WISP it good: Composing a data security plan
In its 1980 hit song “Whip It,” the American new wave band Devo espoused a certain sunny optimism for overcoming problems that life may send your way. That catchy tune continues to speak to us today as we grapple with contemporary business problems. Atop the hit list of most urgent business threats is the growing crescendo of data security risk.
When it comes to managing data security, many in business hit a flat note. To be honest, most businesses do not treat data security as a priority. Perhaps it’s the perceived expense involved. Maybe it’s a fear of the unknown. As with all business risks, there is a judgment to be made — whether or not to roll the dice and chance it. Normally the law allows a business to make this type of judgment, but that’s no longer the case with data security.
For every business, there is now a law in the United States that requires the business to secure any non-public third-party data that it possesses. The law may be in the form of a state or federal statute, or in the nature of a common law obligation as determined by an applicable court. In all cases, data security is no longer a business choice, but rather a legal obligation.
Most data security laws now require companies to implement a data security plan and to memorialize the plan in writing. These plans are generically referred to as “Written Information Security Plans” or “WISPs.” A WISP is helpful in several ways. First, it forces a company to evaluate its current security environment. Second, it creates a roadmap for implementing and managing a security plan. Lastly, it provides a written record — evidence — that the company is taking steps to secure its data in compliance with law. For these reasons, a WISP is both a good business decision and a sound method of documenting an organization’s compliance efforts.
Creating a WISP requires both technical and legal assistance. As to technical assistance, an IT security consultant will identify the security procedures for your organization to follow and will document those in the WISP. As to legal assistance, a lawyer will ensure that the WISP is addressing the required elements under applicable law and will also help draft any additional policies needed to document compliance.
If your organization has yet to grapple with the emerging threat of data security, now is the time to start by implementing a WISP. Don’t procrastinate; the downside is significant. Instead, listen to the prescient words of Devo and “shape it up, get straight, go forward, move ahead.” And WISP it good.
Click here to sign up for the free IB ezine — your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.