Log Analysis & Event Correlation (Core of the Role)
Situation: Our SIEM began flagging repeated failed logins from a privileged account.
Task: Determine whether it was noise or a real threat.
Action: I correlated SIEM alerts (Splunk‑style workflow) with VPN logs and IDS/IPS data (Snort/Suricata equivalent). I noticed the activity originated from an unusual geo‑location and occurred outside normal hours.
Result: I escalated immediately, contained the account, and prevented a potential credential compromise. The after‑action review led to improved alert tuning and MFA enforcement.
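As an added illustration of the correlation described above (this is example code, not part of the original write-up), the script below groups failed logins for watch-listed privileged accounts by source IP, enriches each group with constructed VPN session data, and rates it on the two signals the answer relies on: an unexpected country and activity outside business hours. The event format, field names, watchlist, country list, hours window and failure threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, time, timezone

# Constructed sample SIEM authentication events (hypothetical key=value format).
AUTH_EVENTS = [
    "2024-03-04T02:11:05Z user=svc_admin result=FAIL src=203.0.113.9",
    "2024-03-04T02:11:19Z user=svc_admin result=FAIL src=203.0.113.9",
    "2024-03-04T02:11:40Z user=svc_admin result=FAIL src=203.0.113.9",
    "2024-03-04T02:12:02Z user=svc_admin result=FAIL src=203.0.113.9",
    "2024-03-04T02:12:30Z user=svc_admin result=FAIL src=203.0.113.9",
    "2024-03-04T09:30:00Z user=jdoe result=FAIL src=198.51.100.7",
    "2024-03-04T09:30:15Z user=jdoe result=SUCCESS src=198.51.100.7",
    "2024-03-04T14:05:00Z user=svc_admin result=FAIL src=198.51.100.20",
    "2024-03-04T14:05:10Z user=svc_admin result=FAIL src=198.51.100.20",
    "2024-03-04T14:05:20Z user=svc_admin result=FAIL src=198.51.100.20",
    "2024-03-04T14:05:30Z user=svc_admin result=FAIL src=198.51.100.20",
    "2024-03-04T14:05:40Z user=svc_admin result=FAIL src=198.51.100.20",
]

# Constructed VPN session table keyed by source IP (hypothetical fields).
VPN_SESSIONS = {
    "203.0.113.9": {"country": "RO", "vpn_user": "svc_admin"},
    "198.51.100.20": {"country": "US", "vpn_user": "svc_admin"},
    "198.51.100.7": {"country": "US", "vpn_user": "jdoe"},
}

PRIVILEGED_ACCOUNTS = {"svc_admin"}          # assumed watchlist
EXPECTED_COUNTRIES = {"US"}                  # assumed normal geography
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed normal window, UTC
FAIL_THRESHOLD = 5                           # assumed alert tuning value

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_event(line):
    """Parse one event line; return None for lines that do not match the format."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def off_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def correlate(events, vpn_sessions):
    """Group failed logins per (privileged user, source IP) and enrich each
    group with VPN geo, time-of-day and session-owner context."""
    fails = defaultdict(list)
    for line in events:
        ev = parse_event(line)
        if ev and ev["user"] in PRIVILEGED_ACCOUNTS and ev["result"] == "FAIL":
            fails[(ev["user"], ev["src"])].append(ev["ts"])

    alerts = []
    for (user, src), stamps in fails.items():
        if len(stamps) < FAIL_THRESHOLD:
            continue
        session = vpn_sessions.get(src, {})
        country = session.get("country", "unknown")
        reasons = []
        if country not in EXPECTED_COUNTRIES:
            reasons.append(f"unexpected geo {country}")
        if any(off_hours(t) for t in stamps):
            reasons.append("outside business hours")
        if session.get("vpn_user") not in (None, user):
            reasons.append(f"VPN session belongs to {session['vpn_user']}")
        # No enrichment hits: probably noise (stale credential in a scheduled job).
        severity = {0: "low", 1: "medium"}.get(len(reasons), "high")
        alerts.append({"user": user, "src": src, "failures": len(stamps),
                       "reasons": reasons, "severity": severity})
    return sorted(alerts, key=lambda a: a["src"])


if __name__ == "__main__":
    for alert in correlate(AUTH_EVENTS, VPN_SESSIONS):
        print(alert)
```

On the constructed data the 02:11 burst from a Romanian VPN exit scores high, while the identical-sized burst from the expected country during working hours scores low, which is the noise-versus-threat split the answer describes.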
Vulnerability Scanning & Remediation Guidance
Situation: Monthly NIST‑aligned vulnerability scans identified a critical RCE vulnerability on a legacy server.
Task: Ensure remediation without disrupting business operations.
Action: Using a Nessus‑type scanner, I validated the finding, met with the system owner, explained the risk in business terms, and coordinated a patch window. After patching, I rescanned to confirm closure and updated the risk treatment plan.
Result: Reduced the system’s exposure window and improved our audit readiness.
Identity & Access Management (RBAC, Least Privilege, Access Audits)
Situation: During an access review, I noticed several accounts retained elevated permissions after role changes.
Task: Reduce privilege creep and enforce least privilege.
Action: I used IAM tools (Okta, AD) to review permissions, validated business needs with managers, and removed unnecessary privileges. I also updated our RBAC documentation to prevent recurrence.
Result: Reduced risk of unauthorized access and improved compliance with HIPAA minimum‑necessary standards.
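The access review above, as an added example that is not part of the original text: a small script that compares each account's effective entitlements against the entitlements its current role is supposed to grant, honours documented exceptions only until they expire, and flags accounts with no role at all for owner attestation. The role matrix, entitlement names, accounts and exception register are all constructed.

```python
from datetime import date

# Assumed RBAC matrix: role -> entitlements the role is allowed to carry.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ad:Account Operators", "okta:helpdesk-app"},
    "sysadmin": {"ad:Domain Admins", "ad:Account Operators", "okta:aws-admin"},
    "analyst": {"okta:siem-viewer"},
}

# Assumed exception register: (user, entitlement) -> approval expiry (ISO date).
APPROVED_EXCEPTIONS = {
    ("rkhan", "okta:aws-admin"): "2024-12-31",
}

# Constructed IAM export (fictional users).
ACCOUNTS = [
    {"user": "mgreen", "role": "analyst",
     "entitlements": {"okta:siem-viewer", "ad:Domain Admins"}},   # left over from old role
    {"user": "tlee", "role": "sysadmin",
     "entitlements": {"ad:Domain Admins", "okta:aws-admin"}},
    {"user": "rkhan", "role": "helpdesk",
     "entitlements": {"ad:Account Operators", "okta:aws-admin", "okta:helpdesk-app"}},
    {"user": "svc_backup", "role": None,
     "entitlements": {"ad:Backup Operators"}},                  # no role mapped
]


def excess_entitlements(account, review_date):
    """Entitlements the account holds that its role does not justify,
    minus exceptions that are still within their approval window."""
    allowed = ROLE_ENTITLEMENTS.get(account["role"], set())
    excess = []
    for ent in sorted(account["entitlements"] - allowed):
        expiry = APPROVED_EXCEPTIONS.get((account["user"], ent))
        if expiry and date.fromisoformat(expiry) >= review_date:
            continue  # documented, unexpired exception: keep, but it will resurface on expiry
        excess.append(ent)
    return excess


def access_review(accounts, review_date):
    """Build the removal list for managers to validate before privileges are pulled."""
    review_date = date.fromisoformat(review_date)
    report = []
    for acct in accounts:
        excess = excess_entitlements(acct, review_date)
        if excess:
            report.append({
                "user": acct["user"],
                "role": acct["role"],
                "remove": excess,
                # Accounts with no role have no business justification on file at all.
                "needs_owner_attestation": acct["role"] is None,
            })
    return report


if __name__ == "__main__":
    for row in access_review(ACCOUNTS, "2024-06-01"):
        print(row)
```

Running the review at a later date shows the point of tracking expiry: the exception for rkhan stops suppressing the finding once it lapses, so the entitlement comes back onto the removal list instead of silently becoming permanent.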
Incident Detection & Response (Another Core Requirement)
Situation: A user reported suspicious mailbox behavior after clicking a phishing email.
Task: Investigate and contain the incident.
Action: I used SIEM logs, EDR telemetry, and email security tools to confirm malicious forwarding rules. I isolated the account, reset credentials, removed rules, and documented the incident.
Result: Contained the compromise quickly and contributed to updated phishing detection rules.
Tools referenced: SIEM, EDR (CrowdStrike‑style), email security console.
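To show what "confirm malicious forwarding rules" looks like in practice, here is an added example (not code from the original write-up) that triages an exported set of inbox rules. It scores each rule on the indicators that typically accompany a business-email-compromise mailbox: forwarding to an external domain, deleting or hiding matched mail, matching on lure keywords such as "invoice" or "password", and a deliberately unreadable rule name. The export format, field names, organisation domain, folder list, keyword list and weights are all assumptions; the mailboxes are fictional.

```python
INTERNAL_DOMAINS = {"example.org"}   # assumed organisation domain(s)

# Folders attackers commonly use to hide matched mail from the user (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}

# Subject keywords that suggest the rule is intercepting finance or security traffic.
LURE_KEYWORDS = {"invoice", "payment", "wire", "password", "security",
                 "phish", "suspicious", "hacked", "helpdesk"}

# Constructed inbox-rule export (hypothetical field names).
RULES = [
    {"mailbox": "alice@example.org", "name": "..",
     "forward_to": ["drop@mail-relay.example"], "delete": True, "move_to": None,
     "subject_contains": ["invoice", "payment"]},
    {"mailbox": "alice@example.org", "name": "Newsletters",
     "forward_to": [], "delete": False, "move_to": "Newsletters",
     "subject_contains": ["digest"]},
    {"mailbox": "bob@example.org", "name": "Team filter",
     "forward_to": ["team-lead@example.org"], "delete": False, "move_to": None,
     "subject_contains": ["weekly report"]},
    {"mailbox": "carol@example.org", "name": "a",
     "forward_to": [], "delete": False, "move_to": "RSS Feeds",
     "subject_contains": ["hacked", "password"]},
]


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def rule_indicators(rule):
    """Return (indicator, weight) pairs for one rule; weights are assumed tuning values."""
    found = []
    if any(is_external(a) for a in rule["forward_to"]):
        found.append(("external_forward", 3))
    if rule["delete"]:
        found.append(("deletes_mail", 2))
    if rule["move_to"] and rule["move_to"].lower() in HIDING_FOLDERS:
        found.append(("hides_in_folder", 2))
    if {k.lower() for k in rule["subject_contains"]} & LURE_KEYWORDS:
        found.append(("targets_security_keywords", 2))
    if len(rule["name"].strip(" .")) <= 1:
        found.append(("obfuscated_name", 1))
    return found


def triage(rules, threshold=3):
    """Return rules whose combined indicator weight reaches the threshold, worst first."""
    hits = []
    for rule in rules:
        indicators = rule_indicators(rule)
        score = sum(w for _, w in indicators)
        if score >= threshold:
            hits.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "score": score,
                         "indicators": [name for name, _ in indicators]})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(RULES):
        print(hit)
```

Bob's rule forwards internally to a manager and scores zero, which is the kind of legitimate rule an analyst must not remove in the rush to contain; Alice's rule hits every indicator and is the one to delete before resetting credentials so the attacker loses the forwarding copy immediately.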
Data Protection, DLP, and HIPAA‑Aligned Privacy Practices
Situation: A team was storing sensitive data in an unapproved shared location.
Task: Ensure proper data handling and compliance.
Action: I used DLP tools to identify the data, confirmed it contained PHI, and worked with the team to move it to an encrypted, access‑controlled repository. I updated the data classification record and reinforced HIPAA minimum‑necessary guidelines.
Result: Eliminated an exposure risk and improved data‑handling practices across the team.
Collaboration, Empathy, Communication, and Accountability (Huge in This Role)
Situation: During a high‑pressure incident, multiple teams disagreed on root cause and next steps.
Task: Keep the response coordinated and productive.
Action: I facilitated communication by summarizing findings from SIEM/EDR tools, listened to each team’s concerns, and aligned everyone on a shared remediation plan.
Result: The incident was resolved quickly, and leadership praised the clarity and calmness I brought to the situation.
Ability to Work in Ambiguous, Fast‑Paced Environments
Situation: When I moved into the ISSO rotation, many of our assessment and incident documentation processes were inconsistent and not clearly defined.
Task: Keep work moving while bringing structure to an unclear environment.
Action: I used Microsoft 365, Asana, and our internal GRC documentation to create standardized templates for risk treatment plans and incident reports. I clarified workflows with senior ISSOs and aligned our monthly assessment process with NIST RMF requirements.
Result: This reduced confusion, improved turnaround time, and helped the team operate more consistently during high‑volume periods.
Knowledge of Network Security & System Hardening
Situation: We identified several servers and endpoints that weren’t meeting our internal hardening baseline.
Task: Reduce exposure by validating and tightening system and network security controls.
Action: I used Nmap and Wireshark to identify open ports and insecure services, applied hardening steps (firewall rule tightening, disabling unused services, enforcing VPN and encryption settings), and validated fixes through SIEM logs and follow‑up scans.
Result: Reduced attack surface, eliminated recurring vulnerabilities, and improved compliance with NIST and SOC 2 requirements.
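As an added example of the baseline check and follow-up validation described above (this is not code from the original write-up), the script below parses Nmap XML output, reports open ports that the per-host hardening baseline does not allow, tags cleartext or legacy services, and then checks a constructed rescan to confirm which findings actually closed. The XML follows the shape of Nmap's -oX output, but the hosts, ports, baseline and service list are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed scan before hardening (fictional hosts; structure mirrors nmap -oX).
BEFORE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed rescan after the change window: telnet is gone, port 80 was missed.
AFTER_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>"""

# Assumed hardening baseline: TCP ports each host is allowed to expose.
BASELINE = {"10.0.0.5": {22, 443}, "10.0.0.9": {445}}

# Assumed list of cleartext / legacy services that fail the baseline on sight.
CLEARTEXT_SERVICES = {"telnet", "ftp", "tftp", "rsh", "rlogin", "http"}


def open_ports(xml_text):
    """Map host address -> {port: service name} for every open TCP port."""
    scan = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = {}
        for port in host.findall("ports/port"):
            if port.get("protocol") == "tcp" and port.find("state").get("state") == "open":
                svc = port.find("service")
                ports[int(port.get("portid"))] = svc.get("name") if svc is not None else "unknown"
        scan[addr] = ports
    return scan


def baseline_deviations(scan, baseline):
    """Open ports not permitted by the baseline, with a cleartext-service flag."""
    deviations = []
    for host, ports in scan.items():
        allowed = baseline.get(host, set())   # unknown host: nothing is allowed
        for port, svc in sorted(ports.items()):
            if port not in allowed:
                deviations.append({"host": host, "port": port, "service": svc,
                                   "cleartext": svc in CLEARTEXT_SERVICES})
    return deviations


def confirm_closure(deviations, rescan):
    """Findings that are still open in the rescan; only an empty list closes the ticket."""
    return [d for d in deviations if d["port"] in rescan.get(d["host"], {})]


if __name__ == "__main__":
    found = baseline_deviations(open_ports(BEFORE_XML), BASELINE)
    print("before:", found)
    print("still open:", confirm_closure(found, open_ports(AFTER_XML)))
```

The rescan step is the part worth keeping: a change ticket marked done is not evidence of closure, and in the constructed data port 80 on the second host would have been reported as fixed without it.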