
Bhavana Galla

Summary

Cybersecurity GRC Consultant and Compliance Specialist with expertise in designing governance frameworks and auditing compliance against ISO 27001, NIST SP 800-53, and FedRAMP standards. Specializes in third-party risk management, operational resilience, and developing dashboards for regulatory compliance and risk metrics. Experienced in conducting control gap assessments and authoring security policies to enhance audit readiness in regulated sectors.

Overview

9 years of professional experience
1 Certification

Work History

Operational Resilience Manager

Standard Chartered Bank
02.2023 - 07.2025
  • Managed ISMS audit cycles, executing rigorous control gap assessments and maintaining strict organizational alignment with ISO 27001 standards.
  • Cross-mapped enterprise ISO 27001 banking controls against NIST SP 800-53 Rev 5 baselines to ensure continuous audit readiness and compliance for highly regulated public sector and cross-border portfolios.
  • Evaluated vendor compliance using TPRM framework, reviewing FedRAMP authorization packages, SOC 2 Type II reports, and GDPR provisions to mitigate global supply chain risks.
  • Directed end-to-end ISMS and SOC 2 Type II audit cycles, leading control gap assessments, facilitating formal remediation plans, maintaining ISO 27001 alignment, and coordinating audit walkthroughs with compliance and technical stakeholders.
  • Managed vendor onboarding evaluations, analyzing third-party security posture and validating mandatory security clauses to reduce potential external risks.
  • Maintained the corporate enterprise risk register within MetricStream (M7), building custom compliance dashboards for executive leadership to track open audit findings, control exceptions, threat postures, and regulatory compliance metrics.
  • Led enterprise-wide business continuity and disaster recovery efforts, achieving RTO/RPO compliance, conducting plan validation through simulations, and ensuring readiness across critical systems and business operations.
  • Facilitated enterprise crisis response coordination, activating incident war rooms, enabling structured decision-making, and ensuring rapid recovery through predefined escalation and communication protocols.
  • Authored, version-controlled, and enforced enterprise-wide security policies, incident response procedures, and escalation frameworks across global operations.
  • Led Business Impact Analyses (BIA), identifying critical business functions, mapping upstream/downstream interdependencies, and establishing recovery priorities aligned with operational risk and recovery time objectives.
  • Authored, version-controlled, and enforced operational resilience policies, security standards, incident response procedures, and escalation frameworks across global operations, business, IT, and GRC teams.
  • Partnered with infrastructure and GRC teams to integrate resilience controls into cloud and on-prem environments, validating backups, reviewing failover capabilities, and ensuring risk-aligned deployments.
  • Delivered operational readiness training and facilitated tabletop exercises, enhancing crisis response through department-level scenario testing and post-event analysis.

Security & Resilience Analyst

Cognizant
10.2021 - 02.2023
  • Conducted internal ISO 27001 audits using RSA Archer, identifying control gaps and overseeing automated remediation workflows to enhance compliance across business units.
  • Supported vulnerability management compliance by analyzing weekly Qualys scans, tracking CVSS metrics, and integrating findings into ServiceNow GRC for mitigation tracking.
  • Managed identity and access governance via Azure AD and Okta, executing quarterly entitlement audits and enforcing segregation of duties (SoD) across systems.
  • Evaluated corporate endpoint compliance, utilizing CrowdStrike and antivirus reporting tools to validate encryption baselines and patch management compliance.
  • Designed phishing simulation campaigns and security awareness initiatives, analyzing behavioral trends to mitigate human-centric security risks.
  • Collaborated with DevOps teams to establish security baselines within CI/CD pipelines, ensuring secret scanning and secure coding policy adherence.
  • Governed the enterprise vulnerability management lifecycle by analyzing weekly Qualys scans, prioritizing critical/high flaws via CVSS scoring, and tracking remediation SLAs within ServiceNow GRC.
  • Partnered with infrastructure and endpoint teams to drive patch management compliance, managing risk exceptions for legacy systems, and validating vulnerability closure.
  • Governed the enterprise vulnerability management lifecycle, analyzing weekly Qualys scans, prioritizing high/critical vulnerabilities via CVSS scoring, and tracking remediation SLAs inside ServiceNow GRC.
  • Developed and monitored Plans of Action and Milestones (POA&Ms) for identified system flaws, managing risk exception processes and documenting compensating controls to strengthen corporate risk posture.
  • Conducted internal readiness assessments for CMMC 2.0 (Level 2 Scoping), mapping data flows of sensitive information (PII/CUI) to identify control gaps across corporate networks, retail supply chains, and SaaS platforms.
  • Utilized RSA Archer to automate compliance workflows, streamlining evidence collection, internal ISO 27001 gap assessments, and control lifecycle workflows from initiation to closure across business units.
  • Evaluated corporate endpoint compliance, utilizing CrowdStrike, antivirus monitoring, and encryption tracking tools to validate patch levels and asset baselines across corporate Windows environments using automated reporting tools.
  • Managed identity and access governance via Azure AD and Okta, enforcing least-privilege access, executing quarterly entitlement audits, implementing MFA/SSO, and remediating escalated access violations across critical systems.
  • Liaised with DevOps and Cloud Engineering teams to govern secure coding and cloud infrastructure baselines, validating secret scanning and policy compliance within deployment pipelines.
  • Orchestrated phishing simulations and security awareness programs, designing campaigns and analyzing user behavior metrics to reduce human-centric risk and satisfy regulatory user-training mandates.
  • Authored comprehensive security documentation, including SOPs, control definitions, change control guidelines, and policy validations, contributing directly to audit walkthroughs with internal and external assessors.
  • Client: Loblaw Retail

