© Input Output
Beginner-friendly · Updated 2026


James Bowers II
Chief Security & Compliance Architect

Key Takeaways

  • A WISP is the documented backbone of your FTC Safeguards Rule compliance program 

  • Policies must align to risk, not generic templates 

  • Procedures translate policy into day-to-day execution 

  • Training proves employees understand and follow expectations 


Where This Fits in the Checklist

This is Step 5 in the FTC Safeguards Rule Checklist for Compliance: Policies, Procedures, and Training

This step formalizes how your safeguards are governed, communicated, and reinforced across the organization. 


What the Rule Requires

Under 16 CFR § 314.4(e), covered organizations must develop, implement, and maintain written information security policies and procedures and ensure personnel receive appropriate security awareness and training. 

This requirement ties directly to your WISP and applies across administrative, technical, and physical safeguards. 

In plain terms: If your security expectations are not written down, communicated, and reinforced, regulators will assume that they do not exist, or at best, are not consistently followed. 

Auditors typically expect to see: 

  • A documented WISP approved by leadership 

  • Policies mapped to identified risks 

  • Procedures that explain how policies are executed 

  • Evidence that employees are trained and aware of their responsibilities 


Why This Matters

Policies and training are where many security programs quietly fail. Organizations often have tools in place but lack clear rules about how those tools should be used or what employees are expected to do. 

Without documented policies and training: 

  • Security controls are applied inconsistently. 

  • Employees rely on informal assumptions and word-of-mouth practices instead of defined, documented expectations. 

  • Organizations struggle to demonstrate due care after incidents. 

Example (practical): An organization deploys multifactor authentication but never documents when it must be used. Employees bypass it for convenience, and leadership cannot show that expectations were ever clearly defined. 


Common Misconceptions and Compliance Traps

  • “A WISP is just one document.” A WISP is a structured set of policies, procedures, and oversight activities. 

  • “Templates are enough.” Generic policies that do not reflect actual risks weaken compliance. 

  • “Training once a year is sufficient.” Training must be ongoing and reinforced as threats change. 

  • “Policies are IT-only.” Policies apply to all personnel, including leadership. 

  • “If no one reads them, it still counts.” Regulators expect evidence that policies are communicated and understood. 


How to Meet This Requirement Using Due Diligence + Due Care

Due Diligence (Planning + Design)

Due diligence defines how your WISP, policies, procedures, and training program are intentionally designed before rollout. This is where leadership decisions are translated into written expectations that are clear, consistent, and defensible. 

A strong due diligence phase answers one core question: What do we expect people to do, and why? 

Due diligence checklist: 

  • Identify required policies based on risk assessment results and business operations 

  • Define policy purpose, scope, ownership, and review cadence 

  • Align policies to FTC Safeguards Rule requirements and other applicable frameworks (FTC, GLBA, IRS Pub 4557, ISO 27001) 

  • Design procedures that explain how policies are executed in real-world scenarios 

  • Define training requirements by role, access level, and risk exposure 

  • Establish leadership approval, exception handling, and review workflows 


Core Policy Categories Commonly Included in a WISP

While policies should be risk-based and tailored, most defensible WISPs include coverage across these areas: 

  • Acceptable Use Policy: Defines how employees may use company systems, devices, and data 

  • Data Classification and Handling Policy: Explains how nonpublic personal information and sensitive data must be stored, transmitted, and protected 

  • Access Control Policy: Documents how access is granted, reviewed, and revoked 

  • Identity and Access Management Policy: Defines authentication, authorization, and multifactor authentication requirements 

  • Cryptography and Encryption Policy: Specifies how customer information is encrypted at rest and in transit 

  • Incident Response Policy: Outlines how security events and incidents are identified, escalated, and handled 

  • Mobile Device and Remote Access Policy: Governs laptops, phones, and remote connectivity 

  • Third-Party Risk Management Policy: Defines expectations for service providers and vendors 

These policies create a shared operating manual for the organization. They reduce ambiguity, support consistent behavior, and give leadership a clear way to communicate expectations. 

Due Care (Execution + Ongoing Oversight)

Due care proves that the WISP is not shelfware. This is where policies and training move from intent to evidence. 

Regulators do not just ask whether policies exist. They look for proof that policies are communicated, understood, followed, and reinforced over time. 

Due care checklist: 

  • Formally approve and publish policies 

  • Distribute policies to all relevant personnel with acknowledgement tracking 

  • Deliver initial security awareness training aligned to policy requirements 

  • Conduct role-specific training for higher-risk roles 

  • Track training completion, acknowledgements, and remediation 

  • Review and update policies at least annually or after significant changes 

  • Adjust training content based on incidents, testing results, or emerging threats 


Information Security Training and Awareness

Training is how policies become behavior. Under the FTC Safeguards Rule, organizations must ensure personnel are informed about and capable of meeting their security responsibilities. 

Effective training programs are ongoing, role-aware, and practical. 

Types of Training That Support Compliance

  • Foundational security awareness training for all personnel 

  • Role-based training for employees with elevated access or responsibilities 

  • Simulated phishing and social engineering exercises to reinforce real-world recognition 

  • Targeted awareness campaigns using posters, emails, and reminders 

Training should address common threats such as phishing, smishing, vishing, quishing, and social engineering using examples employees are likely to encounter. 

Ongoing Training and Reinforcement

Security awareness is not a one-time event. Ongoing training ensures employees stay informed as threats evolve. 

Best practices include: 


  • Annual baseline training for all staff 

  • Periodic refreshers focused on emerging threats 

  • Industry or role-specific training where risk is higher 

  • Reinforcement through short, frequent communications 

This approach demonstrates that the organization is actively maintaining awareness, not simply checking a box. 

FTC Safeguards Rule checklist infographic displayed on a smartphone, showing core compliance requirements.

If you haven’t downloaded the checklist yet, grab it here and use it to track your progress through these requirements.

Download the FTC Safeguards Rule Checklist: One page. No fluff. Just the requirements.


Small Business / Minimum Viable Compliance Path

Small organizations do not need hundreds of policies to be compliant. 

A defensible baseline includes: 

  • A single consolidated WISP document 

  • Core policies covering access, data handling, incident response, and vendors 

  • Documented procedures for critical activities 

  • Annual security awareness training for all staff 

  • Role-specific training for higher-risk positions 

This approach demonstrates intent, structure, and follow-through without unnecessary complexity.


Want to Implement This Faster? (WISP Callout)

The Input Output WISP provides a complete, pre-built structure for FTC Safeguards Rule compliance. 

It includes policies, procedures, training guidance, and evidence templates designed to align directly with FTC expectations. 

Instead of building from scratch, organizations can focus on implementation and oversight. 

View the Full WISP Program 



Evidence Checklist (What to Keep)

  • Approved WISP document 

  • Information security policies and procedures 

  • Policy review and approval records 

  • Training materials and schedules 

  • Training completion logs 

  • Employee acknowledgements 

  • Policy update history 

  • Records of corrective actions tied to training or policy gaps 


FTC Safeguards Rule WISP: What to Do Next

Policies and training connect safeguards to people. They ensure expectations are clear, repeatable, and enforceable. 

Next in the series: FTC Safeguards Rule Service Provider Management 

Related guides: 

Download the FTC Safeguards Rule Checklist