Swarnika Mehta

Director Advisory, Cyber Security Services, KPMG US

Seattle

Swarnika is a Director in KPMG's Advisory Services practice, aligned with the Information Protection and Business Resiliency (IPBR) group. She has over 5 years of experience in information security, information assurance, certification and accreditation (C&A), governance, controls and compliance. She has a strong background in system risk management projects, assessing complex security environments, helping clients achieve regulatory and standards compliance, and conducting enterprise-wide security risk assessments. Her experience spans various industries, including technology, government entities, non-profits and academic institutions. She graduated from the University of Washington in 2011 with a Master's in Information Management and holds a Risk Management and Information Assurance professional certificate from UWPCE.

Professional and Industry Experience

GRC Business Transformation

  • Built an RSA Archer deployment and strategy roadmap for a leading telecommunications provider's corporate information security group to automate its GRC processes and onboard them into Archer over a multi-year timeframe.
  • Helped the Corporate Information Security team at a large, national telecommunications provider with the strategy, planning and implementation of GRC processes and tooling to support its security risk and compliance management. Efforts included planning and phased implementation of RSA Archer's Enterprise, Policy, Compliance, Risk and Vendor Management solutions, and training end users and management stakeholders, through training sessions and documentation, on the modules and capabilities of the Archer SmartSuite Framework.
  • Developed RSA Archer training webinars providing hands-on training on the Archer SmartSuite Framework and core GRC solutions.

Cloud Security & Compliance

  • Contributed to the development of a white paper for a leading Software as a Service (SaaS) provider on multi-tenancy security risks, covering the concepts of multi-tenancy, the related security risks and their mitigations, leading practices and customer expectations.
  • Developed a threat and vulnerability management strategy based on leading industry practices, supported by a threat catalogue, for a leading software development company.
  • Provided subject matter guidance to a leading software manufacturer on the security implications of picture password authentication with respect to FISMA compliance requirements.

Security Assessments

  • Led a detailed assessment of the current state of a leading IaaS provider's Continuous Monitoring processes and identified gaps and areas for process improvement. Provided detailed, operationally consumable recommendations to fix current processes, automate existing manual processes and eliminate redundancies. Developed a FedRAMP Continuous Monitoring Strategy that supports reporting to FedRAMP and other government agencies.
  • Led a team conducting an information security policy and procedures review for a leading cloud service provider, using NIST SP 800-53, ISO 27001 and SOC 2 as benchmark standards to develop assessment criteria and recommendations for security policy improvement.
  • Mapped ISO, SOC 1 and SOC 2 controls to the FedRAMP security baseline controls, and conducted a FISMA gap assessment for a leading cloud service provider based on the results of that mapping.
  • Led multiple security risk assessments to develop and assess the current state of security practices against NIST SP 800-53 controls under FISMA/FedRAMP requirements. Conducted a baseline assessment of a leading cloud service provider's current security practices against industry standards for its dedicated and public cloud environments. This included an in-depth assessment of management, operational and technical controls around information security, and development of a risk matrix categorizing each identified risk by likelihood and impact. Developed a remediation plan and timeline, and designed and implemented a remediation tracker and process workflow to track and assess ongoing remediation of identified gaps. Generated automated dashboards reporting at different levels of the organization for visibility of high-risk gaps and their remediation status.
  • Conducted a security risk assessment of a state-owned corporation that manages fund investments. Assessed its current IT and information security practices, provided recommendations to mitigate its security risks and developed a reference remediation plan. Developed a security risk assessment report for presentation to the state audit committee.
  • Led a cloud security risk assessment for a major university medical center's Occupational Health Management (OHM) system, which hosted student and employee personal health information. Analyzed critical security threats and vulnerabilities and provided risk mitigation recommendations with a cost-benefit analysis. In addition, conducted a vendor assessment of cloud providers for migrating the center's OHM system from its legacy environment to a multi-tenant cloud environment.
