WRITTEN INFORMATION SECURITY PROGRAM (WISP)
5 Key Components of a Written Information Security Program (WISP)
1. Designated Security Officer
In regulated industries it is a requirement to have a designated security officer in place who is responsible for coordinating and implementing your security program.
2. Risk Assessment
This component assesses the risks your organization faces and identifies the reasonable and appropriate steps needed to mitigate them. The assessment lets you prioritize risks and apply cost-effective countermeasures where they matter most.
3. Policies & Procedures
Once the risk assessment is complete, a written document is developed stating how the company plans to protect its digital assets. This is a living document that is continuously updated as technology, threats and employee requirements change.
4. Security Awareness Training
The human factor is often the weakest link in the security chain. Every employee needs to be aware of his or her roles and responsibilities when it comes to security, and all users need ongoing security awareness training to protect against social engineering attacks such as phishing.
5. Regulatory & Audit Compliance
Organizations must not only comply with their own security program, but may also need to meet federal and state regulatory requirements. Depending on your industry, the standards your organization may need to comply with include HIPAA, PCI DSS, GLBA, Sarbanes-Oxley and FISMA. Periodic audits are necessary to assess the level of security in place, to determine whether it has been breached, and to confirm that the organization is following its own security program.
A WISP provides the guiding policies for information security and is used to identify strengths and weaknesses within your organization.