Jovan Miladinovic, CISA, ISO LA, BA
Mr. Jovan Miladinovic has more than 20 years' experience in information technology as an executive, technology leader and consultant, in roles ranging from technical leadership to executive/CISO positions, combined with a strong understanding of business process.
Mr. Miladinovic holds a Major in Economics (BA, University of Belgrade) and postgraduate studies in Computer Sciences and Business Administration (in Belgrade and Toronto).
Mr. Miladinovic was one of the first dozen Certified Lead ISO 17799 Auditors in North America. Mr. Miladinovic is also a Certified Information Security Auditor (CISA – ISACA).
Mr. Miladinovic has developed both strategic and tactical plans, as well as business cases and budgets, in support of the enterprise’s revenue and expense targets.
He has excellent client-facing skills, acuity for managing expectations and sustaining relationships at the Board/CxO level, and the ability to find effective solutions in conflicting environments while maintaining an objective and independent point of view.
Mr. Miladinovic's leadership style is hands-on and collaborative, sustaining a healthy balance of people and technical skills across development and IT/IS operational management.
Experience
Principal and VP Business Services – NVR Global, Toronto (February 2022 – present)
Formulated policies and security risk assessment frameworks and established strategic direction, including determination of priorities.
Sourced, selected and on-boarded team members in various disciplines, clarified roles and responsibilities and set task/deliverable/performance expectations.
Coordinated and monitored project processes (Agile/Scrum) and developed/communicated guidelines and procedures.
Managed complex technology projects ($10+ million).
CISO – Munich RE, Innovation (September 2019 – February 2022)
Developed and implemented an Information Security, Governance, Risk and Compliance framework and processes for a fully outsourced insurance solution project (Infrastructure, Platform and Development). Maintained the ISMS Program. Mapped the control framework to, and maintained compliance with, both North American and European regulatory requirements (AODA, GDPR, BaFin, KRITIS and others). Created, implemented and maintained/improved the DLP program (Microsoft DLP and ProofPoint). Managed a team of Security/GRC specialists. Established the Data Governance office and processes, including DRM strategy and planning. Managed preparation for 52-109 CFO Certification. Developed and refined the PIA process and guidelines and conducted multiple PIAs.
Senior Information Security Consultant – WSIB, Toronto (February 2017 – April 2019)
Created and operationalized IS control and Vendor screening RFP documentation. Coordinated activities with Procurement and LOBs.
Provided consulting for the RFP evaluation process for both information security and technical/business requirements. Defined, identified, and described information architectural requirements, as well as application and infrastructure design.
Managed large procurements through the full lifecycle of public procurement: requirements development, Request for Quotes/Proposals/Bids (RFQ/P/B) development, publishing, evaluation, contract award and vendor onboarding.
Provided compliance guidelines (AODA) to the departments issuing RFPs.
Created Cloud Security Framework and IS Control guidelines and ICQ.
Provided IS consulting services to the PMO.
CISO, Application Deployment, Operations, Information Security and Architecture – Toronto Public Health, Toronto (November 2012 – May 2016)
Established and maintained the organization's vision, strategy, and program to ensure information assets and technologies are adequately protected.
Developed and implemented a Risk Management Framework and Plan dealing with identifying, developing, implementing, and maintaining processes across the organization to reduce information and information technology (IT) risks.
Managed and improved the ISMS. Managed the team responsible for incident response, establishment of appropriate standards and controls, management of security technologies, and the establishment and implementation of policies and procedures, as well as information-related compliance management.
Designed a new Access Management solution and managed the vendor selection process for the TPH Case Management application to replace the existing Oracle OAD/OAM solution. Managed the requirements gathering and RFP creation.
Coordinated IT Security education and awareness programs.
Coordinated overall operations and plans for Server/Network initiatives/changes. Coordinated overall TPH IT and Corporate (City of Toronto Shared Services) infrastructure initiatives. Drafted SOWs and work orders and led contract negotiations.
