Creating and Maintaining a Written Information Security Plan (WISP) for Data Safety

With the rise of data security incidents, businesses are encouraged to maintain a Written Information Security Plan (WISP). A WISP protects businesses and clients, offering a structured response framework for security breaches and other disruptions like natural disasters or theft.

A well-designed WISP should be tailored to a company’s size, activities, and sensitivity of customer data, focusing on three key areas: employee management and training, information systems, and identifying and managing system failures. It’s also important to understand post-breach responsibilities when building a WISP.

Key Elements of a WISP:

• Employee Management & Training
• Information Systems
• Detecting & Managing Failures

Requirements for a WISP:

• Assign one or more employees to manage the security program.
• Identify and assess risks to customer information and evaluate the efficacy of current safeguards.
• Create, monitor, and update a safeguards program.
• Choose service providers capable of implementing robust security measures.
• Update the plan periodically, reflecting changes in business operations.

Tips for Maintaining a WISP:

• Store the WISP in an accessible format (PDF/Word) and provide training to employees.
• Regularly review and update the plan as business circumstances change.
• Develop a data theft response plan and consult the FTC’s Data Breach Response Guide for more guidance.

The IRS has also provided a plain language WISP sample for guidance, available on IRS.gov.