What Is A WISP (Does Your Massachusetts Business Need One?)

Is your cybersecurity based on a plan or strategy? If you operate in Massachusetts, you need a plan in place. Without one, it’s only a matter of time until your Adhoc cybersecurity puts your business at risk (and puts your business in jeopardy).

Cybersecurity is too important to improvise.

Given the wide range of steadily evolving and ever-present threats the cybercrime industry presents to businesses like yours, you can’t afford to rely on an uncoordinated cybersecurity posture.

Properly defending your Massachusetts business requires a robust combination of solutions, best practices and more—all of which should be carefully laid out in a cybersecurity plan.

As a Massachusetts business, you need a Written Information Security Program (WISP)—do you know what they are and how they work?

What Is A WISP?

A WISP is a document that details a Massachusetts organization’s security controls, processes, and policies. This resource is meant to act as a roadmap for an organization’s IT security and is legally required by several states, including ours.

In addition to formalizing your business’ approach to cybersecurity, a WISP also creates value for your business. It demonstrates to clients, business partners and law enforcement agencies that you take your cybersecurity seriously, and not just as an afterthought.

What Does A WISP Include?

  • Specifying who on your staff is responsible for the management of the security program
  • Tracking, assessing, and mitigating known security risks
  • Detailing how sensitive data is stored, secured, and accessed
  • Stating how violations of your WISP are dealt with internally
  • Implementing access controls to protect against unauthorized access to data by current or former staff members
  • Listing methods for guaranteeing standards of cybersecurity in your supply chain
  • Detailing how physical access to servers, data storage devices, and hard copy information is controlled
  • A system for monitoring and improving the effectiveness of the WISP
  • A detailed breach response plan
  • How user credentials are kept secure
  • Which staff members are granted access to sensitive data and/or granted admin rights
  • How data is encrypted at rest and in transit
  • How monitoring tools are used to track system activity
  • Patch management policies for firewalls, anti-virus, and anti-malware software
  • How employees are trained to spot social engineering scams and maintain user-level cybersecurity

If You Operate In Massachusetts, You Need A WISP

According to Mass. Gen. Laws Ch. 93H § 2(a), all businesses operating within the state are expected to have a WISP. It is meant to establish the bare minimum cybersecurity expectations for businesses that collect and store personal information.

That means that if you own or license personal information about a resident of the Commonwealth, this law applies to your business. If you don’t have a WISP, you need to get started on one right away.

The goal of legislation like this is to make sure that the security and confidentiality of a citizen’s information are secured according to industry standards. This will help to protect citizens against anticipated threats or hazards, as well as unauthorized access to or use of such information. In the end, this limits any substantial harm or inconvenience to these citizens.

Developing A WISP Starts With Assessing Your Cybersecurity

Without a cybersecurity strategy, businesses and organizations make easy targets for ransomware attacks, supply chain disruption, and a long laundry list of cybersecurity concerns.

RetroFit Technologies can help you get started on your WISP by performing a cybersecurity assessment. The gulf between what you know and what you don’t is where cybercriminals operate. That’s why risk assessment processes are so crucial.

Consider the facts—whereas nearly 80% of IT security leaders believe their organizations are not secure enough, only 57% have invested in cybersecurity risk assessments. Don’t make the same mistake.

RetroFit Technologies uses an unbiased, quantifiable assessment process to help you find your vulnerabilities. We can also help with any remediation efforts after the fact, including policy and procedure creation, employee training, and more. All of this will help to form the foundation of an effective WISP.

Need Help Developing Your WISP?

RetroFit Technologies will proactively reduce your cyber risk and protect your organization against cybersecurity threats. Contact us today to learn more about the services we offer or to schedule a cybersecurity risk assessment.