Overview of DLP, Access, Zero Trust
Follow up for Thomas
Tabletop exercises (data breach) > communication team
Full-Year Security Rollout Plan for Picsume
Phase 1: Foundational Security & Compliance (Months 1-3)
1. SOC 2 Type 1 Compliance Initiation
- Objective: Establish foundational controls to begin SOC 2 Type 1 compliance.
- Steps: Conduct a gap analysis, develop policies, set up controls, and start evidence collection.
2. Access Management and Control
- Objective: Enforce least-privilege access with multi-factor authentication for all users.
- Steps: Implement RBAC and MFA, perform regular access reviews, and limit non-sensitive roles (sales, marketing) to essential applications only.
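As an added illustration of the RBAC, MFA and access-review steps above (example code written for this note, not part of the plan or any Picsume system; the role names, application names and sample users are constructed assumptions), the script below keeps a role-to-application map in which non-sensitive roles only get essential applications, refuses any access without MFA, and runs a periodic review that flags grants exceeding a user's role:

```python
"""Least-privilege access check: role-based app entitlements plus an MFA gate.

Constructed example. Role names, application names and the sample user
records below are assumptions for illustration; they are not Picsume's.
"""
from dataclasses import dataclass, field

# Role -> set of applications that role needs. Non-sensitive roles such as
# sales and marketing are limited to essential applications only.
ROLE_APPS = {
    "engineering": {"email", "chat", "source-control", "cloud-console", "customer-db"},
    "support":     {"email", "chat", "ticketing", "customer-db"},
    "sales":       {"email", "chat", "crm"},
    "marketing":   {"email", "chat", "crm", "analytics"},
}

# Applications that hold customer or production data; a user holding one of
# these without MFA is a review finding regardless of role.
SENSITIVE_APPS = {"source-control", "cloud-console", "customer-db"}


@dataclass
class User:
    name: str
    role: str
    mfa_enrolled: bool
    granted_apps: set = field(default_factory=set)  # what they currently hold


def authorize(user: User, app: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a single access decision."""
    if not user.mfa_enrolled:
        return False, "mfa-not-enrolled"  # MFA is required for all users
    allowed = ROLE_APPS.get(user.role, set())
    if app not in allowed:
        return False, "not-in-role"
    return True, "ok"


def access_review(users: list[User]) -> dict[str, list[str]]:
    """Periodic access review: report grants that exceed the user's role,
    and users who hold a sensitive app without MFA.
    Returns a mapping user name -> list of findings (empty list = clean)."""
    findings = {}
    for u in users:
        issues = []
        excess = u.granted_apps - ROLE_APPS.get(u.role, set())
        for app in sorted(excess):
            issues.append(f"excess-grant:{app}")
        if not u.mfa_enrolled and (u.granted_apps & SENSITIVE_APPS):
            issues.append("sensitive-access-without-mfa")
        findings[u.name] = issues
    return findings


# Constructed sample directory: two users are deliberately out of policy.
SAMPLE_USERS = [
    User("alice", "engineering", True, {"email", "chat", "source-control", "cloud-console"}),
    User("bob", "sales", True, {"email", "chat", "crm", "customer-db"}),    # over-provisioned
    User("carol", "marketing", False, {"email", "chat", "analytics"}),
    User("dave", "support", False, {"email", "ticketing", "customer-db"}),  # sensitive app, no MFA
]

if __name__ == "__main__":
    for name, issues in access_review(SAMPLE_USERS).items():
        print(name, issues or "clean")
```

Running the review over the sample directory reports bob's extra customer-db grant and dave's sensitive access without MFA; the same two-table design (role entitlements plus a sensitive-app list) is what a quarterly access review would diff against the identity provider's actual assignments.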
3. Data Backup and Disaster Recovery
- Objective: Protect data availability with backup and disaster recovery mechanisms.
- Steps: Set up automated backups, enable cross-region replication for critical data, define RTO/RPO, and test recovery quarterly.
4. Security Awareness Training
- Objective: Cultivate a security-conscious team through training and discussion of phishing risk.
- Steps: Provide initial training, run phishing simulations (lower priority), and schedule quarterly refreshers.
- KnowBe4 - phishing campaigns (Gmail?)
5. Additional Security Measures for Non-Sensitive Roles
- Objective: Implement basic security for roles without sensitive data access.
- Steps: Enforce endpoint security (anti-virus), MDM/BYOD policies, VPN usage, secure communication channels, phishing awareness, and password management.
- Email filtering (Google Admin)