PROJECTS
• Fills the role of Virtual CISO
- Presents to a cybersecurity committee
- Prepares presentations for boards of directors
- Conducts strategic planning
- Leads risk register meetings
Recent Projects:
• Data actions inventory
• Privacy risk management framework
- NIST Privacy Framework v1.0
- NIST privacy task statements
- Consumer rights
- Business obligations
- Reputable practices to identify and mitigate risk
- Assigned RACI designations to controls
• 3 days of on-site meetings (March, June and November)
- Cybersecurity committee meeting
- Working sessions
- Strategic planning
- Outbrief presentation
• Insider risk management program - Phase II
• Incident response playbook
- Fraudulent website
• Zero trust controls analysis
- NSA's seven pillars
• TPRM program refresh
- Generative AI
- NIST Cybersecurity Framework v2.0
- Privacy updates
- Reputable practices
• Data security training deck
• Crisis communications training deck
• Consolidate logs for insider threat detection
• Executive overview deck
• Generative AI chatbot testing procedures
• Information security survey
- Voice of the customer
• Privacy risk management controls
• Materiality determination process
- Cybersecurity incident
• Insider threat personas (5)
• Suspicious command monitoring
• Vendor report analysis procedures
• Cyber risk management framework
- NIST Cybersecurity Framework v2.0
- Implementation examples
- NIST Privacy Framework v1.0
- Added controls to identify and mitigate risk
- Assigned RACI designations to controls
• Executive risk summary
• Data breach notification matrix
• Control risk summaries
• Shared responsibilities matrix process
• Targeted risk analysis
• Vendor contract addendum
- Secure software development
• Tabletop exercise - Cybersecurity
- Two 90-minute sessions
- 9 incident response injects
- 9 crisis communications injects
- Hot wash
• Third party risk management questionnaire
• Incident response training
• RACI matrix
- Responsible
- Accountable
- Consulted
- Informed
• Penetration testing methodology
• PCI compliance program charter
• Encryption key custodian form
• Procedures manuals
- Virtual machine administrator
- Network and firewall administrator
2023 Select Projects:
• Activity task scheduling - Cybersecurity
• Crisis communications plan
• Procedures manuals
- Security operations
- Governance, risk and compliance
- Database administrator
- Cloud administrator
- Key management
- Third party risk management
- IT operations
- Vulnerability management
- Targeted risk analysis
- Change management
- Software development
- Identity and access management
• 3 days of on-site meetings (March, June and November)
- Cybersecurity committee meeting
- Working sessions
- Strategic planning
- Outbrief presentation
• Incident response plan (5 scenarios)
• Holding statement templates
- Data breach
- Third party data breach
- Viral hoax message
- Chatbot error
• Requirements - Issue management application
• Deception technologies
- Honeypots
- Honeytokens
- Multi-vendor
• Issue management - Cybersecurity
- Remediation standards
- Timelines by risk severity
- Issue categories
- Reporting, metrics, KPIs and KRIs
• Website privacy notice
- Analysis of laws and regulatory requirements
- Updated privacy notice content
- Transitioned to layered notice
• Cybersecurity risk management framework and information security policies
- NIST Cybersecurity Framework
- PCI Data Security Standard
- Added controls to identify and mitigate risk
- Mapped controls to roles and artifacts
- Startup company
• Tabletop exercises (TTX)
- Cybersecurity incident response
- Incident trends - March
- Recent incidents - June
• Privacy impact assessments (6)
• Privacy management metrics (6)
- Data subject requests
• Generative AI company policy
• Insider risk monitoring and response
- Continuous data exfiltration monitoring
- Monitoring when an employee tenders resignation
- Monitoring triggered by behavioral indicators
• Data exfiltration by an employee or contractor
- Incident response playbook
- Return of company data letter
- Process diagram
• 30, 60, 90 day plans (2)
• Process owners - Privacy risk management briefing
• Privacy program executive update
• Privacy management program strategy
• Cybersecurity risk assessment (340 controls)
2022 Select Projects:
• 3 days of on-site meetings (March, June and November)
- Cybersecurity committee meeting
- Working sessions
- Strategic planning
- Outbrief presentation
• Risk management routines - Cybersecurity (18)
• Process and procedures inventory - Cybersecurity (13)
• Cybersecurity risk management framework
• Permit to build - Authorization to operate
• Threat landscape and controls analysis
• Monthly program status updates
• Zero trust executive briefing
• Staffing capacity and headcount request
• Incident response tabletop exercise (9 scenarios)
• Policy exception review process
• Planning exercises - Building and leading security strategy (2)
• Boundaries, defense and monitoring analysis
• Cybersecurity job descriptions (2)
• Voice of the customer feedback sessions - Cybersecurity (8)
• Health check methodology and planning
• Process design and risk assessment briefings (4)
• Privacy program, risk scenarios and framework review
• Policy exception request form
• Information security program summary
• Mission / vision statements
- Privacy management program
- Threat hunting program
• Identity and access management policy
• Strategic planning workshop
• Cloud security strategy
• Vendor risk profile
• Cyber risk self-insurance
- Research and analysis
• Architecture review board process
• SIEM monitoring alert requirements
• Procedures manual - Identity and access management
• Procedures - Third party risk management
- SOC report review
- Vendor artifacts review
• Mitigating vulnerability trends
2021 Select Projects:
• Program welcome packet
• Vendor contract security requirements
• Cyber risk appetite statement
• Metrics and reporting packages
- Third party risk management
- Vulnerability management
• Established and populated a risk register
• Insider threat toxic combinations
• Risk governance process, including risk register
• Workforce development plan
• Ransomware risk analysis
• Incident response plan (4 scenarios)
• Zero trust controls analysis (134 controls)
• Vulnerability management metrics, KPIs & KRIs
• Procedures manuals
- Third party risk management
- Vulnerability management
• Assessments
- Agile security testing (119 controls)
- Penetration test program (199 controls)
- Cybersecurity risk (409 controls)
- Cybersecurity program (303 controls)
- Cyber exercise program (99 controls)
- Business process risk (327 controls)
- Security awareness program (87 controls)
2020 Select Projects:
• Performance and development plans
• Cybersecurity metrics, KPIs & KRIs
• Internal control framework
• Risk governance process, including risk register
• Workforce development plan
• Assessments
- Cybersecurity risk, threat landscape & controls analysis, risk register process, insider threat and fraud prevention (561 controls)
- Security Operations Center (SOC)
2019 Select Projects:
• Cybersecurity insurance information supplement
• Third party risk management program
• Cloud security strategy
• IT asset management requirements