The GRC Advisor

A derivative of enhanced governance, risk management, and compliance (GRC) controls is trust. By embedding GRC into core business processes, organizations can protect and enhance their value and earn the trust of their stakeholders.

Reliable. High Performing. Professional.

Blending IT Governance, Audit, Cyber-security, Risk Management, Data Privacy, Information Protection & Regulatory Compliance. Governance, risk and compliance (GRC) services tackle the broad issues of corporate governance, enterprise risk management, and effective corporate compliance, while offering specialized assistance in key areas such as:

Continuous Auditing & Compliance Management

20+ Years Experience

Initiating programs of continuous audit and monitoring, advising and supporting on all matters during implementation, and directing the design and use of advanced software-based processes, AI and feedback mechanisms to observe operational activities and IT systems, detect their anomalies, inconsistencies and other detrimental factors, collect their KRI and KPI data, record compliance failures and security and privacy breaches, and provide real-time alerts to potentially inappropriate behavior and fraud.

IT Governance, Cybersecurity & Risk Management

20+ Years Experience

Directing continuous development and improvement of enterprise governance, risk, cybersecurity and privacy programs, translating and clarifying board level risk appetites into IT security and business risks, aligning lines of defense with stakeholder roles and policies with frameworks of standards, identifying crown jewel assets and their relationships to mission critical operations and systems, building their compliance profiles and modeling their cyber-threats for risk management/mitigation.

Risk Assessment, Process Improvement & Resilience

20+ Years Experience

Creating proper awareness of the operational boundaries of critical IT systems and correcting failures to detect cyber-threats and security events in a timely manner, so that mission critical operations are not disrupted. Also, developing effective, measurable resilience-building strategies that consider the complex interactions between risks, people and systems, including system design evaluation for both resilience and steady-state operation.

Evaluating Management, Reporting, Policies, Procedures

20+ Years Experience

Applying core analysis and decision factor analysis to evaluate whether risks are appropriately identified, measured, monitored, and controlled; whether management capabilities are sufficient for the size, complexity, and condition of the enterprise; and whether management has established an adequate controls environment by applying policies and procedures consistently throughout the organization.

Data Gathering, Quantitative Modeling & Statistical Analysis

20+ Years Experience

Implementing formal data analytics programs specifically designed to improve access to threat monitoring data and support the use of AI-powered tools, thereby accelerating mitigation response times, using software such as ACL, Excel, SPSS, SAS, Oracle Data Mining, R, Oracle Analytics Cloud, RapidMiner, Tableau, Google Cloud AutoML, PyTorch, DataRobot, Talend, H2O.ai and IBM Watson Analytics, and training staff on statistical testing, regression and factor analysis.

Strategic Planning, Process Automation & Systems Integration

20+ Years Experience

Methodically identifying areas in need of improvement as the first step in developing a business process automation strategy, which then serves as the basis for improving and integrating operations. This is set up as an ongoing process by which an organization sets its forward course, bringing all of its stakeholders together to examine current realities and define its vision for the future.

Three Lines of Defense Design, Development & Implementation

10+ Years Experience

Engaging with stakeholders to discuss and assign responsibilities, articulating and documenting each line of defense and its roles, then conducting the baseline risk assessment and formulating a simple dashboard outlining risks, controls, and the potential impact and size of each, and then processing the information to understand and identify key vulnerabilities and threats. Once understood, defining them clearly, breaking them into risks, and selecting the metrics for management to follow.

Internal Audit Management, Planning, Methodology & Analytics

25+ Years Experience

Leading development, implementation, and continuous improvement of governance and risk management practices (including internal control) at a policy, standards, process, systems, and entity level for the achievement of risk management objectives, such as compliance with laws, regulations, and acceptable ethical behavior; internal control; information and technology security; sustainability; and quality assurance.

IT Audit & Reporting

20+ Years Experience

Examining the organization's IT infrastructure, applications, policies, and procedures to ensure they are secure, effective, and compliant. Ensuring that the organization is compliant with IT management practices, privacy protections, and information security provisions, and helping to identify potential vulnerabilities and ensure that all assets are secure and properly updated. Reporting to the chief audit executive and audit committee on the results of the IT audit.

COSO, COBIT, NIST, SOC, ISO 27001/2, PCI DSS Implementation & Certification

20+ Years Experience

Analyzing the scope of certification to identify the necessary implementation work, performing a current state gap analysis of the IT governance and infrastructure, processes and documentation for conformity to standards and requirements, and revealing any additions or adjustments needed for certification. Advising and supporting on all compliance matters during the process of analysis, remediation and implementation of corrective measures and controls. Performing the assessment for certification issuance.

Exception-based “Continuous Monitoring”, Data Privacy & Security Assessment

20+ Years Experience

Systematically collecting data from pre-established metrics and previously deployed security controls to provide an ongoing picture of vulnerabilities and threats, to support risk management decisions in compliance with NIST SP 800-137, the GLBA 16 CFR Part 314 “Safeguards Rule”, HIPAA privacy and security requirements for Protected Health Information (PHI), and Article 25 of the General Data Protection Regulation (GDPR), and to demonstrate privacy governance, privacy architecture, and data lifecycle protection.

