A written information security policy (WISP) is a document that a business can use to inform employees about ways to protect the information in their business. It covers topics such as how complex passwords must be, how often they should change and how to store them. It should also define the different types of information stored in the business, where it is stored and how it should be secured. Most importantly, it defines how to handle this data within the company walls and outside of the company walls to ensure that the data is not breached.
A WISP should be reviewed and signed by every employee and stored in their HR file. This protects the business in the event that there is a data breach showing that the company made an effort to educate their employees and protecting their data. Some data protection laws protecting personally identifiable information (PII) and healthcare information require that you have a written policy on protecting data. If you are subject to these laws and your data is breached, the fines and penalties could put you out of business. Even if your business is not subject to these laws, it is a good idea to ensure that your business data is protected and your employees understand what that means.
Michael Giuffrida from Southington CT has been operating businesses since 1997. He is an experienced entrepreneur in business management, profitable growth, business valuation, mergers and acquisitions, and information technology managed services
Far too often business take the approach of filling a checkbox with a template WISP. It’s a bad idea for the reasons you mention above. Just because you have one if it’s basically ineffective you really are not helping your liability.