Written Information Security Program (WISP)
All Things Praise
Effective Date: 01/0/2013
Website: https://www.allthingspraise.com
1. Purpose
This Written Information Security Program (WISP) establishes administrative, technical, and physical safeguards to protect the personal, client, and company data managed by All Things Praise. It is designed to comply with applicable laws and best practices concerning information security and data privacy.
2. Risk Assessment
Internal Risks:
- Unauthorized employee access to sensitive client information.
- Accidental deletion or mishandling of client records.
- Insider threats due to lack of security training.
External Risks:
- Cyberattacks (e.g., phishing, ransomware, malware).
- Website breaches targeting client data.
- Loss or theft of company devices containing sensitive information.
Assessment Procedures:
- Conduct annual risk assessments to identify new vulnerabilities.
- Maintain an updated inventory of data storage locations and systems.
3. Safeguards and Controls
Technical Controls:
- Implement SSL/TLS encryption for all website data transmissions.
- Use firewalls and intrusion detection/prevention systems (IDS/IPS).
- Enforce strong, unique passwords and multi-factor authentication (MFA) for all internal systems.
Physical Controls:
- Limit physical access to servers and devices storing sensitive data.
- Secure backup drives and hard copies in locked facilities.
Administrative Controls:
- Define user roles and permissions based on minimum necessary access principles.
- Regularly review access logs and permissions.
4. Data Handling Policies
Data Storage:
- Store client data securely using encrypted cloud services that comply with industry standards (e.g., ISO 27001, SOC 2).
Data Access:
- Grant access to client information only to employees who require it to perform their job duties.
Data Disposal:
- Use secure deletion tools for electronic data and cross-cut shredding for physical documents when they are no longer needed.
5. Incident Response Plan
In the Event of a Data Breach:
- Detection: Immediately investigate any suspected breach.
- Containment: Limit the scope and impact of the breach.
- Assessment: Identify affected data and evaluate risks.
- Notification:
  - Notify impacted clients promptly, no later than 72 hours after confirming a breach.
  - Report breaches to regulatory bodies if required by law.
- Remediation:
  - Correct vulnerabilities that led to the breach.
  - Review and update security measures to prevent recurrence.
- Documentation: Maintain detailed records of the breach and response actions taken.
6. Employee Training
- Provide onboarding and annual training sessions covering:
  - Information security best practices.
  - Phishing and social engineering awareness.
  - Secure handling and disposal of sensitive information.
- Conduct regular simulated phishing tests to reinforce training.
7. Regular Security Reviews
- Internal Audits: Conduct semi-annual security audits of systems, policies, and employee compliance.
- External Audits: Engage third-party security firms for annual penetration testing.
- Updates: Revise this WISP at least annually, or sooner if significant changes in operations, regulations, or threats occur.
Document Owner: Amari Winrow, Data Protection Officer
Approval Date: 01/01/2023
Next Review Date: 01/01/2026