By Paula Cuozzo
If you’re doing business in Massachusetts and hold personal information about Massachusetts residents, you’re bound by law to protect it, whether those residents are your employees, your customers or anyone else your company comes into contact with. That goes for small businesses, including the self-employed.
Part of the compliance process is setting up a “WISP,” or a Written Information Security Program. This program outlines how you’ll go about accessing, collecting, storing, using, transmitting and protecting personal information, meaning records that connect a person’s name to a Social Security number, a driver’s license or state ID number, or a financial account or credit card number.
The reasons for setting up a WISP are simple enough. Nobody wants to be the next Equifax, breached by hackers to expose personal information of customers, partners or business contacts. It’s bad business, and it can leave the company exposed on a variety of fronts. WISPs are important for your company's IT security.
The processes for setting up a WISP are a little more complicated, but they’re doable. Here is a primer for creating such a program and making it work.
Read the Literature
The state’s Office of Consumer Affairs and Business Regulation has created a couple of useful documents that will help in the creation of an information security program. One is a summary of the actual law – 201 CMR 17 – governing the standards for the protection of personal information. The other is a Small Business Guide that provides advice about key facets of a comprehensive WISP.
These documents spell out the basic areas that a WISP should cover and offer tips about issues to watch out for. A standard WISP process should start with the following:
- Identifying specific risks – A list of the internal and external risks to the security, confidentiality or integrity of records (paper or electronic) containing personal information
- Gauging potential damage – How likely is each of these risks to materialize, and how much harm would it do?
- Evaluating existing processes – Are there safeguards in place? And are they solid enough?
- Designing better safeguards – Reduce each identified risk as far as is reasonably possible
- Monitoring performance – Check back regularly to see if the safeguards are working
Put Somebody in Charge
It’s important to have a program, of course, but it’s just as important that somebody in the organization is responsible for enforcing the program. This is the Data Security Coordinator. This person will be in charge of all things dealing with the WISP – including rolling out the initial document, training employees on the finer points, doing regular testing of the new safeguards, interfacing with third-party vendors about their adherence to your WISP rules, doing annual reviews of security measures and conducting regular training sessions for all stakeholders in the process.
Target Internal Risks
No one wants to think about the possibility that employees working inside the organization pose any kind of threat. But we hear about situations every day where workers intentionally or unintentionally expose their colleagues’ information. Somebody might have an axe to grind with a co-worker who’s competing for the same promotion. Or somebody might just be sloppy about circulating documents outside the firm.
Either way, it’s essential to the WISP process that a series of steps be followed inside the organization to protect personal information. These steps include:
- Distributing a copy of the new WISP to every employee
- Retraining employees
- Amending employee contracts with details of the new WISP
- Blocking electronic access to files after multiple unsuccessful attempts to gain access
- Limiting access to electronically stored personal information to designated employees in approved situations
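The two technical items in that list, locking an account after repeated failed logins and verifying the password in a way that doesn't leak information, are easy to get subtly wrong. The following is an added example, not code from the original article or from the state's guidance, showing one way to implement the lockout. The account name, password and user table are constructed for the demo, and the thresholds (three failures, 60 seconds) are assumptions chosen so the demo runs quickly; a real deployment would pick values appropriate to its risk assessment.

```python
import hashlib
import hmac
import os
import time

# Constructed credential store for the demo: account -> (salt, PBKDF2 hash).
# Not a real user table; the password below is only used to exercise the guard.
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"mlee": (_SALT, _hash_password("correct horse battery", _SALT))}


def password_matches(account, password):
    """Verify a password without leaking whether the account exists via timing."""
    entry = USERS.get(account)
    if entry is None:
        # Do the same amount of work for unknown accounts as for known ones.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash_password(password, salt), stored)


class LoginGuard:
    """Counts consecutive failed logins per account and locks the account
    for a cooling-off period once the threshold is reached."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # account -> consecutive failure count
        self._locked_until = {}  # account -> unix time when the lock expires

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:  # lock has expired: clear the state
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def login(self, account, password, now=None):
        """Return 'locked', 'ok' or 'denied'.

        While an account is locked the password is not even checked, so an
        attacker cannot keep guessing and learn the answer from the response.
        """
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return "locked"
        if password_matches(account, password):
            self._failures.pop(account, None)  # success resets the counter
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            return "locked"
        return "denied"


def demo():
    """Walk one account through failures, lockout and recovery at fixed times."""
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    t0 = 1_700_000_000  # arbitrary fixed clock so the run is deterministic
    return [
        guard.login("mlee", "wrong1", now=t0),                      # denied
        guard.login("mlee", "wrong2", now=t0 + 1),                  # denied
        guard.login("mlee", "wrong3", now=t0 + 2),                  # locked
        guard.login("mlee", "correct horse battery", now=t0 + 10),  # still locked
        guard.login("mlee", "correct horse battery", now=t0 + 70),  # ok, lock expired
    ]


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner will want alongside this. Locking purely by account name means anyone who can reach the login page can lock a legitimate user out by spraying wrong passwords, so pair the per-account lock with per-source throttling and keep the lock temporary rather than permanent. And every lockout should be logged and alerted on, because a burst of them is exactly the kind of "unauthorized use" the monitoring requirement below is meant to catch.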
Target External Risks
External threats come in many forms – and your WISP needs to deal with each one of them. There are the obvious threats such as hackers bent on doing damage to your business. Then there are the less obvious threats, possibly from third parties (vendors, customers, suppliers, partners, building owners, etc.). They likely won’t compromise personal information on purpose, but they may have slipshod practices of their own. The law makes it your job to vet the service providers you hand personal information to and to bind them by contract to appropriate safeguards, so you need those checks in place to protect your own information.
Protecting against hackers is something you’ll want to do anyway; the law requires that you document how you’re keeping these threats away from your personal information. The regulation requires that firewall protection and operating system patches are reasonably up to date, that malware protection is kept current, that personal information stored on laptops and other portable devices is encrypted where technically feasible, that personal information is encrypted when sent across public networks or wirelessly, and that systems are monitored regularly for unauthorized use of or access to personal information.
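The monitoring requirement is the one most often satisfied on paper only. The following is an added example, not code from the original article or from the state's guidance, that shows the kind of check a small shop can run over its own file-access logs: it flags any access to a location holding personal information by someone who isn't on the WISP's list of designated employees (the internal-risk item above), and any access by a designated employee outside business hours. The log format, directory layout, user lists and business hours are all constructed assumptions for the demo; substitute your own.

```python
import re
from datetime import datetime, timezone

# Assumed layout: directories that hold records containing personal information.
PII_AREAS = {
    "hr": "/hr/",
    "finance": "/finance/",
}
# Constructed list of employees designated under the WISP to handle each area.
DESIGNATED_USERS = {
    "hr": {"mlee", "rgarcia"},
    "finance": {"rgarcia", "tchen"},
}
BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 UTC

# Constructed log format: one access event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log used by the demo; not real data.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=mlee action=read path=/hr/payroll/2023.csv result=success
2024-03-04T09:15:30Z user=jdoe action=read path=/hr/payroll/2023.csv result=success
2024-03-04T02:13:45Z user=rgarcia action=copy path=/finance/accounts.xlsx result=success
2024-03-04T10:02:11Z user=jdoe action=read path=/public/handbook.pdf result=success
2024-03-04T10:05:00Z user=tchen action=read path=/hr/payroll/2023.csv result=denied
this line is garbage
"""


def parse_line(line):
    """Return a dict for a well-formed event, or None if the line doesn't parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def area_for(path):
    """Name of the PII area a path falls under, or None if it holds no PII."""
    for area, prefix in PII_AREAS.items():
        if path.startswith(prefix):
            return area
    return None


def audit(lines):
    """Scan log lines and return a list of findings as tuples.

    Denied attempts are flagged too: a refused access by an undesignated
    user is still something the Data Security Coordinator should see.
    Unparseable lines are reported rather than silently skipped, because a
    log that stops parsing is itself a monitoring failure.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable", line.strip()))
            continue
        area = area_for(rec["path"])
        if area is None:
            continue  # not a location that holds personal information
        if rec["user"] not in DESIGNATED_USERS[area]:
            findings.append(("undesignated-user", rec["user"], rec["path"]))
        if rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after-hours", rec["user"], rec["path"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run regularly (a daily cron job is enough for a small business) and have the findings go to the Data Security Coordinator; keep the output, since it doubles as evidence for the annual review that monitoring actually happened.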
Another way to protect your organization's information is through use of a "Bring Your Own Device" (BYOD) policy, which we've provided for you here.