Federico (F.) Leefhelm
ISO – Senior Consultant Quality & Information Security
Experience
ISO – Senior Consultant Quality & Information Security
Gemeinsame Klassenlotterie der Länder (GKL)
- Responsible for the introduction of QMS & ISMS on behalf of the partner company ModernX GmbH & Co. KG.
- Responsible for the benchmark and the future implementation of an ISO tool for the central management of all management systems.
- Responsible for the deployment of a Quality Management System (QMS) according to ISO 9001:2015.
- Responsible for the deployment of an Information Security Management System (ISMS) according to ISO 27001:2022.
- Preparation and creation of the relevant measures (scope, SoA, policies, security concepts, operating procedures, SOP, etc.) to establish a QMS and ISMS.
- Risk management: identification, assessment and handling of critical and potential attack scenarios.
- Risk analysis, risk treatment, determination of protection requirements and vulnerability analysis of the IT infrastructure.
ISO – Senior Consultant Cyber- & Information Security
Northland Power Europa GmbH
- Northland Power is a developer, operator and owner of clean wind power plants.
- Member of the security team, co-responsible for the cyber & information security of the wind power plants.
- Responsible for creating all documents and measures (policies, security concepts, cryptography, key management) to deploy attack detection systems (SzA) according to BSI IT-SiG 2.0 and EnWG.
- Preparation and development of the measures (policies, SOP, ISMS manual, BCM, IT emergency concepts, IAM, backup & recovery, MDM, supplier, password, patch, asset & configuration, network management) to build an ISMS according to ISO 27001:2022.
- Identification, assessment and handling of critical and potential attack scenarios of the wind power plants in risk management.
- Risk analysis, risk treatment, determination of protection needs and vulnerability analysis of the IT/OT infrastructure.
- Development of IT/OT emergency concepts, incident response processes & rebuild of IT/OT systems as part of BCM (BIA, RIA & DRP).
- The project was terminated early as the wind power plants were sold and the company in Germany was closed.
CISO ad Interim & Senior Management Consultant ISMS, BCM & IAM
Huf Hülsbeck & Fürst GmbH & Co. KG
- Leading and managing the project for implementing a Business Continuity Management (BCM) according to ISO 22301.
- Definition of scope, creation of a BCM policy, business impact analysis (BIA), risk impact analysis (RIA) and disaster recovery plan (DRP).
- Development of IT emergency concepts, vulnerability analysis, incident response processes & rebuild of IT systems.
- Conducting the first review of the corporate identity and access management process (IAM) and identifying improvement measures.
- Participation in the continuous improvement process for TISAX and ISMS certification according to ISO 27001.
- The BCM project was not completed due to budget planning.
ISO, Sr. Management Consultant and Sr. PMO
Universitätsklinikum Düsseldorf (UKD)
- UKD is the largest hospital in the state capital and one of the most important medical centers in North Rhine-Westphalia.
- Operator of critical infrastructures (KRITIS according to §8a BSIG) with an ISMS certified according to ISO 27001:2022.
- Works directly as Senior Management Consultant to the head of IKMT (CIO) and leader of innovation projects.
- Responsible for the entire IT department in information security as ISO.
- Creation, maintenance and improvement of ISMS policies and SOPs.
- Training and awareness for IT staff in IT security, incident response processes and system recovery.
- Creation and main contact for the new IT strategy of UKD plus a BIA and DRP for system recovery.
- Preparations for the next implementation of Business Continuity Management according to ISO 22301 for the IKMT department and UKD.
- Development of an IT cyber security strategy and roadmap for implementing additional tools and solutions for UKD's cyber security.
- Creation of an IT emergency concept (part of DRP), IT security concept, incident response and related supporting concepts (data protection, antivirus, cryptography, configuration and hardening measures, asset & configuration, patch management, roles & rights (IAM), IT emergency preparedness, etc.).
- Participation in developing measures to become compliant with attack detection systems (SzA) according to BSI IT-SiG 2.0.
- Development of a security concept, conducting a proof of concept (PoC), evaluation and analysis up to procurement and implementation of a medical device monitoring security system.
