Compliance Services

-- Providing executive and technical leadership for various compliance and regulatory areas.

We have dealt with many legal, regulatory, compliance and security requirements and issues. As a CISO, we performed numerous risk assessments and audits, and as an external auditor we have been directly involved in audits and certifications in the following areas: PCI-DSS, HITRUST, HIPAA, EHNAC DTAAP-HISP, SOC2, ISO 27001, CMMC, GLBA.

All projects required a deep knowledge of the compliance requirements, as well as leading the efforts from both a project management and a management/technical design, review and remediation focus. These projects also involved extensive, regular communications with management, divisions, and outside auditors, as well as regular internal status reports and briefings.

Below are a few examples of compliance project engagements:
ISO/IEC 27001:2013 Certifications and Readiness Assessments
  • Performed annual ISO 27001 internal audits, set up audit schedules and requirements, prepared status reports and updates.
  • Performed an assessment to determine whether the IT security program and business applications meet prudent and regulatory security guidelines as defined in the ISO/IEC 27002 control framework. Developed a scoring methodology for objective ratings.
  • Performed risk assessments, developed scope and boundaries and Statement of Applicability (SoA) documents, developed required high-level policies, etc.
  • Conducted interviews of all business units; performed reviews of technical, architectural design, and policy documents; reviewed controls in place for all systems, applications, physical security controls, and other areas.
  • Prepared a comprehensive report of findings for Executive Management; the report identified gaps between current operations and ISO 27001/27002 requirements, defined the risk associated with each gap, and provided remediation recommendations and methodology.
PCI Certifications and Readiness Assessments
  • Technical review of entire data and voice networks, including detailed review of firewall, router and switch configurations for PCI compliance.
  • Identification of PCI non-compliant firewall rules and the required remediation steps; conference calls with internal company teams to review findings and agree on appropriate remediation.
  • Led project management for all technical areas and reviews.
HITRUST, HITECH and EHNAC DTAAP-HISP Certification
  • Led all internal efforts to manage preparation of response documents and exhibits to external auditors.
  • Provided project management expertise including weekly progress reports and executive dashboard for executive management team.
  • Provided management and security guidance to Security and Risk Management Officer to strengthen internal infrastructure, policies and controls.
CMMC (Cybersecurity Maturity Model Certification)
  • Led all internal efforts to manage preparation of response documents and exhibits.
  • Reviewed controls in place for all systems, applications, physical security controls, and other areas.
GLBA Risk Assessment
  • Performed a complete GLBA risk assessment in order to identify reasonable and foreseeable internal and external threats to member information; assess the likelihood and potential damage of those threats; and assess the sufficiency of the policies, procedures, customer information systems, and other controls in place to mitigate and reduce the identified risks.
  • Conducted interviews of all business units; performed reviews of technical, architectural design, and policy documents; reviewed controls in place for all systems, applications, physical security controls, and other areas.
  • Prepared a comprehensive report of findings including a risk assessment spreadsheet with risk ratings and mitigation recommendations for all business units, systems, applications and other areas of the organization.
SOC2 Readiness Assessments
  • Performed SOC2 readiness assessments including interviews and determination of the appropriate Trust Services Principles/Criteria.
  • Conducted interviews of all business units; performed reviews of technical, architectural design, and policy documents; reviewed controls in place for all systems, applications, physical security controls, and other areas.
  • Prepared a comprehensive report of findings including a risk assessment spreadsheet with risk ratings and mitigation recommendations for all business units, systems, applications and other areas of the organization, as well as a gap analysis and recommendations for improvements needed prior to external audit and certification.