Mission Matters

Does Your Nonprofit Have a WISP?

October 02, 2023

It's Cybersecurity Awareness Month! Did you know nonprofits are a prime target for cybercriminals? For this reason, every nonprofit organization should implement a Written Information Security Plan (WISP). Here are the ins and outs of WISPs.

Attention nonprofit boards: are you prepared for a cyberattack? Do you have a WISP in place? If not, you should. Here's why.

Why are nonprofits a target?

Nonprofits are a favorite target of cybercriminals because they often store sensitive information, including donor details, financial records, and personal data of beneficiaries. Additionally, nonprofits usually operate with limited budgets and may have fewer resources dedicated to cybersecurity compared to larger organizations. This makes them more vulnerable to attacks, as they may have weaker security measures in place.

What is a WISP?

A Written Information Security Program (WISP) is a mandatory, comprehensive document outlining an organization's security measures, protocols, and policies. It's essentially a "roadmap" that defines the administrative, technical, and physical safeguards you have in place to protect client data. Implementing a WISP is a requirement under the Gramm-Leach-Bliley Act (GLBA) and the Safeguards Rule issued by the Federal Trade Commission, and all states currently have regulations in place to protect consumer information.

Why do nonprofits need WISPs?

The unfortunate reality is that close to 70% of nonprofits have not implemented a WISP or conducted any kind of cybersecurity vulnerability assessment. Any business or organization that collects non-public personal employee, client, volunteer, donor, or customer information should have a WISP in place. A WISP helps ensure that a nonprofit has implemented (and maintains) the right security processes for the sensitive information it handles.

Beyond the legal obligations, a WISP offers nonprofits robust security practices that can lower the likelihood of data breaches and minimize liability if a breach does occur in the future. Without a WISP, you run the risk of suffering an expensive and devastating cyberattack. Studies have shown that the financial repercussions of a cyberattack average over $100,000 for nonprofit organizations.

What are the components of a WISP?

WISPs are customized to fit your specific organization, but most WISPs include:

Information Classification: Identifying and categorizing different types of information based on their sensitivity and importance to the organization. This can include public information, internal use data, confidential data, and highly sensitive data.

Risk Assessment: Evaluating potential threats and vulnerabilities to the organization's information assets. This involves identifying risks, assessing their potential impact, and determining the likelihood of occurrence.

Security Policies and Procedures: Clearly defined policies and procedures that specify how information should be handled, accessed, stored, and protected. These policies cover areas such as data encryption, access controls, password management, incident response, and more.

Access Control: Detailing the mechanisms and processes for controlling who can access sensitive information. This includes user authentication, authorization, and role-based access control.

Data Encryption: Describing encryption methods and techniques for protecting data both in transit and at rest. This includes encryption for emails, files, databases, and storage devices.

Incident Response Plan: Outlining the steps to be taken in the event of a security breach or data incident. This includes identifying the incident, containing it, notifying affected parties, and initiating a recovery plan.

Training and Awareness: Defining how employees will be educated about security policies and procedures and how they can contribute to maintaining a secure information environment.

Physical Security: Addressing physical security measures to protect information assets, such as secure facilities, access controls, and surveillance.

Vendor Management: Guidelines for selecting and monitoring third-party vendors who have access to the organization's data to ensure they comply with security standards.

Compliance and Regulations: Identifying and adhering to relevant laws, regulations, and industry standards related to data security and privacy.

Monitoring and Audit: Explaining how the organization will monitor security controls and conduct regular security audits to ensure compliance with the WISP.

Documentation and Records: Establishing a system for documenting security incidents, audits, compliance activities, and other relevant information.

Review and Updates: Specifying how often the WISP will be reviewed and updated to adapt to changes in the threat landscape and the organization's needs.

Roles and Responsibilities: Clearly defining the roles and responsibilities of key personnel involved in implementing and maintaining the WISP.

Check out our blog, How Do You Get Started with a WISP?, for more details on writing and implementing a WISP.