What Is A Written Information Security Policy and Why Does My Company Need One?
A Written Information Security Policy (WISP) is a documented statement of rules and guidelines that need to be followed by people accessing company data, assets, systems, and other IT resources.
What Are the Benefits Of A Written Information Security Policy?
- To Define Roles and Responsibilities – An effective Written Information Security Policy should clearly document who is authorized for various tasks, and the associated responsibilities. This policy defines not only the roles and responsibilities of employees, but also those of other individuals accessing company resources, such as guests, contractors, and suppliers.
- To Define Accountability – A WISP is expected to be acknowledged and signed by employees, and outlines the consequences for not adhering to the policy details.
- To Increase Employee Cybersecurity Awareness – WISPs are educational documents, and can teach employees about cybersecurity best practices. Topics covered can include choosing a secure password, file transfers, data storage and accessing company networks through use of VPNs.
- To Address Threats – WISPs can include actions to be performed to address security threats, recover from a breach or cyber-attack, and ways to mitigate vulnerabilities. Topics such as who should respond in a security event, what an employee should do, or not do, and who is ultimately accountable can be detailed in the Written Information Security Policy.
- To Comply With Regulations – WISPs define a company’s cybersecurity efforts, particularly in meeting the requirements of industry standards and regulations, such as PCI, GDPR, HIPAA, CCPA, or ISO/IEC 27002.
Why Is A Written Information Security Policy Important to My Company?
Depending on industry, noncompliance could lead to fines, lawsuits, and loss of a company’s reputation.
What Does a Written Information Security Plan Typically Contain? Components of Effective Policies Include:
- Purpose of the Policy
- Scope of the Policy – Who does the policy pertain to
- Policy Statement –
- What are the rules
- What are the expectations
- Sanctions –
- What are the consequences for non-compliance
- Exceptions (if any)
- User Agreement –
- The user understands the terms of the policy, and agrees to abide by the policy. Further, the user signs/dates their acceptance of the policy.
Some Commonly Included Policies:
- Data Classification Protection and Retention Policy
- Physical and Environmental Security
- Network Access Policy
- Encryption and Decryption Policy
- Backup Policy
- Secure Remote Access Policy
- Acceptable Use Policy
- Email Usage Policy
- Password Policy
- Bring Your Own Device (BYOD) Policy
- Remote Access/Remote Work Policy
- Third Party Access Policy
- Guest Wireless Access Policy
What Procedures Should Be Followed In Creating An Effective WISP?
Make your WISP policy understandable as well as enforceable. It should be reviewed and updated on a regular basis, with individual acceptance and signoff credentials mandatory.
Regardless of the size of your organization, a Written Information Security Policy is vital in protecting company data, IT resources and increasing employee cyber awareness. Written Information Security Policies help companies remain competitive and earn (and retain) the trust of their clients or customers.
Contact Vestige for help in creating a Written Information Security Policy to address your company’s needs.
By Mary Brewer, MBA, BS, AAS