Security Policy

Learn about BARR Advisory’s Security Policy.

Overview

BARR Ventures Inc. (together with its affiliates BARR Advisory, P.A. and BARR Certifications LLC, referred to as “BARR”) is a professional services firm that establishes, manages, and audits cybersecurity and compliance programs. We are a cloud-native firm with a 100% remote workforce and a zero-trust architecture.

Core Certifications & Frameworks

ISO/IEC 17020:2012

We are certified to ISO/IEC 17020:2012, covering quality management, personnel security, and technical controls.

ISO/IEC 27001 Aligned
Our Information Security Management System (ISMS) is built on the ISO 27001 framework.

AICPA, A2LA, The Cyber AB, ANAB, PCAOB
We practice strict adherence to all professional standards, including, but not limited to, the AICPA, A2LA, The Cyber AB, ANAB, and PCAOB requirements.

Our Cybersecurity Program

BARR’s information security policies are approved by management and communicated to all stakeholders. These policies and associated controls manage information risk and ensure the confidentiality, integrity, and availability of our services. Policies include:

Information Security and Organization
Risk Management
Asset Management
Access Control
Physical and Environmental
Change Management
Vulnerability Management
Incident Management
Business Continuity Planning
Endpoint Management
Personnel Security

Professionalism and Integrity

As a professional services firm, BARR does not tolerate transactions that compromise integrity or professionalism, even if beneficial to business. We serve in the best interest of every client and stakeholder. These commitments are supported by the firm’s quality control policies.

Key Policy Summary

This section summarizes key policies. All policies are published on internal collaboration tools and accessible to all personnel.

Information Security and Organization

BARR maintains a documented and approved Information Security Policy, which defines key personnel roles and security responsibilities. A dedicated security committee provides oversight, reviews and approves all security policies and risk assessments, and promotes a security culture.

Risk Management

BARR performs internal risk assessments at least annually and following significant environmental changes. The process aligns with professional standards, NIST, and ISO 27001 Risk Management Frameworks, and includes:

  • Identifying, analyzing, and evaluating critical assets, threats, and vulnerabilities.
  • Conducting formal risk assessments that include mitigating controls and prioritization to reduce overall risk exposure.
  • Ensuring consistent, valid, and comparable results from repeated assessments.

Risks are categorized, prioritized, and remediated based on likelihood and impact to BARR commitments. Identified risks are addressed via a formal risk treatment plan, and results are retained. Methodologies include:

  • Risk Acceptance: Accept potential risk and continue operations.
  • Risk Avoidance: Eliminate the risk cause or consequence.
  • Risk Mitigation: Minimize risk by implementing preventive and detective controls.
  • Risk Share/Transfer: Transfer the risk to a third party (e.g., insurance) or share it.

Identified risks and their treatment plans are assigned to an owner as part of our annual and quarterly goal-setting process.

Third Party Risk Management

Vendors are vetted with the same high standards we expect from our clients. Supplier agreements include requirements to address supply chain information security risks, including confidentiality and non-disclosure agreements. The Security Committee and Chief Information Security Officer review new vendors and conduct annual reviews of existing ones.

BARR regularly monitors, reviews, and audits third-party service delivery using a risk-based approach against our information security objectives:

  • Determine third-party criticality.
  • Assess the impact of identified threats and vulnerabilities.
  • Assess the likelihood of identified threats.
  • Determine the final risk based on criticality, threat impact, and likelihood.

Third-party risk assessments are reviewed at least annually and updated based on monitoring results. Evaluation frequency is determined by the risk to BARR Advisory’s information security objectives and potential non-compliance with BARR policy (e.g., enterprise strategy, laws, and regulations).

Asset Management

Assets (hardware, software, and critical documents) are inventoried, assigned an owner, and classified. Inventories are periodically reviewed for completeness and accuracy.

Ownership of Assets

Assets or groups of assets are assigned ownership and maintained in the inventory. The asset owner is responsible for proper life cycle management, including:

  • Ensuring assets are inventoried, classified, and protected.
  • Defining and periodically reviewing access restrictions and classifications based on access control policies.
  • Decommissioning the asset when deleted or destroyed.

Acceptable Use of Assets

Rules for the acceptable use of information and assets are identified, documented, implemented, and made available to all users. Employees must review and acknowledge the employee handbook, which covers acceptable use of hardware, software, and data.

Return of Assets

The formal termination process requires all employees and third-party users to return all BARR-issued physical and electronic assets upon separation. In limited circumstances (e.g., manager approval), an employee may keep certain assets (e.g., laptop), but the device will be wiped prior to departure. For personal equipment (e.g., smartphones) used for work, procedures ensure that BARR information is transferred and securely wiped.

