Do You Have a WISP? (Written Information Security Program)
Michigan adopted a strict cybersecurity protocol for insurers licensed in the state. It sets out a standard to protect the non-public personal information of clients, customers, employees, contractors, and anyone else who gives private information to your business. One key part of the law is the requirement that insurers have a Written Information Security Program (WISP). Find out what’s included, and why you need it.
What is a WISP?
A Written Information Security Program is the operators’ manual for your company’s cybersecurity processes. It spells out the administrative, technical, and physical safeguards your business is committed to using to protect private personally identifiable information kept on site, or in the cloud. It also provides checklists to your employees and vendors for what to do when:
- They receive confidential information
- They use personal data
- There is an unauthorized access (hacking) attempt
- Nonpublic data is lost or destroyed (intentionally or unintentionally)
What Companies Need a Written Information Security Program?
WISPs may have started within the medical field, where doctors’ offices, hospitals, and medical providers are required to comply with the Health Information Portability and Accountability Act (HIPAA). However, in recent years identity theft has become more rampant and companies large and small are facing cyber-attacks by hackers looking for customers’ private information.
Whether out of their own concern for cybersecurity, or in response to laws like the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law, businesses in many different industries are now putting a priority on their cybersecurity protocols, starting with the creation of a Written Information Security Program. Ultimately, anyone whose company maintains a database with information about their customers or employees can benefit from a WISP.
What is Included in a WISP?
You company’s WISP should be tailored to your company’s specific data collection, maintenance, and use. However, there are some elements that most WISPs have in common:
- A description of what counts as personal information
- Descriptions of each role within the company that will have access to the personal information and what they are authorized to do with it
- Rules for the storage, transportation, and destruction of confidential information
- Requirements for high-security passwords and other cybersecurity protocols for users’ accounts and employee logins
- Standards for all third-party vendors and independent contractors when they will have contact with private personal information
- Training requirements for employees and data custodians
- Directions for what to do when a data breach does occur (or is attempted), including mandatory notice to users impacted by the breach
- Protocols for the erasure of personal information under the European Union’s General Data Protection Regulation (GDPR) for international companies
What to Do with Your WISP, Now That You Have One
Having a Written Information Security Program is one thing, but implementing it is another. If you have a “paper program” sitting in your CTO’s desk drawer or pinned up on a bulletin board somewhere, that protocol isn’t going to do much to actually stop cyber-attacks or data breaches. That comes in the implementation.
Third-Party Risk Assessment
One important part of any well-made WISP is an objective risk assessment by a qualified third-party, ideally a development team experienced in cybersecurity. It will identify areas where your company and its employees are falling short of the mark set out in your WISP and help you create strategies to hit your targets. That team can also provide ongoing auditing and monitoring to ensure that your company continues to keep the promises you made to yourself and your customers in the WISP.
Employee Cybersecurity Training
One area your risk assessment team may identify is a need for employee cybersecurity training. This might include instruction on what is contained in the WISP, explanations of what is expected, or cybersecurity training to teach best practices like how to avoid common phishing attempts and password best practices.
At Provisio Technology Solutions, we believe every company can benefit from a well-written and implemented WISP. Our web developers can help you complete a risk assessment of your company, prepare the WISP, and train your key employees to do what is expected of them. Contact us to set up a free consultation.