Massachusetts CMR 17.00 - Written Information Security Plan (WISP)
As of January 2010, any business which collects certain personal information about a Massachusetts resident is legally required to have a written plan for the development, implementation, maintenance and monitoring of a comprehensive, written information security program (“WISP”) applicable to that information.
The written plan needs to include:
- One or more employees designated to maintain the WISP.
- A security risk assessment.
- An evaluation of the effectiveness of current safeguards, with plans for improvement if needed, including ongoing training for employees and temporary workers, compliance with policies and procedures, and means for detecting and preventing security system failures.
- Security policies that take into account whether and how employees should be allowed to keep, access and transport records outside of business premises.
- Disciplinary measures for violations of the WISP rules.
- Procedures to prevent terminated employees from accessing records containing personal information by immediately terminating their access to such records, including deactivating passwords and user names.
- Verifying third-party service providers with access to personal information are also following the regulations.
- Limiting the amount of personal information collected to only what is necessary to accomplish the legitimate purpose for which it is collected.
- Limiting how long personal information is retained to only as long as is necessary to accomplish the legitimate purpose for which it is collected, or to comply with state or federal record retention requirements.
- Limiting access to personal information to only those who need access to accomplish the purpose for which it was provided.
- Identifying which paper, electronic or other records, or computers, laptops or portable devices contain personal information.
- Placing restrictions on the physical access to records containing personal information, including a written procedure stating how access is restricted, and storing such records and data in locked facilities, storage areas or containers.
- Regularly monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information, and upgrading information safeguards as necessary.
- Reviewing security measures at least annually or whenever there is a material change in business practices that may affect records containing personal information.
- Documenting actions taken in connection with any incident involving a breach of security, and conducting mandatory post-incident reviews of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
- Establishing and maintaining a security system covering computers, including any wireless system, that electronically stores or transmits personal information. The security system must include secure user authentication protocols, restricted access to records containing personal information to only those who need the information in the course of their job duties, encryption of any data transmitted wirelessly or stored on laptops or other portable devices, and firewall protection for anything connected to the internet.
Massachusetts has published a small business guide to the WISP, which is available for download from the state.