GRC · AI Governance · Work Samples

Designing clarity inside complex systems, now at the organizational layer.

I spent years making complex products legible to the people who use them. Now I'm building the governance layer that makes those products worth trusting at the organizational level.

ISC2 CC · In ProgressCompTIA Security+ · In ProgressHIPAA Certified

What I bring to a GRC role

Policy Writing

Most security policy is dense and unusable. I write governance documents that non-technical people can actually read and act on. That is a communication skill. I have been doing it for years, just with different stakes.

HIPAA Working Knowledge

I hold a HIPAA certification and spent time in healthcare-adjacent product design. A patient-facing AI wellness companion. A clinical dashboard system. The regulatory context is not new to me.

Risk Communication

Most technical security people struggle to explain risk to leadership in plain language. That is something I have done across every role I have held, just with different subject matter.

Cross-Functional Instincts

GRC work happens across Legal, IT, Clinical, and Product. I spent years coordinating between teams with different vocabularies and competing priorities. That is the job.

Why this pivot makes sense

My background is in UX and product design. I spent years figuring out how to make complex systems clear to the people who use them. Healthcare apps, financial tools, eCommerce platforms with strict regulatory requirements.

At some point I realized the thing I kept coming back to was not the interface. It was the question underneath it: how do you build something people can actually trust? Not just usable. Trustworthy.

GRC and AI governance are the organizational answer to that question. Policies, risk assessments, compliance frameworks. That is the infrastructure that either earns trust or does not. I want to work on that layer.

My HIPAA background, my MBA, and the compliance instincts I built doing design work for regulated industries all transfer directly. The security certifications are filling in the formal vocabulary. The work samples on this page are me doing the actual work.

Governance work samples

Ten documents across three industries and three fictional organizations. Risk assessments, policies, vendor reviews, training programs, audit prep, and framework mappings. Real document types. Fictional organizations.

All organizations referenced in these work samples are fictional. Documents were created for portfolio purposes only.

  • Risk Assessment
  • Policy
  • Audit Readiness
  • Vendor Risk
  • Risk Register
  • Training Program
  • Incident Response
01 · Risk Assessment

AI Clinical Scribe Tool Risk Assessment

Vantara Health SystemHealthcare / HIPAA
ASSESS-001

Six risks rated by likelihood and impact, with controls mapped to specific HIPAA rule sections.

Classification
Confidential
Owner
Security and Compliance
Version
1.0
Review cycle
Annual

Purpose and Scope

This assessment evaluates the privacy and security risks introduced by ClinScribe AI, an ambient clinical documentation tool that records patient encounters and generates draft clinical notes. The tool processes protected health information (PHI) and integrates with the electronic health record.

Scope covers the audio capture pipeline, the third-party transcription service, the note generation model, and the EHR write-back integration. It does not cover general network infrastructure, which is assessed separately.

Rating Methodology

Each risk is scored on likelihood and impact using a three-point scale. The overall rating is the higher of the two dimensions, escalated one level when both are elevated.

RatingHigh
DefinitionLikely occurrence or severe impact to PHI confidentiality
Response expectationRemediate before production use
RatingMedium
DefinitionPossible occurrence with contained impact
Response expectationMitigate with compensating controls
RatingLow
DefinitionUnlikely occurrence with limited impact
Response expectationMonitor and document acceptance

Risk Register

IDR-01
RiskAudio captured outside the encounter records bystander conversations
LikelihoodMedium
ImpactHigh
RatingHigh
ControlPush-to-talk activation and automatic silence trimming; staff training on capture boundaries
HIPAA164.312(b)
IDR-02
RiskTranscription vendor retains PHI beyond contracted period
LikelihoodMedium
ImpactHigh
RatingHigh
ControlBusiness Associate Agreement with 30-day deletion clause; annual attestation
HIPAA164.504(e)
IDR-03
RiskGenerated note contains fabricated clinical detail not stated by clinician
LikelihoodMedium
ImpactMedium
RatingMedium
ControlMandatory clinician review and sign-off before note is committed to the record
HIPAA164.312(c)(1)
IDR-04
RiskPHI transmitted to model endpoint without encryption in transit
LikelihoodLow
ImpactHigh
RatingMedium
ControlTLS 1.2 or higher enforced; certificate pinning on the mobile client
HIPAA164.312(e)(1)
IDR-05
RiskUnauthorized user accesses draft notes on a shared workstation
LikelihoodMedium
ImpactMedium
RatingMedium
ControlAutomatic session lock after two minutes; unique user authentication
HIPAA164.312(a)(2)(iii)
IDR-06
RiskNo audit trail linking a generated note to the source recording
LikelihoodLow
ImpactMedium
RatingLow
ControlImmutable audit log capturing recording ID, model version, and reviewer
HIPAA164.312(b)

