
WISP IMPLEMENTATION OVERVIEW

The diagram depicted below is an illustration of the process flow that generally takes place to implement a Written Information Security Program (WISP) within an organization. There will most likely be some level of customization of the WISP that is necessary to meet ACME’s unique requirements and staffing levels.

Choice: You can implement the WISP as it is or make changes to specifically fit your organization’s unique needs.

First off, make a copy of the original WISP so you have an original you can revert to, if necessary. From there:

- If a section does not pertain to your business model, you can either delete it or edit the standard to state something like “At this time, this control is not applicable.”

- If you need to edit content, you are free to edit since the WISP is in Microsoft Word format.

Work with your IT staff to implement the technical components of the WISP’s policies and standards:

- Identify the most important changes and prioritize the work.

- You may find a lot of the standards

Publish the WISP to your users in your organization and educate them on any changes that they need to be aware of.

Note: There is a helpful applicability chart provided that clearly shows the intended audience of the WISP controls:

- Management

- Asset Owners & Custodians

- General Users

This helps focus which controls are relevant to different types of employees. Asset owners and custodians (e.g., application owners & IT staff) will have the greatest number of controls they need to be intimately familiar with. Management and users have far fewer controls that truly pertain to them on a day-to-day basis.

With the included user acknowledgement form, have users sign off that they have read and will abide by your company’s policies and standards. File this sign-off in their personnel folder.

Following the Plan-Do-Check-Act approach, work with the IT staff and other departments to look for weaknesses in the IT security program and correct those deficiencies.

WISP TEMPLATE 1: MANAGEMENT DIRECTIVE EXAMPLE WORDING

Written Information Security Program (WISP) Implementation

ACME Consulting, LLC (ACME) is committed to protecting its employees, partners, clients and ACME from damaging acts that are intentional or unintentional. Effective security is a team effort involving the participation and support of every ACME user who interacts with data and information systems. The reason for implementing ACME’s Written Information Security Program (WISP) is not to impose restrictions that are contrary to ACME’s established culture of openness, trust and integrity, but to strengthen ACME’s ability to guard against unauthorized access to, alteration, disclosure or destruction of data and information systems. This also includes protection against accidental loss or destruction.

The purpose of the Written Information Security Program is to ensure that security controls are properly implemented and that clients and business partners are confident their information is adequately protected. Protecting company information and the systems that collect, process, and maintain this information is of critical importance. Therefore, the security of information systems must include controls and safeguards to offset possible threats, as well as controls to ensure accountability, availability, integrity, and confidentiality of the data:

- Confidentiality – This security component addresses preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

- Integrity – This security component addresses the property that sensitive data has not been modified or deleted in an unauthorized and undetected manner.

- Availability – This security component addresses ensuring timely and reliable access to and use of information.

The WISP establishes the foundation for the Information Security Program at ACME. The formation of the policies is driven by many factors, with the key factor being risk. These policies set the ground rules under which ACME shall operate and safeguard its data and information systems to both reduce risk and minimize the effect of potential incidents.

These policies, including their related procedures, standards and guidelines, are necessary to support the management of information risks in daily operations. The development of policies provides due care to ensure ACME users understand their day-to-day security responsibilities and the threats that could impact the company.

Implementing consistent security controls across the company will help ACME comply with current and future legal obligations to ensure long term due diligence in protecting the confidentiality, integrity and availability of ACME data.

It is the responsibility of every user to know these policies and to conduct their activities accordingly. The WISP is effective as of [enter date policy is effective].

Respectfully,

[owner/manager’s signature]

[insert owner/manager’s printed name]

[insert owner/manager’s title]

WISP TEMPLATE 2: USER ACKNOWLEDGEMENT FORM

ACME Consulting, LLC (ACME)

Written Information Security Program Acknowledgement

I, ____________________________, acknowledge I have read ACME’s Written Information Security Program (WISP). I agree to abide by ACME’s policies, standards and procedures.

I acknowledge that if I do have any questions regarding any information within ACME’s WISP, it is my responsibility to address those issues with my manager for further clarification. I acknowledge that ignorance on my part is not an excuse and I take full responsibility for my actions and the actions I fail to do. I acknowledge and understand that failure on my part to practice due care and due diligence may also result in the termination of my employment for cause.

I agree to indemnify, defend and hold harmless ACME, its subsidiaries and affiliated companies, and each of its respective owners, officers, directors, managers, employees, shareholders and agents (each an "indemnified party" and, collectively, "indemnified parties") from and against any and all claims, damages, losses, liabilities, suits, actions, demands, proceedings (whether legal or administrative), and expenses (including, but not limited to, reasonable attorney's fees) threatened, asserted or filed by a third-party against any of the indemnified parties arising out of or relating to any and all gross negligence and/or misconduct on my part.

