BrianSantiago-GRC/grc-portfolio

GRC Portfolio

Brian Santiago | Ocala, FL | [email protected] | LinkedIn


This is a collection of GRC work I built to show how I actually think through compliance and risk problems, not just that I know what the acronyms stand for.

Everything here follows real methodology. The risk register uses a proper 5x5 scoring matrix. The HIPAA checklist is mapped to actual CFR citations. The ISO 27001 gap analysis covers Annex A control by control. I built these the same way I would build them for a real organization, because that is the only version worth showing.

My background is IT operations in HIPAA and FERPA-regulated environments. That context matters for GRC work. I have maintained audit evidence cycles, written SOPs under compliance pressure, and managed access controls in regulated systems. The framework knowledge builds on top of that, not the other way around.


Documents

| Document | Framework |
|---|---|
| Risk Register | NIST SP 800-30 |
| Risk Assessment Methodology | NIST SP 800-30 / ISO 27005 |
| HIPAA Security Rule Audit Checklist | 45 CFR Parts 160 and 164 |
| NIST CSF 2.0 Maturity Assessment | NIST CSF 2.0 |
| ISO 27001 Gap Analysis | ISO/IEC 27001:2022 |
| Information Security Policy | ISO 27001 / HIPAA |
| Access Control Policy | NIST SP 800-53 / ISO 27001 |
| Incident Response Plan | NIST SP 800-61 |
| Third-Party Risk Assessment Questionnaire | ISO 27001 / HIPAA |

Certifications

  • ISO 27001 Certified Lead Auditor
  • CompTIA Security+ (2024)
  • CompTIA Network+ (2024)
  • Microsoft SC-900
  • Qualys Vulnerability Management Foundation
  • ITIL Foundation (2024)
  • Google Cybersecurity Certificate (2024)

Skills

Frameworks: HIPAA, FERPA, NIST CSF, ISO 27001, SOC 1/2, NIST 800-171, ISO 27701, ISO 42001

Audit and compliance: gap analysis, control testing, evidence collection, audit coordination, policy authoring

Risk: risk registers, CAPA planning, third-party risk assessments, treatment planning

IAM: provisioning and deprovisioning, MFA, access governance, access reviews

Tools: Splunk, Wireshark, NinjaOne, Qualys, Confluence, Microsoft 365, Azure AD, Active Directory


Open to junior GRC Analyst, IT Compliance Analyst, and Information Security Compliance Analyst roles.

About

GRC portfolio by Brian Santiago, ISO 27001 Lead Auditor. Risk registers, HIPAA audits, NIST CSF, ISO 27001 gap analysis, IRP, and TPRM.
