Written Information Security Program (WISP)
Just as Human Resources publishes an "employee handbook" to tell employees what is expected of them from an HR perspective, the Written Information Security Program (WISP) does the same from a cybersecurity perspective. The WISP provides the underlying cybersecurity documentation that must be in place to satisfy common statutory, regulatory and contractual requirements.
The WISP answers the "why?" and "what?" questions an auditor asks, since policies and standards form the foundation of a cybersecurity program (procedures, which answer "how?", build on them).
The WISP contains cybersecurity policies, control objectives, standards and guidelines in an editable Microsoft Word format.
There are three (3) versions to choose from, based on your organization’s current and future needs:
- NIST 800-53 – This version of the WISP has one policy for each of the NIST 800-53 rev4 control families (the 18 security control families plus the 8 privacy families of Appendix J), for a total of 26 policies. Under each policy are the standards and guidelines that support it.
- ISO 27002 – This version of the WISP has one policy for each of the 14 control clauses of ISO 27002:2013, for a total of 14 cybersecurity policies.
- NIST Cybersecurity Framework – This version of the WISP has 27 policies, with the NIST CSF subcategories mapped into standards that support those policies. It is tailored for smaller organizations that have limited compliance requirements but still want to align with an industry "best practice" framework.
The frameworks differ mainly in scope:
To help visualize it, the fourteen (14) control clauses of ISO 27002:2013 fit within the twenty-six (26) families of NIST 800-53 rev4, so in terms of coverage ISO 27002 is essentially a subset of NIST 800-53.
The NIST Cybersecurity Framework (NIST CSF), however, borrows parts of ISO 27002 and parts of NIST 800-53 to form a "middle ground" that fully covers neither framework. That makes the NIST CSF a better fit for smaller companies, while ISO 27002 and NIST 800-53 suit larger companies or those with specific compliance obligations, such as the Payment Card Industry Data Security Standard (PCI DSS).
What problem does the WISP solve?
- Lack of In-House Security Experience – Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid at all costs. Tasking your security analysts and engineers with writing comprehensive documentation takes them away from protecting and defending your network, which is not a wise use of their time. The WISP is an efficient way to obtain comprehensive security policies and standards for your organization.
- Compliance Requirements – Most organizations, regardless of industry, are required to have formally documented security policies and standards. Requirements range from PCI DSS to HIPAA to NIST 800-171. The WISP is designed with compliance in mind: it follows leading security frameworks to address reasonably expected security requirements and maps to several leading compliance frameworks so you can see clearly what is required.
- Audit Failures – Security documentation does not age gracefully like a fine wine. Outdated documentation leaves gaps that expose organizations to audit failures and system compromises. The WISP's standards map to leading security frameworks to show exactly what is required to stay both secure and compliant.
- Vendor Requirements – Clients and partners commonly request evidence of a security program, including its policies and standards. The WISP provides that evidence.
How does the WISP solve it?
- Clear Documentation – The WISP provides comprehensive documentation that demonstrates your security program exists, saving hundreds of hours and tens of thousands of dollars in staff and consultant expenses compared with writing it from scratch.
- Time Savings – The WISP gives your organization a semi-customized starting point that requires minimal resources to tailor to your specific needs.
- Alignment With Leading Practices – The WISP is written to align your organization with leading frameworks such as ISO 27002, NIST CSF and NIST 800-53.