Current Professional Activities
I currently provide consulting and business advisory services to clients and most of my work is done remotely. A large portion of my time is spent assisting clients in identifying and addressing information technology risks and controls associated with cloud technologies including Microsoft Azure, Intune, and Office 365 as well as Amazon AWS. I also provide services addressing client compliance and third-party vendor risk management programs.
In providing services to clients I utilize best practice control frameworks, guidance, and regulations from sources including the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), Cloud Security Alliance, Secure Controls Framework, and AICPA Trust Services.
Former 30+ Year Career With The State of Georgia
With technical, managerial, and executive roles ranging from IT Business Solutions Analyst to Deputy Director over a span of 30+ years within the agency tasked to independently audit and assess the State of Georgia’s 170+ agencies, universities, and colleges, I’m a seasoned professional well-versed in the benefits as well as the risks associated with information technology systems.
As an Audit Manager, I planned, designed, executed, reviewed, and managed audits to assess and improve the effectiveness, efficiency, and accountability of government operations throughout the State of Georgia. This experience provided me with an appreciation of the three main goals necessary for information security: protection from unauthorized access (confidentiality), protection from unauthorized changes (integrity), and accessibility by authorized users (availability) from the business operations point of view.
Subsequently, as an IT Auditing Specialist, I designed and conducted an independent review of the State’s Y2K readiness based upon a U.S. Government Accountability Office (U.S. GAO) framework, which led to increased attention and efforts by State officials to achieve compliance. I later established the Information Systems Audit & Assurance Services Division and as its Deputy Director provided direct day-to-day oversight, management, and supervision of all IT audit staff involved in planning, designing, and executing general and application controls reviews as well as targeted security reviews (e.g., vulnerability and penetration tests) of information systems throughout the State. I also developed and implemented an open-source electronic document management system for audit planning, execution, work paper storage, and audit metrics based on best practices and frameworks including the National Institute of Standards and Technology (NIST), the U.S. GAO’s Federal Information System Controls Audit Manual (FISCAM), and the Information Systems Audit and Control Association’s COBIT framework for IT governance and control.
As an IT Business Solutions Analyst, I utilized business intelligence, data quality, and database tools including Hitachi Pentaho Data Integration, Qlik Sense, Microsoft Power BI, Tableau, and Arbutus Analyzer to profile, extract, transform, load, and analyze millions of Health Insurance Portability and Accountability Act (HIPAA)-covered healthcare records associated with Georgia’s Medicaid program. Medicaid claims data and KPIs/metrics were then provided to the Attorney General of Georgia’s Medicaid Fraud Control Unit to assist in their investigation and prosecution of fraud and abuse by Georgia Medicaid program providers.
As a private citizen and advocate of professional collaboration as well as data protection and privacy, I developed two “one-way” cryptographic hashing applications to securely protect sensitive or private information from disclosure. Proper use of these programs allows organizations, businesses, and individuals (i.e., the data owners) to share complete data sets with others without actually disclosing the sensitive or private data, thereby eliminating costly time and effort previously required to remove the data prior to sharing. Additionally, if such data sets are subsequently modified or enhanced through value-added services or products provided by other organizations or individuals and then returned, data owners retain the ability to “re-map” the hashed sensitive data values back to their original values.
I graduated from Tennessee Technological University with a Bachelor of Science in Business Management (Concentration: Management Information Systems) and a Master of Business Administration (MBA) in Management. I formerly was a Certified Information Systems Auditor (CISA) (current CISA status is Retired) and also hold a National Security Agency INFOSEC Assessment Methodology (IAM) certificate.
I’m a nationally certified Emergency Medical Responder, Firefighter, and Swiftwater Rescue Technician with our local volunteer fire department. I was formerly a private pilot, initial co-founder of three non-profit organizations, and served multiple years on two private Christian school boards and three church boards.
When not working or volunteering with the fire department or national park, my wife and I enjoy camping, cycling, hiking and backpacking, and spending time with our children and grandchildren.
Cyber Security and Cyber Risk
Regulatory & Best Practices Compliance
Third-Party Vendor Risk Management