IT risk management: Is your WISP policy document up to date?
Colleges and universities must address a constant onslaught of new risks as well as a growing number of compliance laws and regulatory mandates.
Examples of potential IT risks today include security breaches, data loss or theft, cyberattacks, system failures, and natural disasters. Anything that could affect the confidentiality, integrity and availability of higher education institution systems and assets can be considered an IT risk. And these risks present challenging legal, technical and operational issues.
IT risk management entails identifying, monitoring and managing potential information security or technology risks, with the goal of mitigating or minimizing their negative impact. As such, a Written Information Security Program (WISP) policy document functions as the foundation, oversight and driver of a comprehensive information security program.
What is a WISP policy document?
The WISP document provides comprehensive guidelines and policies designed to safeguard all data and to comply with applicable laws and regulations. It also establishes employee responsibilities in safeguarding data as well as administrative, technical and physical safeguards to ensure the security of sensitive data, acceptable uses of technology, and accountability.
Given the organization's objectives and strategies, a WISP document should be developed to set out the process used to achieve them. As such, it defines student and employee data protection responsibilities; the processes outlining how and when to use certain technologies; acceptable use expectations; and the roles and authority assigned within the organization to accomplish its strategic directives.
Once the document is in place, the risk management controls and technologies necessary to implement its guidelines and policies can be planned, evaluated and carried out.
Regular maintenance and updates are necessary based on the results of periodic risk assessments and security reviews to reflect and respond to changes in the IT systems and the legal and regulatory risk environment.
Using WISP to increase security awareness
The WISP document should be a major component of an institutional security awareness program. It should be reinforced on a regular basis to faculty and staff, and it should be made part of new-hire orientation programs to increase security awareness and practical implementation of security best practices. This ensures that everyone has an appropriate level of know-how about security and risks along with an appropriate sense of responsibility.
For example, a WISP document for a university or college will state that the chief information security officer (CISO) is responsible for educating all users on the WISP document. When communicating the WISP training requirements to faculty and staff, the CISO relies on the authority granted in the document to do so. The document also expresses user responsibility to protect sensitive information. As such, users receive the WISP education communication as properly authorized by the document and view it as part of their responsibility to protect organizational systems and data.
The document also lays out specific expectations for employee behavior with respect to company systems and information, as well as penalties for policy violations. As a result, the document creates an accountability structure that protects the organization and its employees. From the higher ed institution’s perspective, management has recourse if an employee violates the document. From an employee perspective, the document clarifies expectations with respect to employee behavior and the handling of information and related systems.
Following the WISP education example, the document states that new employees are expected to complete WISP training within a prescribed period following the date of hire. The document also states that employees who have not completed the training within the prescribed period will experience suspension of system credentials until the training has been completed. These specifications provide a clear expectation of employee behavior and prescribe logical consequences for noncompliance, which reduces risk by protecting sensitive data until the policy directives are met.
Nicholas M. Tella is the director of information security and an adjunct professor for the College of Engineering & Design at Johnson & Wales University in Providence, Rhode Island. He is a UB Tech® featured speaker, presenting the “Managing IT Risk Through Policy-Driven Implementation” session.