Monica Washington

Millsboro, DE

Summary

Results-driven management professional with proven ability to lead teams to success. Strong focus on team collaboration, operational efficiency, and achieving measurable outcomes. Adept at strategic planning, process improvement, and fostering culture of accountability and excellence. Known for adaptability and consistently meeting changing organizational needs.

Overview

20 years of professional experience
1 Certification

Work History

Manager, ITS Cyber Security at Deloitte LLP

Deloitte Consulting
Baltimore, MD
06.2021 - Current

Senior GRC professional with extensive experience designing, governing, and maturing enterprise security programs aligned with regulatory requirements, organizational policies, standards, baselines, and information‑classification frameworks. Skilled in developing security roadmaps and implementing controls across ISO 27001, ISO 22301, ISO 42001, PCI DSS, NIST SP 800‑53, Shared Assessments, FIPS 140‑2, HITRUST, CMMC, SOC 2 Type II, and GDPR. Solid working knowledge of AI governance and model‑risk management, with hands‑on experience conducting AI risk assessments, contributing to AI control design, and supporting explainability and bias evaluation efforts. Experienced in data governance, model validation concepts, identifying AI security risks, and interpreting emerging regulatory requirements. Familiar with responsible AI practices and monitoring considerations such as drift and performance changes. Adept at cross‑functional governance leadership and aligning technical and regulatory requirements with broader enterprise risk strategy.

Professional Competencies:

  • Co‑manage a team of 25 Governance, Risk & Compliance (GRC) professionals responsible for reviewing supplier survey submissions in Aravo TPRM Gateway, determining the need for in‑depth assessments (online, virtual, or onsite), and leveraging Archer as the authoritative system for managing, reviewing, and reporting vendor risk assessments and operational risk levels to leadership and project teams.
  • Oversee the Cyber Vendor Risk Management Quality Assurance Program (QAP), ensuring accuracy, consistency, and audit‑ready documentation across all assessments.
  • Lead the development of training content for new hires and ongoing refresher training for the Vendor Risk Assessment (VRA) team, strengthening program maturity and assessment quality.
  • Manage internal and external SOC 2 compliance audits, coordinating evidence collection, control validation, and remediation activities.
  • Lead the Cybersecurity Mergers & Acquisitions (M&A) program, assessing cyber posture, risks, and integration requirements for acquired entities.
  • Contribute to the development and operation of the Vendor Security Events Team (VSET) program, supporting incident and breach response activities involving third‑party suppliers.
  • Implement process improvements that enhance productivity, streamline workflows, and reduce operational costs across the vendor‑risk lifecycle.
  • Mentor junior managers, fostering professional development, team cohesion, and a culture of continuous improvement.

Lead Risk & Compliance Analyst, ITS Cyber Security

Deloitte Consulting
Charlotte, NC
04.2016 - Current

Senior GRC professional specializing in vendor, cloud, operational, financial, and privacy risk assessments, as well as the development of security roadmaps aligned with legal and regulatory requirements, organizational policies, standards, baselines, procedural documentation, and information‑classification programs. Experienced in applying leading frameworks and regulations including COSO, ISO 27001/27002, PCI DSS 3.2, NIST SP 800‑53, FISMA, FIPS 140‑2, CIS Critical Security Controls, HIPAA, Basel, SOC 2, FFIEC, and GDPR.

  • Review supplier questionnaire submissions in the Aravo TPRM Gateway to determine the need for in‑depth assessments (online, virtual, onsite, or remediation‑focused) based on engagement scope.
  • Utilize RSA Archer GRC 6.6 SaaS to administer workflows and identify, measure, manage, review, monitor, and report vendor risk assessments, inherent risk, and operational risk levels to leadership, business units, and project teams.
  • Collaborate with the Office of General Counsel (OGC), Office of Confidentiality & Privacy (OCP), National Strategic Risk, Cyber Design Studio, Lines of Business (LOBs), vendors, and leadership throughout the vendor‑vetting and assessment lifecycle.
  • Support determination of Privacy Impact Assessment (PIA) requirements when engagements involve PII or Special Handling PII to ensure GDPR compliance.
  • Active member of the Phishing Campaign Team and the Global & US Security Awareness Committees.
  • Contribute to continuous improvement of the VRA cybersecurity process, including enhancements to inherent risk scoring, questionnaires, and risk‑level methodologies, while training and coaching new hires.