Developed and managed Data Governance/Protection program (Open DNS, ProofPoint) and provided direction for integration with WCM and Open Data. Developed and implemented Mobile Application Development Framework and Plan and Release Management Framework.
Developed and implemented architecture review process.
Provided direct consultations to the CIO and worked closely with the Chief Privacy Officer, providing advice, guidance, and support in ensuring TPH compliance (AODA) with privacy legislation (MFIPPA, PHIPA and e-PHIPA). Familiar with Health Information Network Providers (HINP) and Electronic Service Providers (ESP). Refined the PIA process and guidelines.
Managed multiple large technology projects ($25+ million).
Senior Business Security Advisor – Rogers, Brampton/Toronto (March – December 2011)
Developed and managed the new Data Governance/Protection Program (Microsoft DLP) within Rogers Information Security & Risk Management organization including strategy, mission, vision, objectives and governance.
Reviewed the policies, identified the Security Control Objectives, and ensured that the procedures appropriately addressed these objectives (PCI, Sarbox, PIA).
Developed Records and Information Management System, supporting CRO (Chief Records Officer) role. Designed and implemented a DRM solution to support the various lines of Business within the organization.
Managed process for determining security and technology requirements for the engineering of deliverables, resources, and schedules.
Managed the design and development of solutions that include controls to ensure proper governance and security of information assets.
Established standards, policies, and procedures for data/information solution best practices.
Identified and championed process improvements by developing and maintaining strong relationships with internal and external clients/contacts.
Senior Program Manager – Open Text, Waterloo (April 2010 – February 2011)
Planned, developed, and deployed a comprehensive, multi-faceted Information Security Management System project based on ISO 27001, with the objective of establishing a cross-enterprise, unified governance environment to be crowned with ISO 27001/27002 certification. Reviewed, confirmed, and updated the gap analysis, identifying the current state of procedure availability. Identified and prioritized procedures to be delivered. Developed procedures, reviewed them with stakeholders, and supported the approval and implementation process. Coordinated with stakeholders to create consensus on the project critical path.
Senior Advisor/Program Director – CHK Group SA, Medellin, Colombia (January – April 2010)
Provided consulting and advisory services for a top-tier Information Security/Governance services organization engaged by the Colombian Government, reporting to the CEO. Provided scope, time, cost and quality management, including risk management, data centre design, procurement and communications management, for multiple projects aligned with ISO 27001/27002 control objectives.
Senior Program Director – Pilot Performance Resources Management Inc. (February - December 2009)
Al Ain Municipality, UAE: Provided consulting and advisory services for the planning phase of the Development and Implementation of Environment, Health and Safety Management System for Al Ain Municipality Project. Developed an ISO 27001/COBIT governance model and all supporting policies, processes, and procedures for implementation. Developed a Federated Identity solution for the project. Worked with external vendors/outsourcing organizations for project commissioning.
Senior Program Manager – Hydro One (June 2007 – December 2008)
Cornerstone: Provided Solution/Data Centre Architecture, IT Governance advice and oversight, and vendor management to the project whose objective was to replace/upgrade the core information systems within Hydro One Networks on the SAP platform, supporting Supply Chain, Accounts Payable, Work Management and Asset Management. Participated in the design of the data centre. Conducted data centre compliance evaluation. Developed and implemented a Federated Identity Management solution (Tivoli, SOA). Developed and implemented the governance model and ensured its alignment. Developed the Data Loss Prevention Program and Framework, including Data Leakage prevention. Balanced the implementation of project deliverables against conflicting stakeholder goals and competing resource requirements.
Smart Meter: Provided Solution Architecture and IT Governance advice and oversight to the Smart Meter project, reporting to the CIO. Acted as lead for the Issue, Risk and Approval processes.
BIT: Participated in the BIT Security effort to establish and integrate an enterprise IS Risk Assessment framework providing a better IT Governance control and compliance environment. Designed policies and procedures and mapped controls to standard/regulatory frameworks such as COBIT, ISO 27001, Bill C-198, PCI, NERC, and others. Developed contract components for IT Project Management for external vendors. Provided subject matter expertise regarding project and production management quality assurance, risk and issues management processes, continuous improvement process, security operations and information security governance as they relate to Information Technology (IT) and Operations Technology (OT) systems.
