6 Steps to Security Governance For Startups

As a startup, your mind is on your product or service - as it should be. When you gain traction and win larger clients, sooner or later one will ask about your information security program and it will take more than "we're secure, trust us" to convince them.

This is how security governance programs are born.

You might look at large multinationals with full compliance, legal, and InfoSec teams, and be tempted to delay. But as a startup you have an advantage: your agility will help you create a big security governance posture with minimum effort (and cost).

In this article, we describe 6 low impact and low-cost ideas with big benefits to Information Security Governance. These will lay the foundation for convincing clients that your startup takes InfoSec seriously and help set you up for any future compliance pursuits like SOC2 (opens new window), PCI (opens new window), and ISO 27001 (opens new window).

It's All About Controls

Security Governance is just security applied with a plan, with known and tested controls. It doesn't have to be complicated nor expensive to achieve, just demonstrate smart choices, good habits, and a little bit of process.

Controls are guardrails that enforce good activity and prevent bad activity.

Consider the need to ensure that data does not leave company computers. One approach is to disable USB ports on staff machines - this is a technical control. An alternate approach is to explicitly prohibit this in the company's Acceptable Use Policy - this is a policy control.

Technical controls are stronger and preferred to policy controls, but are typically harder and more costly to implement. In the above example, even with USB ports disabled, there are many other vectors for data exfiltration, each of which will need to be addressed. In this case, policy controls can go a long way.

Let's say you're a Fortune 10 company evaluating a neat startup with great technology. How do you know that it meets your security standards and how could the startup convince you?

Somehow the startup needs to convey trust and InfoSec maturity.

We can do this by showing a plan, good habits, thought out process, and a track record of compliance. Each of these will be supported by security controls that keep our organization on the right path and allow us to demonstrate that we do what we say we do.


Below are 6 low impact and low-cost ways for your business to start (or strengthen) your security governance. Each idea tries to estimate the time and effort required and discusses some of the possible benefits.

1. Establish a Security Council

Time Required: 1 hour per quarter
Provides: Demonstrable communication with management and a venue to document critical security decisions

A security council is just a fancy title for regular meetings with your InfoSec team, CTO, CEO, and anyone else involved in security matters. The purpose is simple: establish (and document) a communication channel between "boots on the ground" security and management. It allows you to fulfill criteria such as:

Are management approved operating procedures utilized?

Use these meetings to do the following:

  • Keep management apprised of security activities at a high level,
  • Discuss, vote on, and decide any critical security decisions, and
  • Review policy changes, new risks, and security related plans

We suggest that you make these meetings formal, keep attendance, and create minutes, similarly to how a strata conducts an AGM. The records will be used to show a high level of rigor and history in your security governance process.

You'll likely want to share these minutes with auditors and potential clients, so be mindful of sensitive content and language.

2. Created Named Roles for Staff

Time Required: A few hours to devise groups, an extra step for activities that require separation of duties
Provides: Separation of duties and least privilege

Sooner or later you'll need to formalize some roles for your staff so that you can develop separation of duties and least privilege permissions. These should include Developer, QA, Security, and Manager, but any reasonable variation will work.

Once you have these established, create a Roles and Responsibilities description for each: a paragraph or two that highlights key responsibilities. This allows you to formalize what each role entails. We recommend that you have each staff member read and acknowledge their roles and responsibilities, and keep a record to demonstrate as evidence.

Some small organizations choose to make role assignment fluid, more akin to peer review. For example, each deploy will have a different named person acting as developer, QA, or security. This is a great way to allow staff to walk in each other's shoes but does make least privilege permissions tougher to enact. If you choose this path, make sure that staff read and acknowledge any of the roles and responsibilities for which they'll be acting.

3. Organize Your Access Controls

Time Required: A project
Price: $200/month or $4/month/user
Provides: Robust controls around access, credentials, offboarding, etc.

Access control and Digital Identity is a staple of security governance and is worth getting right. We recommend leveraging an SSO solution as early as possible, which gives a single point for account management and is easy to evidence. The easiest way to get started is to sign up for a service like Auth0 (opens new window), Okta (opens new window), or OneLogin (opens new window) and connect future services, migrating existing accounts as time allows.

If SSO is too big of a project, we recommend a password manager instead. Pick one like LastPass (opens new window) or 1Password (opens new window) and make it company policy to use different strong passwords for every site and service.

