Data protection

Protect your data with confidence

A “check-the-box” approach to compliance will not protect your reputation. Proactive programs, measures and policies will.

Confidently maintain and protect your data, wherever it lives. Protiviti determines the impacts of data security regulatory and contractual requirements, assesses your alignment and capability to meet those expectations, remediates key processes and technologies, and helps implement changes to achieve and maintain compliance—all while improving your data security posture.

Our approach focuses on three core concepts: identifying and securing your most valuable assets; continuous monitoring; and a structured, fast response to a breach.

Our data protection services

Data identification and security

Organizations want to know what data matters most. Protiviti’s data protection methodology identifies critical data, implements measures to protect it, and establishes a program to sustain and maintain data security as data evolves.


Data security compliance

No matter the compliance framework (PCI, HITRUST, HIPAA, SOC 2, SWIFT, NYDFS, FedRAMP, FISMA, CMMC), we scope your environment, address compliance gaps, and implement policies, procedures and technical solutions to meet any regulatory and contractual obligations.


Third-party risk management

Organizations increasingly rely on third parties but struggle to balance the level of investment in securing partners. The most effective TPRM programs are repeatable, quantifiable, and manage more risk per dollar spent.


Secure architecture

Securely maintaining technologies, systems, and networks is a challenge most companies face. Whether aligning with compliance requirements or adopting zero trust architecture, we bring skilled expertise to the design and implementation of your security.



PCI Security Standards Council Publishes New Versions of Self-Assessment Questionnaires

On April 29, 2022, the PCI Security Standards Council (PCI SSC) released new versions of the PCI DSS Self-Assessment Questionnaires (SAQs) ahead of the anticipated June 2022 release timeline. After the release of the new version of PCI DSS 4.0 a...


PCI Security Standards Council publishes updated data security standard

DSS 4.0 addresses rapidly evolving threat environment and provides flexibility for how organisations can achieve compliance On March 31, 2022, the PCI Security Standards Council (PCI SSC) released a new version of the PCI Data Security Standard ...


Ensuring Technology Fluency in the Boardroom

Every company is a technology company today. With business and technology inextricably intertwined, directors need to possess sufficient knowledge of technology issues to execute their duty of care responsibilities. Research indicates there is a...


Framing the Data Privacy Discussion in the Boardroom

Data proliferation and data privacy regulatory activity across the globe have created the need for focused boardroom discussions. While cybersecurity continues to be an issue for boards, a more targeted focus on data privacy is increasingly...


Tech Leaders Rephrase the Conversation to Proactively Detect Sensitive Data and Apply Controls

In the technology world, it’s common to hear leaders talk about the three-legged stool to success: people, process and technology. But we often see CISOs and CIOs – tasked with protecting sensitive organizational data – focus most of their attention...


There’s a Culture Shift Happening in Medical Device Manufacturing. Are CISOs Ready?

There’s a fundamental security sea change happening in the medical device world. Driven by the increasing threats of cyber attacks, corporate competition, and the ever-growing need to protect the massive volumes of valuable patient data, Chief...


Effective Cybersecurity is Essential as Cyber Threats Expected to Continue Over Next Decade

In today’s rapidly evolving business world, the lines between technology and business have blurred. Organizations need to modernize and transform their technology in order to successfully compete. CIOs play a critical role in transforming the world...


Don’t Let Technical Debt and Other Cybersecurity Risks Drag on M&A

Do your homework. The age-old mandate has newfound relevance for CISOs, given the intense pace of mergers and acquisitions (M&A) and escalating cybersecurity risks. Global business consolidation activity is strong. The number of deals (and...

The Protiviti advantage

Protiviti provides expert-level data security consulting solutions to FORTUNE 1000® and FORTUNE Global 500® companies across the world. We provide our clients with data security expertise that spans numerous regulations across all industries.

Helping organizations comply with data security requirements is part of our DNA.

PCI: Protiviti is one of the largest and most experienced PCI QSA firms (since 2002) and a two-time member of the PCI SSC’s Global Executive Assessor Roundtable. We frequently present at the Council’s community meetings and partner with global merchants and service providers to aid our clients on their journeys to achieve and maintain PCI certification.

CMMC: Protiviti Government Services is a CMMC-AB Registered Provider Organization™ (RPO) providing accredited consulting services around the Cybersecurity Maturity Model Certification (CMMC) program.

HITRUST and SWIFT: We are a HITRUST CSF Assessor and SWIFT CSP and partner with clients seeking to certify compliance.


Chip Wolford
Chip is a Managing Director in Protiviti’s Technology Consulting practice focusing on Data Security & Privacy. He presently leads Protiviti’s Data Security practice and focuses on Payment Card Industry and Healthcare Information Security as well as supporting ...
David Taylor
David is a Managing Director based in Protiviti’s Orlando office. He has more than 20 years of experience in information security and IT Audit. He is a former federal agent and Computer Crime Investigator (CCI) for NASA’s Inspector General and for the United States Air ...
Dan Hansen
Dan is a Managing Director in Protiviti's IT Consulting Practice and leads the Security & Privacy practice in the San Francisco Bay Area. He has over 16 years of IT process and risk management experience and has led numerous IT engagements, focusing on information ...
Jacob Iley
Jacob is a Managing Director with 20 years of experience in strategic cybersecurity program development and transformation, risk assessments, regulatory and industry compliance, and cybersecurity and privacy assessments. Jacob serves global clients across various ...
Paul Kooney
Paul is a Managing Director with over 25 years of experience in both the public and private sectors focused on innovative third-party risk management programme development, payment card industry security, and cybersecurity and privacy compliance. Paul serves on the ...
Muazzam Malik
Muazzam is a Managing Director with over 20 years of experience in the fields of cybersecurity and data privacy. He helps clients assess, design, implement, and transform security programmes, and solve complex cybersecurity challenges. While his specialty lies in ...
Michael Porier
Michael Porier is a Managing Director in Protiviti’s Houston office specializing in executing and managing information technology risk consulting engagements since 1994. His expertise includes evaluating the risks and controls related to managing a company’s enterprise ...
Jeffrey Sanchez
Jeff is a Managing Director with nearly 30 years of experience in the data security and privacy risk fields. Working in the retail, healthcare, hospitality, and technology industries, he assists global clients with designing, implementing, and managing compliance to ...

CISO Next initiative

What is next for CISOs?

The CISO Next initiative produces content and events crafted exclusively for CISOs, with CISOs. The resources focus on what CISOs need to succeed. The first step is finding out “What CISO type are you?”

Case Studies

Situation: This highly decentralised client had disparate vendor security assessments and governance policies, which led to repeated assessments and a lack of a common view of vendor risk.

Value: Protiviti enabled the client to properly modify a COTS application in six months and build a strong foundation for an employee training module.

Situation: The diagnostic device division of this company needed a third-party partner to conduct a HITRUST certification controls assessment to identify and remediate control gaps.

Value: Protiviti assisted in developing a plan and timeline for HITRUST certification.

Situation: This global brand needed assistance with its payment card industry (PCI) compliance program.

Value: Protiviti’s experience with acquiring banks and merchant compliance initiatives assisted in the development and rollout of this client’s compliance program for key stakeholders.

Situation: This client needed to update policies and procedures, with organisational alignment between the first, second, and third lines of defense.

Value: Protiviti updated the client’s governance and policies to improve risk assessments, increase visibility into the risk profile of critical systems and infrastructure, and challenge existing data security practices to enhance enterprise regulatory compliance.