HIPAA Part 164 Subpart C (Security Rule) Audit & Compliance Program: Drove operational excellence through the development of an internal HIPAA audit program, from scratch, to demonstrate and improve compliance through a multi-matrixed organization of 50,000+ personnel. Developed an audit charter to overlay the security rule subsections and generate acute narrative to be presentable to senior leadership. Supported personnel in developing actionable plans and strategies improving enterprise maturity. Leveraged the organizational narrative to generate meaningful use audit reports for internal assurance and additional funding. Acted as designated security official for Wyoming Medical Center (§164.308(a)(2))HIPAA Part 164 Subpart E (Privacy) Audit & Compliance Program: As a proponent of insourcing the audit and assurance program, developed a continually improving privacy program which reviews 49 Privacy rule elements including: Breach Notifications, Administrative Requirements, Accounting of Disclosures, NPP, etc. Developed comprehensive testing approaches and program standardization language to generate consistent, comprehensible, compliance reports which are commonly used to send to external entities. HiTRUST Program Development: Developed comprehensive and extended policies which align the HiTrust control catalogue against the organizations current security toolset. Identified key gap areas and worked with key business owners to develop action plans to improve gaps and come into compliance. Leveraged and created key committees to review and approve the appropriate documentation to generate cross-departmental support.Exception Management: Developed an exception management program and was the exception management leader to help identify key risk areas pervasive within the organization. Leveraged the program to help drive continual improvement and generate actionable plans for stakeholders so they may formally adopt program requirements.

Policy Development: Developed organizational policies to align against the HIPAA Security Rule (Part 164, Subpart C) as well as SOC2 (Trust Service Criteria – Security, Availability, Privacy, and Confidentiality. Processing integrity excluded). Understood organizational gaps and “ideal state” to support the development of comprehensible policies and continual improvement downstream. Training and Awareness: Developed a training and awareness program for the organization which complied with §164.308(a)(5)(ii). Program was put in place for onboarding new personnel, annual training, and an awareness program. Instated an awareness program which comprised of phishing simulations and privacy safeguards associated to §164.530(c) (and beyond).

Information Systems Auditing: Primarily responsible for monitoring risk mitigation controls and effectiveness of KRIs, as well as ensuring adherence to SOC 2 & ISO27001:2013 framework on a multi-site multinational scaleIT Governance & Monitoring: Responsible for building, developing, and maintaining company ISMS, and privacy program. Developed and implemented company wide policies, processes, and procedures and monitoring their efficiencies. Providing guidance and recommendations for implementing operational controls that institute an appropriate security FrameworkProcurement & Vendor Management: Developed comprehensive procurement process that incorporates appropriate policies to ensure security controls and practices exist within the vendor procurement and management program. Regularly audits vendors and their compliance level as well as institute appropriate contractual requirements to assure flexibility in program reviewInformation Security Operation: Responsible for developing and deploying user awareness content and providing guidance on operational procedures to ensure security is integrated with day-to-day activities. Responsible for running BIA, maintaining and testing BC & DRRisk Management: Responsible for the development and continual monitoring of the risk register. Handling risk assessments against new systems and vendors – building and designing controls to mitigate risk and building a risk management programSecurity Architecture: Gather requirements, stay in-tune with regulatory changes, plan system development around requirements with policy and security measures in place. Gap analysis and assessment to drive security strategy in order to meet company requirements. Develop project charter for PMs. Post-incident analysis and control improvement recommendations. Benchmark set standards against industry best practices. Identify Legal compliance requirements and apply to risk charter.

ISMS Management: Development and management of the information security management system that includes over 28 policies that my team I had crafted to ensure consistency against the ISO27001:2013 framework. As running the ISMS, I had monitored policy compliance, security awareness, and regularly audited the framework to ensure ease of official audits.Vendor Management: Specifically responsible for vendor procurement and the development of a program (later deployed) that governs vendors and their contractual responsibility to the organization. RFP Development & Completions: Responsible for both the development of RFPs (vendor side) and the delivery of content for them (client side), I specifically held the responsibility for the requirements gathering, security program requirements, and identifying the appropriate controls in place to meet specific requirements.Business Impact & Risk Assessments: Upon utilizing new technologies, or changing current, I was responsible for developing a risk assessment and building a BIA against the changes. These were documented and retained as part of the ISMS and Risk Charter. I would recommend controls to be instituted per risk appetite as decided by leadership.Privacy Program for GDPR: Key partner in the development of a program that encompasses GDPR core principles and regulations, this program was developed as part to be implemented into the ISMS. I audit risks and controls that came as part of the output of the privacy program. IAM: Design controls appropriate to technically manage the RBAC Matrix and ensure limited access for employees, based on least privilege. This architecture was designed specifically for all systems in play for the company – being worked into SSO.

Information Security Program Management: Responsible for development the new information systems security program that govern security policies. Goal to achieve ISO27001:2013 certification, but benchmark company security practices against best practices. Managed a small team to audit security functions, compliance, and manage information security systems.Deployment Management: System deployments and project were routed through me. Ensured project delivery, timeliness, and appropriate controls across the product deployment. Following project completion, developed SOPs for handoffs to either an employee of mine or peers whom will continue to manage the system. Department Manager: Manage the complete helpdesk as well as the engineering team, administrator team, security & auditing team. Responsible for reviewing work quality and holding team members to appropriate KPIs. Handled general management functions.SOP Development: Develop procedures for systems following deployment. Build processes and standards for security department and engineering team to follow. Such SOPs were mapped to policies that had been developed in response to the ISO27001:2013 initiative. Budget Management: Manage a $5mm ++ Budget to support the overall IT objectives and vision. This includes labor, procurement, and SaaS. Review and manage contracts to reduce costs and overhead. Forecast and allocate funding to appropriate silos within the department. Quantitatively assess risk costs and address with finance Security Operation Management: Implement security operations into day-to-day functions. Build out processes for analysts and policies and drive awareness content for team members. Measure control efficiencies through value analysis and key indicators.