Projects | Guiselle Armstrong

Audit Readiness & GRC Program Enablement

Tue, 01 Aug 2023 00:00:00 +0000

Focus Areas: SOC 2 · PCI DSS · CCPA · ISO/IEC 27001

Focused on transforming audit readiness from a reactive, audit-season effort into a continuous, well-governed program aligned with SOC 2, PCI DSS, CCPA, and ISO/IEC 27001 principles. I led cross-functional efforts to improve visibility into risk, standardize evidence management, automate governance workflows, and strengthen collaboration between business teams, technical teams, and auditors.

Experience

Established Executive-Level GRC Visibility

Designed and automated a Power BI GRC Executive Dashboard providing leadership with monthly visibility into key compliance and risk metrics
Tracked user access reviews, policy exceptions, audit artifacts, remediation activity, and vulnerability trends
Enabled continuous monitoring, management review, and risk-based decision-making

Strengthened Access Controls & Resiliency

Partnered with departments to complete and document User Access Reviews (UARs)
Developed and maintained Disaster Recovery documentation aligned with audit and availability requirements
Ensured access controls and recovery practices were clearly defined, owned, and consistently audit-ready

Operationalized Privacy & Regulatory Compliance (CCPA)

Supported privacy access removals and data rights requests using OneTrust
Ensured requests were processed within regulatory timelines and documented with appropriate approvals
Maintained defensible evidence aligned with SOC 2 Privacy and ISO data protection controls

Centralized Evidence Management & Audit Support

Gathered, validated, and archived audit artifacts from multiple business and technical teams
Maintained organized evidence repositories to support internal audits, SOC 2, PCI DSS, and regulatory assessments
Actively participated in QSA and auditor meetings, helping translate control intent, clarify scope, and resolve gaps efficiently

Supported Audit Findings & Timely Remediation (MAPS)

Assisted teams in reviewing and addressing audit (MAPS) findings
Partnered with control owners to identify root causes, define corrective actions, and track remediation efforts
Ensured findings were remediated within required timelines and supported with appropriate evidence to meet audit expectations

Implemented Policy Exception Governance

Created and facilitated a weekly policy exception review meeting with cross-functional stakeholders
Built a Power Automate workflow and dashboard to track exception approvals and notify owners of upcoming expirations
Documented risk acceptance decisions and communicated outcomes to leadership to maintain a clear audit trail

Enabled PCI DSS Compliance Through Training

Designed and delivered PCI DSS training for employees involved in payment processing and credit card handling
Reinforced secure handling practices, role-based responsibilities, and compliance expectations
Supported ongoing audit readiness and reduced compliance risk

Developed People & GRC Capability

Trained, mentored, and empowered early-career cybersecurity engineers
Helped teams understand how technical controls support SOC 2, PCI DSS, and ISO requirements
Strengthened long-term ownership and accountability for controls across the organization

Impact & Results

Improved continuous audit readiness across SOC 2, PCI DSS, privacy, and internal audit programs
Reduced audit friction by proactively addressing MAPS findings and control gaps
Increased leadership visibility into compliance health and remediation status
Strengthened collaboration between security, IT, legal, and business teams
Built scalable, repeatable governance processes that supported consistent audit outcomes

Vulnerability Management & Risk Reduction Program

Wed, 01 Mar 2023 00:00:00 +0000

Framework Alignment: SOC 2 & ISO/IEC 27001

Objective: Reduce organizational risk by preventing vulnerable assets from entering production and ensuring timely, well‑governed remediation across infrastructure, databases, and endpoints

Overview

Established vulnerability management as a preventive, risk‑based control integrated into both production readiness and ongoing operations. The program aligned technical vulnerability scanning, remediation scheduling, and patch validation to SOC 2 and ISO/IEC 27001 expectations, ensuring vulnerabilities were identified early, prioritized appropriately, and remediated in a controlled, auditable manner.

