
Enterprise-Class Written Information Security Program (WISP)

BlackHat Consultants provides small and medium-sized businesses with exactly what they need to protect themselves - professionally written policies, procedures, standards and guidelines at a very affordable cost. Similar documentation standards can be found in Fortune 500 companies that have dedicated IT Security staff. All policies are backed up by documented best practices.

The Written Information Security Program (WISP) provides a comprehensive framework to manage your company’s Information Security program. The WISP allows you to implement the steps and documentation to be compliant with Federal, state and industry regulations.

WISP Example Policy

Information security documentation is comprised of four main parts: a core policy; procedures that must be followed; measurable standards used to quantify the policy; and guidelines that are recommended, but not mandatory.

The Written Information Security Program (WISP) is applicable to every business. It is written so that it is customized to your company. You will be provided with the policies, procedures, standards, and guidelines required to properly educate your employees about their responsibilities and to provide documentation of your standards.

Small and medium-sized businesses have always been at a disadvantage when it comes to securing their networks from threats. Generally, the lack of expertise and staffing are the contributing factors, but the overwhelming issue is a false sense of security. This false sense of security comes from business owners not asking the question of what issues they should be compliant with and from the IT provider or staff not being proactive and bringing up compliance issues to management. This scenario creates a dangerous set of assumptions that can potentially put the company out of business. Unfortunately, ignorance is neither bliss, nor is it an excuse! What your employees do not know has the proven ability to hurt your company. In terms of liability for a company, security does not exist until it is documented.

Your WISP will contain your logo on the front cover and the document is written from your company's perspective, incorporating your company's name throughout the document. This helps employees "take ownership" of the document and abide by the policies. The document also has extensive footnoting and references so that you have clear evidence of the policies supporting industry-recognized best practices.

Written Information Security Program (WISP) highlights:

  • Easy to implement & tailored to your company
  • Policies are based on NIST 800-series and ISO 27000-series standards
  • Dozens of policies and standards specifically tailored for small to medium businesses
  • Covers the PCI DSS, GLBA, SOX, HIPAA, FACTA and more!
    • Identifies administrative, technical and physical factors associated with Information Security
    • Provides standards for both assessing risk and hardening of networks and systems
    • Comprehensive encryption procedures
    • Ongoing user education and security awareness training
    • Incident response procedures
    • Procedures to audit user accounts and deal with terminated employees
  • Includes Security & Compliance Director (SCD) appointment orders, an employee acknowledgment form, and other useful forms to allow you to implement a complete Information Security program right away

[Image: Written Information Security Program (WISP) product cover]

It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft. If you have 2 or more employees, a WISP is just as important as the professional liability insurance you carry on your business.

The benefits of Information Security for small and medium businesses are many:

  • Decreased costs - less reactive IT support
  • Improved productivity - decreased distractions
  • Decreased virus & spyware outbreaks
  • More efficient operations
  • Better performing network & computers
  • Better accountability of assets & resources
  • Better educated & trained employees

What Makes BlackHat Consultants’ Written Information Security Program (WISP) Superior To The Competition

The Written Information Security Program (WISP) is logically organized, following industry-recognized best practices as established by the National Institute of Standards & Technology (NIST).

Security controls are synonymous with standards. Security controls have a well-defined organization and structure. Security controls are organized into classes and families for ease of use in the control selection and specification process. There are four general classes of security controls:

  • Common
    • Common controls address Information Security program-level security topics.
    • These common controls establish the overall framework for management, operational and technical controls.
  • Management
    • Management controls address techniques and concerns that are normally addressed by management in the Information Security program.
    • Management controls focus on the management of the Information Security program and the management of risk within the company.
  • Operational
    • Operational controls address techniques and concerns that are generally implemented and executed by people, as opposed to systems, and that are put in place to improve the security of a particular system or group of systems.
    • Operational controls often require technical or specialized expertise, and often rely upon management activities as well as technical controls.
  • Technical
    • Technical controls address processes and concerns that a computer system executes.
    • Technical controls are dependent upon the proper functioning of the system for their effectiveness and therefore require significant operational considerations.

These classes of controls have subordinate families of controls. While they sometimes have overlapping coverage, as visualized below, the end product is a comprehensive Information Security program that will serve your company well.

Example - Control Overlaps

The best method to describe the comprehensive nature of the policies of the Written Information Security Program (WISP) is to show you how our policies both cover industry-recognized best practices, as well as how regulatory and non-regulatory requirements map out to the policies within the WISP.

Click on the image below to open a PDF document that lays out the policies within the WISP, the industry best practices used, and the corresponding requirements that are addressed by those policies.

Example - Control Matrix

WISP Best Practices & Compliance Chart


Copyright 2005-2012. All rights reserved.
BlackHat Consultants, LLC is Veteran owned - We are proud to support the small & medium businesses that help make this a great country.

The CompTIA Security Trustmark logo is a registered trademark of CompTIA (Computing Technology Industry Association). All rights reserved.