Free Security Policies for Small Teams
“The ghost doesn’t knock. It writes the rules on your firewall and vanishes.”
Introduction
Small teams don’t lack firepower – they lack doctrine.
Most startups, side projects, hacker collectives, and pirate tech guilds fly blind when it comes to operational policy. What follows isn’t paperwork. It’s armor.
This is The Phantom SOP – a spectral framework for security discipline:
- No bloat.
- No legalese fog.
- Just clear rules for small teams who live close to the code and closer to the edge.
1. Acceptable Use Policy
“Every command typed is a key. The wrong one unlocks hell.”
Purpose
You trust your team with keys to the kingdom. This policy says what the kingdom is – and what happens if someone sets fire to the walls.
Directives
- Systems are for mission work only. No personal torrents. No gambling scripts. No funny business.
- Do not probe internal networks unless explicitly required by role or task.
- Do not share credentials. Not with teammates. Not with shadows.
- Violations trigger immediate lockdown. No debate.
Implementation Notes
- Keep it to one page.
- Use plain language.
- Tie violations to clear consequences.
2. Data Retention Policy
“Data is memory. Memory can be a threat.”
Purpose
If you store everything, you become a hoarder of risk. This policy defines what data lives and what gets burned.
Directives
- Define retention durations for logs, backups, and customer data.
- Store only what is essential, and only as long as necessary.
- Encrypt everything at rest and in transit.
- Document all data deletions. Log the purge.
Implementation Notes
- Use specific durations (e.g., “30 days”, “180 days”).
- Automate retention enforcement via cron, Ansible, or CI/CD.
- Align with relevant privacy laws, but enforce zero-trust by default: no data class is kept indefinitely just because nobody set a limit.
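A worked example of the "automate retention enforcement" and "log the purge" directives above. This is added example code, not part of the original Phantom SOP; it assumes a constructed layout where each data class lives in its own directory under a data root (`logs/`, `backups/`, `customers/`) and the retention limits in `RETENTION_DAYS` are placeholders to edit per your own policy. It deletes files older than their class's limit, supports a dry run, and appends one JSON line per deletion to an audit log so the purge itself is documented.

```python
"""Retention enforcement with an audit trail (added example, not the SOP's own code).

Assumed layout (constructed for this example):
    <root>/logs/       -> RETENTION_DAYS["logs"]
    <root>/backups/    -> RETENTION_DAYS["backups"]
    <root>/customers/  -> RETENTION_DAYS["customers"]
Run it from cron; review the audit log the same way you review any other log.
"""
import json
import os
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

# Data class -> maximum age in days. Placeholder values; set them from your policy.
RETENTION_DAYS = {"logs": 30, "backups": 180, "customers": 365}
DAY_SECONDS = 86400


def expired_files(root, policy=RETENTION_DAYS, now=None):
    """Return [(path, data_class, age_days)] for files older than their class's limit."""
    now = time.time() if now is None else now
    root = Path(root)
    found = []
    for data_class, max_days in policy.items():
        class_dir = root / data_class
        if not class_dir.is_dir():
            continue  # class not present on this host; nothing to purge
        for path in class_dir.rglob("*"):
            if not path.is_file():
                continue
            age_days = (now - path.stat().st_mtime) / DAY_SECONDS
            if age_days > max_days:
                found.append((path, data_class, age_days))
    return found


def enforce_retention(root, audit_log, policy=RETENTION_DAYS, now=None, dry_run=False):
    """Delete expired files and append one JSON record per candidate to audit_log.

    Returns the deleted paths as strings. With dry_run=True nothing is removed,
    but every would-be deletion is still logged with action="dry-run".
    """
    deleted = []
    with open(audit_log, "a", encoding="utf-8") as log:
        for path, data_class, age_days in expired_files(root, policy, now):
            record = {
                "ts": datetime.now(timezone.utc).isoformat(),
                "action": "dry-run" if dry_run else "delete",
                "class": data_class,
                "path": str(path),
                "age_days": round(age_days, 1),
                "limit_days": policy[data_class],
                "size_bytes": path.stat().st_size,
            }
            if not dry_run:
                path.unlink()
                deleted.append(str(path))
            log.write(json.dumps(record) + "\n")  # the purge is documented, not silent
    return deleted


def make_sample_tree(root, now):
    """Build a constructed sample tree with backdated mtimes for demonstration."""
    root = Path(root)
    spec = {  # name -> (data class, age in days)
        "old_log": ("logs", 40),        # past the 30-day limit: purged
        "fresh_log": ("logs", 0),       # kept
        "recent_backup": ("backups", 40),   # under the 180-day limit: kept
        "old_backup": ("backups", 200),     # past the limit: purged
    }
    paths = {}
    for name, (data_class, age) in spec.items():
        path = root / data_class / f"{name}.dat"
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("sample")
        stamp = now - age * DAY_SECONDS
        os.utime(path, (stamp, stamp))  # backdate so age_days is realistic
        paths[name] = path
    return paths


if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())
    now = time.time()
    make_sample_tree(root, now)
    audit = root / "retention-audit.jsonl"
    print("dry run:", enforce_retention(root, audit, now=now, dry_run=True))
    print("purged: ", enforce_retention(root, audit, now=now))
    print(audit.read_text())
```

Wire it to cron as `enforce_retention(Path("/srv/data"), Path("/var/log/retention-audit.jsonl"))` (paths assumed) and ship the audit file to the same place as your other logs; a retention job that deletes without leaving a record is itself a gap in the policy.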
3. Incident Response Plan
“When it burns, don’t scream. Move.”
Purpose
Incidents don’t start with smoke. They start with silence. Your team needs a ritual for when the silence breaks.
Directives
- Define what qualifies as an incident: phishing, breach, lost device, anomalous traffic.
- Assign roles for:
  - Detection
  - Containment
  - Eradication
  - Recovery
  - Reporting
- Maintain secure comms: fallback channels like Element, Signal, or a burner Matrix room.
Implementation Notes
- Include an offline, printable version.
- Run tabletop simulations quarterly.
- Keep it to a one-pager with contacts and the communication plan.
4. Remote Work Security Policy
“The perimeter is dead. Your couch is the new frontline.”
Purpose
The castle model is dead. We operate from coffee shops, cabins, and co-working dungeons. The edge is everywhere.
Directives
- All work devices must use full-disk encryption.
- VPN is mandatory. Home routers must be secured.
- Public Wi-Fi is allowed only if tunneled and trusted.
- Screens must auto-lock on idle. Devices should never be left unattended.
- Personal and work devices must remain separated.
Implementation Notes
- Provide a recommended toolkit with open source apps.
- Avoid burnout: enable paranoia without rigidity.
- Integrate the policy into onboarding and team rituals.
Phantom SOP Summary
| Policy | What It Secures | Ghost Rule |
|---|---|---|
| Acceptable Use | Team behavior, internal trust | Every command typed is a key. |
| Data Retention | Data lifecycle and liability | Memory can be a threat. |
| Incident Response Plan | Chaos response and resilience | When it burns, don’t scream. |
| Remote Work Security | Perimeterless operations | Your couch is the new frontline. |
Deployment Notes
- Store under `/sop/` in your project root.
- Version control all policies.
- Encourage feedback loops. Assign a maintainer per document.
- PDF export via Org or Pandoc for external sharing.
Final Words
DeadSwitch out.
“Security isn’t silence. It’s choreography beneath it.”