Dr. Robert Poehler @ Winterthur for IT business | Home

Hi! I'm Robert

IT Specialist
based in Winterthur.

As a security professional for 30+ years, I have learned to adapt not only the methodologies but also the technologies to provide, cost effective security solutions that make sense. I am constantly seeking out new information and redesigning my own approaches to information security.

About Me

I have the ability to identify applicable regulations and translate them into corporate policy, then work with business and technical staff to develop a comprehensive program that addresses all important business requirements with agility.

Hi There!

I am experienced in providing executive-level leadership to ensure alignment with business strategic objectives, reducing impact to overall business operations, and implementing cost-saving and risk-reduction strategies to support a holistic security risk posture and continued compliance with laws, regulations, and standards. I hold a PhD in computer science and an MSc in computer science and international business.

Personal Infos

  • Name : Robert

  • Location : CH-8400 Winterthur

  • Age : 50 Years

  • Phone : +41 52 589 6776

  • Nationality : DE

  • Email : rp@winterthur.biz

  • Freelance : Available

  • Languages : German, English

Skill & Certification

Skills

  • IT Security & Risk management : 98%

  • Linux and Windows Server : 92%

  • Software and Cloud : 90%

  • Network and Routing : 93%

Memberships

  • Swiss Informatics Society SI

  • GI - Society for Computer Science

  • GPM - German society for project management

Certification

  • IT-Security Officer - TÜV

  • IT Expert - DEKRA

  • Lead Auditor ISO27001 - TÜV

  • Lead Auditor ISO9001 - TÜV

  • ISMS-Manager - TÜV

  • Additional examination process competence KRITIS - Bundesamt für Sicherheit in der Informationstechnik

  • Microsoft Certified Solutions Associate (MCSA)

  • Microsoft Certified Technology Specialist (MCTS)

  • Microsoft Enterprise Administrator (MCITP)

  • Certified Vulnerability Assessor (CVA)

  • Certified Professional Ethical Hacker (CPEH)

  • Certified Penetration Testing Engineer (CPTE)

  • Certified Information Systems Risk Manager (CISRM)

  • Certified Information Systems Security Auditor (CISSA)

  • Certified Forensic Network Examiner (CNFE)

  • IS Certification & Accreditation Professional (ISCAP)

  • Certified UN Cyberdiplomacy Consultant

Services

I provide a wide range of digital services

Experienced Incident Manager with a demonstrated history of working in the management consulting industry. Strong information technology professional skilled in ISO 27001, Computer Forensics, IT Service Management, IT Strategy, and Data Center.

  • Security Frameworks

  • Strategic Consulting

  • Solutions & Services

  • IT Audit & Consulting
Portfolio

Recent Projects

Executive leadership in information security, audit, compliance, and risk management. Extensive expertise in technology governance, information protection, and systems assurance. Developed and managed these functions on a global level for major organizations.

Testimonials

What Clients Say.

I take pride in being able to interact with all levels of management - IT, Legal, HR, the customer organization, third-party vendors, et al. - communicating complex information in intelligible terms.

Blogs

Recent News

Topics include cybersecurity, risk and compliance, encryption, anti-virus, malware, cloud security, data protection, hacking, network security, virtualization, and more.

  • ISO 27001 is the only auditable international standard that defines the requirements of an information security management system (ISMS). An ISMS is a set of policies, procedures, processes and systems that manage information risks, such as cyber attacks, hacks, data leaks or theft.

    Certification to ISO/IEC 27001 demonstrates that an organisation has defined and put in place best-practice information security processes. Not all organisations choose to get certified but use ISO 27001 as a framework for best practice.

    - Win new business and sharpen your competitive edge

    - Avoid the financial penalties and losses associated with data breaches

    - Protect and enhance your reputation

    - Comply with business, legal, contractual and regulatory requirements

    - Improve structure and focus

    - Reduce the need for frequent audits

    - Obtain an independent opinion about your security posture

    ISO 27001 is a requirement in certain industries where organizations handle highly sensitive data. An ISO 27001 certification proves to customers, stakeholders, governments, and regulatory bodies that your organization is secure and trustworthy. For any organization dealing with sensitive data, be it profit or non-profit, a small business, a large business, a state-owned business or a private sector company, ISO 27001 certification is an indispensable asset.