The terms of this acknowledgement shall survive any termination of employment.

User Name / Title Signature & Date

User’s Supervisor / Manager Signature & Date

WISP TEMPLATE 3: USER EQUIPMENT RECEIPT OF ISSUE

ACME Consulting, LLC (ACME)

User Equipment Receipt of Issue

| Item | Description | Qty | Make | Model | Serial # | Notes |
|------|-------------|-----|------|-------|----------|-------|
| 1 | Desktop | | | | | |
| 2 | Monitor | | | | | |
| 3 | Laptop w/ power cord | | | | | |
| 4 | Laptop case | | | | | |
| 5 | Docking station | | | | | |
| 6 | Cell phone w/ charger | | | | | |
| 7 | Printer | | | | | |
| 8 | Scanner | | | | | |
| 9 | Tablet | | | | | |
| 10 | | | | | | |
| 11 | | | | | | |
| 12 | | | | | | |
| 13 | | | | | | |
| 14 | | | | | | |
| 15 | | | | | | |

Ownership:

I acknowledge that the item(s) listed in the table above, including all applicable software and licenses, remain the property of ACME.

These information assets are to be used solely in the execution of my official duties with ACME. These information assets shall be accessible to ACME upon demand, and ACME may request and receive any and all of these items in my possession at any time.

Maintenance:

I acknowledge I am responsible for the due care and due diligence in protecting these items from loss, theft, damage or compromise. I agree to keep ACME informed of any repair or upgrade requirements.

If loss is deemed negligent on my behalf, I understand ACME may seek financial reimbursement for the equipment based on the outcome of an investigation into the loss or damage of the information asset. I acknowledge that failure on my part to practice due care and due diligence may also result in the termination of my employment for cause.

I acknowledge my responsibilities for the equipment listed above and I verify the accuracy of the information associated with the items listed above (e.g. quantity, make, model, and serial #).

User Name / Title Signature & Date

User’s Supervisor / Manager Signature & Date

WISP TEMPLATE 16: PRIVACY IMPACT ASSESSMENT (PIA)

This worksheet is to be completed by the project manager and system owner.

SECTION 1: CONTACT INFORMATION

1. Project Manager / System Owner(s)

2. Name

3. Title

4. Organization

5. Telephone Number

SECTION 2: GENERAL INFORMATION - Project/System Information

1. Name of Project or System.

2. Description of Project or System.

3. What is the purpose of the Project or System?

4. Requested Operational Date?

5. What specific legal authorities, arrangements, and/or agreements require the collection of this information?

SECTION 3: Data in the System

1. What data is to be collected?

2. What are the sources of the data?

3. Why is the data being collected?

4. What technologies will be used to collect the data?

5. Does a personal identifier retrieve the data?

SECTION 4: Attributes of the Data (use and accuracy)

1. Describe the uses of the data.

2. Does the system analyze data to assist users in identifying previously unknown areas of note, concern or pattern?

3. How will the data collected from individuals or derived by the system be checked for accuracy?

SECTION 5: Sharing Practices

1. Will the data be shared with any internal or external organizations?

2. How is the data transmitted or disclosed to the internal or external organization?

3. How is the shared data secured by external recipients?

SECTION 6: Notice to Individuals to Decline/Consent Use

1. Was notice provided to the different individuals prior to collection of data?

2. Do individuals have the opportunity and/or right to decline to provide data?

3. Do individuals have the right to consent to particular uses of the data?

SECTION 7: Access to Data (administrative and technological controls)

1. Has the retention schedule been established? If so, what is the retention period for the data in the system?

2. What are the procedures for identification and disposition of the data at the end of the retention period?

3. Describe the privacy training provided to users, either generally or specifically relevant to the program or system.

4. Is the data secured in accordance with policies and standards?

5. Which user group(s) will have access to the system?

6. How is access to the data by a user determined? Are procedures documented?

7. How are the actual assignments of roles and rules verified according to established security and auditing procedures?

8. What auditing measures/controls and technical safeguards are in place to prevent misuse (e.g., unauthorized browsing) of data?

SECTION 8: Privacy Analysis

Given the amount and type of data being collected, discuss what privacy risks were identified and how they were mitigated:

SECTION 8: Attestation

Name: ____________________________ Signature: ____________________________

(System Owner / Project Manager) (Signature)

Date: ____________________________

SECTION 9: Endorsement

[ ] Approved [ ] Denied

Name: ____________________________ Signature: ____________________________

(Information Security Officer or Privacy Officer) (Signature)

Date: ____________________________
