Cybersecurity Compliance Program

29% → 87% in 6 weeks across 5 security frameworks

29% → 87%: Compliance score
<6 wk: Program timeline
49: Controls across 10 domains
12+: Formal deliverables

Overview

Delivered a comprehensive cybersecurity compliance program for a multi-carrier insurance platform serving major global insurers. Starting from a formal gap analysis, the engagement covered 49 security controls across 10 domains, achieving 87% automated compliance in under 6 weeks while managing 5 simultaneous insurer security questionnaires and deploying CDK TypeScript infrastructure that eliminated the platform's highest-risk exposures.


The Problem

The platform had a 29% baseline compliance score (14/49 controls passing) against ISO 27001, CIS Controls v8, and LFPDPPP (Mexico's data privacy law). Five major global insurers were simultaneously conducting security questionnaires, and delays put contract value at risk. The baseline audit surfaced 5 critical and 11 high-severity findings:

  • CloudTrail was completely absent (zero API activity ever recorded)
  • A hardcoded AES encryption key was embedded in source code and shared across all 7 tenant variants
  • The DLP tool had been purchased over a year prior but never configured, leaving zero data protection in place
  • The bastion host SSH was open to the internet (0.0.0.0/0) in CDK
  • CI/CD pipelines ran under an AdministratorAccess IAM user with no MFA

No security policies, no gap analysis, and no audit evidence existed.


The Solution

I led the program across three parallel tracks.

  • Infrastructure: CDK TypeScript managing 5 stacks (~35–40 resources): a VPC with WAF v2 (OWASP Top 10, SQLi, and KnownBadInputs rule sets), EC2 Windows/IIS, RDS SQL Server, S3 with encryption and lifecycle policies, and a dedicated security stack enabling GuardDuty, Security Hub, Inspector v2, CloudTrail with CloudWatch alarms, and AWS Backup with daily RDS snapshots. RDP access is proxied exclusively through SSM Session Manager port-forwarding, so no desktop port is exposed directly. A CDK fix hardening the bastion SSH rule was delivered (deployment by the team is pending). GitHub Actions OIDC replaced the AdministratorAccess IAM user entirely.
  • Documentation: 12+ formal deliverables authored, including an Information Security Policy, Acceptable Use Policy, Incident Response Plan, Disaster Recovery Plan, gap analysis, and remediation roadmap, all audit-ready.
  • Questionnaire management: all 5 insurer questionnaires actively managed concurrently, with controls mapped systematically to each insurer's evidence requirements.


The Results

Compliance score rose from 29% to 87% in under 6 weeks, with 13 of 15 automated controls continuously passing as tracked weekly. More than 30 RDS backup jobs completed successfully. GitHub Actions OIDC eliminated the AdministratorAccess IAM user and all long-lived deploy credentials. RDP access now goes exclusively through SSM Session Manager, with IAM MFA enforced at the session level. Twelve-plus formal policies and procedures were delivered, audit-ready. The entire infrastructure is managed as code in CDK TypeScript.


Key Takeaways

  • CDK TypeScript enables compliance-as-code: WAF rules, GuardDuty, and CloudTrail configuration are version-controlled and provide an auditable evidence trail out of the box
  • SSM Session Manager replacing open RDP/SSH ports is the single change that reduces the most attack surface with the least operational impact on the development team
  • Managing compliance documentation and insurer questionnaires concurrently demands a systematic control-mapping approach: each control needs evidence artifacts, not just enablement
  • GitHub Actions OIDC over long-lived IAM credentials requires one CDK stack and eliminates an entire class of credential leakage risk from CI/CD pipelines
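Compliance-as-code in practice means the `cdk synth` output can be checked before deployment for the same conditions the baseline audit found. The following is an added example, not the platform's own code: a small TypeScript check over a CloudFormation template for SSH/RDP open to the world, an IAM user with AdministratorAccess, and a missing CloudTrail trail. The two templates are constructed samples standing in for a "before" and "after" stack.

```typescript
// Added example: audit a CloudFormation template (as emitted by `cdk synth`)
// for the three findings described in the case study. Templates below are
// constructed samples, not the platform's real stacks.
type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };

const ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess";
const REMOTE_ADMIN_PORTS = [22, 3389]; // SSH and RDP

// Returns one finding per failed control; an empty array means all pass.
export function auditTemplate(t: Template): string[] {
  const findings: string[] = [];
  let hasTrail = false;
  for (const [id, r] of Object.entries(t.Resources)) {
    const p = r.Properties ?? {};
    if (r.Type === "AWS::CloudTrail::Trail") hasTrail = true;
    if (r.Type === "AWS::EC2::SecurityGroup") {
      for (const rule of p.SecurityGroupIngress ?? []) {
        // Missing ports mean "all ports"; protocol -1 means "all traffic".
        const from = rule.FromPort ?? 0, to = rule.ToPort ?? 65535;
        const tcpLike = rule.IpProtocol === "tcp" || String(rule.IpProtocol) === "-1";
        const worldOpen = rule.CidrIp === "0.0.0.0/0" || rule.CidrIpv6 === "::/0";
        for (const port of REMOTE_ADMIN_PORTS) {
          if (tcpLike && worldOpen && from <= port && port <= to)
            findings.push(`${id}: port ${port} open to the internet`);
        }
      }
    }
    if (r.Type === "AWS::IAM::User" && (p.ManagedPolicyArns ?? []).includes(ADMIN_POLICY))
      findings.push(`${id}: IAM user with AdministratorAccess (use an OIDC role instead)`);
  }
  if (!hasTrail) findings.push("no AWS::CloudTrail::Trail: API activity is not recorded");
  return findings;
}

// Constructed "before" template mirroring the baseline findings.
export const BEFORE: Template = { Resources: {
  BastionSg: { Type: "AWS::EC2::SecurityGroup", Properties: { SecurityGroupIngress: [
    { IpProtocol: "tcp", FromPort: 22, ToPort: 22, CidrIp: "0.0.0.0/0" }] } },
  DeployUser: { Type: "AWS::IAM::User", Properties: { ManagedPolicyArns: [ADMIN_POLICY] } },
} };

// Constructed "after" template: no inbound rules (SSM-only access), OIDC role, trail on.
export const AFTER: Template = { Resources: {
  BastionSg: { Type: "AWS::EC2::SecurityGroup", Properties: { SecurityGroupIngress: [] } },
  DeployRole: { Type: "AWS::IAM::Role", Properties: {} },
  Trail: { Type: "AWS::CloudTrail::Trail", Properties: { IsLogging: true } },
} };
```

Run against the real synth output (`cdk synth --json`) in CI so the check fails the pipeline before a regression like the open bastion rule reaches an account.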

Tools & Technologies

  • AWS CDK TypeScript
  • EC2 Windows/IIS
  • RDS SQL Server
  • WAF v2
  • GuardDuty
  • Security Hub
  • Inspector v2
  • CloudTrail
  • GitHub Actions OIDC
  • AWS Backup
  • SSM Session Manager