To the person who has never heard of a WISP, you may think it is a small handful of straw or a whisk broom. Far from it. To those with an inkling, you may think it is a wireless internet service provider. Yes, but I am talking about a different kind of WISP. A WISP will keep you out of trouble. The challenge is having your WISP keep your organization out of trouble while your employees are working from home, not just on-site at the office.
A WISP is a Written Information Security Program, mandated first by the Commonwealth of Massachusetts in 2010 with more states following suit in recent years. See 201 CMR §17.00: Standards for the Protection of Personal Information of MA Residents. This regulation is, while only four pages, quite specific in its security and compliance requirements. Does your WISP need to be written by a lawyer? No, but it should be reviewed by one.
If your company maintains ‘personal information’ about Massachusetts residents, then you must have certain administrative, technical, and physical safeguards. The regulation spells out exactly what information must be protected by a WISP and what organizations are required to do.
Before you read further, check whether your organization even has a WISP. If not, you will need to start reading and understanding the regulations to come into compliance. There are various samples on the Internet where you can get started.
But how does this all relate to your employees working from home during this COVID period? The regulation identifies the types of personal information it covers, and you should become familiar with them, because that same information is now being handled on home networks and home equipment.
Are you able to:
- Identify and correct the data security risks of employees who save personal data to their home computers?
- Identify and correct the risks of employees who print items containing personal data at home?
- Identify and correct the risks of employees who share personal data with others?
All businesses are required to:
- Name someone in your company to be responsible for the program.
- Identify potential security risks.
- Have a plan to limit access to personal information.
- Require your vendors to have a similar program.
A data breach in your company is one of the worst possible scenarios. Having a WISP, and, further, training your employees on it, whether they are in the office or working from home, will go a long way. While you can get started with an online sample, your WISP must contain your own risk profile and practices. Your IT team has direct involvement here and can probably identify the foreseeable risks associated with working from home. Investing in cybersecurity awareness training is money well spent.
There are information governance professionals who do this for a living, and perhaps a call to them is worthwhile.