Recommendation

Two high risks (R-01, R-02) must be remediated before ClinScribe AI is approved for production. The remaining risks are acceptable with the listed controls in place. A follow-up review is scheduled 90 days after go-live to confirm control effectiveness.

02 · Risk Assessment

NIST AI RMF Assessment for ClinScribe AI

Vantara Health SystemNIST AI 100-1
ASSESS-AIrmf-001

Full assessment across all four NIST AI RMF functions (GOVERN, MAP, MEASURE, MANAGE) for a high-risk healthcare AI deployment.

Framework
NIST AI 100-1
System
ClinScribe AI
Risk tier
High
Version
1.0

System Profile

ClinScribe AI is an ambient documentation system deployed in outpatient clinics. It is classified as high-risk because it processes PHI and its output informs the clinical record. This assessment maps controls to each of the four NIST AI RMF functions.

GOVERN

SubcategoryAccountability structures defined
StatusMet
EvidenceAI governance committee charter names an accountable owner
SubcategoryPolicies for AI risk documented
StatusMet
EvidenceAI Acceptable Use and Data Classification policies in force
SubcategoryWorkforce AI competency addressed
StatusPartial
EvidenceRole-based training in development, not yet mandatory

MAP

SubcategoryContext and intended use documented
StatusMet
EvidenceUse case brief and clinical scope statement
SubcategoryRisks and benefits catalogued
StatusMet
EvidenceRisk assessment ASSESS-001 completed
SubcategoryThird-party components identified
StatusPartial
EvidenceTranscription vendor mapped; model provenance under review

MEASURE

SubcategoryAccuracy evaluated against ground truth
StatusPartial
EvidencePilot accuracy sampling underway, target not yet met
SubcategoryFabrication and error rates tracked
StatusPartial
EvidenceManual review flags fabricated detail; automated metric pending
SubcategoryMonitoring for drift established
StatusNot met
EvidenceNo production drift monitoring in place

MANAGE

SubcategoryRisks prioritized and treated
StatusMet
EvidenceHigh risks scheduled for remediation before go-live
SubcategoryIncident response covers AI failures
StatusPartial
EvidenceGeneral IR plan exists; AI-specific playbook drafting
SubcategoryDecommission plan defined
StatusNot met
EvidenceNo end-of-life or rollback plan documented

Summary

GOVERN and MAP are largely in place. MEASURE and MANAGE have material gaps, notably drift monitoring and a decommission plan. These gaps must close before the system moves beyond the supervised pilot.

03 · Policy

AI Acceptable Use Policy

Fieldwork Labs, Inc.Tech / SaaS
POL-AI-001

Enterprise policy covering approved AI tool use, prohibited use cases, data handling, and reporting obligations.

Classification
Internal
Applies to
All employees and contractors
Version
2.1
Review cycle
Annual

Purpose

This policy defines the acceptable use of generative and predictive AI tools at Fieldwork Labs. It protects company and customer data while allowing employees to use AI tools that improve their work.

Scope

This policy applies to all employees, contractors, and interns who use AI tools for company work, whether the tool is company-provided or personally acquired.

Approved Tools

The following tools are approved for the data tiers noted. Any tool not listed requires review by the Security team before use with non-public data.

ToolEnterprise assistant (SSO)
Approved forPublic and Internal data
RestrictionNo Confidential or Restricted data
ToolCode assistant (managed)
Approved forSource code, Internal
RestrictionRepositories flagged Restricted are excluded
ToolConsumer chatbots
Approved forPublic data only
RestrictionNo company or customer data of any kind

Prohibited Uses

  • Entering customer personal data, credentials, or secrets into any tool not covered by a data processing agreement.
  • Using AI output as the sole basis for employment, credit, or legal decisions without human review.
  • Generating content that impersonates a real person or misrepresents AI output as human-authored where disclosure is required.
  • Bypassing tool access controls or sharing enterprise tool sessions with unauthorized users.

