Client Case Studies
A selection of engagements led by Arshid Tariq and the Techem Group advisory team across regulated industries. All client details are anonymized in accordance with confidentiality agreements.
HIPAA Compliance Transformation for a Major Northeast Healthcare System
A regional healthcare system with 3,200+ employees across 12 hospitals, urgent care centers, and specialty clinics, managing protected health information (PHI) across a complex mix of legacy and modern infrastructure.
Multiple prior-year audit findings had exposed serious gaps in access controls, PHI encryption, audit logging, and incident response readiness. Legacy clinical systems lacked modern security controls, and the organization had no unified governance framework for HIPAA compliance. Regulatory and litigation exposure was growing while the security team remained under-resourced and reactive.
Arshid Tariq led an 18-month HIPAA compliance transformation program, beginning with a comprehensive security and risk assessment across all 12 facilities. The engagement delivered role-based access controls across clinical and administrative systems, end-to-end encryption for PHI in transit and at rest, centralized audit logging and SIEM integration, and fully documented incident response and breach notification procedures aligned to the 72-hour requirement. An enterprise-wide HIPAA governance framework was established with clear ownership, quarterly reviews, and a continuous monitoring program. All staff received HIPAA training with documented completion records.
The organization achieved full HIPAA certification with zero findings in the subsequent external audit. Mean time to detect security events improved by 87% and mean time to respond improved by 72%. The governance framework continues to operate sustainably without external support.
SOC 2 Type II Certification for a Regional Bank and Fintech Platform
A progressive regional financial institution with $8B in assets, 250,000+ customers, and a growing digital banking and payment processing platform operating across multiple cloud environments.
Enterprise clients were demanding SOC 2 Type II certification as a prerequisite for partnership. The organization lacked a mature security operations framework, had gaps in continuous monitoring and evidence collection, and operated inconsistently across cloud environments. Building a credible 12-month audit trail while maintaining normal operations required both structural redesign and significant organizational change management.
Arshid Tariq designed and directed a targeted SOC 2 Type II readiness program built around the AICPA Trust Service Criteria, with primary focus on Security, Availability, and Confidentiality. A detailed gap assessment informed a prioritized remediation roadmap. The team implemented a comprehensive control framework covering access management, cryptography, vulnerability management, and change control. Infrastructure for 12-month evidence collection was deployed, including enhanced logging pipelines, automated control testing dashboards, and a GRC platform for auditor collaboration. Mock audits at 6-month intervals validated control effectiveness and prepared leadership for the formal engagement.
SOC 2 Type II certification was achieved with zero exceptions on the first audit cycle. Detection of security events improved by 63%, and three significant enterprise partnerships were secured within 90 days of certification, directly attributable to the compliance credential.
NIST Cybersecurity Framework Implementation for a Midwest State Agency
A Midwest state government agency with 850+ employees managing critical public services, citizen data systems, and a complex mix of legacy infrastructure with constrained budgets and limited in-house cybersecurity expertise.
Federal grant eligibility requirements mandated adoption of the NIST Cybersecurity Framework, but the agency had no formal security governance, fragmented practices across departments, and minimal visibility into its threat landscape. Budget constraints required a phased, high-ROI approach. The absence of cybersecurity leadership within the agency meant that external expertise would need to build sustainable internal capability, not just deliver a point-in-time assessment.
Arshid Tariq developed and led a three-phase, 36-month NIST CSF implementation roadmap calibrated to the agency’s budget and technical environment. Phase One focused on high-risk remediation and foundational governance: asset inventory, access management policies, and security leadership structure. Phase Two built detection and response capability through SIEM deployment, incident response planning, and tabletop exercises. Phase Three addressed supply chain risk management, continuous monitoring, and security awareness training reaching all staff. The team invested heavily in knowledge transfer throughout, ensuring the agency could sustain and mature the program independently.
The agency achieved NIST CSF Level 3 maturity across 89% of framework functions and qualified for federal cybersecurity grant funding tied to NIST adoption. Over 1,250 previously unmanaged assets were cataloged and secured. The program has continued to mature beyond the engagement, demonstrating the sustainability of the approach.
Enterprise Cybersecurity Program for a Major Metropolitan Airport Authority
A major metropolitan airport authority serving 28 million annual passengers, operating highly interconnected operational technology systems, passenger processing platforms, cargo management infrastructure, and airline coordination systems with strict FAA security requirements.
The organization operated critical operational technology with minimal cybersecurity governance, no formal security program, and limited visibility into its threat exposure. Aging OT infrastructure, 24/7 operational requirements, and the safety-critical nature of aviation systems created unique security challenges. Incomplete regulatory compliance with FAA requirements, combined with a rapidly evolving threat landscape targeting aviation infrastructure, created urgent and growing risk.
Arshid Tariq designed and led a 24-month enterprise aviation cybersecurity program purpose-built for the operational environment. The engagement opened with a rigorous assessment of IT and OT systems, prioritizing safety-critical infrastructure. Key deliverables included a formal aviation cybersecurity governance structure with board-level reporting, network segmentation isolating operational systems from corporate IT, deployment of OT-aware threat detection and monitoring, and incident response playbooks purpose-built for aviation continuity requirements. Phishing simulation and security awareness training were delivered to 95% of staff, including airside and landside operational personnel. The program was coordinated closely with FAA guidelines and CISA’s aviation sector recommendations throughout.
The organization achieved full FAA cybersecurity compliance through multiple subsequent audits. Network segmentation eliminated cross-system compromise pathways. Monitoring capability detected and remediated 47 security events in the first 12 months, preventing escalation to incidents. The authority was recognized by industry peers as a cybersecurity leader within the aviation sector.