How prepared is your firm to handle the aftermath of a security incident? If you haven’t documented your firm’s safeguards, then you may find yourself in hot water. Written Information Security Plans (WISPs) are must-haves in our security-focused culture – just ask your regulators and investors. Below are some insights into the development and maintenance of WISPs.
What is a WISP?
A WISP is the formal documentation of a firm’s plans and systems put in place to protect personal information and sensitive company data. It covers both administrative and technical safeguards, and it identifies what information is confidential, where it is located, how it is protected, and who has access to it. On the technical side, this means an assessment of the controls currently in place, such as penetration testing and encryption, as well as of technical policies like password rotation and access control.
In today's changing regulatory and investor landscape, written information security plans are critical for hedge funds and private equity firms to comply with SEC (and other) regulations, due diligence requests and state laws.
Development: Creating the WISP
When developing a WISP for your firm, it is important to avoid falling into cookie cutter templates that are too broad and may not cover all aspects of your firm’s security. When creating a WISP specifically for your business, be sure to identify and cover these following areas:
• Business Operations Assessment: Identify what systems and plans are currently in place to safeguard information. Who can access the information, how do they access it, and where and on what systems is it used or stored? With the rise of the Internet of Things (IoT), data now sits on and passes through devices that are easy to overlook, including printers, webcams and other networked equipment. All of this data needs to be accounted for when planning safeguards.
• Technical Policy Assessment: Evaluate the technical procedures the firm goes through to protect data.
• Regulation Requirements: To stay compliant with regulations and laws, firms must stay up-to-date on the legal environment and document legislation the firm must adhere to.
• Cybersecurity Incident Response Guidelines: Identify who is responsible in the event of a breach, whether that is the Computer Security Incident Response Team (CSIRT), the Chief Information Security Officer (CISO), or both. A CSIRT should be made up of both IT and business personnel so that both perspectives are represented.
• Third Party Risk Assessment: If your firm relies on third-party vendors, it is imperative that there is an understanding of what information they can access and security measures they themselves have in place to protect both your information and their own. It’s one thing to put faith in your service providers to do their jobs effectively. It’s another to ignore your own firm’s responsibility to manage that provider in an effort to protect your own firm.
• Employee Guidelines: It is important to inform and educate internal staff on the policies and procedures included within a WISP and best practices for a smart security strategy.
• Cybersecurity Landscape: Identify the threats the firm currently faces. Map them against the technical policy assessment to find the areas that need improvement.
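The business operations and third-party assessments above amount to an inventory question: which systems hold confidential data, who and which vendors can reach them, and are the safeguards the WISP claims actually in place? The following is an added example, not code from the original article, showing how such an inventory can be kept in a reviewable form and checked automatically. The systems, group names, vendor names and approval lists are constructed sample data.

```python
"""Added example (not part of the original article): a small
data-inventory review of the kind a Business Operations Assessment and
Third Party Risk Assessment call for. All entries below are constructed
sample data, not real systems or vendors."""
from dataclasses import dataclass


@dataclass
class System:
    name: str
    classification: str   # "confidential" or "internal"
    encrypted_at_rest: bool
    access: set           # groups and vendors ("vendor:<name>") with access
    owner: str


# Constructed sample inventory.
INVENTORY = [
    System("research-share", "confidential", True,
           {"research", "it-admins"}, "Head of Research"),
    System("trading-algos-repo", "confidential", False,
           {"quant", "it-admins", "vendor:git-host"}, "CTO"),
    System("lobby-printer", "internal", False,
           {"all-staff", "vendor:print-mgmt"}, "Office Manager"),
    System("investor-crm", "confidential", True,
           {"investor-relations", "all-staff"}, "Head of IR"),
]

# Groups the WISP permits to reach confidential data, and vendors that have
# completed a third-party risk assessment (both constructed for the example).
APPROVED_CONFIDENTIAL_GROUPS = {"research", "quant", "investor-relations", "it-admins"}
ASSESSED_VENDORS = {"vendor:print-mgmt"}


def review_inventory(systems, approved_groups, assessed_vendors):
    """Return (system, finding) pairs for every gap between the inventory
    and the safeguards the WISP claims. Order follows the inventory order."""
    findings = []
    for s in systems:
        vendors = {a for a in s.access if a.startswith("vendor:")}
        groups = s.access - vendors
        if s.classification == "confidential":
            # Confidential data must be encrypted where it rests.
            if not s.encrypted_at_rest:
                findings.append((s.name, "confidential data not encrypted at rest"))
            # Only the approved groups may hold access to confidential data.
            for g in sorted(groups - approved_groups):
                findings.append((s.name, f"group '{g}' has access outside approved set"))
        # Any vendor with access, to any system, needs a completed assessment.
        for v in sorted(vendors - assessed_vendors):
            findings.append((s.name, f"third party '{v}' has access but no completed risk assessment"))
    return findings


if __name__ == "__main__":
    for system, finding in review_inventory(INVENTORY, APPROVED_CONFIDENTIAL_GROUPS, ASSESSED_VENDORS):
        print(f"{system}: {finding}")
```

Re-running the review whenever roles, systems or vendors change gives the audit step a concrete artefact to check against, rather than relying on the prose in the WISP staying accurate by itself.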
Audit: Re-evaluating your WISP and Assessing your Risk
As roles, job titles, threats and regulations change, it is important that your WISP remains current so that it still reflects the safeguards the firm actually has in place.
• Assessment: As roles change, review the existing policies and procedures in your WISP. Is everything still current? Has the document been updated to reflect changes in your business?
• Reporting: Report any exposures that should be addressed in the WISP and other recommendations made to ensure the protection of information.
• Sample Documentation: Create templates for third party risk assessments and employee guidelines.
When it comes to security an employee can either be a firm’s greatest asset or weakest link, hence it is critical that all employees understand and implement all security practices.
• Defining: Employees, investors, etc. should have an understanding of what is deemed confidential information; for example, research notes, algorithms, the firm’s financial status, etc. If there is not a clear guideline for employees to follow then confidential data may not be handled appropriately.
• Computer Security Incident Response Team: Creating a team on paper isn’t enough; employees need to know and be trained on how they should react in the event of a breach.
• Guidelines: What are the procedures for company-owned equipment and how should an employee utilise those devices? Training in these areas could reduce the risk of a breach.
• Internal vs External Threats: Training employees on risks such as social engineering, phishing, user error and the loss of USB devices is critical to ensuring they understand how to react in the event that something happens.
The financial industry landscape is ever-changing, with new regulations, sophisticated hackers, evolving threats and a fluctuating market. To stay protected, firms must continuously update their WISP documentation, especially the summary, third party assessments and employee guidelines to stay ahead of threat scenarios and ensure preparations are in order in the event a security incident occurs.