While not required by law for your organization, developing and monitoring a WISP can provide benefits, including:

For most organizations, a WISP is a legal requirement that ensures appropriate administrative, technical, and physical safeguards are in place to protect personally identifiable information (PII). A WISP also requires proper documentation of these security precautions. Beyond the legal obligation, a well-written WISP that is customized to the organization reduces the risk of a data security incident and allows a rapid response if an incident does occur. Therefore, in most cases, it is in a company's best interest to implement and maintain a WISP.

This statement is very clear on an important fact: even if your organization is not based in Massachusetts, if you do business with or employ someone who lives in the state and collect personally identifiable information about them, you are subject to this regulation. This means that you are legally required to have a written information security plan. This is not optional, and if you suffer a breach of any kind involving personal data, the absence of a WISP will further aggravate your problems.

A written information security program (WISP) is a document that details an organization's security controls, processes, and policies. In other words, a WISP is a roadmap for an organization's IT security, and it is also required by law in multiple states.
Whether or not there is a legal or contractual obligation to maintain a WISP, a WISP can serve as evidence that an organization has implemented appropriate security measures, which can help manage exposure in the event of a data breach (and potentially prevent the breach altogether). To achieve this goal, the WISP must be accurate, and the actions required to implement and maintain the described program must actually be carried out. The WISP should be tailored to the organization: an organization that collects only a small amount of protected information that is not particularly sensitive does not need security measures as extensive as those of an organization that collects health or financial information from individuals. Note, however, that almost all organizations hold proprietary information that is confidential, such as employee information.

In addition to the legal requirements mentioned above, a WISP is vital to the security of your business, because it is much more than a written document with security guidelines. Rather, a WISP serves as a dynamic framework for your organization's overall cybersecurity strategy, defining specific protocols and roles for your organization's unique position. A comprehensive written information security program determines not only what to do in the event of a breach, but also how to remedy the situation and who within the organization is responsible for taking those actions. Beyond defining the key actions to take during and after a security incident, a well-designed WISP also dictates processes that reduce the risk of a breach in the first place.

The bottom line is that if you deal with Massachusetts residents as customers or employees of your business, you need a WISP. If you need help implementing a written information security program in your organization, contact the Envision team today.
Our security experts have worked with companies of all sizes in a variety of industries, and we can help you protect your business and ensure you're compliant with Massachusetts and other security regulations.

Written information security programs (WISPs) can vary greatly in the security controls they cover. How comprehensive your WISP needs to be largely depends on your industry, your size, and the state laws you must comply with. As a result, WISPs differ depending on the security infrastructure your organization follows. It is therefore important to have correct documentation that meets all the requirements outlined in 23 NYCRR 500. The 201 CMR 17.00 WISP is ideal for Massachusetts businesses that control sensitive data, and it covers all the guidelines and standards set out in 201 CMR 17.00.

A WISP is a written information security program that documents the measures an organization takes to secure and protect the confidentiality and integrity of personal data or other sensitive information ("Protected Information") that the organization collects, processes, creates, uses, and stores. The WISP generally describes the objectives of the program and includes information on the implementation and maintenance of administrative, technical, and physical safeguards for the protected information the organization holds, receives, or uses. A WISP usually provides an overview rather than specific details (which are left to the underlying guidelines). Because it is an overarching policy rather than a description of specific actions, a WISP is often shared with outsiders such as data subjects and customers, especially when the organization is expected to access or process its customers' protected information. Most companies hold more protected information than they realize, for example employee information and information collected through the analytics or backend of most websites.
It then covers all policies and standards set by NIST.