Skip to content
← Field notes
Rubric deep-dive · Pillar 05

Rubric deep-dive: operating baseline (Pillar 05).

15% of the composite, and the pillar most likely to end a vetting cycle. Not SOC 2. A check that the team handles data, access, change control, incidents, and contracts at a level a serious buyer can defend to their own security team.

By · Guest expertAgencies7 min read

The operating-baseline pillar is not a security audit. It is not SOC 2. It is a check that the team handles client data, access, change control, incident response, and contracts at a level a serious buyer can defend to their own security team. Fifteen percent of the composite. A single critical failure blocks issuance, which is why this pillar ends more vetting cycles before completion than any of the other four.

02

The scope of the pillar

One infosec-experienced reviewer plus legal review on contract hygiene. The artifact is a checklist, supporting documents, and attestations on file. Not a penetration test. Not a compliance certification. The comparison we run: could a buyer's own head of security look at the file and defend the choice of vendor without needing to add material remediation. If yes, the pillar scores. If no, the pillar fails, and the badge cannot issue regardless of the other four scores.

That framing is the entire pillar in one sentence. We are not certifying the vendor is secure by any absolute standard. We are certifying the vendor is at least as safe as a defensible mid-market domestic firm would be, on the specific vectors that come up in offshore engagements.

03

Data handling

Twenty-five percent of the pillar. Where client data lives, who can read it, how long it is retained, how it is deleted. Evidence: a written data-handling policy and a sample DPA scoped to what the team actually touches. Software agencies show a general DPA. Marketing agencies show a DPA covering customer lists, ad-audience uploads, and CRM data. Design agencies show a DPA covering research-participant PII and asset repositories. Product agencies show a DPA covering interview transcripts and strategy documents.

The bar is that the written policy exists, is followed in practice, and survives reviewer questioning. The catastrophic red flag we score at level 0 (which blocks issuance): client data copied onto personal laptops. Any evidence of this, at any point, on any team, ends the vetting cycle. The corollary: no process for deleting client data when the engagement ends. Same score.

04

Access controls

Twenty percent of the pillar. SSO, MFA, least-privilege, joiner-and-leaver discipline. Evidence: documented least-privilege access to client systems and a documented leaver checklist. Software teams show identity-provider configuration. Marketing teams show delegated access to ad accounts, analytics, and CRMs. Design teams show access to client design tools and asset stores. Product teams show access to client docs, dashboards, and interview archives.

The bar: MFA enforced across the team. Leavers off all client systems within one business day. The red flags: shared logins across the team (very common in offshore agencies under two years old), and former employees who still have access to client accounts or ad platforms. The second is the more damaging finding because it is usually accidental, a shared account nobody rotated when someone left, which means the team had not been thinking about the risk at all.

05

Delivery-workflow maturity

Twenty percent of the pillar. Change control appropriate to the trade. Who can change what, who approves, how a bad change gets rolled back. The path from a proposed change to a client-visible change must be documented, reviewed, and reversible.

Two red flags we mark hardest: a single person can push a client-visible change with no second set of eyes. Manual edits to live client systems with no audit trail. Either one is a level 1 at best. Both together tend to be level 0.

06

Incident response

Fifteen percent of the pillar. Not a formal certification. What we want: a documented process, a recent test of it, and at least one post-mortem on file. The bar: the process exists, has been used, and led to a documented change in how the team works.

The single red flag we see often and always score down: the team reports no incidents have ever occurred. Not credible at scale. Teams that have done real client work have had incidents. Teams that report none are either not thinking of them as incidents, are hiding them, or are too new to have accumulated any, in which case they should say so plainly.

07

Contracts and IP hygiene

Twenty percent of the pillar. This is where legal review joins. MSA quality, IP assignment, subcontractor disclosure, insurance. The bar: IP cleanly assigns to the client, subcontractors are disclosed, insurance is current.

Three red flags block issuance under this criterion. Ambiguity about who owns the delivered work. In our experience the most common version is a boilerplate MSA that has IP transfer language on paper but includes a licensing carveout the team did not realize was there. Subcontractors used but not disclosed to the client. Extremely common, extremely disqualifying. Every subcontractor arrangement discovered during our vetting is documented on the verification page. Professional-liability insurance that has lapsed. Uncommon but not rare, especially at agencies under twenty people. We verify certificates directly with the underwriter.

08

Why this pillar's floor is higher than the others

For the Backed tier, this pillar must be at least 70. For Managed, at least 85. Higher floors than the other pillars because a security failure produces harm that cannot be un-done. A team can have a mediocre communications score and a client can still get value. A team with a security failure produces losses the client cannot recover from. Data leaks, IP disputes, legal exposure.

The higher floor is our way of saying: we will forgive being a level 2 on craft. We will not forgive being a level 1 on data handling. The badge is only as trustworthy as the pillar with the least room to fail.

Takeaways
  • 01The pillar tests operating baseline, not compliance. The reference is a defensible mid-market domestic firm, not a SOC 2 certification.
  • 02Data handling on personal laptops or no data-deletion process is disqualifying. Both are more common in offshore agencies than most buyers realize.
  • 03Access controls are graded on leaver discipline. Former employees with active access to client systems is a level-1 finding at minimum.
  • 04Change control must be documented, reviewed, and reversible. Single-person pushes to client-visible systems are disqualifying.
  • 05Contracts and IP hygiene are legally reviewed. Undisclosed subcontracting is the most common finding and the fastest disqualification.
  • 06Pillar floors are higher because security failures cannot be un-done. The badge is only as trustworthy as the weakest pillar.
Related
Score yourself

Where does your shop sit on this pillar?

The self-assessment mirrors the pillar weights and gives you a private draft score before you commit to the full intake.