DevSecOps Engineer | Governance & Compliance Automation | Regulated IT | ISO 27001 · MDR · NIS2
I design and validate secure infrastructure, governance-aware workflows and compliance-driven technical solutions.
My work focuses on reliable, auditable delivery where configuration, testing, documentation and validation prevent issues from reaching end users. I operate across public-sector, healthcare-adjacent, regulated and infrastructure-heavy environments with attention to operational reliability, governance and controlled change.
My portfolio aligns strongly with DevSecOps principles: security and compliance built into CI/CD pipelines, automated validation gates, local-first development safety and audit-ready delivery rather than post-hoc controls.
I’m strongest in designing and building portable, validated, documentation-driven solutions end-to-end. I may not yet own large-scale production platforms end-to-end, but I build systems and governance structures that are ready to be reviewed, transferred, operated and improved by others.
As a developer, I care about repeatability, validation and evidence.
As an operator, I care about recoverability, ownership and clear boundaries.
As an architect, I care about knowing what not to build yet.
Code is debt.
Not because code is bad, but because every line creates future responsibility: maintenance, security, documentation, testing, ownership and operational risk.
Documentation is an asset when it makes the system understandable, transferable and recoverable.
Tests and audit evidence are what keep technical debt from becoming organizational risk.
I do not try to build perfect final-state systems for imagined final-state worlds.
I prefer lightweight, auditable and recoverable structures where the right solution can evolve safely without the project collapsing under its own complexity.
Complexity is not maturity. Maturity is knowing what not to build yet.
```mermaid
flowchart TB
    ME["Jonne Silvennoinen<br/>DevSecOps / Governance / Regulated IT"]
    GH["Gatehouse<br/>Infrastructure Change Quality Gate"]
    RBAC["RBAC-Lite<br/>Access-control governance example"]
    ESP32["ESP32 Edge Device Security Governance Lab<br/>embedded / edge-device assurance"]
    LOCAL["Local-First WordPress DevSecOps Kit<br/>Docker + privacy + AI boundaries"]
    ITSM["AI-ITSM Compliance Auto<br/>documentation & compliance workflows"]
    HAAS["HaaS<br/>reproducible infra / lifecycle thinking"]
    HOMESTACK["HomeStack<br/>GitLab infra foundation"]

    ME --> GH
    ME --> RBAC
    ME --> ESP32
    ME --> LOCAL
    ME --> ITSM
    ME --> HAAS
    ME --> HOMESTACK

    GH -->|"risk classes / approval / rollback / evidence"| GOV["Governance & auditability"]
    RBAC -->|"partner isolation / RBAC / NDA / audit log"| GOV
    ESP32 -->|"EMB3D / device identity / defensive readiness / evidence"| GOV
    LOCAL -->|"local dev / no prod data / AI boundaries"| GOV
    ITSM -->|"workflow documentation / compliance automation"| GOV
    HAAS -->|"repeatable runtime / lifecycle"| OPS["Operability & recovery"]
    HOMESTACK -->|"IaC foundation / CI/CD structure"| OPS

    GOV --> VALUE["Controlled change<br/>transferable systems<br/>lower operational risk"]
    OPS --> VALUE

    classDef core fill:#eef,stroke:#447,stroke-width:1px;
    classDef gov fill:#efe,stroke:#474,stroke-width:1px;
    classDef value fill:#fff3cd,stroke:#aa7,stroke-width:1px;
    class ME,GH,RBAC,ESP32,LOCAL,ITSM,HAAS,HOMESTACK core;
    class GOV,OPS gov;
    class VALUE value;
```
- Location: Finland
- Available: Selective opportunities in Cloud Infrastructure, DevSecOps, Compliance Automation, Technical Consulting and regulated IT environments
- Background: Co-founder & Regulatory Lead experience in a MedTech startup context — ISO 13485 / MDR environment
- Direction: Secure infrastructure delivery, compliance-driven environments, IAM/RBAC, CI/CD quality gates, local-first development safety and operational governance
- Core theme: Building compliance automation and operational clarity as a response to governance debt in hype-driven development culture
- Azure & cloud governance foundations
- Microsoft 365 / Entra ID foundations
- Active Directory / hybrid identity fundamentals
- Infrastructure as Code thinking