Security & GRC Analyst

HCL Technologies
05.2019 - 10.2021
  • Integrated RSA Archer to manage control attestations and risk assessments, while connecting endpoint compliance data into GRC reporting to build unified dashboards.
  • Coordinated quarterly user access reviews for heavily regulated applications, reconciling IAM accounts against HR systems to guarantee least-privilege compliance.
  • Executed vendor onboarding risk assessments, documenting policy exceptions and conducting specialized TPRM reviews for offshore teams accessing production environments.
  • Created detailed cybersecurity RFP responses by evaluating internal security postures against frameworks such as ISO 27001, NIST, and HIPAA.
  • Developed audit readiness SOPs, defining evidence storage architecture and facilitating seamless walkthroughs with external regulatory auditors.
  • Participated in application threat modeling sessions, tracking compliance gaps across data flows and trust boundaries to feed the centralized risk register.
  • Reviewed security measures for marketing campaigns to ensure PII protection and GDPR/regulatory alignment.
  • Authored and maintained System Security Plans (SSPs) and baseline documentation mapped directly to NIST SP 800-171 and HIPAA Security Rules to support commercial contracts requiring federal alignment.
  • Integrated RSA Archer with continuous technical monitoring feeds, pulling endpoint compliance data and managing control attestations to construct unified security and GRC reporting dashboards for client stakeholders.
  • Built executive dashboards tracking SLA adherence, remediation metrics, and audit performance, enabling leadership visibility into security posture and control effectiveness.
  • Developed and maintained BCP and DR policies aligned with financial and healthcare regulations, authoring technical test plans, and tracking simulation results to improve enterprise recovery capabilities and audit alignment.
  • Coordinated quarterly user access reviews for heavily regulated applications by reconciling IAM provisioning data with HR records and enforcing segregation of duties (SoD) for finance and healthcare systems.
  • Executed specialized vendor onboarding risk assessments, managing the TPRM lifecycle, validating vendor data handling policies, and conducting specialized risk reviews for offshore development teams with production access.
  • Participated in application threat modeling sessions, analyzing control coverage and collaborating with teams to strengthen security around data flows, trust boundaries, and compliance gaps.
  • Designed SOPs for audit readiness, defining evidence storage and retrieval processes, and supported ISMS walkthroughs by liaising with internal audit and control owners.
  • Delivered training to IT support teams on endpoint hardening, patching standards, and secure configuration practices aligned with organizational baselines and GRC policies.
  • Created detailed cybersecurity RFP responses by mapping risk controls, scoring security posture, and aligning client-specific needs with frameworks such as ISO 27001, NIST, and HIPAA.
  • Investigated data security incidents, reviewing security measures for marketing campaigns to ensure PII protection, and coordinating legal response and root cause analysis (RCA).
  • Clients: Novartis & CNO Banking

