HaDoyle12/README.md

Hunter Doyle

GRCC Department

GRC Audit and Compliance is a product‑focused audit and continuous testing team.
We meet our audit obligations to customers and external stakeholders and give leadership clear insight into GitHub’s control posture.
We also support go‑to‑market efforts by treating customer‑facing assurance reports as product features.

Current audit scope:

  • SOC 1, SOC 2, SOC 3 – GHEC and Actions
  • ISO 27001 – GHEC and Actions
  • FedRAMP Low Tailored – GHEC
  • PCI DSS – GHEC
  • Microsoft non‑financial disclosures – GitHub NFD metrics (Developers, MAC, MEU)
  • Microsoft internal audits – Security Governance, Trade Compliance, and others
  • GHAE – compliance and risk management
  • Azure DevOps – compliance, privacy, and risk programs

Learn more in the Security GRC Compliance repo.

Future Compliance State:

  • ISO 27018
  • ISO 27701
  • ISO 22301
  • ISO 42001
  • FedRAMP High

Current Role

GitHub – GRC Security Analyst (Remote, USA)

Policy Lifecycle Management

  • Oversee the end-to-end lifecycle of policies, from development and approval to implementation and review.
  • Collaborate with stakeholders to ensure policies are up-to-date, relevant, and compliant with current regulations and best practices.
  • Lead the formation and execution of steering committee structures to ensure strategic alignment and governance oversight.
  • Facilitate regular meetings and communications with committee members to drive governance initiatives.
  • Develop and document clear roles and responsibilities using RACI (Responsible, Accountable, Consulted, Informed) matrices to ensure accountability and clarity in governance processes.
  • Ensure alignment of roles with organizational goals and governance objectives.

Policy Exception Management Workflow

  • Design and implement a robust policy exception management workflow to handle deviations effectively.
  • Ensure exceptions are documented, reviewed, and approved in a timely manner, with appropriate risk assessments conducted.
  • Oversee processes for review and approval of security exception requests.

Defining KPIs and Metrics

  • Identify and define key performance indicators (KPIs) and metrics to measure the effectiveness of governance policies and programs.
  • Develop dashboards and reporting tools to track and communicate performance metrics.
  • Support the development of dashboards and audit tools to monitor IT risk indicators and internal control health.

Data Gathering, Analysis, and Reporting

  • Collect and analyze data related to policy adherence and governance program performance.
  • Prepare comprehensive reports and presentations for leadership, highlighting insights, trends, and areas for improvement.
  • Drive key Technology, Security, and Data compliance programs in support of the Digital Technology (corporate IT) organization.
  • Partner closely with Legal, Privacy, and Data Security & Governance teams to develop corresponding GRC programs.

Leadership and Collaboration

  • Work closely with cross-functional teams, including legal, compliance, IT, and operations, to align governance initiatives with business objectives.
  • Act as a governance advisor to leadership, providing expert guidance on best practices and emerging trends.
  • 9+ years of related experience, with at least 4+ years of hands-on leadership experience in the Technology Governance Risk and Compliance field.
  • Strong leadership, strategy, analytical, problem-solving, and decision-making skills, and the ability to work under minimal direction.
  • Build and expand relationships with key stakeholders.
  • Ability to evangelize and influence company IT compliance and governance efforts.
  • Build productive customer partnerships and repair strained relationships.
  • Assign work, track progress, and deliver semester and annual performance reviews for team members.

Cloud, AI, and Emerging Technology Architecture

  • Develop and execute a strategic roadmap for advanced Technology & Security architecture, controls, and solutions.
  • Lead efforts to establish governance policies and standards for cloud, AI, and other emerging technologies.
  • Collaborate with technology teams to integrate governance into cloud and AI architecture.
  • Stay informed about emerging technology trends.
  • Experience integrating AI into workflows and decision-making.

Risk Management

  • Implement and manage risk management activities aligned with the GitHub program.
  • Identify, establish, and maintain strategic relationships with key stakeholders.
  • Lead GitHub ISO risk management programs using GitHub Projects and ZenGRC.
  • Partner with executive leadership to respond to security evidence requests.
  • Guide risk-based decisions focused on mitigating identified risks.
  • Provide leadership and oversight for M&A due diligence efforts.
  • Represent GitHub in strategic planning, budgeting, and prioritization.
  • Collaborate with GitHub leaders for program consistency.
  • Integrate GRC requirements into the risk management framework.
  • Architect and deploy controls for GRC emerging priorities.
  • Drove consistency and visibility of risk activities.
  • Oversaw control assessments and leadership remediation.
  • Understanding of frameworks like ISO 27001, ISO 27018, ISO 27701, ISO 42001, ISO 22301, SOC, NIST 800-53 and FedRAMP.
  • Interpret and apply controls from ISO 27001, ISO 27018, ISO 27701, ISO 42001, ISO 22301, SOC, and FedRAMP.
  • Implement optimized, risk-reducing controls.
  • Identify and assess complex business and technology risks; advise management on mitigation.

