THE TENACIOUS FOUNDER

AE.5 Access & Security

What

Access & Security

Access is a form of control. If everyone can touch everything — or nothing — you’re either going to get hacked or slowed to a crawl. This section defines who can access what, and how, so security supports speed instead of killing it.

Why

Purpose

  • Control access to sensitive systems and data
  • Minimize security risks, IP loss, and offboarding issues
  • Build digital trust infrastructure early so you can scale without chaos

When It’s Used

  • As soon as tools contain customer, financial, or IP data
  • Before onboarding additional team members or contractors
  • Updated quarterly and revised annually, or after any major team/leadership change

Protect the Business — Systems, Data, Roles, Access & Security

Sets the rules and systems for managing digital access — from passwords to permissions — so the right people can act quickly without exposing the company to unnecessary risk.

Core Practices:

  • Password Management
    • Mandatory use of a secure password manager (1Password, Bitwarden, Dashlane)
    • Shared vaults for team tools; private vaults for individual credentials
  • Authentication & Identity Controls
    • MFA (multi‑factor authentication) and SSO (single sign‑on) wherever possible — especially for banking, CRM, HR, and internal tools
  • Role‑Based Permissions
    • “Least privilege” principle — no full admin rights unless required
    • Access groups by department or function
  • Device Security Standards
    • Password or biometric lock on all devices used for company work
    • Disk encryption on by default (BitLocker for Windows, FileVault for Mac)
    • Auto‑lock after short idle time
  • Shared Account Handling
    • Store shared logins (e.g., social media) only in the password manager — never in Slack, email, or DMs
  • Cloud Storage Permissions Review
    • Quarterly audit of Google Drive/OneDrive/Dropbox “anyone with link” shares — switch to account‑based access
  • Vendor & Third‑Party Access Control
    • Maintain a log of all vendors/service providers with system access
    • Vet new vendors for basic security practices before granting access
    • Include vendors in quarterly access reviews
  • Offboarding Protocol
    • Revoke access immediately upon exit
    • Transfer ownership of accounts/docs before deactivation
  • Access Mapping
    • Maintain a central register of tools, owners, and access levels
    • Review quarterly to remove dormant accounts and excess privileges
  • Critical System Backup Plan
    • Back up high‑value files (finance records, investor decks, source code) to a secure, separate location or account
  • Secure Data Disposal
    • Remove outdated files from shared drives quarterly
    • Use secure wipe/shred tools for digital or physical media before disposal
  • Incident Response Basics
    • 1‑page guide on first steps if accounts or data are compromised
    • Include emergency contacts, escalation path, and logging process
  • Security Awareness Basics
    • Onboarding briefing on top 5 startup security rules: phishing, VPN for public Wi‑Fi, suspicious activity reporting, etc.

Tool Permission Examples:

  • Notion / Google Drive → team‑based folders + edit/view rights
  • QuickBooks / CRM → view vs. edit vs. admin controls
  • Slack / Email → standard channels vs. private threads

Why this matters

Most data breaches and IP losses start inside the company — not from shadowy outside hackers. Clear access policies, vendor controls, and instant offboarding protect your assets, your customers, and your people. Done right, security becomes invisible — enabling speed instead of killing it.


If You Don’t Do This

  • Compromised accounts — A single ex‑employee with active credentials can drain accounts, delete files, or leak IP.
  • Vendor vulnerabilities — A poorly secured third‑party account can be the back door into your systems.
  • Data breaches — Costly fines, legal exposure, and brand damage from preventable leaks.
  • Founder bottlenecks — If only one person knows the passwords, work halts when they’re unavailable.
  • Lost investor confidence — Sloppy access control signals immaturity; can kill deals or lower valuations.
  • Operational chaos — Team members waste hours chasing links, requesting access, or recreating missing files.

Skipping access discipline is like leaving your office unlocked, keys in the door — you may get away with it for a while, but the day you don’t, the cost can be existential.


Expected Output (Minimum Viable Legal Documentation):

  1. Central password manager in use company‑wide
  2. Access map (tool + owner + access level) maintained & updated
  3. Offboarding checklist documented and followed for all exits
  4. MFA/SSO enabled for all critical systems
  5. Device security standards enforced for all work devices
  6. Quarterly cloud + vendor permission audit completed and logged
  7. Critical backup plan in place and tested
  8. Incident response guide documented and accessible
  9. Secure data disposal process followed and logged