Written Information Security Program

What is a Written Information Security Program?

A Written Information Security Program (WISP) is a document that details an organization's security controls and policies. It records the measures a business or organization takes to protect the security, confidentiality, integrity, and accessibility of its data. In short, a WISP is the roadmap for an organization's information security.

A WISP is inward-facing: it is meant to be used internally by the organization, both as a reference and as a record of its practices, and it is not written for public consumption. This stands in contrast to a privacy policy, which tends to be an outward-facing document meant to notify prospective customers and vendors about an organization's data use and security practices.

Different WISPs for Different Folks

WISPs are required across a wide range of industries and information types. For example, the IRS requires accountants to create a WISP under the Gramm-Leach-Bliley Act. In another example, organizations that handle health and medical data may be required under HIPAA to develop a WISP to protect that data.

What is Included in a WISP?

Depending on the size, industry, and location of a business, the format and contents of a WISP can differ significantly. Even so, WISPs share a common core. A WISP must, at the very least, describe the following:

  1. Security practices that are proportionate to the sensitivity and volume of data the organization handles, including:
    1. Technical security measures
    2. Physical security measures
    3. Administrative security measures
    4. How and where data is stored and transferred
  2. Minimum technical security controls, such as encryption, anti-malware software, and other perimeter and internal defenses.
  3. Third-party vendor management. Holding vendors to the same standards as the company that originally collects the information is a central concept of a WISP: vendors must be adequately vetted, and periodic risk assessments must be included in the contract terms.
  4. A designated employee who is responsible for upholding and carrying out the security policies.
  5. Risk assessments and audits, conducted at least annually.
  6. Employee security awareness training.

The Importance of a WISP

It's a good idea to create a WISP even if there is no express legal requirement for one in the industry or state in which the business operates. Should your business suffer a data breach, a good-quality WISP that has been consistently implemented and maintained provides an affirmative defense against legal claims alleging that an avoidable security failure led to the breach.

The value of a WISP also lies in its very creation, because writing it prompts your business to assess its information security risks and implement appropriate protection strategies. Beyond reducing compliance and litigation risk, developing a good WISP translates into better data protection and stronger resilience to a data breach and its inevitable fallout.

Which Laws Require a Written Information Security Program?

Massachusetts Standards For The Protection Of Personal Information Of Residents Of The Commonwealth

The most well-known example of a WISP requirement in state privacy law is the Massachusetts regulations on Standards for the Protection of Personal Information of Residents of the Commonwealth. It requires that “every person that owns or licenses personal information” about a Massachusetts resident must “develop, implement, and maintain a comprehensive information security program that is written in one or more accessible parts.”

HIPAA

If you are required to comply with HIPAA, then you are also required to implement and maintain a written information security program that documents the policies and standards you have in place to safeguard PHI. HHS can request documentation of those policies at any time. It is therefore important to have a WISP available at all times that documents how your organization complies with, or is working toward compliance with, each requirement of the HIPAA Privacy and Security Rules.

The Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) is a U.S. law that requires financial institutions to protect customer data. To implement the GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule, which outlines the measures that must be in place to keep customer data safe. One requirement of the Safeguards Rule is implementing a WISP.

PCI-DSS

If a business accepts credit or debit cards, the PCI-DSS standard requires it to have a professionally written set of policies, procedures, standards, and guidelines. The WISP is a non-negotiable requirement of the PCI standard, and it applies even to businesses that already comply with laws such as HIPAA or GLBA.

Serious Business

Data is a critical business asset that warrants appropriate safeguards. Developing and maintaining a WISP demonstrates that you are serious about protecting your data and practicing due diligence.
