The Comprehensive Written Information Security Program (WISP) Compliance Checklist
- Do you have a comprehensive, written information security program (“WISP”) applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts (“PI”)?
We offer the service of helping you create a comprehensive Written Information Security Program and Internet Usage Policy - Does the WISP include administrative, technical, and physical safeguards for PI protection?
- Have you designated one or more employees to maintain and supervise WISP implementation and performance?
- Have you identified the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices that contain personal information?
We can help you inventory all of the systems in your organization. Additionally, our Gateway Security Appliance logs identifying information (IP Address, MAC Address, Device Type, etc.) about every device that connects to the network. - Have you chosen, as an alternative, to treat all your records as if they all contained PI?
Our File Server Appliance can be enabled to encrypt every file at the server, so it treats all files as if they contained sensitive information. - Have you identified and evaluated reasonably foreseeable internal and external risks to paper and electronic records containing PI?
- Have you evaluated the effectiveness of current safeguards?
- Does the WISP include regular ongoing employee training, and procedures for monitoring employee compliance?
Our File Server Appliance offers a full, compliance-ready activity log for reporting and auditing purposes. - Does the WISP include disciplinary measures for violators?
- Does the WISP include policies and procedures for when and how records containing PI should be kept, accessed or transported off your business premises?
- Does the WISP provide for immediately blocking terminated employees, physical and electronic access to PI records (including deactivating their passwords and user names)?
Should an employee be terminated, our Gateway Security Appliance allows for all of their known devices to be blocked from accessing the network and our File Server Appliance allows for their username to be flagged as inactive so no future logins can be made. - Have you taken reasonable steps to select and retain a third-party service provider that is capable of maintaining appropriate security measures consistent with 201 CMR 17.00?
- Have you required such third-party service provider by contract to implement and maintain such appropriate security measures?
- Is the amount of PI that you have collected limited to the amount reasonably necessary to accomplish your legitimate business purposes, or to comply with state or federal regulations?
- Is the length of time that you are storing records containing PI limited to the time reasonably necessary to accomplish your legitimate business purpose or to comply with state or federal regulations?
- Is access to PI records limited to those persons who have a need to know in connection with your legitimate business purpose, or in order to comply with state or federal regulations?
Our File Server Appliance allows for only users who are given permission to view a file or directory to view it’s contents. - In your WISP, have you specified the manner in which physical access to PI records is to be restricted?
- Have you stored your records and data containing PI in locked facilities, storage areas or containers?
- Have you instituted a procedure for regularly monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PI; and for upgrading it as necessary?
- Are your security measures reviewed at least annually, or whenever there is a material change in business practices that may affect the security or integrity of PI records?
We can review your systems on a regularly scheduled basis in order to make sure you are still in compliance with applicable laws. - Do you have in place a procedure for documenting any actions taken in connection with any breach of security; and does that procedure require post-incident review of events and actions taken to improve security?
Our File Server Appliance offers activity logs for reporting and auditing purposes to assist you in your review of events.
Additional Requirements for Electronic Records
- Do you have in place secure authentication protocols that provide for:
- Control of user IDs and other identifiers?
Our File Server Appliance allows for each person in your organization to have a unique login ID. - A reasonably secure method of assigning/selecting passwords, or for use of unique identifier technologies (such as biometrics or token devices)?
Our File Server Appliance allows for each person in your organization to have a unique password for their login ID. - Control of data security passwords such that passwords are kept in a location and/or format that does not compromise the security of the data they protect?
Our File Server Appliance encrypts passwords with a hash algorithm before storage. - Restricting access to PI to active users and active user accounts?
Our File Server Appliance allows for only users who are given permission to view a file or directory to view it’s contents. - Blocking access after multiple unsuccessful attempts to gain access?
Our File Server Appliance comes with a built-in brute force protection that throttles too many failed login attempts originating from a range of IP addresses.
- Do you have secure access control measures that restrict access, on a need-to-know basis, to PI records and files?
Our File Server Appliance allows for only users who are given permission to view a file or directory to view it’s contents. - Do you assign unique identifications plus passwords (which are not vendor supplied default passwords) to each person with computer access; and are those IDs and passwords reasonably designed to maintain the security of those access controls?
Our File Server Appliance allows for each person in your organization to have a unique password for their login ID. - Do you, to the extent technically feasible, encrypt all PI records and files that are transmitted across public networks, and that are to be transmitted wirelessly?
Our File Server Appliance employs industry-standard TLS to encrypt data in transfer and data at rest in storage can be encrypted using a default military grade AES-256 encryption. - Do you, to the extent technically feasible, encrypt all PI stored on laptops or other portable devices?
Remote devices can be encrypted and monitored through our RMM system. - Do you have monitoring in place to alert you to the occurrence of unauthorized use of or access to PI?
Our Gateway Security Appliance has a built-in Intrusion Detection System. - On any system that is connected to the Internet, do you have reasonably up-to-date firewall protection for files containing PI; and operating system security patches to maintain the integrity of the PI?
Our Gateway Security and File Server Appliances are setup to download security patches automatically. - Do you have reasonably up-to-date versions of system security agent software (including malware protection) and reasonably up-to-date security patches and virus definitions?
Our RMM solution offers virus protection along with a phishing filter and malware protection, which are updated daily. - Do you have in place training for employees on the proper use of your computer security system, and the importance of PI security?
We offer ongoing training for your staff on how to use the systems we install and how to avoid potential security risks.
Latest posts by CCOC Rick (see all)
- 10 Tips for Preventing and Recovering from a Ransomware Attack - July 10, 2023
- FAQ – Do I Need To Replace My Hard Drive to Get Rid of A Virus? - November 11, 2022
- What Is Your E-Mail Score? - October 12, 2022
State of MA WISP Compliance Checklist
You must be logged in to post a comment.