"More than 25 states in the United States now require companies to have a WISP or some alternative form of security measures in place."

‍

What is a Written Information Security Program (WISP)?

A Written Information Security Program, or WISP, documents the measures a business or organization enforces to ensure that personal or sensitive information is secure. WISPs describe exactly what technical and administrative policies and procedures an organization has in place as well as what liabilities they are responsible for in case a security breach does occur. In other words, a WISP is a written plan that certain businesses are required to have to protect customer data.  

Why is it Important to Have a WISP?

A WISP is crucial for any business, especially those that handle sensitive customer information like law firms, healthcare providers, and accounting firms. The following are just a few reasons why you should implement a WISP in your company:

• Required by State: More than 25 states in the United States now require companies to have a WISP or some alternative form of security measures in place. Failure to comply can not only be a costly mistake but an embarrassing one as well.  

• Defense Against Liability: Data breaches are all too common nowadays and are only becoming more frequent as technology continues to improve and advance. Because of this, not having a WISP can be used as evidence of negligence against your company in the event of a data breach.  

• Good Practice: While having a WISP can help an organization avoid compliance and litigation risks, having a WISP in place is simply good practice for any company. Having a document read and understood by the whole organization can help to avoid future data breaches and minimize the fallout from a data breach should one occur.  

What Does a WISP Require?

WISPs require certain technical and administrative safeguards to be in place to ensure that customer information remains secure and confidential. However, a WISP should be a program within an organization, not a policy. Therefore, a WISP needs to describe the systems that run an organization to ensure that sensitive information is protected. Some elements of these systems include:

• Risk Assessment. WISPs generally require a risk assessment to determine what practices an organization needs to implement based on the sensitivity and amount of customer data potentially at risk of a data breach.  

• Minimum Technical Security. WISPs require that computer systems have adequate encryption, anti-malware software, and other perimeter and internal defenses.

• Third-Party Contract Security. Any third parties involved with an organization are required to protect the data at least as adequately as the organization they are working with.  

• Specific Accountability. There must be a designated individual held responsible for implementing the security program.

• Regular Auditing. Regular auditing is necessary to review WISPs and any specific requirements within them on at least an annual basis.

• Employee Training. For the WISP to be effective, employees must be trained on the organization's security requirements.

What Does a WISP Cover?

WISPs significantly vary when it comes to the different security controls that they cover. These differences are due to factors such as the size of your business, the scope of its activities, the industry it operates in, and the relevant state laws. In other words, what a WISP looks like is unique to each business.  

Summary

In conclusion, having a WISP in place shows potential clients and investors that your company takes cybersecurity seriously and is willing to put forth the necessary time, effort, and resources to ensure security. Not only that, but it demonstrates that you value information safety and that your company is ready to keep information secure in the event of a disaster. Sumsion Business Law can help you and your company create a WISP tailored to your needs and the relevant requirements governing your business.  

‍