What is a Written Information Security Program?
A Written Information Security Program, or “WISP”, is the document that defines the administrative, technical, and physical safeguards you will use to protect the customer data that your business collects. Your WISP should address the risks identified in the risk assessment that you conduct and how you plan to mitigate those risks.
Physical Safeguards are the most obvious type. This means keeping unauthorized persons physically away from documents or networks containing customers’ NPI (non-public personal information). Locks are one example of a physical safeguard. Offices where NPI is available should be lockable, and locked whenever an authorized person is not present.
Technical Safeguards are the most important means you use to protect customers’ NPI and may require the advice of IT professionals. Limit permissions to electronically maintained NPI to only those persons who need it to do their jobs. Properly configured firewalls, anti-spam protection, and anti-virus protection are all technical safeguards that need to be considered. In addition, an intrusion detection system should be installed, including real-time monitoring. Most hackers exploit known vulnerabilities, and new vulnerabilities can arise literally overnight, which is why real-time monitoring is so important.
Administrative Safeguards involve changing the way your employees do their jobs and the way your dealership conducts its business so that the protection of customers’ NPI is enhanced. Employees are your biggest risk when it comes to safeguarding customer information. It is important that you conduct regular training on best Internet practices, such as: not clicking on links or attachments in unknown emails that may be phishing attempts; frequently changing passwords and keeping them secure; not giving out user names or passwords; and being suspicious of unusual emails.
Why do I need a WISP?
A WISP is a requirement of the Revised FTC Safeguards Rule. Any business that collects the non-public personal information of customers should have a WISP that outlines how they will protect this data. Here is what the revised FTC Safeguards Rule says about the WISP:
Information security program.
You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.
(b) Objectives. The objectives of section 501(b) of the Act, and of this part, are to:
(1) Insure the security and confidentiality of customer information;
(2) Protect against any anticipated threats or hazards to the security or integrity of such information; and
(3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
What do I do with the WISP once it has been created?
Once your WISP is adopted, you’ll need to test your program and periodically audit it to ensure its effectiveness. If your program is found lacking, you will need to update it.
The Safeguards Rule calls for an adjustment in response to “any material changes to your operations or business arrangements.” What this could mean in the context of a dealership is the addition of a new location to your dealer group. A new building would require its own risk assessment and safeguards.
Another “material change” could include switching DMS or other systems. Any other circumstances that you know or have reason to know may have a material impact on your information security program should also prompt a change to your WISP. This might mean unusually high employee turnover, an actual break-in at your dealership, or a customer’s report of an identity theft that may have originated at your dealership. All such events should be taken seriously and should result in a prompt – and documented – program audit, followed by a review, and if necessary, an update of your WISP.
Must I draft a WISP from scratch?
No – NADA has an excellent template in their Dealer Guide to the FTC Safeguards Rule. It’s free for NADA members or may be purchased by non-members for $89. You can download it here. If you need help getting started, Mosaic and our partners have resources to help. If you would like to learn more contact us for a Safeguards Consultation today or get started now by filling out our Network Status Questionnaire.