Information Security/Privacy professional with 25 years of experience managing and implementing information security, privacy, risk management, and regulatory compliance programs for public, private, non-profit, and academic organizations. Experienced in developing and managing global information governance, risk, and compliance programs addressing compliance with federally mandated regulations. Proven ability to collaborate and interface with internal and external partners, stakeholders, and customers on all levels.
Solid background in data protection and compliance. Successfully implemented privacy frameworks and policies, ensuring robust data security measures. Demonstrated strong analytical skills and attention to detail in identifying and mitigating potential risks.
Overview
25 years of professional experience
2018 years of post-secondary education
4 Certifications
Work History
Corporate Privacy and Data Protection Officer
Shriners Children’s Hospital (SHC)
11.2021 - Current
Directs the corporate-wide information security and privacy program for international and domestic SHC hospitals
Develops policies, procedures and technology to mitigate data protection liability
The corporate HIPAA Security and Privacy officer responsible for HIPAA, HITRUST, GDPR, Canada’s Privacy Laws, Privacy Laws in Latin America and Mexico
Responsible for the operational risk management program
Responsible for breach notification procedures and incident response
Develops and implements security and privacy education and training programs for 22 hospitals
Collaborates with Information Services, Legal, HR, and medical staff to promote a culture of information security and privacy best practices
Responsible for all data monitoring systems including Data Loss Prevention and Cerner/Epic privacy monitoring
Data Protection/Privacy Officer
Public Health Institute of California
04.2021 - 11.2021
Responsible for information security and privacy for the program’s area of responsibility that included California, Washington, and Oregon
Conducted HIPAA information security and privacy assessments, wrote policies and procedures, reviewed third party Business Associate Agreements, and developed and communicated information security training and awareness updates supporting the remote workforce
Interfaced with California public health organizations and provided information security updates regarding collection and dissemination of PII to the organization’s grant funding sources
Conducted Privacy Impact Assessments and Privacy investigations
Grant Contract—Ending Nov 21
Virtual CISO
NTT Security and Optiv Security
07.2013 - 04.2021
Virtual CISO to multiple clients for multiple industries including financial and healthcare organizations
Led vulnerability risk assessments
Led implementation of cyber security frameworks such as NIST 800-53 and ISO 27001/2
Provided oversight of incident response program
Served as an advisor for Governance, Risk and Compliance Initiatives
Provided leadership in performing regulatory audits
Coordinated disaster recovery processes and procedures
Quantified the value of security initiatives for new products and services
Assessed the cost of security tools and systems and conducted return on investment analysis
Maintained approval process for policy reviews
Conducted internal assessments and provided responses to external audits pertaining to regulatory standards such as SOC, PCI, HIPAA, GDPR, and FedRAMP
Ensured third party systems meet security requirements and align with business requirements
Maintained a risk assessment standard for new systems, including penetration testing and vulnerability scans
Chief Information Security Officer (CISO)
University of Maryland, University College (UMUC)
11.2010 - 07.2013
Recruited for newly created role to direct 20 staff, $1-$2 million budget and key IT Security projects
Set information security strategy, controls, and roadmap for multiple systems and ensured compliance with required regulations
Developed policies, standards, and processes to assess, monitor, report, and remediate risk and compliance program gaps
Managed the security, compliance, and privacy risk assessment process, including reporting and oversight of remediation efforts to address audit findings
Ensured enterprise compliance programs aligned with applicable laws, regulations and policies to minimize or eliminate risk and audit findings
Applicable laws and regulations affecting the University included HIPAA, FERPA, GDPR, FedRAMP, and PCI
Primary point of contact for all IT external audits by the State of Maryland and the University System of Maryland
Worked with enterprise architecture to align new technology initiatives and requirements with emerging enterprise projects
Managed the incident response team, investigated incidents and implemented remediation processes and technologies to mitigate vulnerabilities
Developed technical controls and assessed technology implementation by conducting and reviewing application and system vulnerability results
Worked with senior business leaders, HR, Legal, and Procurement to identify key risk areas and mitigation strategies to implement a new Learning Management System
Managed a team of IT analysts that provided technological support to the business areas
Managed a comprehensive information technology, security and risk management awareness and training program for all faculty, students and staff worldwide
Developed effective disaster recovery policies and standards; coordinated development plans and procedures to ensure that business-critical services were recovered in the event of a declared disaster
Chief Security and Privacy Officer
Securities and Exchange Commission (SEC)
08.2003 - 11.2010
Responsible for IT Security, privacy, risk, compliance, and disaster recovery program oversight
Developed and implemented security policies and procedures using best practice frameworks from both government and industry
Managed the privacy impact program and the IT compliance program
Managed the internal/external audit relationships for the commission
Developed and implemented an audit management and tracking system for compliance with FISMA directives and for Office of Management and Budget (OMB) reporting
Conducted reviews of new technologies and software applications to improve the security of SEC’s infrastructure
Participated in numerous Federal groups and in private sector forums collaborating on securing the national financial infrastructure
Obtained business unit buy-in for the security, risk, and privacy programs
Chaired the SEC’s Security Steering Group, which coordinated across business units to direct the implementation of security policies and program initiatives
Managed a staff of 30 contractors and federal employees and a budget of 8 million dollars
Director Global IT Risk Management
GlaxoSmithKline (GSK)
09.2000 - 01.2003
Developed and implemented an IT security and privacy operations program, including policies, education/training and awareness, and IT business continuity, for an international company with multiple operating platforms and systems
Conducted privacy assessments for worldwide external systems and 600 corporate websites
Developed and implemented information security and privacy policies based on industry best practices such as ISO standards relating to the protection of information assets and intellectual property
Managed the information security risk assessment activities for enterprise IT projects
Established a records management program using holding periods based on regulations applicable to all lines of business
Eliminated a significant volume of documents held in off-site storage and established more effective management of retained documents, resulting in a 40% savings on storage vendor costs and the mitigation of data privacy risks
Identified and mitigated offshore deployment risks, particularly those related to data privacy and security
Created a program to identify these risks and implement appropriate controls to mitigate them, resulting in the maximization of the number of functions deployed and a realized savings of 20% on operational costs
Education
Doctor of Education
Northcentral University
MS - Project Management
National Defense University
BA - International Relations
Pennsylvania State University
Skills
Regulatory compliance evaluation
Certification
CISM
Timeline
Corporate Privacy and Data Protection Officer
Shriners Children’s Hospital (SHC)
11.2021 - Current
Data Protection/Privacy Officer
Public Health Institute of California
04.2021 - 11.2021
Virtual CISO
NTT Security and Optiv Security
07.2013 - 04.2021
Chief Information Security Officer (CISO)
University of Maryland, University College (UMUC)
11.2010 - 07.2013
Chief Security and Privacy Officer
Securities and Exchange Commission (SEC)
08.2003 - 11.2010
Director Global IT Risk Management
GlaxoSmithKline (GSK)
09.2000 - 01.2003
MS - Project Management
National Defense University
BA - International Relations
Pennsylvania State University
Doctor of Education
Northcentral University