By Kimberly Connella | July 22, 2022 | 0 Comments
A Written Information Security Program (WISP) is a document that details an organization’s security controls, processes as well as policies. In other words, a WISP is a roadmap for an organization’s IT security, and in addition, it is legally required by several states.
Also, data security laws are in place to ensure that businesses that own, license, or maintain personal information about residents implement and maintain reasonable security procedures along with practices.
Similarly, the number of states with data security laws has doubled since 2016, reflecting an increase in data breaches coupled with cybercrime.
Additionally, a Written Information Security Program is designed to provide your organization with solid security procedures.
Subsequently, these procedures cannot only reduce your chance of a breach but also limit your liability if one were to occur.
Moreover, a WISP demonstrates to law enforcement and the public that your business has reasonable security measures in place. Likewise, a well-crafted WISP also shows your customers and employees that you value their data and take the responsibility of securing it seriously.
For instance, one of the key elements of a WISP that every business is expected to undertake is a cyber security assessment. A cyber security assessment evaluates and identifies your risks and therefore allows your team to mitigate them in order of magnitude and likelihood of the threat.
Likewise, a cyber security assessment provides your organization with a benchmark of your security so that your team can start building your WISP with greater visibility into your IT security environment.
With that being said, aNetworks offers a free cyber security assessment tool that generates a report on your organization’s security posture, so why not take advantage of that!
Also, running a compliance software like SecureMyComputer can bring your computer(s) to compliance with CIS benchmarks. The scan is free and will give you a score against the current cyber security standards.
Written Information Security Programs (WISPs) can vary greatly in what security controls they cover. Also, the level of how comprehensive your WISP is, will in great part depend on your industry, size, and which state laws you must comply with. As a result, WISPs can fluctuate depending on which security framework your business follows.
Additionally, for most businesses, a WISP is a legal requirement that ensures adequate administrative, technical, and physical safeguards are in place for your business to protect personally identifiable information (PII). Furthermore, a WISP requires proper documentation of these safeguards.
However, apart from the legal obligation of WISPs, creating a well-written and tailored WISP reduces your risk of a data security incident. Furthermore, it allows for a quick response if one were to occur. As a result, in most cases, it’s in the best interest of a business to implement and maintain a WISP.
Additionally, the more detailed and comprehensive your WISP is, the less likely you are to become a victim of a cyber security incident. Moreover, your WISP should be tested and updated frequently. However, a “paper-plan” security program is better than no program at all.
The following is a comprehensive list of states that have enacted data security laws that require a WISP or similar alternative:
Several types of WISPs are uniquely designed to help you comply with different compliance regulations and state laws. The hard part is finding out which one is right for you.
If you are required to comply with HIPAA regulations, then you are also required to implement and maintain a written information security program that documents the policies and standards you have in place to safeguard PHI.
Documentation of policies can be requested at any time by HHS.
As a result, it’s important to have a written information security program (WISP) available at all times that documents how your organization complies with or is working towards complying with each of the requirements outlined in the HIPAA Privacy and Security Rule.
The HIPAA WISP is ideal for health care organizations, their business partners who must comply with the HIPAA Privacy & Security Rules, and it covers each of the policies and standards set forth by HIPAA.
The New York Cyber Security Regulation, officially known as 23 NYCRR 500, is a regulation that requires financial service organizations and their third-party vendors to implement written information security programs.
All documentation and information relevant to the covered entity’s cyber security program can be requested by the NYDFS superintendent at any time.
As a result, it’s important to have the proper documentation that meets each of the requirements outlined in 23 NYCRR 500.
The 23 NYCRR 500 WISP is ideal for financial organizations and their third-party vendors. Additionally, it covers each of the policies and standards set forth by 23 NYCRR 500.
In short, The American Institute of Certified Public Accountants (AICPA) developed its Service Organization Controls (including SOC 2) as an auditing procedure to assist service providers in managing data securely in the cloud to protect client privacy and their organizational interests. SOC 2 compliance is a minimum security requirement for SaaS providers.
AICPA TSC 2017 (SOC 2) was created to ensure secure data management in the cloud. As a result, it applies to almost every SaaS company, as well as any business that stores customer data in the cloud.
SOC 2 refers to both the technical audit process and the requirement that businesses create and follow comprehensive information security and SOC 2 security compliance policies.
The SOC 2 WISP is ideal for SaaS providers and other businesses that rely on storing sensitive data in the cloud.
Massachusetts state law, formally known as 201 CMR 17.00, was put in place to safeguard the personal information of Massachusetts residents. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.
The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth.
The goals of this regulation are to ensure the security and confidentiality of customer information following industry standards.
Additionally, it aims to protect against anticipated threats or hazards to the security or integrity of such information.
Furthermore, it protects against unauthorized access to or use of such information that may result in significant harm or inconvenience to any consumer.
The 201 CMR 17.00 WISP is ideal for Massachusetts businesses that control sensitive data. Moreover, it covers each of the policies and standards set forth by 201 CMR 17.00.
The NIST Cybersecurity Framework (CSF)-based Written Information Security Program (WISP) is a set of cyber security policies and standards suited for smaller organizations. These do not need to address the more rigorous requirements that can be found in ISO 27002 or NIST 800-53.
Subsequently, it covers each of the policies and standards set forth by NIST.
When you look at ISO 27002 as it compares to other cyber security frameworks, it is right in the middle of the spectrum, based on the topics it covers.
The ISO 27002 is perfect for small-medium-sized businesses that need a comprehensive framework to manage their company’s Information Security program. The ISO 27002 Written Information Security Program (WISP) allows you to implement and document the steps to be compliant with federal, state, and industry laws and regulations.
Furthermore, it covers each of the policies and standards set forth by ISO.
At its core, this version of the NIST SP 800-53 R5 Written Information Security Program (WISP-LM) is designed to align with “moderate baseline” controls from NIST SP 800-53 R5.
The NIST WISP is ideal for businesses that control large quantities of sensitive data or those that have to comply with multiple frameworks, and it covers each of the policies and standards set forth by NIST.
Additionally, based on the topics it covers, NIST SP 800-53 high WISP is on the more robust side of the spectrum. NIST SP 800-53 rev5 consists of 20 different families of cyber security as well as privacy controls.
Above all, the NIST SP 800-53 R5 WISP-LMH has complete coverage for these core frameworks:
Similarly, the following leading practices map to the corresponding NIST SP 800-53 rev5 WISP-LMH standards:
The NIST 800-53 high WISP covers each of the policies and standards set forth by NIST.
In short, if your organization is looking to implement a WISP, then a good place to start is a cyber security assessment. Subsequently, an assessment will highlight which areas of your IT security are the most vulnerable.
As a result, you can build your WISP and implement security controls around the areas that require the most attention. In most cases, businesses that have a WISP are more secure and far less likely to face fines and penalties than their competitors.
As another resource, if you are looking for more information, then feel free to check out our resource center.