End-to-end risk assessment for a simulated FinTech payment processor using a NIST SP 800-53 Rev. 5 aligned methodology. Identified key security and operational risks, applied quantitative risk scoring, and produced a risk register, heat map, and executive level treatment recommendations to support SOC 2 readiness.

ijeziermf/AtlasPay-Risk-Assessment

NIST SP 800-53 Rev. 5 Risk Assessment (FinTech Case Study)

Overview:

This project documents a full end-to-end risk assessment performed for a simulated FinTech payment processing organization (AtlasPay). The goal was to evaluate information security and operational risks in a way that supports executive decision-making, audit readiness, and long-term risk governance, rather than focusing purely on technical controls.

Technologies & Tools Used:

  • Microsoft Excel (risk register, scoring model, heat map, tracking)
  • NIST SP 800-53 Rev. 5 (control families used for gap analysis and treatment mapping)
  • NIST Cybersecurity Framework (CSF)
  • Quantitative risk scoring model (Impact × Likelihood)

Deliverable Features:

  • Structured risk assessment worksheet
  • Quantitative inherent and residual risk scoring
  • Risk register with ownership and timelines
  • Heat map visualization for executive review
  • Risk treatment and tracking table
  • Executive summary and impact statements

Notes for Reviewers:

Plain English was intentionally used when documenting existing controls and risks to ensure clarity for non-technical stakeholders. Formal framework language and control alignment were applied during gap analysis and treatment planning to maintain audit defensibility while keeping executive communication accessible.

Process (Start to Finish):

The project began by defining assessment scope, objectives, and applicable frameworks to ensure alignment with SOC 2 readiness expectations. Risks were identified using a threat-vulnerability-impact model and documented in plain business language before being mapped to NIST SP 800-53 Rev. 5 control families. A quantitative scoring model (Impact × Likelihood) was applied to calculate inherent risk and, after accounting for existing and planned controls, residual risk, allowing risks to be prioritized consistently. Findings were translated into a structured risk register, heat map, and treatment plan with defined ownership and timelines. The final step focused on executive reporting, emphasizing impact, decision support, and financial relevance rather than technical detail.
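The scoring and heat-map steps above are easy to get subtly wrong in a spreadsheet (out-of-range scores, residual values that go below the scale, cells that silently merge). The following is an added example, not the project's own workbook or code, that implements the same Impact × Likelihood model in Python: inherent and residual scores on assumed 1-5 ordinal scales, assumed band thresholds on the 1-25 product, validation of each register row, a prioritized register, and a text heat map for inherent and residual positions. The sample risks, owners and due dates are constructed for the simulated processor; the treatment "cut" fields are an assumed way of recording how many scale steps a control is expected to remove.

```python
# Added example (not from the AtlasPay project): risk-register scoring model.
# Scales, band thresholds, the likelihood_cut/impact_cut fields and the sample
# risks are all constructed assumptions for illustration.
from dataclasses import dataclass
from collections import defaultdict

# The twenty control families in NIST SP 800-53 Rev. 5 (identifiers only).
FAMILIES = {"AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA", "MP",
            "PE", "PL", "PM", "PS", "PT", "RA", "SA", "SC", "SI", "SR"}

SCALE = range(1, 6)  # assumed 5-point ordinal scale for both axes; product is 1..25
# Assumed band floors on the product (a common 5x5 convention, not a NIST standard).
BANDS = [(15, "Critical"), (10, "High"), (5, "Medium"), (1, "Low")]


@dataclass
class Risk:
    rid: str
    title: str
    family: str              # NIST SP 800-53 Rev. 5 family the treatment maps to
    likelihood: int          # inherent likelihood, 1..5
    impact: int              # inherent impact, 1..5
    likelihood_cut: int = 0  # assumed: scale steps the treatment removes from likelihood
    impact_cut: int = 0      # assumed: scale steps the treatment removes from impact
    owner: str = "unassigned"
    due: str = "TBD"


def problems(r: Risk) -> list[str]:
    """Data-quality checks a register must refuse to score silently."""
    out = []
    if r.likelihood not in SCALE:
        out.append(f"{r.rid}: likelihood {r.likelihood} outside 1..5")
    if r.impact not in SCALE:
        out.append(f"{r.rid}: impact {r.impact} outside 1..5")
    if r.family not in FAMILIES:
        out.append(f"{r.rid}: unknown control family {r.family!r}")
    if r.likelihood_cut < 0 or r.impact_cut < 0:
        out.append(f"{r.rid}: negative reduction")
    return out


def inherent_score(r: Risk) -> int:
    return r.likelihood * r.impact


def residual_values(r: Risk) -> tuple[int, int]:
    # Residual never drops below 1 on either axis: a control reduces a risk, it does not erase it.
    return max(1, r.likelihood - r.likelihood_cut), max(1, r.impact - r.impact_cut)


def residual_score(r: Risk) -> int:
    lik, imp = residual_values(r)
    return lik * imp


def band(score: int) -> str:
    for floor, name in BANDS:
        if score >= floor:
            return name
    raise ValueError(f"score {score} outside 1..25")


def build_register(risks: list[Risk]) -> list[dict]:
    """Register rows sorted for prioritization: inherent score, then residual, then ID."""
    errs = [p for r in risks for p in problems(r)]
    if errs:
        raise ValueError("; ".join(errs))
    rows = []
    for r in risks:
        inh, res = inherent_score(r), residual_score(r)
        rows.append({"id": r.rid, "title": r.title, "family": r.family,
                     "inherent": inh, "inherent_band": band(inh),
                     "residual": res, "residual_band": band(res),
                     "owner": r.owner, "due": r.due})
    return sorted(rows, key=lambda x: (-x["inherent"], -x["residual"], x["id"]))


def heat_map(risks: list[Risk], residual: bool = False) -> dict[tuple[int, int], list[str]]:
    """Map each (likelihood, impact) cell to the risk IDs that land in it."""
    cells = defaultdict(list)
    for r in risks:
        key = residual_values(r) if residual else (r.likelihood, r.impact)
        cells[key].append(r.rid)
    return dict(cells)


def render_heat_map(risks: list[Risk], residual: bool = False) -> str:
    """Text grid: impact rows from 5 (top) down to 1, likelihood columns 1..5."""
    cells = heat_map(risks, residual)
    header = "Imp|Lik".rjust(11) + "".join(str(l).rjust(10) for l in SCALE)
    lines = [header]
    for i in reversed(SCALE):
        row = str(i).rjust(11)
        for l in SCALE:
            row += (",".join(cells.get((l, i), [])) or ".").rjust(10)
        lines.append(row)
    return "\n".join(lines)


# Constructed sample entries for the simulated processor (illustration only).
SAMPLE = [
    Risk("R1", "Admin console without MFA", "IA", 4, 5, likelihood_cut=2, owner="Platform", due="Q2"),
    Risk("R2", "Ledger changes not audit-logged", "AU", 3, 3, likelihood_cut=1, owner="Payments", due="Q3"),
    Risk("R3", "Single-region database, untested failover", "CP", 2, 5, impact_cut=2, owner="SRE", due="Q3"),
    Risk("R4", "Card data on unencrypted internal link", "SC", 3, 4, likelihood_cut=2, owner="Network", due="Q2"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(row)
    print("Inherent:\n" + render_heat_map(SAMPLE))
    print("Residual:\n" + render_heat_map(SAMPLE, residual=True))
```

Two design points worth keeping in a spreadsheet version too: the residual value is floored at 1 on each axis so a treatment can never produce a score of zero, and `build_register` refuses the whole register when any row fails validation rather than scoring the rows that happen to parse. Note also that R3's treatment (tested failover, CP family) lowers impact rather than likelihood; recording which axis a control moves is what makes the residual heat map defensible in an audit.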

Key Takeaways & Discoveries:

  • Clear language is critical for executive risk ownership.
  • Quantitative scoring improves prioritization and credibility.
  • Heat maps are most effective when paired with narrative context.
  • Risk management is as much governance and communication as it is controls.

Deep Dive: Why the Heat Map Matters:

The heat map was used to translate complex risk data into a single, intuitive visual that highlights priority areas at a glance. When paired with residual risk projections, it becomes a powerful decision-making tool rather than a static graphic.

Value to Risk Management:

This project demonstrates how structured risk assessments support informed decision-making, resource prioritization, audit readiness, and long-term resilience rather than reactive security responses.

Growth & Next Improvements:

This project strengthened my ability to translate technical risk into business impact. Future iterations could benefit from dedicated GRC platforms (e.g., ServiceNow GRC, Archer) and automated evidence tracking to further scale and mature the process.

Video Walkthrough:

(Embedded walkthrough video coming soon)
