ISACA – Certified Information Security Manager)
• CISA – n° 0864402 (ISACA – Certified Information Systems Auditor)
• CSSLP – n° 337254 (ISC2 – Certified Secure Software Lifecycle Professional)
• IQNET (Security Manager)