I am a Third-Party Risk and Security Compliance Analyst focused on helping organizations reduce vendor risk, navigate regulatory requirements, and strengthen overall security posture. My background combines business leadership with hands-on cybersecurity and compliance execution, allowing me to translate technical risks into clear, actionable business decisions. I specialize in vendor risk assessments, control gap analysis, and audit readiness across frameworks such as PCI DSS v4.0.1, NIST Cybersecurity Framework 2.0, SOC 2 Type ll and ISO/IEC 27001:2022.

In my work, I have reduced high-risk vendor exposure, improved audit performance, and strengthened compliance programs through structured risk assessments, remediation tracking, and process automation. My approach is practical and results-driven, ensuring compliance efforts are scalable, understandable, and aligned with business priorities while driving measurable improvements in risk reduction and operational resilience.

Connect with me on Linkedin

Intro Video 2.mp4

Real-World Compliance Projects

Automation Process

TPRM Intake & Vendor Procurement Workflow Automation

Designed and built an automated Third-Party Risk Management intake workflow to improve vendor onboarding, procurement coordination, and audit readiness.

The workflow used Slack, Zapier, Trello, and Google Drive to capture vendor requests, identify whether the vendor required system access, notify the appropriate stakeholder, create a vendor review tracking card, generate an evidence folder, and link the documentation back to the workflow record.

This project was designed to solve a common TPRM problem: vendor requests often come in through informal channels, creating gaps in tracking, ownership, evidence collection, and approval visibility. By automating the intake process, the workflow helped reduce manual handoffs, improve consistency, and create a more defensible vendor review process.

What I Built

Built an automated workflow that:

Captures new vendor procurement requests from Slack.
Extracts key vendor information from the request.
Identifies whether the vendor requires system access.
Filters requests so only vendors requiring system access move forward for security review.
Sends a notification to the appropriate stakeholder or approver.
Creates a Trello card to track the vendor review.
Creates a Google Drive folder for vendor assessment evidence.
Links the Google Drive evidence folder back to the Trello tracking card.
Preserves request details and timestamps for better traceability.

Business Problem Solved

Many organizations manage vendor requests through email, Slack, spreadsheets, or informal conversations. That creates risk because vendor reviews can be missed, evidence can become scattered, and security teams may not be notified early enough when a vendor needs system access.

This workflow improves the process by creating a structured intake path that supports better visibility, accountability, and audit readiness.

Why This Matters to Companies

This matters because vendor onboarding is not just a procurement activity. It is a risk management activity.

When a vendor requires access to systems, data, applications, or business processes, the company needs a repeatable way to identify the risk, notify the right stakeholders, track the review, and collect evidence. Without that structure, organizations increase the risk of unauthorized access, incomplete due diligence, missed approvals, and weak audit trails.

This automation helps companies move from a reactive vendor intake process to a more controlled, risk-based workflow.

Tools Used

Slack | Zapier | Trello | Google Drive

Prompt

VENDOR REQUEST AUTOMATION ZAP - COMPLETE BUILD PROMPT,

Zap Purpose: Automate vendor procurement requests from Slack → Filter by system access requirement → Notify approver → Create Trello card & Google Drive folder → Link them together

EXACT CONFIGURATION:

Step 1 - Slack Trigger

App: Slack,
Action: New Message in Channel,
Channel: #new-process,
Listen for: All messages (include bot messages: ON, Raw text: ON),

Step 2 - Extract Vendor Name

App: Formatter by Zapier,
Action: Text → Extract Pattern,
Input: {{340627605__text}},
Pattern: Vendor Name:\s*(.+),
Output: {{340627606output0}},

Step 3 - Extract System Access Answer

App: Formatter by Zapier,
Action: Text → Extract Pattern,
Input: {{340627605__text}},
Pattern: Use prior to[^:]*:\s*(Yes|No),
Output: {{_GEN_1766543364603output0}},

Step 4 - Filter for "Yes" Only

App: Filter by Zapier,
Condition: {{_GEN_1766543364603output0}} equals "Yes" (case-insensitive),
Action: Continue (if true),

Step 5 - Send Slack DM Notification

App: Slack,
Action: Send Direct Message,
To User: Haley (or recipient username),
Send as bot: NO (from your account),
Message: "Hi (Name), heads-up regarding {{340627606output0}}. The request justlanded in my queue a few minutes ago, and it looks like they will need system access.\n\nI'm starting the security review now, but I wanted to share this ahead of time to help with your planning."

Step 6 - Create Trello Card

App: Trello,
Action: Create Card,
Board: Sanity Check,
List: New Request,
Card Name: {{340627606output0}} (vendor name only),
Description: [Full request details from original message],
Request Date: {{340627605__ts_time}} (Slack message timestamp),

Step 7 - Create Google Drive Folder

App: Google Drive,
Action: Create Folder,
Parent Folder: Vendor Assessments,
Folder Name: {{340627606output0}}/ Sanity Check,

Step 8 - Update Trello Card with Drive Link

App: Trello,
Action: Update Card,
Board: Sanity Check,
Card ID: {{_GEN_1766546117815__id}} (from step 6),
Description: Link to Google Drive folder:{{_GEN_1766546117816__alternateLink}},
Overwrite Description: YES,

KEY DATA FLOWS:

Vendor Name flows through entire Zap: Step 2 → Steps 5, 6, 7, 8,
System Access answer: Step 3 → Step 4 (filter gate),
Slack timestamp: Step 1 → Step 6 (Request Date),
Trello card ID: Step 6 → Step 8 (updates same card),
Google Drive folder link: Step 7 → Step 8 (appends to card),

IMPORTANT NOTES:

Slack channel: #new-process (C0A58SDAT7F),
Only executes if "Yes" to system access (Step 4 filter),
Google Drive folder created BEFORE updating Trello (workflow order critical),
All timestamps use Slack's native message timestamp,
DM sent to you () - change recipient as needed

NIST AI Risk assessment V 0

Copy of Loan Shark Holdings Inc. – AI Acceptable Use & Governance Policy

Loan Shark Holdings Inc. – AI Risk Governance Project

Governing AI with Purpose: A Risk-Driven Strategy for Fintech

When companies adopt generative AI, most skip the hard part: governing risk at the process level. For this project, I applied the NIST AI Risk Management Framework (AI RMF 1.0) to a fictional yet realistic fintech business—Loan Shark Holdings Inc.—to create an end-to-end AI governance strategy that reflects how real risks emerge and evolve in financial services.

Instead of starting with technical checklists, I began with process mapping:
Function → Sub-Function → Process → Description → Asset → Vulnerability → Threat.
This allowed me to trace AI risk to actual business operations—from chatbot misinformation to shadow AI use and model bias in loan approvals.

What I Delivered

✔ A story-driven AI risk register using full lifecycle thinking (Govern, Map, Measure, Manage)
✔ Each risk is mapped to ISO/IEC 27001 Annex A, NIST CSF 2.0, and PCI DSS 4.0.1 requirements
✔ Integrated NIST AI 600-1 mitigations like adversarial testing and human-AI oversight
✔ Drafted a cross-framework AI Governance Policy aligned with security, privacy, and compliance obligations
✔ Built a review and escalation plan to track model drift, policy violations, and prompt injection attempts

Why This Strategy Matters

Demonstrates how AI risks emerge from workflows, not just code
Shows maturity in aligning multiple frameworks into one cohesive risk program
Provides a repeatable model for fintechs looking to innovate without losing control

This is how I build governance that works—not just in theory, but in practice.

Risk Register

Teaching Hands-On Risk Management in Cybersecurity & GRC

In cybersecurity and GRC, real impact isn’t just about compliance—it’s about managing real risk. As an instructor, I provided hands-on training to a cohort of 10–15 students, teaching them how to build and manage a Risk Register that goes beyond simple attestation. Using NIST CSF 2.0 (Identify & Respond functions) and PCI DSS 4.0.1’s risk-based approach, I guided students through the process of identifying, assessing, and prioritizing security risks that truly impact an organization’s security posture.

