Day 34 — Hello Governor

This Sprint I’ve focused on building toward HIPAA compliance, and after a week I can say I’m not nearly as far as I’d hoped.

BUT! I also have made really good progress and made some great strides. Perhaps most importantly, I’ve learned a lot. Here’s where I stand today based on our controls:

Progress on Administrative Controls

Building Good Governance

From Aptible:

Governance is the architecture of processes that creates oversight and accountability in your security management program. It’s a meta-set of security decisions and actions that enable the “management” part of your security management program.

Today’s Problem to Solve:

How might we establish our commitment to security and to build trust with our customers and the wider community?

Today’s Results

Today was a bunch of small activities around our ISMS governance. None of them individually took that much time, but it added up. We already have the baseline version of our ISMS in place, so today’s work was mostly focused on the additional work that is specified in our control policies.

1— ISMS Metrics

I started by defining the core metrics we would track. I wanted to start simple, so I identified these:

  • % of employees who were properly onboarded and off-boarded
  • % of employees who complete security training
  • % who have signed a security policy and procedure agreement
  • % of applicable devices properly enrolled in device management
  • Number of security incidents

2 — Roles & Responsibilities

Determining roles & responsibilities for our security team is an important process of establishing good governance. While most of these activities will initially fall on me, we’ll start to build out these functions to share the love.

Here’s a high-level view of the org chart:

High-Level Security Org (credit: Aptible)

3— Documentation Control

Documentation control boils down to good documentation practices to ensure we do what we say we’re going to do.

For this, I added a “Version Control” section to each of the excel files I’ve created so far this week. It’s nothing fancy, but over time we’ll use this to ensure we track all changes and store them in a secure place of record. I’m storing everything in Google Drive right now.

Version Control for our Documentation

4 — Legal & Contractual Log

This lays out our legal and contractual responsibilities in the market. HIPAA has been the driving force for this work, though there are additional frameworks we’ll need to consider depending on the demographic (e.g., COPPA if we have users under 13), geography (e.g., GDPR if we’re in the EU), and market (e.g., FERPA when we re-launch in schools).

Our Legal & Contractual Log

5 — Asset Management (People & Devices)

This was just wrapping up our asset log with people and devices. Since the devices will be used to store sensitive data, we need to be sure they’re tracked and inventoried.

What’s Next?

Tomorrow I wrap up this Sprint with Human Resources Security — mainly all the training we’ll need to complete internally.

I’m quickly realizing I’ll need at least another week to finish these administrative controls, so I’ll also get re-organized and inventory the work that’s left.




Startup founder surviving in his parent’s basement.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Let’s Defend: SOC 141 — Phishing URL Detected alert Walkthrough

What are CTFs?

Disclosure And Privacy Policy

Reported Second Phase of New York Excelsior App Raises Privacy Concerns

Top 20 Most Harmful Website Hacks of All Time

Blockchain Blog 06 — Cryptography, SHA, and Wallets

#MyCyberWhy 28: Sherrie Caltagirone, Founder and Executive Director at Global Emancipation Network

Pre-Presale Airdrop

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Bob Weishar

Bob Weishar

Startup founder surviving in his parent’s basement.

More from Medium

A controversial street artist-Banksy

Remote Work: How to make it work for your company

Elon Musk vs Twitter — a lesson on how outstanding leaders own PR

This one beginner’s error complicates all my work in Sketchup, it’s not about the technical trick…