Personal Data Breach Preparedness: Written Information Security Plans

By Randi Morrison posted 01-19-2020 09:40 PM

Bryan Cave's "Do Companies Need a Written Information Security Plan?" imparts sound advice to companies: develop, and keep current, a written information security plan (WISP) that can support the company's defense in the event of a personal data (e.g., customer PII) breach.

Key components of the WISP include:

  • The administrative, technical, and physical safeguards to keep sensitive personal information secure
  • The company's process to identify risks to the information it maintains
  • The specific employee ultimately responsible for maintaining and implementing security policies
  • The sensitive information maintained by the company, where and how it will be stored, and how it can be transported away from the company
  • Procedures for assigning usernames and passwords, encryption, provisioning and de-provisioning user credentials, employee security training, data destruction, and retaining service providers that have data access

The memo also identifies ISO and NIST as among the most popular third-party frameworks that some companies use as models in lieu of developing their own WISP from scratch. 

See the firm's "Data Security Breach Handbook" and numerous additional resources on our Cybersecurity/Data Privacy page. This post first appeared in the weekly Society Alert!