Assessing Information Architecture, SDLC & Application Development

20+ Years Experience

Identifying risks and their sources, and evaluating software risk planning and the risk response strategy, including the effectiveness of preventive measures used to decrease risk probability. Ensuring software risk monitoring is included in all development phases, that checks are made regularly, and that the development team tracks and aligns to all major changes in the risk management plan, while also verifying that new risks are being identified and mitigated and that low-probability risks are being retired.

IT Supplier Requirements Setting & Vendor Contract Negotiation

15+ Years Experience

Developing and deploying a firm-wide third-party risk management framework based on the standards and best practices found in NIST SP 800-53 and in the Whistic and Cloud Security Alliance CAIQ, and implementing programs for mitigating risks from new and existing suppliers, including formal procedures for vendor due diligence, assessing SOC 2 reports, vendor contracts, KPIs, SLAs and scorecards, and implementing data analytics and CVMT to facilitate a quarterly QBR program.

Threat Profiling, Risk Register & Risk Framework Development

25+ Years Experience

Leading the structured process of identifying and documenting all possible security threats on an asset-by-asset, system-by-system, process-by-process basis, advising on modeling the likelihood and impact of various threat events through cybersecurity risk registers integrated into an enterprise risk profile, and then prioritizing, implementing and communicating the enterprise cybersecurity risk response and monitoring that follows.

Breach Preparedness, Vulnerability Testing & Remediation

20+ Years Experience

Performing black box and crystal box vulnerability testing, identifying vulnerabilities associated with key IT assets, third-party applications, web-based services, networked platforms, data assets and infrastructure components that make up the digital business environment, virtual operational environment, and cyberspace infrastructure. Gathering cyber-intelligence, identifying the vulnerabilities exploited by the cyber-threats of greatest concern, and presenting threat mitigation options.

IT Incident Management & Disaster Recovery

20+ Years Experience

Building the frameworks to address incidents consistently when they happen and to facilitate effective coordination and collaboration between internal and external parties for events that range from simple errors to malicious attacks or natural disasters. Establishing an escalation process that is recognized and understood across the organization, a framework and controls to ensure proper communication and avoid mismanagement, and processes to support a return to normal operations.

SOX, GLBA, HIPAA & HITRUST Compliance

25+ Years Experience

Designing and implementing programs to assess and manage enterprise-wide security compliance based on a framework that combines SOX, GLBA, HIPAA & HITRUST standards. Activities include performing a current state gap analysis for conformity to standards and requirements and revealing any additions or adjustments needed, as well as advising and supporting on all compliance matters during the process of analysis, remediation and implementation of corrective measures, controls, and ongoing monitoring.

Cyberthreat Vulnerability & Modeling

15+ Years Experience

Modeling a visual representation of the four main elements: the assets within a "mission-critical" system, the system’s attack surface, a description of how the components and assets interact, and the threat actors who could attack the system and how the attack could occur. This relationship model is then used to identify, evaluate and determine gaps in security controls at the application, system, infrastructure and critical operations levels that support essential service delivery.

Regulatory Reporting & Licensing

20+ Years Experience

Translating regulations and licenses into specific data and operational requirements, identifying sources for individual line items, establishing quality frameworks, and implementing automated solutions to produce timely and accurate filing of reports both domestically and from off-shore sources. Producing a roadmap for automating attestation, aggregation, edit checks, and electronic submissions, and designing the process for reusing regulatory report data for early detection of reporting problems.


Licensing & Certifications

Proven Credibility & Proficiency

Certified in Data Privacy Solutions Engineer (CDPSE)

ISACA

Holding the CDPSE qualification demonstrates that the GRC advisor has the expert knowledge and experience necessary to work cross-functionally with legal, policy, DBAs, engineers, software developers, and back-end and front-end experts to develop and implement advanced privacy solutions from both a technical and a governance perspective. It is meant to demonstrate expertise in three main areas: privacy governance, privacy architecture, and data lifecycle.

Certified in Risk and Information Systems Control (CRISC)

ISACA

Holding the CRISC qualification demonstrates that the GRC advisor has the expert knowledge and experience necessary to identify and manage enterprise IT risk and to implement and maintain information systems controls.

Certified in the Governance of Enterprise IT (CGEIT)

ISACA

Holding the CGEIT qualification demonstrates that the GRC advisor has the expert knowledge and experience necessary to support governance of enterprise IT, ensuring that an organization's IT is governed from the top and is therefore aligned with business needs and goals.

Certified Internal Auditor (CIA)

The IIA

Holding the IIA’s premier designation demonstrates that the GRC advisor has the expert knowledge and experience necessary to support the highest standard of excellence within the profession. As the only globally recognized internal audit certification, it indicates that the designee has the knowledge, skills, and competencies to carry out the professional responsibilities of internal audit effectively at the highest levels anywhere in the world.

Each of these professional designations is fundamentally designed to provide a multidisciplinary and broad perspective.

Contact The GRC Advisor

Get More Detailed Information Now

To get more detailed information now, please use these links:

A detailed resume of work
A LinkedIn profile
Get in touch


Copyright © 2024 www.thegrcadvisor.com - All Rights Reserved.
