Bevan Lane has over 17 years of experience in information security consulting, auditing, and training. He has delivered training to over 50 clients worldwide and has consulted on more than 10 ISO27001 implementation projects. Currently, he is consulting on three ISO27001 and one PCI compliance project. Previously, he led a team conducting ISO 27001 audits across 25 sites for Shell Oil Company over six years while at PricewaterhouseCoopers.
Independent Information Security Consultant Profile
1. Bevan John Lane
1/29/2014
Independent Information Security Consultant and Trainer
Bevan specializes in Information Security consulting, auditing and training where he
has over 17 years’ experience in forensics, awareness, consulting, training,
implementation & auditing. He has delivered training at more than 50 clients around
the world and has consulted on more than 10 ISO27001 projects for his clients.
Work Experience Highlights
• Presently consulting on three ISO27001 implementation projects and a PCI compliance project for his clients and is known as a thought leader in terms of the standards.
• At Price Waterhouse Coopers (PwC), led a team conducting ISO 27001 audits and consulting across 25 sites across Europe and Africa for Shell Oil Company over a 6 year period.
• Consulted on Privacy and Card Payment security forums and assisted large retailers with implementation processes.
• Project managed and consulted on large Sarbanes Oxley certification projects, including large Canadian mining organisations in the Kyrgyz Republic and Mongolia. Developed Information Security documentation and policies for large and small organisations throughout South Africa. Bevan has developed policies for many large organisations in South Africa and also for smaller organisations and government departments.
• Has been involved in many high profile cybercrime investigations and forensic consulting for clients.
• Conducted Technical reviews, including Penetration Tests, Vulnerability assessments and other specific technical assessments.
Summary of Experience
• 17 years’ work experience
• 14+ years in IT auditing, forensics and Information security consulting and audits. Awareness, implementation, lead auditor courses
• Conducted over 50 courses, training more than 1,000 candidates
• Training conducted in UAE, Qatar, Saudi Arabia, Bahrain, Tanzania, Nigeria, Namibia, Zimbabwe and South Africa
Oil and Gas, Mining Industry Experience
• More than 12 years including large projects for: Shell Oil, Engen South Africa, Centerra Gold Mining Company
• Training for: Shell, QAFAC, Aramco
Certifications
• Bachelor Of Commerce – Nelson Mandela Metropolitan (South Africa)
• CISSP
• SABSA
• CISA
• CISM
• CGEIT
• BSI certified lead auditor of ISO 27001
• COBIT
2. Bevan Lane - CV
Work Experience:
November 2006- Present: Infosec Consulting SA (Cape Town)
Role: Director
Duties:
Bevan has been conducting Information Security consulting, training and auditing projects both for local and
international clients. He works with partner firms or through his own organisation Infosec Consulting SA depending on
the type of assignment and is heavily involved in the Information Security and governance community both within the
Western Cape and Southern Africa. He is responsible for managing teams on Information security and IT auditing
assignments and coming up with solutions for specific problems.
1. IT and Information Security documentation development
Bevan has extensive experience in developing, collating and modifying IT and information security documentation for
clients. He is able to understand requirements and then collate information into an agreed document standard. Allied
with his knowledge of information security and applicable best practice frameworks he has developed documents for
many clients, both for simple and complex assignments. Over the last 5 years he has:
• Developed IT Policies to support Sarbanes Oxley certification requirements at 2 large Canadian mining organisations in the Kyrgyz Republic and Mongolia. This included Information security policies, IT policy, process and standard documentation and audit support documentation.
• Developed Information Security documentation and policies for large and small organisations throughout South Africa. Bevan has developed policies for many large organisations in South Africa and also for smaller organisations and government departments. He also reviews existing policies and advises on how best to improve policy architectures.
• Developed a Security operations guide for a large Financial Services organisation which aligned existing security practices with legislation, frameworks, controls and internal documentation. This document is to be used as the single information security document.
2. Information Security/Certification Consulting
Bevan is first and foremost an Information Security consulting specialist and has extensive experience in the following
types of work:
• ISO27001 Certification projects, from inception to preparation for final audit.
