GRC • Nonprofit
Critical Function & Light BIA Assessment for Global NGO
CyberPeace Institute – 2025
Performed a lightweight BIA-style assessment to identify critical functions, operational dependencies, and high-impact processes for a resource-constrained nonprofit environment.
- Facilitated a structured discovery session to understand the nonprofit’s mission, service delivery workflow, and operational needs.
- Led targeted questioning to identify core digital functions, supporting assets, and the departments responsible for them.
- Captured and organized meeting notes to document critical services, dependencies, and impact levels.
- Provided a ranked critical-functions matrix based on impact, importance, and operational relevance.
- Applied guidance from senior GRC practitioners to refine scope, keep discussions focused, and align analysis with operational priorities.
GRC • Enterprise Risk Management
Healthcare Risk Management Program Using Clearwater IRM
Academic Project – 2025
End-to-end risk management engagement for a fictional healthcare system using Clearwater IRM. Our team defined asset component groups, built an enterprise asset inventory, prioritized systems based on weighted criteria, performed quantitative risk analysis, and designed governance-aligned risk responses and policy updates for a regulated clinical environment.
- Defined logical component groups for desktops, applications, cloud backups, and clinical systems to align with Clearwater’s IRM methodology.
- Built a structured asset inventory and weighted ranking model using criteria such as compliance impact, confidentiality, incident likelihood, data volume, and patient safety.
- Calculated Clearwater risk ratings for high-value assets (e.g., EHR, SQL Server, Office 365, internet gateways) to identify top enterprise risks.
- Documented detailed risk responses and “add or enhance” control actions mapped to specific threat/vulnerability pairs, including DLP, MFA, authentication policies, and secure disposal practices.
- Co-authored an Issue-Specific Security Policy (ISSP) on fair and responsible use of information systems for the Sunshine Healthcare System, tying technical controls back to organizational mission and regulatory requirements.
GRC • Business Continuity
Business Impact Analysis for Multi-Department Enterprise
Academic Project – 2024
A full Business Impact Analysis (BIA) performed using a structured, industry-standard template. This project identifies critical processes, evaluates operational and financial impacts, and documents recovery objectives aligned with enterprise risk and continuity requirements.
- Mapped business units, subprocesses, RTO/RPO, dependencies, and recovery strategies.
- Evaluated both quantitative and qualitative impact across IT, Finance, and Veterinary operations.
- Produced recovery timelines and technology restoration priorities for multiple departments.
- Developed actionable recommendations based on business continuity best practices.
GRC • Policy Analysis
Firewall & VPN Policy Modernization Review
Academic Project – 2024
A comprehensive policy gap analysis reviewing Enterprise, Issue-Specific, and System-Specific Security Policies. The project proposes a new consolidated ISSP for Firewall and VPN Control aligned with zero-trust principles and next-generation firewall capabilities.
- Reviewed firewall/VPN controls across EISP, ISSP, and SySSP levels.
- Recommended zero-trust integration, MFA enforcement, and NGFW adoption.
- Drafted a complete annotated outline for a modernized Firewall & VPN ISSP.
- Identified outdated, fragmented policies and proposed consolidation paths.
Security Operations • Vulnerability Management
Vulnerability Assessment of Hidden Linux & Windows Systems
Academic Project – 2024
Conducted a structured vulnerability assessment using Nmap and Greenbone Security Manager on a concealed lab environment. The Linux server scan identified multiple critical and high-risk vulnerabilities, each mapped to detailed remediation steps.
- Discovered exposed services, outdated software, weak encryption, and backdoored components.
- Identified 11 high-risk vulnerabilities, including Ghostcat RCE, default PostgreSQL credentials, and vsFTPd backdoor.
- Prioritized findings using CVSS scoring and best-practice remediation.
- Applied a systematic discovery methodology when the hidden Windows server could not be located.
- GRC Tie-In: Demonstrates risk prioritization, documentation quality, and translation of technical findings into actionable governance-aligned recommendations.