Chris Olowo
Cybersecurity PM & GRC · PMP® · ISO 27001 · AI Governance

Cybersecurity Project Manager & GRC Leader
PMP®-certified · Risk · Governance · Compliance · AI Governance

ISO 27001 / NIST CSF / SOC 2 / FAIR / ISO 42001 / ICS 100–300
Live Platform
Enterprise GRC Platform
Risk · Controls · Frameworks · KPI
Top Credential
PMP® — Active
Project Management Institute
Emergency Management
ICS 100 · 200 · 300
H2Safety — field-certified
30+ Credentials
GRC · AI Governance · Agile
PMI · IBM · Securiti · Amii

Governance

GRC programs built for real workflows — policies, risk registers, SOAs, and evidence packs audit-ready from day one.

ISO 27001 · NIST CSF · GDPR

Risk Quantification

FAIR-based modelling and KPI frameworks translating security risk into board-ready business language — not heat maps.

FAIR · ROSI · KPI Dashboards

AI Governance

ISO 42001-aligned AI risk frameworks for enterprise deployments — model security, regulatory mapping, ethical controls.

ISO 42001 · AI Risk · Responsible AI

Emergency Management

ICS 100–300 field-certified with MSF and Federal Ministry of Health deployments. BCP and ERP built for real incidents.

ICS 300 · BCP / BIA · Incident Command

Delivered Work

★ Featured

Enterprise GRC Platform

A fully operational GRC command centre. Risk Register with FAIR quantification, 6 framework assessments (ISO 27001, NIST CSF, SOC 2, GDPR, CIS, HIPAA), Evidence repository, Statement of Applicability, Incident tracking, Business Continuity BIA, KPI & ROI calculator, and a Reporting Hub generating board-ready PDF exports.

ISO 27001 · NIST CSF · SOC 2 · GDPR · FAIR · KPI · Risk Register
Launch Platform →
Interactive · Learning

GRC Learning Lab

Guided missions and enterprise-scale practice projects inside the live platform. Complete full projects in isolated workspaces with JSON export and PDF completion reports.

Guided Missions · Practice Projects
Open Lab →
Framework · Emergency

Emergency Management Risk Program

Response plans and BCP frameworks for critical infrastructure — deployed at H2Safety Services with ICS 100–300 field certification.

ICS Framework · BCP / ERP
View BCP →
Framework · AI

AI Governance Risk Model

Risk framework for enterprise AI deployments — model security, regulatory mapping, and governance controls aligned to ISO 42001.

ISO 42001 · AI Risk
Enquire →
Toolkit · Compliance

Compliance Audit Toolkit

Centralised toolkit for regulatory compliance audits — evidence collection, control testing, and audit-ready reporting across frameworks.

Audit · Evidence · Compliance
Open Toolkit →
30+ Credentials — Core & Selected
AI in Agile Delivery — PMI Scrum Fundamentals (SFC) — VMEdu

What's Inside the Platform

The GRC Platform is a fully operational enterprise tool — not a mock-up. Every module below is interactive, data-driven, and framework-aligned. Click through before you assume it's a simple portfolio piece.

⚠️

Risk Register

14 pre-loaded risks with FAIR quantification, likelihood × impact scoring, treatment decisions, justifications, owner assignment, and remediation due dates. Fully editable.

FAIR · ISO 27001 · NIST CSF
📊

Risk Heatmap & KPI Dashboard

Live Chart.js risk matrix, trend graphs, ROSI calculator, MTTD/MTTR tracking, and board-ready KPI metrics. All calculated dynamically from your register data.

Chart.js · ROSI · KPI
🔍

6 Framework Assessments

Full gap assessments for ISO 27001, NIST CSF, SOC 2, GDPR, CIS Controls, and HIPAA — each with control-by-control scoring, notes, and exportable PDF reports.

ISO 27001 · SOC 2 · GDPR · HIPAA
🛡️

Controls Library

Implemented, in-progress, and planned controls with framework references, effectiveness ratings, test dates, owner assignment, and linked risk mapping.

CIS · NIST CSF · Evidence
📋

Evidence & Asset Register

Evidence repository linked to controls, asset inventory with classification and criticality ratings, and a statement of applicability for ISO 27001 Annex A.

ISO 27001 Annex A · SoA
🎓

GRC Learning Lab

10 guided missions and 6 enterprise-scale practice projects — each in an isolated workspace with progress tracking, JSON export, and PDF completion report generation.

Projects · Guided Missions
🚀 Launch GRC Platform → No login required · All data stays in your browser · Demo mode clearly labelled

Built Securely. By Design.

✓ OWASP Top 10 Mitigated · ✓ Static Secure Hosting · ✓ CSP Enforced · ✓ No Backend Attack Surface · ✓ SRI on External Scripts · ✓ Responsible Disclosure Policy
🛡️

Secure Static Hosting

Deployed on GitHub Pages with HTTPS enforced. With no server-side runtime of its own, the site has no server-side application code to attack: no SQL injection, no RCE, no auth bypass at the infrastructure layer.

GitHub Pages · HTTPS Only · No Backend · TLS 1.3
📋

Content Security Policy

A strict CSP meta-tag is enforced on every page, restricting script execution to self and trusted CDNs only. Inline styles are scoped; connect-src is locked to 'none' on the portfolio page.

CSP Level 3 · frame-ancestors: none · base-uri: self
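The policy described above, built and linted in code. This is an added example, not the portfolio's own code or its real policy: the directive values are placeholders modelled on the description (self plus cdnjs for scripts, connect-src 'none', base-uri 'self', frame-ancestors 'none'), and the lint rules are a reduced version of the checks a tool such as Google's CSP Evaluator performs. One check is specific to delivery via a meta tag, as used here: browsers ignore frame-ancestors, report-uri and sandbox in a meta policy, so those directives only take effect when sent as an HTTP response header.

```javascript
// Added example (not the portfolio's own code): build a CSP string from a
// policy object and lint it before it goes into a
// <meta http-equiv="Content-Security-Policy"> tag.

// Directives the CSP specification does not allow in a <meta> policy.
const META_IGNORED = ['frame-ancestors', 'report-uri', 'sandbox'];

// Placeholder policy modelled on the page's description (assumed values).
const PORTFOLIO_POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdnjs.cloudflare.com'],
  'style-src': ["'self'"],
  'connect-src': ["'none'"],
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
  'frame-ancestors': ["'none'"],
  'object-src': ["'none'"],
};

// Serialise { directive: [sources] } into the header/meta content string.
function buildCsp(policy) {
  return Object.entries(policy)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(' ')}` : name))
    .join('; ');
}

// Parse a policy string back into { directive: [sources] }.
function parseCsp(text) {
  const policy = {};
  for (const part of String(text).split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (!tokens.length) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Review a policy; each finding names the directive and why it matters.
function lintCsp(policy, { delivery = 'meta' } = {}) {
  const findings = [];
  const add = (level, directive, msg) => findings.push({ level, directive, msg });
  // Fetch directives fall back to default-src when absent.
  const effective = d => policy[d] || policy['default-src'] || null;

  const script = effective('script-src');
  if (!script) {
    add('high', 'script-src', 'neither script-src nor default-src is set: script loading is unrestricted');
  } else {
    const hasNonceOrHash = script.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
      add('high', 'script-src', "'unsafe-inline' without a nonce or hash: injected inline scripts would run");
    }
    if (script.includes("'unsafe-eval'")) {
      add('medium', 'script-src', "'unsafe-eval' permits string-to-code execution");
    }
    if (script.some(s => s === '*' || /^(https?:|https?:\/\/\*)$/.test(s))) {
      add('high', 'script-src', 'wildcard or bare scheme source allows scripts from any origin');
    }
    if (script.some(s => /^https?:\/\//.test(s))) {
      add('info', 'script-src', 'host allow-list: every file on the listed host is trusted; nonces or hashes are stricter');
    }
  }
  if (!effective('object-src')) {
    add('medium', 'object-src', 'no object-src (or default-src): plugin content is not restricted');
  }
  if (!policy['base-uri']) {
    add('medium', 'base-uri', 'base-uri missing: an injected <base> tag could redirect relative URLs');
  }
  if (delivery === 'meta') {
    for (const d of META_IGNORED) {
      if (policy[d]) add('info', d, `${d} is ignored when delivered via <meta>; it must be sent as an HTTP header`);
    }
  }
  return findings;
}
```

Run `lintCsp(parseCsp(policyString), { delivery: 'meta' })` against the content of the meta tag actually shipped; a clean result has no high findings, and the frame-ancestors info finding is the reminder that clickjacking protection on a static host needs a header the host is willing to send.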
🔗

Dependency Security

All external scripts (Chart.js) are loaded from cdnjs with Subresource Integrity (SRI) hashes, ensuring tampered CDN files are blocked by the browser before execution.

SRI Hashes · Pinned Versions · CDN Integrity
🔒

XSS Prevention

All user-supplied data is HTML-encoded via a purpose-built esc() sanitizer before any DOM insertion. URL inputs are validated to block javascript: and data: URI injection.

HTML Encoding · URL Validation · OWASP A03
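The two controls named above (and again under STRIDE "Elevation of Privilege", the OWASP A03 entry and the "XSS Prevention" control mapping row) in working form. This is an added example: esc() and safeUrl() here are this example's own implementations, not the portfolio's esc() and escUrl(), whose source is not on the page. The scheme allow-list relies on the WHATWG URL parser, which is what makes it robust: the parser strips surrounding whitespace and embedded tab or newline characters and lower-cases the scheme, so case and whitespace variants of javascript: all normalise to the same rejected value. Relative URLs are rejected by design (assumption: evidence links are stored as absolute URLs).

```javascript
// Added example (not the portfolio's own code): HTML-encode user-supplied
// strings before DOM insertion and allow-list the URL scheme before rendering
// a user-supplied link.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of text or a quoted attribute.
// Non-strings are coerced so a missing field cannot bypass encoding.
function esc(value) {
  return String(value ?? '').replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Return a normalised absolute URL, or null when the input is not an absolute
// URL with an allow-listed scheme. javascript: and data: never pass because
// they are simply not in the set; no deny-list string matching is involved.
function safeUrl(input) {
  let url;
  try {
    url = new URL(String(input ?? '')); // global URL in browsers and Node
  } catch {
    return null; // relative, empty or unparseable input
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Render a user-supplied link as the page describes: escaped label, validated
// href, and rel="noopener noreferrer" on every target="_blank" anchor.
// A rejected URL degrades to plain escaped text rather than a dead or unsafe link.
function renderLink(label, input) {
  const href = safeUrl(input);
  if (href === null) return esc(label);
  return `<a href="${esc(href)}" target="_blank" rel="noopener noreferrer">${esc(label)}</a>`;
}
```

The href is escaped again when placed in the attribute even though safeUrl() already normalised it; the two layers answer different questions (is this a link we will follow, and can this string sit inside a quoted attribute) and neither replaces the other.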
📦

Data Protection

The GRC Platform stores all data in browser localStorage only — scoped entirely to the user's own session. Exports are rate-limited (5/min) and audit-logged. Internal platform datasets are never included in user exports.

Client-Scoped Data · Rate Limiting · Audit Logging
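The export limit and audit trail described above (and in the "Export Rate Limiting" and "Audit Logging" control mapping rows and the OWASP A09 entry), as an added example rather than the portfolio's own implementation. It keeps the page's numbers (5 exports per 60 s) and the page's grc_export_log key; the timestamp key name, the function shapes and the in-memory storage shim are this example's own assumptions. In a browser, pass window.localStorage as `storage`. Both controls live in localStorage, so as the page states they bound accidental or scripted bulk export within a session and nothing more; anyone with DevTools can clear them.

```javascript
// Added example (not the portfolio's own code): client-side sliding-window
// export limiter plus an append-only audit log, both backed by Web Storage.

const EXPORT_LIMIT = 5;                   // from the page: 5 exports ...
const EXPORT_WINDOW_MS = 60 * 1000;       // ... per 60 s
const STAMPS_KEY = 'grc_export_stamps';   // assumed key for the rate-limit window
const LOG_KEY = 'grc_export_log';         // audit log key named on the page

// Minimal Web Storage look-alike so the example runs outside a browser.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: key => (map.has(key) ? map.get(key) : null),
    setItem: (key, value) => { map.set(key, String(value)); },
    removeItem: key => { map.delete(key); },
  };
}

function createExportGuard({ storage = memoryStorage(), now = () => Date.now(),
                             limit = EXPORT_LIMIT, windowMs = EXPORT_WINDOW_MS } = {}) {
  // Corrupt or missing JSON degrades to an empty list instead of throwing,
  // so a damaged key cannot wedge the export feature.
  const readList = key => {
    try {
      const parsed = JSON.parse(storage.getItem(key) || '[]');
      return Array.isArray(parsed) ? parsed : [];
    } catch {
      return [];
    }
  };
  const writeList = (key, list) => storage.setItem(key, JSON.stringify(list));
  const recentStamps = t =>
    readList(STAMPS_KEY).filter(ts => typeof ts === 'number' && t - ts < windowMs);

  // Allowed while fewer than `limit` exports fall inside the trailing window.
  function checkExportRateLimit() {
    const t = now();
    const recent = recentStamps(t);
    writeList(STAMPS_KEY, recent); // drop expired stamps
    const allowed = recent.length < limit;
    return {
      allowed,
      remaining: Math.max(0, limit - recent.length),
      retryAfterMs: allowed ? 0 : windowMs - (t - recent[0]),
    };
  }

  function appendAudit(entry) {
    const log = readList(LOG_KEY);
    log.push(entry);
    writeList(LOG_KEY, log);
  }

  // Wrap an export: blocked attempts are logged too, and the payload builder
  // runs only when the export is allowed.
  function exportData(type, buildPayload) {
    const t = now();
    const verdict = checkExportRateLimit();
    if (!verdict.allowed) {
      appendAudit({ ts: new Date(t).toISOString(), type, outcome: 'blocked', retryAfterMs: verdict.retryAfterMs });
      return { ok: false, reason: 'rate_limited', retryAfterMs: verdict.retryAfterMs };
    }
    const data = buildPayload();
    writeList(STAMPS_KEY, [...recentStamps(t), t]);
    appendAudit({ ts: new Date(t).toISOString(), type, outcome: 'allowed', bytes: JSON.stringify(data ?? null).length });
    return { ok: true, data };
  }

  const auditLog = () => readList(LOG_KEY);

  return { checkExportRateLimit, exportData, auditLog };
}
```

The clock is injectable so the window behaviour can be tested without waiting a minute; in production the default Date.now() applies. Logging the blocked attempt as well as the allowed ones is what makes the trail useful for review: a burst of blocked entries is the signal, not the successful exports around it.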
🔍

DevSecOps Practices

Repository is configured for secret scanning (GitHub Advanced Security). All commits are reviewed for accidental credential exposure. Security headers, responsible disclosure policy (security.txt), and clickjacking prevention (X-Frame-Options: DENY) are implemented.

Secret Scanning · security.txt · X-Frame-Options
⚔️ STRIDE Threat Model

Methodology: STRIDE (Microsoft SDL) · Assets in scope: portfolio source code, GitHub repository, CDN dependencies, client browser session · Review date: March 2026

S · Spoofing
  Threat: Identity spoofing / impersonation of portfolio owner
  Mitigation: No authentication surface exists. LinkedIn/GitHub accounts protected with 2FA. OSINT exposure is intentional and managed.
  Status: Accepted · Monitored

T · Tampering
  Threat: CDN script replacement / supply chain compromise
  Mitigation: Subresource Integrity (SRI) hashes on all CDN scripts. Tampered files are rejected by the browser before execution.
  Status: Mitigated · SRI

R · Repudiation
  Threat: Denial of data export actions in GRC platform
  Mitigation: Client-side audit log records export events with timestamps within the session. Controls are localStorage-scoped and cannot prevent a determined user from clearing them — accepted as a limitation of static architecture with no server-side enforcement available.
  Status: Accepted · Client-scoped

I · Information Disclosure
  Threat: Source code exposure / console data leakage / OSINT
  Mitigation: No secrets or credentials in source. console.warn() calls removed. No backend = no server-side data to leak. Public OSINT is intentional portfolio exposure.
  Status: Mitigated · Reviewed

D · Denial of Service
  Threat: GitHub Pages availability disruption
  Mitigation: GitHub Pages has enterprise-grade DDoS protection. Static files have no server compute to exhaust. No application-layer DoS surface.
  Status: Accepted · GitHub SLA

E · Elevation of Privilege
  Threat: XSS → session hijack / privilege escalation
  Mitigation: CSP blocks inline script injection. All user input HTML-encoded via esc(). URL inputs validated to block javascript: injection. No privilege levels exist to escalate to.
  Status: Mitigated · CSP + esc()
🗂️ GRC Control Mapping

Portfolio security controls mapped to NIST Cybersecurity Framework and ISO/IEC 27001:2022 Annex A. Methodology aligns with NIST SP 800-30.

Columns: Control · NIST CSF Ref · ISO 27001 Ref · Implementation · Evidence · Status

Control: HTTPS Enforcement
  NIST CSF: PR.DS-02 · ISO 27001: A.8.24
  Implementation: GitHub Pages HTTPS enforced + JS redirect for HTTP→HTTPS
  Evidence: Browser padlock · HSTS header
  Status: Implemented

Control: XSS Prevention
  NIST CSF: PR.DS-02 · ISO 27001: A.8.28
  Implementation: HTML encoding via esc() · URL validation via escUrl() · CSP script-src
  Evidence: Source code review · CSP meta tag
  Status: Implemented

Control: Clickjacking Prevention
  NIST CSF: PR.AC-04 · ISO 27001: A.8.28
  Implementation: X-Frame-Options: DENY · CSP frame-ancestors: none
  Evidence: HTML meta tags · CSP header
  Status: Implemented

Control: Dependency Integrity
  NIST CSF: ID.SC-04 · ISO 27001: A.12.6
  Implementation: SRI sha512 hash on Chart.js CDN · Version pinned to 4.4.4
  Evidence: integrity= attribute in source
  Status: Implemented

Control: Content Security Policy
  NIST CSF: PR.AC-04 · ISO 27001: A.8.28
  Implementation: CSP Level 3 · script-src, style-src, connect-src: none, base-uri, form-action
  Evidence: CSP meta tag · DevTools verification
  Status: Implemented

Control: Secure External Links
  NIST CSF: PR.AC-04 · ISO 27001: A.8.28
  Implementation: All target=_blank links include rel="noopener noreferrer"
  Evidence: Source code audit · tab-nabbing test
  Status: Implemented

Control: Secret Scanning
  NIST CSF: ID.SC-04 · ISO 27001: A.12.6
  Implementation: GitHub Advanced Security secret scanning enabled on repository
  Evidence: GitHub Security tab · gitleaks recommended
  Status: Partial

Control: Responsible Disclosure
  NIST CSF: RS.CO-01 · ISO 27001: A.6.8
  Implementation: RFC 9116 security.txt published at /.well-known/security.txt
  Evidence: security.txt file · LinkedIn contact
  Status: Implemented

Control: Export Rate Limiting
  NIST CSF: PR.AC-04 · ISO 27001: A.8.20
  Implementation: 5 exports per 60s enforced client-side · Excess blocked with user notice · localStorage-scoped; bypassable via DevTools — acceptable given no server-side attack surface
  Evidence: Source code · checkExportRateLimit()
  Status: Implemented (client-scoped)

Control: Audit Logging
  NIST CSF: DE.CM-03 · ISO 27001: A.8.15
  Implementation: All data export events timestamped and stored in grc_export_log · localStorage-scoped; bypassable via DevTools — accepted limitation of static client-only architecture
  Evidence: localStorage audit trail · export functions
  Status: Implemented (client-scoped)
⚙️ DevSecOps Controls

Repository-level and pipeline security controls in effect for this portfolio.

Repository Security

GitHub Secret Scanning — automatic detection of credentials in commits
Branch Protection — main branch protected against force-push
No Runtime Dependencies — zero npm packages, zero supply chain risk at build time
gitleaks recommended — run against full commit history to verify no historical secret exposure

Dependency Security

SRI Hashes — all CDN scripts pinned with sha512 integrity attributes
Version Pinning — Chart.js 4.4.4 explicitly versioned, not loaded via "latest"
No eval() — no dynamic code execution in any script block
CDN Fallback — Chart.js stub prevents crash if CDN is unavailable

Static Security Testing

Manual code review — full HTML/CSS/JS audit performed against OWASP Top 10
OWASP ZAP — recommended passive scan against live GitHub Pages URL
CSP Evaluator — Google CSP Evaluator tool used to validate policy strength
securityheaders.com — header analysis recommended post-deployment

Infrastructure Security

GitHub Pages HTTPS — TLS enforced, HSTS supported, GitHub enterprise DDoS protection
Zero server attack surface — static files only, no compute layer to exploit
security.txt (RFC 9116) — responsible disclosure policy published
X-Frame-Options: DENY — clickjacking prevention at meta-header level

🔟 OWASP Top 10 — Mitigation Map

A01

Broken Access Control

No backend = no access control layer to break. All data is user-scoped to localStorage.

A02

Cryptographic Failures

HTTPS enforced on all pages. No sensitive data transmitted or stored server-side.

A03

Injection (XSS)

All user input is HTML-encoded via esc(). URL inputs validated to block protocol injection.

A04

Insecure Design

Threat-modelled as a static portfolio — minimal attack surface by architecture. Demo banner prevents misrepresentation of capabilities.

A05

Security Misconfiguration

CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers applied. HTTPS enforced.

A06

Vulnerable Components

Chart.js pinned to a specific stable version (4.4.4) with an SRI hash. No npm runtime dependencies.

A07

Auth & Session Failures

No authentication system = no session tokens to hijack. Portfolio is intentionally public-read-only.

A08

Software & Data Integrity

SRI hashes on all CDN scripts. GitHub secret scanning enabled. No CI/CD pipelines with unverified dependencies.

A09

Logging & Monitoring

Client-side export audit log maintained. All data export events are timestamped and stored in localStorage.

A10

SSRF

No server-side requests possible — static hosting eliminates SSRF attack surface entirely.

Let's Build Something.

Looking to stand up a GRC function, strengthen a security program, or bring structured delivery to a compliance initiative? I'd like to hear about the challenge.

Explore the GRC Platform →