Paul F. Odong

1. Your advisory team Paul F. Odong Paul F. OdongManager IT Risk & Assurance Services Place imagehere.Refer toguidelines Tel +256 414 343520 Mobile +256 752 222598 Fax +256 414 251736 Email paul.f.odong@ug.ey.com Background Professional experience • 2009 - Led a multi-national team from Nigeria, Kenya, Uganda & South Africa in a co-sourcing Network Security assessment for MTN Nigeria. Reviewed the core GSM switching network (MSC, SMSC) and the Charging System nodes comprising SDP, VS, AIR, MINSAT, HLR, mediation and billing systems. Performed Internal Attack & Penetration testing of the core network and switches • 2010 - Team lead for an information systems audit and forensic investigation into computer fraud for a leading mortgage finance bank in Uganda • 2009 - Team lead for a business process analysis and requirements definition for an Electronic Content Management System for the Finance Ministry • 2007 - Security assessment of the Safaricom Ltd core network systems involving attack & penetration testing, ISO 17799 (27001) review , implementation, and certification • 2008 – project managed a co-sourced black box attack & Penetration testing and vulnerability assessment for Bank of Uganda. • 2010 – Team lead for an IT Security Audit for the National Social Security Fund (NSSF) Uganda, involving penetration testing and vulnerability assessment • 2007 - Assisted in a pre-live assessment of the Equity Bank internet banking application and perimeter network related to e-Banking infrastructure • 2010 - Team lead for Fuel Debit (Advantage) Card security assessment for a Standard Chartered bank in Uganda, involving penetration testing of POS links and internal vulnerability assessment. • 2009 - Assisted in an Oracle ERP implementation project security review and application controls testing for the Kenya Airways • 2009 - Team lead for an information systems audit and revenue assurance for the Rwanda Revenue Authority • 2006- Team lead for comprehensive data analytics (Claims and premiums) performed for INVESCO Insurance Company in Kenya • 2006 - Cyber Process Certification (WebTrust) of the commercial Bank of Africa’s e-Banking product • 2009 - Facilitated a training workshop in E-Banking strategies, payment systems, and PCI DSS compliance for a leading bank in Uganda • 2007 - Team lead for SOX (404) Compliance and data analysis review for a Del Monte Kenya. • Manager in Advisory Practice focussing on IT Risk & Assurance Services. Joined Ernst & Young in 2005 and is based in Uganda • BSc. (Hons) Agriculture (Economics Option) – 2005 • Certified Information Systems Auditor (CISA) – 2008 • Certified Information Security Manager (CISM) – 2009 • Certified Computer Hacking Forensic Investigator (CHFI) - 2010 • ACCA (Part 1) • Ernst & Young eXtreme Hacking Class • Member of ISACA • Proficient in English Language • 2012 – External and internal attack and penetration testing and vulnerability assessment for mobile banking and internet banking for DFCU Bank • 2012 – Special audit of the national backbone infrastructure and E-government Infrastructure for government of Uganda. • 2012 – IT security assessment and capability building involving penetration testing and vulnerability assessment for internet banking for Bank of Kigali Rwanda • 2012 -BartiAirtelUganda - Information systems audit and financial audit integration • 2012 – Orange Uganda Ltd - Information systems audit and financial audit integration • 2012-Business Process Review for National Medical Stores. • 2012-URANET managed telecom service contract review for Uganda Revenue Authority • 2011-Value for money audit for Post Bank’s SLA with Map Switch the service provider for ATMs, Point of Sale and Mobile phone Banking services. • 2011-Development of requirements for implementing a financial management system for National Curriculum Development Centre • 2011– East African Community customs Interconnectivity study for customs network integration across involving customs process analysis • 2011 – National Information Technology Authority Uganda e-Government readiness assessment and survey tool development • 2011- BCP development for Centenary Rural Development Bank Ltd, Uganda. • 2011 - Team lead for British American Tobacco (Africa) – Attack and penetration testing, wireless testing and vulnerability assessment. • 2011 – IT security assessment for Opportunity Bank Ltd. • 2011 – IT security audit of Uganda Finance Trust Ltd involving process analysis, controls testing, and attack and penetration testing of the network • 2011 – Application controls and security assessment for the ASYCUDA++ customs application for Tanzania Revenue Authority • 2010 - Corporate security assessment of MTN Uganda infrastructure including offices, warehouses, BTS sites & residences • 2010 – Team leader for post implementation review of core banking application at Bank of Africa which included business process analysis • 2010 - Team lead for MTN Uganda network traffic data analysis to ensure that information relevant for billing is flowing through from the switching/ network elements to the IN and the billing system. Skills • Attack & Penetration testing, Internal vulnerability assessment, web application security review, IT governance, Enterprise Risk Assessment and BCP/DRP • Lead trainer at the ISMS Academy, Nairobi, 2007 • Lead trainer at the FAIT Academy, Nairobi, 2007 • E-banking Payment Systems and PCI DSS compliance • Member of the team that developed and delivered Ernst & Young Extreme Hacking course, Nairobi, 2007 • Proficiency in Data quality assessment and Data analytics (ACL), business process analysis and IT General Controls (ITGC) review • Proficiency in ISO 27001/27002, COBIT, ITIL, SOX, PCI DSS compliance • Revenue Assurance (CDMA, GSM, PSTN and Data Networks) • Computer Forensic Investigation • E-banking/EFT systems, e.g. SWIFT, Mobile Money, RTGS