Written Information Security Program Development

Your WISP should address the risks identified in the risk assessment that you conduct and how you plan to mitigate these risks.

What is a Written Information Security Program?

A written Information Security Program or “WISP” is the document that defines the administrative, technical, and physical safeguards you will use to protect the customer data that your business collects. Your WISP should address the risks identified in the risk assessment that you conduct and how you plan to mitigate these risks.

Physical Safeguards

Physical Safeguards are the most obvious type. This means keeping unauthorized persons physically away from documents or networks containing customers’ NPI. Locks are one example of a physical safeguard. Offices, where NPI is available, should be lockable and locked when an authorized person is not present.


Technical Safeguards

Technical Safeguards are the most important means you use to protect customers’ NPI and may require the advice of IT professionals. Limit permissions to electronically-maintained NPI to only those persons who need it to do their jobs. Properly configured firewalls, anti-spam protection, and anti-virus protection are all technical safeguards that need to be considered. In addition, an intrusion detection system should be installed, including real-time monitoring. Most hackers exploit known vulnerabilities. New vulnerabilities can arise literally overnight, which is why real-time monitoring is so important.


Administrative Safeguards

Administrative Safeguards involve changing the way your employees do their jobs and your dealership conducts its business so that the protection of customers’ NPI is enhanced. Employees are your biggest risk when it comes to safeguarding customer information. It is important that you conduct regular training on best Internet practices such as not clicking on links and attachments in unknown emails that may be phishing attempts; frequently changing passwords and keeping them secure; not giving out user names or passwords, and being suspicious of unusual emails.

Why do I need a WISP?

A WISP is a requirement of the Revised FTC Safeguards Rule. Any business that collects the non-public personal information of customers should have a WISP that outlines how they will protect this data. A WISP demonstrates your commitment to your customers (and to regulators should you experience a data breach) that you take data security seriously.

What do I do with the WISP once it has been created?

Once your WISP is adopted you’ll need to test your program and periodically audit the program to ensure its effectiveness. If your program is lacking you may need to update it.


The Safeguards Rule calls for an adjustment in response to “any material changes to your operations or business arrangements.” What this could mean in the context of a dealership is the addition of a new location to your dealer group. A new building would require its own risk assessment and safeguards.

Another “material change” could include switching DMS or other systems. Any other circumstances that you know or have reason to know may have a material impact on your information security program should also prompt a change to your WISP. This might mean unusually high employee turnover, an actual break-in at your dealership, or a customer’s report of an identity theft that may have originated at your dealership. All such events should be taken seriously and should result in a prompt – and documented – program audit, followed by a review, and if necessary, an update of your WISP.

Must I draft a WISP from scratch?

No – NADA has an excellent template in their Dealer Guide to the FTC Safeguards Rule. It’s free for NADA members or may be purchased by non-members for $89. You can download it here. If you need help getting started, Mosaic and our partners have resources to help. If you would like to learn more contact us for a consultation today or get started now by filling out our Network Status Questionnaire.