What is a Written Information Security Program (WISP)?


By Bill Minahan   |   December 11, 2020   |   7 Comments

What is a Written Information Security Program?

A Written Information Security Program (WISP) is a document that details an organization’s security controls, processes, and policies. A WISP is a roadmap for an organization’s IT security and is legally required by several states.

Data security laws are in place to ensure that businesses that own, license, or maintain personal information about residents implement and maintain reasonable security procedures and practices.

The number of states with data security laws has doubled since 2016, reflecting an increase in data breaches and cyber crime.

A Written Information Security Program is designed to provide your organization with solid security procedures that not only reduce your chance of a breach but also limit your liability if one were to occur.

A WISP demonstrates to law enforcement and the public that your business has reasonable security measures in place. Likewise, a well-crafted WISP also shows your customers and employees that you value their data and take the responsibility of securing it seriously.

For instance, one of the key elements of a WISP that every business is expected to undertake is a cyber security assessment. A cyber security assessment evaluates and identifies your risks and therefore allows your team to mitigate them in order of magnitude and likelihood of the threat.

A cyber security assessment provides your organization with a benchmark of your security so that your team can start building your WISP with greater visibility into your IT security environment.

aNetworks offers a free cyber security assessment tool that generates a report on your organization’s security posture.

What does a WISP cover?

Written Information Security Programs (WISPs) can vary greatly in what security controls they cover. How comprehensive your WISP is will depend on your industry, size, and which state laws you must comply with. As a result, the contents of a WISP also vary depending on which security framework your business follows.

For the vast majority of businesses, a WISP is a legal requirement that ensures adequate administrative, technical, and physical safeguards are in place for your business to protect personally identifiable information (PII). Furthermore, a WISP requires proper documentation of these safeguards.

Specifically, WISPs address the following security areas:

  • Designating employees responsible for the security program
  • Identifying as well as assessing security risks
  • Developing policies for the storage, access, and transportation of personal information
  • Imposing disciplinary measures for violations of the WISP
  • Limiting access by or to terminated employees
  • Overseeing the security practices of third-party vendors as well as contractors
  • Restricting physical and digital access to records
  • Monitoring and then reviewing the scope and effectiveness of the WISP
  • Documenting data security incidents and responses

There are also certain technical requirements of WISPs, which can include the following:

  • Securing users' credentials
  • Restricting access to PII on a need-to-know basis
  • Encrypting the transmission and storage of personal information
  • Monitoring security systems
  • Updating firewalls, security patches, anti-virus, and anti-malware software
  • Training employees on security policies as well as the proper use of computer security systems

Apart from the legal obligation of WISPs, creating a well-written and tailored WISP reduces your risk of a data security incident. Furthermore, it allows for a quick response if one were to occur. As a result, in most cases, it’s in the best interest of a business to implement and maintain a WISP.

The more detailed and comprehensive your WISP is, the less likely you are to become a victim of a cyber security incident. Your WISP should be tested and updated frequently. However, a “paper-plan” security program is better than no program at all.

Which states require a Written Information Security Program?

The following is a comprehensive list of states that have enacted data security laws that require a WISP or similar alternative:

  • Alabama: 2018 SB 318
  • Arkansas: Ark. Code § 4-110-104(b)
  • California: Calif. Civil Code § 1798.91.04
  • Colorado: Colo. Rev. Stat. § 6-1-713 to -713.5
  • Connecticut: Conn. Gen. Stat. § 38a-999b, Conn. Gen. Stat. § 4e-70
  • Delaware: Del. Code § 12B-100
  • Florida: Fla. Stat. § 501.171(2)
  • Illinois: 815 ILCS 530/45
  • Indiana: Ind. Code § 24-4.9-3-3..5(c)
  • Kansas: K.S. § 50-6,139b
  • Louisiana: La. Rev. Stat. § 3074 (2018 SB 361)
  • Maryland: Md. Code Com Law §§ 14-3501 to -3503
  • Massachusetts: Mass. Gen. Laws Ch. 93H § 2(a)
  • Minnesota: Minn. Stat. § 325M.05
  • Nebraska: Neb. Rev. Stat. §§ 87-801-807 (2018 L.B. 757)
  • Nevada: Nev. Rev. Stat. §§ 603A.210, 603A.215(2)
  • New Mexico: N.M. Stat. § 57-12C-4 to -5
  • New York: New York Gen. Bus. Law § 899-BB
  • Ohio: Ohio Rev. Stat. § 1354.01 to 1354.05 (2018 S.B. 220)
  • Oregon: Or. Rev. Stat § 646A.622
  • Rhode Island: R.I. Gen. Laws § 11-49.3-2
  • South Carolina: S.C. Code § 38-99-10 to -100. (2018 HB 4655)
  • Texas: Tex. Bus. & Com. Code § 521.052
  • Utah: Utah Code §§ 13-44-101, -201, 301
  • Vermont: 9 V.S.A § 2446-2447 (2018 HB 764)
  • District of Columbia: 2020 B 215 (enacted; under Congressional review)

