Day 35 — Sprint #4 Close & HR Security

Looking internally for the answers

Bob Weishar
4 min read · Jan 4, 2021


Today as I wrap up another week of work, I’m feeling equally happy with my progress and anxious with my lack of it. Each day this week I chewed off a big chunk of our information security work, but it turns out it takes a lot of bites to get this one down.

Here’s how it went.

Sprint #4 Retrospective:

I started this sprint looking to complete this list:

My Goal for the Week

And boy, was I optimistic. Early in the week I abandoned using JIRA and resorted to daily piles of sticky notes, tackling whatever big challenge I thought would add the most value. So this list is a mixed bag of done, not started, and new work that this week’s work itself uncovered.

Highlights of the Week

💡What I Learned

  • Information security is a lot of work! Each day I’ve made meaningful progress but there’s still a lot to be done.
  • Using external tools is a blessing and a curse: it’s never been easier to roll up a product, but it’s probably never been less secure either. Doing this activity opened my eyes to how we’re working with 3rd-party vendors. Nevertheless, it was a useful exercise and will greatly improve our security posture going forward.

👍 What Went Well

  • Generally speaking, I feel MUCH more comfortable talking about and working on our information security controls. Practice makes perfect.
  • Made a LOT of progress on BIG chunks of our administrative controls.

👎 Opportunities to Improve

  • I continue to be completely unrealistic with my time. I was hoping to complete the list above, but it’s clear I’m at best 1/3 of the way down the list.
  • I say “at best 1/3” because I don’t actually know. Early in the week I abandoned JIRA as a tracking tool and now have some cleanup work to go back and figure out exactly what’s left.

⏭️ Next Steps

  • I hope to finish the rest of these this week, which means I probably still have 2–3 weeks left to go of this work. I’d like another week to continue momentum though, so I’ll pick it back up tomorrow.

Today’s Problem to Solve: Human Resources Security

Similar to our vendor and software asset analysis, another vector of risk is ourselves. All the policies and controls we’ve written go out the window if they’re not followed. Today we look internally.

01 — Security Responsibilities Awareness Policy

Our first control calls for outlining:

  • the workforce member’s responsibilities with regard to the security of company information or information systems (which may continue after the end of the employment or contractual relationship); and
  • that the workforce member may be investigated as part of a sanctions investigation resulting from a breach of the ISMS.

For this I found a confidentiality and security agreement template and customized it to our needs:

Confidentiality and Security Agreement

02 — Pre-Employment Requirements

Nothing to do here today; this is mainly a policy for managing new hires and making sure their system access needs are communicated.

03 — Onboarding

A bunch of onboarding activities to make sure we’re hiring the right people and that those people take privacy & security seriously. No action needed for this today.

04 — Privacy & Security Training

Most of my work was building out our training. I relied on a mix of external resources and my own input based on the work so far.

Here’s the privacy & security training mountain to climb:

Here’s the result:

Now What?

Turn this list red:


Bob Weishar

Founder at Invincible, passionate about building healthcare products that inspire.