Portfolio

Alexandria Seven, Strategic GRC Consultant | CISSP

Enhancing Security Posture through Risk Management, Compliance Automation & IT Audit Excellence

San Francisco Bay Area, CA 94402

linkedin.com/in/alexsevenprofessionalprofile

Certifications

  • CISSP (Certified Information Systems Security Professional), (ISC)² 2011-2026

  • GRCP, GRCA (Governance, Risk, and Compliance Professional & Auditor) 2022-2023

  • PCI QSA (Payment Card Industry Qualified Security Assessor) 2014-2015

Professional Summary

Information Security Professional with extensive experience across financial services, banking, healthcare, technology, and SaaS industries. I’ve led and advised on IT Security Governance, Risk, and Compliance (GRC) initiatives for organizations ranging from startups to multinational enterprises. My work has contributed to stronger risk management frameworks and more defined GRC processes, advancing IT security maturity across these organizations.

Core GRC Expertise

  • GRC Program Leadership: Extensive experience in developing, implementing, and managing comprehensive GRC programs aligned with industry standards and regulatory requirements, ensuring organizational compliance and risk reduction.

  • Risk Management: Expertise in conducting in-depth risk assessments, identifying vulnerabilities, and implementing targeted mitigation strategies to strengthen security posture.

  • Compliance & Audits: In-depth knowledge of compliance frameworks and significant experience leading audits across standards including SOC 2, HIPAA, HITRUST, NIST, ISO 27001, PCI DSS, SOX, GLBA, FFIEC, OCC, and CIS, ensuring thorough adherence and regulatory alignment.

  • Third-Party Risk Management: Skilled in establishing and managing TPRM programs, performing comprehensive vendor due diligence, and mitigating supply chain risks effectively.

  • Compliance Automation: Proficient in utilizing GRC platforms (e.g., ServiceNow, Archer, OneTrust, RSAM) to automate compliance workflows, streamline processes, and improve risk visibility and management efficiency.

Security Skills

  • Security Policy Development & Implementation: Experienced in developing and enforcing security policies that align with organizational requirements and industry standards, supporting resilient security frameworks.

  • Security Architecture & Engineering: Solid understanding of security architecture principles with a background in designing and deploying secure infrastructure solutions.

  • Cloud Security: Knowledgeable in cloud security best practices with hands-on experience in securing cloud environments to meet organizational standards.

  • Identity & Access Management: Proven expertise in managing identity and access controls to protect sensitive data and ensure compliance with access management policies.

Technical Skills

  • SDLC Methodologies: Proficient in both Waterfall and Agile development methodologies, ensuring adaptability in varied development environments.

  • User Acceptance Testing (UAT): Experienced in conducting thorough UAT to validate systems against requirements and meet user expectations.

  • Technical Writing: Strong technical writing capabilities, with a focus on creating clear, concise documentation for processes, procedures, and reports.

Business & Leadership Skills

  • Project Management: Demonstrated ability to manage complex projects effectively, ensuring adherence to timelines and budgets.

  • Process & Workflow Development: Skilled in designing and implementing optimized processes and workflows to improve operational efficiency.

  • Strategic Planning & Collaboration: Strong strategic planning abilities and collaborative skills, facilitating cross-functional initiatives to meet organizational goals.

  • Business Requirements Analysis: Proficient in gathering and documenting business requirements, ensuring solutions are aligned with stakeholder needs and objectives.

Industry Affiliations

  • Active in ISC2, RSA, ISACA, OCEG, GRC World Forums, and SecureWorld

  • Founded and actively manage an IT security blog, GRC PROS (www.grcpros.tech), sharing industry insights and engaging the cybersecurity community on social media.

Education

  • Bachelor of Science in Accounting Information Systems
    California State University, Sacramento

  • Continuing Education in Information Security & Business and Project Management

GRC Program Implementation

Equinix: Global Compliance Automation

  • Challenge: Equinix needed to automate global compliance processes across multiple standards (SOC 2, ISO 27001) to improve security policy management, risk visibility, and audit efficiency.

  • Solution:

    • Led a team of engineers to deploy ServiceNow GRC.

    • Designed policy and exception management workflows within ServiceNow.

