Rachel Teoh

From BCMpedia. A Wiki Glossary for Business Continuity Management (BCM) and Disaster Recovery (DR).
Rachel Teoh, Global Security & Compliance Specialist, Shell IT International


Malaysia

Rachel has over eight years of experience in Information Security, Risk Management and related subjects such as Business Continuity Management, Corporate Governance, Regulatory Compliance and Internal Audit. She has proven her ability to understand operational and strategic issues and to turn them into detailed analysis, planning and implementation of effective technical and management information security solutions. She has conducted a variety of consulting assignments and training courses for various industries and for audiences at different levels. She has also assisted organizations in reviewing and improving the way they handle risk management issues from both operational and strategic perspectives. She has helped develop and implement a large number of risk, continuity and disaster management strategies along with their associated plans, policies, procedures and technologies.

Appointment within BCM Institute

Rachel is an Associate Instructor for BCM Institute Malaysia.

Past Employment

  • Global Security & Compliance Specialist, Shell IT International [1]
  • Managing Consultant, SCAN Associates Berhad, KL 2001 – 2009
  • Lecturer, Tunku Abdul Rahman College, KL 2001 [2]

Professional Certification

  • Certified BS7799 Lead Auditor by British Standard Institute
  • Certified Information Systems Security Professional (CISSP) (Cert No.: 66098) by International Information Systems Security Certification Consortium (ISC)²
  • Certified Functional Continuity Planner (CFCP) by Disaster Recovery Institute International (DRII)
  • SANS GSEC


Academic Qualification

  • MSc Computer Science, University of Technology Malaysia, KL. Master by research in the field of information security. 2003
  • BSc Computer Science, University of Technology Malaysia, Johor, 2000

Presentations and Publications

  • Teoh Su Chi and Norbik Bashah Idris. An Improved Key Recovery Infrastructure by Leveraging the PKI. Symposium of Cryptography and Information Security, Japan (2002).
  • Teoh Su Chi and Norbik Bashah Idris. A Novel Key Recovery Scheme Implemented in Public Key Infrastructure. 2nd World Engineering Congress (2002).
  • Teoh Su Chi and Norbik Bashah Idris. Key Recovery In PKI. Malaysian Science and Technology Congress (2001).
  • Teoh Su Chi. Piawaian Keselamatan ICT Perlukan Pematuhan Proaktif. Berita Harian (December 28, 2005).
  • Teoh Su Chi. Common Pitfalls to Avoid in Achieving ISO27001 Standard. New Straits Times (December 3, 2007).
  • Teoh Su Chi. A Framework for Resilience and Success. New Straits Times (March 17, 2008).
  • Teoh Su Chi. ISS Challenge: Efforts to Comply with the New Standard. SSD Newsletter (May 2009).

Other Special Developments and Interests

Information Security Strategic Planning /Management

  • Engaged in crafting the information security framework for clients ranging from telecommunication providers to financial institutions. The framework is a strategic plan which outlines the client’s current state of information security, defines future security state and provides the roadmap and action plan for closing the identified gaps.
  • Experienced in implementing an Information Security Management System (ISMS) compliant with ISO27001. This includes security document development, security risk assessment, strategic blueprint and risk treatment plan development, etc. Has practical, successful experience in preparing an organization for ISO27001 certification.
  • Experienced in developing policies, standards, guidelines and procedures for all sorts of environments, both high-level and technical.
  • Involved in the conceptualization of an operational and process framework for the Saudi Computer Emergency Response Team (CERT). Activities included developing policies and procedures to support the operation of the CERT.
  • Involved in the conceptualization of an operational and process framework for the Security Operation Center (SOC) of PT Indosat (Indonesia). Activities included developing policies and procedures to support the operation of the SOC.
  • Security consultant for the implementation of security solutions as part of Bank Negara Malaysia’s GPIS1 requirements for a local financial institution. The work involved developing the blueprint and roadmap, preparing tender specifications and evaluation criteria, preparing Proof-of-Concept requirements, conducting technical evaluation and giving recommendations.

Business Continuity Management (BCM) /Disaster Recovery Planning

  • Involved in the conceptualization of the service model, development of the service delivery methodology, and transfer of knowledge to subordinates.
  • Provided technical expert assistance to organizations in developing, implementing, testing, and maintaining their Business Continuity / Disaster Recovery Plans.
  • Involved in risk profiling and business impact analysis: determined the financial, regulatory and operational impact a disaster may have on an organization, and subsequently facilitated and helped clients determine their risk appetite, recovery requirements and recovery objectives.
  • Developed options for recovery strategies with cost and benefit analysis. Prepared budgetary requirements, technical architecture, and the relevant BCM framework for management approval.
  • Developed plans and procedures for emergency response, recovery, backup and restoration, evacuation, resumption, damage assessment, plan activation, escalation etc.
  • Conducted simulation testing and plan walkthrough to validate the practicality and effectiveness of the developed plan.

Regulatory Compliance

  • Assisted in the interpretation and implementation of requirements for the following regulations: US Export Control, SOx, Privacy and Data Protection Act, Payment Card Industry (PCI) Data Security Standard (DSS).

Information Security Handbook

  • Co-author for Saudi Arabia Information Security Handbook (SAISH). The handbook (approximately 200 pages) provides an overview of information security threats and various controls that could be used to mitigate the risks. The handbook intends to provide a quick guideline to public and private sectors in the Kingdom of Saudi Arabia on how to manage security risks.
  • Among topics addressed in SAISH are concepts in information security, information security planning process, physical security, incident handling, access control, security monitoring tools and methods, computer forensics etc.

Information Security Training /Awareness Program

  • Involved in the design of training modules and development of training content. Well versed in training service delivery methodology, e.g. training needs analysis, gap analysis, post-training evaluation, etc.
  • Conducted various information security training and user awareness programs for different levels of staff, ranging from technical staff, operational staff and line managers to ‘C’-level management. The following provides a synopsis of the various training courses conducted.
  • Introduction to Cryptography. This course provides the basics of cryptography. It covers topics such as number theory, secret key cryptography, public key cryptography, hashing etc.
  • Advanced Cryptography. This course was specifically designed for the defense department. It discusses complex topics such as elliptic curve cryptography, Advanced Encryption Standard (AES), public key infrastructure, steganography, cryptographic protocols etc.
  • Information Security Management System. This course provides practical guidance for those who aim to establish an information security management system for the purpose of ISO27001 certification.
  • Business Continuity Management. This course provides practical guidance in developing, implementing and maintaining a Business Continuity Plan. It covers topics such as project initiation, risk assessment, business impact analysis, crisis communication, plan maintenance, plan testing, etc.
  • Introduction to ICT Security. This is a foundation course which provides the basics of information security. It covers topics such as network security, security tools, encryption, firewalls, intrusion detection systems, wireless security, etc.
  • Clients served include: Celcom, Jabatan Pendaftaran Negara, MAMPU, PT Excelcomindo Pratama (Indonesia), PT BCA (Indonesia), Ministry of Defense, INTAN, Bank Pembangunan, SME Bank, etc.