The What and Why of WISP
There are hundreds of acronyms in the world of business and technology, and it is overwhelming to keep up with all of them. WISP, a Written Information Security Program (also commonly called a Written Information Security Plan), is one that your business needs to stay on top of, whether you are a small business owner or come from a large corporation. What is this and what does it mean for your business? Let’s take a closer look at this all-important acronym, WISP.
What is a WISP?
A Written Information Security Plan is a professionally written document that is meant to create administrative, technical and physical safeguards for customers’ private data. The document discusses electronic and physical methods of accessing, collecting, storing, using, transmitting, protecting, and disposing of customers’ non-public personal information.
About four years ago the Commonwealth of Massachusetts passed 201 CMR 17.00. This regulation requires that: “Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards…” In short, companies need to write this document to show that they have exercised due care and due diligence in protecting the confidentiality of a customer’s private information, in order to comply with Massachusetts state law. If your company suffers a security breach and does not have a WISP, things are probably not going to turn out well for you. The penalties can be severe: they can include hefty fines and penalties that require security changes at all levels. (Source: Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulation)
Components of a WISP
There are several main components of a WISP that are meant to safeguard consumers and spell out exactly the risks they are taking when entrusting personal information to the company in question. WISPs usually carefully clarify the purpose and objectives of protecting private data. In addition, sections of a WISP explain:
- The role of a data coordinator – The document explains the role of a designated employee(s) who will be responsible for implementing the security protocols, training employees on them, testing the security programs and evaluating the security measures regularly.
- Internal Risks – A WISP should explain to consumers the internal threats to their personal information that exist, including paper and electronic records being unlawfully used by employees. Protocols for active and terminated employees should be discussed in this document.
- External Risks – Companies must explain in this document what threats they have identified with regard to personal data and the steps they will take to protect against security breaches, such as firewalls, two-factor authentication, encryption, and software to protect against malware or viruses.
- Notification Protocols – Companies must also explain how they will notify consumers in the event of a cyber attack and how they will attempt to rectify the situation.