Currently running the Global Assurance System and Standards team that consists of multiple “Center of Excellence” and global assurance programs. These programs include, but are not limited to:• Assurance Risk Framework: Framework to assess and prioritize risk to drive risk-based assurance programs• Customer Right-to-Audit (R2A): Centralized program for all customer related compliance related questions and customer audit execution needs• Datacenter Asset Inventory Review: Physical asset inventory program for Microsoft’s 100+ datacenter portfolio• Insurability & Loss Control: Internal datacenter design review and external insurance broker datacenter assessment program Developed a cross-team organizational strategy for the CO+I risk, field operations assurance, supplier assurance, compliance, privacy/data protection, and resilience teams which included, but not limited to developing a governance model, aligning leadership communication (risk based), and increasing integration across the seven teams/programs.Lead the Cloud Infrastructure Security, Safety, and Governance (CISSG) assurance program for the Americas and Asia Pacific. This includes identifying and mapping risks, policies, and controls to strategically provide leadership assurance that key risks are being monitored and mitigated. My team also covers insurance related items within Cloud Operations + Infrastructure (CO+I) and all Microsoft Internal Audit related activities.

Developed key foundational components and processes for new Azure customer right-to-audit (R2A) team; including integrated Objective and Key Results (OKRs) from executive layer, to GM, to principal, to team, to individual members. Established key internal processes for team collaboration and communication processes/plans for partner teams. Additionally, worked with teams to assess current manual processes and develop automation to improve efficiency and accuracy, as well as, design customer facing solutions to allow for a self-service/scalable process for customers to meet their compliance requirements.

Developed a compliance program and led all compliance related activities, including developing processes, defining controls, consulting on evidence deliverables and retention, developing an internal monitoring program, and reviewing and approving new compliance related services/features (GRC approval board). This work helped to mature the Dynamics F&O team from not having any formal controls to achieving SOC 1 and SOC 2 Type I, SOC 1 and SOC 2 Type II, and ISO 27001, 27017, and 27018 (with no external audit findings for any of the certifications). Additionally, developed a PCI program for Dynamics 365 CE that allowed the service to achieve compliance and unblock millions of dollars worth of revenue.

Owned the Control Framework and Monitoring programs for MCIO/C+E Security. This included mapping and maintaining control alignment to both the Microsoft Security Policy, as well as, external regulations. Worked with key stakeholders to identify key aspects of their Standard Operating Procedures (SOPs)/Runbooks to capture as controls. Also worked to update/improve aspects of SOPs to address gaps and improve clarity. Ran monthly campaigns to monitor controls, identified gaps and deficiencies, worked with appropriate teams to develop remediation plans, and reported monitoring and remediation status to key stakeholders and leadership. Also, defined key metrics that provide management insight into the health and adherence to key security policy requirements. As the project manager, I also worked with an engineering counterpart to develop a tool to support this metrics program. This included working with key stakeholders to develop business requirements, user stories, and prioritize deliverables. The outcome of this work will likely help to drive the many of the future “Get Clean/Stay Clean” initiatives.