• Information Security project management and issue specific resolution assignments (Compliance assignments, regulatory implications, specific information security issues)
• Information Security Policy and document development and implementation
• Implementation of specific Information Security issues
• Technical Security reviews and implementation projects
• Assisting clients with assessments and certification implementation guidance for compliance requirements (including Protection of Personal Information, Payment Card Industry Data Security Standard (PCI-DSS), Sarbanes Oxley and ISO 27001). Bevan has helped clients all over the world become compliant with these standards.
He has used his extensive experience in IT and information security auditing to specialise in assisting clients to become
certified in specific standards and performing mentoring roles on specific issues. He has assisted with hiring staff,
mentoring staff and developing frameworks to assist with certification processes. His clients include Shell, where he
worked on security governance consulting and then auditing in terms of Sarbanes Oxley for 7 years, and Engen South
Africa. He has also undertaken training for various Oil and Gas companies including Saudi Aramco and QAFAC.
3. Audit/Governance
Bevan has performed IT audits throughout Southern Africa for clients in various industries (namely insurance, hotel
groups and local government). These audits are completed using a combination of recognised IT frameworks or
standards (including ISO 27001, CobIT, PCI-DSS and ISO 19011) and are governed by the ISACA rules and
standards. He specialises in IT certification audit and consulting assignments.
Bevan has been involved in over 50 ISO 27001 certification audits across the world and has performed IT audits for
over 12 years.
4. Forensics
Performed specific IT forensic investigations for clients in South Africa where forensically sound images were
obtained and investigations were conducted and presented to management. This resulted in legal and disciplinary
actions being taken by the client. Bevan was a founder of the South African PwC Cyber-crime unit which aligned
forensics and Information Security consulting and has extensive experience in forensics.
5. Training
Bevan is the only registered BSI 27001 trainer in South Africa where he conducts the Lead Auditor training on their
behalf and has conducted training on other IT governance areas, such as IT Risk, CobIT, Business Continuity and
other general IT governance and Information Security areas.
He has also presented at conferences and workshops across the world over the last 10 years and is well respected as
a trainer and presenter.
6. Specific assignments
Worked as Outsourced Information Security consultant for specific clients:
o Shoprite Checkers.
o Mining Company in Kyrgyz Republic and Mongolia
o Old Mutual
o Metropolitan Cover2Go
Conducted IT audits for the following clients:
o Metropolitan Cover2Go
o Sun International
o PPS Insurance
o Peninsula Beverages
o Standard Bank
October 1999–October 2006 PricewaterhouseCoopers
Cape Town
Manager: Technology security division
Duties:
Manage specific projects relating to network and Internet security projects.
Consult on specific IT risk management issues
Specific ISO1799 Experience
Certification audits
Managed and coordinated a large assignment where ISO 27001 security audits and IT compliance issues
were assessed for Shell Oil units across 35 sites in Europe and Africa. This assignment consisted of
managing a team of 15 people across these countries and dealing with top IT management. I was involved in
all aspects from proposal to final report and interacted with senior management at the client. I also dealt with
and presented to the heads of Information Security and consulted and presented on Information security
challenges facing the organization. These certification audits were assessed in terms of ISO27001
compliance and operating units were given chances to become compliant when issues were found and then
re-assessed.
Assisting various organisations with ISO 27001 initiatives, either with regard to assessing their
implementations or with regard to assessing whether they could be certified with the standard.
Consulting
Project managed an assignment for an international mining company, Centerra Gold in order to ensure that
one of their subsidiaries became Sarbanes-Oxley compliant; this involved all aspects of SOX controls and
testing as well as implementation of controls. My emphasis was on forming an Information Security
Management Function (ISMF) in terms of ISO, COBIT and ITIL standards:
• Assessed the various COBIT and ITIL relevant guidelines and compiled controls based on a combination of the two which fitted the industry.
• Drew up and facilitated agreement of security policies
• Compiled various security procedures (e.g. anti-virus, patch management, logging and incident response)
• Security awareness training
• Training and mentoring of security staff
• Implementing solutions to Security issues (log management, Removable media)
• Assisting with forensic investigations
• Risk Assessments
• Vulnerability Assessments
• Various additional security audits (Firewalls, Servers, Physical Security)
Being outsourced to Shoprite Checkers for three years where I performed the task of security/risk manager. This
entailed various components of information security management:
• Drawing up a comprehensive set of security policies (24 policies) and related procedures
• Risk assessments and Security Assessments in order to understand the current situation and the risks involved.
• Monthly Security management reporting and measurement of the security program
• Assisting with creating security architecture for the firm.