    The certification adds value to your business and enhances your reputation in the marketplace by serving as an official document that is a testament to your high compliance standards and solid security systems. It also helps avoid financial damages or penalties incurred due to data breaches or security incidents. Organizations looking to work in an environment where data is securely processed will always seek and favor organizations that are ISO 27001 Certified as it becomes a prerequisite instead of an added advantage.

    The risks involved in cyber security and data breaches are constantly on the rise, along with a growing number of stakeholders whose primary concern is how their valuable information is being handled and protected. Demonstrating an ISO 27001 certification proves your commitment to meeting the highest standards of information security to customers and stakeholders. This is a guaranteed way to help build trust and retain customers. Obtaining the internationally accredited ISO 27001 certification also means that new clients will know that you have a demonstrable information security management process in place, and that you can be trusted with their information and their business.

    ISO 27001 is a standard that puts cyber security at the forefront. Highly qualified information security experts and auditors (preferably external consultants) will observe your organization’s security practices and seek to reinforce or replace them with industry best practices to mitigate security breaches.

    They will help map out goals and objectives, thus providing your organization with actionable information that will define data security measures and responsibilities across the board. Going through the certification process will help you compile professional reports and documents that will improve your information security strategies and serve as a trusty guide for years to come.

    ISO 27001 certification provides a clear framework for information security management processes and key operational elements. Practices such as keeping IT systems up to date, anti-virus protection, data storage and backups, IT change management, and event logging are clearly defined under this standard. The processes required to meet the ISO 27001 standard result in improved documentation and clear guidelines for all personnel to follow, which further keeps the organization secure and resilient against cyber attacks. Some of the policies introduced in organizations are clear instructions concerning the use of external drives, safe internet browsing, and strong passwords.

    Cyber-attacks and data breaches will always remain a possibility, but the forward planning involved with ISO 27001 demonstrates that you have evaluated the risks and taken into account business continuity and breach reporting if things were to go wrong, thus allowing your organization to stay functional with minimal damage.

    Annex A.18 of ISO 27001 specifically addresses the topic of compliance with legal and contractual requirements. The objective of this annex is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security. In simple terms, the organization must ensure that they are up-to-date with any documentation, legislation and regulation that affects the achievement of its business objectives and the outcomes of compliance with legal and contractual requirements.

    Since most of these requirements already come under the scope of ISO 27001 as an outcome of the risk management process, organizations mostly do not need to put in place secondary processes to comply with them.

    The process of implementing an ISO-compliant ISMS will help create strong, tested processes and policies for information protection, regardless of how and where information is stored and shared. As your organization develops a policy or process for each risk that is identified, you will find yourself digging deep into all of the avenues of communication and information storage spaces in the organization.

    The result is a clear picture of the company’s current standings and security processes along with an outline of what is required to satisfy functional, legal, regulatory and customer requirements. These findings will help you develop action items that will need to be completed to comply with your new and evolving threat scenarios. Consistent monitoring of these processes is what ensures that they function as intended.

    This requires routine leadership meetings aimed at checking the functioning of the ISMS and making adjustments to optimize it as needed. This systematic approach requires consistency above all else. With continuous monitoring systems in place, it becomes easier to detect potential weak spots and stop breaches before they affect your business.

    The long-term benefits of ISO 27001 will be shown through your ability to grow and prosper in our rapidly changing business environment. This new environment is one where Information Security is quickly becoming one of the most essential aspects of any business. With an ISO 27001 certification in place you are essentially future-proofing your business against these constantly-increasing security threats.

    With the above-mentioned benefits and the systems you will have in place for careful monitoring, planning, and quick breach recognition, you will significantly reduce the cost and damage caused by information breaches, thus minimizing your losses. Even if you cannot predict when they will happen, you will be prepared to act as soon as you realize your information is compromised. ISO 27001 sets companies up with an information management system that automates and defines each step of the process. Your company will be positioned to capitalize on the structure, realizing growth opportunities and serving your existing customers with confidence for a long period of time.

    The true success of ISO 27001 lies in its alignment with business objectives and its effectiveness in realizing those objectives. With the benefits of ISO 27001 laid out so plainly you might be wondering how to get your own company a certification. I recommend visiting a trusted global Information Security Consulting Expert like me to help you at every step of the way, from consulting to certification. You can count on me to take care of all your compliance needs.

  • Facebook is garnering headlines for another data leak putting users' privacy at risk. The latest incident involves the personal information of 533 million Facebook users from 106 different countries as apparently discovered by Alon Gal, co-founder and CTO of cybercrime intelligence firm Hudson Rock.

    In an April 3 tweet, Gal said the data, which includes Facebook members' account creation date, bio, birthdate, Facebook ID, full name, location, past location and relationship status, has been made available free to members of a hacking forum.

    In a January 14 post, he said an early 2020 vulnerability which exposed the phone numbers linked to every Facebook account had been exploited and that a hacker had advertised a paid bot that would allow users to query the database. Facebook claims the data must have been scraped prior to September 2019, before the vulnerability was addressed.

    Facebook has no plans to notify individuals whose information was exposed because the company claims it does not know who was affected. Despite the patch in September 2019, 419 million records were leaked which contained user IDs and phone numbers that same month. Then in December 2019, a Ukrainian researcher discovered a database on the open Internet which included the personal information of more than 267 million Facebook users.

    Interestingly, in July 2019, the FTC announced that it had completed a year-long investigation and concluded that Facebook had "used deceptive disclosures and settings to undermine users' privacy preferences" in violation of a 2012 FTC order. Specifically, third-party apps were allowed to collect the personal information of Facebook members whose friends had downloaded the apps.

    According to the new 20-year settlement order:

    - Facebook must pay a $5 billion fine which the FTC claims is unprecedented.

    - Facebook's board must form an independent privacy committee "removing unfettered control by Facebook's CEO Mark Zuckerberg over decisions affecting user privacy."

    - Zuckerberg and Facebook compliance officers must independently file certifications with the FTC quarterly which state the company is complying with the order.

    - A third-party assessor must make biennial assessments of Facebook's privacy program to identify any gaps and report to the new privacy board on a quarterly basis.

    - The FTC can monitor Facebook's compliance using discovery tools provided by the Federal Rules of Civil Procedure.

    - Every new or modified Facebook, Instagram, or WhatsApp product, service or practice must undergo a privacy review before it's implemented.

    - If the data of 500 or more users has been compromised by a breach, the incident must be documented and shared with the FTC and the assessor within 20 days of the incident.

    Data privacy is a serious issue that organizations need to address proactively. While behemoths like Facebook can weather a $5 billion fine, lesser fines could be fatal to smaller organizations. A responsible approach to privacy should include:


    - Privacy by design so the right guardrails are built into products and services.

    - Penetration testing to identify weak areas.

    - Patching to avoid unnecessary vulnerabilities.

    - Board-level oversight to ensure that privacy is given the attention it deserves.

    - Compliance officers or a compliance officer, depending on the size of the company, whose job it is to ensure compliance.

    - Data governance to avoid data misuse.

    - Continuous monitoring to prevent or minimize data exfiltration.

    - Scenario planning in case a breach occurs.

    - A plan to notify affected victims and law enforcement should a PII leak occur.

    - Ongoing security awareness training for IT and non-technical personnel to reduce the risk of inadvertent mistakes.

  • On March 2nd, 2021, Microsoft reported it was the victim of a state-sponsored cyberattack from the Chinese hacking group called Hafnium. Microsoft explained in their notification that the group “primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors.”

    The attack affected over 30,000 organizations across the United States, including local governments, government agencies, and businesses. It is the eighth instance of a nation-state cyberattack against civil organizations and businesses Microsoft has reported in the last 12 months.

    The Microsoft breach was carried out through a sophisticated zero-day hacking campaign that targeted hundreds of thousands of on-premises servers running Microsoft’s Exchange software. Hafnium gained access to on-premises servers through a combination of stolen passwords and previously undetected vulnerabilities. Then, Hafnium placed web shells on those servers that provided the access they needed to steal email data remotely.

    Microsoft’s Exchange Server software handles email communications, and the attack exposed the emails of each affected organization.

    Hafnium was able to carry out this attack because of undiscovered vulnerabilities in Microsoft’s software. Although Microsoft released patches designed to correct these vulnerabilities, its customers remain at risk until they apply those patches.

Contact

Let's discuss your project

I'm always open to discussing IT
project work or partnerships.