Issues Tracking and Resolution

  • Manage operational processes that monitor and respond to security threats.
  • Partner with IT to mature operational controls.
  • Lead follow-up education for policy-violating or risky behaviors.
  • Oversaw assessment of controls and ensured deficiencies were addressed.
  • Integrate issue management programs into the GRC framework.

Execution

  • Round on leadership to influence decisions and educate on risk.
  • Lead and coordinate implementation of process and technology changes.
  • Execute technical audits across infrastructure and security environments.
  • Develop and apply audit procedures to test IT controls.
  • Design and execute risk-based audits.
  • Perform control testing and data validation.
  • Conduct walkthroughs and testing for SOC and ISO controls.
  • Define and prioritize strategic projects.
  • Lead major cross-functional initiatives.
  • Contribute to system architecture decisions.
  • Review audit project plans, work papers, and reports; discuss issues with management; confirm quality controls.
  • Plan, schedule, and execute IT audits within budget and deadlines; supervise audit staff and coach for improvement.

Vendor Systems Security

  • Ensure vendor contracts include proper security terms.
  • Work with IT and business leadership to assess and onboard vendor systems securely.
  • Maintain controls for vendor-maintained solutions.
  • Deploy technical controls for Third Party Risk and Resiliency programs.
  • Advise stakeholders on TPRM and vendor-related risk issues.

Communication

  • Coordinate with HR and training teams for GitHub content delivery.
  • Lead proactive communication and awareness campaigns.
  • Create audit reports for technical and non-technical audiences.
  • Exhibit strong written and verbal communication skills.
  • Champion customer security needs internally.
  • Effectively communicate standards and best practices.

Staff Development

  • Recruit and manage contractor staff.
  • Ensure team training and development supports internal audits.
  • Participate in succession planning.
  • Perform other assigned duties.
  • Uphold the “Code of Conduct” and “Mission and Value Statement.”
  • Mentor team members on frameworks and best practices.
  • Assess compliance candidates in hiring processes.
  • Guide others on design, processes, and standards.

Previous Experience

UKG – Weston, FL

Sr. IT Control Analyst

  • Designed, implemented, and tested controls for ISO 27001, ISO 27018, AICPA, and NIST.
  • Built an SDLC audit plan that streamlined controls for 1,500 developers.
  • Managed external SSAE‑18 and ISO 27018 audits and internal assessments.
  • Completed customer due‑diligence questionnaires quickly.
  • Advised stakeholders on changing compliance requirements.
  • Identified risk and guided remediation.

IT Control Analyst

  • Supported compliance, external, and internal audit work.
  • Streamlined internal processes by improving tooling.
  • Maintained risk and control matrices, test plans, and status trackers.
  • Assessed ITGC design and implementation against policies.
  • Verified control evidence for completeness, accuracy, and precision.

RSM US LLP – Miami, FL

Risk Advisory Services Consultant

  • Performed general computer control reviews on UNIX, Windows, AS/400, and Oracle systems.
  • Tested automated application controls for financial reporting software.
  • Evaluated and improved client operational efficiency.
  • Reviewed the design, build, and operation of client business processes.
  • Led cyber‑security risk assessments and audits.
  • Supported financial audit and SOX teams with control design and testing.
  • Assessed security issues and recommended remediation.
  • Managed the IT Audit SharePoint knowledge repository, boosting productivity.

Certifications

License / Certification | Effective Date
Certified Information Systems Auditor (ISACA) | Dec 2018
Information Security Management Systems v2.1 (BSI) | Jun 2017
Management Systems Auditing v2.0 (BSI) | Jun 2017
ISO/IEC 27001:2013 Internal Auditor (BSI) | Jun 2017

Notable Projects

  • IT design and consulting for Standing Stone Nursery.
  • Intake and review of GitHub bugs reported in HackerOne.

Hobbies

  • Exotic plants 🌴
  • 4‑wheeling 🚴‍♂️
  • Hiking 🥾
  • Travel ✈️
  • Time with the dogs 🐕🐕🐕

Popular repositories

  1. SmartThingsPublic (Public)

    Forked from SmartThingsCommunity/SmartThingsPublic

    SmartThings open-source DeviceTypeHandlers and SmartApps code

    Groovy 1

  2. HaDoyle12 (Public)

    Config files for my GitHub profile.

  3. github-slideshow (Public)

    A robot powered training repository 🤖

    Ruby

  4. hello-github-actions (Public)

    Dockerfile

  5. markdown-portfolio (Public)

  6. github-pages-with-jekyll (Public)