Services
Security programs built for how you actually operate.
Every engagement is scoped to your environment. Here’s what I offer and what you get from each.
Gap Assessment
Know where you stand against a framework before you spend a dollar on controls
A structured evaluation of your current security posture against NIST CSF 2.0, ISO 27001, SOC 2, HIPAA, or another applicable framework. Every control is assessed, findings are documented, and you get a prioritized roadmap — not a list of everything wrong with no direction on what matters first.
What you get
Scoped assessment against your chosen framework
Control-by-control findings with evidence notes
Risk register with scored and prioritized findings
Executive summary for leadership or stakeholders
Prioritized remediation roadmap
Policy & Procedure Development
Security policies aligned to your environment and your compliance requirements
I write security policies, standards, and procedures that are aligned to your real environment and tailored to your industry requirements. From an overarching information security policy through functional policies and operational procedures — documented in language your team can actually use.
What you get
Information security policy and supporting documents
Functional policies aligned to applicable frameworks
Operational procedures your team can follow
Review and acknowledgment tracking guidance
Asset Management
You can’t protect what you don’t know you have
An accurate asset inventory is the foundation of almost every other security control. I help you establish a documented inventory of your systems, applications, and data assets — and put the processes and ownership structure in place to keep it current after the engagement ends.
What you get
Documented asset inventory across systems and data
Asset classification and ownership assignments
Process documentation for ongoing maintenance
Asset management policy aligned to NIST CSF ID.AM
Third-Party Risk Assessment
Your vendors are part of your attack surface whether you treat them that way or not
A significant share of breaches originate through third-party vendors with access to your systems or data. I evaluate the security posture of your key vendors and partners, identify your exposure, and help you establish a repeatable process for ongoing vendor review.
What you get
Vendor inventory and risk tiering
Security questionnaire and review process
Risk findings with recommended treatment actions
Repeatable vendor review framework you keep
Identity & Access Management
Who has access to what — and whether they should
IAM failures — overprivileged accounts, stale access, missing MFA — are behind a significant share of breaches. I assess your current identity posture and implement controls across Okta, Microsoft Entra ID, and AWS IAM covering least privilege, lifecycle management, MFA enforcement, and SSO configuration.
What you get
IAM posture assessment and gap findings
MFA and SSO implementation across platforms
Least privilege review and access cleanup
User lifecycle and offboarding process documentation
Fractional GRC Retainer
Ongoing security expertise without a full-time hire
Security isn’t a one-time project. A fractional retainer gives you consistent access to GRC expertise on a monthly basis — policy maintenance, risk reviews, compliance monitoring, and a point of contact who actually knows your environment. Priced for organizations that need real coverage without a full-time salary.
What you get
Dedicated monthly advisory hours
Ongoing policy and risk register maintenance
Compliance monitoring and reporting support
Priority response for security questions and incidents
Ready to start?
Not sure which service fits?
Most engagements start with a gap assessment. If you’re unsure where to begin, that’s the right place to start — it tells you exactly where you are and what matters most.