Create a strong password policy. The simplest approach is to follow the latest NIST standards (opens new window) which boils down to:

  1. Set an 8 character minimum,
  2. Change only if there is evidence of compromise (i.e. don't rotate every 90 days),
  3. Screen new passwords against lists of known compromised passwords, and
  4. Limit the number of failed attempts

Requirement 3 may be challenging to achieve, but if you're using a password manager you can come close by requiring different randomly generated passwords.

Next, add policy controls that require MFA everywhere and prohibit credential sharing. You'll likely need to carve out service accounts such as database connection credentials.

If you can't decide where these policies should go, put them in your Acceptable Use Policy.

Finally, formalize your onboarding, offboarding, and review process. A good starting point is:

  1. A checklist of accounts to create for new staff,
  2. A checklist of services where to disable accounts for offboarding and for quarterly review, and
  3. An approval process for adding or removing staff or accounts. This can be anything that tracks history, such as a Jira ticket, wiki page, or even email where approval is given as a reply.

Combined, these controls give your access governance a good foundation.

4. Establish Foundational Policies

Time Required: A day to create, a couple of days annually to review
Provides: Formalized policies to follow and evidence. Policy controls where technical controls aren't practical.

A great way to demonstrate security maturity is by having a few key policies in place. This shows that you've sat down and established some guidelines, patterns, and processes.

These don't need to be long-winded or dense, just detailed enough to clearly lay out the policies. You'll likely find that most of the content is obvious, so staff acceptance shouldn't be a problem. Here is an example set of baseline policies:

  • Information Security Policy (ISP) - High-level information security strategy
  • Acceptable Use Policy (AUP) - Protects against the misuse of company systems and assets
  • Code of Conduct - Documents staff conduct and ethics guidelines
  • Business Continuity Plan - Plan in the event of a business disruption
  • Disaster Recovery Plan - Plan in the event of a technical disaster, such as site outage

There are many other policies to consider depending on your need. Policies tend to grow over time as new needs emerge and new policy controls are required:

  • Clean Desk Policy - Appropriate handling of paperwork and other sensitive information
  • Data Protection Policy - Minimum requirements for securing data in transit and at rest, data destruction, and data retention
  • Incident Response Procedure - Plan and requirements in the event of a technical incident (outage, security breach, etc).
  • Offboarding Policy - Procedures for offboarding employees
  • Prohibited Website Policy - Detailed guideline for prohibited websites
  • Subcontractor Policy - Policies for engaging and working with subcontractors
  • Supplier Code of Conduct - Vendor conduct and ethics guidelines
These don't need to be long, elaborate, or dense. A single page policy is perfectly acceptable. They just need to exist and demonstrably match what your business is doing.

5. Make Acknowledging the AUP Part of Your HR Process

Time Required: A few hours to create and have staff acknowledge
Provides: Documented acknowledgment of company guidelines, rules, and repercussions

One of the first policies you create should be an Acceptable Use Policy (AUP) or Code of Conduct. This policy outlines acceptable use of company assets and sets out guidelines for staff conduct and ethics.

The policy is mostly a common-sense guideline that prohibits theft, harassment, and illegal activities. It's also a good place to have broad company standards like a password policy or "MFA everywhere" policy. There are many examples available to help you craft one, such as here (opens new window).

Once you have an AUP, have your staff acknowledge it - and record that acknowledgment. The good way to do this is with a signature on a printed copy, but an email reply works equally well.

Finally, make acknowledging the AUP part of your staff onboarding process. This gives you a robust and well documented Acceptable Use mechanism with easy evidence that everyone is aware of the policy and the repercussions of breaching it.

6. Consider Formal Security Training for Staff

Time Required: A couple of hours annually for all staff
Price: $500/year
Provides: A formalized security training program

Annual security training is a good way to start your formal security training program. If you run a tech organization, many of your techies may roll their eyes at the exercise, so remind them that this is less about learning new skills and more about recertifying existing skills.

Include as many of your staff as possible. Much of the training will focus on Phishing attacks and employees as threat vectors, and your least technical staff are most susceptible

Rule of thumb:
Every employee with a company email account should be included in security training.

Leveraging an existing service like KnowBe4 (opens new window) or PhishingBox (opens new window) can make this process fairly straight forward and easy to manage.

How RFPHead Can Help

Creating a robust security governance program takes time and consideration. At RFPHead (opens new window) we help companies of all sizes start, improve, and manage their security programs. If you're looking for additional support with your security assurance, governance, or audit process, please don't hesitate to reach out to us.