Now that you’ve established your Information Security Policy, the next step in building a Written Information Security Plan (WISP) is defining Roles, Responsibilities, and Permissions. A security plan isn’t just about rules—it’s about people. Every business needs to clearly assign who is responsible for what when it comes to protecting sensitive information.

Why Does Assigning Roles & Responsibilities Matter?

Many businesses assume cybersecurity is just an IT issue. In reality, security is a shared responsibility. A well-defined role structure ensures that security policies aren’t ignored, misunderstood, or inconsistently applied. Assigning roles also helps you meet regulatory requirements such as those outlined in the FTC Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA), which mandate that businesses designate qualified personnel to oversee security.

Key Roles in Your WISP

Your security structure should be scaled to your business—small businesses may only need a few defined roles, while larger organizations require more separation of duties. Here are the primary roles every WISP should address:

1. Data Security Coordinator (DSC)

  • The DSC is required by the FTC Safeguards Rule.

  • This person oversees security policies, training, and compliance.

  • Monitors security risks and adjusts policies accordingly.

  • Acts as the point person for security incidents and breach responses.

2. Business Owner or Executive Leadership

  • Ensures the security program aligns with business operations.

  • Provides necessary funding and resources for security measures.

  • Regularly reviews security updates and compliance reports.

3. Employees

  • Responsible for following security policies and reporting incidents.

  • Must complete annual security training and sign an Employee/Contractor Acknowledgment of Understanding.

  • Should understand acceptable use policies for devices, passwords, and data handling.

4. IT Provider or Security Personnel

  • Implements security controls like encryption, firewalls, and network monitoring.

  • Oversees user access management, ensuring only authorized personnel can access sensitive information.

  • Performs regular audits and vulnerability assessments.

5. Third-Party Vendors and Contractors

  • Any service providers handling sensitive data must comply with your security policies.

  • Contracts should specify data protection requirements.

  • Vendor access should be regularly reviewed and restricted as needed.

Assigning User Permissions

Once roles are established, you need to define who has access to what. A least privilege approach—where users only have access to the minimum data and systems necessary for their jobs—reduces security risks.

Steps for Managing Permissions:

  1. Identify Data and Systems – List all systems, software, and data types your business handles.

  2. Define Access Levels – Categorize data (e.g., confidential, internal, public) and determine who needs access.

  3. Use Role-Based Access Control (RBAC) – Assign permissions based on roles instead of individuals to simplify management.

  4. Require Multi-Factor Authentication (MFA) – Especially for accessing financial or customer data.

  5. Regularly Review Access – Remove or adjust permissions when employees leave or change roles.

Documentation and Accountability

For compliance and clarity, your WISP should include:

  • A written list of roles and responsibilities.

  • A permissions matrix mapping users to data/systems.

  • A process for onboarding and offboarding employees and vendors.

  • Integration with HR Processes – Security responsibilities should be part of your existing HR onboarding and offboarding procedures. New hires should receive security training and have access permissions granted based on their roles, while departing employees should have access revoked immediately.

  • If you don’t have a formal onboarding/offboarding process, now is the perfect time to document it with security woven into every step. Defining a structured approach ensures that access controls, training, and compliance measures are consistently applied from day one.
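The steps above (define access levels, assign permissions by role, require MFA for confidential data, review access on role change or departure) and the permissions matrix mentioned in this section can be modelled in a few dozen lines. The following is an added example, not code from the original post or from Zeus InfoSec; the role names, system names, and classifications are constructed for illustration, and the DSC role is assumed to have read access across systems for oversight.

```python
"""Minimal role-based access control (RBAC) model for a WISP permissions matrix.

Added example, not from the original post. All roles, users and systems are
constructed placeholders; adjust them to your own inventory (step 1).
"""
from dataclasses import dataclass

# Step 2: data classifications and the MFA rule for confidential systems.
SYSTEMS = {
    "website_cms": {"classification": "public", "mfa_required": False},
    "file_share": {"classification": "internal", "mfa_required": False},
    "accounting": {"classification": "confidential", "mfa_required": True},
    "crm": {"classification": "confidential", "mfa_required": True},
}

# Step 3: permissions are granted to roles, never to named individuals.
# Role -> {system: set of allowed actions}
ROLE_PERMISSIONS = {
    "employee": {"file_share": {"read"}, "website_cms": {"read"}},
    "bookkeeper": {"file_share": {"read", "write"}, "accounting": {"read", "write"}},
    "sales": {"file_share": {"read"}, "crm": {"read", "write"}},
    # Assumed: the Data Security Coordinator gets read-only oversight access.
    "dsc": {"file_share": {"read", "write"}, "accounting": {"read"}, "crm": {"read"}},
}


@dataclass
class User:
    name: str
    roles: set
    mfa_enrolled: bool
    active: bool = True


def effective_permissions(user):
    """Union of the permissions of the user's roles; a deactivated user gets nothing."""
    perms = {}
    if not user.active:
        return perms
    for role in user.roles:
        for system, actions in ROLE_PERMISSIONS.get(role, {}).items():
            perms.setdefault(system, set()).update(actions)
    return perms


def check_access(user, system, action):
    """Least-privilege decision: deny unless a role grants the action, and
    enforce MFA (step 4) on systems holding confidential data."""
    if system not in SYSTEMS:
        return False, "unknown system"
    if action not in effective_permissions(user).get(system, set()):
        return False, "no role grants this action"
    if SYSTEMS[system]["mfa_required"] and not user.mfa_enrolled:
        return False, "MFA required for confidential data"
    return True, "ok"


def offboard(user):
    """Offboarding: revoke everything at once by clearing roles and deactivating."""
    user.roles.clear()
    user.active = False
    return user


def change_role(user, new_roles):
    """Role change (step 5): replace roles instead of adding to them, so the
    permissions of the old role do not linger."""
    user.roles = set(new_roles)
    return user


def access_review(users):
    """Periodic review: flag confidential access without MFA and any
    deactivated account that still holds a role."""
    findings = []
    for u in users:
        if u.active:
            for system in effective_permissions(u):
                if SYSTEMS[system]["mfa_required"] and not u.mfa_enrolled:
                    findings.append((u.name, f"confidential access to {system} without MFA"))
        elif u.roles:
            findings.append((u.name, "inactive account still holds roles"))
    return findings


def permissions_matrix(users):
    """Rows of (user, system, actions) for the written permissions matrix."""
    rows = []
    for u in users:
        for system, actions in sorted(effective_permissions(u).items()):
            rows.append((u.name, system, ",".join(sorted(actions))))
    return rows


if __name__ == "__main__":
    alice = User("alice", {"employee", "bookkeeper"}, mfa_enrolled=True)
    bob = User("bob", {"sales"}, mfa_enrolled=False)
    for row in permissions_matrix([alice, bob]):
        print(row)
    print(check_access(bob, "crm", "read"))   # denied until bob enrols in MFA
    print(access_review([alice, bob]))
    offboard(alice)
    print(check_access(alice, "accounting", "write"))  # denied after offboarding
```

The matrix rows produced by `permissions_matrix` are what belongs in the WISP's documentation; the `access_review` output is the kind of finding the Data Security Coordinator would act on at each scheduled review.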

Wrapping Up

Defining roles and responsibilities ensures that security isn’t just a policy—it’s a practice embedded into daily operations. By assigning clear ownership over security tasks and controlling access to sensitive data, you reduce risks and build a stronger security culture.

If structuring your security roles feels overwhelming, Zeus InfoSec is here to help. Our expertise in security documentation and policy development can provide the structure you need to implement a practical and compliant WISP. Security is a shared responsibility—let’s build it together.

In the next post, we’ll cover how to Establish a Plan for Responding to Security Incidents—because knowing what to do in a crisis is just as important as preventing one.

Still not sure where to start?

Check out Protect Your Business with Our Free Cybersecurity Checklist for Small Businesses or Free Cybersecurity Essentials eBook

Until next time…

Stay Safe. Stay Secure. And Remember…

Business is hard enough. Cybersecurity doesn’t have to be!
