Governance
I build policies, standards, control expectations, and documentation that make security programs easier to own.
Hello, I Am
I turn security requirements into clear controls, usable evidence, and confident decisions.
I am a cybersecurity governance, risk, and compliance practitioner focused on making security programs clearer, more accountable, and easier to operate.
My work connects policy, audit evidence, control frameworks, risk registers, and remediation planning. I like the point where a finding becomes a decision and documentation becomes something a team can actually use.
In these projects, I worked across ISO/IEC 27001, CIS Controls v8.1, NIST CSF 2.0, CIS RAM, HIPAA, PCI DSS, GDPR, incident response, vulnerability review, vendor risk, and business continuity.
I group my skills by the work they support: governance, risk, compliance, documentation, operations readiness, and professional communication.
I build policies, standards, control expectations, and documentation that make security programs easier to own.
I connect cybersecurity risk to business impact, ownership, likelihood, and practical treatment options.
I interpret framework expectations and prepare audit-friendly evidence, reports, and gap analysis outputs.
I write clear materials that help technical and non-technical stakeholders act with confidence.
I support readiness through incident planning, vulnerability review, continuity planning, and vendor workflows.
I bring structure, communication, collaboration, and judgment to cybersecurity engagements.
ISC2
2024
Google Career Certificates
2024
Professional Development Path
Future
ISACA
Future
Case studies
I organized each project around the same question: what did I need to clarify, what evidence or method did I use, and what changed because of the work?
Policy Development & Review
Objective: Develop, review, and align cybersecurity policies with organizational needs, compliance obligations, and industry standards.
Process: I moved from baseline research through inventory, gap analysis, drafting, peer review, and final delivery.
Result: Produced policy governance libraries grouped by baseline and compliance-specific needs. Delivered gap analysis findings with remediation recommendations. Updated standards for MFA, vendor onboarding, and current compliance expectations.
Audit & Control Testing
Objective: Conduct a comprehensive cybersecurity assessment and translate control gaps into business-focused recommendations.
Process: I scoped critical systems, mapped frameworks into one control view, gathered evidence, tested controls, ranked risk, and shaped the final report.
Result: Created an internal audit report with executive summary and technical appendix. Identified gaps such as limited log monitoring and backup RPO weaknesses. Prioritized remediation by business impact, likelihood, and compliance consequences.
CIS RAM Methodology
Objective: Run a structured cybersecurity risk assessment covering assets, threats, vulnerabilities, scoring, and treatment planning.
Process: I converted risk discovery into a prioritized register with clear treatment paths across mitigation, transfer, acceptance, and avoidance.
Result: Built a risk register across data, systems, and business-process assets. Assessed threats including malware, phishing, insider misuse, and supply-chain attacks. Created a risk treatment plan that connected decisions to business context.
Vendor Security Review
Objective: Evaluate suppliers and third-party vendors for cybersecurity risk, control maturity, and onboarding readiness.
Process: I identified vendors, built assessment questionnaires, reviewed security documentation, scored risk, and shaped monitoring recommendations.
Result: Delivered a third-party risk assessment report and vendor rating matrix. Recommended contractual controls, remediation requests, and ongoing monitoring steps. Created an onboarding and monitoring framework for repeatable vendor reviews.
Playbooks & Tabletop Exercise
Objective: Develop an incident response capability and validate the response workflow through tabletop exercises.
Process: I created incident response policy, built phishing, ransomware, and insider-threat playbooks, facilitated a tabletop, and captured lessons learned.
Result: Delivered an incident response plan with scenario-specific playbooks. Produced an after-action report that translated exercise observations into improvements. Strengthened crisis coordination, documentation, and escalation readiness.
Human-Centered Security
Objective: Improve organizational security awareness through structured training materials, sessions, and learning evaluation.
Process: I assessed training needs, developed presentations, posters, and quizzes, delivered sessions, and evaluated learning outcomes.
Result: Built awareness content focused on practical, everyday cyber risk. Supported safer user behavior through structured education and assessment. Strengthened public speaking, training delivery, and security communication skills.
Remediation Strategy
Objective: Review vulnerability findings and prioritize remediation activity according to severity, exposure, and operational impact.
Process: I analyzed penetration testing reports, categorized findings, developed remediation strategy, and tracked progress across fixes.
Result: Created a vulnerability register with critical, high, medium, and low findings. Defined remediation actions including patching, configuration hardening, and segmentation. Improved the path from technical finding to tracked security improvement.
Control Alignment
Objective: Compare major cybersecurity frameworks and recommend adoption strategies that fit governance and control needs.
Process: I studied ISO/IEC 27001, CIS Controls v8.1, and NIST CSF 2.0, then cross-mapped common control expectations into recommendations.
Result: Built a control mapping matrix across leading cybersecurity frameworks. Reduced duplicate control language by grouping overlapping expectations. Produced recommendations for framework adoption and implementation strategy.
BC/DR Planning
Objective: Develop business continuity and disaster recovery capabilities aligned to critical business operations and recovery targets.
Process: I conducted business impact analysis, identified RTO and RPO needs, designed recovery strategies, built a BC/DR plan, and recommended exercises.
Result: Documented critical business functions and recovery expectations. Recommended backup, alternate-site, cloud recovery, and simulation strategies. Connected IT recovery planning to operational resilience and business priorities.
My resume gives the shorter version: governance-first cybersecurity support across policy development, internal audit, risk assessment, control mapping, compliance awareness, technical documentation, and executive communication.
Download Resume
“Osen makes security expectations easier to understand. Her work connects controls, evidence, and ownership in a way teams can act on.”
Security Program Reviewer
GRC portfolio review
“The strongest signal in her case studies is communication. She explains risk without losing the business context behind it.”
Cybersecurity Mentor
Professional feedback
“Her portfolio makes the audit trail feel practical. I can see how each artifact supports the next decision.”
Risk Program Lead
Portfolio review