• I also evaluated software tools and drew up procedures to govern their use. (i.e. content filtering, patch management)
• Was involved in various complex security projects (Identity management, Wireless security)
• Forensic investigations
• Disaster Recovery project assistance
Managing an outsourced security management function for an Internet initiative; this entailed setting up
security policies and procedures as well as analysing technical guidelines and educating the staff on security
issues. This was an ongoing process and involved implementation and other outsourced related issues.
Additional Work
Various Security reviews at clients throughout South Africa and Namibia. This included security audits, attack and
penetration testing and consulting on security initiatives.
I was Chairman of the PWC South Africa cyber crime Task team which was set up to form a unit of qualified
individuals who will undertake specific cyber crime assignments around South Africa. I also drew up an interim
business plan, set up methodologies and then left this area to concentrate on security management.
I have performed various Sarbanes Oxley assessments and audits at various clients and mapped controls in
terms of in-house standards for a specific client, most notably for a multinational oil company.
Did assessments in terms of COBIT requirements at various clients, specifically in terms of Ensure Systems
Security (DS5).
Performed various cyber crime investigation assignments at clients; this included investigations related to
hacking, e-mail abuse, identity theft as well as IT abuse and intellectual property investigations. I have also
consulted on various cases which either went to court or arbitration.
Project Management as well as assisting with the technical duties with regard to specific security issues at South
Africa’s largest Internet service provider. A multi-faceted task that involves clearing up user accesses, checking
the integrity of the network and Internet servers as well as planning and implementing an overall network security
policy.
I was chairman of the Western Cape Security Special Interest Group (SSIG), a group of +- 40 Security
professionals in the Western Cape who shared knowledge and discussed pertinent issues for 2 years. I also
present at various conferences on various aspects of security and governance and am quoted in publications and
on the internet. I have presented at Information Security, Banking, ATM and anti-fraud courses.
Internal review of AS 400, NT, Windows 2000 and Novell servers at various businesses around South Africa.
Managed specific audience measurement assignments at various Internet companies in order to verify statistics
relating to page impressions and assess the security controls inherent in the system.
Various IT risk consulting engagements such as Archiving, Asset management and ISO certification assistance.
June 1998–September 1999 PricewaterhouseCoopers
East London
Senior Forensic Consultant
Duties:
Assist and manage specific fraud investigations in the public as well as private sectors with specific
relevance to the IT and data interrogation fields.
Specific Experience
Forensic investigation relating to the Department of Health & Welfare pension payouts, including a complete
Data Interrogation of the Socpen Database and Eastern Cape Persal system. Millions of rands/month were
saved through our efforts.
Forensic Investigation relating to fraudulent activities within various local TLCs within the Eastern Cape and
Kwazulu Natal using the latest Forensics software.
Ghost headcount Investigation for the Free State Transformation program
Working with the Tertiary Education Linkages Project to determine the effectiveness of how specific grants
given by the US government are spent at various tertiary education institutions within the Eastern Cape. This includes
technical assistance to these HDIs as well as ensuring that these grant funds are correctly spent within the
guidelines of USAID.
Setting up of a complete database of all the property presently owned by the Eastern Cape development
agency.
Part Time: May 1999 – December 1999
Damelin College
East London
Lecturer
I lectured short business related courses at Damelin, specifically Practical Accounting, an
intermediate accounting course. This consisted of two days a week preparing lectures, exams
and assisting with general queries. This was done part time while I was employed by Coopers and
Lybrand.
June 1996–June 1998 Coopers & Lybrand Bisho
Management Consultant
Duties:
General consulting activities within the Eastern Cape, training and building capacity within the Public sector
including:
Organising the Reintegration of the TVBC states telephone services for Telkom (Ciskei and Transkei),
including the determination of leave credit accruals and the verification of the validity of refunds.
Audit investigation relating to incorrect payments for the Department of Public Works
Planning and implementing of the Verification of Fixed assets at various government departments on behalf of
the Department of Transport.
Assisting with a computerised Forensic investigation for the Department of Transport relating to contracted
bus operators
Planning and controlling the monitoring of subsidised bus routes within the Eastern Cape and assisting in the
planning of a new bus service. Including the drawing up of contracts and evaluation of feasibility of routes as
well as a forensic investigation of whether the operators were fulfilling their contractual obligations.