// GRC Engineer · Compliance Automation · Barrington, NJ
Shayl Taveras
I came into compliance through the back door. eDiscovery at Merck and J&J, data center ops at Nasdaq, network operations at Verizon Wireless — none of it was planned as a GRC career path. But understanding how infrastructure actually runs before anyone starts auditing it turns out to be a real advantage. That's the lens I bring to this work.
FedRAMP · HITRUST · CMMC 2.0 · RMF · SOC 2 · PCI-DSS · NIST 800-53
Projects
5 active
01 · Serverless IAM Access Review System
Orchestrates IAM, IAM Access Analyzer, and Security Hub findings into an AI-narrated HTML compliance report. EventBridge weekly trigger, S3 output, CloudFormation deployed.
02 · Compliant S3 Primitive — NIST 800-53
Terraform module enforcing SC-28, AC-3, CM-6, AU-3, AU-6 into every S3 bucket. terraform show -json produces machine-readable evidence an auditor can traverse without a console login.
03 · Compliant GCS Bucket — NIST 800-171
Reusable Terraform module for GCP Cloud Storage hard-coding six NIST 800-171 controls with plan-time validation gates that reject non-compliant config before any resource reaches GCP.
04 · GKE Cluster Compliant Primitive — Multi-Framework
Ephemeral FedRAMP-realistic GKE cluster. SC-28, CM-6, AC-3, AU-3 hard-coded. Evidence in artifacts/terraform-state.json — auditor-traversable without console access. Maps to NIST 800-53, FedRAMP, CMMC L2, SOC 2.
05 · Rego Compliance Policy Library — GCP
Three OPA Rego policies that validate a Terraform plan against NIST 800-53 SC-28, AC-3, and CM-6 before any resource is deployed. Runs as a pre-apply gate against terraform plan -json output. Each deny message returns the resource address and NIST control ID so developers know exactly what to fix without filing a GRC ticket. Eight tests, three controls, no cloud access needed.
Experience
5 roles
Florida Blue Cross Blue Shield
IT Systems Compliance Engineer · HITRUST · SOC 2 · CMS ARS
Booz Allen Hamilton
GRC Consultant · FedRAMP High · RMF · NIST 800-53
Lockheed Martin
Senior Cybersecurity Engineer · NIST 800-53 · NIST 800-171 · RMF
Future Technologies, Inc
GRC Specialist · NIST 800-53 · RMF
Syntax
GRC Analyst · PCI DSS · SOC I · SOC II