This sample Written Information Security Policy (WISP) is designed for a gift shop in a busy downtown area. It will give you ideas about how to create your own policy. As always, make sure your legal and computer helpers examine your Written Information Security Policy and approve it.
This is an example of a "text-based" security policy, written in Microsoft Word. The advantages of this approach are that the policy is readable, easy to print, and easy to write in plain language.
The disadvantage of this approach is that it is difficult to audit and check. We find that a spreadsheet format is best for auditing and checking. Our subscription-based template library gives you access to a sample WISP in a spreadsheet format. To read about the template library, go to our home page: www.massdatasafety.com/.
Here is the text-based policy:
The Right Gift: Our Information Security Policy
We are a gift shop in downtown
We'll first explain what sensitive information is, why we need it to do our daily business, how we handle it, and how we protect it from people committing identity theft and other crimes.
Information on who is responsible for what aspects of information security is in Roles And Responsibilities at the end of this document.
Sensitive information is information that is not lawfully available to the public and could be used to damage our customers, our employees, or our business. This includes:
- Personal information most commonly used to commit identity theft and similar crimes, such as a person's name and any of the following:
  - Personal identification, including: a social security number, or a number or other identifying information from a state ID card, driver's license, passport, or employee ID.
  - Financial account identification, including: bank account number or credit card number.
  - Other identifying information used to access financial accounts or non-public records, including: usernames, passwords, PINs, etc.
- Employee records, including payroll, pension, and insurance.
- Business-private information kept for legitimate business purposes, including business plans; vendor and customer lists; contracts; and account information of vendors, clients, and customers.
- Financial transactions with our customers, employees, and vendors, including cash, check, and credit card transactions.
- As attorneys, the information entrusted to us is legally protected by attorney-client privilege, but that protection in practice depends on following these procedures.
Customers, employees, vendors, and business partners entrust sensitive information to us for good business reasons. We store and use that information responsibly, protecting it from unauthorized or illegal use.
Here are some ways we use it:
- As required by law, we keep employment records, including payroll records and tax forms (W-4 and I-9). We also keep information about the health insurance plan we provide for employees.
- When a customer pays by check, we ask to see a driver's license or passport and record the number on the check. We scan the check, endorse it, and deposit it at our bank.
- When a customer pays by credit card, we examine the customer's ID (for example, a driver's license or passport), but we don't record the number. We normally don't record the credit card number (we just swipe the card through the reader), but if the reader is broken, we record the credit card information and deliver it to our credit card processing service.
Sensitive information can be stored and displayed on many kinds of media.
- Many of these media are casually removable and portable, including paper, microform, CD, DVD, external hard drives, and flash drives.
- Other media are not as casually removable, including computer internal hard drives.
All media are subject to theft by someone who:
  - breaks or bypasses the visual security of the store or home office, including seeing computer screens, checks, and credit slips of other people;
  - breaks or bypasses the physical security of the store or home office; or
  - breaks or bypasses the electronic security of our computers and networks.
It is our responsibility to make it reasonably difficult for someone to gain access to sensitive information in our possession.
We routinely share sensitive information with government agencies, which we assume follow information security policies that are legally compliant and over which we have no control.
We routinely share sensitive financial transaction information with our financial institutions, including customer checking account numbers and credit card numbers.
We routinely share sensitive information in the form of employment records, pension and insurance information, and other information required to be a responsible employer.
We share this with our bookkeeping service, our payroll service, our CPA firm, our legal counsel, and our business advisor. Our computer helping service may sometimes see this information in the course of repair work and consulting.
Each year, we require each of these organizations to confirm in writing, signed by the CEO or other authorized person, that they follow a written Information Security Plan that fully complies with all governmental laws and regulations for this location, including the Massachusetts information security regulations (201 CMR 17).
Our Information Security Manager (ISM), Samantha Hawley, trains every new member of our staff in his or her role in carrying out the Information Security Policy (ISP). This training is refreshed at least annually. New staff members agree in writing to follow our ISP, and understand that their continued employment in our organization depends on their following the ISP. Employees who fail to follow the ISP are given written warnings, followed, if necessary, by being asked to leave the organization.
A note about the paragraphs that follow: we talk about keeping paper records under lock and key, and computer records restricted to certain users. We use good common-sense practices about this. When we walk away from a Windows computer, we lock it with WindowsKey-L. On a Windows computer that doesn't have a Windows key, we lock it with Start > Log Off > Switch User.
We use good common-sense practices to protect sensitive information:
- Where reasonable, we store sensitive information in strongly encrypted form so that even if someone steals or accesses the media, they don't have easy access to sensitive information.
- In both the store and the home office, we keep all unencrypted and easily removable physical media that contain sensitive information (checks, credit slips, CDs, DVDs, tapes, flash drives, paper, microform, etc.) in a locked space where they are reasonably safe from burglary and intrusion. We routinely carry unencrypted media containing sensitive information between the store and the home office.
- When we use sensitive information, we hold the media and its contents closely, we don't share it inappropriately, and we return it to an appropriate locked space when we're done. For example, we don't leave lying on counters, tables, or desks any unencrypted sensitive information, including checks, credit slips, and file folders containing W-4s and I-9s. We also don't leave sensitive information displayed on an unattended computer screen.
We regularly destroy obsolete records.
- We destroy most paper records using an office-grade shredder.
- We destroy most records on re-writeable media (disk drives, flash drives, etc.) by US-Department-of-Defense-compliant overwriting of the information.
- We destroy other records in media-appropriate ways, such as physical breakage or delivery to an ISP-compliant information destruction service.
- Strongly encrypted sensitive information and the associated encryption key(s) may only be delivered together by hand.
- Strongly encrypted sensitive information may be delivered without the associated encryption keys in any medium by any route, including by mail or email.
- Strongly encrypted sensitive information and the associated encryption keys may both be mailed only on different days.
- Otherwise, encryption keys may only be delivered by fax or phone.
- Usernames and passwords may only be delivered together by hand.
- Usernames and passwords may both be delivered by mail only if they are mailed on different days.
- Otherwise, usernames may only be delivered separately by a route of hand, fax, phone, mail, or email; and passwords may only be delivered separately by a different route of hand, fax, phone, or mail. Passwords may never be delivered by email.
- When we receive checks from customers, we keep them in a locked space. The Store Manager or Assistant Store Manager scans them into a computer directory that can only be accessed by our Accounts Receivable staff (see Roles And Responsibilities).
- The Store Manager or Assistant Store Manager delivers checks, credit slips, cash, and other financial instruments by hand to an appropriate financial institution, such as our bank or credit card processing service.
- Unencrypted employment records are kept in a locked space and accessed only by the staff responsible for employment issues, which in our case are the store manager, Samantha Hawley, and the owner, Virginia Eckhart.
- When anyone needs to take unencrypted records with sensitive information anywhere not listed above, they must first explain in writing the business reasons that this is necessary, and the ISM or the owner must give written permission.
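The delivery rules above for encrypted data with its keys, and for usernames with passwords, can be written down as a small policy-as-code check so that a planned delivery can be tested before anything is sent. This is an added example, not part of the sample policy; the `Shipment` record, the route names, and the day numbers are assumptions made up for the example.

```python
from dataclasses import dataclass

ROUTES = {"hand", "fax", "phone", "mail", "email"}


@dataclass(frozen=True)
class Shipment:
    item: str   # "data" (strongly encrypted), "key", "username" or "password"
    route: str  # one of ROUTES
    day: int    # day number on a constructed calendar (example value)


def _same_route_rule(a, b):
    """Rules for two parts travelling by the same route: together by hand is
    always allowed, together by mail only on different days; any other shared
    route is left (None) to the separate-route rules of the caller."""
    if a.route != b.route:
        return None
    if a.route == "hand":
        return True, "delivered together by hand"
    if a.route == "mail":
        ok = a.day != b.day
        return ok, "mailed on different days" if ok else "both mailed on the same day"
    return None


def check_key_delivery(data, key):
    """Encrypted data and its key: otherwise the key goes only by fax or phone."""
    decided = _same_route_rule(data, key)
    if decided is not None:
        return decided
    if key.route in {"fax", "phone"} and data.route in ROUTES:
        return True, f"data by {data.route}, key by {key.route}"
    return False, f"key may not travel by {key.route} when data goes by {data.route}"


def check_credential_delivery(user, pw):
    """Username and password: otherwise separate routes, password never by email."""
    decided = _same_route_rule(user, pw)
    if decided is not None:
        return decided
    if pw.route == "email":
        return False, "password may never be delivered by email"
    if user.route in ROUTES and pw.route in ROUTES and user.route != pw.route:
        return True, f"username by {user.route}, password by {pw.route}"
    return False, f"username by {user.route} and password by {pw.route} is not permitted"
```

Each check returns a (permitted, reason) pair, so the reason can be shown to the staff member who planned the delivery.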
We deliver unencrypted sensitive information to customers and to ISP-compliant vendors only by hand, fax, mail, phone, or ISP-compliant delivery service.
Employment records are kept in a locked space or in a Secure Computer Network. See "Secure Computer Network" below for our practices for keeping our computer network secure.
We email sensitive information between us and our payroll and pension companies, accountant, and bookkeeper only in strongly encrypted form with a password arranged by in-person, fax, or telephone contact.
Passwords must be at least 8 characters, including one punctuation mark and one change of case. The password must be hard to crack by a dictionary attack, so if it contains a word or a proper name, it must contain at least TWO unrelated words or proper names.
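The password policy above can be checked mechanically before a password is accepted. This is an added example, not part of the sample policy; the word list is a small constructed stand-in for a real dictionary plus list of common proper names, and "unrelated" is approximated as two distinct dictionary words neither of which is merely part of the other.

```python
import string

# Constructed mini-dictionary for the example; a real check would load a full
# word list and a list of common proper names.
WORDLIST = {"gift", "shop", "purple", "summer", "boston", "samantha",
            "password", "monkey", "river"}


def _words_found(pw: str) -> set:
    """Dictionary words present in the password, ignoring case; a word that
    only occurs inside a longer matched word is not counted separately."""
    low = pw.lower()
    found = {w for w in WORDLIST if w in low}
    return {w for w in found if not any(w != o and w in o for o in found)}


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation mark")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no change of case")
    words = _words_found(pw)
    if len(words) == 1:
        problems.append(f"contains a single dictionary word or name ({words.pop()!r}); "
                        "use at least two unrelated ones")
    return problems
```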
The ISM keeps all passwords in a master password file encrypted with a master password that is shared by the Owner, the Store Manager, and Legal Counsel. The password list includes the administrator password for all our PCs and servers, which is shared by the Store Manager, the Owner, and our Computer Helping Company (see Roles And Responsibilities).
We discourage co-workers from sharing their passwords, but we accept the reality that co-workers will often learn one another's passwords. Therefore, the ISM changes all workstation passwords at least once a year and whenever an employee leaves.
The workstation administrator password is often stored by multiple programs, including the backup system. Changing it everywhere is a major undertaking, so we do it only when security urgently requires it, such as when a senior staff person leaves on bad terms.
Strong Encryption means using WinZip's AES-256 encryption (or TrueCrypt's AES-256 encryption), and using our Password Policy.
We have tested WinZip ($30) and TrueCrypt (free), and we feel that WinZip is better suited to the task of sending business files back and forth in encrypted format.
We do not keep PI (personal information) on laptops or other handheld or portable devices. We store backups on external hard drives and flash drives, encrypted with Strong Passwords using Strong Encryption.
We configure our network as follows:
- Firewall passes the GRC test.
- Passwords changed when staff leave. Workstation passwords changed annually.
- Cabling secure.
- Wireless uses WPA.
- Strong Passwords, multiple-failure lockout.
- Antivirus kept up to date both in version and in signatures, and certified by ICSA.
- Malwarebytes and SAS kept up to date.
- Staff run scans in case of slowness or other anomalies.
- Anti-phishing and poisoned website measures.
- Remote access is only by remote access software that is encrypted and secure, using screen blanking and keyboard locking.
When a new computer is added to our network, it is secured with our master administrator password, and users are given appropriate logins with passwords. These passwords, like all passwords in the company, are kept on the Master Password list. When a computer is replaced, the old computer's data folders are erased using Tolvanen Eraser with the DOD 3-pass erasing standard. If a hard drive cannot be erased because it is broken, we destroy its electrical leads and dispose of it in the trash.
When a staff person leaves our organization, all passwords that person used are changed, so that the person no longer has access to our computer network remotely or if s/he visits the office. The person also returns any keys used to physically secure PI.
Computer backups are encrypted using AES-256 encryption, with a strong password. We keep regular backups on and offsite, and test them regularly.
If a Breach Occurs
If our ISM determines that PI has been stolen, she will notify the Office of Consumer Affairs & Business Regulation (OCABR) and the Attorney General's Office, describing the theft in detail, and work with authorities to investigate the crime and to protect the victim's identity and credit. To the extent possible, our ISM will also warn the victims of the theft so that they can protect their credit and identity.
- Computer Security:
  - Everyone must enter a correct username-password pair to access one of our computers.
  - If someone fails to enter the correct password for a username several times in a row, the computer locks that username. The Information Security Manager or designee must unlock the username before anyone can log in with that username.
  - The operating system is set to automatically download and install security updates.
  - Antivirus is configured to download and install both code and virus signature updates.
  - Malwarebytes and (SAS – what is this?) are configured to automatically download and install security updates. If computers seem to be slow or otherwise not working normally, the staff run scans on the computer. If the problem persists, the ISM contacts the computer helping service.
  - Anti-phishing and poisoned website measures.
  - Remote access is only by remote access software that is encrypted and secure, using screen blanking and keyboard locking.
- Our computers are on a Secure Network. (See MassDataSafety.com for details.)
  - The firewall passes the GRC test.
  - When a staff member leaves, the Information Security Manager removes or changes all passwords to which that person had access.
  - Each year, the Information Security Manager changes all workstation passwords.
  - Network cables are (secure – what does this mean?).
  - The wireless network uses WPA encryption with strong passwords.
Roles And Responsibilities

Role Name | Responsibility | Person(s)
Owner | Everything, including Accounts Receivable, Employment, and Information Security. | Virginia Eckhart
Store Manager | Everything assigned by the Owner. | Samantha Hawley
Information Security Manager | Regularly review and update this Information Security Plan; train new staff and refresh training of all staff on information security; regularly audit staff and vendors on information security compliance. | Samantha Hawley
Assistant Store Manager | Deliver checks to the bank and other responsibilities assigned by the Store Manager. | James Sorkin
Store Staff | Work with customers, perform financial transactions, follow the Information Security Plan and other policies of the organization. | various
Accounts Receivable | Billing. | Owner, Store Manager, Bookkeeping Service, CPA Firm
Employment Staff | Maintain and transmit employment records. | Owner, Store Manager
Computer Helping Company | Install and repair computers and software. Consult on issues relating to computers or security. | Computer Care And Learning
CPA Firm | Audit financial records and advise on financial issues. |
Bookkeeping Service | Keep financial records, issue bills, prepare financial reports. |
Business Advisor | Advise in business matters. |
Legal Counsel | Advise and represent in legal matters. |
Payroll Service | Issue payroll as directed by the Owner and Store Manager. |