What is a Written Information Security Program (WISP)?


By Bill Minahan   |   July 22, 2022   |   0 Comments


A Written Information Security Program (WISP) is a document that describes an organization’s security controls, processes, and policies. In other words, a WISP is a roadmap for an organization’s IT security, and several states legally require one.

State data security laws require businesses that own, license, or maintain personal information about residents to implement and maintain reasonable security procedures and practices.

The number of states with data security laws has doubled since 2016, reflecting the rise in data breaches and cybercrime.

A Written Information Security Program is designed to give your organization solid security procedures. These procedures not only reduce your chance of a breach but also limit your liability if one does occur.

A WISP demonstrates to law enforcement and the public that your business has reasonable security measures in place. A well-crafted WISP also shows your customers and employees that you value their data and take the responsibility of securing it seriously.

One of the key elements of a WISP that every business is expected to undertake is a cyber security assessment. An assessment identifies and evaluates your risks so that your team can mitigate them in order of the magnitude and likelihood of each threat.

An assessment also gives your organization a benchmark of its security, so your team can start building your WISP with greater visibility into your IT security environment.

aNetworks offers a free cyber security assessment tool that generates a report on your organization’s security posture.

What does a WISP cover?

Written Information Security Programs (WISPs) vary greatly in which security controls they cover. How comprehensive your WISP is will depend largely on your industry, your size, and which state laws you must comply with, and it will also differ depending on which security framework your business follows.

For most businesses, a WISP is a legal requirement that ensures adequate administrative, technical, and physical safeguards are in place to protect personally identifiable information (PII). A WISP also requires proper documentation of these safeguards.

Specifically, WISPs address the following security areas:

  • Designating employees responsible for the security program.
  • Identifying and assessing security risks.
  • Developing policies for the storage, access, and transportation of personal information.
  • Imposing disciplinary measures for violations of the WISP.
  • Limiting access by or to terminated employees.
  • Overseeing the security practices of third-party vendors and contractors.
  • Restricting physical and digital access to records.
  • Monitoring and reviewing the scope and effectiveness of the WISP.
  • Documenting data security incidents and responses.

WISPs also carry technical requirements, which can include the following:

  • Securing user credentials.
  • Restricting access to PII on a need-to-know basis.
  • Encrypting the transmission and storage of personal information.
  • Monitoring security systems.
  • Updating firewalls, security patches, anti-virus, and anti-malware software.
  • Training employees on security policies and the proper use of computer security systems.

Apart from the legal obligation, a well-written and tailored WISP reduces your risk of a data security incident and allows a quick response if one does occur. In most cases, it is in a business’s best interest to implement and maintain a WISP.

The more detailed and comprehensive your WISP is, the less likely you are to become a victim of a cyber security incident. Your WISP should be tested and updated frequently; even so, a “paper-plan” security program is better than no program at all.

Which states require a Written Information Security Program?

The following is a comprehensive list of states that have enacted data security laws requiring a WISP or a similar alternative:

  • Alabama: 2018 SB 318
  • Arkansas: Ark. Code § 4-110-104(b)
  • California: Calif. Civil Code § 1798.91.04
  • Colorado: Colo. Rev. Stat. § 6-1-713 to -713.5
  • Connecticut: Conn. Gen. Stat. § 38a-999b, Conn. Gen. Stat. § 4e-70
  • Delaware: Del. Code § 12B-100
  • Florida: Fla. Stat. § 501.171(2)
  • Illinois: 815 ILCS 530/45
  • Indiana: Ind. Code § 24-4.9-3-3..5(c)
  • Kansas: K.S. § 50-6,139b
  • Louisiana: La. Rev. Stat. § 3074 (2018 SB 361)
  • Maryland: Md. Code Com Law §§ 14-3501 to -3503
  • Massachusetts: Mass. Gen. Laws Ch. 93H § 2(a)
  • Minnesota: Minn. Stat. § 325M.05
  • Nebraska: Neb. Rev. Stat. §§ 87-801-807 (2018 L.B. 757)
  • Nevada: Nev. Rev. Stat. §§ 603A.210, 603A.215(2)
  • New Mexico: N.M. Stat. § 57-12C-4 to -5
  • New York: New York Gen. Bus. Law § 899-BB
  • Ohio: Ohio Rev. Stat. § 1354.01 to 1354.05 (2018 S.B. 220)
  • Oregon: Or. Rev. Stat § 646A.622
  • Rhode Island: R.I. Gen. Laws § 11-49.3-2
  • South Carolina: S.C. Code § 38-99-10 to -100. (2018 HB 4655)
  • Texas: Tex. Bus. & Com. Code § 521.052
  • Utah: Utah Code §§ 13-44-101, -201, 301
  • Vermont: 9 V.S.A § 2446-2447 (2018 HB 764)
  • District of Columbia: 2020 B 215 (enacted; under Congressional review)

Which Written Information Security Program is right for you?

Several types of WISP are designed to help you comply with different regulations and state laws. The hard part is finding the one that is right for you.

HIPAA Written Information Security Program (WISP)

If you are required to comply with HIPAA regulations, you are also required to implement and maintain a written information security program that documents the policies and standards you have in place to safeguard PHI.

HHS can request documentation of these policies at any time.

It is therefore important to have a written information security program (WISP) available at all times that documents how your organization complies with, or is working towards complying with, each requirement of the HIPAA Privacy and Security Rules.

The HIPAA WISP is ideal for health care organizations and their business partners who must comply with the HIPAA Privacy and Security Rules, and it covers each of the policies and standards set forth by HIPAA.

23 NYCRR 500 Written Information Security Program (WISP)

The New York Cyber Security Regulation, officially known as 23 NYCRR 500, requires financial service organizations and their third-party vendors to implement written information security programs.

