Startups Procurement Preparation
2021-06-24T12:34:24+00:00

Procurement Preparation for Startups

Entering into a business relationship with a Fortune 500 company or another large client (the buyer) can mean an extremely complex procurement process for a vendor (the supplier, often a startup). When a buyer purchases products or outsources managed services for core operations, it can expose itself and its customers to security risks that lead to intentional or unintentional incidents affecting the continuity of electronic communications services. To prevent or mitigate such risks, buyers apply specific security requirements to their suppliers and outsourcing partners through their internal Third-Party Risk Management process.

The PreCog Security team reduces the risk of being unprepared for procurement by helping startups implement the security controls that large organizations require under their security, data governance, and legal mandates. If your startup is stuck in procurement and showing a high risk score on your client's third-party risk assessment, our team will help you put the necessary processes and documentation in place and position you to move through procurement and satisfy your client's security mandates.

Do you have an Information Security Policy?

Startup Questionnaire

1. Do you have a documented and available set of updated and current procedures for security and IT management in your organization? This includes documents on data integrity, business continuity, incident response, physical security, etc.

2. Is there a person primarily responsible for managing security initiatives within your organization?

3. Do you have a prepared and tested Business Continuity/Disaster Recovery plan?

4. Do you have a prepared and tested Incident Response Plan (including handling, monitoring and reporting of incidents)?

5. If you are developing software/applications, have you implemented a secure software development lifecycle?

6. Are you performing vulnerability assessments, penetration testing and vulnerability management on information system assets (network, website, endpoints, servers, software, web applications, etc.)?

7. Are you performing a regular inventory of all IT assets (hardware and software)?

8. Are you a venture-backed startup?

9. Are you employing anti-malware and other security controls such as firewalls, data loss prevention, and intrusion detection/prevention systems across your environment?

10. Are you prepared to satisfy procurement mandates for your large client (internal security, data governance, legal mandates)?

To put your organization in the best position to win a large client and move through the procurement process of a Fortune 500 customer, our research and recommendations are to align internal processes and procedures with the ISO 27001 standard and to include internal security controls such as:

Is there a risk assessment program?
Is there an information security policy?
Is there an Acceptable Use Policy?
Are policies, processes, or procedures communicated to constituents?
Is there an information security function responsible for security initiatives within the organization?
Is there an individual or group responsible for security within the organization?
Does management require the use of confidentiality or non-disclosure agreements?
Is access to sensitive data, or to the processing facilities, provided to or utilized by external parties?
Is there an asset management program?
Are information assets classified?
Is there insurance coverage for business interruptions or general services interruption?
Are the security roles and responsibilities of constituents defined and documented in accordance with the organization’s information security policy?
Are background screenings of applicants performed to include criminal, credit, professional/academic, references and drug screening?
Are new hires required to sign any agreements that pertain to non-disclosure, confidentiality, acceptable use or code of ethics upon hire?
Is there a security awareness training program?
Is there a disciplinary process for non-compliance with information security policy?
Is there a constituent termination or change of status process?
Is there a documented physical security policy?
Do the systems storing sensitive data reside in a data center?
Are operating procedures utilized?
Is there a formal operational change management/change control process?
Is application development performed?
Do third-party vendors have access to sensitive data (e.g. backup vendors, service providers, equipment support vendors, etc.)?
Is there a process to review the security of a third-party vendor on an ongoing basis?
Are system resources reviewed to ensure adequate capacity is maintained?
Are criteria for accepting new information systems, upgrades, and new versions established?
Are anti-virus products used?
Is there a documented process for securing and hardening network devices?
Is there a wireless networking policy?
Is all sensitive data encrypted while at rest?
Is there a policy that addresses the use and management of removable media (e.g., CDs, DVDs, disk drives, tapes, etc.)?
Is Instant Messaging used?
Are hardening standards documented?
Are mobile computing devices (Smartphones, Tablets, PDA, etc.) used to store, process or access sensitive data?
Is there an access control policy?
Are unique user IDs used for access?
Are passwords required to access systems holding, processing, or transporting sensitive data?
Is remote access permitted in the environment?
Is there a teleworking policy?
Is there a Software Development Life Cycle (SDLC) process?
Are the access control procedures the same for both the test and production environment?
Are systems and applications patched?
Are vulnerability tests (internal/external) performed on all applications?
Is there an encryption policy?
Is there an Incident Management program?
Is there an Incident Response Plan?
Is there a Business Continuity/Disaster Recovery (BC/DR) program?