Orvin Lau, CISSP, CISM, CRISC, CPISM
Information Security professional with 15 years of IT management & consulting experience.
- Certified as an ISO/IEC 27001:2005 Implementation Consultant and Lead Auditor, and formerly as a PCI Qualified Security Assessor (QSA).
- Strong understanding of information security management and processes. Experienced in frameworks used in information security, such as ISO/IEC 27001:2005, the PCI Data Security Standard, COBIT 4.1 and the NERC Critical Infrastructure Protection (CIP) Standard.
- Adept at connecting and relating business requirements to technical requirements and vice versa. Broad conceptual technical knowledge, spanning networks, operating systems, databases, and application development, used to derive the corresponding business requirements and needs.
Information Security Consulting Experience
Orvin has successfully delivered numerous Information Security consulting projects in a variety of sectors.
- Security risk assessment and tracking processes for a technology manufacturing company.
- Security threat risk assessment and security program development for a provincial health care regulator.
- Interac cryptographic key management for a Canadian financial institution.
- Information security policy development in the transportation and financial services sectors.
- PCI Data Security Standard strategy and planning in the Canadian financial services sector.
- Security threat-risk assessments for over 30 IT projects in an integrated oil and gas company.
- IT threat-risk assessments in the health care and municipal government sectors.
- ISO/IEC 27001 internal ISMS audits for a Canadian financial institution.
- IT security audits for utility companies and Canadian financial institutions.
- CICA 5970 / SAS 70 service organization internal control audits for IT hosting companies, brokerage firms, and a water utility metering and billing company.
- Web application vulnerability assessments using automated tools such as IBM Rational AppScan and HP WebInspect, as well as manual techniques.
- Information security consulting for a provincial crown corporation, reviewing security program reporting, web application security and server hardening and updating processes.