- Setting up a Security Operations Center (SOC) with work concept and definitions for preventive measures, threat detection and incident response.
- Setting up a Security Information Event Management (SIEM) with Splunk.
- Senior PMO of the department management since February 2023, responsible for controlling all IT-related projects (>2K projects).
- Creation & management of Gantt charts for all IT-related projects (IT & medical, IT security, SAP, etc.).
- Creation of a patch management security concept & processes and standard operating procedures (SOP).
- Participation in the continuous improvement process (CIP) of the certified ISMS as preparation for the first surveillance audit.
- Regular reporting of project progress to department management and the board.
Senior Management Consultant BCM, Compliance & Information Security
Bitmarck Beratung GmbH
- Leading and managing the project for implementing Business Continuity Management (BCM) according to ISO 22301 and BSI IT-GS standard 200-4.
- Definition of scope, creation of a BCM policy and conducting a business impact analysis (BIA) as well as a risk impact analysis (RIA).
- Development of IT emergency concepts, vulnerability analysis, incident response processes and rebuild of IT systems (DRP).
- Creation of a project Gantt chart and preparation of all necessary certification documents.
- The BCM project was not completed due to budget planning.
CISO as a Service – Chief Information Security Officer
EUROVIA Services GmbH
- Preparation and delivery of awareness training for the company and its subsidiaries.
- Review of penetration test results and creation of an action plan to fix identified vulnerabilities.
- Optimization of IT processes to support business processes.
- Contributing to ensuring the availability of IT services.
- Reviewing existing ISMS documents for a status assessment and gap analysis to implement an ISMS according to ISO 27001.
Security Engineer, ISO, Senior Management Consultant Cyber & Information Security
Thales Deutschland GmbH Naval
- Member of the F126 team and jointly responsible for the cyber & information security of the new F126 ships for the German Navy according to the German Military Security Accreditation Authority.
- Leading the implementation of the largest Thales innovation project in information security for the German Navy.
- Identifying, assessing, and handling critical and potential attack scenarios on the new F126 ships.
- Risk management, risk analysis, risk treatment, protection needs assessment, IT emergency planning, vulnerability analysis, incident response processes & rebuilding IT systems of the IT infrastructure.
- Developing, adjusting, and improving policies, hardening and security concepts, and SOPs.
- Creating, maintaining, and documenting information security & emergency plans considering ISO 27001, BSI IT Baseline Protection & Compendium, and the regulations of the German Military Security Accreditation Authority (ZDV A-960/1).
- Working on the information security of the Digital Communication Network (DKN), Ship Entry Point (SEP), and Satellite Communication (SATCOM) systems.
- Advising and collaborating with business units on conflicts between technical implementation and information security requirements.
- Applying the ISO/IEC 27001 standard according to BSI IT Baseline Protection & Compendium and the IT Baseline Protection of the German Armed Forces for ISMS.
- Participating in workshops with the German Navy and other contractors in German and English.
- Collaborating with information security teams from France and the Netherlands.
ISO & Senior Management Consultant Compliance & Information Security
Bundeskriminalamt (BKA)
- Responsible for certifying (attesting) the new cloud services of the Police Service Platform (PSP) to the international C5 standard.
- Conducting a gap analysis and helping build and improve an ISMS according to ISO 27001, IT Baseline Protection, and the new BSI compendium.
- Creating and adapting policies and SOPs for the entire federal agency (BCM, BIA, RIA, DRP, IT emergency plans).
- Developing and improving information security (SiKo) and IT emergency plans for IT operations and cloud services (IAM, backup & recovery, patch management, crypto & key management, asset & configuration management).
- Collaborating with the SOC team to update the threat landscape.
- Delivering internal training, workshops, and awareness measures.
- BKA security clearance SÜ2.
- The project was ended early due to the COVID-19 pandemic.
CISO & Senior Management Consultant Compliance & Information Security
Dr. Glinz COViS GmbH
- Developing security concepts (SiKo) for the company and various software products.
- Conducting a pre-audit for GDPR with over 90% compliance result.
- Strategically advancing IT security, continuous improvement, and maintaining the ISMS according to ISO 27001.
- Introducing a concept for event handling and improving the SOC system.
