When it comes to producing a functional, adaptable, and successful written information security plan (WISP) for any company, business leaders must understand that it is not a single document, but a puzzle consisting of many moveable pieces. A WISP is also a living document that needs to be able to adapt to your business as it changes. Additionally, each business is different in its requirements for information technology and security. It’s for these reasons a single WISP template is not a viable answer for all businesses.
WISP Puzzle Pieces
Every business should have a WISP in place not only because it is now required in many states (more than 25 including Massachusetts) by law, but also because it is a guide for protecting your organization. Even the smallest of businesses or nonprofits need a WISP as it outlines the policies, procedures, and security controls for an organization. It also details how that information is protected and who within a company is ultimately responsible for safeguarding that data.
One piece of the WISP puzzle is the written plan. That written plan includes the technical and administrative policies and procedures of how data is stored, handled, and destroyed. It is through this written piece that methods and behaviors are identified to reduce the odds of a cyber incident. Furthermore, if and when one does occur, the WISP helps to reduce the total loss, damage, and liability suffered by a business. While this written piece is central to your overall WISP, it’s just not enough.
The Security Manager
This piece of a WISP provides information about who your security manager will be. This may be an owner, manager, or even a third-party provider such as ORAM Corporate Advisors. This person or provider is responsible for maintaining and updating the WISP annually, ensuring employee compliance with the WISP, and many other aspects of your company’s cybersecurity and the WISP itself.
Within the WISP, the results of your company’s IT assessment will be included. It will also outline where sensitive information is stored. This portion of the WISP should also include storage areas, timeframes, and access points, both physical and electronic. This section can further be broken into internal and external risks to best identify plans for the protection of data assets.
This section will be unique to every business based on its unique risks, the threat landscape it operates in, and its industry needs. The safeguards your organization puts in place will be determined by the risks it faces (see above) and how they can be best addressed. This section will likely also include regular training for all employees, steps for disciplinary action when the WISP is violated, how data is collected, and much more.
Technical & Physical Elements
Having a written plan in place is the first step but there are other pieces that must also be implemented by an IT professional. This may mean applying digital layers of security to hardware and software, installing monitoring software to sift through emails to prevent intrusions or even extra cybersecurity for cloud storage. This is the technical aspect of any WISP.
Just as the written plan may change over time as your business grows and changes, the technical aspect of your WISP will also need to be adaptable. Another element of the technical piece is that cybersecurity must be adaptable to changes in the threat landscape. As new threats appear, the technical piece of your WISP will need to meet the challenges of those threats.
From the Shield Act of New York state to laws requiring WISPs in Massachusetts, California, Texas, Oregon, and Rhode Island, new and ongoing requirements in legislation reflect the continuous increase in cyberattacks, breaches, data theft, and ransomware. Depending on where your business is based and if it has locations in multiple states or nations, you need to know what is required by law.
As part of a WISP, you need to know what sensitive data your business has in its possession, where it is stored, who has access, how long it is kept, and how it is disposed of. While in your company’s possession, data such as personally identifiable information (PII) including healthcare information, birthdates, social security numbers, and more must be protected. It is your responsibility to safeguard this data. Should it be stolen or destroyed during a cyber event, your company is ultimately accountable for any loss.
As a business owner or leader, your job is to know where your most valuable data is stored, both digitally and hard copy. As part of your WISP, it should be detailed where that information is stored and what protections are in place. Additionally, you will need to outline who requires access to data to perform their work duties and keep everyone else out. This is known as the practice of least privilege.
Every Business, Every Industry
As mentioned previously, every business in every industry requires a WISP and the implementation of all pieces of the plan. All businesses have some information that is sensitive or proprietary in nature. For example, in healthcare, the Health Insurance Portability and Accountability Act (HIPAA) outlines national standards to protect certain health information as does the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Educational institutions are required to protect student information due to the Family Educational Rights and Privacy Act (FERPA). This protects student records and provides certain rights to parents regarding their child’s educational records and the ability to transfer them. This impacts all schools and educational institutions that receive federal funding.
The Supervisory Control and Data Acquisition (SCADA) system allows industrial businesses and organizations to control processes on-site and/or remotely. There are federal recommendations from the National Institute of Standards and Technology (NIST) regarding SCADA that are meant to protect critical infrastructure systems such as electrical power grids, water distribution systems, and dams, among others. There are specific requirements in place to protect these essential businesses.
When it comes to the finance industry, there are federal financial privacy laws in place to protect consumer data. Some of those include the Right to Financial Privacy Act and the Gramm-Leach-Bliley Act among others. There are laws in place to protect consumer data, recommendations for preventing breaches during financial transactions, and even those specific to certified public accountants such as the controls outlined by the American Institute of Certified Public Accountants (AICPA).
The Worst WISP Violators
From the experience of ORAM Corporate Advisors, there are two groups that come to mind as the worst violators of WISPs: realtors and gym operators. Why? These businesses tend to be operated by one individual or a very small group of people that often fail to realize the importance of having a WISP.
Realtors tend to have the worst security systems and practices. Professionals at ORAM Corporate Advisors have witnessed realtors sharing social security numbers, dates of birth, and other PII with finance companies in a rush to fund a buyer, for example in an unsecured email or while using public Wi-Fi. This is incredibly risky and sets the realtor up for serious liability as a result.
Gym owners and operators also tend to have poor security practices in place and often fail to have a WISP. This is often because the owner/operator is acting alone or has such as small staff they don’t have the bandwidth to handle a WISP and its moving pieces. Additionally, their profit margins are typically so thin, they often fail to have the proper cybersecurity in place let alone have a WISP.
The Cost of a WISP & Not Having One
While the cost of putting a WISP together can run an average of $1,500, it’s a great deal less expensive than the average cost of a breach which is now $3 million. Even if a company has cybersecurity insurance, most policies top out at $1 million which only covers one-third of the average cost of today’s hacks. Could your business make up the cost differential if a cyber incident were to occur?
In addition, most states now require cybersecurity measures to be in place that are covered by a WISP. Should a business be found to not have one, the fines and penalties can be exorbitant enough to shut down an organization. The good news is that once a company has overcome the initial cost of instituting a WISP specific to its needs, the monthly cost to maintain it is much lower.
Ultimately, no single template can achieve what is required of a WISP. Each industry and every business differs in its requirements so each WISP is individual to an organization, like a fingerprint. While the cost of implementing a WISP may seem overwhelming, it is nothing compared to the ultimate cost of a breach, which many organizations never recover from.
If you’re ready to get started with preparing a WISP for your business, book a free IT assessment with ORAM Corporate Advisors. There is no obligation and it will help identify security gaps in your business in order to help you prepare to build a WISP. You can also call ORAM directly with any questions at (617) 933-5060.