Why Your Business Needs a WISP
By Roger Murray | December 29th, 2016
Not having a written information security program (WISP) for your business could be putting your data at risk of not only theft, but also substantial legal and punitive damages. The laws in Massachusetts enforce strict guidelines to safeguard any personal information of individuals stored on your network.
Sadly, many SMBs brush it off as a minimal danger that is unlikely to happen to them. Studies show that assumption to be untrue: SMBs are often targeted precisely because they are easier to infiltrate.
Having a WISP is not Optional
Massachusetts developed one of the most stringent data security regulations, 201 CMR 17.00. It serves as the gold standard that most businesses operating nationally abide by, because a business that is 201 CMR 17.00 compliant is most likely compliant in every other state as well. And it isn’t just for large corporations. 201 CMR 17.00 specifies:
“Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards”
This means any business that operates in Massachusetts, or even has a single customer living in the state, must comply. If a data breach occurs and personal information is stolen, your business will have more than reputational damage to recover from; the Attorney General will likely levy considerable fines against you for failing to be compliant.
Considerations While Developing a WISP
The details involved with developing a proper WISP are substantial. You must consider not only how data is transmitted, but how it is stored within your network.
- Implementing full encryption is a must, as is controlling which employees, and which third-party vendors with access to your network, can reach the personal information.
- BYOD mobility and integration within your network are practically standard fare now, so a solid firewall solution, along with anti-virus and anti-malware protection, should be installed. If you use a lot of cloud-based services, or store data offsite, the same rules apply there.
- User training and education are key components to keep in mind while building a security program, and should be extended to any third-party vendors to ensure complete coverage of your liabilities.
- Your WISP should be reviewed and signed off at least annually, or sooner if changes occur that may impact your business.
One important note to keep in mind: having a written information security program will not magically eliminate the risk of a data breach. Compliance does not guarantee protection, but it does provide the building blocks for a comprehensive security program. To learn how TSI can develop your WISP, as well as create a complete security protection plan for your business, Contact Us today!