Day 35 — Sprint #4 Close & HR Security

Today as I wrap up another week of work, I’m feeling equally happy with my progress and anxious with my lack of it. Each day this week I chewed off a big chunk of our information security work, but it turns out it takes a lot of bites to get this one down.

Here’s how it went.

Sprint #4 Retrospective:

I started this sprint looking to complete this list:

My Goal for the Week

And boy, was I optimistic. Early in the week I abandoned using JIRA and resorted to daily piles of sticky notes and tackling whatever big challenge I thought would add value, so this list is a mixed bag of done, not started, and new work that’s been created from my work.

Highlights of the Week

💡What I Learned

  • Information security is a lot of work! Each day I’ve made meaningful progress but there’s still a lot to be done.
  • Using external tools is a blessing and a curse: it’s never been easier to roll up a product, but it’s also probably never been less secure either. Doing this activity opened my eyes to considering how we’re working with 3rd party vendors. Nevertheless, it was a useful exercise and will greatly improve our security posture going forward.

👍 What Went Well

  • Generally speaking, I feel MUCH more comfortable talking about and working on our information security controls. Practice makes perfect.
  • Made a LOT of progress on BIG chunks of our administrative controls.

👎 Opportunities to Improve

  • I continue to be completely unrealistic with my time. I was hoping to complete the list above, but it’s clear I’m at best 1/3 of the way down the list.
  • I say “at best 1/3” because I don’t actually know. Early in the week I abandoned JIRA as a tracking tool and now have some cleanup work to go back and figure out exactly what’s left.

⏭️ Next Steps

  • I hope to finish the rest of these this week, which means I probably still have 2–3 weeks left to go of this work. I’d like another week to continue momentum though, so I’ll pick it back up tomorrow.

Today’s Problem to Solve: Human Resources Security

Similar to our vendor and software asset analysis, another vector of risk is ourselves. All the policies and controls we’ve written go out the window if they’re not followed. Today we look internally.

01 — Security Responsibilities Awareness Policy

Our first control calls for outlining:

  • the workforce member’s responsibilities with regard to the security of company information or information systems (which may continue after the end of the employment on contractual relationship); and
  • that the workforce member may be investigated as part of a sanctions investigation resulting from a breach of the ISMS.

For this I found a confidentiality and security agreement template and customized it to our needs:

Confidentiality and Security Agreement

02 — Pre-Employment Requirements

Nothing to do here today, mainly just a policy to manage new hires and making sure system needs are communicated.

03 — Onboarding

A bunch of onboarding activities to make sure we’re hiring the right people and that those people take privacy & security seriously. No action needed for this today.

04 — Privacy & Security Training

Most of my work was building out our training. I relied on a mix of external resources and my own input based on the work so far.

Here’s the privacy & security training mountain to climb:

Here’s the result:

Now What?

Turn this list red:




Startup founder surviving in his parent’s basement.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

The MetaApes Declare War


The Securities Quote Exchange (SQX) joins BDP’s Data Marketplace to Launch Their Global…

Kemi Olunloyo, libel and Cybercrimes Act, 2015: Caveat for citizens

{UPDATE} htoL#NiQ -ホタルノニッキ- Hack Free Resources Generator

Upgrade Your SSH Key to Ed25519

New ID Verification Tool for Unemployment Insurance

Cyber-security and healthcare campaign — Staying Cyber safe

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Bob Weishar

Bob Weishar

Startup founder surviving in his parent’s basement.

More from Medium

B2B Intelligence for your eCommerce, Pipecandy Prospector

Why Banks Need To Build Intelligent Digital Products

Why Banks Need To Build Intelligent Digital Products

Non-Human Collaborators in an Enterprise SaaS System

Redesign of the Czech TV video platform and SEO perspective