Don't Forget to Share this Post

WISP Basics for Hedge Funds: The Four Key Elements of Written Information Security Plans

By Anna Wendt | Thursday, May 14th, 2015

In our latest webinar, “Understanding Written Information Security Plans," Eze Castle Integration’s resident WISP expert, Lisa Smith, shares insights into the development and maintenance of WISPs, including the basics of what Written Information Security Plans (WISPs) are and the stages that a firm’s WISP goes through. Continue reading for a recap or scroll down to watch the webinar.

What is a WISP? 

A WISP is a formal documentation of a firm’s plans and systems put in place to protect personal information and company sensitive data. It includes both administrative and technical safeguards and identifies confidential information, where it is located, how it is protected, and who has access to it. Technical safeguards include an assessment of current policies such as penetration software and encryption and technical policies like password changes and access control.

In today's changing regulatory and investor landscape, Written Information Security Plans are critical for hedge funds and investment management firms to comply with SEC regulations, due diligence requests and state laws (think MA 201 CMR 17).

The Stages of a WISP

Development: Creating the WISP

  • Business Operations Assessment: The process of identifying what systems and plans are currently being used to safeguard information, who can access the information, and how.

  • Technical Policy Assessment: The evaluation of the technical procedures the firm goes through to protect data.

  • Regulation Requirements: In order to stay compliant with regulations and laws, firms must stay up-to-date on the legal environment and document legislation the firm must adhere to.

  • Cybersecurity Incident Response Guidelines: This part identifies who has responsibilities in the event of a breach, whether that be the Computer Security Incident Response Team and/or Chief Information Security Officer. A CSIRT team should be made up of both IT and business personnel so that both perspectives are addressed.

  • Third Party Risk Assessment: If your firm is using any third party vendors, it is imperative that there is an understanding of what information they can access and security measures that they themselves have in place to protect both your information and their own.

  • Employee Guidelines: As employees can be any firm’s weakest link, it is important to inform and educate internal staff on the policies and procedures included within a WISP and best practices for a smart security strategy.

Audit: Re-evaluating your WISP

  • Assessment: Take the time, every couple of years, to review the existing policies and procedures in your WISP. Is everything still current? Have there been changes made to reflect changes in your business?

  • Reporting: Report any exposures that should be addressed in the WISP and other recommendations made to ensure the protection of information.

  • Sample Documentation: Create templates for third party risk assessments and employee guidelines.


  • Defining: Employees, investors, etc. should have an understanding of what is deemed confidential information, for example, research notes, algorithms, the firm’s financial status, etc.

  • Computer Incident Response Team: Creating a team on paper isn’t enough, employees need to know and be trained in how they should react in the event that there is a breach.

  • Guidelines: What are the procedures for company-owned equipment and how should an employee utilize those devices? Training in these areas could reduce the risk of a breach.

  • Internal vs. External Threats: Training employees on risks like social engineering, phishing, user error and the loss of USB devices is critical because they need to know how to react in the event that something happens and employ certain practices to prevent them from happening in the first place.


The financial industry landscape is ever-changing, with new regulations, sophisticated hackers and a turbulent market. In order to stay protected, firms must continuously update their WISP documentation, especially the summary, third party assessments and employee guidelines. 

To watch the full replay of our webinar, "Understanding Written Information Security Plans", see below or click here.

Related Articles:

Don't Forget to Share this Post

Related Posts

How Can Eze Castle Integration help you?Contact us today!