In Tech Blog by zdwyer

Do you run a business that handles Massachusetts residents’ personal information? If so, did you know that the Massachusetts regulation 201 CMR 17.00 requires every business that owns or licenses personal information about a Massachusetts resident to have a written security plan, referred to as a WISP (Written Information Security Program)? Considering that 135,145,808 records have been stolen so far this year*, it’s probably a good idea. The challenge, however, is that this plan can be very confusing to draft, especially if you don’t have technical experience.

That said, a WISP forces business owners to create standards and policy around protecting the personal information of Massachusetts residents. Under the regulation, personal information consists of a Massachusetts resident’s first name and last name, or first initial and last name, in combination with one or more of the following: Social Security number; driver’s license number or state-issued ID number; or financial account number, credit card number or debit card number. If you’re a business owner, here’s a checklist to consider. Fines are becoming more frequent, as are hackers targeting small businesses. It’s time to take action.

*Identity Theft Resource Center, Report Date: 7/21/2015

WISP Checklist

Have you:

  • Created a Written Information Security Program (WISP) that includes administrative, technical, and physical safeguards
  • Designated an employee to maintain and administer your WISP
  • Recorded the records and devices that contain PII
  • Included policies in your WISP that address how records with PII may be stored, accessed, and transported off your business’s premises
  • Assessed your current security measures and recorded the improvements needed
  • Checked that third-party service providers with access to PII are using proper security measures (the regulation also expects this obligation to be written into their contracts)
  • Identified everything within your business that contains PII
  • Created a procedure to review and update your WISP at least annually and whenever your business practices change materially
  • Trained employees on proper computer security practices, the importance of PII security, and the details of the WISP
  • Collected written confirmation that each employee has received a copy of the WISP
  • Implemented the ability to promptly block terminated employees’ access to physical and electronic PII records
  • Implemented an Acceptable Use Policy to protect computers against inappropriate use
  • Restricted access to electronic PII to employees who need it to do their jobs
  • Created a password policy that enforces strong passwords
  • Restricted access to PII to approved accounts that are assigned to individual users
  • Encrypted PII records transmitted across public networks or over wireless
  • Encrypted all PII stored on portable devices such as laptops and smartphones
  • Put monitoring in place that detects unauthorized access to or use of PII
  • Made sure you have a properly configured firewall with the latest firmware and updates
  • Kept operating system patches on workstations and servers up to date
  • Installed security software that includes malware protection, with virus definitions and security patches kept up to date
  • Secured all wireless access points
  • Restricted access to physical PII records through locked storage
  • Put controls in place to prevent PII from leaving the organization without authorization
  • Secured all PII records and files properly at the end of the day
  • Properly disposed of paper or electronic records containing PII (for example, shredding paper and wiping or destroying storage media)
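Two of the items above, recording the records and devices that contain PII and identifying everything in the business that contains PII, are hard to do by hand once files are scattered across shares and laptops. The script below is an added example, not code from the original post or from the regulation: it scans text for the two identifier types in the regulation's definition that have a recognizable shape, Social Security numbers and payment card numbers, and uses the Luhn checksum to discard digit runs that only look like card numbers. It reports masked values only, so the inventory itself does not become a new PII store. The file-suffix filter, the `mask` helper and the sample records are my assumptions and constructed data; whether a hit is actually "personal information" still depends on it being combined with a name, which a person must judge.

```python
"""PII discovery scan: flag SSNs and Luhn-valid payment card numbers in text.

Added example (not part of the original post). Constructed sample data only.
"""
import re
from pathlib import Path

# SSN in the common 3-2-4 form. Area 000, 666 and 900-999, group 00 and
# serial 0000 are never issued, so they are excluded to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate card numbers: 13-19 digits, optionally split by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used on card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> list[str]:
    """Return SSN-shaped strings found in text."""
    return SSN_RE.findall(text)


def find_card_numbers(text: str) -> list[str]:
    """Return digit-only card numbers from text that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_text(text: str) -> dict[str, list[str]]:
    """Scan one body of text and return findings by identifier type."""
    return {"ssn": find_ssns(text), "card": find_card_numbers(text)}


def mask(value: str) -> str:
    """Keep only the last four characters so the report does not reproduce the PII."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_directory(root: Path, suffixes=(".txt", ".csv", ".log")) -> dict[str, dict[str, list[str]]]:
    """Walk root and return {path: masked findings} for files with at least one hit.

    The suffix filter is an assumption for this example; widen it for your own data.
    """
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue                      # unreadable file: skip, do not abort the scan
        hits = scan_text(text)
        if hits["ssn"] or hits["card"]:
            report[str(path)] = {k: [mask(v) for v in vals] for k, vals in hits.items()}
    return report


# Constructed sample records (not real people; 4111 1111 1111 1111 is a standard test number).
SAMPLE_TEXT = """\
Jane Doe, SSN 123-45-6789, paid with 4111 1111 1111 1111
Invoice 1234567890123456 (an order id, fails Luhn)
Part no. 000-12-3456 is a SKU, not an SSN
Refund to 4111-1111-1111-1112 (typo, fails Luhn)
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for file_path, hits in scan_directory(Path(sys.argv[1])).items():
            print(file_path, hits)
    else:
        print(scan_text(SAMPLE_TEXT))
```

Run it with a directory argument to inventory a share or a laptop; without arguments it scans the constructed sample and reports one SSN and one card number, ignoring the SKU and the two digit runs that fail the Luhn check. Treat the output as a starting inventory for the WISP, not as proof that a file is free of PII: names, driver's license numbers and account numbers have no checksum and need a different approach.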