The Security Policy Everyone Claims to Have and Almost Nobody Reads (WISP)

A tax preparer in Sugar Land got hit with a phishing email in March. Two staff mailboxes, full of client returns — Social Security numbers, bank routing details, the works. When the IRS and the cyber-insurance carrier started asking questions, the owner pulled out the binder. “We have a WISP,” he said, sliding it across the table. Thirty-one pages. Multi-factor authentication on every account. Encrypted backups. Annual employee security training. Quarterly access reviews.

None of it was true. The document was a free template he’d downloaded in 2021, filled in the company name, and filed. He’d never enabled MFA. There was no training. The “encrypted backups” were a USB drive in a desk drawer. And here’s the part that made his attorney wince: that binder didn’t protect him. It became the prosecution’s exhibit. He had put in writing, in his own document, every control he was supposed to have — and then proved he didn’t run a single one of them.

That’s the WISP problem in a nutshell. Most small businesses are compliant on paper and exposed in reality.

What a WISP Actually Is (in Plain English)

WISP stands for Written Information Security Program — sometimes called a Written Information Security Policy. Strip away the jargon and it’s a written description of how your business protects sensitive information: what data you hold, who is responsible for guarding it, what could go wrong, and what specific safeguards you have in place to stop it.

It is not a generic IT policy. It is not your employee handbook’s “don’t share your password” paragraph. A real WISP is a living document that maps your actual security controls to the actual risks your business faces. Notice the word “actual” twice in that sentence — that’s the whole game.

Who Actually Requires One

A lot of Houston owners assume a WISP is something only big enterprises worry about. It isn’t. Several overlapping authorities expect you to have one, and the definitions are broader than people expect.

  • The FTC Safeguards Rule. This applies to “financial institutions” — but the FTC defines that term far more broadly than banks. Mortgage brokers, auto dealers that arrange financing, accountants, tax preparers, payday lenders, collection agencies, and many businesses that simply extend credit or handle consumer financial data can fall under it. The rule explicitly requires a written information security program.
  • The IRS, for paid tax preparers. If you prepare returns for compensation, the IRS expects you to have and maintain a WISP, because tax preparers fall under the FTC Safeguards Rule. This ties directly to IRS Publication 4557 and the “Security Six” baseline controls (antivirus, firewalls, multi-factor authentication, backups, drive encryption, and a VPN for remote access). Having no WISP isn’t a gray area here; it’s a missing requirement.
  • State laws. Several states require businesses that hold residents’ personal information to maintain a written security program. Massachusetts (201 CMR 17.00) is the well-known example, but the trend is spreading, and if you serve customers across state lines, more than one set of rules can apply to you at once.
  • Your cyber-insurance carrier and your auditors. This is the one that bites people fastest. When you renew a cyber policy, the application asks whether you have a written security program and whether you run the controls it describes. When you file a claim, the carrier asks to see it — and asks for proof you actually followed it. Auditors and larger clients running vendor security reviews ask for it too.

We’re not your attorney and we’re not your auditor, so don’t take this as a legal determination of which rules apply to your specific business. That’s a conversation for your lawyer, your CPA, and your insurance broker. What we can tell you is what we see across Houston SMBs: more clients are being asked for a WISP every year, and most of them are not ready for the follow-up question.

Why a Template Is Worse Than Nothing

This is the part owners struggle with the most, so let’s be blunt about it.

If you have no WISP, you have a gap. That’s a problem, but it’s a knowable one. If you have a template WISP that describes controls you don’t actually run, you have manufactured evidence against yourself. You’ve put your own signature on a document that says “we do X, Y, and Z” when you don’t. In a breach investigation, a regulatory inquiry, or a lawsuit, that document becomes the yardstick you get measured against — and you fail your own test in writing.

Think about how the conversation goes:

  1. You hand over the WISP that says every account uses multi-factor authentication.
  2. The investigator pulls the logs and finds MFA was never enabled.
  3. Now the question isn’t just “were you negligent?” It’s “you documented the right thing and chose not to do it.”

A downloaded template tells everyone what good looks like and then proves you didn’t bother. That’s why we say it plainly: a WISP that doesn’t match reality is a liability, not a shield.

What a Real WISP Contains

A WISP that holds up has structure, and every section has to be true. Here’s what belongs in one:

1. Scope

What information and systems the program covers — client data, employee data, payment data, the specific systems and locations where it lives.

2. A Data and Asset Inventory

You can’t protect what you can’t name. This is a real list of the sensitive data you hold, where it’s stored, and the devices, servers, and cloud services that touch it. Most businesses are shocked at how much data they’re holding once someone actually inventories it.

3. A Designated Responsible Person

A named individual accountable for the program. Not “IT” in the abstract — a person. The FTC Safeguards Rule specifically requires one, and calls that person the “Qualified Individual.”

4. A Risk Assessment

An honest look at what could go wrong: phishing, ransomware, lost laptops, a rogue or careless employee, a vendor breach. The safeguards in the rest of the document should trace directly back to the risks you identified here.

5. Administrative, Physical, and Technical Safeguards

The three categories every serious framework uses:

  • Administrative — access policies, onboarding and offboarding procedures, who is allowed to touch what.
  • Physical — locked server rooms, badge access, clean-desk practices, secure disposal of old drives.
  • Technical — multi-factor authentication, encryption, firewalls, endpoint protection, logging, and patching. These are the controls that live or die on your network, and they’re exactly where network security and managed IT services do the real work behind the words on the page.

6. Vendor Management

Your security is only as strong as the outside parties who touch your data. A real WISP describes how you vet vendors and hold them to security expectations — because a breach at your payroll provider or cloud host is still your problem when client data leaks.

7. An Incident Response Plan

What happens in the first hour when something goes wrong: who gets called, how you contain it, how you notify the people who need to know. A plan written before the fire is worth ten times a plan improvised during one.

8. Employee Training

Your people are the most-attacked surface you have. A WISP commits to ongoing security awareness training — and you have to actually deliver it, with records to prove it happened.

9. A Review Cadence

A WISP is a living document. It has to be reviewed and updated on a regular schedule and whenever something material changes — new systems, new staff, a new line of business, a near-miss. A WISP printed once in 2021 and filed in a binder is, functionally, no WISP at all.

The Whole Point: The Document Has to Be True

Here’s the thing every owner needs to internalize. A WISP is not a writing exercise. The document is the easy part — anyone can produce a polished PDF. The hard part, and the part that actually protects you, is that every claim in it has to be backed by a control you really run, and that control has to be maintained over time.

That means three things have to line up:

  1. The document describes what you actually do. No aspirational controls, no copy-paste promises.
  2. Real technical and administrative controls stand behind every line. If it says MFA, MFA is on. If it says encrypted backups, the backups are encrypted and tested.
  3. It’s monitored and kept current. Controls drift. People leave, configurations change, software gets uninstalled. Without ongoing monitoring, a true WISP slowly becomes a false one.

This is exactly the gap between “compliant on paper” and “secure in reality.” A binder doesn’t stop ransomware. Running, monitored controls do — and the WISP is just the honest description of them.
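Reconciling the binder against the logs, the step the investigator took in the MFA story above and the monitoring that keeps a true WISP from drifting into a false one, is something you can script. The Python below is an added example, not part of the original article and not Aspendora’s tooling. It takes two WISP claims (“MFA on every account” and “encrypted, tested backups”), checks each against evidence, and reports which claims hold. The sign-in log, backup manifest, account list and report date are all constructed for the example, and the column names are assumptions about what an identity provider’s audit export or a backup tool’s job metadata would contain; substitute your own exports.

```python
"""Reconcile a WISP's written claims against evidence (constructed sample data).

Each claim in the document maps to a check over records you actually have.
A claim "holds" only when the check finds nothing; an account with no
evidence at all is a finding too, because you cannot prove the claim for it.
"""
import csv
import io
from datetime import date

# Constructed sign-in log, shaped like an identity provider's audit export (assumed columns).
SIGNIN_LOG = """\
timestamp,user,result,mfa
2024-03-04T08:02:11Z,alice@example.com,success,true
2024-03-04T08:10:45Z,bob@example.com,success,false
2024-03-04T09:15:02Z,carol@example.com,failure,false
2024-03-05T07:58:30Z,alice@example.com,success,true
2024-03-05T12:41:09Z,bob@example.com,success,false
"""

# Constructed backup job metadata (assumed fields). Dates are ISO strings.
BACKUP_MANIFEST = [
    {"job": "client-files", "encrypted": True, "last_success": "2024-03-05", "last_restore_test": "2024-02-20"},
    {"job": "mail-archive", "encrypted": False, "last_success": "2024-03-05", "last_restore_test": "2023-09-01"},
]

# Accounts the WISP's scope section says are in scope. 'dave' never appears in the log.
IN_SCOPE_ACCOUNTS = {"alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"}

# Constructed date on which the reconciliation is run.
REPORT_DATE = date(2024, 3, 6)


def mfa_findings(log_text, accounts):
    """Return (accounts with a successful sign-in and no MFA, accounts with no sign-in evidence)."""
    seen = set()
    no_mfa = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        seen.add(row["user"])
        # Only successful sign-ins matter: a failed attempt proves nothing either way.
        if row["result"] == "success" and row["mfa"].strip().lower() != "true":
            no_mfa.add(row["user"])
    unproven = set(accounts) - seen
    return no_mfa, unproven


def backup_findings(manifest, today=REPORT_DATE, max_age_days=90):
    """Return (job, problem) pairs for backups that are unencrypted or lack a recent restore test."""
    findings = []
    for job in manifest:
        if not job.get("encrypted"):
            findings.append((job["job"], "not encrypted"))
        tested = job.get("last_restore_test")
        if tested is None or (today - date.fromisoformat(tested)).days > max_age_days:
            findings.append((job["job"], "restore test stale or missing"))
    return findings


def reconcile(log_text=SIGNIN_LOG, accounts=IN_SCOPE_ACCOUNTS, manifest=BACKUP_MANIFEST, today=REPORT_DATE):
    """Map each WISP claim to its evidence check and say whether the claim currently holds."""
    no_mfa, unproven = mfa_findings(log_text, accounts)
    backup_issues = backup_findings(manifest, today)
    return {
        "MFA on every account": {
            "holds": not no_mfa and not unproven,
            "no_mfa_signins": sorted(no_mfa),
            "no_evidence": sorted(unproven),
        },
        "Encrypted, tested backups": {
            "holds": not backup_issues,
            "issues": backup_issues,
        },
    }


if __name__ == "__main__":
    for claim, result in reconcile().items():
        status = "OK   " if result["holds"] else "DRIFT"
        print(f"{status} {claim}: {result}")
```

Run on the constructed data, the MFA claim fails twice over: bob signs in successfully without MFA, and dave has no sign-in evidence at all, so the claim cannot be shown true for him. The backup claim fails because the mail archive is unencrypted and its last restore test is months old. Scheduling a run like this against real exports is the difference between a WISP that was true the day it was signed and one that is still true today.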

How Aspendora Makes a WISP Real

This is where we come in — and where we’re careful about what we’re not. We’re not a law firm and we’re not your auditor. We don’t tell you which regulations bind your business or sign off on your compliance; that’s your attorney, your carrier, and your auditor. What we do is build and maintain the thing those people are asking to see.

Through our compliance services, we inventory your data and assets, run a genuine risk assessment, and then deploy and document the administrative, physical, and technical safeguards that make the WISP true. The technical backbone — MFA, encryption, firewalls, endpoint protection, patching, logging — runs on our network security and managed IT platforms, and we monitor it so the document stays accurate after the ink dries. When your carrier or a big client asks for your WISP, you hand over something you can stand behind.

We charge professional rates for this, because doing it for real takes real work — there’s no free setup and no free support, and you can see how we structure engagements on our rates page. A cheap template you never follow costs you nothing today and everything during a claim. We’d rather you have the real thing.

Start With a Conversation

If you’ve got a WISP in a binder you haven’t opened since you signed it — or you’ve been asked for one and you’re not sure what you actually have — the smartest next step is a quick, honest conversation. Book a free 15-minute discovery call and we’ll talk through where you stand. That call is the only thing we do for free; everything after it is paid, professional work. From there, our compliance services turn a document that could be used against you into one that’s genuinely true, backed by real controls, and kept current.

Don’t wait for a breach or a renewal questionnaire to find out your WISP is fiction. Make it real before someone else makes it evidence.

Aspendora Technologies provides cybersecurity, managed IT, and expert on-premise & open-source solutions to Houston-area small businesses since 2010.
