Experience

Orvin Lau, CISSP, CISM, SCF, CRISC

Information Security professional with 17 years of IT management & consulting experience.

Expertise Snapshot

  • Strong understanding of information security management and processes.  Experienced in frameworks used in information security, such as ISO/IEC 27001:2005, the PCI Data Security Standard and COBIT 4.1.
  • Certified as an ISO/IEC 27001:2005 Implementation Consultant and Lead Auditor, and formerly as a PCI Qualified Security Assessor (QSA).
  • Adept at connecting and relating business requirements to technical requirements and vice versa.  A breadth of conceptual technical knowledge that is used in developing corresponding business requirements and needs, including networks, operating systems, databases, and application development.

Information Security Consulting Experience

Orvin has successfully delivered numerous Information Security consulting projects in a variety of sectors.

  • PCI compliance through the elimination of cardholder data for small and medium-sized health care organizations.
  • Deployment of mobile device management software for medium-sized organizations.
  • Development of a governance model for a cloud computing environment shared between organizations.
  • Security risk assessment and tracking processes for a technology manufacturing company.
  • Information security program development for a provincial health care regulator.
  • Information security policy development in the transportation and financial services sectors.
  • Interac cryptographic key management for a Canadian financial institution.
  • PCI Data Security Standard strategy and planning in the Canadian financial services sector.
  • Security threat-risk assessments for over 30 IT projects in an integrated oil and gas company.
  • IT threat-risk assessments in the health care and municipal government sectors.
  • ISO/IEC 27001 internal ISMS audits for a Canadian financial institution.
  • IT security audits for utility companies and Canadian financial institutions.
  • CICA 5970 / SAS 70 service organization internal control audits for IT hosting companies, brokerage firms, and a water utility metering and billing company.
  • Web application vulnerability assessments using automated tools such as IBM Rational AppScan and HP WebInspect as well as manual techniques.
  • Information security consulting for a provincial crown corporation, reviewing security program reporting, web application security and server hardening and updating processes.