- Docker Compose based development environments
- CI/CD automation and pipeline validation
- GitHub Actions quality gates
- MDR / ISO 27001-aligned documentation exposure
- ITIL 4 and operational processes
- Technical documentation and validation plans
- Audit-ready artefacts and evidence chains
- Access-control governance / RBAC thinking
- AI-assisted development with clear operational boundaries
- Local-first AI workflows and development data safety
I use these tools primarily for:
- building reproducible infrastructure
- validating changes through CI/CD
- producing audit-ready documentation and evidence
- making systems easier to review, recover and transfer between teams
- reducing local development drift and onboarding friction
- keeping AI-assisted development inside clear operational boundaries
Detailed areas:
- Operating systems: Linux, Windows
- Cloud & identity: Microsoft 365, Azure, Entra ID / Azure AD foundations, Active Directory fundamentals
- Containers & runtime: Docker, Docker Compose
- CI/CD & automation: GitHub Actions, validation workflows, quality gates
- Infrastructure & configuration: Infrastructure as Code thinking, YAML, repeatable runtime configuration
- Scripting: Bash, PowerShell, Python
- Languages / tooling exposure: Python, C / C++ embedded firmware exposure through ESP32 / PlatformIO baseline work, PHP / WordPress context, Rust tooling exposure, SQL, JavaScript / Node.js basics
- ITSM & operations: ITIL 4 practices, service processes, compliance workflows
- AI & automation: local-first AI workflows, RAG concepts, AI-agent boundaries, API-driven documentation automation
- Documentation & validation: technical documentation, validation plans, audit-ready artefacts, CLI-first repeatable scripts
- Security & compliance exposure: MDR, ISO 27001-aligned environments, GDPR-aware development practices, regulated delivery
- Role: Architecture & implementation — compliance-aware automated change validation
- Tech: Python, GitHub Actions, Markdown
- Focus: Risk classification, approval requirements, rollback planning, audit evidence and CI/CD validation
Notes:
- Markdown-based change requests
- Risk classes 1–3
- Quality gate validation
- Audit evidence reporting
- CodeQL workflow
- RBAC-Lite integration example
- Demo-friendly validator flow for controlled change review
- Role: Access-control governance and compliance example
- Tech: WordPress / PHP, Markdown, GitHub Actions, Python validation tooling
- Focus: Partner isolation, RBAC thinking, NDA/terms enforcement, audit logging and governance validation
Notes:
- Lightweight WordPress-based RBAC/access-control reference
- Partner-based data isolation model
- User-to-partner assignment thinking
- NDA / terms enforcement concept
- Gatehouse-compatible compliance example
- Main branch protected against force pushes and deletion
- Completion report documenting the RBAC-Lite + Gatehouse governance work
- Role: Architecture & implementation — embedded/edge-device security governance and evidence modeling
- Tech: ESP32 / PlatformIO, C++, Python, pytest, GitHub Actions, Markdown, Mermaid
- Focus: Firmware baseline, device identity, sensor data governance, network point inventory, defensive exercise gates, interference observation, EMB3D-aligned threat-modeling evidence and KATAKRI-style public/private boundaries
Notes:
- Local-only ESP32 firmware skeleton with synthetic sensor readings
- Device identity and configuration boundary model
- Volatile data-retention boundary and serial-only event visibility
- Python readiness, inventory, protection and interference-observation models
- Defensive exercise gate for permission, scope, rollback and evidence readiness
- MITRE EMB3D-style property mapping and evidence-alignment model
- Version-controlled repository wiki and Apache-2.0 / NOTICE licensing layer
- Public-safe design: no real site data, no network scanning, no credential testing and no production-readiness claim
- Role: Local-first DevSecOps model and public-safe portfolio starter kit
- Tech: Docker Compose, WordPress, MariaDB, Mailpit, Bash, Markdown, Mermaid
- Focus: Safe local development, privacy-aware data handling, AI boundaries, developer onboarding and audit evidence templates
Notes:
- One-command WordPress development runtime
