Debasish Roy

Bangalore

Summary

Over 26 years of experience in IT Application Security, Risk Management, and Consulting, leading global cross-functional teams. Drives initiatives across North America and India and has remotely spearheaded programs in Latin America, Europe, and China in Engineering, Utility, Manufacturing and Federal Government initiatives.

Overview

29 years of professional experience
1 Certification

Work History

Sr. SAP Security Administrator

Timken India
- Current

SAP Security Principal

KPIT India
01.2018 - 01.2019

SAP Security Lead

Cargill Business Services Pvt. Ltd., INDIA
06.2015 - 06.2017

SAP Security Consultant

SMART SOLUTIONS LLC, USA
10.2014 - 05.2015

Security Specialist Architect

TXU ENERGY, TX, USA
08.2010 - 07.2014

SAP Security Senior Consultant

ADROIT SOFTWARE & CONSULTING USA
07.2007 - 10.2009

Sr. SAP Consultant

BEARINGPOINT, USA
09.2005 - 03.2007

SAP Security Consultant

INTER-CONTINENTAL SOFTWARE SERVICES, INC USA
05.2004 - 06.2005

Database Application Developer/SAP Basis Administrator

DGTRADERS & ENGINEERS Pvt. Ltd., India
01.1997 - 03.2003

UNIX and Network Administrator

DITL, India
01.1996 - 01.1997

Education

Bachelor of Science - Mathematics

University of Calcutta
Calcutta, INDIA
08.2002

Skills

  • SAP Application Security Architect including S4HANA, Fiori, SAP GRC
  • IT Infrastructure
  • Compliance
  • Audit, Risk Management
  • Incident Response
  • Team Leadership
  • Application Security and Audit Leadership
  • SAP and GRC Application Security
  • IT Strategy, Audit and compliance
  • Mentoring, Training & Process Improvements
  • System Administration of various SAP and GRC products including Fiori, S4 HANA, C4C, IBP from Application Security aspect
  • IT Risk Assessment and Management
  • Digitalization of integrated solutions with a design-thinking approach at enterprise level for complex unstructured business or IT problems

Certification

  • CISM Certified - 2021
  • ITIL v3 Certified, 2011
  • GRC300 Training - SAP Access Control 10.0 - Implementation and Configuration in ASUG by SAP North America 2013
  • Certificate on ORACLE 7.1 with Developer - 2000 for Client Server Application in 1996
  • Bachelor of Science - University of Calcutta Kolkata, India - 07/1993
  • Diploma in Mechanical Engineering - State Council for Engineering & Technical Education Govt. of West Bengal - 05/2021
  • Certified Information Security Manager (CISM)

Accomplishments

  • Script to Create Large Number of Users: As per Timken policy, the Information Security Team creates users for any project-related activities in SAP systems. This activity was taking a huge amount of time from projects, as creating users manually one by one took more than 45 to 60 days depending on the number of users. Understanding the pain point of manual mass user creation, created an LSMW script to create mass users from a flat file, which reduces the time to create users to 15 minutes. Thus, reduced the cost of the project from an InfoSec point of view by more than 95%. Received the “Timken Star Award” in the year of joining, 2019.
  • SAP Patch Day: SAP AG releases SAP patches every alternate Tuesday to secure Application / Database / Network / Code related vulnerabilities. After analyzing all SAP applications (ECC / S4HANA, BI, BW, SCM, SRM, QIM, GRC 12), it was observed that there was no process in place to apply critical / high SAP patches on a regular basis to the Timken SAP landscape. Prepared a process document and presented it to IT leadership to apply SAP patches on a regular basis. Since 2020, this has been a monthly activity for Timken IT, after 16 years of SAP implementation.
  • DEBUG Activity Audit Log: The external auditor of Timken, E&Y, asked to capture a log of DEBUG activities by those users with access to all functionalities in SAP Production systems, and also to ease the review of such activities, which was being done by reviewing the SAP system log file, which was huge and tedious. Based on the audit requirement, I designed, created and activated Audit filters in all SAP Production systems to capture DEBUG activities. Tested these filters in non-Prod systems. Based on the successful result, presented to IT leadership and proposed a change in the review process. After successful implementation of the Audit filters in all SAP Production systems, the monthly SoX Audit is being prepared and reviewed based on these new filters and process. Received recognition for this initiative in the Timken Global Forum and received a cash reward.
  • Cost Reduction: During review of the budget of any project, it was noticed that third-party vendors were charging 8% to 11% as transportation in US Dollars. Analyzed the cost and verified with vendors the justification of the cost associated with it. After multiple internal discussions about this, the cost was removed permanently based on contractual agreement. Created an Excel-based form to estimate line-item-specific man-hours for any project where involvement of the SAP Security Team was mandatory.
  • SoD Risk Remediation: TXU Energy (a Texas, USA based utility company) was using SAP ECC, SAP BI, SAP CRM and SAP GRC 10.1 systems as part of their SAP landscape. In combination, there were more than 378K critical and high-level SoD risks in the ECC system itself. Analyzed the root cause of these SoD risks and prepared a plan for remediation. Presented the plan to the IT Security Director and CIO along with multiple BPOs. Within 30 days of remediation, reduced more than 60% of critical and high-level SoD risks in ECC systems single-handedly.
  • Data Issue with External Audit: KPMG, the external auditor, presented data and evidence pointing towards many critical risks in SAP Production systems. From the SAP Security aspect, analyzed those risks and verified the evidence in all SAP Production systems. Finally, presented all findings to KPMG in the presence of the IT Security Manager, Director and CIO, where KPMG accepted that the ABAP code it used to collect data was very old, as the data sources were valid for old SAP systems and not for the version TXU Energy was using, and that for this reason most of the risks were false. This saved TXU Energy and Energy Future Holdings Inc. (Parent Company) approx. US$ 82K from an audit fine and saved the organization from possible damage to reputation.

Languages

English
Hindi
Bengali
