Governance, Risk, and Compliance

I have a total of about 14 years' experience in doing GRC for multiple employers and consulting clients in multiple industries. I have an additional two years' experience in the related IT Security Audit realm, evaluating and addressing risk from a slightly different perspective.

As a consultant with Info@Risk, I delivered on projects for clients with varying compliance mandates, including:

  • NCUA, FDIC, and OCC implementing FFIEC guidance around Gramm-Leach-Bliley Act compliance,
  • Nationally critical electrical infrastructure in scope for NERC CIP requirements,
  • Clinics and hospitals subject to HIPAA compliance requirements.

These are organizations for which I helped to mature IT processes, mitigate technical risks, and reduce the risks of regulatory non-compliance through:

  • Development of policy and standards documents,
  • Risk assessment and business impact analysis (BIA),
  • Business continuity and disaster recovery planning,
  • Development and conduct of security awareness training,
  • Controls testing.

As Manager of the Information Security Controls Program at Jackson National Life Insurance, I built the IT Security GRC function from scratch. Key accomplishments here included:

  • Hired and managed the staff, interns, and external consultants to help implement the program,
  • Developed the third-party risk management program, in coordination with Legal and business stakeholders,
  • Owned, designed, and developed the security GRC module within our enterprise GRC system,
  • Authored the security policy and standards governing all North American business units,
  • Led the Information Security Controls Assessments team,
  • Automated security controls assessments and evidence capture,
  • Performed qualitative and quantitative risk assessments from the first line of defense perspective,
  • Performed security awareness training,
  • Prepared audit evidence and attestations, and represented IT Security to internal and external auditors, covering SOC2 and SOX audits,
  • Served as the IT Security representative to the Enterprise Architecture Forum,
  • Provided senior management with metrics related to the remit of my team.

As Manager of Security Controls Validation at Zoom Video Communications, my focus was on using offensive security techniques for product assurance, but the approach was unusual in pursuing these goals through prioritization and testing of security controls. I developed and documented a testing program for this with a timeline covering two years, aligned to the organizational security framework and regulatory mandates. My testing provided the empirical evidence to support control attestations and helped to align control gaps to business priorities and compliance mandates.

Professional certifications supporting this work include: CISSP, CISA, CISM, GCCC.

Security and regulatory frameworks utilized in this work have included:
  • Center for Internet Security (CIS) / SANS Critical Controls
  • NIST Cybersecurity Framework and SP800-53
  • ISO 27001 & 27002
  • COBIT
  • BSIMM (Building Security In Maturity Model)
  • HIPAA / HITRUST
  • Information Security Forum Standard of Good Practice
  • FFIEC IT Examination Handbook
  • Gramm-Leach-Bliley Act (GLBA)
  • NY Department of Financial Services
  • NERC CIP
  • PCI DSS
  • European General Data Protection Regulation (GDPR)
  • COSO
  • Sarbanes-Oxley Act (SOX)
  • Service Organization Control 2 (SOC2)
  • Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
