Compliance Preparation for Startups
Compliance readiness, implementation of processes, and documenting relevant procedures can separate startups with enterprise client revenue vs struggling bootstrap startups. Our team is highly trained to evaluate your startup readiness to adapt and respond to new regulations and communicate them successfully across all your teams (CTO, DevOps, Founders). At the same time, we intend to highlight information security and operational security best practices whether you are at the beginning of your compliance journey or well ahead. Our goal is to assist you to run an information security management system (ISMS) according to ISO 27001/ISO 27002 and align to other compliance requirements such as GLBA, FINRA, SOX, GDPR as well as SOC1 and SOC2. This includes defining and writing procedures, best practices and help with implementing organizational and technical controls that are mandated by ISO 27002 or NIST 800 series. We provide a fully tailored service according to your threat model, risk profile, and specific organizational issues.
Web application security and the development of information security practices inside an organization is a continuous and never-ending project. Pricing is developed as a plan where the client has access to PreCog Security’s engineers and staff of advisors, testers, reviewers, and implementers.
Startup Questionnaire
In order to put your organization in the best position prior to compliance audit (ISO 27001, GDPR, SOC1, SOC2, CCPA, HIPAA, PCI-DSS) we recommend a PreCog Security general security compliance checklist below.
Is there an Acceptable Use Policy?
Are any policy(ies) processes) or procedures) communicated to constituents?
Is there an individual or group responsible for security within the organization?
Does management require the use of confidentiality or non-disclosure agreements?
Is access to sensitive data provided to or the processing facilities utilized by external parties?
Are information assets classified?
Is there insurance coverage for business interruptions or general services interruption?
Are background screenings of applicants performed to include criminal, credit, professional/academic, references and drug screening?
Are new hires required to sign any agreements that pertain to non/disclosure, confidentiality, acceptable use or code of ethics upon hire?
Is there a security awareness training program?
Is there a disciplinary process for non-compliance with information security policy?
Is there a constituent termination or change of status process?
Do the systems storing sensitive data reside in a data center?
Is there a formal operational change management/change control process?
Is application development performed?
Do third-party vendors have access to sensitive data (e.g. backup vendors, service providers, equipment support vendors, etc)?
Is there a process to review the security of a third-party vendor on an ongoing basis?
Are system resources reviewed to ensure adequate capacity is maintained?
Are criteria for accepting new information systems, upgrades, and new versions established?
Are anti-virus products used?
Is there a documented process for securing and hardening network devices?
Is there a wireless networking policy?
Is all sensitive data encrypted while at rest?
Is there a policy that addresses the use and management of removable media? (e.g., CDs, DVDs, disk drives, tapes, etc.)?
Is Instant Messaging used?
Are hardening standards documented?
Are mobile computing devices (Smartphones, Tablets, PDA, etc.) used to store, process or access sensitive data?
Are unique user IDs used for access?
Are passwords required to access systems holding, processing, or transporting sensitive data?
Is remote access permitted in the environment?
Is there a teleworking policy?
Are the access control procedures the same for both the test and production environment?
Are systems and applications patched?
Are vulnerability tests (internal/external) performed on all applications?
Is there an encryption policy?
Is there an Incident Response Plan?
Is there a Business Continuity/Disaster Recovery (BC/DR) program?