Access Control

Identity and access management is central to our remote-first security strategy. We use a centralized “Source of Truth” to manage the entire user lifecycle.

  • Identity Stack: We use Rippling Identity Management integrated with Google Workspace.
  • Enforced MFA: Multi-Factor Authentication (MFA) is enforced across 100% of our applications, using Passkeys when available.
  • Automated Lifecycle Management: Account provisioning and de-provisioning are automated. Automated workflows revoke access to internal systems and client-facing data rooms immediately upon departure.

Physical and Environmental

BARR Advisory employs a 100% remote workforce. Our infrastructure is housed in AWS and GCP data centers. Refer to their respective compliance pages for physical security controls: AWS Data Center Controls and Google Data Security.

Change Management

While BARR is not a software development firm, we use low-code platforms and automation scripts (e.g., Quickbase, Google Apps Script) to optimize service delivery. To prevent risk to our environment or client data, we follow a lean, high-integrity change management process:

  • Peer Review: All scripts and low-code application changes undergo peer review by a second qualified team member to verify logic and security permissions before deployment to production.
  • Environment Separation: Changes are developed and tested in “Sandbox” or “Development” environments before deployment to the live environment used for client engagements.
  • Principle of Least Privilege: Automations are configured with minimum required scope. We annually audit Google Apps Script Scopes and Quickbase User Roles/API access to ensure no account has broader access than necessary.
  • Audit Logging: Changes to our primary service delivery platform (Quickbase/taskBARR) are logged, providing an audit trail.

Vulnerability Management

Vulnerability management for the taskBARR system is Quickbase’s responsibility. BARR annually reviews penetration test and vulnerability scan results to ensure issues are resolved.

Vendor updates and patches to taskBARR are deployed as available, adhering to BARR Advisory’s change and vulnerability management policies. Operating system updates are automatically pushed to personnel workstations and endpoints.

Incident Management

BARR maintains a formal Incident Management Policy for rapid detection and transparent communication.

  • Detection: Huntress EDR and operational tooling provide the security team with real-time alerts and insights.
  • Triage & Escalation: We follow a documented response plan that includes forensic evidence preservation and root cause analysis.
  • Client Notification: In the event of a suspected breach involving client data, BARR commits to written notification within 24 hours of identification.
  • Resilience: As a cloud-native firm, critical business functions are distributed across tier-1 providers (e.g., Google Workspace) to ensure high availability and eliminate single points of failure. Our services are not dependent on any single provider.

Business Continuity Planning

BARR Advisory maintains a formal Business Continuity and Disaster Recovery (BC/DR) plan to ensure continuing service performance. The plan is tested at least annually. Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) are documented and updated based on test results.

Endpoint Management

Every BARR laptop is a managed asset.

  • Mobile Device Management (MDM): All endpoints are managed via Rippling MDM, which enforces:
    • Full-Disk Encryption (FDE).
    • Secure OS configuration and password complexity.
    • Remote wipe capability (automatic upon offboarding).
  • Detection & Response: Huntress EDR is deployed on all endpoints for 24/7 threat hunting, persistent foothold detection, and daily malware scanning.

Vulnerability Management: Security patches and OS updates are enforced on all devices within 30 days of release.

Our program is designed to minimize the data footprint.

  • Non-Persistence Policy: BARR does not host client production data. We interact with client information only through secured, third-party data rooms (e.g., Quickbase/taskBARR and Google Shared Drives). If preferred, we can leverage data rooms and shared drives where all security is managed by the client. A separate enclave is also available in a GovCloud environment for our CMMC services.
  • Clean Desk/Clean Endpoint: Consultants are prohibited from storing client IP on local drives longer than required for the engagement. Automated device wipe protocols serve as a final fail-safe for data destruction.
  • Encryption in Transit: All communications and data transfers occur over encrypted channels (TLS 1.2+).

Personnel Security

Security is a culture, not a department.

  • Background Checks: All employees undergo multi-jurisdictional background and reference checks prior to hire.
  • Continuous Education: Every team member completes initial security awareness training and participates in monthly security “micro-learnings” to stay ahead of the latest phishing and social engineering tactics.
  • Acceptable Use & Acknowledgement: These policies apply to all BARR employees and to non-employees working with the firm. All personnel must review and acknowledge our policies as part of our handbook.

Learn More

For security inquiries or to request audit reports, contact our security team at [email protected].