Written Information Security Plans (WISPs) are critical documents for organizations that need to protect sensitive information against cyber threats. A well-developed WISP documents a company’s security policies, procedures, and controls, maps them to the regulations the organization is subject to, and gives auditors and employees a single reference for how sensitive data is protected. Here’s what you need to know about creating an effective WISP.

History of the Written Information Security Plan

WISPs grew out of the need for documented cybersecurity measures as more sensitive information came to be stored and processed electronically. The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, required covered entities to safeguard health information, and its Security Rule (finalized in 2003) spelled out the administrative, physical, and technical safeguards that must be documented. The term “written information security program” itself comes from later regulations, notably the FTC Safeguards Rule under the Gramm-Leach-Bliley Act and the Massachusetts data protection regulation 201 CMR 17.00, both of which require organizations handling personal information to maintain a comprehensive, written security program. Since then, many other industries have adopted WISPs to demonstrate compliance with their own regulations.

Sections of a Written Information Security Plan

A comprehensive WISP should include the following sections:

1. Introduction

The introduction provides an overview of the WISP and its purpose. It should also specify the types of sensitive information that the plan is designed to protect.

2. Risk Assessment

A risk assessment is a crucial component of any WISP. It inventories the sensitive information the organization holds and where it lives (systems, vendors, paper records), identifies the threats to that information, and rates each risk by likelihood and impact. The section should record the resulting risk register, the treatment chosen for each risk (mitigate, accept, transfer, or avoid), and the residual risk that remains, so that the controls in the rest of the plan can be traced back to the risks they address.

3. Security Policies and Procedures

This section establishes the specific policies and procedures that the company will implement to protect sensitive information. The policies and procedures should be tailored to the organization’s unique needs and the risks identified in the risk assessment. At a minimum, this section should address the following control areas:

Access Control

Access controls ensure that only authorized personnel have access to sensitive information, and only to the extent their role requires (least privilege). This may include password policies, multi-factor authentication, role-based access, and procedures for granting, reviewing, and promptly revoking access when an employee changes role or leaves.

Network Security

Network security measures protect against unauthorized access and data breaches. This may include firewalls, network segmentation, and intrusion detection and prevention systems, with periodic penetration testing used to validate that these controls actually work as documented.

Data Protection

Data protection controls safeguard against unauthorized access, modification, and deletion of sensitive information. This may include encryption of data at rest and in transit, backup and recovery procedures that are tested on a regular schedule, and data retention and secure disposal policies that limit how long sensitive information is kept.

4. Roles and Responsibilities

This section identifies the individuals or departments responsible for implementing and enforcing the security policies and procedures outlined in the written information security plan. It should clearly define roles and responsibilities, including those of upper management, and name a designated individual (or role) who owns the program overall, since several regulations require one.

5. Technical Controls

This section describes the technical controls that the company will implement to protect sensitive information. Where Section 3 states the policy (for example, that access must be restricted to authorized users), this section names the technologies and configurations that enforce it.

Here is a list of technical controls:

  1. Access Controls: The processes and technologies that ensure only authorized users have access to sensitive data or systems. Examples include password policies, multi-factor authentication, and role-based access control.
  2. Network Security: Firewalls, intrusion detection/prevention systems, network segmentation, and other network security technologies that protect against unauthorized access, data loss, and other security threats.
  3. Endpoint Security: Antivirus or endpoint detection and response software, full-disk encryption, and patch management to protect individual devices (such as laptops and smartphones) from security threats and to limit the damage if a device is lost or stolen.
  4. Data Backup and Recovery: Regular backup of critical data so that it can be restored after a security breach or other data loss event. At least one copy should be kept offline or otherwise isolated from production credentials so that a ransomware attack cannot destroy the backups along with the data, and restores should be tested periodically.
  5. Security Monitoring and Incident Response: Logging, security monitoring tools, and procedures to identify security incidents and respond to them quickly and effectively.

Security awareness training is sometimes listed among technical controls, but it is an administrative control and is covered in the next section.

6. Administrative Controls

This section describes the administrative controls that the company will implement to protect sensitive information. This may include security training for employees, background checks for personnel with access to sensitive information, and regular security audits.

Here is a list of administrative controls:

  1. Security Policies and Procedures: This involves the creation and implementation of policies and procedures that outline how sensitive data and systems should be secured and how employees should behave to ensure their security. These policies can include acceptable use policies, data retention policies, and incident response procedures.
  2. Risk Assessments: This involves regular assessments of security risks to identify potential threats and vulnerabilities to sensitive data and systems.
  3. Employee Screening and Training: This includes background checks for new employees and regular security training for all employees to ensure they are aware of security threats and know how to respond to them.
  4. Physical Security: Measures such as security cameras, access control systems, visitor procedures, and security guards to protect physical locations where sensitive data and systems are stored. (HIPAA treats physical safeguards as a category of their own; a WISP may present them in a separate section if that matches the applicable regulation.)
  5. Vendor Management: This involves assessing and managing the security risks associated with third-party vendors that have access to sensitive data or systems.
  6. Compliance Management: This involves ensuring that the organization is compliant with all relevant regulatory requirements and industry standards for information security.

7. Incident Response

This section establishes the procedures for responding to security incidents, including how employees report a suspected incident, who is notified internally and externally, how evidence is preserved, and how systems are recovered. It should also identify the regulatory and contractual breach notification obligations that apply to the organization and their deadlines, and require that each incident and the response to it be documented for later review.

8. Business Continuity

This section describes how the company will maintain business operations in the event of a security incident or disaster. This may include backup and recovery procedures, redundancy planning, and other measures to ensure continuity of operations.

9. Review and Update

This section establishes a schedule for regularly reviewing and updating the written information security plan to ensure that it remains relevant and effective. The plan should be reviewed at least annually (some regulations, such as 201 CMR 17.00, require this) and whenever there is a material change in the business, the systems handling sensitive data, or the threat landscape, and each review should be recorded.

Cleared Systems offers consulting and support services to help organizations develop and implement effective WISPs. Our team of experts can conduct a thorough risk assessment, develop policies and procedures tailored to your organization’s unique needs, and provide ongoing support to maintain compliance and mitigate security risks. Contact us today to learn more about our WISP consulting and support services.
