Governance, Risk, Compliance

GRC Risk Assessment

A structured cybersecurity risk assessment project focused on business impact, compliance risk, and remediation recommendations.

Problem

Security gaps matter most when they are connected to business impact. This project practiced turning technical findings into risk language that leadership can prioritize.

What I Did

  • Identified security gaps, vulnerabilities, and compliance risks in a simulated business environment.
  • Mapped risks to HIPAA, FERPA, and PCI DSS concerns.
  • Evaluated likelihood and business impact to prioritize remediation recommendations.
  • Produced professional documentation aligned with governance, compliance, and risk management practices.

Sample Executive Summary

The simulated organization showed elevated risk from inconsistent access review, weak documentation, and limited evidence of control ownership. The recommended priority was to reduce identity and data-handling risk first because those gaps could affect regulated information, audit readiness, and incident response speed.

Controls Mapped

  • CIS Controls: account management, access control management, and audit log management.
  • NIST CSF: identify assets and risk, protect access, detect anomalous activity, and improve response planning.
  • Compliance lens: HIPAA, FERPA, and PCI DSS concepts around sensitive data, access, and documentation.

Framework Thinking

The work connects with the kind of client-ready deliverables I built during my MSP internship, including scored findings, maturity assessment language, and remediation guidance.

Skills Demonstrated

Risk AssessmentCompliance MappingSecurity DocumentationRemediation Planning

Sample Risk Register Row

Risk Likelihood Impact Priority Recommended Action
Stale or excessive user access Medium High High Run quarterly access reviews, remove stale accounts, document owners, and validate privileged roles.

What I Learned

A good GRC artifact should not just list problems. It should explain why they matter, how likely they are, what they could cost the organization, and what should be done next.