Security Compliance Analyst
Secure once, Comply many
After a successful career in sales leadership, I transitioned into cybersecurity and risk management, driven by a desire to help organizations navigate evolving threats, regulatory requirements, and operational risks. My ability to understand business challenges and deliver tailored solutions naturally translated into identifying vulnerabilities, improving security posture, and aligning compliance initiatives with business goals.
I now work as a Security Compliance Analyst with a primary focus on PCI DSS and a secondary focus on NIST, ISO, and CMMC. I help organizations strengthen their compliance programs and reduce risk through practical, framework-aligned solutions. This includes supporting both internal and client-facing projects through risk assessments, control implementation, audit readiness, and user awareness training.
My approach is practical and results-driven, ensuring compliance efforts are scalable, understandable, and aligned with organizational priorities. I bridge business and security through clear communication, stakeholder engagement, and a strong commitment to operational resilience.
Governing AI with Purpose: A Risk-Driven Strategy for Fintech
When companies adopt generative AI, most skip the hard part: governing risk at the process level. For this project, I applied the NIST AI Risk Management Framework (AI RMF 1.0) to a fictional yet realistic fintech business—Loan Shark Holdings Inc.—to create an end-to-end AI governance strategy that reflects how real risks emerge and evolve in financial services.
Instead of starting with technical checklists, I began with process mapping:
Function → Sub-Function → Process → Description → Asset → Vulnerability → Threat.
This allowed me to trace AI risk to actual business operations—from chatbot misinformation to shadow AI use and model bias in loan approvals.
✔ A story-driven AI risk register using full lifecycle thinking (Govern, Map, Measure, Manage)
✔ Each risk is mapped to ISO/IEC 27001 Annex A, NIST CSF 2.0, and PCI DSS 4.0.1 requirements
✔ Integrated NIST AI 600-1 mitigations like adversarial testing and human-AI oversight
✔ Drafted a cross-framework AI Governance Policy aligned with security, privacy, and compliance obligations
✔ Built a review and escalation plan to track model drift, policy violations, and prompt injection attempts
Demonstrates how AI risks emerge from workflows, not just code
Shows maturity in aligning multiple frameworks into one cohesive risk program
Provides a repeatable model for fintechs looking to innovate without losing control
This is how I build governance that works—not just in theory, but in practice.
In cybersecurity and GRC, real impact isn’t just about compliance—it’s about managing real risk. As an instructor, I provided hands-on training to a cohort of 10–15 students, teaching them how to build and manage a Risk Register that goes beyond simple attestation. Using NIST CSF 2.0 (Identify & Respond functions) and PCI DSS 4.0.1’s risk-based approach, I guided students through the process of identifying, assessing, and prioritizing security risks that truly impact an organization’s security posture.
But identifying risks isn’t enough. To translate risks into actionable business value, I taught students how to develop a Plan of Action and Milestones (POAM)—a structured approach that connects risks to accountable remediation efforts. My training aligned with:
✔ NIST CSF 2.0: Teaching students how to apply ID.AM-01 (Asset Management), ID.RA-01 (Risk Assessment), RS.AN-03 (Incident Analysis), and RS.MI-01 (Incident Mitigation) to enhance risk visibility and response.
✔ PCI DSS 4.0.1: Providing real-world application of 6.3.1 (Risk-Based Vulnerability Management), 12.3.2 (Risk Assessment for Custom Controls), and 11.6.1 (Continuous Threat Monitoring for Payment Pages) to ensure risk-informed security decisions.
✅ Prepares students for real-world cybersecurity risk management, ensuring they can assess and mitigate risks in an enterprise setting.
✅ Strengthens decision-making skills, enabling students to prioritize security threats based on business impact rather than checkbox compliance.
✅ Builds proactive security leaders by teaching how to integrate risk management frameworks into governance, compliance, and security operations.
GRC isn’t about checking boxes—it’s about making informed security decisions that protect critical assets and support business growth. Through practical, hands-on learning, I equip students with the skills they need to transition into cybersecurity risk and compliance roles, ensuring they can apply risk-based thinking to drive security resilience.
Simplified PCI DSS 4.0.1 Framework for Enhanced Security Awareness
In this project, I developed a simplified version of the PCI DSS 4.0.1 framework, designed to make compliance requirements accessible to non-technical analysts and stakeholders. By translating complex regulatory language into clear, actionable steps, I ensured that team members at all levels could understand and implement the requirements effectively.
A key focus was aligning the framework with Requirement 12.6, which emphasizes the importance of security awareness. I created tailored training materials to enhance understanding and engagement across technical and non-technical teams. This initiative empowered stakeholders to confidently meet compliance objectives while fostering a culture of security awareness and accountability.
Key Achievements:
Transformed intricate PCI DSS 4.0.1 requirements into an easy-to-understand framework for non-technical audiences.
