Startups Compliance Preparation2021-06-24T12:33:42+00:00

Compliance Preparation for Startups

Compliance readiness, implementation of processes, and documenting relevant procedures can separate startups with enterprise client revenue vs struggling bootstrap startups. Our team is highly trained to evaluate your startup readiness to adapt and respond to new regulations and communicate them successfully across all your teams (CTO, DevOps, Founders). At the same time, we intend to highlight information security and operational security best practices whether you are at the beginning of your compliance journey or well ahead. Our goal is to assist you to run an information security management system (ISMS) according to ISO 27001/ISO 27002 and align to other compliance requirements such as GLBA, FINRA, SOX, GDPR as well as SOC1 and SOC2. This includes defining and writing procedures, best practices and help with implementing organizational and technical controls that are mandated by ISO 27002 or NIST 800 series. We provide a fully tailored service according to your threat model, risk profile, and specific organizational issues.

Web application security and the development of information security practices inside an organization is a continuous and never-ending project. Pricing is developed as a plan where the client has access to PreCog Security’s engineers and staff of advisors, testers, reviewers, and implementers.

Startup Questionnaire


1 / 10

Do you have a documented and available set of updated and current procedures for security and IT management in your organization? This includes documents on data integrity, business conitnuity, incident response, physical security, etc

2 / 10

Is there a person primarily responsible for managing security initiatives within your organization?

3 / 10

Do you have a prepared and tested Business Continuity/Disaster Recovery plan?

4 / 10

Do you have a prepared and tested Incident Response Plan (including handling, monitoring and reporting of the incident)?

5 / 10

If you are developing in software/applications, have you implemented a secure software development lifecycle?

6 / 10

Are you performing vulnerability assessments, penetration testing and vulnerability management on information system assets (network, website, endpoints, servers, software, web applications, etc)?

7 / 10

Are you performing regular inventory of all IT assets (hardware and software)?

8 / 10

Are you a venture backed startup ?

9 / 10

Are you employing anti-malware and other security controls such as firewall, data loss prevention, intrusion detection/prevention systems across your environment?

10 / 10

Are you prepared to satisfy procurement mandates for your large client (internal security, data governance, legal mandates)?

In order to put your organization in the best position prior to compliance audit (ISO 27001, GDPR, SOC1, SOC2, CCPA, HIPAA, PCI-DSS) we recommend a PreCog Security general security compliance checklist below.

Is there a risk assessment program?
Is there an information security policy?
Is there an Acceptable Use Policy?
Are any policy(ies) processes) or procedures) communicated to constituents?
Is there an information security function responsible for security initiatives within the organization?
Is there an individual or group responsible for security within the organization?
Does management require the use of confidentiality or non-disclosure agreements?
​Is access to sensitive data provided to or the processing facilities utilized by external parties?
Is there an asset management program?
Are information assets classified?
Is there insurance coverage for business interruptions or general services interruption?
Are the security roles and responsibilities of constituents defined and documented in accordance with the organization’s information security policy?
Are background screenings of applicants performed to include criminal, credit, professional/academic, references and drug screening?
Are new hires required to sign any agreements that pertain to non/disclosure, confidentiality, acceptable use or code of ethics upon hire?
Is there a security awareness training program?
Is there a disciplinary process for non-compliance with information security policy?
Is there a constituent termination or change of status process?
Is there a documented physical security policy?
Do the systems storing sensitive data reside in a data center?
Are operating procedures utilized?
Is there a formal operational change management/change control process?
​Is application development performed?
Do third-party vendors have access to sensitive data (e.g. backup vendors, service providers, equipment support vendors, etc)?
Is there a process to review the security of a third-party vendor on an ongoing basis?
Are system resources reviewed to ensure adequate capacity is maintained?
Are criteria for accepting new information systems, upgrades, and new versions established?
Are anti-virus products used?
Is there a documented process for securing and hardening network devices?
Is there a wireless networking policy?
Is all sensitive data encrypted while at rest?
Is there a policy that addresses the use and management of removable media? (e.g., CDs, DVDs, disk drives, tapes, etc.)?
​Is Instant Messaging used?
Are hardening standards documented?
Are mobile computing devices (Smartphones, Tablets, PDA, etc.) used to store, process or access sensitive data?
Is there an access control policy?
Are unique user IDs used for access?
Are passwords required to access systems holding, processing, or transporting sensitive data?
​Is remote access permitted in the environment?
Is there a teleworking policy?
Is there a Software Development Life Cycle (SDLC) process?
Are the access control procedures the same for both the test and production environment?
Are systems and applications patched?
Are vulnerability tests (internal/external) performed on all applications?
Is there an encryption policy?
Is there an Incident Management program?
Is there an Incident Response Plan?

Is there a Business Continuity/Disaster Recovery (BC/DR) program?