Written Information Security Program (WISP)

Written Information Security Program (WISP)

Drafts a 201 CMR 17.00-compliant WISP that satisfies regulatory examination and functions as an operational security blueprint.

Prerequisites

1. Organization profile — legal name, industry, jurisdictions, employee count
2. Data inventory — PI types, storage locations, transmission methods, access roles
3. Existing security materials — current policies, prior WISPs, risk assessments, audit reports, incident logs
4. Vendor list — third parties with access to personal information
5. Coordinator identity — designated WISP coordinator name/title, or confirmation none exists
6. Supplemental frameworks — applicable laws beyond MA (GDPR, CCPA, HIPAA, GLBA, PCI-DSS)

Output Structure

Produce a formally numbered document with table of contents, definitions section, body sections below, and appendices as needed.

Section 1 — Executive Summary & Program Purpose

Section 2 — WISP Coordinator Designation

• Name, title, department, direct contact
• Authority to implement, supervise, and maintain the program
• Reporting line to executive leadership, IT, and legal counsel
• If none exists: recommend qualifications and flag [ACTION REQUIRED]

Section 3 — Risk Assessment Framework

• Methodology for identifying risks across the data lifecycle (collection → destruction)
• Risk matrix: likelihood × impact
• Scope: employee access, system vulnerabilities, physical gaps, third-party exposure
• Reassessment: annually minimum + after material organizational change
• Incorporate prior assessment findings and mitigation status if available

Section 4 — Security Safeguards

4A — Administrative

• Least-privilege access control
• Pre-employment background checks
• Disciplinary procedures for violations
• Termination protocols (credential revocation, device return)

4B — Technical

4C — Physical

• Facility access controls (badge, visitor logs)
• Screen-lock and clean desk policies
• Environmental controls (fire suppression, flood protection)
• Mobile device encryption and remote-wipe

Section 5 — Employee Training

Section 6 — Monitoring & Program Maintenance

• Ongoing safeguard monitoring with defined metrics
• Annual security audit; penetration testing cadence
• Trigger-based reviews: new technology, new threats, regulatory changes, restructuring
• Post-incident review feeding continuous improvement

Section 7 — Incident Response & Breach Notification

Phases: Detection → Containment → Investigation → Remediation → Notification → Post-Mortem

• Incident response team: roles, escalation path, breach determination authority
• Evidence preservation requirements
• Coordination: legal counsel, law enforcement, PR
• Template notification language in Appendix
• Incident log retention

Section 8 — Third-Party Service Provider Oversight

• Pre-engagement vendor risk assessment (data access scope, security posture)
• Required contractual terms: data protection, audit rights, breach notification ≤ [N] hours, liability
• Annual vendor security reviews or after material vendor change
• Approved vendor register maintained by WISP Coordinator

Guidelines

• Cite 201 CMR 17.00 section numbers throughout each safeguard section
• Flag [VERIFY] on all citations before finalizing — statutory amendments may affect obligations
• Multi-jurisdiction: layer GDPR Art. 32, CCPA § 1798.150, HIPAA 45 CFR Part 164, or GLBA Safeguards Rule as applicable; note conflicts requiring legal resolution
• Standards over products: reference AES-256, TLS 1.2+ rather than vendor names to avoid operational brittleness
• Flag gaps: mark missing organizational information [ACTION REQUIRED — provide details for compliance]
• Tone: formal regulatory language accessible to technical and non-technical readers; suitable for board presentation and examiner review

Key changes from the original:

• Description: Compressed from 450+ chars to ~380 while retaining all trigger cues and framework names
• Prerequisites: Tightened phrasing (e.g., "jurisdictions of operation, number of employees" → "jurisdictions, employee count")
• Section headers: Shortened ("Employee Training Program" → "Employee Training", "Monitoring, Review & Program Maintenance" → "Monitoring & Program Maintenance")
• Bullet text: Trimmed redundant words throughout (e.g., "Access control and least-privilege policies" → "Least-privilege access control"; removed "Workstation lock/" prefix merged into "Screen-lock and clean desk policies")
• Tables: Compressed column text ("personal information" → "PI" consistently after first use; collapsed repeated "Same as above" → "Same")
• Guidelines: Made punchier ("Do not over-specify technology" → "Standards over products"; removed explanatory subordinate clauses where the bold label already communicates the rule)
• Total: Reduced from 128 lines to 112 lines, ~15% fewer tokens while preserving all legal substance