If you are interested in the specific requirements your state imposes for data security laws, then please contact us. Our compliance experts are versed in data security laws throughout the U.S. and have ample experience meeting compliance requirements for a variety of frameworks. As a result, we can quickly and efficiently determine which WISP framework works best for your business in order to save you both time and money.

Which Written Information Security Program is right for you?

There are several types of WISPs that are uniquely designed to help you comply with different compliance regulations and state laws. The hard part is finding out which one is right for you.

aNetworks provides WISPs based on the types of data you control and the compliance regulations you may be obligated to follow. Below you can find a list of the different WISPs available to help you decide which one is best for you. If you need help determining which WISP is right for you, then please contact us and we will help you decide.

HIPAA Written Information Security Program (WISP)

If you are required to comply with HIPAA regulations, then you are also required to implement and maintain a written information security program that documents the policies and standards you have in place to safeguard PHI.

Documentation of policies can be requested at any time by HHS.

As a result, it’s important to have a written information security program (WISP) available at all times that documents how your organization complies with or is working towards complying with each of the requirements set forth in the HIPAA Privacy and Security Rule.

aNetworks, Inc. provides customized WISPs that comply with HIPAA for covered entities as well as their business associates, who are also required to implement and maintain WISPs. This is a comprehensive, editable, easily implemented document that contains the policies, control objectives, standards, and guidelines your company needs to secure data and meet HIPAA compliance requirements.

The HIPAA WISP is ideal for health care organizations and their business partners who must comply with the HIPAA Privacy & Security Rules.

Apart from being completely customizable, our HIPAA WISP is a fraction of the cost of writing one yourself or hiring an outside consultant to write one for you and it covers each of the policies and standards set forth by HIPAA.

For pricing information and more details on our HIPAA WISP click here.

23 NYCRR 500 Written Information Security Program (WISP)

The New York Cyber Security Regulation, officially known as 23 NYCRR 500, is a regulation that requires financial service organizations and their third-party vendors to implement written information security programs.

All documentation and information relevant to the covered entity’s cyber security program can be requested by the NYDFS superintendent at any time.

As a result, it’s important to have the proper documentation that meets each of the requirements set forth in 23 NYCRR 500.

aNetworks, Inc. provides customized WISPs that comply with 23 NYCRR 500. This is a comprehensive, editable, easily implemented document that contains the policies, control objectives, standards, and guidelines your company needs to secure data and meet NY compliance requirements.

The 23 NYCRR 500 WISP is ideal for financial organizations and their third-party vendors.

Apart from being completely customizable, our NYCRR WISP is a fraction of the cost of writing one yourself or hiring an outside consultant to write one for you and it covers each of the policies and standards set forth by 23 NYCRR 500.

For pricing information and more details on our 23 NYCRR 500 WISP click here.

AICPA TSC 2017 SOC 2 Written Information Security Program (WISP)

The American Institute of Certified Public Accountants (AICPA) developed its Service Organization Controls (including SOC 2) as an auditing procedure to assist service providers in managing data securely in the cloud to protect client privacy and their own organizational interests. SOC 2 compliance is a minimum security requirement for SaaS providers.

AICPA TSC 2017 (SOC 2) was created to ensure secure data management in the cloud; as a result, it applies to almost every SaaS company, as well as any business that stores customer data in the cloud.

SOC 2 refers to both the technical audit process and the requirement that businesses create and follow comprehensive information security and SOC 2 security compliance policies.

aNetworks, Inc. provides customized WISPs that comply with SOC 2. This is a comprehensive, editable, easily implemented document that contains the policies, control objectives, standards, and guidelines your company needs to secure data and meet SOC 2 compliance requirements.

