Posted by Ken Leeser in Compliance, Information Security Plan, Policies
September 25

Here in Massachusetts we are faced with a first-in-the-nation personal data privacy protection regulation, which is meant to motivate businesses to adopt best practices for protecting the personal information of residents of the Commonwealth.

The regulation outlines specific things a business must do to become compliant with the law. Step 1: designate an information security officer. Step 2: develop a Written Information Security Plan (WISP), and so on.

 

At a seminar on the subject that I recently attended, a prototype plan was handed out. Upon reading it, I was reminded of an old joke:

A helicopter was flying around Seattle when a malfunction disabled all of the aircraft's electronic navigation and communications equipment. Due to the clouds and haze, the pilot could not determine the helicopter's position or the course to steer to the airport. The pilot saw a tall building, flew toward it, circled, drew a handwritten sign, and held it in the helicopter's window. The pilot's sign said "WHERE AM I?" in large letters.

People in the tall building quickly responded to the aircraft, drew a large sign, and held it in a building window. Their sign said "YOU ARE IN A HELICOPTER OVER SEATTLE."

The pilot smiled, waved, looked at his map, determined the course to steer to the Seattle airport, and landed safely.

After they were on the ground, the co-pilot asked the pilot how the "YOU ARE IN A HELICOPTER" sign had helped determine their position. The pilot responded, "I knew that had to be the MICROSOFT building, because, just like their help lines, they gave me a technically correct but totally useless answer!"

 

The sample WISP handed out at the seminar met these criteria exactly: it was technically correct but totally useless. It simply regurgitated the law without offering any specific guidance on how an employee should behave or on which actions were and were not required.

A WISP should not just lay out general platitudes about the company's desire to protect data. It should be a useful tool that employees can learn from and refer to whenever a question about data security comes up.

 

Topics that should be covered include:

- E-mail and Internet acceptable use
- Social media site usage
- Anti-virus: what to do when malware is detected
- Phishing and pharming: how to recognize it and how to react
- Remote access policy
- E-mail retention policy
- Information sensitivity policy (classifying and protecting the organization's information)
- Password policy (strength and renewal)
- Laptop protection
- USB port and removable media encryption
- Wireless encryption policy

Each section should outline the issue, the associated risks, the actions to be taken, and the penalties for non-compliance.

Only by creating meaningful, actionable policy will businesses move away from seeing data privacy protection as a burdensome government intrusion and treat it more like it should be: as a best practice for businesses that operate in the modern information age.


One Response to “Making Your Written Information Security Plan (“WISP”) Useful”
September 25th, 2009 at 8:56 pm

Thanks for the Microsoft joke reminder Ken. Agreed. Great starting point for useful Information Security Policies/Standards.