Senior Governance Consultant – MPAC (September 2006 – May 2007)
Municipal Property Assessment Corporation: Reporting to the Board, analysed all aspects of IT Governance, including the PCI compliance matrix and the Data Loss Prevention program/framework, and created a Gap assessment document with a project plan to address and rectify the most critical gaps over the next few years. This included an in-depth assessment of the MPAC SDLC with improvement/optimization guidelines. Provided guidance in creating a Business Continuity Framework by developing a systematic, comprehensive approach to BCP that includes all aspects of the client's business drivers. Developed a strategic risk management plan to assist in identifying, quantifying, and managing the client's risk. Presented findings to the Board.
Senior Consultant - Accenture (March 2006 –August 2006)
Ministry of Health: Aided in creating the ITIL (Operational Security, Change Management, Availability/Capacity Management, Release Management, Problem/Incident Management) and ISO 17799 based policies, operational run books, processes and procedures for the OLIS (Ontario Laboratories Information System) Project. Oversaw Quality Assurance and User Acceptance in conjunction with application services. Advised on security methodologies and tools including Active Directory workflow optimization (schema extensions) as well as the BCP and DRP architecture, and established and documented the requirements for continuity of OLIS' critical Information Systems (IT infrastructure, applications, mobile devices, and all tiers of support centres). Provided guidance for Identity, Access and Privacy. Oversaw OLIS governance on behalf of the Accenture program accountability to clients/users.
Project Director – Scienton (September 2000 – March 2006)
Organized security and risk management practice with services and standardized service delivery. Developed practice strategy using standards such as ISO17799/BS7799, CC, SAS-70, COBIT, ITIL, ITSM to provide business process baseline for the Information Security Model™ to map security controls to the information infrastructure.
Established Data Centre Operational Framework – Documented Policies, Procedures and Operational Guides based on ITIL (Service, Change, Incident and Problem Management), PCI and CMMI guidelines. Managed multiple IT Security Projects.
Managed development of Information Risk Cube®, a risk-based asset inventory tool that automates creation of compliance reports (a Web based, Java/SQL tool that produces PDF Reports) and Threat Risk Assessments/Privacy Impact Assessments.
Managed a team of 7 people deploying iPHIS (Communicable diseases information exchange system) throughout Ontario – (System Integration, Deployment, Testing and Education for healthcare professionals) for MoH.
Managed several Compliance, Gap Analysis, TRA, PIA, Identity Management and Infrastructure/Business Review projects for clients in the Financial, Health and Government verticals, using baselines such as ISO 17799, COBIT, Basel II (Operational Risk), Sarb-Ox and industry best practices.
Managed projects for Financial and Insurance vertical clients with an objective to analyze, develop and implement a SOA (Service Oriented Architecture) based coupling and reuse of the data from the multiple application sources (ITIL based).
Managed a Federated Identity Management Project for a US Financial Institution with the objective of providing a single identity throughout the partner network using Active Directory, LDAP and SAML (Security Assertion Markup Language). Developed the Identity and Access Management architecture and design, including workflow for user registration/enrolment/provisioning etc., from a system use case perspective.
Managed a DRM project that resulted in creation of a Rights Expression, Content, Protection, and full Document Life-Cycle Management framework combining Digital Watermarking (Navisware/Adobe), SafeNet's Network Encryptors and steganography techniques (TrueCrypt and others). Created Policy and Life-Cycle Management documentation.
