Cybersecurity and Privacy – What You Need to Know (Part 4 of a Series)

Written Information Security Program (WISP)

A Written Information Security Program is a formal document that addresses cybersecurity policies, procedures and guidelines. You may recognize it by its prior name which was just ‘Information Security Program;’ but, by adding the word ‘Written’ to the name, there is now a formality to the plan that encourages follow through.

What’s included in a WISP?

• A Designated Program Owner – In order to establish accountability for the security program, you will need to designate a person who is responsible for managing the WISP. The person chosen will depend on the size of the company and complexity of the information that is being stored.  Generally, this will be a C-level employee such as a CEO, CFO, or CIO.
• Risk Assessment /Gap Analysis – It is important to detail where the vulnerable data is, how it is housed, and who has access to it. It is important to delineate where the vulnerabilities are and how you are mitigating the risk of these vulnerabilities. 
• Security Policies and Procedures – This should include provisioning user access with both internal employees and external parties. Examine how you are doing this. For example, a policy might be to ‘secure our firewall’ and the procedure says how you will do this.
• Security Awareness & Training – Using the policies and procedures section, make sure everyone knows what they should and shouldn’t do. This is ongoing process that should be reviewed at minimum on an annual basis. This will be determined by the size and complexity of the company and in some cases could be quarterly. Work with your human resources department policies and make sure new employees are primed on security policies and procedures as well as employees who return from a leave of absence. 
• The Monitoring Process – Delineate what controls are in place, what tools are being used, who is monitoring it, and how to respond when there is an event. Once something is brought to attention, what should be done about it initially? What will you do if the problem escalates?
• Periodic Policy Review and Update – This is usually performed on an annual basis but sometimes more frequently. For example, a technology might change which alters how a company performs a certain task. This would need to be updated in the policy and procedures of the WISP. In general, turn to your WISP as a checkpoint whenever your company makes significant changes in business processes rather than waiting to do everything all at once at the end of the year. This will help alleviate any gaps and potential damage that could occur.
• Administrative, Technical, and Physical Safeguards – This includes the protection of the physical technology that holds the data as well as the people allowed to handle the data, both internally and externally through outside vendors.

Need assistance developing your Written Information Security Program (WISP)? Contact EisnerAmper’s Consulting Services group.

The last few blogs in this series have focused on determining risk and the prevention or mitigation of a breach. The next blog in this series covers the equally important Information Security Incident Management Plan which covers how a company will respond when a breach occurs.