System Administrator

Amara Raja Batteries
07.2016 - 05.2019
  • Governed user access lifecycles across Windows Server and Active Directory environments, enforcing strict least-privilege principles, Group Policies, and separation of duties (SoD).
  • Enforced technical system hardening and baseline compliance across Windows Server and Linux environments, managing Active Directory domains and implementing Group Policies (GPOs) to satisfy access controls.
  • Utilized PowerShell scripting to automate patch verification, significantly reducing the organization's mean time to remediate (MTTR) critical security flaws.
  • Developed PowerShell scripts to automate administrative tasks such as patch verification, user provisioning, and log analysis to maintain security consistency.
  • Conducted weekly asset vulnerability assessments using Nessus, translating technical scanning data into actionable risk remediation plans for system administrators.
  • Oversaw corporate vulnerability assessments using Nessus, conducting weekly scans, translating technical vulnerability reports into prioritized patch management schedules, and contributing to risk remediation meetings.
  • Conducted weekly asset vulnerability assessments using Nessus, tracking patch compliance, and contributing to remediation meetings to enforce endpoint hardening.
  • Utilized PowerShell scripting to automate administrative compliance checks, patch status verification, user provisioning, and server access log analysis, reducing manual auditing times and enhancing data logging integrity.
  • Maintained cloud-based and infrastructure data backup architectures, conducting quarterly failover testing and documenting disaster recovery protocols to validate strict RTO/RPO metrics and operational resilience.
  • Configured DNS, DHCP, and VPN settings for seamless network connectivity, while resolving access escalations and device issues across business units through structured infrastructure support.
  • Participated in endpoint audits to ensure disk encryption, antivirus configuration, and DLP tool compliance, while tracking software licensing across systems.
  • Authored and maintained technical infrastructure documentation including network diagrams, IP schemas, asset inventories, and device configuration baselines for operational transparency and audit readiness.
  • Delivered onboarding sessions to new employees covering endpoint security, acceptable use, password policies, and corporate cybersecurity guidelines.
  • Designed and delivered onboarding sessions for new hires, training staff on acceptable use policies, password hygiene, and organizational cybersecurity guidelines.
  • Coordinated with marketing teams on CRM deployments, performing integration testing, and supporting secure application delivery with appropriate firewall rule configurations, approvals, and rollback plans.

Education

Master of Science - Information Technology

New Mexico State University
Las Cruces, NM
12-2025

Post-Graduation Program - Cyber Security

Gujarat Forensics Science University
02-2019

Bachelor of Technology - Computer Science & Engineering

Sri Padmavati Mahila University
04-2016

Skills

GRC frameworks
  • NIST CSF
  • NIST 800-53/171
  • HIPAA
  • GDPR
  • DFARS 252.204-7012
  • Third-Party Risk Management
  • Policy Architecture
  • ISO/IEC 27001
  • NIST SP 800-171

GRC Platforms
  • RSA Archer GRC
  • ServiceNow GRC
  • MetricStream (M7)
  • Audit Board

Risk & Audit Management
  • Risk management registers
  • Control Mapping
  • Internal Audits
  • Gap Assessments
  • Evidence Collection
  • Vulnerability Remediation Strategies
  • Nessus Scanning
  • CVSS Threat Analysis
  • POA&M Management
  • Risk mapping
  • Risk Exception Workflows
  • IAM governance
  • Vulnerability oversight
  • Endpoint Compliance
  • Operational Resilience Planning
  • Group Policies
  • Patch Automation
  • Log Analysis
  • PowerShell
  • Business Continuity Planning

Cloud, Network & Technical Governance
  • AWS (basic)
  • Azure
  • Windows Server
  • Linux
  • API Security
  • Token Validation
  • OAuth 2.0
  • SSL/TLS
  • Cloudflare
  • Let's Encrypt
  • DNS
  • VPN
  • Firewall Rules
  • Patch control
  • System Hardening
  • Compliance Risk Assessment
  • Plans of Action and Milestones (POA&M)
  • SOPs
  • CISO Dashboards

Certifications
  • CISA
  • ISO 27001 Lead Auditor (LA)
  • Certified Network Security Specialist (CNSS)

Certification

  • CISA
  • ISO 27001 Lead Auditor (LA)
  • Certified Network Security Specialist (CNSS)