- Conducting security assessments (PenTest & vulnerability scans) to eliminate vulnerabilities.
- Developing new compliance services for clients and leading workshops on ISMS and GDPR.
- Creating new policies, especially for the use of cloud services as CSP and CSC.
Lead Auditor & Sr. Management Consultant Compliance & Information Security
TÜV SÜD
- Conducting audits according to ISO 27001 for various clients.
- Leading GDPR workshops and pre-audits for TÜV SÜD Munich and its clients.
Lead Auditor & Sr. Management Consultant Compliance & Information Security
SAP AG
- International lead audit manager in Quality Management and Information Security according to ISO 9001, ISO 27001, ISO 22301, SOC, SOX, C5, PCI-DSS & SIEM.
- Focus on Cloud Network Delivery (CND) and global SAP cloud services.
- Collaboration with enterprise compliance, audit, and SOC teams for Threat Lifecycle Management (TLM).
- Review and enhancement of information security concepts for all SAP cloud services.
- Contribution to the development of innovation projects in Information Security.
- Single point of contact between Cloud Network Delivery, users, and global compliance teams.
- Compliance project manager for CND (Cisco switches in global data centers).
CISO & Division Manager Compliance Services & Solutions
Makro Factory GmbH & Co. KG
- Planning, expansion and setup of the new Compliance Services & Solutions division.
- Advising clients on implementing an ISMS (ISO 27001), BCM (ISO 22301), IT baseline protection, BaFin & MaRisk.
- Successful implementation and dual certification of an ISMS (ISO 27001) and a BCM (ISO 22301) within 14 months.
- Achieved ISO 27017 / ISO 27018 certification for personal data protection as a Cloud Service Provider (CSP).
- Conducting IT security assessments (pen tests, vulnerability scans) and creating IT contingency plans.
- Delivering seminars, training sessions and workshops on GDPR and information security.
- Audits in information security according to ISO 27001, ISO 27006 and ISO 19011.
Senior Management Consultant Compliance & Information Security
Stadtsparkasse Düsseldorf
- Conducting banking security consulting regarding BaFin and MaRisk AT 8.2 compliance.
- Advising on IT requirements and on secure IT operations measures (SITB).
- Advising on outsourcing network services under the German Banking Act (KWG 25a/b).
- Adapting incident management for the switch of the network provider to Finanz Informatik (FI) according to MaRisk AT 9 outsourcing.
- Business analysis, modeling and adaptation of outsourcing processes.
Strategic ITSCM, CISO, Business & eGRC Senior Management Consultant
Self-employed Entrepreneur
- Senior project manager, business analyst and senior PMO as interim manager for banks, insurance companies, retail and industry.
- Technical rollout and change management for an international mining company during the introduction of new ERP systems.
- Strategic development of ITSCM, IT services and IT security as CISO ad interim.
- Implementation of an ISMS according to ISO 27001 and BCM according to ISO 22301 in Chile, Argentina and Brazil.
- Business development manager ad interim for various IT companies.
- Business analyst and interpreter for IT projects (Spanish/German/English).
Regional eRCP Manager & Senior PMO for all of Latin America
Zürich Shared Services – Versicherungsgesell.
- Responsible for enterprise release, configuration & promotion (deployment) as part of the global Growing Market Platform (GMP) project.
- Rollout of a new core insurance system for all Latin American business units of Zurich Insurance.
- Establishment, training and leadership of an eRCP team in Chile, Brazil and India.
- Regional problem, incident, change, release and crisis management across the entire application lifecycle.
- Single point of contact for Latin American users and collaboration with regional Change Advisory Boards (CAB).
- QA approval of software releases and development of test cases.
- Reviewing and adjusting contracts for external service providers (Accenture, CSC, Everis, Wipro).
- Personnel responsibility for more than 80 employees worldwide.
- Senior PMO for all non-core applications (legacy systems) in Latin America.
Acting CISO & Interim Manager of IT and IT Security Departments
INE, Chilean National Statistics Institute
- Responsible for preparing, programming, and securing wireless solutions for digital data collection in the 2011-2012 census.
- Conducted training sessions for external staff on digital data collection.