How I Approached Vulnerability Risk Management

Preventive Vulnerability Controls & Production Readiness

Executed enterprise vulnerability scans using Qualys and Nessus
Performed mandatory vulnerability scans on all new server builds prior to production deployment
Ensured systems met baseline security requirements before promotion to production, supporting preventive controls under SOC 2 CC7 and ISO operational security principles

Continuous Risk Monitoring & Leadership Visibility (SOC 2 CC4 | ISO Clause 9)

Designed and delivered a Power BI Vulnerability Management Dashboard
Provided visibility into open vulnerabilities, remediation progress, and vulnerability burndown trends
Enabled management review and continuous monitoring of security risk posture

Clear Ownership & Accurate Data Mapping (SOC 2 CC3 | ISO Clause 6)

Parsed vulnerability scan outputs using Python to accurately map vulnerabilities to specific devices and responsible owners
Delivered owner‑specific remediation views to reduce noise and increase accountability
Improved data integrity for both remediation tracking and audit evidence

Risk‑Based Prioritization & Zero‑Day Response (SOC 2 CC5 | ISO Risk Treatment)

Prioritized vulnerabilities based on severity, exploitability, and active threat intelligence, including zero‑day exploitation
Focused remediation efforts on vulnerabilities posing the highest risk to confidentiality, integrity, and availability
Ensured remediation decisions aligned with documented risk tolerance and audit expectations

Cross‑Team Remediation Scheduling & Governance (SOC 2 CC7 | ISO Clause 8)

Collaborated closely with server, database, and endpoint teams to establish structured vulnerability remediation schedules
Coordinated remediation timelines based on system criticality, exposure, and operational impact
Facilitated recurring remediation discussions to track progress and remove blockers

Patch Testing & Controlled Deployment

Worked directly in SCCM and Patch My PC to validate and test patches prior to production rollout
Ensured patches were tested for stability and compatibility before deployment
Supported controlled, auditable patch management processes aligned with ISO patch management and SOC 2 system operations controls

Audit & GRC Integration

Ensured vulnerability remediation activities, approvals, and outcomes were documented and retained as audit evidence
Demonstrated continuous monitoring, risk treatment, and control effectiveness during audits
Integrated vulnerability management metrics into broader GRC and audit readiness reporting

Impact & Results

Prevented insecure servers from entering production environments
Reduced time‑to‑remediate for high‑risk and zero‑day vulnerabilities
Improved coordination and accountability across infrastructure, database, and endpoint teams
Strengthened patch governance through testing and controlled deployment
Provided clear, defensible evidence of vulnerability management controls during SOC 2 and ISO‑aligned audits

Change Management & Controlled Release Governance

Wed, 01 Jun 2022 00:00:00 +0000

Framework Alignment: SOC 2 (CC7) & ISO/IEC 27001

Objective: Ensure all system and application changes were authorized, risk‑assessed, tested, documented, and deployed in a controlled manner to protect system availability, security, and compliance posture

Overview

Focused on strengthening organizational change management practices to meet SOC 2 CC7 and ISO change control expectations. The goal was to ensure that changes were not only implemented successfully, but also governed in a way that reduced operational risk, protected sensitive data, and produced defensible audit evidence. My work emphasized education, structured governance, and cross‑functional collaboration to embed change management into daily operations.

How I Applied SOC 2 & ISO Change Control Principles

Established Controlled Change Processes (SOC 2 CC7 | ISO Change Controls)

Trained department managers and stakeholders on how to properly submit change documentation in alignment with formal change control requirements
Ensured all changes included required elements such as testing evidence, risk assessments, business justification, and approvals
Reinforced that changes must be authorized, reviewed, and traceable prior to implementation

Led Change Advisory Board (CAB) Governance (SOC 2 CC7.2 | ISO Authorization & Review)

Led daily CAB meetings, facilitating structured reviews of proposed changes
Evaluated changes for risk, timing conflicts, dependencies, and potential impact to availability and security
Ensured approval decisions, conditions, and outcomes were clearly documented for audit purposes

Ensured Change Documentation Integrity & Data Protection

Reviewed and revised submitted change records to ensure completeness, accuracy, and audit readiness
Verified inclusion of testing results, risk assessments, and formal business approvals
Ensured no PII or PCI data was included in change documentation, reducing data exposure risk and supporting regulatory compliance

Coordinated Secure & Successful Releases (SOC 2 CC7 | ISO Operational Change)

Worked closely with release and deployment teams to verify that approved changes were deployed as planned
Supported coordination, communication, and scheduling to minimize disruption
Assisted with post‑implementation validation to confirm change success and stability

Advised on Risk, Impact, and Organizational Readiness

Acted as a trusted advisor to teams on how uncontrolled or poorly documented changes can impact availability, security, audit results, and customer trust
Educated stakeholders on the importance of structured change management as a core operational and compliance control
Strengthened awareness that change management is a shared responsibility supporting the organization as a whole

Impact & Results

Improved consistency and quality of change documentation across departments
Reduced operational risk from unauthorized or insufficiently tested changes
Supported system stability and availability during deployments
Strengthened evidence for SOC 2 and ISO‑aligned audits
Increased organizational understanding of change as a critical governance control