Ask the Experts: What’s a WISP?
A “WISP” is a Written Information Security Program: the document that sets out the administrative, technical and physical safeguards an organization applies to the personal information it holds, including its network and data storage security policies and procedures. The requirement applies to for-profit and nonprofit organizations alike.
On March 1, 2010 the Commonwealth’s new data security regulations went into effect in Massachusetts. Officially titled 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, the rules are more familiarly and collectively known as Massachusetts Privacy Rule 17. In response to those regulations, Accounting Management Solutions partnered with a major IT services provider to offer data privacy audits to our clients.
Your organization is required to comply with Rule 17 (and have a WISP) if it owns or licenses records containing a Massachusetts resident’s first and last name, or first initial and last name, in combination with any of the following:
- A Social Security number
- A driver's license or State ID number
- A financial account number or credit/debit card number (with or without any required security code, access code or PIN)
Rule 17 requires personal information to be encrypted when it travels across public networks or wirelessly and when it is stored on laptops or other portable devices, to the extent technically feasible, and paper records containing it to be kept in locked facilities or containers. The rule applies to any organization, wherever it is located, that holds personal information about Massachusetts residents; nonprofits are not exempt. Even where it does not apply, having a WISP is smart for any organization. As part of a WISP, organizations should have a data breach policy and an incident response procedure ready before an emergency occurs, not assembled during one.
At a minimum, a WISP should contain policies and information regarding:
- Secure user authentication protocols, including unique user identities and passwords
- A reasonably secure method of assigning and selecting passwords (or unique identifier technologies such as tokens or biometrics)
- Methods for restricting access to information to only active users and active user accounts
- Methods for blocking access to a user identity after multiple unsuccessful attempts to gain access, or whatever limitation on access the particular system supports
- Restricting access to records and files containing personal information to those who need it to perform their job duties
- Encryption of all transmitted records and files containing personal information that travel across public networks or wirelessly
- Monitoring of systems for unauthorized use of or access to personal information
- Encryption of personal information stored on laptops or other portable devices
- Reasonably up-to-date firewall protection and operating system security patches
- Reasonably up-to-date system security agent software, including malware protection, patches and virus definitions
- Education and training of employees on the proper use of the computer security system and the importance of personal information security
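As an added illustration (not part of the original article or of AMS’s materials), the following Python sketch implements three of the items above in one place: unique user identities with salted, iterated password hashing, blocking access after multiple unsuccessful attempts, and an audit trail that a monitoring process can read. The threshold of five attempts, the 15-minute lockout and the hashing cost are assumptions; Rule 17 does not prescribe specific values.

```python
# Added example, not from the original article: a minimal authentication
# service that enforces unique user identities, salted password hashing,
# lockout after repeated failures, and an audit trail for monitoring.
# The lockout threshold and duration are assumptions, not values set by Rule 17.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5        # assumption: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60      # assumption: 15-minute lockout
PBKDF2_ITERATIONS = 100_000    # assumption: work factor for stored hashes


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stored credentials are not directly reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AuthService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # (time, user_id, outcome) records for the monitoring requirement.
        self.audit: List[Tuple[float, str, str]] = []

    def register(self, user_id: str, password: str) -> None:
        # Unique user identities: refuse duplicate or shared accounts.
        if user_id in self.accounts:
            raise ValueError(f"user identity already exists: {user_id}")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt))

    def login(self, user_id: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked' and record the outcome for monitoring."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user_id)
        if acct is None:
            # Hash anyway so unknown and known identities take similar time.
            hash_password(password, b"\x00" * 16)
            return self._record(now, user_id, "denied")
        if now < acct.locked_until:
            # Locked identity: reject without evaluating the password at all.
            return self._record(now, user_id, "locked")
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return self._record(now, user_id, "ok")
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return self._record(now, user_id, "locked")
        return self._record(now, user_id, "denied")

    def _record(self, now: float, user_id: str, outcome: str) -> str:
        self.audit.append((now, user_id, outcome))
        return outcome


if __name__ == "__main__":
    # Constructed walk-through: five bad passwords lock the account, the right
    # password is refused while locked, and works again once the lockout expires.
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    t = 1_700_000_000.0
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(svc.login("alice", "wrong password", now=t))
    print(svc.login("alice", "correct horse battery staple", now=t + 60))
    print(svc.login("alice", "correct horse battery staple", now=t + LOCKOUT_SECONDS))
```

Note that a locked identity is refused before the password is checked, so an attacker cannot keep guessing during the lockout window, and every outcome lands in the audit list so a monitoring job can alert on bursts of "denied" or "locked" events for one identity.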
Recently, the Commonwealth of Massachusetts imposed a fine of more than $100,000 on an organization that did not react appropriately to a data breach and, in fact, continued to collect personal data over an extended period while the breach was ongoing. The judgment included requirements to:
- Implement, maintain and adhere to a WISP
- Review security measures (at least on an annual basis)
- Implement secure password management, including unique passwords for each staffer
- Be prepared to appropriately notify customers
If your organization is not yet in compliance, AMS can help. Contact Leigh Tucker.