- Strategically developed ITSCM, IT services, and IT security, and led all innovation projects.
- Restructured the IT department and negotiated with management and the works council.
- Implemented policies in line with ISO 27001, ISO 22301, ITIL, COBIT, and OECD guidelines.
- Established and launched the first SOC with a SIEM platform for automated threat lifecycle management (TLM).
- Introduced PMO, development, and project management methodologies (PMI, CMMI, CMMN).
- Led the cross-border telecommunications network upgrade (RFP).
- Had interim personnel responsibility for over 50 employees.
CEO & Owner; Managing Director, CISO & Senior Consultant
ATNet Latin America Management Consulting GmbH
- Founder and Managing Director of an international IT management consulting company.
- Specialized in IT governance, risk & compliance, information security, and electronic invoicing processes.
- Implemented and certified ISMS (ISO 27001) and BCM (ISO 22301) for financial institutions in South America.
- Built SOCs with SIEM platforms for banks in Chile.
- Developed and marketed an application for electronic invoicing using asymmetric cryptography.
- Taught strategic and technological aspects of cryptography to the Ministry of Economy and the Santiago Chamber of Commerce.
- Automated workflows for foreign trade processes for a Brazilian bank.
- Consolidated networks and server platforms to reduce TCO for a local bank.
- Implemented IT security guidelines and reorganized the IT department at Chile's largest mining and steel company.
- Had personnel responsibility for over 120 employees.
CIO & COO – IT & Operation Manager
Chipkarten AG (ETISA)
- Launched an electronic money card (eWallet) using smart cards as a subsidiary of the banks.
- Managed the technology platform for eWallet management as an open innovation project.
- Licensed the money card through Mondex International (MasterCard).
- Established and led an interbank committee for operations and technology topics.
- Developed the model for production, operation, and settlement of electronic money in collaboration with banking regulators and the central bank.
- Developed the financial model for investment and profit distribution while maintaining money market stability.
- Acted as the interface (Business Analyst) between banks for project implementation.
- Had personnel responsibility for over 20 employees.
Manager of Technological Remote Channels
Banco Crédito Inversiones (BCI)
- Managed the operations of remote technology channels: web, mobile banking, telephone banking, and ATMs.
- Designed and defined the project to launch Chile's first transaction-oriented banking website.
- Introduced mobile digital banking.
- Led and controlled external service providers.
- Had personnel responsibility for over 40 employees.
Senior Consultant Electronic Banking
Banco Crédito Inversiones (BCI)
- Developed, implemented, and managed all electronic banking products for the corporate sector.
- Developed and launched eCommerce solutions for the bank.
- Advised on secure development of eCommerce and EDIFACT in Chile.
R&D Manager, Research and Technology Development
Banco Crédito Inversiones (BCI)
- Implemented EDIFACT (Electronic Data Interchange) for the bank.
- Advised on setting up an EDI subsidiary for the banks.
- Developed and launched the first drive-in banking branch.
- Managed a team of over 10 employees.
Senior Consultant & Deputy Manager, International Banking
Digital Equipment Corporation (DEC)
- Responsible for COMEX, Financial EDIFACT & eCommerce for German and European banks.
- Responsible for the financial institutions area at CeBIT.
- Developed and promoted eCommerce solutions in German banks.
- Member of the European interbank committees in Frankfurt, Paris, and London.
- Led an eCommerce project between commercial banks and the Landeszentralbank (LZB) in Frankfurt.
CIO and Authorized Officer
Société Générale
- Conducted benchmarking and procured the SWIFT-ST400 system for the entire bank.
- Planned, rolled out, and trained staff on the SWIFT system for all German branches.
- Introduced the first Wide Area Network (WAN) from Frankfurt to all national branches using analog multiplexers.
- Defined and implemented the new data center in Frankfurt.
- Managed a team of over 40 employees.
- Career progression within the bank: promoted to CIO and Authorized Officer (1988), CTO (1986), Deputy CIO (1984), Software Engineering Team Lead (1983).
