Matt Connelly

Governance, Risk & Compliance Professional

Advancing governance maturity through structured risk assessments and continuous control evaluation aligned to enterprise risk tolerance.


About Me

Hello, I’m Matt. As a U.S. Navy veteran and cybersecurity professional, I bring a disciplined, structured approach to governance and compliance. This portfolio showcases selected GitHub projects that reflect my technical capabilities, along with a risk assessment demonstrating how I evaluate controls and communicate risk to leadership.

Quick Facts

  • CISSP Certified
  • CCNA & Security+ Certified
  • Master's Degree in Cybersecurity
  • U.S. Navy Veteran

Case Study - Risk Assessment

Excessive Privileged Access to Manufacturing Execution System (MES)

Conducted a structured risk assessment aligned to NIST SP 800-30 focused on access control governance over a Manufacturing Execution System (MES) supporting plant floor production operations.

  • Business Context: The MES platform manages production workflows, work orders, and quality tracking across manufacturing lines.
  • Primary Risk Scenario: Unauthorized modification of production parameters due to excessive privileged access or shared administrative accounts.
  • Impact Consideration: Production errors, quality control failures, operational disruption, and potential financial loss.
  • Inherent Risk Rating: High (critical operational system + elevated privileged access exposure).
  • Control Evaluation: Reviewed role-based access configurations, privileged account assignments, service account permissions, and access review cadence.
  • Control Gaps Identified: Administrative privileges assigned beyond job requirements, shared operator accounts in limited environments, and absence of a formal quarterly access review process.
  • Remediation Actions: Enforced least privilege role restructuring, eliminated shared accounts, implemented quarterly privileged access reviews, and formalized access governance procedures.
  • Residual Risk: Reduced from High to Moderate following remediation and validation of access controls.

Outcome: Strengthened identity governance, reduced exposure to unauthorized system modification, and improved alignment with least privilege and access control requirements.

Risk Register

  • Risk ID: MES-AC-01
  • Asset: Manufacturing Execution System
  • Risk Statement: Excessive privileged access may allow unauthorized modification of production parameters, resulting in operational disruption and quality control failures.
  • Risk Rating: Moderate
  • Control Owner: Infrastructure Manager
  • Risk Owner: Director of Operations
  • Status: Active – Under Quarterly Review
  • Review Cycle: Quarterly

Risk aligned to NIST SP 800-30 methodology and tracked within structured governance review cycles.

Governance Performance & Risk Indicators

The KPIs and KRIs below illustrate how control effectiveness and risk exposure can be monitored within a governance program, aligned to the access control case study above.

Key Performance Indicators (KPIs) — Control Effectiveness

100%

Privileged access reviews completed on schedule for critical manufacturing systems

Control Domain: Access Governance (AC-2 / AC-6)

0

Shared administrative accounts across production environments

Control Domain: Account Management & Authentication

100%

Privileged roles mapped to documented job functions and approved access paths

Control Domain: Role-Based Access Control (RBAC)

Key Risk Indicators (KRIs) — Risk Exposure

33% ↓

Reduction in excessive privileged accounts after access remediation

0

Open high-risk access control exceptions for critical manufacturing applications

< 24h

Mean time to revoke access after role change or termination


Featured Projects

Azure Privileged Access Governance Automation

Automated privileged access reviews to strengthen identity governance and improve visibility into administrative accounts across enterprise environments.

  • Control Domain: Privileged Access Management
  • Framework Alignment: NIST 800-53 (AC-2, AC-6) | ISO 27001 (A.5.15, A.8.2) | CIS 5 & 6 | SOC 2 (CC6)

AWS Continuous MFA Compliance Monitoring

Built automated monitoring with AWS Config, EventBridge, and Lambda to detect IAM users without MFA enabled, generate security alerts, and maintain continuous compliance visibility.

  • Control Domain: Identity & Access Management
  • Framework Alignment: NIST 800-53 | NIST CSF | SOC 2 Trust Services Criteria

AWS Privileged Access Review Automation

Implemented automated access validation to enforce least privilege principles and enhance structured oversight of elevated permissions.

  • Control Domain: Identity & Access Management
  • Framework Alignment: NIST CSF (PR.AA) | NIST 800-53 (AC-2, AC-6) | ISO 27001 (A.5.18) | CIS 5 & 6

S3 Encryption Compliance Monitoring

Developed automated control validation to verify encryption enforcement across storage resources supporting sensitive data workloads.

  • Control Domain: Encryption & Data Security Controls
  • Framework Alignment: NIST 800-53 (SC-13, SC-28) | ISO 27001 (A.8.24) | CIS 3 & 13 | SOC 2 (CC6)

AI-Driven Risk Reporting

Automated structured risk reporting from security findings to enhance leadership visibility and strengthen continuous monitoring maturity.

  • Control Domain: Continuous Monitoring & Risk Assessment
  • Framework Alignment: NIST 800-53 (CA-7, RA-3) | NIST CSF (DE.CM) | ISO 27001 (A.8.16) | CIS 8

Get In Touch

Open to professional discussions and collaboration.