Kiston Finney, Risk Practice Manager

Kiston has experience in security leadership, as a security practitioner in the public and private sectors, and as a successful security consultant. As a consultant, Kiston has delivered significant projects building information security risk management programs, comprehensive information security programs based on industry-regarded best practice, and HIPAA programs that incorporate both privacy and security and support meaningful use objectives. As a practitioner and leader, Kiston has led teams in a state-funded PAC-12 higher education institution with a health sciences division and a large regional health care system in the Information Security Office's Governance, Risk, & Compliance division. Kiston has spoken nationally on the topics of risk management and HIPAA programs.


While Kiston has experience in multiple industries, including insurance companies, financial institutions, manufacturing, energy trading, law firms, and higher education institutions, a major focus has been working for large healthcare providers, plans, or organizations serving the healthcare industry.

Prior to joining Atredis, Kiston was most recently the Manager of Governance, Risk, and Compliance and HIPAA Security Specialist in the University of Utah's Information Security Office, creating and leading a team of GRC analysts that served the institution and all of its units, including the University of Utah Health Care system. In that role Kiston built the University's risk management program from the ground up, developed a comprehensive set of information security policies that became University regulation, and acted as the HIPAA Security Rule subject matter expert.

Kiston has extensive experience in risk assessment and risk management activities, policy and procedure development, and regulatory compliance gap analysis and audit activities. Specifically, Kiston is experienced with multiple compliance and best practice frameworks including HIPAA, FERPA, GLBA, FISMA, NIST 800 series special publications, and ISO 27001/2.

Key Accomplishments

Kiston successfully built a comprehensive governance, risk, and compliance program from the ground up that served a PAC-12 institution with the three distinct business missions of higher education, research, and patient care. This program progressed from level 1 maturity to level 3 maturity in less than two years, with a roadmap to level 4 maturity in a total of three years.

Kiston successfully executed a FISMA compliance effort for a specialized research environment for a large multidisciplinary leader in genomic research.

Kiston has extensive experience in building HIPAA programs founded on the principles of both privacy and security, collaborating with the office of general counsel to develop different entities' risk tolerance regarding the use and disclosure of protected health information in all formats, and supporting innovation in healthcare by providing counsel and risk analysis documentation to institutional review boards and meaningful use coordinators.

Kiston holds a number of audit and industry certifications, including CISSP, ISSAP, CHSS, CRISC, CAP, HISP, and HITRUST CSF.