By now, you have probably come to realize that your business data is your most precious commodity. Protecting it is an essential step in keeping your company secure, and that means having the proper policies, procedures, and protections in place. That’s where a written information security plan (WISP) comes in.
What Is a Written Information Security Plan (WISP)?
Every business, regardless of size, should have a written information security plan (WISP). A WISP outlines the policies, procedures, and security controls for your company to ensure confidential information is protected. It also details how that information is protected within your organization and who is responsible for safeguarding all information. More than 25 states in the United States including Massachusetts, California, Oregon, Texas, and Rhode Island now require companies to have a WISP or similar alternative in place. The increase in security laws reflects the growing threat of cybercrime, breaches, and data theft.
Your WISP should include technical and administrative policies and procedures to reduce the likelihood of a cyber incident, as well as your liability when one does occur. Anyone with access to your business’s data, such as employee or client data, should be familiar with the company’s WISP. The WISP informs all staff about how to implement data protection at the appropriate level of security for each type of data.
Regulations and WISPs
Several industries and organizations are governed by cybersecurity regulations that require a WISP. If your organization is bound by the Health Insurance Portability and Accountability Act (HIPAA), then it is required to have a WISP as well. The same is true for financial service organizations that fall under the New York Cybersecurity Regulation known as 23 NYCRR 500. The American Institute of Certified Public Accountants (AICPA) developed the Service Organization Controls framework (AICPA TSC 2017, SOC 2) for managing data securely, which also requires a WISP, as does the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The list of federal and state regulations requiring a WISP goes on.
Technical Safeguards for Your WISP
There are several technical safeguards that should be included in your WISP. The first is regular, ongoing assessments of technical security measures your organization has in place. This may include software patches, penetration testing (pen testing), multifactor authentication, and encryption.
Through these assessments, you’ll be able to evaluate the efficacy of the technical protections you have in place. The evaluation of stopgap measures, such as cybersecurity tracking documents, should also be included in your WISP. Your WISP should also include language that allows for the adoption and implementation of additional technical safeguards as necessary to adapt to changing business and threat environments.
Administrative Safeguards for Your WISP
In addition to the technical safeguards found in your WISP, you’ll also want to include several administrative defenses. These should include, but are not limited to, the following:
- Definitions of confidential data and data classification
- A detailed outline of how confidential data is protected
- Where confidential data is located (hard copy format, shared drives, cloud, etc.)
- Identifying who has access to confidential data in all forms
- How access to data is limited to only those people who require it to fulfill their job duties
- Defining roles and responsibilities for responding to a cybersecurity incident or breach (this includes internal and external communication procedures for responding to incidents)
Physical Safeguards for Your WISP
Though most of your data is likely developed, stored, and accessed digitally, many businesses also keep hard copies of information, from employee tax forms to client projects. That means there is an element of physical security required for business data as well, including the following:
- Developing policies for the secure storage and protection of physical data
- Implementing policies for transporting physical data or making copies
- Restricting physical access to stored records
- Ensuring doors, file cabinets, and other physical access points are locked and protected
- Updating physical security technology such as closed-circuit cameras and key cards for access
A WISP vs. a Business Continuity Plan
A WISP and a Business Continuity Plan (BCP) actually have very different purposes yet act in tandem to protect your business. Though a WISP is incredibly important, having an updated BCP is also imperative. A BCP is a written document your company should have in place to ensure it can continue operating as seamlessly as possible in the event of a cyber incident or breach.
While a WISP outlines the policies and procedures for protecting company data at all times in an effort to prevent the loss or theft of data, a BCP details how your organization will continue operating when faced with a business disruption of any type. Such disruptions could range from a natural disaster or inclement weather to workplace violence, a breach, or other events that would otherwise shut down operations.
For example, a BCP (also known as an incident response plan or IRP) may outline the use of a VPN for workers who must go remote with little to no notice or the use of cloud computing for easy access to documents and other data needed by your workforce to keep plugging away.
An effective BCP will minimize the negative impact of unforeseen disruptions, including financial losses. It will also help keep a business’s reputation intact and its strategic plans on track, reducing the effect of unplanned disruptions on everything from day-to-day operations to your company’s market standing.
Having a WISP in place demonstrates to staff, clients, partners, law enforcement, and the public that your business takes cybersecurity seriously. It shows everyone from clients to employees that you value their data and your organization is prepared to responsibly secure it.
For more information about WISPs or how to develop one for your company, contact ORAM Corporate Advisors at (617) 933-5060. The call is free and there is no obligation.