Compass IT Compliance Blog

The Dangers of a Written Information Security Program (WISP)

This is a guest post that was written by Joel Goloskie, Esq. Joel is Senior Counsel with Pannone, Lopes, Devereaux, & O'Gara in Boston. Joel is a member of the firm's Healthcare, Litigation, and Corporate & Business Teams. Joel advises and assists his clients on the various international, federal, and state cybersecurity issues, with a focus on helping clients monetize innovative uses of data while remaining compliant with slowly-evolving regulatory regimes. For more information on Joel, please visit his profile on the Pannone, Lopes, Devereaux, & O'Gara website or feel free to contact him at

For businesses that maintain data on customers or, increasingly, their own employees, the term “WISP” should be familiar. A WISP, or Written Information Security Program, is the document by which an entity spells out the administrative, technical and physical safeguards by which it protects the privacy of the personally identifiable information it stores. Healthcare entities subject to HIPAA have long since become accustomed to not merely developing their own WISPs, but requiring the same of any business associate with which they share patient information. Similarly, banking, insurance and financial institutions have for years developed WISPs in response to their industries’ privacy requirements.

The NIST Cybersecurity Framework - The Protect Function

For the second part of our series on the NIST Cybersecurity Framework, we are going to be discussing the Protect function. Last time we discussed the Identify function which talked about the need to really understand your critical infrastructure, your systems, and the risks associated with those systems so you can move to the next step in the framework, to protect your critical infrastructure. As you can probably see, the functions of the framework build on each other in a logical order. In the first post in this series, I compared the framework to building a house. If the Identify function is the foundation, then the Protect function would be the framing of the outside of your house. You can’t build walls without a firm foundation!

HIPAA Compliance and Audit Controls - What You Need to Know

If you have read the news lately on Healthcare and specifically HIPAA, you probably saw references to a recent HIPAA settlement between Memorial Health Systems of Florida and the Department of Health and Human Services (HHS). I’m sure the amount of the settlement caught your attention: a whopping $5.5M! You probably also noticed the reason for the fine: Lack of Audit Controls. With a fine of that caliber, it’s important to know what audit controls are when discussing HIPAA Compliance.

5 Quick Tips To Help With Information Security

Information Security is a moving target. Once you "think" that you have it figured out, boom, here comes another new threat to knock you back on your heels and make you question just how strong your Information Security program is. That's the bad news. The good news is that we are going to give you 5 Information Security Tips that will help reduce the chances (notice I did not say eliminate) of an Information Security incident taking place. (These can apply to both individuals and organizations as well):

IT GRC - Compliance

Over the past week we have been discussing an overview of IT Governance, Risk, and Compliance as well as diving into each of the components that make up this program. Today we are going to talk about the final piece of the IT GRC puzzle: Compliance.