Designed security awareness training aligned with Requirement 12.6, improving team comprehension and collaboration.
Bridged the gap between technical and non-technical stakeholders, driving efficient implementation of compliance measures.
I developed a comprehensive, AI-driven study guide for the CompTIA Security+ certification exam, tailored to provide aspiring cybersecurity professionals with a streamlined, effective learning experience. This resource leverages advanced AI technology to deliver essential knowledge and skills, supporting not only certification success but also a robust start to careers in cybersecurity.
Complete Coverage of Exam Objectives: Aligned with CompTIA’s Security+ blueprint, this guide covers all critical areas, from risk management and incident response to cryptography and access control, ensuring learners have a solid grasp of each core topic.
Simplified Explanations of Complex Concepts: Utilizing AI-powered content generation, I transformed intricate cybersecurity concepts into accessible explanations, enriched with real-world examples and applications to deepen understanding.
Actionable Insights and Expert Tips: Drawing from my industry experience, I included practical advice and recommendations to help learners navigate common challenges, enhancing their preparation journey with valuable insider perspectives.
Enhanced Learning Experience Through AI: With Perplexity’s AI platform, I organized a vast amount of information into an intuitive, easy-to-follow format, making the learning process more efficient and engaging.
To advance inclusivity in cybersecurity, I’ve made this resource freely accessible, removing financial barriers that often limit access to high-quality educational materials. My goal is to democratize cybersecurity education, empowering aspiring professionals with the tools they need to thrive and contribute to a capable, diverse workforce poised to meet the demands of an evolving digital landscape.
Through this AI-powered guide, I aim to inspire, inform, and equip the next generation of cybersecurity talent, helping them take confident steps toward earning their Security+ certification and making a positive impact on the industry.
Hardening Healthcare: A NIST CSF 2.0 Analysis of the 2024 Ascension Health Ransomware Attack
When cybercriminals targeted Ascension Health in 2024, they didn't just breach a network – they jeopardized critical healthcare services across 140+ hospitals, impacting millions of patients. This case study leverages the newly released NIST Cybersecurity Framework 2.0 to dissect one of healthcare's most significant cyber incidents, transforming hindsight into foresight for enhanced security.
Through systematic analysis of Ascension's pre-breach posture, incident response, and recovery efforts, this study:
Maps critical security gaps against NIST CSF 2.0's core functions
Extracts actionable insights for healthcare organizations facing similar threats
Demonstrates practical implementation of the framework's latest enhancements
Develops a blueprint for resilience in an era of escalating healthcare cyber attacks
Beyond theoretical framework application, this analysis delivers concrete recommendations for protecting healthcare operations and patient data integrity in today's heightened threat landscape.
1) Case Study
2) Applying the NIST CSF 2.0
Third Party Security Risk Analyst Exercise
1) Case Study
2) Assignment - Third Party Security Risk Analyst
3) Step by Step Playbook for Third Party Security Risk Analyst
This assessment aimed to support a tech company with limited security maturity by conducting a comprehensive audit using the CIS v8 Implementation Group 1 framework. Given the company’s modest capabilities, CIS v8 provided a cost-effective and scalable framework to establish foundational security controls.
Project Highlights:
Framework Selection and Alignment: Leveraged CIS v8 Implementation Group 1, ensuring that the company’s resources are aligned with the foundational controls necessary for cybersecurity readiness.
Implementation of Core Security Measures: Established essential security practices, including multi-factor authentication (MFA), data privacy protocols, backup strategies, regular software updates, employee security training, and an incident response plan.
Development of Policies and Procedures: Crafted and implemented customized policies and procedures to support ongoing security compliance and governance, creating a sustainable security posture.
Compliance with Privacy Regulations: Conducted a thorough risk assessment and ensured compliance with privacy regulations such as GDPR and CCPA, enhancing the company’s data protection practices.
Assessment Process:
Policy and Procedure Creation: Defined and documented security policies tailored to the organization’s needs.
Implementation Group 1 Questionnaire: Applied targeted assessments to identify current security gaps.
Risk Assessment and Control Framework: Conducted a risk analysis aligned with CIS v8 to map out security priorities and potential vulnerabilities.
Final Assessment Report: Delivered a comprehensive report to stakeholders, including an executive summary, scope, findings, and actionable recommendations to enhance their security posture.
This project empowered “Star Sales Solutions” with the foundational tools and insights necessary for sustainable security management, aligning with industry standards and regulatory requirements.
1) Maximizing Business Impact
2) CIS Mock Assessment Process Overview of Tasks
3) Star Sales Solutions Acceptable Use Policy (AUP)
4) Questionnaire
5) CIS v8 IG1 Framework
6) FINAL ASSESSMENT REPORT