Resume Sanjaya Kalpage


Sanjaya Kalpage

Senior Information Systems Auditor

Colombo, Sri Lanka | Sanjaya.kalpage@gmail.com | +94-772531381

PROFILE SUMMARY

With over a decade of experience, I am currently a Senior Information Systems Auditor at Sampath Bank PLC, a leading commercial bank
in Sri Lanka with 229 branches and more than 4000 employees. In this pivotal role, I lead comprehensive IT security audits, ensuring the
integrity, performance, and security of critical systems and IT infrastructure in adherence to international standards and regulatory
compliance. I collaborate with cross-functional teams, simplifying technical complexities for strategic alignment. My results-driven
approach consistently enhances the bank's compliance and security posture, contributing to its reputation for trust and reliability in the
financial sector.

SKILLS

• IT Audit & Compliance aligned with international standards
• IT Security Policy and Procedure Review
• Strong cross-platform information security knowledge
• Security Investigations and root cause analysis
• ISO 27001 & COBIT 5
• Cross-functional Collaboration
• IT Risk Management and knowledge of IT general controls
• Adaptability & Critical thinking
• Cybersecurity & Threat Mitigation
• Logical reasoning & Attention to details
• Data Privacy & Protection
• Strong analytical skills

WORK EXPERIENCE

Senior Executive - Systems Audit Department, Sampath Bank PLC, Colombo, Sri Lanka (2013 – Present)

• Plan, schedule, and conduct security audits in application systems (web, mobile applications) and related IT infrastructure such as
end point devices, middleware, web/application servers, active directory, databases, communication and network devices such as
firewalls and routers while maintaining quality standards and adhering to timelines.
• Evaluate whether sufficient internal controls are in place to ensure that business processes are free from any disturbances while
achieving integrity and information security requirements.
• Review the risk management process from risk identification to risk treatment and monitoring to ensure alignment with the
company’s risk management framework and to manage risks effectively.
• Review and assess the adequacy of information security policies, procedures, and guidelines to meet industry best practices and
regulatory requirements. Update them as necessary and verify whether users have sufficient awareness of these documents.
• Check whether systems and processes are developed in compliance with information security policies, procedures, standards,
industry best practices, and regulations.
• Act as the ISO lead auditor to conduct annual ISO 27001 surveillance audits, verifying the effectiveness of the bank’s Information
Security Management System (ISMS). Report any non-compliances and assess the effectiveness of corrections and corrective
actions.
• Investigate information security breaches to diagnose the root cause and provide recommendations to troubleshoot and resolve
control lapses and technical issues in systems and processes.
• Ensure that vulnerability assessments and penetration tests are conducted and the issues are promptly resolved to enhance the
organization's resilience against potential cyber threats.
• Regularly assess the hardening status of servers, endpoint devices, and network security devices using industry-standard
guidelines to confirm their proactive protection against cyber threats.
• Ensure information security requirements for sensitive data by assessing data protection measures in databases such as
encryption, backup strategies, and recovery processes.
• Assess the data center design to ensure seamless equipment operations, efficient network connectivity, and compliance with
information security requirements.
• Evaluate the capacity planning of IT infrastructure such as storage and network bandwidth to verify whether sufficient focus has
been made and actions taken to fulfill future requirements.
• Collaborate with cross-functional teams and ensure that the organization complies with relevant laws, regulations, and industry
standards related to cyber security and data protection.
• Analyze and review whether technical issues in software applications, endpoint devices, back-end servers, and network
communication have been rectified effectively following standard change management procedures to maintain availability.
• Verify the status of service level agreements with vendors, whether the bank has active contractual obligations, especially on
information security-related services.
• Serve as a technical committee member in IT security projects (e.g., DLP, SOC, SIEM) to provide expert knowledge on ensuring
alignment with information security requirements.
• Lead the team in reviewing the annual disaster recovery drill to verify the readiness of application systems and related IT
infrastructure, assessing the adequacy of procedures, and evaluating the capability of recovery processes, and data centers.
• Assist the management in identifying and evaluating technology-related risks within business processes, assessing the
effectiveness of controls towards information security.
• Evaluate the identified gaps on a risk-based approach and convey findings to the users and the management through audit reports
with recommendations for corrections and corrective actions, written to a professional standard, to eliminate recurrence.
• Maintain a database of issues and suggestions made by the department and follow up on corrections and corrective actions with
agreed timelines and escalate when required.
• Review the effectiveness of remediation actions and troubleshooting activities performed to resolve identified system issues
through follow-up audits.
• Maintain detailed work papers and a thorough audit trail organized through the appropriate tools, ensuring comprehensive
documentation of the completed tasks.
• Stay current with emerging cyber threats and industry best practices to proactively fortify information security defenses and
provide training to subordinates.

Junior Executive – Branch Operations, Sampath Bank PLC, Colombo, Sri Lanka (2006 – 2013)

• Established a robust operational foundation with seven years of hands-on experience in business transactions, internal controls
and compliance, providing a unique perspective for evaluating security controls in any domain, effectively bridging the gap
between IT and business.

CERTIFICATIONS

• Certified Information Security Manager (CISM) - ISACA, 2023
• Certified Information Systems Security Professional (CISSP) - ISC2, 2021
• Certified Information Systems Auditor (CISA) - ISACA, 2018
• ISO 27001 Certified Lead Auditor - Bureau Veritas, 2018

EDUCATION

• Master of Business Administration (MBA) - Anglia Ruskin University, UK, 2018
• Bachelor of Information Technology (BIT) - University of Colombo School of Computing (UCSC), Sri Lanka, 2012

*** References available upon request