    • Integrated ServiceNow with vulnerability management tools for continuous monitoring of security controls.

    • Integrated UCF Common Controls into ServiceNow for cross-standard reporting.

    • Developed training materials and led user acceptance testing (UAT) to ensure successful implementation.

  • Key Technologies/Frameworks: ServiceNow GRC, ISO 27001, SOC 2, Jira, UCF Common Controls

RingCentral: Audit Management

  • Challenge: RingCentral needed to achieve ISO 27001 certification and undergo external audits for SOC 2 Type II, HITRUST, and C5.

  • Solution:

    • Coordinated auditor meetings and prepared internal staff for audits.

    • Guided staff interviews with auditors.

    • Managed the end-to-end audit process, including evidence gathering, issue resolution, audit scope management, and report generation.

  • Key Technologies/Frameworks: SOC 2, HITRUST, ISO 27001, GRC Portal

Blue Shield of California: GRC Program Modernization

  • Challenge: Blue Shield of California sought to modernize its security policies and implement a comprehensive GRC program to strengthen compliance with NIST and HIPAA.

  • Solution:

    • Led a comprehensive review and update of security policies, ensuring alignment with HIPAA and NIST CSF.

    • Established interdepartmental governance groups to foster collaboration and ownership of GRC activities.

    • Implemented GRC tools for efficient policy tracking, version control, and enforcement.

    • Led the evaluation, selection, and implementation of ServiceNow and Archer GRC platforms to automate compliance workflows and improve efficiency.

  • Key Technologies/Frameworks: NIST CSF, HIPAA, ServiceNow GRC, Archer GRC

Confidential Client (Virtual Assistant): SaaS Compliance

  • Challenge: A SaaS client required guidance and support in achieving compliance with various security standards crucial for their industry and client trust.

  • Solution:

    • Conducted thorough gap assessments to identify areas for improvement.

    • Managed remediation efforts to address identified gaps and ensure compliance.

  • Key Technologies/Frameworks: SOC 2, ISO 27001, PCI, HITRUST

Risk Assessment & Mitigation

Confidential Client (Multinational Conglomerate): Vendor Security Risk Management

  • Challenge: A multinational conglomerate needed to strengthen its vendor risk management program to address potential vulnerabilities and ensure compliance.

  • Solution:

    • Conducted comprehensive assessments of vendor controls, including assessing their security posture, business continuity plans, and incident response capabilities.

    • Developed a centralized vendor risk management platform to track and monitor vendor performance.

    • Implemented a risk-based approach to vendor management, prioritizing high-risk vendors for increased oversight.

  • Key Technologies/Frameworks: SecurityScorecard, TPRM

Visa Inc.: Security Risk Assessment

  • Challenge: Visa required proactive identification and mitigation of vulnerabilities in payment products and third-party providers to maintain the security and integrity of its payment ecosystem.

  • Solution:

    • Led security risk assessments, including threat modeling and penetration testing.

    • Collaborated with development teams to remediate vulnerabilities during secure coding reviews.

    • Ensured alignment with industry standards like ISO 27001 and PCI DSS.

  • Key Technologies/Frameworks: ISO 27001, PCI DSS, NIST, secure technology baselines, secure coding, penetration testing, threat modeling, Agile, Scrum

Federal Reserve Bank of San Francisco: NIST RMF Compliance

  • Challenge: The Federal Reserve Bank of San Francisco required rigorous risk assessments to ensure compliance with stringent regulatory requirements, including FISMA.

  • Solution:

    • Conducted risk assessments of system security plans (SSPs) and third-party providers.

    • Managed the Authorization to Operate (ATO) process in compliance with NIST 800-53 and FISMA.

  • Key Technologies/Frameworks: NIST 800-53, NIST RMF, FISMA, ATO, RSAM GRC, Technology Baselines

RingCentral: IT Risk Management

  • Challenge: RingCentral sought to strengthen IT risk management practices across the organization.

  • Solution:

    • Managed risk remediation efforts, addressing identified vulnerabilities and weaknesses.

    • Conducted third-party security assessments to ensure compliance and minimize vendor-related risks.

