How to Fix the Technobabble Snafu

Posted on August 20, 2024August 20, 2024 by Writing for Results

STE, simplified technical english, ASD STE100, controlled language, technical texts, technical documentation, ASD Simplified Technical English Specification, non-native English speakers, ASD-STE100 Rules, ASD-STE100 Issue 7 free download

How to Fix The Technobabble Snafu

Technobabble has become so much a part of our lives that we often don’t see the snafus it can create. It is a language unto itself: It is a technical language that is difficult for ordinary people to understand. Technobabble is well-defined as a type of nonsense that consists of buzzwords, esoteric language, or technical jargon. There is little question that technobabble has its place. But the world is changing and the need to communicate information to diverse audiences requires an approach that the entire audience–not just part of it–can understand. Simplified English might be the answer.

A Technobabble Snafu

“Complex technical instructions can be misunderstood and misunderstandings can lead to accidents. STE makes technical texts easy to understand by all readers”

Some Assembly Required

Some Assembly Required is rarely a reason to buy a product and is often a reason to not buy it. The directions may be unclear and likely written in text so small that you have to find the Internet version just to read it. It would be a pleasant surprise if the manual were written in Simplified Technical English that virtually anyone can understand.

Understandable directions, laid out with graphics that actually relate to the product, help to sell it. The fact that a manual can be understood by a broad audience does not diminish the product: It makes it more accessible and more marketable. In fact, any text written so that it can be understood is more engaging and the content is easily understood.

Avoid Your own Technobabble Snafu!

We can help you communicate in Simplified Technical English or just Plain English. Either way, your audience will be engaged in and easily understand your message.

A Technobabble Transformation

A group of engineers were set to update a Code written in the last century. But this would be no easy task because they had no real interest in enabling a wide range of people to crack the Code. Even the promise of protecting the technical integrity of the Code was not appealing. But change was coming so they had to make the best of it. Ultimately, with a few dissenters still unwilling to accept all of the changes, a consensus produced a clear, unambiguous Code. Their story can be downloaded below.

Leveraging STE

Case study of a Simplified Technical English (STE) conversion in the Engineering sector. The conversion was intended to remove the archaic wording and make the text easier to translate and understand. The transformation resulted in reduced cost and better translations.

Case Study of STE Transformation in Engineering Sector

Translations

Why not just translate the documentation?

For highly technical documents, Simplified Technical English may be more appropriate than Plain Language. The controlled language with its technical dictionaries may better transform these texts into clear, unambiguous documentation. Also, there are times when it is important for all readers to understand the content in English. Once in English, it can be translated into other languages.

“STE was developed to help the readers of English-language documentation understand what they read, particularly when these readers are non-native English speakers.” – ASD-STE100

Translation, however, is not the only consideration here because non-native speakers as an audience is not the only issue. Documentation in simplified English must also bridge the chasm between native speakers who speak English (or any language) well and those who do not. This is especially true for training documentation where everyone from upper management to supervisors to workers must be on the same page. Standard operating procedures, likewise, must be clearly understood by everyone affected by them.

English, Simplified, Might Solve Many Technobabble Snafus

As every business must look for roadblocks that would disrupt their operation, they must also be aware of roadblocks that disrupt communication. Concerns about reducing documentation content to its lowest level of understanding must be replaced by the intent to make information available to the widest possible audience. Simplified Technical English and Plain Language can do just that.

Simplified Technical English

ASD-STE100, also known as Simplified Technical English (STE), is a specification for writing technical documentation in a simplified language that is easy to understand for a global audience.

This can help improve safety, reduce errors, and increase efficiency in various industries where technical documentation plays a critical role.

-Simplifying the Complex: ASD-STE100 (Simplified Technical English)

STE Lanuage Rules

Restrict sentence length to no more than 20 words (procedural sentences) or 25 words (descriptive sentences)
Restrict paragraphs to no more than six sentences (in descriptive text)
Avoid slang and jargon while allowing for specific terminology
Make instructions as specific as possible
Use articles such as “a/an” and “the” wherever possible
Use simple verb tenses (past, present, and future)
Use active voice
Do not use present participles or gerunds (unless part of a Technical Name)
Write sequential steps as separate sentences
Start a safety instruction (a warning or a caution) with a clear and simple command or condition.

Before and After Comparison of Plain English Transformation

Before

Traditional RPA are the software programs used for simple tasks that don’t require decision making or cognitive activity. These types of bots are also called rule-based systems as they require a set of rules on how to perform a task, where to log in, what data to collect, and where to transfer it.

In general, robotic process automation refers to rule-based bots, which are good for simple tasks and scaling to thousands of automated processes.

After

Traditional RPA is software programs. These programs do simple tasks. These tasks do not require decision-making activity.

These types of programs are also called rule-based systems. This is because they require a set of rules:

How to perform a task
Where to log in
What data to collect
Where to transfer data.

In general, robotic process automation refers to rule-based programs that are good for:

Simple tasks
Scaling to thousands of automated processes.

Avoid Your own Technobabble Snafu!

As Einstein said, “Everything should be made as simple as possible, but not simpler.” We can help you reach a broad audience without burying the content–and context–of your message.

…in Plain Language

Plain language is grammatically correct and universally understood language that includes complete sentence structure and accurate word usage. Plain language is not unprofessional writing or a method of “dumbing down” or “talking down” to the reader.

Plain English

Writing that is clear and to the point helps improve all communication as it takes less time to read and comprehend. Clear writing tells the reader exactly what the reader needs to know without using unnecessary words or expressions. Communicating clearly is its own reward as it saves time and money. It also improves reader response to messages. Using plain language avoids creating barriers that set us apart from the people with whom we are communicating.

-Office of Personnel Management

Plain Language Guidelines Download

Plain Lanuage Rules

Write for your reader, not yourself. Use pronouns when you can.
State your major point(s) first before going into details.
Stick to your topic. Limit each paragraph to one idea and keep it short.
Write in active voice. Use the passive voice only in rare cases.
Use short sentences as much as possible.
Use everyday words. If you must use technical terms, explain them on the first reference.
Omit unneeded words.
Keep the subject and verb close together.
Use headings, lists, and tables to make reading easier.
Proofread your work, and have a colleague proof it as well.

Before and After Comparison of Plain English Transformation

Before

Right of use means any authorization issued under this part that allows use of Outer Continental Shelf lands. Right of use means any authorization under this part to use Outer Continental Shelf lands.

This rule proposes the Spring/Summer subsistence harvest regulations in Alaska for migratory birds that expire on August 31, 2023. This rule proposes the Spring/Summer subsistence harvest regulations for migratory birds in Alaska. The regulations will expire on August 31, 2023.

This regulation governs disaster assistance for services to prevent hardship caused by fire, flood, or acts of nature that are not provided by FEMA or the Red Cross.

After

Right of use means any authorization under this part to use Outer Continental Shelf lands.

This rule proposes the Spring/Summer subsistence harvest regulations in Alaska for migratory birds that expire on August 31, 2003. This rule proposes the Spring/Summer subsistence harvest regulations for migratory birds in Alaska. The regulations will expire on August 31, 2003.

This regulation governs disaster assistance for services to prevent hardship caused by fire, flood, or acts of nature that are not provided by FEMA or the Red Cross. This regulation governs disaster assistance that:

Consists of services to prevent hardship caused by fire, flood, or acts of nature; and
Is furnished by a provider other than FEMA or the Red Cross.

Use Cases for STE and Plain Language?

Simplified Technical English

STE addresses difficulties in English comprehension related to complex sentence structures and the following documentation might benefit the most from using it.

Plain Language (English)

Plain language is communication your audience can understand the first time they read or hear it. A wide range of documentation can benefit from this approach, including:

Why Work With Us?

We are creative, believers in critical thought. Our layouts are sophisticated and appropriate, effective. Our work is informative and engaging. We speak simplified technical English. Let our technical writing services save you time, money, revisions and failed presentations.

GET IN TOUCH

Do You Want to Turn Your Technobabble into Unambiguous Clarity?

Let’s Talk

A Successful Business Plan for a Reinvented Company

Posted on August 7, 2024August 8, 2024 by Writing for Results

business plans, business plan writers, business plan writing services, professional business plan, one page business plan, feasiility plan, live canvas, business model, Customer Segments, Customer Relationships, Channels, Revenue Streams, Key Activities, Key Resources, Key Partners, Cost Structure, Value Proposition, target market

A Business Plan For a Reinvented Business

The Challenge

A startup security operations center that planned to enter the healthcare cybersecurity market had created a business plan that was rejected by four different lenders.

The Company was trapped in its vision and had fallen prey to one of the most common mistakes for businesses of any size. Build it and they will come works very well in a movie but not necessarily for a startup. This Company had already invested $3,500,000 into their project because they knew they could get the business. And, they didn’t think they should have to explain how they would get the business.

They had allowed their vision for the Company to obscure the reality of their situation. A comprehensive business plan that combined vision with validated market and competitive data could likely have precluded this outcome.

Background

A Security Analyst Station

Security Training Documents

Incident Response Flowchart

CyberHealthData was a startup with ambitions to be a major player in the managed security services arena. Their business plan was filled with beautiful pictures of their adaptive reuse of a facility that now housed thirty monitoring workstations as the cornerstone of their Security Operations Center.

They had put their first year revenue at $10,000,000, increasing to $20,000,000 over five years. Their projections were based on the assumption that they would be effectively competing with such high-profile players as Palo Alto Networks and Fortinet. The business plan had been written to obtain funding for the money already spent on the adaptive reuse project and to obtain working capital for the next phase, which was marketing, client acquisition and hiring.

While it is true that the plan lacked any specific, detailed information about the current market, their target market, how the SOC would run, how it would be staffed, how they would find clients, that is not why the business plan was rejected by several lenders. It was quite simple: Every lender felt that the most serous omission was why they thought they were going to be able to compete with companies like Palo Alto and Fortinet.

What they needed was a business plan that was reasonable enough and solid enough that they could obtain funding–a way to make their vision viable.

Need a Professional Business plan?

We can create anything from a lean startup one-page plan to a traditional comprehensive plan not limited by the number of pages.

The Solution

The nine building blocks of the building model canvas are: Customer Segments, Customer Relationships, Channels, Revenue Streams, Key Activities, Key Resources, Key Partners, Cost Structure, and Value Proposition. This framework was used prior to creating the business plan so that the Company could evaluate their proposed operation holistically, to see how all of the parts fit together. Their vision was set aside for this activity, as the focus was only on the business model framework and not the operations that supported it.

While not part of the original Business Model Canvas concept, the blocks were prioritized according to their importance to the solution. There were some issues more critical than others that had to be resolved.

Key Activities

Before anything else, key activities had to be identified. The only way that the feasibility of the venture could be assessed was to identify what the Company wanted to offer.

Customer Segments

Customer segmentation was next to create a realistic profile of the customers they could expect for their services.

Revenue Streams

The anticipated revenue streams were identified: All of them were related to the operation of the SOC.

Value Proposition

Based on what was in the rest of their business model canvas, the Company created their value proposition.

DOWNLOAD THE BUSINESS MODEL CANVAS HERE

CyberHealthData had identified their key operations as those relating to a fully-functioning security operations center (SOC); and to the use of the facility for training. Their customer profile was that of small to medium size healthcare operations in their state, expanding to those in the region. A separate item in this section, however, was their intent to obtain large accounts such as local universities and hospitals. Their revenue streams involved two distinct sources: First were the clients served by the SOC. Another source identified was education and training of high school students. The state in which they are located offers a $7500 stipend for cybersecurity training when the facility is qualified. Their facility qualified. That said, their financial projections did not include the student training because they considered it to be an insignificant part of their revenue. Their value proposition centered on the fact that the facility had been constructed and that they had hired cybersecurity specialists as management personnel.

The solution resulted from a realistic assessment of their business model canvas and the use of market data that would better enable them to make a decision. A critical consideration was their competition. A random survey was done of small and medium size healthcare facilities in the state to determine what cybersecurity measures they had in place. Over 75% of them used online managed service providers. Larger organizations such as university health centers had their cybersecurity programs developed by firms such as Palo Alto Networks and Fortinet.

At this point, the Company had to reevaluate the model they had created so that they could present a viable proposal to lenders. The model was then completely restructured. The decision was made to come up with a model that did not include providing managed SOC services.

There are 1.12 million high school students enrolled in the state in 2024. Each of those students potentially has a chance to receive one of the $6500 stipend ($5000 of which would accrue to CyberHealthData). In operating year one, if the program captured only .04% of those student as trainees, annual revenue would be $2,500,000. While this was a quarter of what they had originally projected, it was based on a solid business model that had the potential to grow as reinvestment into the Company was made. The facility currently houses 10 security monitoring stations. The new plan was to operate this as a training center for 50 weeks a year with 500 students completing the hands-on training and some remote study.

The value proposition then increased dramatically. In addition to a stable operation, the facility would provide job training for the many cybersecurity incident response analyst positions that remained unfilled. It would also provide an incentive to keep students in school since the high school population was rapidly decreasing.

The Result

Actionable Business Plan

The most important thing that resulted from this process was an actionable business plan that got the Company the funding they needed–even if it was not what they originally wanted.

Depending on their size, our business plans may include many sections that are not routinely found in other plans. But we believe they are what makes our plans so successful:

Reasonable business model that is viable
Area-specific target market analysis–whether the market is for an Internet based business or a local business
Market analysis using current information
2024 demographic information
Risk assessment and scenario planning
A mini-economic analysis to show the impact of an operation on the market and population in which it operates.

Business Plans

Problems Solved

Business Model: A sustainable business model evolved that would ensure a profitable, stable operation that could weather economic variances.
Target Market: An entirely new target market was identified but it was one that already existed as an available market and one for which the Company was already guaranteed a share.
Competition: The new model eliminated any concerns about how the Company would compete in an already-crowded arena with many high-profile players. With only one other vendor in the state offering similar training programs, they could establish a much higher profile in this arena.
Revenue streams: This source of revenue was one that could be more easily validated contracts, letters of authorization, etc.
Physical Facility: Even with the reduced level of revenue, it was reasonable enough that lenders would believe that payments could be made from projected revenue.
Vision: They could now create a vision and goals that were attainable.

Strategic Plans

This was a traditional, comprehensive plan but the Business Model Canvas is often used as the basis for a lean startup one-page plan, which we also create. The names and locations were changed.

Why Work With Us?

We are creative and logical, believers in originality and critical thought. Our layouts are sophisticated and appropriate, effective. Our work is informative and engaging. Let our technical writing services save you time, money, revisions and failed presentations.

HOW CAN WE HELP?

Hooked by Spear Phishing Bait: An Easy Catch

Posted on June 3, 2024June 30, 2024 by Writing for Results

zero trust, written information security plans, WISP, risk management, risk analysis, spear phishing, phishing, business case study, legal, multifactor authentication, business impact analysis, business continuity plan, remote work, distributed staff, data breach

Button

We thought our client information was secure–until it wasn’t…

Xavier Otero, Partner, XO Legal

Hooked with Spear Phishing Bait

XO Legal, a small legal firm with an entirely distributed team, was lured into an insidious spear phishing snare by a seemingly harmless email. The attack targeted the firm with carefully crafted emails that appeared to come from legitimate and trusted internal sources. This sleight of email was virtually undetectable. XO Legal had no idea how to pick up the pieces because they didn’t know what the pieces were.

Spear phishing involves targeting specific individuals or organizations with personalized and convincing messages designed to trick the recipient into taking a particular action or providing sensitive information.

Anatomy of a Spear Phishing Attack

Spear Phishing Prey

The Setting

The law firm had four attorneys and two paralegals, all of whom worked remotely. Client files were stored in an encryped cloud account. All six could upload and download files, which meant that all six individuals had credentials necessary to allow them to access the account at some level.

The Bait

Once the phisher had decided on a law firm target, XO Legal, they did what any highly-skilled phisher would do: They patiently researched the firm, its employees, clients, and ongoing cases to gather information that would make their phishing email(s) appear authentic and relevant.

Excellent dossiers were created on all the firm’s employees. From the information acquired, partners Xavier Otero and Rogelio Tejada seemed to be the most potentially profitable targets. The phisher decided to reference a high-profile client as part of the deception. They had learned that there was a hearing the following week, which provided the opportunity to introduce urgency and authenticity into an email.

It was this meticulous preparation that enabled the phisher to craft the personalized emails that would become the bait and make this plot so successful. Their chances of success were greatly improved because the plot was entirely specific to the XO Legal firm.

Download the PDF version of this business case study. No information capture form required for download.

Hooked by Spear Phishing Bait: An Easy Catch Case Study Download

The Hook

The spear phisher registered two email addresses using a free email service, carefully selecting usernames that incorporated the names of the attorneys and the firm’s domain name. They had managed to find out the name of the cloud storage company. The rest was frighteningly simple.

The Attack

An email was sent to one of the paralegals, Ana Mathieson, from Xavier Otero. The email made reference to an upcoming hearing the next day, for which Xavier Otero was the lead attorney. It requested that she look for a file in the client’s folder. If it was there, he needed the link to it right away. He was on his smartphone right now and had no way to access the file. The email contained details about the hearing that she knew to be true. She hesitated but the first one was followed by two other emails, each more frantic than the last. Ana found the file and sent the link to the folder.

The Aftermath

This spear phisher was content with access to this one client’s information. What they wanted was enough information to enable identity theft. There was plenty of information in the file to allow them to do that. XO Legal was forced to pay for all of the client’s identity theft remediation, lost the client (which was a substantial part of their revenue). And in the end, they still did not know if any other client information had been breached. But, it could have been far worse and far more costly.

Our Role in The Spear Phishing Recovery

We documented the existing information security status and provided the written framework for the new security plan. We created zero trust standard operating procedures; a written information security plan; an incident response plan; and a business continuity plan.

A Roadmap to Zero Trust

From Trust to Zero Trust

Protecting client data–whether dictated by law or not–was of paramount concern at XO Legal. But, as with many firms, the intention of the staff to guard the sanctity of client data was not enough. Transformation into a team with a zero trust mindset was essential. So, XO Legal closed the gaping voids in their security protocols with the following actions (non-inclusive):

Incident Response Plan based on ABA Formal Opinion No. 483, which defines the lawyer’s ethical and legal obligations to be prepared to protect against and respond to a cyber security incident.
Written Information Security Plan (WISP) to define what the firm’s information assets are and how they will be protected–including the policies and procedures that will be used.
Standard Operating Procedures were created for the Incident Response Plan and Written Information Security Plan, as required. One of the first ones written is how internal communications were treated, no matter who wrote them.
Ongoing Evaluation of Access and Authentication Protocols to ensure that permissions are appropriate and are updated, as necessary.
User and Device Security is enforced by ensuring that all users and devices (including mobile devices) have the same level of protection as they access resources, regardless of location.
Multifactor Authentication is mandatory for all staff who access files. In this case, fingerprint identification is used.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) email authentication protocol is used to protect against email phishing.
Application and Data Security is used to prevent unauthorized access within app environments no matter where they are hosted.

The Way Forward

The Zero Trust mindset is a new one for this firm because it is so small and the staff knows one another so well. But, now they know that zero trust is critical if they are going to protect themselves and their clients.

Let Us Help You With:

Online or PDF Business Case Studies (Like this one)
Written Information Security Plans (WISPs)
Information Security Documentation
Business Continuity Plans

WISP Cyber Policies

Posted on May 31, 2024October 28, 2024 by Writing for Results

Zero trust, cybersecurity, zero trust security, data breaches, John Kindervag, Forrester, NIST, National Institute of Standards and Technology, security framework, ISO 27001, gap analysis, ransomware, network, phishing, what is zero trust, risk management, encryption, orchestration, file permissions, law firm procedures, restaurant procedures, remote work procedures, zero trust design, zero trust environment, zero trust architecture, multifactor authentication, microsegmentation, ZNTA, digital transformation, Identity Access Management, IAM, Data Loss Prevention, DLP, Secure Access Service Edge, SASE

WISP Written Information Security Plan

Why You Need a WISP

“…The Task Force notes that the cyber threat to U.S. critical infrastructure is outpacing efforts to reduce pervasive vulnerabilities, so that for the next decade at least the United States must lean significantly on deterrence to address the cyber threat posed by the most capable U.S. adversaries.

It is clear that a more proactive and systematic approach to U.S. cyber deterrence is urgently needed…” -Task Force on Cyber Deterrence [DSB 2017], the Defense Science Board (DSB)

What Is a WISP?

The NIST Cybersecurity Framework (CSF)-based Written Information Security Program (WISP) is a set of cyber security policies and standards that are suited for smaller organizations or those governed by NIST 800-53. This framework has recently been updated to CSF 2.0.

While WISPs are often thought to be the preserve of larger businesses, we include businesses with fewer than 500 employees that also require the protection afforded by a WISP.

Download a sample, editable WISP here.

Why Our WISP?

Our custom NIST-based WISP Written Information Security Plans identify the policies and procedures for protecting your company’s confidential data, assessing how it’s being protected, and identifying who is ensuring it’s protected.

This WISP document enables you to proactively plans for the “what ifs” and is fundamental to your organization’s security. It can be the basis for risk management measures. It also enables you to be compliant with State requirements, where necessary.

Whether they are included as part of the WISP or simply referred to as part of an abbreviated description, we provide complete policies and procedures referenced in the WISP. See a full list of these policies here. We also offer our compliance documentation in two formats: The first is focused on the what (NIST policies) and the other is focused on how (company-specific policies based on NIST standards). See samples of the two approaches below.

GET IN TOUCH

Are You Required To Have a WISP?

Several industries and organizations are governed by cybersecurity regulations that require a WISP. If your organization is bound by the Health Insurance Portability and Accountability Act (HIPAA), then it is required to have a WISP. Recently, the 16 CFR Part 313: Privacy of Consumer Financial Information Rule under the Gramm-Leach-Bliley Act was amended. The American Institute of Certified Public Accountants (AICPA) developed Service Organization Controls to manage data securely with AICPA TSC 2017 SOC 2 which also requires a WISP as does the National Institute of Standards and Technology (NIST) Cybersecurity Framework, recently updated to CSF 2.0.

Are you an accountant? Do you have a WISP?

The FTC’s Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) says you need one.

FTC Safeguards Act Requirements

The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).”

How do you know if your business is a financial institution subject to the Safeguards Rule? First, consider that the Rule defines “financial institution” in a way that’s broader than how people may use that phrase in conversation. Furthermore, what matters are the types of activities your business undertakes, not how you or others categorize your company.

To help you determine if your company is covered, Section 314.2(h) of the Rule lists 13 examples of the kinds of entities that are financial institutions under the Rule, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC. The 2021 amendments to the Safeguards Rule add a new example of a financial institution – finders. Those are companies that bring together buyers and sellers and then the parties themselves negotiate and consummate the transaction.

DOWNLOAD OUR INFORMATION SHEET, WISPS AND THE FTC SAFEGUARDS ACT. YOU MAY BE SURPRISED AT WHO THE LAW APPLIES TO–IT MAY BE YOU.

Do You Live in One of These States?

If you live in one of these States, you are required to have a WISP that conforms to State requirements: Alabama, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Illinois, Indiana, Kansas, Louisiana, Maryland, Massachusetts, Minnesota, Nebraska, Nevada, New Mexico, New York, Ohio, Oregon, Rhode Island, South Carolina, Texas, Utah, Vermont, District of Columbia.

Alabama: 2018 SB 318

Arkansas: Ark. Code § 4-110-104(b)

California: Calif. Civil Code § 1798.91.04

Colorado: Colo. Rev. Stat. § 6-1-713 to -713.5

Connecticut: Conn. Gen. Stat. § 38a-999b, Conn. Gen. Stat. § 4e-70

Delaware: Del. Code § 12B-100

Florida: Fla. Stat. § 501.171(2)

Illinois: 815 ILCS 530/45

Indiana: Ind. Code § 24-4.9-3-3..5(c)

Kansas: K.S. § 50-6,139b

Louisiana: La. Rev. Stat. § 3074 (2018 SB 361)

Maryland: Md. Code Com Law §§ 14-3501 to -3503

Massachusetts: Mass. Gen. Laws Ch. 93H § 2(a)

Minnesota: Minn. Stat. § 325M.05

Nebraska: Neb. Rev. Stat. §§ 87-801-807 (2018 L.B. 757)

Nevada: Nev. Rev. Stat. §§ 603A.210, 603A.215(2)

New Mexico: N.M. Stat. § 57-12C-4 to -5

New York: New York Gen. Bus. Law § 899-BB

Ohio: Ohio Rev. Stat. § 1354.01 to 1354.05 (2018 S.B. 220)

Oregon: Or. Rev. Stat § 646A.622

Rhode Island: R.I. Gen. Laws § 11-49.3-2

South Carolina: S.C. Code § 38-99-10 to -100. (2018 HB 4655)

Texas: Tex. Bus. & Com. Code § 521.052

Utah: Utah Code §§ 13-44-101, -201, 301

Vermont: 9 V.S.A § 2446-2447 (2018 HB 764)

District of Columbia: 2020 B 215

We create custom State- and NIST-compliant WISP Written Information Security Plans for business of all sizes. This document protects you and it protects your customers or clients or patients. These affordable documents include standalone versions of all policies and procedures that are referenced in your WISP. For example, your WISP access control policy would be provided also as a separate document that you can use in other documents such as training manuals or employee handbooks or as standard operating procedures.

GET IN TOUCH

What Are the Most Common WISP Elements?

Every WISP is different–some are less comprehensive and some are more so depending on the situation. In general, however, WISPs contain the following elements:

Designation of the employee or employees responsible for the security program
Identification and assessment of security risks
Policies for storage of data, as well as access and transportation of personal information
Disciplinary measures imposed on WISP violators
Limiting access by/to terminated employees
Managing the security practices of third-party vendors and contractors
Methods of restricting physical and digital access to records
Monitoring and reviewing the scope and effectiveness of the WISP
Documentation of data security incidents and responses

WISP Format Choices

How you choose to format your WISP is a matter of choice, as long as it conforms to State guidelines wherever applicable.

Writing and implementing a WISP requires assessing company business processes, an understanding of the laws and regulations that apply to the those processes, identifying potential information security gaps and weaknesses, finding the right balance between business practices and security, and educating end users about the policy once it is approved by company management.

NIST Framework

This WISP version is mapped to NIST standards and the terminology.

IR-4(2): INCIDENT HANDLING/DYNAMIC RECONFIGURATION
Control Objective: Include organization-defined types of dynamic reconfiguration for organization-defined system components as part of the incident response capability.

Standard: Where technically feasible and justified by a valid business case, ACME must implement automated mechanisms to enable dynamic reconfiguration of information systems as part of incident response remediation actions.

Guidelines: Dynamic reconfiguration includes changes to router rules, access control lists, intrusion detection or prevention system parameters and filter rules for guards or firewalls. Organizations may perform dynamic reconfiguration of systems to stop attacks, misdirect attackers and isolate components of systems, thus limiting the extent of the damage from breaches or compromises.

Organizations include specific time frames for achieving the reconfiguration of systems in the definition of the reconfiguration capability, considering the potential need for rapid response to effectively address cyber threats.

Standard Policy Framework

This WISP version uses narrative, company-specific policies.

RISK ASSSESSMENT
The Program Coordinator shall conduct a risk assessment to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in its unauthorized disclosure, misuse, alteration, destruction or other compromise, and assess the sufficiency of any safeguards in place to control these risks. The risk assessment shall cover all relevant areas of the Dealership’s operations. At a minimum, the risk assessment shall cover the following:

• Employee training and management;
• Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
• Detecting, preventing and responding to attacks, intrusions or other systems failures.

Once the Program Coordinator has identified the reasonably foreseeable risks, the Program Coordinator will determine whether current policies and procedures in these areas sufficiently mitigate the potential risks identified. If not, the Program Coordinator shall design new policies and procedures that meet the objectives of the Program. Final policies and procedures that meet the objectives of the Program will be part of the Program.

FTC Standards for Safeguarding Customer Information

16 CFR Part 314: Standards for Safeguarding Customer Information (https://www.ftc.gov/business-guidance/blog/2023/10/ftc-announces-new-safeguards-rule-provision-your-company-whats-required)

October 2023 marks the 20th anniversary of the effective date of the Gramm-Leach-Bliley Safeguards Rule. Its purpose then – and its purpose now – is to protect consumers by requiring entities covered by the Rule to “develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”

The amendment announced today requires financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. Such an event requires notification if unencrypted customer information has been acquired without the authorization of the individual to which the information pertains. The notice to the FTC must include certain information about the event, such as the number of consumers affected or potentially affected.

