Ryan McGeehan
Sep 14, 2015 · 8 min read

An Information Security Policy for the Startup


Welcome to the company! We’re here to change the world! Before we start moving fast, we need to make sure you don’t cause a massive security incident and flatline the company’s productivity for a few days.

Please read the following and sign at the bottom.

I will panic correctly

I acknowledge that I will probably cause a security incident. When we’ve been hacked really badly, I’ll direct my calmest and most composed version of panic towards our security group at this address:

security@

I know that address will have someone from PR, legal, and leadership on it. There will be other security minded people on the list who can chime in on how screwed we are and how to fix it, and will be responsible for calling the cops if we need to.

My laptop could ruin everything

I realize that if I mess up this next section, I will be compromised and blamed for all of our data leaving the barn. That means that I need to please, please(!) pay attention to this list in front of me and not switch tabs and read reddit for at least one minute.

The company gave me a laptop to use, which was still shrink wrapped and will ruin everything if I don’t do these simple things:

  • I will use Chrome because they invest in security.

My privacy is threatened

I will assume that every one of my co-workers will eventually have access to my personal data on company equipment, including files on my laptop, email communications, chat, etc.

Here are the common reasons why:

  • During a security breach, my laptop might be imaged and stored elsewhere, my browser history would be scoured, and my emails will be investigated for signs of exploitation. It’s hard to spare my privacy when I’m hacked at work, so I shouldn’t expect any.

Since these are all terrible scenarios, I will restrict my usage of company technology to just work-related stuff as best as possible, because it will only make things painful if any of the above situations happened. And I certainly won’t use my personal devices to do work stuff, which would complicate things far more than what was explained above.

Hey… I’m not an animal! I have rights!

The good thing is that I will not be restricted from personal use of my devices, and plan to do some personal necessities at work, anyway. I should have some expectation that whatever personal data I do happen to expose will not be abused. For instance, my HR team will have a bunch of my personal data simply because I’m employed here.

As I mentioned above, I expect all of my co-workers with administrative access to my data to be held under tight ethical usage standards and be secured from outsider abuse. If a co-worker decides to violate these protections, someone should tell me about it. If abuse transpires, I will have reduced my personal data exposure on these systems as much as possible beforehand.

Additionally, if I do illegal stuff on corporate systems, I don’t expect the company to cover my ass in any way. They’re already on the phone with law enforcement, plotting my capture with a SWAT team. I just want to be able to read my personal gmail on my laptop without some unchecked creeper watching me on my system.

My password is ‘dog’

I will defy human nature, which is to create terrible passwords everywhere. Instead, I will do the following things to not screw this up:

  1. I will use a password manager like LastPass or 1Password so I don’t blindly fall victim to phishing websites (it only fills a password into the site it was saved for, so a lookalike domain gets nothing from me).

Engineering Policies

…for developers and administrators of systems and data at the company.

Logs catch the bad guys

Any systems I design or am reasonably involved with will have centralized, append-only usage logs (written once, never edited by the people they record) designed for others to look back on after a security incident. I am fully aware of how terrible the nightmare would be if the company had a breach and had no records of what actually happened. For example, if my bank were robbed, it would be helpful to have video tapes of the robber, so I could perform extreme justice maneuvers against them.
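What “append-only” buys you in practice, as an added example (this is not code from the original post): a minimal tamper-evident usage log in which every entry carries the SHA-256 of the entry before it, so an admin who edits or deletes a record after the fact breaks the chain and the break is visible during incident review. The field names, actors and actions below are constructed for the illustration.

```python
# Added example, not from the original post: a minimal tamper-evident,
# append-only usage log. Field names, actors and actions are constructed.
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # stands in for the hash "before" the first entry


def _digest(body: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append_event(chain: list, actor: str, action: str, target: str,
                 ts: Optional[str] = None) -> dict:
    """Append one usage event. Existing entries are never modified."""
    body = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,    # who did it (person or service account)
        "action": action,  # what they did
        "target": target,  # to which record or system
        "prev": chain[-1]["hash"] if chain else GENESIS,
    }
    entry = dict(body, hash=_digest(body))
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Return (True, len(chain)) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("prev") != prev or _digest(body) != e.get("hash"):
            return False, i
        prev = e["hash"]
    return True, len(chain)


def events_by_actor(chain: list, actor: str) -> list:
    """Incident-review helper: everything one person did, in order."""
    return [e for e in chain if e["actor"] == actor]


def demo() -> dict:
    log = []
    # Constructed sample activity from an internal support tool.
    append_event(log, "alice", "view_profile", "user:42", "2015-09-14T10:00:00Z")
    append_event(log, "bob", "export_users", "users.csv", "2015-09-14T10:05:00Z")
    append_event(log, "alice", "reset_password", "user:42", "2015-09-14T10:07:00Z")
    intact_before, _ = verify_chain(log)

    # Someone tries to scrub their tracks by rewriting an existing entry.
    log[1]["actor"] = "nobody"
    intact_after, bad_index = verify_chain(log)
    return {
        "intact_before": intact_before,
        "intact_after": intact_after,
        "first_bad_index": bad_index,
        "alice_events": len(events_by_actor(log, "alice")),
    }
```

Deleting an entry fails the same way, because the next entry’s `prev` no longer matches. The chain only makes tampering detectable; the “centralized” half of the requirement is what makes it hard, so ship the entries to a store the application’s own admins cannot write to (a separate account or a write-once bucket), and keep the verification running there.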

Skeletons are bad

At the bare minimum, I’ll be sure to document where I’m storing really sensitive data, like a social security number or a credit card number. I’ll make sure that I don’t start logging important information in some location we’ll immediately turn around and forget about, only for someone else to find. Additionally, I’ll send an email to security@ so that others can handhold me through my bad ideas.
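One way to stop social security numbers and card numbers from landing in a log you will later forget about, as an added example that is not from the original post: a `logging` filter that scrubs them before any handler writes the line. The regexes, the Luhn check (so that an order number that merely looks like a card number is left alone) and the sample log call are constructed for this illustration.

```python
# Added example, not from the original post: redact SSNs and card numbers
# before they are written to any log. Patterns and sample data are constructed.
import logging
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; true for real card numbers, usually false for order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str) -> str:
    text = SSN_RE.sub("[SSN REDACTED]", text)

    def _card(m):
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if luhn_ok(digits):
            return "[CARD REDACTED ****" + digits[-4:] + "]"
        return raw  # fails Luhn, so probably not a card number; leave it

    return CARD_RE.sub(_card, text)


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message, so arguments get cleaned too."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def demo_logging() -> list:
    logger = logging.getLogger("payments.example")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = _ListHandler()
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    try:
        # Constructed log call: a test card number, a fake SSN, a plain order id.
        logger.info("charge failed for card %s ssn %s order %s",
                    "4111 1111 1111 1111", "123-45-6789", "1234567890123")
    finally:
        logger.removeHandler(handler)
    return handler.lines
```

Attach the filter to every handler (file, syslog, the shipper to your central log store), not just one, and treat it as a backstop: the sensitive field should not be in the log call in the first place.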

Oh, that brings me to my next point.

Math is hard

I am aware that anything involving cryptography is really hard and requires the buddy system. If I’m dealing with any sort of cryptography, I will give a heads up to security@ to involve others because I will surely break it by myself. This means I will not YOLO-Code when it comes to:

  • Storage of a private key or API token in a place that isn’t so private

If I smell something broken in this area, I will also give security@ a shout because it would be a disaster if I screwed this up.
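An added example, not from the original post, of how to catch the bullet above before it ships: a small scanner for secrets committed to source. It looks for two well-known shapes (AWS access key IDs, which begin with AKIA or ASIA, and PEM private-key headers) and for assignments to names like TOKEN or SECRET whose string literal has high Shannon entropy, which placeholders like “replace_me” do not. The sample source, the name patterns and the 4.0-bit threshold are assumptions for this illustration; the AKIAIOSFODNN7EXAMPLE key is AWS’s documented placeholder, not a live credential.

```python
# Added example, not from the original post: flag secrets that look like
# they were hard-coded into source. Patterns, threshold and sample are constructed.
import math
import re

# Well-known secret shapes (constructed list; extend for your own services).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# name = "literal" where the name smells like a credential and the literal
# is long enough to be a real key rather than a short placeholder.
ASSIGN_RE = re.compile(
    r"(?i)\b(\w*(?:secret|token|password|api_?key|private_?key)\w*)"
    r"\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; random keys sit well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_source(text: str) -> list:
    """Return [(line_no, reason), ...] for lines that look like they hold a secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for reason, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((no, reason))
        m = ASSIGN_RE.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((no, "high_entropy_secret:" + m.group(1)))
    return findings


# Constructed sample file: two real-looking secrets, one placeholder, one
# value correctly pulled from the environment, one private key header.
SAMPLE_SOURCE = """\
import os
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "sk_live_9aZ3qT7xLm2vNb8Kp0RsWq4Yh"
SECRET_KEY = "replace_me_before_launch"
DB_PASSWORD = os.environ["DB_PASSWORD"]
CERT = "-----BEGIN RSA PRIVATE KEY-----"
"""


def demo() -> list:
    return scan_source(SAMPLE_SOURCE)
```

Run it over staged files from a git pre-commit hook and fail the commit on any finding. Lines 2, 3 and 6 of the sample are flagged; the placeholder on line 4 is not, because its entropy is low, and line 5 is the pattern you actually want.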

Don’t trust other companies

I will not let the company turn into a data sharing brothel with random other companies, pseudo-partners, and straight up hackers. Whenever a contract turns into a data sharing agreement, I will include security@ to make sure I didn’t just jeopardize our entire security posture by putting all of our data somewhere else, or by giving another company access to our systems.

That other marketing startup probably wouldn’t give a second thought to how many times they email our users, or who they sell the data to, or who could possibly ever breach them. Or maybe that strategic partnership with a bigger company might not warrant full production access to our systems… that would be a good thing to review.

Let’s not ink our data away.

I’m not a creep

If I turn out to be the employee with administrative access to employee data, production systems, user data, etc, I realize I could become the next “GCreep” or LOVEINT if I act selfishly or maliciously. I will not provide favors to anyone with my access, act on my filthy hedonistic human impulses, or commit fraud. I realize that if I am trusted with sensitive data, I am extra-likely to be fired if I’m doing anything with that access that is not my job, so I will not allow myself to become “that guy” or “that girl”.

I read this and won’t ruin our security

Signed, ____________________


What is this “security policy” for?

Larger companies have employees sign an information security policy. It’s one of those things you have to eventually do for compliance reasons. After checking a compliance box they are largely forgotten and don’t really contribute to actual security or fix any employee habits. Oh, and they’re huge.

This is a minimal policy drawing from ISO27002, but articulated in a way that could actually be understood. By being a bare minimum policy, it should be applicable almost everywhere. Add what you need based on the maturity of your company, like vulnerability disclosure or regular third party audit requirements.

I’ve helped respond to countless incidents, big and small. The policy above is ruthlessly prioritized to address the most painful stuff that actually happens.


@magoo

I’m a security guy, former Facebook, Coinbase, and currently an advisor and consultant for a handful of startups. Incident Response and security team building is generally my thing, but I’m mostly all over the place.

Starting Up Security

Guides for the growing security team
