WISP: A Written Information Security Program
A Written Information Security Program (WISP) is the set of documents that describes an organization’s security policies, the processes that put them into practice, and the controls that enforce them.
In many US states a WISP is a legally required document that demonstrates the organization’s IT security and data protection posture.
It sets out the policies and processes that should be in place so that any organization which processes, controls, manages, licenses and/or retains personal information about individuals has implemented the required level of data protection and cyber security. Where these do not yet exist, preparing a WISP helps identify the gaps in the organization’s security plan.
As data breaches and cyber attacks increase, having correct and current WISP documentation in place demonstrates to clients, suppliers, customers and members, as well as to regulators and employees, that your organization takes data protection and cyber security seriously and has implemented the necessary safeguards. The document only carries that weight if the safeguards it describes are actually in place and verified, which is why it is reviewed and audited rather than simply written once.
What is required?
Developing a WISP starts with an assessment of the current state, from which a prioritized list of required actions is produced and a mitigation and implementation plan developed.
A WISP sets the organization’s benchmark for data security and gives senior management (and especially the Board of Directors) visibility of the IT security and data protection environment for governance purposes.
Specifically, a WISP should address the following security areas:
- Identify the person within the organization who is responsible for the data protection and security program.
- Risk assessment of all data protection and cyber security policies and procedures, as well as the technical controls in place (patching, firewalls, encryption, anti-virus and anti-malware).
- Development of policies for the storage, access and transfer of personal information.
- Training for employees on the management of data, data protection requirements, and the disciplinary measures for violations of the WISP.
- Joiners, movers and leavers (JML): access control procedures and access privileges for all personnel, including prompt removal of access for employees who have left the organization.
- Encryption of personal information in transit and at rest.
- A procedure for checking the level of security that third parties (contractors, service providers, etc.) have in place.
- Incident/breach policy and procedure for logging and reporting, and the steps to be taken in the event of a data breach or security incident.
- A review process for all procedures (and for the WISP itself), covering both implementation and effectiveness.
The advantages of having a WISP
A WISP should be a well documented and detailed part of an organization’s governance. Allowing senior management to see and understand what policies and procedures are in place, who is responsible and accountable, and the level of risk the organization is prepared to accept, helps ensure that the organization is prepared and resilient.
A good WISP, with its controls actually implemented, makes the organization less vulnerable to cyber attack and data breach.
It gives a level of confidence to employees, clients and customers, suppliers and members.
Having your cyber security and data protection policies and procedures documented, in place, accredited where necessary, and available for examination by outside organizations is not only legally required by some US states but is generally accepted as best practice.
US JURISDICTIONS REQUIRING (BY LAW) A WISP:
Alabama: 2018 SB 318
Arkansas: Ark. Code § 4-110-104(b)
California: Cal. Civ. Code § 1798.91.04
Colorado: Colo. Rev. Stat. §§ 6-1-713 to -713.5
Connecticut: Conn. Gen. Stat. § 38a-999b; Conn. Gen. Stat. § 4e-70
Delaware: Del. Code tit. 6, § 12B-100
Florida: Fla. Stat. § 501.171(2)
Illinois: 815 ILCS 530/45
Indiana: Ind. Code § 24-4.9-3-3.5(c)
Kansas: Kan. Stat. § 50-6,139b
Louisiana: La. Rev. Stat. § 51:3074 (2018 SB 361)
Maryland: Md. Code, Com. Law §§ 14-3501 to -3503
Massachusetts: Mass. Gen. Laws ch. 93H, § 2(a)
Minnesota: Minn. Stat. § 325M.05
Nebraska: Neb. Rev. Stat. §§ 87-801 to -807 (2018 LB 757)
Nevada: Nev. Rev. Stat. §§ 603A.210, 603A.215(2)
New Mexico: N.M. Stat. §§ 57-12C-4 to -5
New York: N.Y. Gen. Bus. Law § 899-bb
Ohio: Ohio Rev. Code §§ 1354.01 to 1354.05 (2018 SB 220)
Oregon: Or. Rev. Stat. § 646A.622
Rhode Island: R.I. Gen. Laws § 11-49.3-2
South Carolina: S.C. Code §§ 38-99-10 to -100 (2018 HB 4655)
Texas: Tex. Bus. & Com. Code § 521.052
Utah: Utah Code §§ 13-44-101, -201, -301
Vermont: 9 V.S.A. §§ 2446-2447 (2018 HB 764)
District of Columbia: 2020 B 215 (enacted; under Congressional review)
How The TrustBridge can help
- The TrustBridge documentation has taken our clients through due diligence by some of the biggest companies in the world, through regulatory review, and through ISO 27001 and SOC 2 audits.
- The TrustBridge has developed 70 policy and procedural documents that we tailor to your organization.
- The TrustBridge can help you implement these policies.
The TrustBridge has developed an audit process (submitted to the regulatory authority for accreditation) with a report that enables participating companies to reassure their partners, clients and suppliers that they have implemented best practice measures: The TrustBridge D3.