Senior Risk & Compliance Professional

Consultant
Remote
08.1993 - 06.2016

Senior IT & Cybersecurity Leader with years of experience guiding organizations through foundational cybersecurity, compliance, and risk management challenges across highly regulated industries. Built and matured security programs during the formative years of modern cybersecurity — conducting in‑depth system, application, and vendor assessments; leading enterprise risk initiatives; and strengthening governance frameworks.

Expert in evaluating third‑ and fourth‑party suppliers, performing enterprise‑wide risk assessments, and validating controls across complex on‑premise infrastructures using ISO 27001/27002, NIST SP 800‑53, PCI DSS, SOX, HIPAA, FFIEC, FISMA, COBIT, GLBA, and SSAE16/SOC1. Former PCI DSS QSA with a proven ability to translate technical findings into actionable remediation strategies and executive‑level insights.

Led IAM governance efforts, access certification initiatives, and policy/standards development while partnering with senior stakeholders across IT, security, audit, compliance, and business leadership. Recognized for strengthening security posture, improving control maturity, and delivering risk‑aligned strategies in environments where manual processes, legacy systems, and limited automation required deep technical expertise and disciplined execution.

Education

Bachelor of Technology - Business Information Systems

Virginia State University
05-1992

Business Administration and Management, General

Edgewood High School, Atco, NJ
01-1986

Skills

  • AI Governance & Oversight
  • AI Risk Assessment & Control
  • AI Regulatory & Compliance Knowledge
  • Risk management
  • Vendor Risk management
  • Vendor Cloud & Infrastructure Risk Assessments
  • Contract management

Accomplishments

  • Co‑led the design and implementation of the Cyber Vendor Risk Management (CVRM) Quality Assurance Program and currently oversee its execution, ensuring accuracy, consistency, and audit‑ready assessment practices across the team.
  • Collaborated with an eight‑member working group to build the Cyber Vendor Risk Management (CVRM) Mergers & Acquisitions Program and now oversee its ongoing operations, integrating cyber risk evaluation into the enterprise M&A lifecycle.
  • Designed and implemented the Virtual Onsite Vendor Security Assessment (VOVSA) framework, transforming how our team validates vendor security controls by shifting from in‑person onsite reviews to a fully remote, standardized model. During COVID, this innovation preserved program continuity, eliminated travel expenses, and ensured Deloitte met all assessment obligations without disruption.
  • Co‑manage a 25‑member GRC team, providing leadership, coaching, and oversight of assessment quality, workflow prioritization, stakeholder coordination, and continuous process improvement.
  • Achieved stronger assessment reliability by implementing a structured Quality Assurance Program (QAP) that improved accuracy, consistency, and audit readiness.
  • Achieved faster onboarding and improved team competency by developing comprehensive training materials and delivering ongoing refresher sessions for new and existing staff.

Certification

  • CISA
  • CISSP
  • CTPRP
  • AI-900
  • Trustworthy AI

Languages

English
Native or Bilingual

Work Availability

monday
tuesday
wednesday
thursday
friday
saturday
sunday
morning
afternoon
evening

Timeline

Manager, ITS Cyber Security at Deloitte LLP - Deloitte Consulting
06.2021 - Current
Lead Risk & Compliance Analyst, ITS Cyber Security - Deloitte Consulting
04.2016 - Current
Senior Risk & Compliance Professional - Consultant
08.1993 - 06.2016
Edgewood High School - Business Administration and Management, General
Virginia State University - Bachelor of Technology, Business Information Systems