The SOC 2 WISP is ideal for SaaS providers and other businesses that rely on storing sensitive data in the cloud.

Apart from being completely customizable, our SOC 2 WISP is a fraction of the cost of writing one yourself or hiring an outside consultant to write one for you, and it covers each of the policies and standards set forth by AICPA TSC 2017 (SOC 2).

For pricing information and more details on our AICPA TSC 2017 (SOC 2) WISP click here.

201 CMR 17.00 Written Information Security Program (WISP)

Massachusetts state law, formally known as 201 CMR 17.00, was put in place to safeguard the personal information of Massachusetts residents. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.

The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth.

The objectives of this regulation are to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards; to protect against anticipated threats or hazards to the security or integrity of such information; and to protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

aNetworks, Inc. provides customized WISPs that comply with 201 CMR 17.00. This is a comprehensive, editable, easily implemented document that contains the policies, control objectives, standards, and guidelines your company needs to secure data and meet MA compliance requirements.

The 201 CMR 17.00 WISP is ideal for Massachusetts businesses that control sensitive data.

Apart from being completely customizable, our Mass CMR WISP is a fraction of the cost of writing one yourself or hiring an outside consultant to write one for you and it covers each of the policies and standards set forth by 201 CMR 17.00.

For pricing information and more details on our 201 CMR 17.00 WISP click here.

NIST Cyber Security Framework (CSF) Written Information Security Program (WISP)

The NIST Cybersecurity Framework (CSF)-based Written Information Security Program (WISP) is a set of cyber security policies and standards suited for smaller organizations that do not need to address more rigorous requirements that are found in ISO 27002 or NIST 800-53.

This WISP product is ideal for organizations that control sensitive data and need to align with the leading cyber security best practices, but do not have multiple compliance, statutory, regulatory, and contractual obligations that require a more robust cyber security framework.

For this reason, the NIST CSF version of our WISP is very popular with insurance brokers, smaller financial organizations, law firms, and other small organizations.

Apart from being completely customizable, our NIST CSF WISP is a fraction of the cost of writing one yourself or hiring an outside consultant to write one for you and it covers each of the policies and standards set forth by NIST.

For pricing information and more details on our NIST Cyber Security Framework WISP click here.

ISO 27002 Written Information Security Program (WISP)

When you look at ISO 27002 as it compares to other cyber security frameworks, it is right in the middle of the spectrum, based on the topics it covers. Our ISO 27002 WISP consists of 14 different sections that correspond to a specific set of cybersecurity controls.

The ISO 27002 WISP is ideal for small to medium-sized businesses that need a comprehensive framework in order to manage their company’s information security program. The ISO 27002 Written Information Security Program (WISP) allows you to implement and document the steps needed to comply with federal, state, and industry laws and regulations.

Our ISO 27002 WISP is a customizable document that you can adjust to fit the needs or compliance requirements of your organization.

Apart from being completely customizable, our ISO 27002 WISP is a fraction of the cost of writing one yourself or hiring an outside consultant to write one for you and it covers each of the policies and standards set forth by ISO.

For pricing information and more details on our ISO 27002 WISP click here.

NIST 800-53 (Moderate) Written Information Security Program (WISP)

At its core, this version of the NIST SP 800-53 R5 Written Information Security Program (WISP-LM) is designed to align with “moderate baseline” controls from NIST SP 800-53 R5.

The NIST WISP is ideal for businesses that control large quantities of sensitive data or those that have to comply with multiple frameworks.

The following leading practices are mapped to the corresponding NIST SP 800-53 rev5 WISP-LM standards and included as part of your purchase:

  • AICPA Trust Services Criteria (TSC) (commonly referred to as SOC 2 controls)
  • CERT Resilience Management Model (CERT RMM) v1.2
  • Center for Internet Security Critical Security Controls (CIS CSC) v7.1 (commonly referred to as the SANS Top 20)
  • Fair & Accurate Credit Transactions Act (FACTA)
  • Generally Accepted Privacy Principles (GAPP)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • ISO 27002:2013
  • IRS 1075
  • MA 201 CMR 17.00
  • North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
  • National Industrial Security Program Operating Manual (NISPOM)
  • NIST Cybersecurity Framework (NIST CSF) v1.1
  • NIST SP 800-172 (controls to protect against Advanced Persistent Threats (APTs))
  • NY 23 NYCRR 500
  • Oregon Consumer Identity Theft Protection Act (OR 646A)
  • Payment Card Industry Data Security Standard (PCI DSS) v3.2.1
  • Secure Controls Framework (SCF)
  • UK Cyber Essentials

Apart from being completely customizable, our NIST 800-53 moderate WISP is a fraction of the cost of writing one yourself or hiring an outside consultant to write one for you and it covers each of the policies and standards set forth by NIST.

