Secure Compliance Frameworks
Expertly designed GRC programs for risk management, audit processes, and regulatory compliance across industries.
Portfolio
About Me
With over a decade of specialized experience in Information Security across sectors such as digital payments, banking, healthcare, technology, and SaaS, I bring extensive expertise in IT Security Governance, Risk, and Compliance (GRC) Program Management. My career has been dedicated to evolving GRC practices, driving continuous improvement, innovation, and alignment with business objectives. I have led transformative security initiatives in both large-scale enterprises and agile mid-sized entities, laying the foundation for robust information security frameworks.
Key Projects & Experience Areas
Security Policy Refresh & Control Implementation
Blue Shield of California (2017-2018)
Objective: Strengthen compliance with NIST and HIPAA by modernizing security policies and implementing a GRC program.
Security Policy Modernization: Led a comprehensive review and update of security policies, ensuring alignment with HIPAA and NIST CSF.
Security Governance: Established interdepartmental governance groups and implemented GRC tools for efficient policy tracking and enforcement.
Realtor.com (2016-2017)
Objective: Align security policies with business objectives during mergers, maintaining compliance with ISF and ISO 27001.
Policy Development: Spearheaded policy creation and revisions to meet ISO 27001 standards during acquisitions.
Security Integration: Integrated security gates into the SDLC, embedding controls and assessments into each development stage.
PayPal (2016)
Objective: Ensure post-acquisition policy alignment with ISO 27001 and PCI DSS standards.
Policy Gap Analysis: Conducted post-acquisition gap analysis to align security policies with ISO 27001 and PCI DSS.
SOX & PCI DSS Compliance: Managed PCI DSS audit and SOX compliance reviews.
ETRADE Financial (2010-2013)
Objective: Manage security policies and user access processes in compliance with regulatory standards.
Security Audits: Conducted security policy audits aligned with NIST, ISO 27001, FFIEC, and OCC requirements.
IAM Procedures: Updated IAM processes to ensure compliance with PCI DSS, SOX, and regulatory frameworks.
GRC Program Maturity & GRC Tool Implementation
A3INFOSEC (2022-2024)
Objective: Provide GRC advisory services and implement vendor risk management solutions.
GRC Advisory: Advised SaaS companies on SOC 2, ISO 27001, and HITRUST compliance, leading gap assessments and remediation efforts.
TPRM Framework Design: Designed and implemented a Third-Party Risk Management (TPRM) framework with continuous monitoring and due diligence.
Equinix (2020-2022)
Objective: Deploy ServiceNow GRC and automate global compliance processes for SOC 2, ISO 27001, and other standards.
ServiceNow GRC Deployment: Led the deployment of ServiceNow GRC, integrating it with vulnerability management tools for continuous monitoring.
UAT Leadership: Developed training materials and led UAT for GRC feature releases, ensuring successful implementation.
RingCentral (2019-2020)
Objective: Lead GRC automation efforts and manage third-party risk management processes.
Audit Readiness Automation: Automated audit evidence gathering processes for SOC 2, HITRUST, and ISO 27001.
Third-Party Risk Management: Improved third-party risk management by enhancing contractual safeguards in vendor agreements.
Blue Shield of California (2017-2018)
Objective: Implement GRC platforms to automate compliance workflows and streamline policy management.
GRC Tool Selection: Led the evaluation, selection, and implementation of ServiceNow and Archer GRC platforms to automate compliance workflows.
Protiviti (2013-2014)
Objective: Manage GRC and audit initiatives with a focus on PCI DSS and SOX compliance.
PCI DSS & SOX Compliance: Led PCI DSS Level 2 audits and managed SOX 404 control testing for FinTech clients, overseeing evidence collection and documentation.
Risk Assessment & Mitigation
A3INFOSEC (2022-2024)
Objective: Conduct vendor security risk assessments and manage risk mitigation processes for a multinational conglomerate.
Vendor Due Diligence: Performed in-depth assessments of vendor controls with real-time risk monitoring using SecurityScorecard.
Visa Inc. (2014-2016)
Objective: Perform risk assessments and mitigate vulnerabilities for Visa’s payment products and third-party providers.
Vulnerability Management: Led security risk assessments and collaborated with development teams to remediate vulnerabilities during secure coding reviews and penetration testing.
Federal Reserve Bank of San Francisco (2018-2019)
Objective: Conduct security risk assessments and manage remediation strategies to ensure compliance with NIST 800-53 and FISMA.
Risk Assessments: Conducted risk assessments of System Security Plans (SSPs) and third-party providers, managing the Authorization to Operate (ATO) process.
RingCentral (2019-2020)
Objective: Strengthen IT risk management practices through enterprise-wide risk assessments.
Risk Mitigation: Managed risk remediation efforts and conducted third-party security assessments, ensuring compliance.
Protiviti (2013-2014)
Objective: Conduct comprehensive risk assessments for enterprise clients using NIST 800-53 and other industry frameworks.
Enterprise Risk Assessments: Delivered actionable risk mitigation strategies for a major travel client using CIS and NIST frameworks.
ETRADE Financial (2010-2013)
Objective: Manage third-party security risk assessments and oversee remediation efforts.
Vendor Security Assessments: Performed assessments using SIG, ISO 27001, and SAS 70, recommending remediation actions for vulnerabilities.
IT Audit
A3INFOSEC (2022-2024)
Objective: Ensure audit readiness for clients across multiple regulatory frameworks.
Audit Readiness: Conducted pre-audit assessments and led remediation planning for SOC 2, ISO 27001, and HITRUST audits.
Equinix (2020-2022)
Objective: Automate audit lifecycle management and compliance processes.
Compliance Automation: Automated evidence gathering and audit tracking for SOC 2, ISO 27001, and SOX audits through ServiceNow GRC.
RingCentral (2019-2020)
Objective: Lead readiness audits and manage audit submissions for SOC 2, HITRUST, and ISO 27001 certifications.
Audit Evidence Management: Managed submissions for external audits, ensuring proper documentation and collaboration with auditors.
Protiviti (2013-2014)
Objective: Conduct PCI DSS and SOX audits for enterprise clients.
PCI DSS Level 2 Audit: Led the audit process, coordinating control testing and evidence submission for PCI DSS and SOX audits.
ETRADE Financial (2010-2013)
Objective: Provide audit support for PCI DSS, SOX, OCC, and FFIEC regulatory requirements.
Audit Support: Contributed to audits by providing evidence for PCI DSS, SOX, FFIEC, and OCC compliance, particularly in access control and security policy management.
Alexandria Seven, CISSP
Information Security and GRC Consultant
San Francisco Bay Area, CA
LinkedIn
CISSP (Certified Information Systems Security Professional), ISC², 2011-2026
GRCP, GRCA (Governance, Risk, and Compliance Professional/Auditor), OCEG, 2022-2023
PCI QSA (Payment Card Industry Qualified Security Assessor), PCI SSC, 2014-2015
Project Highlights
Showcasing our expertise in secure, compliant framework development.
GRC Strategy
Developing strategic roadmaps for organizational compliance and success.
Healthcare Solutions
Implementing secure frameworks tailored for healthcare industry needs.
Financial Services
Driving compliance and security in financial service frameworks.
Tech Innovations
Creating compliant solutions for technology and SaaS industries.
Get in Touch
Let’s connect to explore how I can help your organization enhance its security posture and navigate complex compliance requirements.