- Docker Compose stack with localhost-bound services
- No production data in development principle
- Development data flow with anonymization and secret scan model
- AI boundary model: assistive, not autonomous
- Evidence templates for local environment validation and anonymization logs
- Public-safe refactoring of a regulated project development model
- Role: Solution design & automation for ITSM documentation and compliance workflows
- Tech: ClickUp + AI workflows, documentation automation
- Focus: Compliance documentation, workflow automation, ITSM-oriented evidence generation
Notes:
- AI-assisted documentation workflow
- Compliance-oriented process thinking
- ITSM documentation and operational structure
- Early foundation for AI-assisted governance workflows
- Role: Solution design & reproducible infrastructure
- Tech: YAML, GitHub Actions, Docker
- Focus: Lifecycle management, reproducible infrastructure and automation
Notes:
- Device onboarding → maintenance → decommissioning
- Lifecycle management model
- RAG architecture roadmap for AI-driven documentation search
- Automated Azure deployment validation workflows
- Supporting evidence for infrastructure lifecycle and repeatability thinking
- Role: Pipeline automation & reporting
- Tech: GitHub Actions, shell scripting, HTML reporting
- Focus: Pass/fail gating and human-readable workflow output
Notes:
- The Auto Assign badge above points to the demo repository workflow.
- Used as a lightweight CI/CD reporting proof.
- Role: Validation reporting
- Tech: GitHub Actions, HTML reporting, scripts
- Focus: Human-readable pass/fail HTML reports for release gates
Notes:
- The Proof HTML badge above points to the demo repository workflow.
- Project: HomeStack
- Summary: Infrastructure-as-Code foundation for modular home services
- Key artefacts: CI/CD configuration, CHANGELOG, CONTRIBUTING guidelines, Apache 2.0 license
- Migrated hundreds of devices in critical healthcare HVA environments with minimal disruption
- Built audit-ready documentation and validation artefacts for MedTech systems in regulated environments
- Designed and built Gatehouse / Infrastructure Change Quality Gate — an ISO 27001-aligned CI/CD quality gate concept, demo-friendly with example change requests
- Built RBAC-Lite + Gatehouse governance documentation showing how access-control changes can be made auditable, reviewable and CI/CD-validatable
- Built an ESP32 / embedded edge-device security governance lab aligned with EMB3D-style threat-modeling, defensive readiness, evidence validation and controlled public/private boundaries
- Created a public-safe Local-First WordPress DevSecOps Kit to demonstrate Dockerized local development, privacy-safe data handling, AI boundaries and audit evidence templates
- Applied lightweight governance thinking: build only the structure needed now, while preserving auditability, recoverability and future evolution
- Microsoft Applied Skills: Administer Active Directory Domain Services
  - Credential ID: CA01C7ED2E401F38
  - Completed: 5 May 2026
  - Focus: AD DS administration, domain services, Group Policy, DNS dependencies, hybrid identity foundations and operational troubleshooting.
My Microsoft Applied Skills credential in Active Directory Domain Services provides the hybrid identity and operational infrastructure foundation behind my broader DevSecOps, access governance and compliance automation work.
It connects Microsoft hybrid identity, Group Policy, DNS dependencies, AD replication, secure channel troubleshooting, privileged access, auditability and operational diagnostics to the same themes that appear in my projects: controlled change, access governance, recoverability, evidence and safe delivery.
I do not position it as an Expert-level certification. I position it as a practical, hands-on Microsoft skills demonstration in one of the most important operational layers of hybrid infrastructure.
- HealthTech regulatory training: Regulatory Essentials in Health Tech / PRRC
  - Focus: MDR/IVDR responsibilities, risk management, audit readiness, post-market surveillance and authority communication.
- Microsoft Learn transcript: broader learning record across Microsoft 365, Azure, Entra ID, Purview, Defender, DevOps, governance and security fundamentals.