Skills
Information Security Governance, Risk & Compliance: consulting & management for implementing an Information Security Management System according to ISO 27001, a Business Continuity Management according to ISO 22301 (BIA, RIA, DRP & BSI IT-GS 100-4 / 200-4), DORA and NIS2 compliant
GDPR compliant with the use of an ISMS according to ISO 27001:2022 plus ISO 27701
BaFin: DORA, MaComp & xAIT compliant; MaRisk, BAIT, VAIT, ZAG, ZAIT, KAIT
BSI: IT Baseline Protection & Compendium as the German basis for information security
C5:2020 & information security: Cloud Computing Compliance Criteria Catalogue and ESCloud
Setup, rollout & services of Security Operations Center (SOC) & SIEM, UEBA & SOAR platforms
IAM: Identity & Access Management, cryptography & key management (symmetric/asymmetric)
Audits in the field of information security according to ISO 27001, 27006, 19011, GDPR & BSI-GS
Audits for energy supply companies (so-called KRITIS) according to BNetzA § 11 Art. 1a EnWG
Project management & control methods for projects (PgMP & PMO according to the Project Management Institute)
ITSCM (ISO 27031), ITSM (ISO 20000), SLA, crisis, patch, security logging & monitoring, event, incident, problem management, etc.
eRCP management: enterprise release, configuration & promotion/deployment, and release & change management (according to ITIL & COBIT)
Strong hands-on mentality; high and fast analytical, conceptual, abstract and logical thinking
Service- and solution-oriented, conceptual, strategic, self-reliant, goal-focused and highly structured way of working based on the PESTEL framework
High sense of responsibility, self-motivation, flexibility and trustworthiness
Creativity and courage to present and drive new ideas, following the open innovation principle
High assertiveness and persuasiveness as a contact person for users
Strong cooperation and team skills
Strong process thinking in terms of the overall design and modeling of business processes
Very good and strong communication skills and social competence
Confident and convincing appearance
Experience in leading international project teams, project management, PMO, etc.
Audits in the European General Data Protection Regulation (GDPR)
Information security eGRC – enterprise governance, risk management & compliance according to the ISO/IEC 2700x standards family, ISO 22301, ISO 27031, BSI IT Baseline Protection, GDPR, the new BDSG and the "DEUmilSAA" German Military Security Accreditation Authority (ZDV A-960/1, etc.)
BCM, Business Continuity Management according to ISO 22301, ISO 27031 (BIA, RIA, DRP) and BSI IT Baseline Protection Standard 100-4 / 200-4, IT Service Continuity Management (ITSCM according to ISO 27031): disaster recovery plan, business continuity plan, IT emergency concepts, etc.
KRITIS: BSIG § 8a paragraph 1a and the use of systems for attack detection (SzA), early detection of cyber-attacks, management of incident response & rebuild of IT systems
C5 & ESCloud: security concepts for using cloud services (CSP & CSC)
IAM: Identity and Access Management
BaFin: DORA, MaComp and xAIT compliant (BAIT, VAIT, ZAIT, KAIT); management consulting for credit institutions, MaRisk, ZAG
Audits according to ISO 9001, ISO 27000, ISO 27001, ISO 27006, ISO 19011, ISO 22301, SOC, SOX, C5, PCI-DSS and according to the KRITIS regulation § 11, Art. 1a EnWG and BSI IT-GS
IRBC according to ISO 27031: IT readiness for business continuity to minimize company-threatening IT risks and take effective countermeasures
PM & PMO according to PMI; IT service continuity management according to ISO 20000 & ITIL, COBIT, CMMI
Education
TU Santiago
Diploma Engineer (University of Applied Sciences or Technical University), specializing in Business Informatics · Business Informatics · Santiago, Chile
Certifications & licenses
CISA/CISM: Certified Information Systems & Security Lead Auditor according to the ISO 27000 series (TÜV SÜD) and ISO 19011
TÜV SÜD
CISO: Chief Information Security Officer / Professional according to ISO 2700X series
TÜV SÜD
Certified ISMS Lead Auditor according to the IT Security Catalogue of the Federal Network Agency (BNetzA)
Bundesnetzagentur
Certified ISMS Lead Implementer according to ISO/IEC 2700X series
TÜV SÜD