Performed compliance analysis of audit controls and substantive testing of the IT general controls against PCI/Bill C198/SOX/COBIT control objectives in the following areas (including mapping for compliance guidelines to IT):
- Security Identity Governance and Administration Process Design
- IT governance, Public Sector (GO and Fed)
- Acquisition/development and testing of system software
- Development and maintenance of policies and procedures
- Acquisition, installation, testing of technology
- Agile/scrum
- Management of service levels and third-party services
- Data Loss Prevention
- Cyber security PIA
- Systems security and data management
- Controls to manage problems and incidents
- Controls to manage IT operations
- Change and Configuration management
- Management of multiple simultaneous technology projects (up to $50 million)
Human Services Cluster, Ontario Government: Aided management in the transition of PKI administration from Accenture to the Cluster. Created policy statements and developed policy enforcement mechanisms. Developed and documented guidelines, processes, and procedures for the cross-certification requirements of the Entrust (Direct, TruePass, Entelligence) based PKI system. Rolled out the cross-certification domain (Federal-Provincial Government). Provided operational improvements and general guidelines for maintaining the PKI trust model. Managed the PKI Municipal Registration Model as an MCFCS SDMT Local Registration Authority (LRA). Coordinated and led the ongoing development and update of operations security practices and procedures for the Ministry. Coordinated, led, and facilitated inter-disciplinary/inter-ministerial groups developing changes to the MCFCS and Municipal Registration Models. Managed the integration plan with the GO IDMP (LDAP & XML) & PKI (Entrust). Provided and documented specific information and support for the Ministry and the user community on data security procedures and issues. Provided several TRAs (Threat Risk Assessments) for new business processes and projects, as well as Business Continuity Planning and Disaster Recovery Planning and execution. Planned and facilitated workshops. Participated in the creation and delivery of awareness sessions, which encompassed security issues, procedures, and productions. Provided analysis, interpretation, and evaluation of complex, diverse operational and security problems and emergency fixes: identifying the nature and source of the problem or change, determining feasibility and specification of fixes, and selecting appropriate tools and approaches. Delivered ISO 17799 based Service Management Gap Analysis and compliance metrics for the Cluster. Advised senior management on Service Management improvements in line with ITIL, COBIT and ISO 17799.
Major Canadian Bank: Conducted ISO 17799 Gap Analysis for the World Markets Department with an emphasis on Basel Accord Risk compliance metrics. Performed application security and business continuity framework audit. Identified and evaluated high-level alternatives for BCP implementation as to their technical feasibility, resource requirements and cost effectiveness for different levels of downtime. Designed business Enterprise Authentication Requirements and developed ROI. Managed Portal Authentication (PKI/SSO/Smart Card/ADS/Biometrics) implementation. Developed the pilot plan for MS-CA/SSO/SmartCards/Netegrity/CA eTrust/DS/XML.
Rogers Communications Inc.: Planned and coordinated the Capacity Increase for the Vision 21 Infrastructure – an Oracle V8 based Amdocs application running on HP V2600 Servers (upgraded to Superdome) sharing EMC Symmetrix 8000 frames. Provided performance-based Capacity Analysis as well as HA, developed and documented operational procedures and business/cost Impact Analysis, reporting to the Director, Technical Services.
Major Canadian Bank: Created Information Security Risk Management Framework and Methodology for Corporate Audit Department using Scienton Security Information Management Model™, ISO17799 and COBIT. Provided a Privacy Impact Assessment and BIA (BCP) for the rollout of a new Web based retail application including Identity Management System. Produced pre-deployment Wireless Project Security Assessment and Risk Analysis.
Major Canadian Engineering Company: Managed an Information Leak Protection Proof of Concept Lab Project. Analyzed the organization's information levels and existing information protection processes and technologies. The integrated solution provided a corporate authentication, information protection and access control strategy allowing for the protection of multiple file types stored on the file server and of files in transfer via mail, FTP and web protocols (digital watermarking – MarkAny – and proprietary steganography techniques).
Developed Business Requirements Document and ROI for Enterprise Authentication. Developed PKI/BIO/SSO/DS requirements document and vendor selection process. Designed PKI/CA & SSO solution with vendors and managed POC project phase. Coordinated POC tests for Entrust, RSA Keon, Shym, Baltimore & CAI. Developed DNS management & DNS solution for the Raptor v6.0
Allianz Canada: Provided high level Enterprise Security Assessment document with an objective to amalgamate the findings of the previously performed extensive, low-level security audit. Developed IS Security Strategy guidelines (security policies, assessment, procedures, and risk analysis documentation), as well as DRP.
