Three lines of defense. Quantified risk posture. Defensible controls.
Designing and operationalizing enterprise GRC programs across federal and Fortune 500 environments — from ServiceNow IRM deployment and risk register management to control testing, audit liaison, and regulatory compliance across NIST 800-53, CMMC, SOX, and FISMA.
My GRC programs operate across all three lines — from first-line IT and operational controls through second-line risk oversight to third-line audit validation. This integrated approach ensures governance is not siloed but embedded across the enterprise.
800+ security and privacy controls organized into 20 control families. My programs deploy and validate controls across AC, AU, CA, CM, IA, MP, RA, SC, and SI families — establishing the baseline for enterprise GRC programs in federal and defense environments.
Defense Industrial Base compliance requiring demonstrable implementation of 110+ NIST 800-171 controls at Level 2. Led controls implementation and CMMC audit preparation for a Fortune 500 firm — establishing GRC workflows, audit trail governance, and compliance documentation required for certification.
IT General Controls (ITGCs) under SOX include change management, access controls, computer operations, and data integrity. My programs establish and test ITGCs as part of broader GRC frameworks in financial services and public company environments.
Hands-on implementation experience deploying ServiceNow IRM to digitize enterprise risk management frameworks — automating risk assessments, control testing, issue lifecycle management, and compliance documentation. Led an IRM implementation that was selected as one of two globally funded go-to-market investments in a digital risk solution at a Big 4 firm.