An Information Security Policy for the Startup

Welcome to the company! We’re here to change the world! Before we start moving fast, we need to make sure you don’t cause a massive security incident and flat line the company’s productivity for a few days.

Please read the following and sign at the bottom.

I acknowledge that I will probably cause a security incident. When we’ve been hacked really bad, I’ll direct my calmest and most composed version of panic towards our security group at this address:

I know that address will have someone from PR, legal, and leadership on it. There will be other security minded people on the list who can chime in on how screwed we are and how to fix it, and will be responsible for calling the cops if we need to.

I realize that if I mess up this next section, I will be compromised and blamed for all of our data leaving the barn. That means that I need to please, please(!) pay attention to this list in front of me and not switch tabs and read reddit for at least one minute.

The company gave me a laptop to use, which was still shrink wrapped and will ruin everything if I don’t do these simple things:

  • I will use Chrome because they invest in security.
  • I will encrypt my laptop because I will probably lose it.
  • I will use a screensaver that turns on when I’m away. This screen saver will require a password which… is the whole point!
  • I will install (and use) a password manager. If I forget to do this, I will walk out the door and effectively terminate myself for being unworthy of employment.
  • I will turn on Click To Play which will hugely reduce my odds of being hacked.
  • I will turn on “find my…” features so I don’t freak everyone out and wake everyone up when I randomly lost my phone or laptop in my own damn house on a Friday night.

I will assume that every one of my co-workers will eventually have access to my personal data on company equipment, including files on my laptop, email communications, chat, etc.

Here are the common reasons why:

  • During a security breach, my laptop might be imaged and stored elsewhere, my browser history would be scoured over, and my emails will be investigated for exploitation. It’s hard to spare my privacy when I’m hacked at work so I shouldn’t expect any.
  • I may be sued or become part of a lawsuit. My data would be subject to discovery and the peering eyes of all kinds of lawyers and the public through court proceedings as they figure out what is, and is not, relevant for their lawyering.
  • I may be fired. Or I’ll quit! My teammates may gain access to my data to continue any critical work. I can’t expect they’d know when to avert their eyes, or be blinded by the rash photos I emailed to my Doctor.
  • I realize IT needs to do their job. They might access network traffic to diagnose network downtime or that ridiculous 10 gigabyte cat video attachment that caused everyone’s email to crash while they get to a root cause.

Since these all all terrible scenarios, I will restrict my usage of company technology to just work related stuff as best as possible, because it will only make things painful if any of the above situations happened. And I certainly won’t use my personal devices to do work stuff, which would complicate things far more than what was explained above.

The good thing is that I will not be restricted from personal use of my devices, and plan to do some personal necessities at work, anyway. I should have some expectation that whatever personal data I do happen to expose will not be abused. For instance, my HR team will have a bunch of my personal data simply because I’m employed here.

As I mentioned above, I expect all of my co-workers with administrative access to my data to be held under tight ethical usage standards and be secured from outsider abuse. If a co-worker decides to violate these protections, someone should tell me about it. If abuse transpires, I will have reduced my personal data exposure on these systems as much as possible beforehand.

Additionally, if I do illegal stuff on corporate systems, I don’t expect the company to cover my ass in any way. They’re already on the phone with law enforcement, plotting my capture with a SWAT team. I just want to be able to read my personal gmail on my laptop without some unchecked creeper watching me on my system.

I will defy natural human nature to create terrible passwords everywhere. Instead, I will do the following things to not screw this up:

  1. I will use a password manager like LastPass or 1Password so I don’t blindly fall victim to phishing websites.
  2. I will never use the same password in more than one place, nor will I store my life savings in the trunk of my car.
  3. Any passwords I can’t use within a manager (like a master password) will be hard to crack, and not be horribly weak like “2hot4u”
  4. Every time it’s offered: I will enable multi-factor authentication to make an attackers life harder and give my team more peace of mind during a breach, on every system it’s offered on.
  5. I will not use my personal email accounts for cloud platforms that support the company. That would nosedive everything if my home systems were hacked during a work related project. Also, when I quit, I probably won’t want to talk to you all anymore and this will cause an awkward phone call with my crappy former boss.

Engineering Policies

…for developers and administrators of systems and data at the company.

Any systems I design or am reasonably involved with will have centralized & read only usage logs designed for others to look back on a security incident. I am fully aware of how terrible the nightmare would be if the company had a breach and had no records of what actually happened. For example, if my bank were robbed, it would be helpful to have video tapes of the robber, so I could perform extreme justice maneuvers against them.

At the bare minimum, I’ll be sure to document where I’m storing really sensitive data, like a social security number or a credit card number. I’ll make sure that I don’t start logging important information in some location we’ll immediately turn around and forget about, only for someone else to find. Additionally, I’ll send an email to security@ so that others can handhold me through my bad ideas.

Oh, that brings me to my next point.

I am aware that anything involving cryptography is really hard and requires the buddy system. If I’m dealing with any sort of cryptography, I will give a heads up to security@ to involve others because I will surely break it by myself. This means I will not YOLO-Code when it comes to:

  • Storage of a private key or API token in a place that isn’t so private
  • Broken-For-Years Hashing algorithms like MD5
  • Password Storage so I don’t mess it up like LinkedIn did in 2012
  • Storage of credit card numbers so we’re not breached like every company before us, ever

If I smell something broken in this area, I will also give security@ a shout because it would be a disaster if I screwed this up.

I will not let the company turn into a data sharing brothel with random other companies, pseudo-partners, and straight up hackers. Whenever a contract turns into a data sharing agreement, I will include security@ to make sure I didn’t just jeopardize our entire security posture by putting all of our data somewhere else, or by giving another company access to our systems.

That other marketing startup probably wouldn’t give a second thought to about how many times they email our users, or who they sell the data to, or who could possibly ever breach them. Or maybe that strategic partnership with a bigger company might not warrant full production access to our systems… that would be a good thing to review.

Lets not ink our data away.

If I turn out to be the employee with administrative access to employee data, production systems, user data, etc, I realize I could become the next “GCreep” or LOVEINT if I act selfishly or maliciously. I will not provide favors to anyone with my access, act on my filthy hedonistic human impulses, or commit fraud. I realize that if I am trusted with sensitive data, I am extra-likely to be fired if I’m doing anything with that access that is not my job, so I will not allow myself to become “that guy” or “that girl”.

What is this “security policy” for?

Larger companies have employees sign an information security policy. It’s one of those things you have to eventually do for compliance reasons. After checking a compliance box they are largely forgotten and and don’t really contribute to actual security or fix any employee habits. Oh, and they’re huge.

This is a minimal policy drawing from ISO27002, but articulated in a way that could actually be understood. By being a bare minimum policy, it should be applicable almost everywhere. Add what you need based on the maturity of your company, like vulnerability disclosure or regular third party audit requirements.

I’ve helped respond to countless incidents, big and small. The policy above is ruthlessly prioritized to address the most painful stuff that actually happens.

@magoo

I’m a security guy, former Facebook, Coinbase, and currently an advisor and consultant for a handful of startups. Incident Response and security team building is generally my thing, but I’m mostly all over the place.

--

--