The Action Plan


The action plan is the first step in developing your WISP. It is designed as a tool to aid in the development of a written information security program for a business or individual that handles “personal information” (PI). Each step is intended to collect information that will ultimately become your WISP.

Action plan steps:

  1. Designate one or more employees to maintain and supervise WISP implementation and performance. This person will be responsible for developing, training on, monitoring and maintaining the WISP.
  2. Identify the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices, that contain personal information. You may choose, as an alternative, to treat all your records as if they contained PI.
  3. Identify and evaluate reasonably foreseeable internal and external risks to paper and electronic records containing PI.
  4. Identify, document and evaluate your current safeguards and the effectiveness of those safeguards.
  5. Define your regular ongoing employee training, and procedures for monitoring employee compliance.
  6. Develop a policy for disciplinary measures for violators.
  7. Develop policies and procedures for when and how records containing PI may be kept, accessed or transported off your business premises.
  8. Define your process for immediately blocking terminated employees’ physical and electronic access to PI records (including deactivating their passwords and user names).
  9. Identify all third-party service providers and certify that they are capable of maintaining appropriate security measures consistent with 201 CMR 17.00.
  10. Update third-party service provider contracts (both in-state and out-of-state) with a provision that they are required to implement and maintain appropriate security measures.
  11. Eliminate PI that you have collected if it is not needed to accomplish your legitimate business purposes, or to comply with state or federal regulations.
  12. Define your retention requirements and time frames for storing records containing PI, based on what is necessary to accomplish your business purpose or to comply with state or federal regulations.
  13. Define and limit access to PI records to those persons who have a “need to know”.
  14. Define how physical access to PI records is to be restricted.
  15. Store your records and data containing PI in locked facilities, storage areas or containers.
  16. Develop and institute a procedure to regularly monitor how effectively the WISP is operating to prevent unauthorized access to or unauthorized use of PI; include in it the process for updating the WISP as necessary.
  17. Define a process to review your security measures at least annually, and what actions you will take if there is a material change in business practices that may affect the security or integrity of PI records.
  18. Define a process for documenting what actions will be taken in connection with any breach of security; include in that process a post-incident review of events and the enforcement of an action plan to improve security.

Electronic Records Requirements

  1. Implement secure authentication protocols that provide for:
    1. Control of user IDs and other identifiers
    2. A reasonably secure method of assigning/selecting passwords, or for use of unique identifier technologies (such as biometrics or token devices)
    3. Control of data security passwords such that passwords are kept in a location and/or format that does not compromise the security of the data they protect
    4. Access restrictions to PI to active users and active user accounts
    5. Access blocking after multiple unsuccessful attempts to gain access
  2. Implement secure access control measures that restrict access, on a need-to-know basis, to PI records and files
  3. Implement unique identifications plus passwords (which are not vendor-supplied default passwords) for each person with computer access, with those IDs and passwords reasonably designed to maintain the security of those access controls
  4. Encrypt, to the extent technically feasible, all PI records and files that are transmitted across public networks or that are to be transmitted wirelessly
  5. Encrypt, to the extent technically feasible, all PI stored on laptops or other portable devices
  6. Put a monitoring process in place to alert you to the occurrence of unauthorized use of or access to PI
  7. Install reasonably up-to-date firewall protection for files containing PI on any system that is connected to the Internet
  8. Install operating system security patches to maintain the integrity of the PI
  9. Install reasonably up-to-date versions of system security agent software (including malware protection) and reasonably up-to-date security patches and virus definitions
  10. Develop a training program for employees on the proper use of your computer security system, and the importance of PI security
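As an added illustration (not part of the original article) of what requirements 1.3, 1.4, 1.5 and 3 above look like in code, the following Python sketch stores only salted password hashes, refuses access to inactive accounts, and locks an account after repeated failed attempts. The lockout threshold of 5 is an assumption; 201 CMR 17.00 says "multiple" without fixing a number.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5     # assumed threshold; the regulation only says "multiple"
PBKDF2_ROUNDS = 200_000     # work factor for the password hash (raise in production)


@dataclass
class Account:
    salt: bytes               # per-user random salt
    digest: bytes             # PBKDF2-HMAC-SHA256 of the password, never the password itself
    active: bool = True       # requirement 1.4: only active accounts may reach PI
    failed_attempts: int = 0
    locked: bool = False      # requirement 1.5: blocked after repeated failures


def _derive(password: str, salt: bytes) -> bytes:
    """Requirement 1.3: keep passwords in a format that does not expose them."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class UserStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def add_user(self, user_id: str, password: str) -> None:
        # Unique ID per person (requirement 3); the caller supplies a non-default password.
        salt = os.urandom(16)
        self.accounts[user_id] = Account(salt=salt, digest=_derive(password, salt))

    def deactivate(self, user_id: str) -> None:
        # Action-plan step 8: immediately block a terminated employee's electronic access.
        self.accounts[user_id].active = False

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active or acct.locked:
            return False
        # Constant-time comparison avoids leaking how much of the digest matched.
        if hmac.compare_digest(_derive(password, acct.salt), acct.digest):
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True      # requires an administrator to unlock
        return False
```

Each failed attempt is counted even for the correct user, so the monitoring process of requirement 6 should also record these events.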
