GRC Projects
Governance, Risk Management, and Compliance (GRC)
GRC (Governance, Risk, and Compliance)
GRC Mastery Course - (NIST-CSF, ISO 27001 Capstone projects):
Conducted an enterprise wide NIST-CSF Cyber Security assessment as part of GRC Mastery training course.
Conducted a third-party risk assessment on a supplier. The assessment consisted of reviewing a third-party security assessment questionnaire, assessing and summarizing the key risk items identified.
Asset Management: Designed a process to capture assets and maintain a CMDB.
Conducted an end-to-end cyber security maturity assessment using the NIST CSF framework.
Completed the ISO 27001 Lead Auditor training through GRC Mastery by building a full ISMS from scratch, including developing risk assessments, the Statement of Applicability, and drafting all core security policies and procedures required for certification.
Skills include Cyber Security Risk Management, Cyber Security Audit, Asset Management, Identity and Access Management (IAM), Security Education and Awareness, Data Loss Protection (DLP), Incident Response, Third Party Risk Management.
Risk-based asset replacement for Electric Utilities clients
Objective:
The objective was to demonstrate value-based decision making, with risk modelled as a function of the probability of failure and the likelihood and cost of its consequences. The client wanted to shift from age-based to value-based decision-making for powerline pole replacements. Historically, the client has been replacing approximately 10,000 poles per year like-for-like, primarily based on asset age. The pilot covers 4,395 poles out of a total network of 250,000 poles.
Tools and Techniques:
Asset risk for electric utilities is calculated per the following:
Risk = Probability of Failure (PoF) × Likelihood of Consequence (LoC) × Cost of Consequence (CoC)
Probability of Failure follows a Weibull distribution with age.
Consequences fall into 4 buckets:
● Cost to repair/replace the asset (20% more expensive to reactively replace than proactively)
● Safety incidents (e.g. pole falls on a car)
● Reliability (e.g. outages)
● Fire (e.g. ignition and spread of a wildfire)
Replacing an asset incurs a high upfront
Process & Methodology:
Implemented Integrated Risk Model: Align Cost, Consequence, and Performance data into a unified model built on probabilistic risk factors
Calculate Total Risk Avoidance: Risk = Likelihood × Consequence, i.e. PoF × LoC (%) × CoC ($)
Decision Framework:
Replace if: Risk-cost > asset replacement cost (CapEx)
Defer if: Risk-cost <= asset replacement cost (CapEx)
Findings and Results:
Age-based analysis would replace 178 poles (4% of 4,395) at a CapEx of $2.44M, resulting in a relatively low Risk-Cost avoidance of $1.98M. Risk-based analysis results in a much higher Risk-Cost avoidance of $36.66M, but at a much higher replacement cost (CapEx $11.42M) to replace 951 poles (21.6% of 4,395). Normalizing to a realistic budgetary constraint of $2.44M, poles are prioritized by the highest CoC/CapEx benefit ratio, resulting in $11.93M of Risk-Cost avoidance to replace 203 poles.
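The following script is an added illustration of the Risk = PoF × LoC × CoC model and the budget-constrained prioritization described above; it is not the client's model or the project's own code. The Weibull parameters, the five sample poles, their consequence likelihoods and the dollar costs of each consequence bucket are all constructed assumptions, and the benefit ratio is interpreted as annual risk-cost avoided per CapEx dollar. It compares an age-based selection with a risk-based one under the same budget, which is the comparison the findings above report.

```python
"""Risk-based vs age-based pole replacement under a budget.

Added illustration of the Risk = PoF x LoC x CoC model; Weibull parameters,
pole data, consequence likelihoods and costs are constructed assumptions.
"""
import math
from dataclasses import dataclass

# ASSUMED Weibull parameters: shape > 1 gives a failure rate that rises with age.
WEIBULL_SHAPE = 3.0
WEIBULL_SCALE_YEARS = 60.0


def annual_pof(age: float, shape: float = WEIBULL_SHAPE,
               scale: float = WEIBULL_SCALE_YEARS) -> float:
    """Probability that a pole which has survived to `age` fails in the next year.

    Weibull survival S(t) = exp(-(t/scale)^shape); conditional PoF = 1 - S(age+1)/S(age).
    """
    cum_hazard_now = (age / scale) ** shape
    cum_hazard_next = ((age + 1) / scale) ** shape
    return 1.0 - math.exp(-(cum_hazard_next - cum_hazard_now))


@dataclass(frozen=True)
class Pole:
    pole_id: str
    age: float
    capex: float  # cost of proactive replacement ($)
    # bucket -> (LoC: likelihood of consequence given failure, CoC: cost in $)
    consequences: dict


def make_pole(pole_id, age, capex, safety_loc, reliability_loc, fire_loc):
    """Build a pole with the four consequence buckets named in the text.
    Reactive repair is modelled as 20% dearer than proactive replacement."""
    return Pole(pole_id, age, capex, {
        "repair": (1.0, 1.2 * capex),
        "safety": (safety_loc, 2_000_000.0),         # assumed safety-incident cost
        "reliability": (reliability_loc, 20_000.0),  # assumed outage cost
        "fire": (fire_loc, 50_000_000.0),            # assumed wildfire cost
    })


def risk_cost(pole: Pole) -> float:
    """Annual risk-cost: PoF x sum over buckets of LoC x CoC."""
    pof = annual_pof(pole.age)
    return sum(pof * loc * coc for loc, coc in pole.consequences.values())


def decide(pole: Pole) -> str:
    """Decision framework: replace when avoided risk-cost exceeds replacement CapEx."""
    return "replace" if risk_cost(pole) > pole.capex else "defer"


def select_within_budget(poles, budget, key):
    """Greedy selection in the priority order given by `key`.
    Returns (selected ids, CapEx spent, annual risk-cost avoided)."""
    chosen, spent, avoided = [], 0.0, 0.0
    for pole in sorted(poles, key=key, reverse=True):
        if spent + pole.capex <= budget:
            chosen.append(pole.pole_id)
            spent += pole.capex
            avoided += risk_cost(pole)
    return chosen, spent, avoided


def age_based(poles, budget):
    """Like-for-like replacement of the oldest poles first."""
    return select_within_budget(poles, budget, key=lambda p: p.age)


def risk_based(poles, budget):
    """Prioritise by benefit ratio risk-cost / CapEx (assumed reading of the text)."""
    return select_within_budget(poles, budget, key=lambda p: risk_cost(p) / p.capex)


# Constructed sample poles: ids, ages, CapEx and exposures are made up.
SAMPLE_POLES = [
    make_pole("P1", age=10, capex=12_000, safety_loc=0.05, reliability_loc=0.5, fire_loc=0.001),
    make_pole("P2", age=70, capex=12_000, safety_loc=0.05, reliability_loc=0.5, fire_loc=0.01),
    make_pole("P3", age=70, capex=12_000, safety_loc=0.01, reliability_loc=0.1, fire_loc=0.0),
    make_pole("P4", age=50, capex=12_000, safety_loc=0.05, reliability_loc=0.5, fire_loc=0.01),
    make_pole("P5", age=55, capex=20_000, safety_loc=0.05, reliability_loc=0.5, fire_loc=0.01),
]

if __name__ == "__main__":
    for p in SAMPLE_POLES:
        print(f"{p.pole_id}: age {p.age:>3}, PoF {annual_pof(p.age):.4f}, "
              f"risk-cost ${risk_cost(p):,.0f} -> {decide(p)}")
    for name, fn in (("age-based", age_based), ("risk-based", risk_based)):
        ids, spent, avoided = fn(SAMPLE_POLES, budget=30_000)
        print(f"{name}: replace {ids}, CapEx ${spent:,.0f}, risk-cost avoided ${avoided:,.0f}")
```

Pole P3 is as old as P2 but sits in a low-exposure location, so the age-based rule spends budget on it while the risk-based rule skips it in favour of the younger but far higher-consequence P4; that is the difference between the two approaches that the pilot quantifies.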
Conclusion and Recommendations:
Next Steps: Conduct further analysis. See attached presentation for details.
Digital Twin used to conduct physical and cyber audit (IoT/OT) to assess risk and ensure compliance (ISO 26443)
Movable bridges.
Objective:
The Objective was..
Tools and Techniques:
The tools used in this project were...
Process & Methodology:
The process used in...
Findings and Results:
Conclusion and Recommendations:
Digital Twin used to conduct physical and cyber audit (IoT/OT) to assess risk and ensure compliance (ISO 26443)
Airport Operations.
Objective:
The Objective was..
Tools and Techniques:
The tools used in this project were...
Process & Methodology:
The process used in...
Findings and Results:
Conclusion and Recommendations:
Digital Twin used to conduct physical and cyber audit (IoT/OT) to assess risk and ensure compliance (ISO 26443)
Secure Shipping.
Objective:
The Objective was..
Tools and Techniques:
The tools used in this project were...
Process & Methodology:
The process used in...
Findings and Results:
Conclusion and Recommendations:
Digital Twin Infrastructure Risk Assessment and Compliance Management in Nepal
Hydro Electric power-gen (new construction)
Hydro Electric power-gen IoT/OT
Objective:
The Objective was..
Tools and Techniques:
The tools used in this project were...
Process & Methodology:
The process used in...
Findings and Results:
Conclusion and Recommendations: