WISP Written Information Security Plan
Why You Need a WISP
“…The Task Force notes that the cyber threat to U.S. critical infrastructure is outpacing efforts to reduce pervasive vulnerabilities, so that for the next decade at least the United States must lean significantly on deterrence to address the cyber threat posed by the most capable U.S. adversaries. It is clear that a more proactive and systematic approach to U.S. cyber deterrence is urgently needed…” -Task Force on Cyber Deterrence [DSB 2017], the Defense Science Board (DSB)
What Is a WISP?
The NIST Cybersecurity Framework (CSF)-based Written Information Security Program (WISP) is a set of cyber security policies and standards that are suited for smaller organizations or those governed by NIST 800-53.
Technically, WISPs are geared toward small businesses, but we have expanded our offering to include organizations governed by NIST 800-53.
Download a sample, editable WISP here.
Are You Required to Have a WISP?
Several industries and organizations are governed by cybersecurity regulations that require a WISP. If your organization is bound by the Health Insurance Portability and Accountability Act (HIPAA), then it is required to have a WISP as well. The same is true for financial service organizations that fall under the New York Cyber Security Regulation known as 23 NYCRR 500. The American Institute of Certified Public Accountants (AICPA) developed Service Organization Controls (AICPA TSC 2017 SOC 2) to manage data securely; SOC 2 also requires a WISP, as does the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
We create custom State- and NIST-compliant WISP Written Information Security Plans for businesses of all sizes. This document protects you, and it protects your customers, clients or patients. These affordable documents include standalone versions of all policies and procedures that are referenced in your WISP. For example, your WISP's access control policy would also be provided as a separate document that you can reuse in training manuals, employee handbooks or standard operating procedures.
Do You Live in One of These States?
If you live in one of these States, you are required to have a WISP that conforms to State requirements: Alabama, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Illinois, Indiana, Kansas, Louisiana, Maryland, Massachusetts, Minnesota, Nebraska, Nevada, New Mexico, New York, Ohio, Oregon, Rhode Island, South Carolina, Texas, Utah, Vermont, District of Columbia.
No One is Exempt
According to the Verizon 2021 Data Breach Investigations Report (DBIR): The first thing we noticed while analyzing the data by organizational size this year was that the gap between the two with regard to the number of breaches has become much less pronounced. Last year, small organizations accounted for less than half the number of breaches that large organizations showed. Unlike most political parties, this year these two are less far apart, with 307 breaches in large and 263 breaches in small organizations.
Last year, small organizations were greatly troubled by Web Applications, Everything Else and Miscellaneous Errors. The changes in our patterns account for a good bit of what we see this year in small organizations, since the Everything Else pattern was recalibrated, and the attacks that remain are largely Hacking and Malware, thus fitting into the System Intrusion pattern. In contrast, large organizations saw a fair amount of actual change. The top three last year were Everything Else, Crimeware and Privilege Misuse. The pattern recalibration means that most of the Crimeware type events went into System Intrusion and Basic Web Application Attacks, but Privilege Misuse is not a pattern that saw any substantial degree of change. Therefore, this is an indication that we saw fewer Internal actors doing naughty things with their employer’s data.
Why Our WISP?
Our custom NIST-based WISP Written Information Security Plans identify the policies and procedures for protecting your company’s confidential data, assessing how it’s being protected, and identifying who is ensuring it’s protected.
This WISP document enables you to proactively plan for the “what ifs” and is fundamental to your organization’s security. It can be the basis for risk management measures. It also enables you to be compliant with State requirements, where necessary.
Whether they are included as part of the WISP or simply referred to as part of an abbreviated description, we provide complete policies and procedures referenced in the WISP. See a full list of these policies here. We also offer our compliance documentation in two formats: the first is focused on the what (NIST policies) and the other is focused on the how (company-specific policies based on NIST standards). See samples of the two approaches below.
And, of course, they are affordable with WISP pricing that starts at $1,500.
Consultations are free
WISP Format Choices
The format of your WISP is up to you, as long as it conforms to State guidelines wherever applicable.
Writing and implementing a WISP requires assessing company business processes, understanding the laws and regulations that apply to those processes, identifying potential information security gaps and weaknesses, finding the right balance between business practices and security, and educating end users about the policy once it is approved by company management.
This WISP version is mapped to NIST standards and terminology.
