Author/Owner: Badr Karim — Cybersecurity GRC Intern | Security Assurance | Risk-Based Controls | Privacy-Driven TPRM
LinkedIn: https://www.linkedin.com/in/badrkarim/
This repository is my personal TPRM program portfolio written in a US workplace assurance style: tiering, defensible scoring, required controls by risk, and audit-ready evidence discipline.
Focus: US privacy expectations + cloud vendor data protection.
Not legal advice. Examples are sanitized to demonstrate process quality, traceability, and evidence discipline.
- 00_Start-Here/Portfolio_Authenticity_Statement.md
- 00_Start-Here/Executive_Summary.md
- 00_Start-Here/Reviewer_Guide.md

- Policy/Standard/SOP: 01_Policy-and-Program/
- Risk models: 03_Risk-Scoring/
- Tiered DDQ: 04_Due-Diligence/
- Controls + mapping: 05_Control-Library-and-Mapping/
- Evidence system: 06_Evidence/
- Decision + remediation: 07_Decision-Remediation/
- Contracts + monitoring/offboarding: 08_Contracts/ and 09_Monitoring-Offboarding/
- Business decision artifacts: 13_Business-Decision-Pack/
These demonstrate real execution: intake → DDQ → evidence → residual risk → decision → remediation.
- High-tier SaaS CRM (SSO + API)
  Files: Intake_AcmeCRM.md, DDQ_AcmeCRM.md, ResidualRisk_AcmeCRM.md, Decision_AcmeCRM.md
- Critical-tier MSP (VPN + Privileged Admin Access)
  Files: Intake_GuardianOpsMSP.md, DDQ_GuardianOpsMSP.md, ResidualRisk_GuardianOpsMSP.md, Decision_GuardianOpsMSP.md
- High-tier Data Analytics (Large-scale PII) — privacy-heavy
  Files: Intake_DataPulse.md, DDQ_DataPulse.md, RoPA_DataPulse.md, DSAR_DataPulse.md, ResidualRisk_DataPulse.md, Decision_DataPulse.md
- Governance: 14_Governance/
- Privacy Operations: 15_Privacy-Ops/
- Monitoring: 16_Monitoring/
- Assessment Reporting: 17_Assessment-Reporting/
- Audit Readiness: 18_Audit-Readiness/