Procurement Preparation for Startups
Entering into a business relationship with a Fortune 500 company or another large client (the buyer) can mean an extremely complex procurement process for a vendor (the supplier, often a startup). When a buyer purchases products or outsources managed services for its core operations, it exposes itself and its customers to security risks: intentional or unintentional incidents at the supplier can impact the continuity of the buyer's electronic communications services. To prevent or mitigate these risks, buyers apply specific security requirements to their suppliers and outsourcing partners through their internal Third-Party Risk Management process.
The PreCog Security team reduces the risk that a startup enters procurement unprepared by helping it implement the security controls that large organizations mandate through their security, data governance, and legal functions. If your startup is stuck in procurement and scoring as high-risk on your client's third-party risk assessment, our team will help you put the necessary processes and documentation in place, so that you are in the best position to move through procurement and satisfy your client's security mandates.
Startup Questionnaire
To put your organization in the best position to win a large client and move through the procurement process of a Fortune 500 customer, our research and recommendations are to align internal processes and procedures with the ISO/IEC 27001 standard and to be ready to answer the kinds of questions a third-party risk questionnaire typically asks, such as:
Is there an Acceptable Use Policy?
Are policies, processes, and procedures communicated to constituents?
Is there an individual or group responsible for security within the organization?
Does management require the use of confidentiality or non-disclosure agreements?
Do external parties have access to sensitive data or to the facilities that process it?
Are information assets classified?
Is there insurance coverage for business interruptions or general services interruption?
Are background screenings of applicants performed, including criminal, credit, professional/academic, reference, and drug screening?
Are new hires required to sign agreements covering non-disclosure, confidentiality, acceptable use, or a code of ethics upon hire?
Is there a security awareness training program?
Is there a disciplinary process for non-compliance with information security policy?
Is there a constituent termination or change-of-status process (including timely revocation of access)?
Do the systems storing sensitive data reside in a data center?
Is there a formal operational change management/change control process?
Is application development performed?
Do third-party vendors have access to sensitive data (e.g. backup vendors, service providers, equipment support vendors, etc)?
Is there a process to review the security of a third-party vendor on an ongoing basis?
Are system resources reviewed to ensure adequate capacity is maintained?
Are criteria for accepting new information systems, upgrades, and new versions established?
Are anti-virus products used?
Is there a documented process for securing and hardening network devices?
Is there a wireless networking policy?
Is all sensitive data encrypted while at rest?
Is there a policy that addresses the use and management of removable media (e.g., CDs, DVDs, disk drives, tapes, etc.)?
Is Instant Messaging used?
Are hardening standards documented?
Are mobile computing devices (Smartphones, Tablets, PDA, etc.) used to store, process or access sensitive data?
Are unique user IDs used for access?
Are passwords required to access systems holding, processing, or transporting sensitive data?
Is remote access permitted in the environment?
Is there a teleworking policy?
Are the access control procedures the same for both the test and production environment?
Are systems and applications patched?
Are vulnerability tests (internal/external) performed on all applications?
Is there an encryption policy?
Is there an Incident Response Plan?
Is there a Business Continuity/Disaster Recovery (BC/DR) program?