Security, Governance & Incident Response
Directory audits, log analysis, incident response, and access governance controls under ISO 27001 frameworks.
Overview
I administer directory access permissions, analyze audit logs, investigate security incidents, and compile evidence for access governance reviews. This work is based on standard ISO 27001 control mappings across a 3,000-user multi-campus directory.
My hands-on experience covers directory deprovisioning audits, Google Drive shared drive access reviews, network segmentation, security awareness development, and generative AI directory permissions.
Security Work in Practice
- Directory audits: Regular reviews of group memberships, privileged access roles, and Google Workspace delegated administration.
- Offboarding audits: Tracing departure-to-deactivation latency and compiling offboarding SLA compliance logs.
- Incident investigations: Tracing Admin Console audit logs to identify anomalous IP addresses, external file shares, and unauthorized folder restructuring.
- Evidence compilation: Extracting logs and path metadata to verify access boundary containment for internal audits.
- Policy implementation: Drafting and enforcing Acceptable Use Policies (AUP) and student data protection charters.
- Threat mapping: Identifying exposed external Drive shares and mapping network segmentation gaps across distributed sites.
- SaaS configuration reviews: Auditing third-party OAuth app permissions, domain-wide email routing rules, and external sharing policies.
Selected Incident Reports
Shared Drive Privilege Containment
Challenge: A delegated account with excessive manager access renamed root folders and trashed academic directories on core Shared Drives.
Mitigation: Suspended the user account, blocked the external gateway IP, and restored folder structures using Google Workspace restoration tools.
Offboarding Governance & Exfiltration
Challenge: A terminated instructor account remained active post-departure, permitting after-hours access and download of 20,000+ curriculum resources from external IPs.
Mitigation: Suspended credentials, revoked OAuth tokens, rotated Shared Drive keys. Recommended automated HR-to-IT deprovisioning integration.
Security Governance
- Least-privilege access: Deprecating shared admin accounts. Restricting Shared Drive permissions to comment/view-only by default and enforcing role-specific delegation.
- Lifecycle deprovisioning: Auditing account departure latency, identifying active orphaned credentials, and recommending automated HR-to-directory integrations.
- Auditing & alerting: Configuring Admin Console alert thresholds to trigger notifications on bulk downloads or external file shares.
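As an added example of the offboarding audit described under "Offboarding audits" and "Lifecycle deprovisioning" above (not part of the original page), the script below joins a constructed HR departure export against a constructed admin audit log, computes departure-to-deactivation latency per account, flags SLA breaches, and reports accounts with no suspension event as orphaned credentials. The column names, the SUSPEND_USER event label and the 24-hour SLA are assumptions.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed HR export (not real records): account and departure timestamp.
HR_EXPORT = """employee,departure
a.teacher@example.edu,2024-03-01T17:00:00
b.lecturer@example.edu,2024-03-02T12:00:00
c.staff@example.edu,2024-03-04T09:00:00
"""

# Constructed admin audit log rows; event label SUSPEND_USER is an assumption.
AUDIT_LOG = """timestamp,event,actor,target
2024-03-01T17:45:00,SUSPEND_USER,admin@example.edu,a.teacher@example.edu
2024-03-05T08:30:00,SUSPEND_USER,admin@example.edu,b.lecturer@example.edu
2024-03-03T10:00:00,CHANGE_PASSWORD,admin@example.edu,c.staff@example.edu
"""

SLA = timedelta(hours=24)  # assumed offboarding SLA: suspend within one day


def suspension_times(audit_csv):
    """Earliest SUSPEND_USER timestamp per target account."""
    first = {}
    for row in csv.DictReader(StringIO(audit_csv)):
        if row["event"] != "SUSPEND_USER":
            continue  # other admin events do not count as deprovisioning
        ts = datetime.fromisoformat(row["timestamp"])
        target = row["target"]
        if target not in first or ts < first[target]:
            first[target] = ts
    return first


def offboarding_report(hr_csv, audit_csv, sla=SLA):
    """Map each departed account to (status, latency_hours).

    status is OK, SLA_BREACH, or ORPHANED (no suspension found: still active).
    """
    suspended = suspension_times(audit_csv)
    report = {}
    for row in csv.DictReader(StringIO(hr_csv)):
        acct = row["employee"]
        departed = datetime.fromisoformat(row["departure"])
        when = suspended.get(acct)
        if when is None:
            report[acct] = ("ORPHANED", None)  # orphaned credential: escalate
            continue
        latency = when - departed
        status = "OK" if latency <= sla else "SLA_BREACH"
        report[acct] = (status, round(latency.total_seconds() / 3600, 2))
    return report
```

The ORPHANED entries are the ones to act on first, since they are live credentials with no corresponding deactivation; the SLA_BREACH rows feed the compliance log.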
AI Governance & Enablement
- Data filtering: REST API key validation to prevent LLMs from accessing production directories.
- Script sandboxing: Reviewing and vetting Apps Script integrations in developer sandboxes prior to domain authorization.
- Usage charters: Authoring Acceptable Use Policies defining restrictions on student record inputs in public LLMs.