IR-4(2): INCIDENT HANDLING/DYNAMIC RECONFIGURATION
Control Objective: Include organization-defined types of dynamic reconfiguration for organization-defined system components as part of the incident response capability.
Standard: Where technically feasible and justified by a valid business case, ACME must implement automated mechanisms to enable dynamic reconfiguration of information systems as part of incident response remediation actions.
Guidelines: Dynamic reconfiguration includes changes to router rules, access control lists, intrusion detection or prevention system parameters and filter rules for guards or firewalls. Organizations may perform dynamic reconfiguration of systems to stop attacks, misdirect attackers and isolate components of systems, thus limiting the extent of the damage from breaches or compromises.
Organizations include specific time frames for achieving the reconfiguration of systems in the definition of the reconfiguration capability, considering the potential need for rapid response to effectively address cyber threats.
Standard Policy Framework
This WISP version uses narrative, company-specific policies.
The Program Coordinator shall conduct a risk assessment to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in its unauthorized disclosure, misuse, alteration, destruction or other compromise, and assess the sufficiency of any safeguards in place to control these risks. The risk assessment shall cover all relevant areas of the Dealership’s operations. At a minimum, the risk assessment shall cover the following:
• Employee training and management;
• Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
• Detecting, preventing and responding to attacks, intrusions or other systems failures.
Once the Program Coordinator has identified the reasonably foreseeable risks, the Program Coordinator will determine whether current policies and procedures in these areas sufficiently mitigate the potential risks identified. If not, the Program Coordinator shall design new policies and procedures that meet the objectives of the Program. Final policies and procedures that meet the objectives of the Program will be part of the Program.
States That Require WISPs
Alabama: 2018 SB 318
Arkansas: Ark. Code § 4-110-104(b)
California: Calif. Civil Code § 1798.91.04
Colorado: Colo. Rev. Stat. § 6-1-713 to -713.5
Connecticut: Conn. Gen. Stat. § 38a-999b, Conn. Gen. Stat. § 4e-70
Delaware: Del. Code § 12B-100
Florida: Fla. Stat. § 501.171(2)
Illinois: 815 ILCS 530/45
Indiana: Ind. Code § 24-4.9-3-3..5(c)
Kansas: K.S. § 50-6,139b
Louisiana: La. Rev. Stat. § 3074 (2018 SB 361)
Maryland: Md. Code Com Law §§ 14-3501 to -3503
Massachusetts: Mass. Gen. Laws Ch. 93H § 2(a)
Minnesota: Minn. Stat. § 325M.05
Nebraska: Neb. Rev. Stat. §§ 87-801-807 (2018 L.B. 757)
Nevada: Nev. Rev. Stat. §§ 603A.210, 603A.215(2)
New Mexico: N.M. Stat. § 57-12C-4 to -5
New York: New York Gen. Bus. Law § 899-BB
Ohio: Ohio Rev. Stat. § 1354.01 to 1354.05 (2018 S.B. 220)
Oregon: Or. Rev. Stat § 646A.622
Rhode Island: R.I. Gen. Laws § 11-49.3-2
South Carolina: S.C. Code § 38-99-10 to -100. (2018 HB 4655)
Texas: Tex. Bus. & Com. Code § 521.052
Utah: Utah Code §§ 13-44-101, -201, 301
Vermont: 9 V.S.A § 2446-2447 (2018 HB 764)
District of Columbia: 2020 B 215
NIST Special Publication 800-53 Revision 5 Full Text
This free download is the full text of NIST SP 800-53 Revision 5, September 2020. This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.
What Are the Most Common WISP Elements?
Every WISP is different: some are less comprehensive and some are more so, depending on the situation. In general, however, WISPs contain the following elements:
- Designation of the employee or employees responsible for the security program
- Identification and assessment of security risks
- Policies for storage of data, as well as access and transportation of personal information
- Disciplinary measures imposed on WISP violators
- Limiting access by/to terminated employees
- Managing the security practices of third-party vendors and contractors
- Methods of restricting physical and digital access to records
- Monitoring and reviewing the scope and effectiveness of the WISP
- Documentation of data security incidents and responses
Why Work With Us?
We are creative believers in critical thought. Our layouts are sophisticated, appropriate and effective. Our work is diligent, informative and engaging. Let our technical writing services save you time, money, revisions and failed presentations.