Thank you, Mr. Gov't, for the sample WISP
The Massachusetts Office of Consumer Affairs put together a sample (PDF) written information security program, or WISP. I have read it probably 75 times... It must be incredibly difficult to produce a policy document for a fictional company created completely in the abstract. In fact, it is. The document created by the MA OCA is a guideline and not YOUR company's policy.
The Written Information Security Program must apply to your company, your company's business processes and your company's procedures for handling the Personal Information that your company possesses. The "sample" may provide some guidance, but you need to customize it to your company's procedures.
So, what happens when you try to adapt the "sample" to your company?
The biggest mistake I have seen is the "copy/paste" job. In the sample there is a line under the "Internal Risks" section that says terminated employees shall "be required to surrender all keys, IDs or access codes or badges or business cards and the like..." (page 4, second bullet point). There are companies that have that exact language in their WISP, yet they have no badges, IDs or business cards.
Or how about the prohibition on employees keeping Personal Information on their desk when they're not there? (page 4, bullet 7) When you cross-reference that one with the one that requires all Personal Information to be "locked up" (bullet 9), wow, going to the bathroom during work is going to have to be planned well in advance, now isn't it?
If a business takes the position that "hey, I'll copy Mr. Gov't's sample WISP and if something happens, I'll just tell them that I did exactly what you asked... look, my policy looks just like yours!!!", then it is taking a very significant risk.
Basing your company's policy regarding "Personal Information," as required by Massachusetts law, on the Gov't's sample policy document makes sense, but merely putting your company logo at the top of a copy/paste job is not compliance and doesn't make sense.
Let me just break that document down a bit: Objective: comply with the law. Purpose: comply with the law. Scope: somehow related to compliance with the law. Internal risk assessment: what? External risk assessment: (see internal risk assessment answer).
Ladies and Gentlemen, the Government passed a law that requires compliance in the form of a written policy. My suggestion: Hire a lawyer. Hire a lawyer who knows about the data privacy law, about risk assessment and about the different ways that your data can be compromised. (yes, that is a small plug for my services....)
I thank the gov't for giving me, a lawyer, a cheat sheet on what they are looking for in terms of compliance, but I cannot credit them with creating a workable template for businesses because they didn't.
Next up for review: the WISP "checklist" (PDF) by the same authors...