Data Handling

  • Classify data before entering it into any tool and match it to the approved tool tier.
  • Disable training on prompts where the tool offers the setting and the data is non-public.
  • Treat AI output as draft material subject to the same review as any other work product.

Reporting Obligations

Employees must report suspected data exposure through an AI tool to the Security team within 24 hours of discovery. Reports made in good faith will not result in disciplinary action for the reporting employee.

Enforcement

Violations may result in loss of tool access and disciplinary action up to termination. Repeated or willful violations involving customer data are escalated to Legal.

04 · Policy

Data Classification Policy

Vantara Health SystemHealthcare / HIPAA
POL-DATA-001

Four-tier classification framework for PHI and organizational data, with AI tool restrictions mapped to each tier.

Classification
Internal
Owner
Information Governance
Version
1.3
Review cycle
Annual

Purpose

This policy establishes a consistent framework for classifying data so that handling, storage, and AI tool use align with the sensitivity of the information.

Classification Tiers

TierRestricted
DefinitionPHI and data whose disclosure causes serious harm
ExamplesDiagnoses, treatment records, SSNs, credentials
TierConfidential
DefinitionSensitive internal data not intended for disclosure
ExamplesContracts, employee records, financials
TierInternal
DefinitionData for internal use with limited harm if exposed
ExamplesPolicies, internal memos, project plans
TierPublic
DefinitionData approved for public release
ExamplesMarketing materials, published notices

Handling Requirements

TierRestricted
StorageEncrypted at rest, access logged
TransmissionEncrypted, approved channels only
TierConfidential
StorageEncrypted at rest
TransmissionEncrypted in transit
TierInternal
StorageAccess controlled
TransmissionCompany systems
TierPublic
StorageNo special controls
TransmissionNo restriction

AI Tool Restrictions by Tier

TierRestricted
AI tool useProhibited in all AI tools without a signed BAA and Security approval
TierConfidential
AI tool usePermitted only in enterprise tools with training disabled
TierInternal
AI tool usePermitted in approved enterprise tools
TierPublic
AI tool usePermitted in any approved tool

Responsibilities

  • Data owners assign and review the classification of data they control.
  • All workforce members apply handling rules matching the assigned tier.
  • Information Governance audits classification accuracy annually.
05 · Audit Readiness

HIPAA Security Rule Audit Readiness Checklist

Vantara Health SystemHealthcare / HIPAA
ARC-HIPAA-001

Pre-audit checklist mapped to all administrative, physical, and technical safeguard requirements under 45 CFR Part 164.

Reference
45 CFR Part 164
Owner
Security and Compliance
Use
Pre-audit readiness
Version
1.0

Administrative Safeguards

  • Security risk analysis completed and current164.308(a)(1)(ii)(A)
  • Risk management process documented and active164.308(a)(1)(ii)(B)
  • Sanction policy for workforce violations in place164.308(a)(1)(ii)(C)
  • Workforce security and access authorization defined164.308(a)(3)
  • Security awareness training delivered and logged164.308(a)(5)
  • Incident response and reporting procedures maintained164.308(a)(6)
  • Contingency and data backup plans tested164.308(a)(7)
  • Business Associate Agreements executed for all vendors164.308(b)(1)

Physical Safeguards

  • Facility access controls and visitor logs in place164.310(a)(1)
  • Workstation use policy defines acceptable locations164.310(b)
  • Workstation security controls prevent unauthorized viewing164.310(c)
  • Device and media disposal and reuse procedures documented164.310(d)(1)

Technical Safeguards

  • Unique user identification enforced for all accounts164.312(a)(2)(i)
  • Automatic logoff configured on clinical workstations164.312(a)(2)(iii)
  • Encryption and decryption applied to PHI at rest164.312(a)(2)(iv)
  • Audit controls record access to systems with PHI164.312(b)
  • Integrity controls protect PHI from improper alteration164.312(c)(1)
  • Transmission security protects PHI in transit164.312(e)(1)

Readiness Note

Each item should have supporting evidence attached before the audit window opens. Items without current evidence are treated as open findings and prioritized for remediation.