But identifying risks isn’t enough. To translate risks into actionable business value, I taught students how to develop a Plan of Action and Milestones (POAM)—a structured approach that connects risks to accountable remediation efforts. My training aligned with:

✔ NIST CSF 2.0: Teaching students how to apply ID.AM-01 (Asset Management), ID.RA-01 (Risk Assessment), RS.AN-03 (Incident Analysis), and RS.MI-01 (Incident Mitigation) to enhance risk visibility and response.
✔ PCI DSS 4.0.1: Providing real-world application of 6.3.1 (Risk-Based Vulnerability Management), 12.3.2 (Risk Assessment for Custom Controls), and 11.6.1 (Continuous Threat Monitoring for Payment Pages) to ensure risk-informed security decisions.

Why This Matters for Future GRC Professionals

✅ Prepares students for real-world cybersecurity risk management, ensuring they can assess and mitigate risks in an enterprise setting.
✅ Strengthens decision-making skills, enabling students to prioritize security threats based on business impact rather than checkbox compliance.
✅ Builds proactive security leaders by teaching how to integrate risk management frameworks into governance, compliance, and security operations.

GRC isn’t about checking boxes—it’s about making informed security decisions that protect critical assets and support business growth. Through practical, hands-on learning, I equip students with the skills they need to transition into cybersecurity risk and compliance roles, ensuring they can apply risk-based thinking to drive security resilience.

PCI DSS 4.0.1 REQ 1.pdf

Download for FREE

Simplified PCI DSS 4.0.1 Framework for Enhanced Security Awareness

In this project, I developed a simplified version of the PCI DSS 4.0.1 framework, designed to make compliance requirements accessible to non-technical analysts and stakeholders. By translating complex regulatory language into clear, actionable steps, I ensured that team members at all levels could understand and implement the requirements effectively.

A key focus was aligning the framework with Requirement 12.6, which emphasizes the importance of security awareness. I created tailored training materials to enhance understanding and engagement across technical and non-technical teams. This initiative empowered stakeholders to confidently meet compliance objectives while fostering a culture of security awareness and accountability.

Key Achievements:

Transformed intricate PCI DSS 4.0.1 requirements into an easy-to-understand framework for non-technical audiences.
Designed security awareness training aligned with Requirement 12.6, improving team comprehension and collaboration.
Bridged the gap between technical and non-technical stakeholders, driving efficient implementation of compliance measures.

CompTIA Sec+ E BOOK (1).pdf

Download for FREE

I developed a comprehensive, AI-driven study guide for the CompTIA Security+ certification exam, tailored to provide aspiring cybersecurity professionals with a streamlined, effective learning experience. This resource leverages advanced AI technology to deliver essential knowledge and skills, supporting not only certification success but also a robust start to careers in cybersecurity.

Key Features of the Study Guide:

Complete Coverage of Exam Objectives: Aligned with CompTIA’s Security+ blueprint, this guide covers all critical areas, from risk management and incident response to cryptography and access control, ensuring learners have a solid grasp of each core topic.
Simplified Explanations of Complex Concepts: Utilizing AI-powered content generation, I transformed intricate cybersecurity concepts into accessible explanations, enriched with real-world examples and applications to deepen understanding.
Actionable Insights and Expert Tips: Drawing from my industry experience, I included practical advice and recommendations to help learners navigate common challenges, enhancing their preparation journey with valuable insider perspectives.
Enhanced Learning Experience Through AI: With Perplexity’s AI platform, I organized a vast amount of information into an intuitive, easy-to-follow format, making the learning process more efficient and engaging.

To advance inclusivity in cybersecurity, I’ve made this resource freely accessible, removing financial barriers that often limit access to high-quality educational materials. My goal is to democratize cybersecurity education, empowering aspiring professionals with the tools they need to thrive and contribute to a capable, diverse workforce poised to meet the demands of an evolving digital landscape.

Through this AI-powered guide, I aim to inspire, inform, and equip the next generation of cybersecurity talent, helping them take confident steps toward earning their Security+ certification and making a positive impact on the industry.

Hardening Healthcare: A NIST CSF 2.0 Analysis of the 2024 Ascension Health Ransomware Attack

When cybercriminals targeted Ascension Health in 2024, they didn't just breach a network – they jeopardized critical healthcare services across 140+ hospitals, impacting millions of patients. This case study leverages the newly released NIST Cybersecurity Framework 2.0 to dissect one of healthcare's most significant cyber incidents, transforming hindsight into foresight for enhanced security.

Through systematic analysis of Ascension's pre-breach posture, incident response, and recovery efforts, this study:

Maps critical security gaps against NIST CSF 2.0's core functions
Extracts actionable insights for healthcare organizations facing similar threats
Demonstrates practical implementation of the framework's latest enhancements
Develops a blueprint for resilience in an era of escalating healthcare cyber attacks

Beyond theoretical framework application, this analysis delivers concrete recommendations for protecting healthcare operations and patient data integrity in today's heightened threat landscape.

Case Study 3.pdf

1) Case Study

Applying the NIST CSF 2.pdf

2) Applying the NIST CSF 2.0

Third Party Security Risk Analyst Exercise

Third_Party_Security_Risk_Analyst_-_Assignment (2).pdf

1) Case Study

Assignment_-_Third_Party_Security_Risk_Analyst_1.pdf

2) Assignment - Third Party Security Risk Analyst

Step-by-step_playbook.pdf

3) Step by Step Playbook for Third Party Security Risk Analyst

“Star Sales Solutions” Security Mock Assessment | CIS v8

This assessment aimed to support a tech company with limited security maturity by conducting a comprehensive audit using the CIS v8 Implementation Group 1 framework. Given the company’s modest capabilities, CIS v8 provided a cost-effective and scalable framework to establish foundational security controls.

Project Highlights:

Framework Selection and Alignment: Leveraged CIS v8 Implementation Group 1, ensuring that the company’s resources are aligned with the foundational controls necessary for cybersecurity readiness.
Implementation of Core Security Measures: Established essential security practices, including multi-factor authentication (MFA), data privacy protocols, backup strategies, regular software updates, employee security training, and an incident response plan.
Development of Policies and Procedures: Crafted and implemented customized policies and procedures to support ongoing security compliance and governance, creating a sustainable security posture.
Compliance with Privacy Regulations: Conducted a thorough risk assessment and ensured compliance with privacy regulations such as GDPR and CCPA, enhancing the company’s data protection practices.

Assessment Process:

Policy and Procedure Creation: Defined and documented security policies tailored to the organization’s needs.
Implementation Group 1 Questionnaire: Applied targeted assessments to identify current security gaps.
Risk Assessment and Control Framework: Conducted a risk analysis aligned with CIS v8 to map out security priorities and potential vulnerabilities.
Final Assessment Report: Delivered a comprehensive report to stakeholders, including an executive summary, scope, findings, and actionable recommendations to enhance their security posture.

This project empowered “Star Sales Solutions” with the foundational tools and insights necessary for sustainable security management, aligning with industry standards and regulatory requirements.

READ FIRST Maximizing Business Impact with Course Lab Expertise.docx

1) Maximizing Business Impact

1 mock audit company.pdf

2) CIS Mock Assessment Process Overview of Tasks

2 Star Sales Solutions Policy Mock company.pdf

3) Star Sales Solutions Acceptable Use Policy (AUP)

3 question and answer for cis.pdf

4) Questionnaire

4 CIS v8 IG1 Framework.xlsx

5) CIS v8 IG1 Framework

5 Final Report.pdf

6) FINAL ASSESSMENT REPORT

Case 2: A Construction Company Gets Hammered by a Keylogger
Topic: Keylogging, Malware and Bank Fraud

Cybersecurity-Case-2.pdf

1

A Construction Company Gets Hammered by A Keylogger.pdf

2

Google Sites

Report abuse