Startup To Enterprise Checklist


FROM STARTUP TO ENTERPRISE
The checklist for a growing IT department



Introduction
Every company reaches a point when it transforms from a startup to a grownup organization. Ad hoc systems and fly-by-the-seat-of-your-pants philosophies give way to documented procedures and repeatable processes.

For many startups, this transition is required before you can raise venture capital, especially in large amounts. For other startups, you need to become a grownup company before you can land your first enterprise-level customer. VC investors and major corporations alike want to know that, given all the risks inherent in betting on a startup, your company is not itself taking unnecessary risks.

Every department -- marketing, finance, human resources -- has its own maturation milestones, but the area most
often overlooked in the “growing up” effort is technology. Tech startups rightfully assume that their technology is a
strength, but just because your core application is well designed doesn’t mean your IT department is well run.

Below we offer a basic checklist of items you need to address before you can call yours a grownup IT department.

• Do you have a documented security policy? Completed
  ○ That’s been audited by a third party (SOC I or SOC II)? Completed
    ▪ With an audit report you can share with customers / investors? Completed
  ○ That conforms to a recognized standard (WebTrust, ISO 27001 or NIST)? Completed
  ○ That includes procedures for handling a security breach? Completed
    ▪ Including how to inform customers? Completed
  ○ That documents how to de-provision departed employees? Completed
    ▪ Even ones that were fired / quit without notice? Completed
  ○ That dictates standards for securing employee workstations? Completed
    ▪ With specific security technology? Completed
    ▪ And required password strength / refresh rates? Completed
    ▪ And also logs that all workstations are secured? Completed
    ▪ Even the BYOD / personal tech that employees use for work? Completed
  ○ That outlines standards for securing data centers? Completed
    ▪ Like encrypting data at rest? Completed
    ▪ With a major encryption standard? Completed
    ▪ And logs of who gains physical access to servers? Completed
  ○ That includes a regular risk assessment? Completed
    ▪ Performed no less than quarterly? Completed
    ▪ With logs to prove it? Completed
Comments:

• Do you have a documented disaster recovery / business continuity plan? Completed
  ○ That includes full failover / backup of all business data? Completed
    ▪ Even cloud-based data? Completed
    ▪ Backed up by a third party? Completed
    ▪ With logs to prove it? Completed
  ○ That has been successfully tested? Completed
    ▪ More than once? Completed
    ▪ With logs to prove it? Completed
Comments:

• Do you have a documented customer privacy policy? Completed
  ○ That specifies what kind of data you’re allowed to keep? Completed
    ▪ And logs to prove you’re abiding by it? Completed
    ▪ Along with a process for handling breaches in the policy? Completed
  ○ That’s been reviewed by someone of legal competence? Completed
Comments:

• Do you monitor the performance of your core systems / infrastructure? Completed
  ○ Against benchmarks for optimal performance? Completed
    ▪ With alerts when they aren’t being met? Completed
    ▪ And procedures for dealing with impending failures? Completed
  ○ And log performance over time? Completed
Comments:

• Do you have a data retention policy? Completed
  ○ That accounts for all the data that employees create? Completed
    ▪ Even in the cloud? Completed
    ▪ And on social media? Completed
    ▪ That can produce data subpoenaed or requested by regulators? Completed
    ▪ That you’ve tested? Completed
    ▪ More than once? Completed
    ▪ With logs to prove it? Completed
Comments:

• That can prevent deletion of critical data? Completed
  ○ That you’ve tested? Completed
    ▪ More than once? Completed
    ▪ With logs to prove it? Completed
  ○ That has procedures for purging data past the retention deadline? Completed
    ▪ And technology that enacts these deletions? Completed
    ▪ With logs to prove it? Completed
Comments:

• Do you have a regulatory compliance policy? Completed
  ○ That includes a list of all the federal and state standards that apply to you? Completed
    ▪ With a documented list of compliance certifications? Completed
    ▪ And a specified plan for keeping them up to date? Completed
Comments:

• Do you have a complete list of the vendors that supply your tech infrastructure and services? Completed
  ○ With a complete list of warranties and SLAs? Completed
    ▪ That has been audited by someone of legal competence? Completed
  ○ With a complete list of support escalation processes? Completed
    ▪ That you’ve tested? Completed
  ○ With a complete schedule of end-of-contract dates? Completed
    ▪ And a plan to renew or replace these vendors when their terms end? Completed
Comments:
