Written Information Security Program (WISP)
[YOUR COMPANY NAME]
Document Version: [1.0] | Effective Date: [DATE] | Last Reviewed: [DATE]
⚠️ Legal Disclaimer: This template is provided for informational purposes only and does not constitute legal advice. It is designed to help small businesses create a Written Information Security Program that addresses the requirements of Massachusetts 201 CMR 17.00. You should consult with a qualified attorney to ensure your WISP meets all applicable legal requirements for your specific business and industry. Power Up Boston is an IT services provider, not a law firm.
1. Purpose & Scope
The purpose of this Written Information Security Program ("WISP") is to establish and maintain a comprehensive information security program for [YOUR COMPANY NAME] ("the Company") that contains administrative, technical, and physical safeguards to protect the personal information of Massachusetts residents, in compliance with Massachusetts General Laws Chapter 93H and 201 CMR 17.00.
This program applies to all employees, contractors, temporary workers, volunteers, and third-party service providers who access, collect, store, use, transmit, or dispose of personal information on behalf of the Company.
Personal Information (PI), as defined by Massachusetts law, is a Massachusetts resident's first name and last name (or first initial and last name) in combination with any one or more of the following data elements:
- Social Security number
- Driver's license number or state-issued identification card number
- Financial account number, credit card number, or debit card number (with or without security codes/PINs)
The Company handles personal information in the following systems and processes: [LIST YOUR SYSTEMS — e.g., payroll, HR records, customer database, accounting software, paper files]
2. Designated Security Coordinator
The following individual has been designated as the Company's Data Security Coordinator, responsible for implementing, supervising, and maintaining this WISP:
- Name: [FULL NAME]
- Title: [JOB TITLE]
- Email: [EMAIL]
- Phone: [PHONE]
The Data Security Coordinator is responsible for:
- Initial implementation and ongoing management of this WISP
- Conducting and overseeing employee security awareness training
- Evaluating and responding to security incidents
- Ensuring third-party service providers comply with 201 CMR 17.00
- Annual review and update of this document
- Staying current on security threats and best practices relevant to the Company's operations
In the absence of the Data Security Coordinator, [BACKUP PERSON NAME, TITLE] will assume these responsibilities.
3. Risk Assessment
The Company shall conduct an annual risk assessment to identify and evaluate reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information. This assessment shall include:
3.1 Internal Risks
- Employee errors, negligence, or intentional misconduct
- Insufficient training or awareness
- Inadequate access controls or authentication
- Loss or theft of devices containing PI
- Insecure disposal of records
3.2 External Risks
- Phishing, social engineering, and email compromise
- Malware, ransomware, and other cyberattacks
- Unauthorized access via compromised credentials
- Physical intrusion or theft
- Third-party service provider vulnerabilities
- Natural disasters or environmental events
3.3 Risk Mitigation
Following each risk assessment, the Data Security Coordinator shall document identified risks and implement appropriate safeguards to mitigate them. The most recent risk assessment was completed on [DATE] and is maintained as a separate document on file.
4. Access Controls
Access to personal information shall be restricted to those employees and service providers who require it to perform their job duties. The Company implements the following access controls:
- Principle of Least Privilege: Employees are granted only the minimum level of access necessary for their role.
- Unique User Accounts: Each individual who accesses Company systems is assigned a unique user ID. Shared accounts are prohibited.
- Authentication Requirements: All systems containing PI require authentication with a minimum password length of [14] characters. Multi-factor authentication (MFA) is required for [ALL CLOUD SERVICES / SPECIFY WHICH SYSTEMS].
- Account Lockout: User accounts are locked after [5] consecutive failed login attempts.
- Access Reviews: The Data Security Coordinator shall review user access rights at least [QUARTERLY / SEMI-ANNUALLY] and upon any change in employee role or status.
- Termination Procedures: Access to all Company systems shall be revoked within [24 HOURS] of an employee's separation from the Company, whether voluntary or involuntary.
- Remote Access: Remote access to Company systems is permitted only through [VPN / APPROVED REMOTE ACCESS SOLUTION] with MFA enabled.
5. Data Handling & Storage
5.1 Data Collection
The Company shall collect only the minimum amount of personal information reasonably necessary for its business purposes. PI is collected through the following channels: [e.g., employment applications, customer intake forms, payroll processing].
5.2 Data Storage
- Electronic Records: PI stored electronically shall be protected by encryption (at rest and in transit), access controls, and regular backups. PI is stored in the following systems: [LIST SYSTEMS].
- Paper Records: Physical documents containing PI shall be stored in locked file cabinets or rooms with restricted access when not in use.
- Portable Devices: PI shall not be stored on portable devices (laptops, USB drives, external hard drives) unless the device is encrypted with full-disk encryption.
5.3 Data Transmission
Personal information transmitted over public networks (including the internet and email) shall be encrypted using industry-standard encryption protocols (TLS 1.2 or higher). PI shall never be transmitted via unencrypted email.
5.4 Data Disposal
When personal information is no longer needed for its business purpose or required to be retained by law, it shall be disposed of in a manner that ensures it cannot be read or reconstructed:
- Paper Records: Cross-cut shredding or secure document destruction service
- Electronic Records: Secure overwriting (minimum 3-pass), degaussing, or physical destruction of storage media
- Equipment: All storage media shall be securely wiped before disposal, donation, or transfer
6. Employee Training
All employees who have access to personal information shall receive security awareness training:
- Initial Training: Within [30] days of hire
- Annual Refresher: At least once per calendar year
- Supplemental Training: When significant changes to the WISP or security procedures are implemented, or in response to a security incident
Training shall cover, at minimum:
- The requirements of this WISP and employee responsibilities
- Recognizing and reporting phishing emails and social engineering
- Proper handling and disposal of records containing PI
- Password and authentication best practices
- Physical security procedures
- Incident reporting procedures
- Consequences of WISP violations
Training completion shall be documented and records retained by the Data Security Coordinator. Employees who fail to complete required training within [30] days of the due date shall have their access to PI suspended until training is completed.
7. Incident Response
7.1 Definition
A security incident is any event that compromises or may compromise the security, confidentiality, or integrity of personal information maintained by the Company.
7.2 Reporting
All employees must immediately report suspected security incidents to the Data Security Coordinator at [PHONE / EMAIL]. "Immediately" means as soon as the employee becomes aware — not at the end of the day, not after trying to fix it themselves.
7.3 Response Procedures
- Contain: Immediately take steps to limit the scope of the incident (isolate affected systems, disable compromised accounts, change passwords)
- Assess: Determine what PI was involved, how many individuals were affected, and the likely cause of the breach
- Notify: If a breach of PI is confirmed, notify the Massachusetts Attorney General's Office and the Office of Consumer Affairs and Business Regulation as required by M.G.L. c. 93H, § 3. Affected individuals must also be notified.
- Remediate: Implement corrective actions to prevent recurrence
- Document: Maintain a written record of the incident, investigation, and response actions taken
7.4 Breach Notification Requirements (MA Law)
Under M.G.L. c. 93H, notification must be made "as soon as practicable and without unreasonable delay." Notification must include:
- The nature of the breach
- The type of PI compromised
- Steps taken in response
- Steps the individual can take to protect themselves
- Contact information for the Company
8. Third-Party Service Providers
The Company shall take reasonable steps to ensure that third-party service providers with access to PI are capable of maintaining appropriate security measures consistent with 201 CMR 17.00. This includes:
- Requiring service providers to implement and maintain appropriate security measures by contract
- Requesting evidence of their security practices (SOC 2 reports, security certifications, insurance)
- Including data breach notification requirements in service agreements
- Conducting periodic reviews of third-party security practices
Current third-party service providers with access to PI include: [LIST — e.g., payroll processor, cloud hosting provider, IT managed services provider, accounting firm]
9. Physical Security
The Company maintains the following physical safeguards to protect PI:
- Offices and facilities are secured with [LOCKS / KEY CARDS / ALARM SYSTEM]
- Areas containing PI (server rooms, file storage) have restricted access limited to [LIST AUTHORIZED PERSONNEL]
- Workstations are configured to automatically lock after [5] minutes of inactivity
- Visitors are required to sign in and be escorted in areas where PI is accessible
- Security cameras monitor [SPECIFY AREAS — e.g., entrances, server room, file storage areas]
- Paper records containing PI are stored in locked cabinets when not actively in use
- Clean desk policy: Employees shall not leave documents containing PI visible on desks at the end of the business day
10. Document Retention & Destruction
The Company shall retain personal information only for as long as there is a legitimate business need or legal requirement to do so. The following retention periods apply:
- Employee Records: [X YEARS] after termination of employment
- Customer Records: [X YEARS] after last transaction
- Tax/Financial Records: As required by IRS and state regulations (typically 7 years)
- Contracts and Agreements: [X YEARS] after expiration
Records that have exceeded their retention period shall be securely destroyed in accordance with Section 5.4 of this WISP.
11. Technical Security Measures
The Company implements the following technical safeguards:
- Firewall: A business-grade firewall protects the Company network from unauthorized access
- Antivirus/EDR: All endpoints are protected with [SECURITY SOFTWARE NAME], configured for automatic updates and real-time protection
- Encryption: Full-disk encryption is enabled on all Company laptops and portable devices. Data in transit is encrypted with TLS 1.2+.
- Patching: Operating systems and software are updated within [30] days of security patches being released. Critical patches are applied within [72 HOURS].
- Backups: Data is backed up [DAILY] and backups are tested [QUARTERLY]. Backups are stored [DESCRIBE — e.g., encrypted cloud backup with 30-day retention].
- Monitoring: System logs are reviewed [WEEKLY / MONTHLY] for suspicious activity
- Email Security: Advanced email filtering, SPF/DKIM/DMARC, and external email tagging are enabled
12. Review & Updates
This WISP shall be reviewed and updated:
- At least annually by the Data Security Coordinator
- Whenever there is a material change in the Company's business practices, technology, or personnel that may affect the security of PI
- Following any security incident or breach
- When new regulations or legal requirements are enacted
All revisions shall be documented with the date of the revision and a summary of changes made.
Acknowledgment & Signatures
By signing below, the undersigned acknowledge that they have read, understand, and agree to comply with this Written Information Security Program.
Data Security Coordinator — Signature
Printed Name & Title
Date
Company Owner / Executive — Signature
Printed Name & Title
Date
📚 Regulatory References
- Massachusetts 201 CMR 17.00 — Standards for the Protection of Personal Information of Residents of the Commonwealth
- Massachusetts General Laws Chapter 93H — Security Breaches
- Massachusetts General Laws Chapter 93I — Disposal of Records Containing Personal Information
- NIST Cybersecurity Framework (CSF) 2.0
- Massachusetts Attorney General's Data Breach Notification Form: mass.gov/ago/data-breach
Need Help Completing Your WISP?
Filling in the blanks requires understanding your actual IT environment. We'll audit your systems, identify gaps, and help you complete a WISP that actually reflects your security posture — not just a template you filed away.
Book a Free WISP Consultation →