Regulatory Mandates

My entire career in security, spanning 20 years, has had a major focus on regulatory compliance. As a consultant with Info@Risk between 2004-2014, nearly all projects were driven by regulatory examiner demands in highly regulated industries. The majority of clients served were electrical utilities operating national critical infrastructure (NERC CIP), clinics and hospitals (HIPAA), and banking institutions (Gramm-Leach-Bliley Act enforced by pre-emptive examinations by NCUA, FDIC, OCC, and various state agencies). Aside from the technical security work, I did extensive consulting work in support of client regulatory goals, including:

  • Risk assessment and business impact analysis
  • Policy and standards development
  • Controls audit
  • Compliance gap analysis

Of my eight years with Jackson National Life Insurance, four were in positions with large regulatory concerns. As Senior IT Security Auditor, the key regulations to which I needed to connect risks and findings were primarily FINRA and SOX. As Manager, Information Security Controls Program, some newer regulations added growing job focus around the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the New York Department of Financial Services (NY DFS) regulations. NY DFS regulations were simply another column I needed to add to our internal security framework for alignment with controls. In support of GDPR, I served on an internal management forum working to align security and privacy efforts across business units in the U.S. and Europe. As I was regularly engaged with colleagues in the U.K. and India, I also needed to maintain general awareness of privacy and security regulations covering those countries.

As Manager, Security Controls Validation at Zoom Video Communications, one critical mandate to which I needed to align my work was an FTC consent order covering security and privacy requirements.

Some additional compliance areas my work has occasionally touched upon over the years include helping clients prepare for PCI-DSS audits and compliance with the cyber security requirements of USDA Rural Electric Programs.

Professional certifications supporting this work include CISSP, CISA, and CISM.
