
Why You Need Both a Written Information Security Plan and a Business Continuity Plan
There is no doubt that in today's world, data security and privacy are hot topics. With the General Data Protection Regulation (GDPR) in the EU and cybersecurity constantly in the headlines, investment firms face ongoing scrutiny and questions from investors about the measures they take to secure their data. While most organizations have a formal cybersecurity posture, it is also crucial to have a Written Information Security Plan, also known as a WISP, and a Business Continuity Plan, also known as a BCP. Both are formal plans to protect your organization, but many firms confuse the two.
What is a Written Information Security Plan (WISP)?
A WISP details policies and procedures for ensuring confidential data is protected, how it is being protected, and who is ensuring it is protected. A WISP includes both administrative and technical safeguards that your organization has in place. Anyone or any company that has access to client or employee information needs to make sure that they implement the appropriate level of both administrative and technical safeguards.
Some examples of administrative safeguards include:
- Definitions of confidential data and how it is protected
- Where confidential data is located (shared drive, externally hosted, hard copy format, etc.)
- Monitoring who has access to confidential data and ensuring only the necessary people are able to access the data
- Roles and responsibilities for responding to a data breach or cyber incident, and internal and external communication procedures for responding to incidents
Technical safeguards include:
- Assessment of technical safeguards (penetration testing, encryption, software patches, etc.)
- Evaluation of technical safeguards (cybersecurity tracking documents)
- If necessary, implementation of additional technical safeguards
To learn 9 steps to create a Written Information Security Plan, watch the recap of our webinar here.
A WISP isn't to be confused with a Business Continuity Plan (BCP), which documents how your investment firm will respond when confronted with unexpected business disruptions. These unexpected disruptions could be inclement weather or a natural disaster, or basically anything that will cause the firm financial loss. An effective BCP can help minimize financial loss and the negative effects of disruptions on an investment firm's strategic plans, market position, operations and reputation.
Though Eze Castle Integration is, of course, known for its expertise in financial technology, Business Continuity Planning extends well past technology to examine and map the critical business processes and operations that must remain available during a disruption. Eze BCP covers the full spectrum of business continuity planning, including impact and risk analysis, plan development and ongoing plan maintenance, to help ensure a firm's operations can recover easily should a disruption occur.
The Eze BCP service methodology encompasses four key components:
- Risk Impact Analysis (RIA)
- Strategy and Plan Development
- Plan Testing, Training and Maintenance
Prudent investment firms have both a Written Information Security Plan and a Business Continuity Plan to ensure that their organization is protected against internal and external threats. Eze Castle Integration can assist firms in creating Written Information Security Plans and Business Continuity Plans, as well as conducting audits of existing plans and policies.
For more information on Eze Castle Integration's WISP or BCP services, contact us here.