Attorney General – Assessment Review Board: Managed an ongoing long-term maintenance agreement for ARB's Oracle/Sun Solaris environment. Created SLA-based procedure documentation (ITIL).
TD Securities: Managed project to design proxy server solution (Web Complex) with an objective to filter access to the Internet (HTTP and SMTP) as well as to control inbound traffic (SMTP, HTTP, FTP, (N)NTP, Telnet and virus protection), based on clustered (StoneBeat – high availability software) Raptor servers, Session Wall Intrusion Detection and Net Appliance caching device.
Provided high-level design for Authentication/Identity Management Project (SSO+ PKI+Smart Card). Organized Authentication Proof of concept stage with CoreChange SSO, Entrust PKI, Baltimore PKI, American Biometrics BIO Devices (bio devices + smart card), CA eTrust suite (SSO, Access Control, Directory), Netegrity SiteMinder. Installed and customized all necessary components. Developed integration between CA Directory and Authentication components (Entrust, BIO devices, SSO, Netegrity SiteMinder). Prepared RFPs and business proposals for clients.
**Experience prior to 2000 as a Project Lead/Manager available on request**
Invited Lectures and Presentations
Canadian and International ISO17799 User Group Conferences
CEBIT – Hanover, March 2004; Calculating Risks – ITIL, COBIT and ISO17799
Southeastern Europe Conference on Regional Security through Data Protection – Belgrade, December 2003; Information Risk Modeling
ISSA Toronto Chapter Seminars
SANS Conference – Chicago 2004 – Risk Models for Privacy
CIO Summit – Toronto 2002 – Panel on Risk Management
CIO Summit – Toronto 2015 - Executive Visions Panel
Memberships
IARCP (International Association of Risk and Compliance Professionals) - Member
Project Management Institute – Canada’s Technology Triangle Chapter
ISACA – Toronto Chapter
Canadian ISO 17799 User Group – Member of the Board
ISSA – Ontario Chapter
ITAC – Member; also served as a member of the ITAC e-Health Privacy Committee
CIPS (Canadian Information Processing Society)
Ontario e-Health Privacy Council - Member of the Advisory Board
SOCAN - Society of Composers, Authors, and Music Publishers of Canada
Education
CISA – ISACA – 2006
ITIL – Service Management, HSC/IT , Toronto (2003)
ITIL – Change Management, HSC/IT , Toronto (2003)
ISO 17799 – Certified ISMS Implementor, British Standard Institute, Toronto, 2002
BS 7799-2 - Certified ISMS Lead Auditor, British Standard Institute, Toronto, 2002
Various security courses:
Certified Solaris Security Administrator
Certified Checkpoint System Engineer (CCSA & CCSE for Firewall-1)
Certified Computer Associates – eTrust Line of Products Professional
Certified AIX SA & AIX SP (v3.* & v4.*), Completed IBM SP Installation
Certified Sun Solaris 2.5 Administrator I & II (Competency 1000)
Certified HP-UX 10.* Post-sale Support
Certified HP - Raptor Firewall Solution Provider
Certified RSA Inc. - SecureID VAR
Certified IBM Firewall v3.1.1 Professional
Raptor v4.0
Modeling Web-based Applications, Rational Software Corp. (2000)
Completed various Oracle, Sybase and consulting courses.
Client/Server Computing Course, Learning Tree International, Toronto, Ontario (1995)
Novell’s Course for Certified Network Engineer, Toronto, Ontario (1993)
Honeywell-Bull SA/DB Management Course (6 months), Belgrade, Yugoslavia (1987)
Courses in Computer Science (one year), Belgrade University, Yugoslavia
BA, Belgrade University, (Economics major) (1983)
Patents
Co-invented three patents for risk and security modelling and quantification. Two patents granted and additional patents filed, individually in Canada, the US, and the EU.