For pricing information and more details on our NIST 800-53 Moderate WISP click here.

NIST 800-53 (High) Written Information Security Program (WISP)

Based on the topics it covers, the NIST SP 800-53 high WISP is on the more robust side of the spectrum. NIST SP 800-53 rev5 consists of 20 different families of cyber security and privacy controls.

It is ideal for medium-sized businesses that deal with large quantities of sensitive data or those that must comply with multiple frameworks.

The NIST SP 800-53 R5 WISP-LMH has complete coverage for these core frameworks:

  • NIST SP 800-53 R5 (low, moderate, high & privacy baselines – as defined in NIST SP 800-53B)
  • Federal Risk and Authorization Management Program (FedRAMP) (low, moderate, high & Li-SaaS baselines)
  • Federal Acquisition Regulation (FAR) 52.204-21 (cybersecurity requirements)
  • DoD Cybersecurity Maturity Model Certification (CMMC) v1.02 (Maturity Levels 1, 2, 3 & 4 practices)
  • NIST SP 800-171 R2 (CUI & NFO controls)
  • NIST SP 800-172 (controls to protect against Advanced Persistent Threats (APTs))

The following leading practices map to the corresponding NIST SP 800-53 rev5 WISP-LMH standards and are included as part of your purchase:

  • AICPA Trust Services Criteria (TSC) (commonly referred to as SOC 2 controls)
  • CERT Resilience Management Model (CERT RMM) v1.2
  • Center for Internet Security Critical Security Controls (CIS CSC) v7.1 (commonly referred to as the SANS Top 20)
  • Fair & Accurate Credit Transactions Act (FACTA)
  • Generally Accepted Privacy Principles (GAPP)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • ISO 27002:2013
  • IRS 1075
  • MA 201 CMR 17.00
  • North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
  • National Industrial Security Program Operating Manual (NISPOM)
  • NIST Cybersecurity Framework (NIST CSF) v1.1
  • NY 23 NYCRR 500
  • Oregon Consumer Identity Theft Protection Act (OR 646A)
  • Payment Card Industry Data Security Standard (PCI DSS) v3.2.1
  • Secure Controls Framework (SCF)
  • UK Cyber Essentials

Apart from being completely customizable, our NIST 800-53 high WISP is a fraction of the cost of writing one yourself or hiring an outside consultant to write one for you and it covers each of the policies and standards set forth by NIST.

For pricing information and more details on our NIST 800-53 (high) WISP click here.

Written Information Security Programs

If your organization is looking to implement a WISP, then a good place to start is a cyber security assessment. An assessment will highlight which areas of your IT security are the most vulnerable as well as give our team a better idea of which WISP will best suit your organization.

As a result, you can build your WISP and implement security controls around the areas that require the most attention. In most cases, businesses that have a WISP are more secure and far less likely to face fines and penalties than their competitors.

If you are looking to outsource your written information security program, then aNetworks provides writing services as well as implementation services.

If interested in a WISP, then please fill out the form below. We will send a quote over within 24 hours.


Additionally, you can call us at 855-459-6600.

If you are looking for more information, then check out our resource center.

Finally, you can always find us on Twitter, LinkedIn, and Facebook.

Comments

Galimi

December 22, 2020 | 6:22 pm

Did not know my state required a WISP. Thank you for the info.

Zoe Cullen

August 11, 2020 | 8:39 am

Of course!

Doretha

August 9, 2020 | 1:24 am

Hello! Would you mind if I share your blog with my twitter group? There's a lot of folks that I think would really appreciate your content. Please let me know.

Anne

August 8, 2020 | 3:22 pm

I visited multiple web sites however this explanation is truly excellent.

jamila

August 8, 2020 | 9:36 am

Great, you gained a new reader.

Ara

August 7, 2020 | 11:08 pm

Helpful blog from start to end.

marisa

August 7, 2020 | 8:10 pm

Keep up writing.