06 · Audit Readiness

SOC 2 Type II Readiness Assessment

Fieldwork Labs, Inc.Tech / SaaS
ARC-SOC2-001

Gap analysis across 39 Trust Services Criteria controls in Security, Availability, and Confidentiality categories, with a prioritized remediation roadmap.

Framework
AICPA TSC 2017
Categories
Security, Availability, Confidentiality
Controls
39 in scope
Window
6-month Type II

Assessment Scope

This readiness assessment prepares Fieldwork Labs for a SOC 2 Type II examination covering the Security, Availability, and Confidentiality trust services categories. It evaluates 39 in-scope controls against the AICPA criteria and identifies gaps to close before the observation window opens.

The Processing Integrity and Privacy categories are excluded from this examination and will be considered in a future cycle.

Readiness by Category

CategorySecurity (Common Criteria)
Controls27
Ready21
Gaps6
StatusOn track
CategoryAvailability
Controls7
Ready6
Gaps1
StatusOn track
CategoryConfidentiality
Controls5
Ready3
Gaps2
StatusAt risk

Control Gap Detail

RefCC6.1
ControlLogical access provisioning
FindingAccess reviews run ad hoc rather than quarterly
SeverityHigh
RefCC6.6
ControlBoundary protection
FindingWAF deployed but rules not tuned to app traffic
SeverityMedium
RefCC7.2
ControlSecurity monitoring
FindingAlerting exists; on-call runbook not documented
SeverityMedium
RefCC8.1
ControlChange management
FindingEmergency changes lack retroactive approval records
SeverityHigh
RefA1.2
ControlCapacity monitoring
FindingThresholds set; no documented review cadence
SeverityLow
RefC1.2
ControlConfidential data disposal
FindingNo evidence of periodic secure deletion runs
SeverityHigh

Remediation Roadmap

  • Formalize quarterly access reviews with sign-off before window opensPriority 1
  • Document change approval workflow including emergency change pathPriority 1
  • Establish and log periodic secure deletion of confidential dataPriority 1
  • Tune WAF rules and record a review cadencePriority 2
  • Publish security monitoring and on-call runbookPriority 2
  • Set documented capacity review cadencePriority 3

The three Priority 1 items are prerequisites for a clean Type II opinion. They must be operating for the full observation window, so remediation cannot slip past the window start.

07 · Vendor Risk

Vendor Risk Assessment for PeopleBridge HR

Fieldwork Labs, Inc.Tech / SaaS
VRA-2026-004

Pre-onboarding third-party risk review of an HRIS vendor processing confidential employee PII, with contract gap analysis.

Vendor
PeopleBridge HR
Service
HRIS and payroll
Data
Employee PII (Confidential)
Assessment
Pre-onboarding

Vendor Profile

PeopleBridge HR provides a cloud human resources information system and payroll processing. The engagement requires the vendor to store and process employee personal data including names, government identifiers, compensation, and bank details.

Risk Domain Review

DomainSecurity certifications
FindingCurrent SOC 2 Type II provided; scope covers the offered service
RatingLow
DomainData encryption
FindingEncryption at rest and in transit confirmed
RatingLow
DomainAccess controls
FindingRole-based access with SSO; MFA available but not enforced for admins
RatingMedium
DomainSubprocessors
FindingPayroll disbursement subprocessor not disclosed until requested
RatingMedium
DomainIncident notification
FindingContract offers 72-hour notice but excludes subprocessor incidents
RatingHigh
DomainData return and deletion
FindingNo defined return format or deletion timeline on termination
RatingHigh

Contract Gap Analysis

  • Add flow-down breach notification covering all subprocessorsGap 1
  • Enforce MFA for all administrative access to the tenantGap 2
  • Define a 30-day data return window and machine-readable export formatGap 3
  • Require certified deletion within 60 days of terminationGap 4
  • Attach the current subprocessor list as a maintained exhibitGap 5

Recommendation

Onboarding is conditionally approved subject to closing the two high-rated gaps (breach notification flow-down and data return and deletion) in the contract before signature. Medium items should be addressed within the first 90 days.

