In order to comply with 201 CMR 17, each affected business must now maintain a Written Information Security Plan (WISP). This document identifies potential threats to data security and details what steps the company is taking to close these security gaps. In some instances data security policies and procedures will be integrated into the WISP. In other instances they will be promulgated separately.
In addition to IT security measures, WISPs include subjects such as employee hiring and discipline processes, physical security measures, the selection and supervision of vendors and service providers, and WISP maintenance.
One or more employees will need to be assigned the role of “WISP Coordinator.” The coordinator will be responsible for ensuring that the WISP remains more than just a document accumulating dust on the bookshelf. The WISP should be maintained and updated regularly as new threats to security are identified and as technology provides for new, and perhaps more effective, measures to protect data stored within the practice.
In addition to monitoring WISP compliance, the regulations require comprehensive reviews. At a minimum, the WISP should be reviewed annually to ensure adequacy and applicability, and any operational change that may impact data security should trigger a review as well.
Our services at a glance:
- Drafting a comprehensive WISP
- Familiarizing the WISP Coordinator with the WISP contents
- Assisting the WISP Coordinator with updates
- Annual WISP reviews
Who to contact:
President & CEO