
Written Information Security Plan

What is a WISP and why is it required?

A Written Information Security Plan (WISP) for your business is just one part of what business professionals need to protect their clients and themselves. Creating a WISP is an often-overlooked but critical component. Not only is a WISP essential for your business and a good business practice, but many laws and regulations require you to have one. For many business professionals, knowing where to start when developing a WISP is difficult.
 
There are multiple considerations necessary to create a security plan that protects your business and your clients and complies with the law. They span geographies, industries, and even global regions. For example, the Gramm-Leach-Bliley Act (GLBA) is a U.S. law that requires financial institutions to protect customer data. In its implementation of the GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule to outline measures that are required to be in place to keep customer data safe. One requirement of the Safeguards Rule is implementing a WISP. Under the GLBA, financial institutions subject to the Safeguards Rule include mortgage brokers, real estate appraisers, universities, nonbank lenders, and check-cashing businesses. As a part of the plan, the FTC requires each firm to:
  • Designate one or more employees to coordinate its information security program 
  • Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks 
  • Design and implement a safeguards program, and regularly monitor and test it 
  • Select service providers that can maintain appropriate safeguards, ensure your contract requires them to maintain safeguards, and oversee their handling of customer information 
  • Evaluate and adjust the program considering relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring

TEKRiSQ can help create a WISP and refer well-qualified legal advisors to guide you through the evolution of processes as your business grows.