Mission Matters

How Do You Get Started with a WISP?

October 10, 2023

It's Cybersecurity Awareness Month! Did you know nonprofits are a prime target for cybercriminals? For this reason, every nonprofit organization should implement a Written Information Security Plan (WISP). Here's how to get started with a WISP.

What is a WISP?

Check out our blog post, Does Your Nonprofit Have a WISP?, for the basics of Written Information Security Programs (WISPs).

A lot goes into the writing and implementation of a WISP. You will need to:

1. Build an Information Security Team: This group designs and builds the framework of the security program. The team should include senior-level members responsible for the mission and goals of the security program, setting security policies, risk limits, etc., as well as the individuals responsible for daily security operations.

2. Inventory and Manage Assets: The team should conduct an inventory of everything that could contain sensitive data, from internally and third-party developed hardware and devices to applications, databases, shared folders, and more. Once this list is created, each asset should be assigned an owner, then categorized by its importance and by its value should a breach occur.

3. Assess Risk: It is essential to think about potential threats and vulnerabilities. Begin by making a list of any potential threats to the assets from the previous step and rank these threats based on their likelihood and their impact on the organization. Then assess the vulnerabilities within the organization, and categorize and rank them. Vulnerabilities can involve people (employees, donors, clients, third parties, etc.), processes (or the lack of them), and the technologies in place. Once these lists are complete, review them to find where threats and vulnerabilities intersect; those intersections are likely where the highest level of risk, impact and threat to the organization lies.

4. Manage Risk: The team should then review the risks and determine which it can reduce, transfer, accept or avoid (ignore).

  • Reduce the risk: Pinpoint and apply fixes to counter the risk (this might include setting up a firewall, implementing data leakage detection and prevention systems, and establishing local and backup storage locations).
  • Transfer the risk: Implement Due Diligence Questionnaires, reassess existing vendors, and engage new vendors based on ranked risk assessments. Invest in insurance for assets or task a third party to take on that risk.
  • Accept the risk: Does the cost of applying a countermeasure outweigh the value of the loss? If so, you have the option to do nothing and accept the risk.
  • Avoid the risk: This occurs when you deny the existence or potential impact of a risk. We do not recommend this strategy, as it can lead to irreparable effects.

5. Craft an Incident Management and Disaster Recovery Plan: The plan should address events such as power outages, supply chain problems, IT system crashes, hacking, and even pandemics like COVID-19. The plan should identify common incidents and outline what needs to be done, and by whom, in order to recover data and any impacted IT systems.

6. Manage Third Parties: Make a list of vendors, suppliers, and other third parties who have access to your organization's data or systems, then prioritize the list based on the sensitivity of the data. Common examples are payroll processors, health insurance vendors, retirement plan custodians, etc. Once they are identified, find out what security measures high-risk third parties have in place, or mandate the necessary controls. Be sure to monitor them consistently and maintain an updated list of all third-party vendors.

7. Implement Controls: In step 4 the team identified the action for each risk. In this step the team implements controls to mitigate or eliminate the risk. These controls can be technical (e.g., encryption, antivirus, firewalls, intrusion detection software) or non-technical (e.g., policies, procedures, physical security, and personnel).

8. Establish Security Awareness Training: Have a plan in place to educate employees on the policy and how to uphold it. Share your information security plan and explain how each employee plays a role in it.

9. Oversight (Audit): The best way to determine the effectiveness of your information security program is to hire a third-party auditor to offer an unbiased assessment on security gaps.
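As an added illustration of steps 2 through 4 (example code, not part of the original post), the Python sketch below keeps a small risk register: assets with owners and breach values, threats scored by likelihood and impact, vulnerabilities grouped as people, process or technology, and the threat-vulnerability intersections ranked so the team can see where risk concentrates before choosing to reduce or accept it. All asset, threat and vulnerability names and the 1-5 scores are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str          # step 2: every asset gets an owner
    value: int          # 1 (low) .. 5 (critical): what a breach would cost

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int     # 1..5
    impact: int         # 1..5
    targets: frozenset  # names of the assets this threat can hit

@dataclass(frozen=True)
class Vulnerability:
    name: str
    category: str       # "people", "process" or "technology"
    exposes: frozenset  # names of the assets this weakness exposes

def risk_score(threat, asset):
    """Step 3: likelihood x impact, weighted by the asset's value from step 2."""
    return threat.likelihood * threat.impact * asset.value

def intersections(assets, threats, vulns):
    """Step 3: every (threat, vulnerability) pair that meets on the same asset,
    highest score first. These intersections are where the risk concentrates."""
    found = []
    for a in assets:
        for t in (t for t in threats if a.name in t.targets):
            for v in (v for v in vulns if a.name in v.exposes):
                found.append((risk_score(t, a), t.name, v.name, a.name))
    return sorted(found, reverse=True)

def treatment(expected_loss, control_cost):
    """Step 4: accept when the countermeasure costs more than the loss it prevents,
    otherwise reduce. Transferring (insurance, vendor) is left to the team's judgment."""
    return "accept" if control_cost > expected_loss else "reduce"

# Constructed sample register for a small nonprofit (not real data).
ASSETS = [Asset("donor database", "Development Director", 5),
          Asset("payroll files", "Finance Manager", 4),
          Asset("public website", "Communications Lead", 2)]
THREATS = [Threat("ransomware", 4, 5, frozenset({"donor database", "payroll files", "public website"})),
           Threat("phishing", 5, 3, frozenset({"donor database", "payroll files"})),
           Threat("website defacement", 2, 2, frozenset({"public website"}))]
VULNS = [Vulnerability("no MFA on email", "technology", frozenset({"donor database", "payroll files"})),
         Vulnerability("no offline backups", "process", frozenset({"donor database", "payroll files", "public website"})),
         Vulnerability("outdated CMS plugin", "technology", frozenset({"public website"}))]
```

Calling `intersections(ASSETS, THREATS, VULNS)` returns the ranked register; the top entries here are ransomware against the donor database, which is exactly the pairing step 4 would send to "reduce".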

A well-structured WISP helps an organization mitigate security risks, protect sensitive information, maintain compliance with relevant regulations, and respond effectively to security incidents. It serves as a roadmap for information security and ensures that everyone within the organization understands their part in safeguarding critical data. Additionally, it can be a valuable document for demonstrating commitment to information security to clients, partners, and regulatory authorities.

We can help you get started. Reach out to us today.

Don't miss our webinar, What Nonprofit Board Members Need to Know About Cybersecurity on October 24th with our affiliate technology company, Envision Technology Advisors.