The NYDFS superintendent can request all documentation and information relevant to a covered entity’s cyber security program at any time.

It is therefore important to have proper documentation that meets each of the requirements outlined in 23 NYCRR 500.

The 23 NYCRR 500 WISP is ideal for financial organizations and their third-party vendors, and it covers each of the policies and standards set forth by 23 NYCRR 500.

AICPA TSC 2017 SOC 2 Written Information Security Program (WISP)

The American Institute of Certified Public Accountants (AICPA) developed its Service Organization Controls (including SOC 2) as an auditing procedure to help service providers manage data securely in the cloud and protect client privacy and organizational interests. SOC 2 compliance is a minimum security requirement for SaaS providers.

AICPA TSC 2017 (SOC 2) was created to ensure secure data management in the cloud. As a result, it applies to almost every SaaS company, as well as any business that stores customer data in the cloud.

SOC 2 refers both to the technical audit process and to the requirement that businesses create and follow comprehensive information security and SOC 2 security compliance policies.

The SOC 2 WISP is ideal for SaaS providers and other businesses that store sensitive data in the cloud.

201 CMR 17.00 Written Information Security Program (WISP)

Massachusetts state law, formally known as 201 CMR 17.00, was put in place to safeguard the personal information of Massachusetts residents. The regulation establishes minimum standards for safeguarding personal information contained in both paper and electronic records.

Its provisions apply to all persons that own or license personal information about a resident of the Commonwealth.

The goals of the regulation are to ensure the security and confidentiality of customer information in line with industry standards, to protect against anticipated threats or hazards to the security or integrity of such information, and to protect against unauthorized access to or use of such information that may result in significant harm or inconvenience to any consumer.

The 201 CMR 17.00 WISP is ideal for Massachusetts businesses that control sensitive data, and it covers each of the policies and standards set forth by 201 CMR 17.00.

NIST Cyber Security Framework (CSF) Written Information Security Program (WISP)

The NIST Cybersecurity Framework (CSF)-based Written Information Security Program (WISP) is a set of cyber security policies and standards suited to smaller organizations that do not need to address the more rigorous requirements found in ISO 27002 or NIST 800-53.

It covers each of the policies and standards set forth by NIST.

ISO 27002 Written Information Security Program (WISP)

Compared with other cyber security frameworks, ISO 27002 sits in the middle of the spectrum in terms of the topics it covers.

ISO 27002 is well suited to small and medium-sized businesses that need a comprehensive framework to manage their company’s information security program. The ISO 27002 Written Information Security Program (WISP) lets you implement and document the steps needed to comply with federal, state, and industry laws and regulations.

It covers each of the policies and standards set forth by ISO.

NIST 800-53 (Moderate) Written Information Security Program (WISP)

At its core, this version of the NIST SP 800-53 R5 Written Information Security Program (WISP-LM) is designed to align with the “moderate baseline” controls from NIST SP 800-53 R5.

The NIST WISP is ideal for businesses that control large quantities of sensitive data or that must comply with multiple frameworks, and it covers each of the policies and standards set forth by NIST.

NIST 800-53 (High) Written Information Security Program (WISP)

Based on the topics it covers, the NIST SP 800-53 high WISP is on the more robust end of the spectrum. NIST SP 800-53 rev5 consists of 20 families of cyber security and privacy controls.

It is suited to medium-sized businesses that deal with large quantities of sensitive data or that must comply with multiple frameworks.

Above all, the NIST SP 800-53 R5 WISP-LMH has complete coverage for these core frameworks:

  • NIST SP 800-53 R5 (low, moderate, high & privacy baselines – as defined in NIST SP 800-53B)
  • Federal Risk and Authorization Management Program (FedRAMP) (low, moderate, high & Li-SaaS baselines)
  • Federal Acquisition Regulation (FAR) 52.204-21 (cybersecurity requirements)
  • DoD Cybersecurity Maturity Model Certification (CMMC) v1.02 (Maturity Levels 1, 2, 3 & 4 practices)
  • NIST SP 800-171 R2 (CUI & NFO controls)
  • NIST SP 800-172 (controls to protect against Advanced Persistent Threats (APTs))

The following leading practices map to the corresponding NIST SP 800-53 rev5 WISP-LMH standards:

  • AICPA Trust Services Criteria (TSC) (commonly referred to as SOC 2 controls)
  • CERT Resilience Management Model (CERT RMM) v1.2
  • Center for Internet Security Critical Security Controls (CIS CSC) v7.1 (commonly referred to as the SANS Top 20)
  • Fair & Accurate Credit Transactions Act (FACTA)
  • Generally Accepted Privacy Principles (GAPP)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • ISO 27002:2013
  • IRS 1075
  • MA 201 CMR 17.00
  • North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
  • National Industrial Security Program Operating Manual (NISPOM)
  • NIST Cybersecurity Framework (NIST CSF) v1.1
  • NY 23 NYCRR 500
  • Oregon Consumer Identity Theft Protection Act (OR 646A)
  • Payment Card Industry Data Security Standard (PCI DSS) v3.2.1
  • Secure Controls Framework (SCF)
  • UK Cyber Essentials

The NIST 800-53 high WISP covers each of the policies and standards set forth by NIST.

Written Information Security Programs

If your organization is looking to implement a WISP, a good place to start is a cyber security assessment, which will highlight which areas of your IT security are the most vulnerable.

You can then build your WISP and implement security controls around the areas that require the most attention. In most cases, businesses that have a WISP are more secure and far less likely to face fines and penalties than their competitors.

If you are looking for more information, feel free to check out our resource center.

Finally, you can always find us on Twitter, LinkedIn, and Facebook.