Why every business needs a WISP

Non-compliance is a risk, and the Attorney General's office carries a big stick for those who don't follow the rules.

If you don't have a written information security program (WISP) in place for your business, then you could be risking data theft, legal action, and punitive fines. The law in many states now dictates that you must take steps to safeguard personal information. They vary in strictness, but there are nearly 50 different regulations you need to cater for if you're doing business across the United States.

You can't afford to bury your head in the sand and assume it will never happen to you. Research from the Identity Theft Resource Center (PDF) shows an alarming rise in incidents of personal data theft every year since they started keeping records. They report 783 breaches last year, compared to just 157 in 2005.

A WISP is not optional

The need to have a WISP is made clear in one of the most stringent of the regulatory bunch, the Massachusetts Data Security Regulations, 201 CMR 17.00 (PDF). Abide by this, and you will probably abide by your own state's data privacy laws.

The Commonwealth of Massachusetts states:

"Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards."

That doesn't just apply to businesses operating in Massachusetts; it applies if you have a single customer living there. If you have a data breach and personal information is stolen, you won't just have the clean-up and reputational damage to worry about: the Attorney General is liable to levy serious fines.

Despite the serious risk of financial penalty, there are still companies without a proper WISP in place. According to a Protiviti survey on data security (PDF) from last year, a third of companies don't have a WISP at all and over 40% lack a data encryption policy.

If you need an idea of the size of the potential risk here, consider that IBM's Cost of Data Breach Study for 2015 put the average consolidated total cost of a data breach at $3.8 million. That's an increase of 23% just since 2013.

Creating a solid WISP

There are lots of things to consider when you create a WISP. Think about how you protect data in transit and at rest. Encryption at all times is vital. Consider the level of access your employees have and what your authentication procedure is. Remember to take into account what happens with personal devices, especially in light of the mobility and BYOD trend. You also need to have a good firewall, anti-virus, and anti-malware protection in place, and it should be updated regularly.

Something that's often overlooked is the importance of applying the same rules to your third-party vendors. Make sure that they comply with your WISP, particularly if you are using a lot of cloud-based services and storing data offsite.

This concern isn't limited just to large organizations. Small businesses are liable too. That's why Massachusetts has a handy guide (available as a PDF) to help small businesses or individuals handling personal information get started on a WISP.

Educating and reviewing

Creating a WISP isn't going to kill the risk of a data breach stone dead: you need to educate your employees about it and make sure that they review it regularly and sign off on it. User awareness is a key component here, and ignorance will never be accepted as an excuse by your customers or by the law. As we mentioned before, that awareness and sign-off should extend to your contractual relations with third parties.

You also need to review the program internally and ensure risks are reevaluated as your business evolves. Consider the impact of new systems, devices, software, partners, and employees. The absolute minimum frequency for review and sign-off on your WISP is annual, but in certain circumstances it will make sense to review more frequently than that, especially when there are changes in the business that might affect it.

Make sure that all the roles and responsibilities are clearly delineated in your WISP, and that employees are empowered to take action when they encounter a problem. There must be a designated person in charge with whom the buck stops.

One final consideration that's worth keeping in mind is that your WISP is not a magic bullet for cybersecurity threats. Compliance will not guarantee that your data is safe, but it's a good opportunity to start building a really solid information security program.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.