The FTC revised the Safeguards Rule in October 2021 to strengthen protections for consumers’ information maintained by non-banking financial institutions – for example, mortgage brokers and payday lenders. Also announced was a proposed supplemental amendment to the Safeguards Rule that would require financial institutions to report certain data breaches and other security events to the FTC. The agency just approved an amendment that will require notification.

The focus is on “notification events” – defined as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” If a notification event “involves the information of at least 500 consumers,” the covered entity must contact the FTC “as soon as possible, and no later than 30 days after discovery of the event” using a form on the FTC’s website.

Here are some of the things the notice must include:

the name and contact information of the financial institution;
a description of the types of information involved;
the date or date range of the notification event, if it’s possible to determine;
the number of consumers affected; and
a general description of the notification event.

Ig1 – Implementation Group 1

From the Center for Internet Security:

Implementation Groups (IGs) are the recommended guidance to prioritize implementation of the CIS Critical Security Controls (CIS Controls). CIS Controls v8 defines Implementation Group 1 (IG1) as essential cyber hygiene and represents an emerging minimum standard of information security for all enterprises. IG1 is the on-ramp to the CIS Controls and consists of a foundational set of 56 cyber defense Safeguards. The Safeguards included in IG1 are what every enterprise should apply to defend against the most common attacks.

In most cases, an IG1 enterprise is typically small to medium-sized with limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel. A common concern of these enterprises is to keep the business operational, as they have a limited tolerance for downtime.

The sensitivity of the data that they are trying to protect is low and principally surrounds employee and financial information. Safeguards selected for IG1 should be implementable with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks. These Safeguards will also typically be designed to work in conjunction with small or home office commercial off-the-shelf (COTS) hardware and software.

Safeguards selected for IG1 should be implementable with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks. These Safeguards will also typically be designed to work in conjunction with small or home office commercial off-the-shelf (COTS) hardware and software.

But no matter the size or complexity of your business, we recommend that all organizations begin with IG1. We also refer to IG1 as Essential Cyber Hygiene because it provides the actions necessary for an organization to defend itself against the major attack types being used by cybercriminals. IG1 is not just another list of good things to do; it’s an essential set of steps that helps all enterprises defend against real-world threats. And it provides a strong foundation for your cyber maturity growth, or as your security needs change. This is a strong claim, but we back it up with our use of the best-available summaries of attacks (like the Verizon DBIR), and an open, shared methodology (the CIS Community Defense Model v2.057).

NIST Cybersecurity Framework (CSF) 2.0

The agency has finalized the framework’s first major update since its creation in 2014
February 26, 2024

“The National Institute of Standards and Technology (NIST) has updated the widely used Cybersecurity Framework (CSF), its landmark guidance document for reducing cybersecurity risk. The new 2.0 edition is designed for all audiences, industry sectors and organization types, from the smallest schools and nonprofits to the largest agencies and corporations — regardless of their degree of cybersecurity sophistication.

The CSF 2.0, which supports implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy. The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation.

The updated framework anticipates that organizations will come to the CSF with varying needs and degrees of experience implementing cybersecurity tools. New adopters can learn from other users’ successes and select their topic of interest from a new set of implementation examples and quick-start guides designed for specific types of users, such as small businesses, enterprise risk managers, and organizations seeking to secure their supply chains.

A new CSF 2.0 Reference Tool now simplifies the way organizations can implement the CSF, allowing users to browse, search and export data and details from the CSF’s core guidance in human-consumable and machine-readable formats.“

Read More Here: NIST Releases Version 2.0 of Landmark Cybersecurity Framework https://www.nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework

NIST Cybersecurity Framework 2.0

CSF 2.0 Resource/Overview Guide

NIST Special Publication 800-53 Revision 5 Full Text

This free download is the full text of the NIST Revision 5, September 2020. This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

NIST Special Publication 800-53 Revision 5

Why Work With Us?

We are creative, believers in critical thought. Our layouts are sophisticated and appropriate, effective. Our work is due diligent, informative and engaging. Let our technical writing services save you time, money, revisions and failed presentations.

GET IN TOUCH