Security Governance

Written Information Security Program (WISP) Template

A comprehensive Written Information Security Program template establishing the administrative, physical, and technical security controls needed to comply with regulatory standards.


Implementation Guide

A Written Information Security Program (WISP) is a required foundational document in many US states (including Massachusetts, New York, and California) for businesses that collect personal information. It outlines the administrative, technical, and physical safeguards in place to protect sensitive records.

Who is this for?

This template is built for business owners, legal advisors, and chief compliance officers who need to build an actionable security roadmap and fulfill insurance or customer security compliance mandates.

How to use this template:

  1. Replace all [Company Name] placeholders with your legal business entity name.
  2. Designate a specific title as the Information Security Coordinator.
  3. Review Section 4 (Administrative & Technical Controls) with your IT team or managed service provider (MSP) to confirm that the policies align with what is actually deployed on your network.
  4. Review and approve the document annually at the board level.

Template Preview

# WRITTEN INFORMATION SECURITY PROGRAM (WISP)

**Document Reference:** [Company Name] - WISP-01  
**Version:** 1.0  
**Effective Date:** [Date]  
**Review Cycle:** Annual  

---

## 1. PURPOSE & OBJECTIVES
The purpose of this Written Information Security Program (WISP) is to establish a comprehensive security framework to protect the confidentiality, integrity, and availability of **[Company Name]**'s information systems and sensitive data.

This program is designed to comply with applicable data protection laws, align with industry frameworks (like NIST CSF or CIS Controls), and establish a defensible standard of care.

---

## 2. INFORMATION SECURITY COORDINATOR
**[Title/Role, e.g., security coordinator or CISO]** is designated as the Information Security Coordinator responsible for:
* Overseeing the implementation and review of this program.
* Coordinating annual security awareness training for all personnel.
* Reviewing third-party vendor security postures.
* Ensuring security policies are updated to reflect changing business risks.

---

## 3. PHYSICAL SECURITY CONTROLS
To prevent unauthorized physical access to systems, databases, and paper files:
* **Access Control:** All physical locations containing sensitive computing hardware or paper records must be locked when unattended. Access keys or badges must be audited quarterly.
* **Visitor Logs:** Visitors to operational locations must sign a guest log and be escorted by authorized personnel.
* **Document Destruction:** Sensitive paper records must be shredded prior to disposal using locked secure-destruction bins.

---

## 4. ADMINISTRATIVE & TECHNICAL CONTROLS

### 4.1 Asset Management
The IT department maintains a complete inventory of all corporate hardware, laptops, mobile devices, and SaaS licenses. Untracked personal devices are prohibited from connecting to corporate networks.

### 4.2 Credential & Identity Hardening
* **Mandatory MFA:** Multi-factor authentication (MFA) must be enforced for all employees accessing corporate email, VPN tunnels, and SaaS platforms.
* **Password Complexity:** Passwords must be at least 14 characters, include uppercase, lowercase, numbers, and symbols, and be managed using corporate-approved password managers.
* **Access Reviews:** System privileges are granted based on the principle of least privilege. Administrator accounts are audited semi-annually.
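The password rule in 4.2 is concrete enough to check mechanically. The following is an added example, not part of the template or the project's own tooling, that validates a candidate password against exactly the stated rule (at least 14 characters; at least one uppercase letter, lowercase letter, digit, and symbol) and reports every violation rather than stopping at the first, which is what a self-service password-change page or an internal audit script would want. The sample passwords at the bottom are constructed for illustration.

```python
import string

# Minimum length required by Section 4.2 of the WISP template.
MIN_LENGTH = 14


def check_password_policy(password: str) -> list[str]:
    """Return a list of Section 4.2 violations; an empty list means compliant.

    Each character-class test is a separate check so the caller can tell the
    user everything that is wrong at once instead of one rule per attempt.
    """
    violations: list[str] = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    # "Symbol" is taken here to mean any ASCII punctuation character; this is
    # an assumption, since the template does not define the symbol set.
    if not any(c in string.punctuation for c in password):
        violations.append("no symbol")
    return violations


def is_compliant(password: str) -> bool:
    """True when the password satisfies every Section 4.2 composition rule."""
    return not check_password_policy(password)


if __name__ == "__main__":
    # Constructed sample inputs; never log real passwords in an audit script.
    for candidate in ["Correct-Horse-Battery-9!", "short1!A", "alllowercaseletters"]:
        result = check_password_policy(candidate)
        status = "OK" if not result else "; ".join(result)
        print(f"{len(candidate):2d} chars -> {status}")
```

The function returns violation strings rather than printing them so it can be reused from an HR onboarding script, a password-manager import check, or an identity provider's custom policy hook; only the composition rule from 4.2 is enforced here, and the MFA and least-privilege requirements in the same section are controls on the identity provider, not on the password string.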

### 4.3 System Patching & Configuration
* **Automatic Updates:** Workstations and laptops must run automated operating system updates and patches.
* **Endpoint Protection:** All devices must run corporate-managed Endpoint Detection and Response (EDR) software. Security alerts from EDR must route to an active monitoring queue.
* **Network Defense:** Firewalls must block ports used by unencrypted services and restrict public (internet-facing) access to RDP (Remote Desktop) and VPN endpoints.

---

## 5. INCIDENT RESPONSE & DISCLOSURE
In the event of a suspected data breach or security incident:
* Personnel must immediately report the event to the Security Coordinator.
* The Coordinator will activate the Incident Response Plan (IRP) to isolate systems, analyze logs, and preserve forensic evidence.
* If customer or regulated data is exposed, Legal Counsel will determine notification timelines under applicable state and federal laws.

---

## 6. PROGRAM AUDITS & IMPROVEMENTS
This WISP is a living document. The Security Coordinator will review this program annually, or after any significant infrastructure change or security incident.

Findings from vulnerability scans and penetration tests will be integrated into the program's strategic roadmap to continuously mature the organization's security posture.

Need a custom security program?

We write framework-aligned corporate WISPs and custom playbooks tailored to your team.