There is no denying that the Internet has made the world smaller and more easily accessible at the click of a button. It has made it easier for firms in different locations and geographies to interact and conduct business. Using the Internet, firms can reach out to a wider spectrum of suppliers, clients and customers far and wide across the globe. It has made it easy for someone to sit in South Africa and buy a service or product from a vendor in India, and vice versa. However, along with this comfort and ease, it has brought MASSIVE security scares too! Interaction with national and international clients and customers puts firms out in the open, making them vulnerable in terms of both cyber security and the legal implications that go with it. This is where a Written Information Security Program, simply known as a WISP, comes in handy.
What’s WISP?
A Written Information Security Program/Policy is a comprehensive and formal set of rules and regulations set up within an organization, to be followed in the context of information security. These rules lay down the guidelines to be followed, suggestions on classifying and analysing the devices and resources that can lead to a cyber breach, the responsibilities of groups and individuals, and the consequences for neglecting these rules. There can be multiple WISPs for the different aspects of information security involved in your business, or just a single policy that covers all aspects.
Who needs a WISP?
Every organization! We say this because every organization deals with some sort of sensitive data, whether its employees’, its clients’ or its suppliers’. With technological advancements and the growing need for digitization, there arises a need for a standardised and well-structured WISP. If you run a business venture, irrespective of its size, having a WISP that is strictly implemented can ensure you remain cybersafe. A Written Information Security Program also makes sure that you are on the right side of a legal showdown, if it ever comes to that.
Even in India, where compliance requirements are usually not stringent, the RBI is coming up with stricter controls for which financial firms need to create policies and implement them. Getting caught in a cyber-breach case while these controls are not in place may lead to a hefty fine, which can go up to 1 crore. Beyond being a compliance requirement, a WISP is a firm’s responsibility towards its clients, and it brings credibility, transparency and safety.
What’s all included in a WISP?
A WISP consists of technical, administrative and physical safety measures to keep your organization’s data secure, especially data whose leakage may have serious implications for the functioning of the company. The document lays out preventive and combative measures for avoiding a cyber breach. Some of the points include:
– Training measures for all employees, which means that every employee, from the management team to the fresh recruit, needs to know what is required and acceptable as safety measures to protect your cyber data.
– Classification of data and assets on the basis of the sensitivity of the information stored and the level of protection that should be applied to them.
– Password management policy detailing the requirement for strong passwords, access control for important assets, use of external devices, etc.
– Incident response plan to be followed in case of a data breach.
– Data backup schedules and audits/checks for the same.
Tips to create a clear WISP
Your WISP can be based on the globally standardised frameworks available. ISO 27001/02 and NIST are standards and frameworks that can be adopted by all organizations, big or small. As important as it is to have a WISP, it is equally necessary that it is strictly implemented. A few points that need to be kept in mind while creating the WISP can take a firm a long way towards its better execution and acceptance. These include:
– Use simple and easily understandable language.
– Make it clear and strictly lay down the rules.
– Name managers or points of contact for the cybersecurity policies, so that a defined set of members is always responsible for them.
– Set up a hierarchy for dealing with cyber threats or breaches.
Do I need a WISP?
Yes, you do.
– Even if the region you conduct your business from doesn’t have strict rules for a WISP, always remember that a client of yours from miles away could belong to a region that mandates a WISP. Not just that, a WISP is a must for any organization that is serious about protecting the data of its customers.
– If you are a business organization dealing with various vendors, you should look for a WISP at your partner’s end too. This makes sure that someone else is not putting your data in jeopardy.
– With the increasing frequency of cyber-security incidents, more and more industries will have a WISP as a compliance requirement. Why wait till then?
– Above all, it is safer to have a WISP in place and have your employees adhere to it strictly.
We at DigiSec360 have expertise in creating WISPs for organizations, irrespective of their size! We can help you take the first step and document your internal cyber security policies, guidelines and procedures. If you don’t have any procedures set at all, we can get you started on that. And if you have a basic document that you are unsure of, we review it as well!
For details, reach out to us at [email protected]