Josh Jones
About Me
GRC engineering and security operations specialist skilled at turning compliance frameworks into scalable controls, building audit-ready systems, and bridging regulatory and engineering worlds in fast-paced environments. Experienced across IT and security domains including security architecture, security governance, security risk management, system administration, networking, and application development.
- CISSP - Certified Information Systems Security Professional
- CISA - Certified Information Systems Auditor
- CSIS (A+, Network+, Security+)
- PCI ISA - PCI Internal Security Assessor
- PCIP - Payment Card Industry Professional
- Project+
- ISO 42001:2023 Lead Auditor
Work Experience
Compliance Programs Manager, Security and Healthcare
- Built the enterprise Compliance Engineering function, automating continuous monitoring across Azure, M365, AWS, OCI, and on-premises environments
- Reduced audit prep time for controls through automated audit evidence collection, saving engineering teams countless hours
- Used Copilot Studio to build a custom AI agent to match customer questionnaire questions to standard Q&A responses
- Successfully completed over 25 external audits or assessments annually covering PCI DSS, PCI Secure Software Standard, HITRUST, SOC1, SOC2, SOC3, and partner audits
- Partnered with DevOps, Security, and Infrastructure teams to embed compliance into CI/CD pipelines
Security & Healthcare Compliance Analyst IV, Lead
- Served as the primary internal PCI subject matter expert covering four level one PCI DSS ROCs and one PCI Secure Software Standard product
- Led internal Operational Readiness reviews for hundreds of projects and new products, partnering with product and engineering teams
- Collaborated with PCI SSC's Special Interest Group (SIG) to help develop industry guidance "PCI DSS Scoping and Segmentation Guidance for Modern Network Architectures"
- Participated in RFCs as a PCI SSC Participating Organization, helping to develop numerous PCI standards
- Implemented a GRC tool (Hyperproof and internally developed M365 stack) and created a common control set for the enterprise
Senior PCI Security Analyst
- Worked with numerous high-profile clients to improve security readiness and compliance with PCI DSS
- Reviewed technical controls, system configurations, policies, and procedures to assess compliance and recommend improvements
- Worked closely with company executives and clients on the development of a SaaS-based integrated risk management (IRM) platform capable of supporting 800+ compliance standards
Information Security Analyst
- Worked under the PCI QSA and assisted with PCI assessments
- Wrote various scripts to assist with the collection of evidence
Systems Analyst
- Administered numerous systems including ERP, ITAM, POS, E-Mail, Document/Records Management, M365, Public Safety, and more
- Administered a mixed environment of Windows, Linux, and IBM i operating systems
- Implemented various security technologies such as the Elastic Stack for SIEM and centralized logging capability as well as CrowdStrike for EDR
- Wrote various scripts and utilities to assist with patch management, automation, and more
- Assisted with security compliance-related activities (PCI DSS and CJIS)
IT Helpdesk Analyst
- Triaged and routed all IT service requests as the sole Help Desk Analyst
- Provided tier 1 & 2 technical support for over 600 users and 800 devices including mobile phones, laptops, desktops, and servers
- Performed Active Directory administration including the management of users, organizational units, security groups, and group policies
Co-Founder
- Developed web application front-end and back-end for e-waste recycling business
- Operated e-waste recycling business, refurbishing and reselling used electronics including cell phones, laptops, desktops, and more
Technical Skills
Frameworks & Standards
- PCI DSS, Secure Software Standard, Secure Software Lifecycle, Key Management Operations, Point-to-Point Encryption, PIN
- SOC 1, SOC 2, SOC 3
- HITRUST CSF
- ISO 42001
- CJIS
- More...
Tools & Technologies
- Wiz, ImPAC, Qualys, Snyk
- ServiceNow, Jira
- Copilot Studio
- Power Automate, Python, Bash, PowerShell
- Elastic Stack, Exabeam, CrowdStrike
- Hyperproof
Cloud Platforms
- AWS
- Azure
- OCI
Key Projects
Compliance Engineering Automation
Built enterprise Compliance Engineering function automating continuous monitoring across Azure, M365, AWS, OCI, and on-premises environments. Reduced audit prep time for controls through automated audit evidence collection.
AI-Powered Questionnaire Automation
Used Copilot Studio to build a custom AI agent that matches questions from customer questionnaires to answers from a curated list of standard Q&A responses, cutting review time by more than 80%.
Enterprise GRC Platform
Implemented a GRC tool (Hyperproof and internally developed M365 stack) and created a common control set for the enterprise.
PCI DSS Industry Standards and Guidance
Participated in numerous PCI SSC standard RFCs and collaborated with PCI SSC's Special Interest Group (SIG) to help develop and produce the industry guidance "PCI DSS Scoping and Segmentation Guidance for Modern Network Architectures".
Get In Touch
Ready to discuss security compliance challenges or explore collaboration opportunities? Drop me a message and let's secure the digital world together.