  • Key Technologies/Frameworks: Third-party risk assessments

Protiviti: Enterprise Risk Assessments

  • Challenge: Protiviti's enterprise clients required comprehensive security risk assessments based on industry best practices.

  • Solution:

    • Delivered actionable risk mitigation strategies for a major travel client, leveraging CIS and NIST frameworks.

    • Conducted enterprise-level risk assessments, identifying and evaluating potential threats to business operations.

  • Key Technologies/Frameworks: NIST 800-53, CIS, Enterprise Risk Assessment

Key Projects & Experience Areas

IT Audit & Compliance

Equinix: Audit Automation

  • Challenge: Equinix faced challenges with manual audit processes, which were inefficient and time-consuming.

  • Solution:

    • Automated audit processes and evidence tracking for SOC 2, ISO 27001, and CUI audits by customizing ServiceNow GRC workflows.

    • Streamlined evidence collection and reporting, reducing the time and effort required for audits.

    • Improved the accuracy and completeness of audit documentation.

  • Key Technologies/Frameworks: ServiceNow GRC, SOC 2, ISO 27001, CUI

RingCentral: Audit Management

  • Challenge: RingCentral needed to efficiently manage audit submissions and ensure complete and accurate documentation for SOC 2, HITRUST, and ISO 27001 certifications.

  • Solution:

    • Led readiness audits to ensure preparedness for external audits.

    • Managed audit submissions, ensuring proper documentation and timely responses to auditor requests.

    • Facilitated effective communication and collaboration with auditors throughout the audit process.

  • Key Technologies/Frameworks: SOC 2, HITRUST, ISO 27001

Protiviti: PCI DSS, DLP, and SOX Compliance

  • Challenge: A FinTech startup required assistance in achieving PCI DSS compliance to protect sensitive cardholder data. Additionally, Protiviti needed support in addressing data loss prevention (DLP) and Sarbanes-Oxley (SOX) compliance requirements for various clients.

  • Solution:

    • Led a PCI DSS Level 2 audit for the startup, coordinating control testing and audit reporting.

    • Provided guidance on implementing security controls to meet PCI DSS requirements.

    • Ensured the startup achieved compliance and could securely process card payments.

    • Assisted with the development and implementation of DLP policies and procedures to protect sensitive data.

    • Supported SOX compliance efforts by assessing internal controls over financial reporting and providing recommendations for improvement.

  • Key Technologies/Frameworks: PCI DSS Level 2, DLP solutions, SOX compliance frameworks

Security Policy Development & Management

Blue Shield of California: Security Policy Modernization

  • Challenge: Blue Shield of California's existing security policies were outdated and needed to be aligned with current security standards and regulations, including HIPAA and NIST CSF.

  • Solution:

    • Led a comprehensive review and update of security policies, ensuring alignment with HIPAA and NIST CSF.

    • Developed and delivered training programs to employees on updated policies and security awareness.

    • Implemented a policy management system to track policy versions and ensure ongoing compliance.

  • Key Technologies/Frameworks: HIPAA, NIST CSF

Realtor.com: M&A Security and Compliance

  • Challenge: Realtor.com needed to maintain compliance with ISF and ISO 27001 during mergers and acquisitions, ensuring a smooth integration of security practices.

  • Solution:

    • Spearheaded policy creation and revisions to meet ISO 27001 standards during acquisitions.

    • Integrated security gates into the SDLC, embedding security controls and assessments into each development stage.

    • Provided guidance on aligning security practices across acquired companies.

  • Key Technologies/Frameworks: ISO 27001, ISF, SDLC, AWS

PayPal: Post-Acquisition Compliance

  • Challenge: Following an acquisition, PayPal needed to align its security policies with ISO 27001 and PCI DSS standards to ensure the continued security of its payment processing environment.

  • Solution:

    • Conducted a post-acquisition gap analysis to identify areas of non-compliance with ISO 27001 and PCI DSS.

    • Managed PCI DSS audit and SOX compliance reviews, ensuring adherence to regulatory requirements.

    • Provided recommendations for remediation and process improvement to strengthen security posture.

  • Key Technologies/Frameworks: ISO 27001, PCI DSS, SOX