


Gautam Sarnaik is a versatile IS Assurance professional with 10+ years of hands-on experience across IT implementation, management, consulting and audit. He is an engineer, a CISA and a certified BS7799 Lead Auditor, with knowledge and experience of effective service delivery and support and of building and auditing internal controls based on BS7799, ITIL, COBIT and PCI-DSS.

Gautam started his career in the electronics manufacturing industry and has since worked across verticals such as telecommunications, banking and financial services. He has extensive experience in using risk analysis models to identify and evaluate controls and to provide assurance and advice to management and business process owners.


Education & Accreditations


  • Post Graduate Diploma in Software Technology [Jan 2000]
  • Bachelor of Engineering [June 1998]

  • BS7799 Lead Auditor [June 2005]
  • CISA [June 2003]
  • Member, IETE (India)



IS Delivery and Support
  • ITIL Service delivery and support
  • Project and team management for service delivery projects
  • Technology management for network and security infrastructure
  • Software systems implementation projects

IS Audit and IT Security
  • Technical risk assessments
  • Internal controls audit using COBIT, ISO 27001, NIST guidelines and ITIL
  • Risk-driven IT audits, including:
      • IT General controls
      • Logical Access controls
      • Network and Infrastructure controls
  • Strategic information security planning, policy management and reviews

Software Systems Development
  • SDLC and Unified processes
  • Software solution design and communication using UML
  • Software security strategies to manage confidentiality and integrity

Pre-Sales
  • Customer-oriented communication
  • Effective presentation skills
  • Mapping client requirements to delivery capabilities
  • Solutions overview and business proposals
  • Supporting customer retention from ongoing projects

Work History


Supervisor – IT Audit and Consulting

Aug 2005 to

Moore Stephens International Al Nisf and Partners [MSIL]





Client Management:

Managing the IT Audit engagement with a key telecom industry client. The client is an MNC telecom operator with a footprint across 20+ countries in the Middle East and Africa. Specific engagement activity:

  • Develop and manage the annual IT Audit plan (2006, 2007) across 6 countries, including Kuwait, Bahrain, Iraq, Jordan, Lebanon and Sudan.
  • Plan and deliver audit programs to review security and internal controls based on COBIT, ITIL, ISO 27001 and other security and technology guidance.
  • Supervise and review other IT auditors.
  • Support business auditors on specific technology controls.
  • Contribute to knowledge management and audit automation efforts.
  • Support the client's ISO 27001 certification process through internal reviews and guidance on security policy management and security management processes.


Practice management:

  • Knowledge development and management for the ISO 27001 and Information Security Management practice.
  • Development of in-house capabilities for ITIL service delivery and support through resource training and knowledge base development and management.
  • Exploring synergies and developing relationships with quality vendors for ITIL practice and training.
  • Domain expertise on topics such as PCI-DSS, eTOM, telecom management networks and security.


Business development:

  • Lead generation from professional references, leading to significant business in 2007.
  • Relationship management with existing and potential clients.
  • Presentations for knowledge sharing and business proposals to clients.
  • Content development for presentations to public forums on standards such as ISO 27001 and BS25999 (Business Continuity Management).




Consultant – Information Security

Aug 2004 to July 2005

SIFY Ltd. [SIFY Assure SBU]





Information Security services: Project management and delivery

  • Telecom Industry: Largest telecommunications operator in Saudi Arabia
  • Life Insurance: Private life insurance company in Mumbai, India
  • Internet: ISP Data Centre, India (Technical Risk Assessment)


Client-focused project services:

  • Managing client requirements and projects
  • Management reporting and presentations
  • Design and development of Information Security policy framework
  • Review of information security policies and standards
  • Gap analysis vis-à-vis the BS7799 control baseline
  • Review and enhancement of security organization components
  • Pre-acceptance reviews of technical standards for telecommunication assets
  • Design and development of standards for emerging technologies and systems such as Windows XP, wireless networking, etc.
  • Design and delivery of Information Security training
  • Technical risk assessments
  • Internal controls evaluation and reporting




Assistant Manager – Services Delivery and Support

Jan 2004 to Aug 2004

SIFY Ltd. [SafeScrypt SBU]





Managed a team of 10 Information Security Engineers across major metros in India, implementing and supporting solutions and services based on PKI [Public Key Infrastructure]. Consistently achieved target revenue recognition and maintained high motivation levels in the team. Typical clients from:

  • Government
  • Banks and NBFCs
  • Telecommunications operators
  • Small businesses and enterprises


Managed a 2-member team for a technical risk assessment of an email system:

  • Client: a leading automobile manufacturing company in India
  • Review and analysis of the IT infrastructure supporting the email system
  • Personally trained engineers in the use of the Nessus Vulnerability Assessment (VA) tool and managed the evaluation and presentation of the VA results
  • Guided post-implementation support to the client's technical teams


Managed development and implementation of a PKI-based secure bulk email solution (B2C) for a leading MNC bank in India:

  • Managed client requirements and the SRS
  • Third-party solution development
  • Managed implementation of the system at the client's data centre and integration with the client's business processes
  • Managed enhancements and support for the client



Entrepreneur and Consultant – Information Security

Sep 2002 to Dec 2003





Entrepreneur and consultant in Information Security. Developed business and delivered end-to-end services for clients.

For a software development house:

  • Reviewed the client's existing skill sets and requirements.
  • Created a training program for the developers on the PKI technologies involved and their use via the MS Crypto API.
  • Consulted on product development to integrate PKI requirements into the product design.
  • Designed the modules required to use PKI and digital signatures.
  • Provided implementation support to developers.

For an engineering company in India, developed Help Desk and Incident Management processes based on ITIL:

  • Review of existing infrastructure and processes
  • Design of incident capture and recording procedures, using the ITIL Help Desk and Incident Management processes as the guiding framework
  • Presentation on ITIL and Incident Management to the management team to seek buy-in
  • Definition of the operational procedures and creation of Excel-based templates to support them
  • Initial training and support for operational staff in using the templates


Security Software Engineer

Feb 2000 to Sep 2002

Internet Trends (I) Pvt. Ltd.




Key projects for the development of network security software, including an IDS solution (Symantec NetProwler). As a software engineer and team member, was responsible for:

  • Research to understand and build a knowledge base on network security, types of intrusions and intrusion detection.
  • Internal papers and presentations on Denial of Service and Distributed Denial of Service attacks on networks.
  • Analysing the requirements for the product and providing technical solutions.
  • Design and implementation of various software modules.
  • Secure messaging channels (SSL), data and message structuring (XML), database design (RDBMS and ER diagrams) and API development for various modules.
  • Using and mentoring the use of Unified processes for the SDLC, including documentation using UML and UML-supporting tools.



Research Assistant

Aug 1998 to Jan 2000

National Centre for Software Technology [now CDAC], India




Team member of the Real Time Systems and Networks [now Computer Networks and Internet Engineering] Group.

Responsible for the operation, maintenance and security of the ERNET (Education and Research Network) point of presence in India:

  • Network administration
  • Management of email and DNS infrastructure

Development and delivery of the Post Graduate course in Internet Engineering [PGDIT]:

  • Development of content for five core modules
  • Training and mentoring of post-graduate students
  • Course delivery, testing and evaluation




Permanent Address

5-A, Onkar Society, Amboli,

Andheri (west), Mumbai – 400058,


Residence Telephone


Current Location


Current Telephone

00965 - 9005197

Email Id.