08 · Risk Register

Enterprise Risk Register

Crestline Financial Group, Inc.Financial Services / GLBA
RR-CREST-001

Living register of ten risks across cybersecurity, operations, regulatory compliance, vendor management, and AI, with inherent and residual scores, owners, and open action items.

Type
Living document
Scoring
Likelihood x Impact (1-5)
Cadence
Quarterly review
Owner
Enterprise Risk Committee

Scoring Method

Each risk carries an inherent score before controls and a residual score after controls are applied. Scores multiply likelihood and impact on a five-point scale, producing a range from 1 to 25. Residual scores drive prioritization and review frequency.

BandHigh
Score range15 to 25
Review frequencyMonthly
BandMedium
Score range7 to 14
Review frequencyQuarterly
BandLow
Score range1 to 6
Review frequencySemi-annual

Register

IDRR-01
RiskRansomware disrupts core banking systems
CategoryCybersecurity
Inherent20
Residual9
OwnerCISO
IDRR-02
RiskGLBA Safeguards Rule noncompliance finding
CategoryRegulatory
Inherent16
Residual6
OwnerCompliance
IDRR-03
RiskCritical vendor outage halts payment processing
CategoryVendor
Inherent15
Residual10
OwnerVendor Mgmt
IDRR-04
RiskEmployee mishandles nonpublic personal information
CategoryOperations
Inherent12
Residual6
OwnerOperations
IDRR-05
RiskAI credit model produces biased outcomes
CategoryAI
Inherent16
Residual12
OwnerModel Risk
IDRR-06
RiskPhishing leads to credential compromise
CategoryCybersecurity
Inherent16
Residual7
OwnerCISO
IDRR-07
RiskBusiness continuity plan fails in regional outage
CategoryOperations
Inherent15
Residual8
OwnerOperations
IDRR-08
RiskUnlicensed money movement in a new state
CategoryRegulatory
Inherent12
Residual5
OwnerLegal
IDRR-09
RiskFourth-party subprocessor breach exposes data
CategoryVendor
Inherent15
Residual11
OwnerVendor Mgmt
IDRR-10
RiskAI vendor changes model without notice
CategoryAI
Inherent12
Residual9
OwnerModel Risk

Open Action Items

  • Complete tabletop test of ransomware recovery runbookRR-01
  • Stand up bias monitoring dashboard for the credit modelRR-05
  • Require model-change notification clause in AI vendor contractsRR-10
  • Extend subprocessor disclosure requirement to fourth partiesRR-09
  • Validate failover for the payment processing dependencyRR-03

The two AI risks (RR-05, RR-10) show the smallest gap between inherent and residual scores, reflecting that controls for third-party model behavior are still maturing.

09 · Training Program

Security Awareness Training Program

Crestline Financial Group, Inc.Financial Services / GLBA
SAT-PRG-001

Behavior-change-focused security awareness program across six content pillars, with phishing simulation metrics and GLBA Safeguards Rule alignment.

Audience
All employees
Cadence
Monthly modules
Regulation
GLBA Safeguards Rule
Version
1.0

Program Objectives

The program aims to reduce human-driven security incidents by changing behavior, not just delivering content. Success is measured by phishing simulation performance and reporting rates rather than completion alone.

Content Pillars

  • Phishing and social engineering recognition
  • Handling customer financial data and nonpublic personal information
  • Password hygiene and multi-factor authentication
  • Safe remote and mobile working
  • Incident reporting and escalation
  • Physical and clean-desk security

Phishing Simulation Metrics

QuarterQ1
Click rate18%
Report rate22%
TrendBaseline
QuarterQ2
Click rate11%
Report rate41%
TrendImproving
QuarterQ3
Click rate7%
Report rate58%
TrendImproving
QuarterQ4
Click rate5%
Report rate66%
TrendOn target

Target: click rate below 8% and report rate above 60% by year end. Both targets met in Q4.

