Secure by Design Consulting
Support new implementations by assessing security controls using standard security user stories.
Perform security-related SDLC work.

Weekly (On Demand)

Varies by product scope

SDLC documentation reviewed in Asset Management.
Security user stories completed.
Assessment submitted to Assessment COE.

Due Diligence Requests
Conduct risk management and mitigation work for third-party vendors.

Weekly (On Demand)

Varies by assessment

Risks reviewed with Assessment COE.
Risk treatment approach defined.
Remediation plan and compensating controls documented with business owner.

Physical Site Assessments
Support physical site assessments for J&J enterprise data centers.

Annual (Per Site)

Defined upon request

Site assessment form completed in IRIS GRC module and aligned with S-23 IAPP.

Security Risk Acknowledgment & Action Planning (S-RAAP)

Monthly (On Demand)

Intake: < 7 days
Analyze: < 7 days
Respond: < 7 days

Completed IRIS GRC IPT ticket.
Presentation of findings and risk management decisions.

Ad-Hoc Security Control Consultations
(via IRIS Service Requests)

Daily (On Demand)

Ongoing

90% of demand marked In-Progress or Completed.
"Value" documented for each Service Request Task ticket.

Acquisitions & Divestitures (A&D) Work
Review and adapt A&D templates.
Support SDLC tasks for acquired entities.

Monthly (On Demand)

Per A&D project plan

Tasks completed per project timeline and A&D plan.

Monthly BIS Leadership Reporting
Create reports summarizing IRIS tasks, demand sources, and support needs.

Monthly

First Friday of each month

Accurate and timely reporting to Corp BIS leadership.