@sacarino
Last active June 6, 2025 21:16
Example SOC 2 Type I policy types needed for an early-stage startup (you need to actually fill these in yourself)

Acceptable Use Policy

Purpose:
To ensure responsible use of company-provided systems, devices, and data.

Policy:
Use of company resources should be for business purposes only. Use that introduces risk (e.g., file sharing of sensitive data via unapproved platforms) is prohibited.

Access Control Policy

Purpose:
To define how access to company systems and data is granted, managed, and revoked.

Policy:
Access is granted based on role and the principle of least privilege. Shared accounts are not permitted. All access is logged where technically feasible.

Procedures:

  • Access is granted at onboarding and revoked immediately at offboarding.
  • Admin access requires approval from a company founder.

Business Continuity and Disaster Recovery Policy

Purpose:
To ensure services can resume quickly in the event of disruption.

Policy:
Critical systems (e.g., infrastructure hosting, code repositories) must have:

  • Automated daily backups.
  • Access to recovery documentation stored in a cloud drive.
  • A basic BC/DR test conducted at least annually.

Change Management Policy

Purpose:
To control changes to infrastructure and software to reduce risk of disruptions or vulnerabilities.

Policy:
All production changes must:

  1. Be reviewed by a second person if available.
  2. Include logging or rollback procedures when possible.
  3. Be documented via Git commit messages and pull requests.

Data Retention and Disposal Policy

Purpose:
To define how long data is retained and how it's securely disposed of.

Policy:

  • Customer data is retained only as long as needed for operational or legal purposes.
  • Data must be securely deleted using digital shredding or similar mechanisms when no longer needed.

Onboarding and Offboarding Policy

Purpose:
To ensure that access to systems is correctly granted and revoked.

Policy:

  • Onboarding: New employees receive access based on their role via least privilege.
  • Offboarding: Access is revoked within 24 hours of departure, ideally immediately upon termination.

Incident Response Policy

Purpose:
To provide guidance for responding to security incidents.

Policy:
All incidents must be documented, reported to a founder, and remediated promptly.

Initial Procedure (MVP):

  1. Contain the threat.
  2. Notify affected parties and a founder.
  3. Review and log the incident in an internal security journal.

Information Security Policy

Purpose:
To establish a baseline for protecting organizational data and systems from unauthorized access, disclosure, alteration, or destruction.

Policy:
We are committed to implementing reasonable and appropriate security controls to safeguard information assets. All team members must follow security best practices, including use of strong passwords, secure devices, and encryption where applicable.

Responsibilities:

  • The founding team is responsible for defining and reviewing security requirements.
  • All personnel must report suspected security incidents immediately.

Risk Assessment Policy

Purpose:
To identify and address risks to company operations and data.

Policy:
A basic risk assessment will be conducted quarterly by a founder or designated team member to evaluate threats, vulnerabilities, and potential business impacts.

Vendor Management Policy

Purpose:
To ensure third-party services meet basic security and availability requirements.

Policy:
All third-party vendors must be reviewed for security and compliance posture before onboarding.