GLBA Safeguards Rule Alignment

RequirementEmployee training on the information security program
How the program addresses itMonthly modules assigned to all staff with tracked completion
RequirementAwareness of safeguards for customer information
How the program addresses itDedicated pillar on nonpublic personal information handling
RequirementRegular testing of key controls
How the program addresses itQuarterly phishing simulations with remediation for repeat clickers
10 · Incident Response

Incident Response Plan

Vantara Health SystemHealthcare / HIPAA
IRP-VHS-001

Seven-phase IRP covering preparation through post-incident review, with HIPAA breach risk assessment framework and notification timelines.

Reference
HIPAA Breach Notification Rule
Owner
Incident Response Team
Activation
24/7 on-call
Version
1.2

Purpose

This plan defines how Vantara Health System detects, responds to, and recovers from security incidents involving protected health information. It establishes roles, phases, and notification obligations consistent with the HIPAA Breach Notification Rule.

Response Phases

Phase1. Preparation
ObjectiveMaintain readiness
Key actionsTooling, on-call roster, and tested runbooks
Phase2. Detection
ObjectiveIdentify potential incidents
Key actionsAlert triage and initial classification
Phase3. Analysis
ObjectiveConfirm scope and impact
Key actionsDetermine systems and PHI involved
Phase4. Containment
ObjectiveLimit the damage
Key actionsIsolate affected systems and revoke access
Phase5. Eradication
ObjectiveRemove the cause
Key actionsRemediate vulnerability and remove threat
Phase6. Recovery
ObjectiveRestore operations
Key actionsValidate integrity and return to service
Phase7. Post-Incident
ObjectiveLearn and improve
Key actionsRoot cause review and control updates

Severity Classification

SeverityCritical
DefinitionConfirmed PHI exposure or core system outage
EscalationImmediate executive and legal notification
SeverityMajor
DefinitionContained incident with potential PHI risk
EscalationIR lead and Privacy Officer within 1 hour
SeverityMinor
DefinitionNo PHI risk and limited operational impact
EscalationLogged and handled by on-call analyst

HIPAA Breach Risk Assessment

When PHI is involved, a four-factor assessment determines whether an impermissible use or disclosure is a reportable breach.

  • Nature and extent of the PHI, including identifiers and likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk to the PHI has been mitigated.

Notification Timelines

RecipientAffected individuals
TriggerConfirmed reportable breach
DeadlineWithout unreasonable delay, no later than 60 days
RecipientHHS (500 or more)
TriggerBreach affecting 500+ individuals
DeadlineWithin 60 days of discovery
RecipientHHS (fewer than 500)
TriggerSmaller breach
DeadlineAnnual log within 60 days of year end
RecipientMedia
TriggerBreach affecting 500+ in a state
DeadlineWithout unreasonable delay, no later than 60 days

The 60-day clock starts on discovery, not confirmation. The breach risk assessment should be completed early so notification is not compressed against the deadline.

Certification roadmap

  1. ISC2 Certified in Cybersecurity (CC)

    In Progress

    Starting here because it's the fastest way to get a legitimate credential on paper while I study for Security+. The content overlaps enough that it doubles as prep.

  2. CompTIA Security+

    In Progress

    The one that actually unlocks job applications. Most GRC postings list it as a requirement. Everything else I'm building is context. This is the ticket.

  3. CompTIA CySA+

    Planned

    The next step after Security+ lands me a role. By the time I sit for this one I'll have real work experience to pull from, which makes the exam content click differently.

  4. IAPP AIGP (AI Governance Professional)

    Planned

    The cert that maps directly to where I want to go. EU AI Act, NIST AI RMF, ISO 42001. This is the one that makes AI Governance Specialist a realistic title rather than an aspiration.

  5. CISSP

    Long-term

    Long-term. Five years of experience required. I'm starting the clock now.

Target title: AI Governance Specialist

Background

Current focus
GRC and AI governance transition
Previous work
UX and Product Design across healthcare, fintech, and eCommerce
Certs in progress
ISC2 CC, CompTIA Security+
Industries
Healthcare, financial services, consumer goods, SaaS
Regulatory background
HIPAA Privacy Rule, HIPAA Security Rule, GLBA Safeguards Rule, EU AI Act (study), NIST AI RMF
Education
MBA in Marketing, Grand Canyon University / BS in Communications, Biola University